From: Alexander van der Wolk <av2139@columbia.edu>
  To  : <CPC@emoglen.law.columbia.edu>
  Date: Thu, 20 Apr 2006 10:07:48 -0400

[CPC] Paper 2 - Digital Privacy; an Oxymoron? (graduating)

“Digital Privacy”; an Oxymoron?


There are two inherent problems with digital data, particularly  
related to privacy: a) it cannot be unlearned, and b) the current  
networked environment is not set up to allow complete autonomy.   
Given this notion, the question is whether digital privacy is an  
oxymoron, such as “airline food” or “Microsoft Works”.  Is it at all  
possible to maintain privacy[1] in an online environment, or is it  
really a contradiction in terms, impossible to achieve?

The government and Microsoft seem to have in common the concept of  
‘security’ in their respective motivations for learning your data.   
Their both approach in implementing this security is through  
obscurity.  As long as you don’t know what happens behind the  
curtain, they will call the play safe.  But if we would know what  
happens, security would be breached, and so the level of security  
follows from the strength of the curtain.

This concept of security is built on fear, and lacks every form of  
trust /in/ its ‘users’, while demanding a very high level of trust / 
from/ its users.  Security through obscurity is therefore like  
compelling trust.  “I won’t tell you how security is enforced, but  
you’d better trust me, or else all is doomed.”  This ‘trust’ is  
enforced by tightening the screws on user liberties with respect to  
what is being secured.  And so the message they send out is: in order  
to secure freedom, we need to limit freedom.  Right.

Security built on fear is premised on the concept of marketing.  Keep  
indoctrinating that anything else is unsafe, and long enough people  
will start believing it.  “You want a better internet?  You belong at  
AOL.”  Security, just like the net, is sold as a product, packaged in  
nice little boxes which we pick up on the go.  “Did you want security  
with your fries?”

But the problem, as with all mis-applied product approaches to  
intangibles, is that they’re incorrect and stupid.  Access to the net  
is not subject to ownership, any less than security or privacy is  
susceptible to conceptualization.  Just like the net is a social  
status, in which access should be a fundamental right of those part  
of society, security and privacy are the individual’s conditions on  
taking part in that society.  They flow directly from the behavior of  
the individual, and are therefore in the direct realm of influence of  
the individual.  Just like every child is taught not to go with  
strangers on the street, they should also be taught how to behave in  
a networked society, and take responsibility for their digital identity.

If we want to maintain freedom, let’s start with practicing freedom.   
Free Software works because everyone can see how it works.  Every  
aspect of it can be examined and scrutinized, and every vulnerability  
can be criticized and improved.  Its effectivity is subject to public  
discussion, and its result is therefore greater than the sum of its  
parts.  In order to convert “digital privacy” from an antagonistic  
notion to synergy, we need to make “digital” as much part of us as  
“privacy”.

One of the current challenges of openness of data is the way in which  
to achieve it.  Compelling openness requires the involvement of the  
legislator, which demands a change in mindset at government level.   
Also, it’s the kind of approach of fighting fire with fire, with its  
own effects and results.  It requires enforcement in order to be  
effective.  I’m not saying it is a road that shouldn’t be pursued,  
but for the short term it might not be as successful.

Choosing openness seems to be – for the moment – a better option.   
Windows is currently the de facto standard in operating systems  
(which is why most people don’t know a thing about computing),  
because people choose to follow other people.  It’s this nice little  
feature of humanity.

But Microsoft’s empire is crumbling.  As Microsoft pushes for more  
imposed ‘security’, they will find themselves in a compromising  
position in which consumers are just not buying it any more.[2]   
Businesses move away from product based models and enter into service  
based models, because competition for products in zero-marginal  
markets just doesn’t make money anymore.

Privacy has too long been a second tier interest.  When it comes to  
convenience, ease and service, the one thing that is signed away  
easily are our identities.  What we need is a change of mindframe.   
Starting with a realization that our online identity does represent  
value, and that it is something that we should be concerned with.   
“Digital security”, therefore, is not an oxymoron, but a pars pro  
toto.  It denominates a mindset from which both privacy and security  
can be built, while effectuating our participation in a networked  
environment.

Will it work?  Well, for now you have to differentiate between which  
areas you want it applied in.  For digital uses, such as personal  
computing and net participation I am convinced this will become a new  
standard.  As Microsoft’s quest for control over the personal  
computer advances, it creates a system hanging together by a myriad  
of threads, which won’t sustain for a long time.  Web based services  
will move towards open models in which privacy will become a center  
player.  The Higgins project is a very nice example of this.[3]

As for government use; that might take a little longer.  I am  
faithful, however, that as we will increasingly see that security is  
best served by a system of transparent checks and balances,  
governments will start to realize that their paradoxical approach to  
security in the ‘interest’ of freedom will not work.  I am not  
arguing that secret services will disappear, but I am confident that  
our digital communications and existence will move towards a realm of  
real security.


[1] In this paper I use privacy in the sense of autonomy over  
individual identity.
[2] For an analysis of the potential of Trusted Computing I refer to  
my research paper: http://www.xs4all.nl/~avdwolk/coldcuts/ColdCuts/ 
Papers.html (forthcoming).
[3] Project Higgins, available at: http://www.eclipse.org/higgins/.
-----------------------------------------------------------------
Computers, Privacy, and the Constitution mailing list