Law in Contemporary Society

The Expanding Bounds of Identifiability

The Tools

On March 1, 2012, Google’s new privacy policy went into effect. The policy applies uniformly to Google products such as Gmail, Calendar and Google Search, unifying the 70+ policies that previously governed data sharing within the individual products. Google claims the change will create a more streamlined, individually tailored internet experience. On its face, the unification promotes transparency by limiting the number of policies that Google users must review to inform themselves of the rules to which they are subject. However, the new policy also allows communication between the products, so that a user’s actions in one product can shape the user’s experience of the others. For example, watching a video tour of a law school on YouTube may result in a Phoenix Law advertisement above the user’s Gmail inbox. While this seemingly innocuous feature could marginally improve the user’s experience, it also gives rise to a problem increasingly characteristic of online services.

Individually, Google’s services can collect only a limited amount of data by which those with access to the server logs can identify the user. When the services begin to share such data, each user’s unique combination of activity makes that user more identifiable.

This is technical nonsense. Many of these services require signing in, and the new privacy policy specifically covers sharing data among these services only when the user is signed in. So there is no identifiability question involved at all.

Beyond becoming identifiable, these users also create a rich pattern of behavior from which anyone with access to the server logs can build a predictive algorithm for their future actions. Services like Facebook, whose superficial purpose is social networking, make no effort to hide the fact that the service will collect user information and make predictions about the user’s desires and future activities. Google’s policy, however, states that Google may share “non-personally identifiable information” publicly and with its partners.

A non-sequitur.

However, as Google intertwines its available information, and as people’s surging Facebook activity provides more data to Facebook’s servers, there is a growing pool of user information that can predict the user’s characteristics to a mind-boggling extent. Even those with access only to the publicly listed information on Facebook can extract unlisted information. In 2009, a group of MIT students designed an algorithm that predicted a male user’s unlisted sexual orientation from his Facebook profile. While confirming the algorithm’s results posed obvious problems, the program correctly identified the sexual orientation of all ten users for whom the students had independent verification. Given the amount of information that users currently provide to Google, the predictive algorithms that Google could create have the potential to deduce far more about the user than the user ever intended to reveal.
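The essay does not describe how the MIT students’ predictor actually worked. Purely to illustrate the class of inference being discussed, a minimal sketch (in Python) of one hypothetical approach, a majority vote over the attributes a user’s friends choose to list publicly, might look like the following; the function name, data, and method are assumptions for illustration, not the students’ actual algorithm.

from collections import Counter

def predict_unlisted_attribute(friends_attributes):
    # Guess a hidden attribute as the value most common among the
    # attributes a user's friends list publicly (None means unlisted).
    listed = [a for a in friends_attributes if a is not None]
    if not listed:
        return None
    value, _count = Counter(listed).most_common(1)[0]
    return value

# Hypothetical example: most of this user's friends publicly list "X",
# so the sketch infers the user's own unlisted value is probably "X".
print(predict_unlisted_attribute(["X", "X", None, "Y", "X"]))

Even this toy shows the essay’s point: information the user never lists can be inferred from data others volunteer, and far richer behavioral logs would support correspondingly stronger inferences.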

So it would be correct to say that the changes at Google were designed to make Google's treatment of user data derived from its services more unitary, like Facebook's. You could just have said that, without additions of dubious accuracy. And Google does not require "real name" identification, unlike Facebook, which you don't mention.

The Legal Barriers

This type of subtle invasion of privacy is one the law will have trouble curbing. If we take Cohen’s functional approach to legal decisions and ask what such a law would have to do, we run into several problems. Much of the information provided to these sites’ servers is useless byte by byte, so there is no individual characteristic that can be withheld to deplete the power of these invasive mechanisms. Further, almost every invasive mechanism confers a corresponding perceived benefit: Google’s Docs and Calendar features grant the servers access to the user’s whereabouts and interests, but they also allow the user to access his schedule and documents instantly from any terminal he chooses. Facebook’s “Check-In” feature allows the servers to track users’ whereabouts and, when the check-in location is a store or restaurant, their tastes in products; it also, however, allows users to meet when they find themselves in the same vicinity. Because the loss of privacy is not always apparent, many users may be unwilling to forfeit the benefits until the consequences hit home.

This is all waste motion, complexity without purpose. The reason the law "will have trouble curbing" this activity is that people voluntarily agree to provide their information in return for the services they receive. Regulatory intervention therefore requires a showing that people should not be allowed to make the arrangements they evidently presently choose to make. This is, and should be, difficult. Freedom to exchange information is strongly protected against government intervention by an object called the First Amendment.

This issue will be troublesome for the courts because it is not susceptible to a beloved bright-line rule. The extent to which privacy is invaded is the extent to which user information is impermissibly used to intrude on the user’s persona and communications, and that in turn varies directly with the intruder’s capacity and creativity in deducing a greater whole from the sum of the data the user sends to the server. Thus, the question for the court becomes whether the data is being used impermissibly, beyond the purposes for which the user voluntarily provided it. This in turn gives rise to problems of transcendental nonsense, as questions such as “voluntariness” and “permissibility” could fall prey to purely legal operational definitions.

Lastly, there is a practical problem that the courts will confront in attempting to resolve such disputes through legal channels. One of Holmes’s statements about the law describes it as a habit: the rules of our fathers and neighbors carry forward by momentum. It takes a gradual chipping away of the existing understanding of privacy to effect a change that recognizes such a right on the internet, a place without a physical location in which that right can be violated. The law is not a speedy tool of change. Only in 2010 did a federal appeals court acknowledge a right to privacy in private e-mail, ruling in US v. Warshak that the government must obtain a search warrant before seizing such e-mail. Even then, the court acknowledged this right based on the similarities between e-mail and traditional mail. If the right to privacy violated by the data-gathering social tools of the 21st century is to be recognized at law, it will likely have to be analogized to another established right to privacy. This is particularly difficult given the quickly evolving nature of technology and social tools; the rights they violate may not resemble any particular set of established rights long enough for the law to protect them. Perhaps the efficient solution is technological rather than legal, but until some safeguard is implemented, the servers will continue to hone their predictive powers unchecked.

I teach a course or two on this subject, which you might find it interesting to take. The present analysis is blowsy, repetitive, occasionally inaccurate, and out of touch with the arguments on the other side. The problem you are writing about is real, and I spend more than a little bit of my professional time working on it. But if you're going either to understand it or do something about it, you need to back up and consider the nature of the objections posed at each of your key points, both in order to learn about the parts of the problem you don't yet fully understand, and in order to deal more effectively with the real legal issues, which have less to do with Cohen or Holmes than you seem to think.
