We Have Unrealistic Expectations of Privacy

Nolan shared a short blog post with me yesterday about privacy that I thought was pretty good. I’m in agreement with the author, Bruce Schneier, who makes a great point about why our expectation of online privacy is unrealistic at this point. Here’s a quote from his piece:

“Your webmail is less under your control than it would be if you downloaded your mail to your computer. If you use Salesforce.com, you’re relying on that company to keep your data private. If you use Google Docs, you’re relying on Google. This is why the Electronic Privacy Information Center recently filed a complaint with the Federal Trade Commission: many of us are relying on Google’s security, but we don’t know what it is.

This is new. Twenty years ago, if someone wanted to look through your correspondence, he had to break into your house. Now, he can just break into your ISP. Ten years ago, your voicemail was on an answering machine in your office; now it’s on a computer owned by a telephone company. Your financial accounts are on remote websites protected only by passwords; your credit history is collected, stored, and sold by companies you don’t even know exist.”

Even though these services offer the convenience of not being tied to one machine, I ultimately think the problems that come from it should rightfully cause us to reconsider our priorities. In previous posts on privacy, two particular concepts have come up again and again. The first is ownership. In my post about how your social media profiles are not really private, the following string from the comments is indicative:

Ted

If someone wants their information, even on a profile, to be private, they should be able to. It’s theirs! Who can tell someone else what’s public or private?

Chris Butler

One thing that Vanessa Grigoriadis points out in her article is that Facebook has the most sophisticated privacy controls of any social network before it. But what I think is the point here is that, with the MySpace court case, the user chose to post certain information on their profile. It was only when that information got them into trouble that the user wanted it to be “private.” The point is that you can’t have something be public and then take back its “public-ness” after it becomes incriminating. To your last point (“it’s theirs”), Grigoriadis also points out that all that content you upload to your Facebook account is NOT yours anymore. It belongs to Facebook!

People seem to have made the assumption that the data they maintain with services like Facebook, MySpace, Google Docs, etc. belongs to them. But many of these services have clearly stated the opposite. In fact, it stands to reason that Google’s entire revenue model, based upon automatically placing advertising on the sides of pages comprised of users’ emails, documents, blog posts, etc., is predicated on Google’s ownership of this content. Google gives away the processing power, storage, convenience and visibility, but the cost is that what you create with those tools, so long as it remains on their servers, is not yours. Think about it: If you bought some cheap hosting somewhere and put up a simple html page with some text you wrote, wouldn’t you be surprised if one day you pulled it up and saw a Google ad on it? You would probably be confused at best, but most likely irate due to having had your content essentially pirated by another company. But nobody has these feelings with the content they put up with Google, Facebook, etc. Why do we get the terms of the exchange but still expect ownership?

The second concept is intentionality of critical policy making. In my post about cloud computing and privacy, I quoted Brad Templeton, the chairman of the Electronic Frontier Foundation, who said:

“When you have something on the computer in your house, it is protected by the Fourth Amendment. If you put something on a computer owned by Facebook, it is not protected by the Fourth Amendment. It is only protected in some cases—email has a law that protects email and medical data has a law that protects medical data, and there are laws governing banking records. Specific laws protect certain types of data, but by changing the way we do computing so that all of our data is stored in the cloud we are effectively moving all of our personal data out of our houses and into big data warehouses, and we are erasing a line from the Bill of Rights.We may decide that we want to do that, but I want to make sure that we do not do it casually.”

What he’s saying is that laws protecting data were crafted with our common sense understanding of what we own when we actually possess it. Yes, intellectual property laws provide plenty of nuance in this regard, but what I’m talking about here is a transition from personal data storage to corporate data storage. It makes a lot of sense to anyone to think that if you have a hard drive in your home with data on it, that data is protected on your behalf by the Constitution. The assumption is that the same protection applies to the same data when you willingly store it on Google’s servers, but that assumption is wrong. As Bruce Schneier goes on to say in his post,

“This isn’t a technological problem; it’s a legal problem. The courts need to recognize that in the information age, virtual privacy and physical privacy don’t have the same boundaries.”

He’s right. It is a legal problem, but I’m not sure if adapting the fourth amendment to account for “the cloud” is the only solution worth discussing. There have go to be other approaches. For instance, Nolan and I discussed the idea of having all your data exist locally on your machine, but creating some kind of protected protocol that allows you to share particular data with services like Facebook, for example. Of course, the privacy issues are still at play. We’d have to beef up the security on your machine to make sure that whatever means we employ to connect it to Facebook does not become a vulnerability to the rest of the machine. Also, in what way is the data protected between your machine and it’s final destination on Facebook’s (or any other “cloud” service’s) server? No matter what we decide to do, we need to make sure that we are deliberately making that decision. I think the low turnout of “voters” on Facebook’s recent “democratic” privacy settings vote shows that people may be disgruntled about these issue, but are still fairly complacent when it comes to actually doing anything about them.