Trip report from the Privacy Symposium

This is a cross-post from Burton Group’s Identity Blog.

BTW, I am moderating a panel at Defrag. If you use “ig1″ as a registration code, you get $200 off the registration fee. Hope to see you there!

A few weeks ago I was up in Cambridge at the Privacy Summer Symposium.  Gathered together on Harvard’s campus were a collection of lawyers, activists, government officials, and privacy officers discussing various aspects of privacy.  It was certainly a bit of a change for me to be in a non-tech heavy conference.  Besides hearing people like the chairman of the FTC, William Kovacic, speak, I got to witness the launch of EPIC’s Privacy ’08 campaign.  Further, I got to hear Jeffery Rosen share his thoughts on potential privacy “Chernobyls,” events and trends that will fundamentally alter our privacy in the next 3 to 10 years.

Privacy Chernobyl #1 – Targeted Ads

We’ve already seen enough concern over targeted ads to trigger Congressional hearings.  The Energy and Commerce Committee in the House has been asking ISPs and advertising providers to answer questions as to how they track and use clickstream data. Not be left out, the EU has notified the UK that it must respond to an inquiry whether the Phorm system violated EU data privacy laws.  From NebuAd to Phorm to DoubleClick and beyond, targeted ads are getting more and more targeted.  The real concern for Rosen is the downstream use of the collected clickstream data.  For example, my ISP may not directly do anything overly odious with the information about which sites I visit, but if they sell that information, the 2nd and 3rd generation data users may bit a more nefarious.

Privacy Chernobyl #2 – Personally identifiable search term leak

The knowledge of who I am and what I search for can be used in a variety of ways: from serving voyeuristic desires to putting me in a compromising situation.  Without being able to provide the context for the searches, I could be judged by a people like a potential employer, dating service, or insurance provider unfairly, and these judgments can have a real impact on my life.  As YouTube has to disclose data for its court case, I have to imagine there are some people who really don’t want identifiable searches being disclosed into the public record.  As more and more of our web browsing is search driven, the potential impact of this problem will only grow.

Privacy Chernobyl #3 – Unexpected data exposure on Facebook

There are two concerns to this issue.  The first concern is one that Rosen categorized as data exposure in unexpected ways.  I may have tailored my Facebook profile’s privacy settings to what I think strikes a decent balance between my desire to connect to people and maintaining some level of privacy.  But what is unclear is how Facebook application developers are using my data, including clickstream data.  I don’t expect to hear a friend tell me that I “friended” a product whose ad appeared in Facebook for her, and I certainly never want to hear that this has happened.

The second issue is there is a disconnect between social expectations of privacy and current reality.  I was talking to a friend of mine, a professor at American University, who teaches a class on social networking.  One of the first reactions her class has is, “How dare a potential employer look at my Facebook profile!”  I may share potentially embarrassing photos of me from a Catalyst conference with my friends thinking that those photos will accessible only to them and forget (or not know) that that is simply not the case.  This is a problem of social norms and a topic I’ll return to.

Privacy Chernobyl #4 – The Star Wars Kid

You’ve probably seen the original video and the myriad of remixes already.  Dan Solove wrote about this recently for Scientific American.  The concern is that each and every one of us is now armed with nearly infinite distribution capabilities.  Give an excellent presentation – it becomes a web sensation.  Imitate Tom Cruise’s karaoke in Risky Business – it becomes a web sensation as well.  We are losing spaces where we can let our public persona down and be our private selves.

Privacy Chernobyl #5 – Ubiquitous surveillance

We are constructing Bentham’s Panopticon and it is pure security theater.  I have written about the “security” cameras in my neighborhood and my concerns about who has access to them.  Further the number of mobile surveillance units is increasing rapidly, all in the name of security.  Closed-circuit television, CCTV, will become open-circuit sooner than we think. We are entering a time when all of our actions, even those in the home, will be viewable and third-party access to this complete surveillance is a truly frightening situation.

What can be done?

Rosen and other speakers all stressed the need for new social norms.  We lack the social language to describe our privacy expectations and needs.  Just as with the telegraph and telephone, we will develop social norms (and then laws will follow) for social networks, search terms, and clickstreams.  But to develop these norms, society must raise privacy up from being a topic for security wonks and people wearing tin-foil hats, to a conversation that we all can participate in.

In the coming months, the team here at Burton Group will be exploring privacy issues like these, offering guidance on how enterprises can avoid setting off a privacy Chernobyl, how to shape the privacy discussion, and the impact of potential privacy regulation.

Watch this space for coming developments.