zondag 11 december 2011

On Privacy, Data Protection and Anonymity

The value of internet for the emancipation of peoples has reached a high water mark in 2011. Uprisings in North Africa have shown its value for the rest of Africa, the Middle and Far East. I was honoured by several invitations to join think tank discussions on enhancing and also appreciating the value that internet has. It brought me to considerations on the protection of people's privacy on-line. Privacy or anonymity?

Privacy is a rather undefinable subject. How people look onto privacy depends very much on their culture and background. It does have a legal context in the US for example. Sometimes, the US concept of 'the right to be let alone' is stated as the start of the legal concept but there are many, older starts as well, amongst others in British law. Its complexity makes it hard to handle.

In general talk, people consider privacy as having the right to keep information about themselves out of reach or view from others. This includes life and limb but also property and facts. Even though others may know these people, these acquaintances should ask permission to gather information.

Personal Data Protection
So privacy is not the same as personal data protection. The Data Protection Acts that have been introduced in Europe and elsewhere restrict their legal district to ICT systems. These acts are often called Privacy Law but in fact they are not. This data protection concept is only about the collection (and any other processing) of personal data – it is “informational privacy” and thus a subset of privacy in general. Data however becomes only “information” once it is being used by the human mind: meaningful data. It describes facts about an identifiable individual. Only it that case do we speak of “personal” data.

Now, back to the subject of the liberation of peoples. So we had a Networking Event on “Democracy and Digitisation” during the International Day of Democracy meeting, organised by the European Partnership for Democracy and others (Sept 2011). I had the privilege to join the Waag Society's conference on 'Digital Democracy 2020' (Nov 2011). And just now, (Dec 2011) we had the Freedom Online conference, called together by Free Press Unlimited and the Ministry of Foreign Affairs. I will not go into details of these wonderful events, please do follow the links.

People fighting for liberty and democracy in their home countries, who were participating at the above events, run severe risks from brutality, incarceration to death penalty. Many of them use modern internet-based technology to spread the word, discuss issues and organise their own events. Even so, as Ahmed Maher (April 6 Movement, Egypt) said to me, “internet is only a tool, handy but without it the revolution will have its way anyway”. Still, internet is used intensively and helps to speed the process. But not without its own dangers.

Governmental malware
Governments can have their own way with internet. Not only is access to internet services blocked or filtered. IP addresses will show the regimes in dictator-run countries the whereabouts of bloggers and writers. Email can be read, copied and traced back to its origin. A privacy law or data protection act will not help.

Even here in Europe we see the danger by the discovery of the Bundestrojaner, key-logger and communication spyware devised by the German Secret Service, against the formal decision of the Bundesverfassungsgericht (Federal Constitutional Court of Germany). The Bundestrojaner shows that even encryption of email may not be enough: it copies your text while it is written, before encryption. (If it wasn't so shocking, it could be an exciting Discovery Channel feature film).

A certain amount of governmental distrust seems in place all over, reason to ask Eric Schmidt (Google), co-host at the Freedom Online conference, whether we should forego privacy and whether we should not aim for privacy on the internet but for anonymity, to support and safeguard the democracy bloggers, writers and organisers. Unfortunately his answer was not what I had hoped for: “Google makes it possible to work anonymously with our services (and servers). We only collect your IP address”. Yes, thank you, that is the whole point.

What's the difference, you ask? Well, privacy (here understood as personal data protection) means that information about you and your whereabouts can (and will) be collected and stored. And it can and will be used against you, either in your public life or in a court of law. You can create laws as much as you like, but even the country that shouts 'freedom' the hardest, the US, collects data about you and you have no way or legal status to protect yourself if you're not a US citizen. Privacy is guarding against the use of your data after or during the collection.

Anonymity on the other hand makes it possible to collect all your data but impossible to trace it back to you. Here you do not need laws; you need knowledge, awareness and some technology. It is just possible. But you do need help from companies like Facebook, Twitter, Google, Microsoft, Yahoo and the like. And your government should support and promote the use of anonymous technology.

Governments hate this. I remember that back in the old days anon.penet.fi was taken down: a server that anonymised the exchange of information between any two system. This Finnish server, run by Julf Helsingius, was shut down. Several governments were said to be involved. Freedom, what?

3 opmerkingen:

  1. Mr. Schmidt has a point: because without an IP address offering services is impossible. But are anonymous proxies the solution? I guess personalization of devices is much more threatening for privacy. Check https://panopticlick.eff.org for more on untraceability of anonymous data ...

  2. I believe Mr. Schmidt missed the point. And so did Mr. Bill Gates when I asked him the almost same question in a different setting in 2003.

    It is the question of authorization versus identification.

    Offering services doesn't mean collecting personal identifiers for months and years without end. Providing services with authentication but without identification must be the provider's problem, not the customer's.

    1. The link in the post of December 26 should have read: http://www.archieflivre.nl/content-partners-gast/jan-willem-broekema/-bill-vertrekt-het-eind-van-een-era.html.