Privacy by Profession
To mangle the old bon mot: “Every problem has a solution that is Obvious, Simple and an Utter Privacy Disaster”
Today (Mid-March, 2021) in Australia, the internet is abuzz with pointing-and-laughing at a police official who mused that creating a smartphone application to record sexual consent is a laudable solution to recent public concern around Rape Culture and in particular several very high-profile sexual assault allegations. Of course, this is a terrible idea. One digital rights advocate called it “fractally wrong. The closer you look, the wronger it is”.
What’s the worst that could happen?
Besides the particular misunderstanding of the nature and process of consent, just imagine what could go wrong if we diarised our every sexual contact in a collective database. I’ll wait.
You’re not imagining hard enough. It’s worse than that. No, even worse.
I want you to picture every internet application failure-mode applied to the bedroom:
- Instagram: “We noticed you have 3 sexual partners in common with Charlie. You should hook up”.
- WikiLeaks: “There are calls for a senior politician to resign after leaked app data shows a pattern of assignations with junior staffers over many decades”.
- Ebay: “A partner in your wish list is Not Getting Any, and may be available”.
- Twitter: “Your previous sexual partner, Alex, is trending”.
- Foursquare: “You are now the Mayor of Banksia Park, with 15 hookups so far this year”.
- LinkedIn: “Your former sexual partner Andy is now sleeping with Kelly”.
- Amazon: “Since you got it on with Dallas, you might also like Bobbie, Jamie or Taylor”.
- Centrelink: “We are aware that you slept with Morgan, who is a high income earner. Your benefits are now suspended”.
- Facebook: “Your spouse has two new sexual partners. See details”.
- Telegram: “You engaged in [CENSORED SEX ACT]. Would you like us to proposition all of your contacts who are also into [CENSORED SEX ACT]?”.
- MyGov: “You have a new sexual partner in your MyGov inbox”.
- HaveIBeenPwned: “Alert: Your history of sexual activity has appeared in this Dark-Net data dump”.
This is why we can’t have nice things. Every useful technology is also susceptible to abusers, corporate sociopaths, or just the Law of Unintended Consequences.
You may not realise it, but if you are building any kind of website or application, you are in the Privacy business, and you owe it to your customers to be Professional about it.
This is not an article that will tell you “20 things you need to know to avoid consulting an expert”. In fact, I am aiming here to leave you feeling less confident in your abilities after reading this, not more.
In my professional life I advise, advocate, design and implement in the so-called “Internet of Things” sector, that is the practice of extending human vision and agency through the creation of internet-connected sensors, actuators and applications. By accident of my career history I have accumulated broad experience in Software engineering, Electronics, Cloud Services and InfoSec. By disposition, I ardently desire a sci-fi future filled with household robots, bodily implanted computers, intelligent agents, and ubiquitous sensors. I’m obsessed with reconciling the utopia I seek with the dystopia my technical experience leads me to expect.
I’m not going to give you solutions today, but I can give you some questions to ask, when you are buying, designing or implementing a product:
If you collect it, it will leak
Is it possible to not collect this data at all?
Is it possible to store this data only for a limited time rather than indefinitely? For how long? Can I identify and expire data that is no longer needed?
Should I remove Personally Identifiable Information from this data if this can be done while still achieving my goal?
Do I need to be able to meet my obligations under laws such as EU GDPR (and also under common decency) to remove data corresponding to an individual who so requests?
Should I consider processing data at or near point of collection in order to reduce the detail of transmitted and stored data?
Should I endeavour to achieve my aims while retaining only aggregate statistics instead of individual data?
Is it possible that a formerly willing participant in a data set may wish to retract their involvement?
Is it possible that deliberate provision of incorrect data could be used to abuse or persecute someone?
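The questions above are the ones a data-minimisation design answers in code: drop what the purpose does not need before it is stored, coarsen what remains, keep aggregates rather than individuals, expire detail on a schedule, and be able to honour an erasure request. The following is an added illustration, not code from the article; it assumes a hypothetical venue check-in service whose only stated purpose is foot traffic per venue per hour, a 30-day retention period and a pseudonymous subject id kept solely so that erasure requests can be honoured. All sample events are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=30)   # assumption: the purpose needs at most 30 days of per-event detail


@dataclass
class Record:
    """What actually reaches storage. Name, email and GPS fix never get this far."""
    subject_id: str        # pseudonymous id, retained only so an erasure request can be honoured
    collected_at: datetime
    venue: str
    hour: int              # exact timestamp coarsened to the hour at the point of collection


def minimise(raw: dict, collected_at: datetime) -> Record:
    """Reduce a raw event to the fields the stated purpose needs, at the point of collection."""
    return Record(
        subject_id=raw["subject_id"],
        collected_at=collected_at,
        venue=raw["venue"],
        hour=collected_at.hour,
    )


class Store:
    def __init__(self):
        self.records = []            # per-event detail, subject to expiry and erasure
        self.aggregate = Counter()   # (venue, hour) -> count; this is the product, and it outlives the detail

    def collect(self, raw: dict, now: datetime) -> None:
        rec = minimise(raw, now)
        self.records.append(rec)
        self.aggregate[(rec.venue, rec.hour)] += 1

    def expire(self, now: datetime) -> int:
        """Drop every record older than RETENTION; returns how many were removed."""
        before = len(self.records)
        self.records = [r for r in self.records if now - r.collected_at < RETENTION]
        return before - len(self.records)

    def erase(self, subject_id: str) -> int:
        """Honour an erasure request for one pseudonymous subject; returns how many records were removed."""
        before = len(self.records)
        self.records = [r for r in self.records if r.subject_id != subject_id]
        return before - len(self.records)

    @staticmethod
    def stored_field_names() -> set:
        return set(Record.__dataclass_fields__)


def run_scenario() -> dict:
    """Walk three constructed events through collection, expiry and erasure."""
    t0 = datetime(2021, 3, 1, 9, 30, tzinfo=timezone.utc)
    store = Store()
    raw_events = [  # constructed sample input; the identity fields are exactly what must not be stored
        {"subject_id": "u1", "name": "Alex", "email": "alex@example.invalid", "venue": "cafe", "gps": (-34.9, 138.6)},
        {"subject_id": "u2", "name": "Sam", "email": "sam@example.invalid", "venue": "cafe", "gps": (-34.9, 138.6)},
        {"subject_id": "u1", "name": "Alex", "email": "alex@example.invalid", "venue": "gym", "gps": (-34.9, 138.6)},
    ]
    for day, ev in enumerate(raw_events):
        store.collect(ev, t0 + timedelta(days=day))

    leaked_fields = {"name", "email", "gps"} & store.stored_field_names()
    total_before = sum(store.aggregate.values())
    expired = store.expire(t0 + timedelta(days=31))   # day-0 and day-1 records are now 30+ days old
    erased = store.erase("u1")                         # the one surviving record belongs to u1
    return {
        "leaked_fields": leaked_fields,                    # set(): identity never reached storage
        "total_before": total_before,                      # 3
        "expired": expired,                                # 2
        "erased": erased,                                  # 1
        "remaining": len(store.records),                   # 0
        "aggregate_total": sum(store.aggregate.values()),  # 3: the aggregate survives, the individuals do not
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The design choice worth noting is that the aggregate counter is updated at collection time, so the product never depends on the per-event records existing; expiry and erasure can therefore be aggressive without breaking the feature.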
If you centralise, miners gonna mine
Can correlating individuals within this data reveal further information about them that was not specifically collected?
Can this data be used to identify groups of people that are vulnerable or subject to persecution in some way?
Can this data be used to infer an individual’s membership in a vulnerable group?
Could an abuser correlate this data with other data-sets in order to violate privacy, reveal new information, or act abusively?
Could information in this data set be used to infer conclusions about relatives, neighbours or other non-involved contacts of a participant?
Could statistical methods or correlation be used to recover identity from de-identified data?
Is there a risk to a high-profile individual of having someone locate their data in a collection out of perverse curiosity or malicious motive?
Might enemies (political, ideological or personal) of a person or group attempt to use this data in a dangerous fashion?
Is there a risk that vulnerable individuals or groups could have this data used to persecute them?
Should I endeavour to provide access to data in a way that allows a user’s stated need to be achieved, AND NO MORE?
Must I provide a capability to revoke granted access to data?
Do transitive associations between individuals in this data set reveal information that was not specifically collected?
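The correlation questions above can be turned into a check that runs before any "de-identified" extract is released. The following is an added example, not code from the article. It assumes a hypothetical health extract with the names removed but postcode, birth year and sex left intact, and a separate, constructed "public register" of the kind an outsider could plausibly obtain. The check measures the smallest equivalence class across the quasi-identifier columns (the k of k-anonymity) and how many released rows match exactly one register entry; it then applies a simple generalisation (postcode prefix, birth decade) and measures again. All data is constructed.

```python
from collections import Counter, defaultdict

# Columns an outsider could learn about a person from elsewhere (assumption for this example).
QUASI = ("postcode", "birth_year", "sex")


def key_of(row: dict, quasi=QUASI) -> tuple:
    return tuple(row[c] for c in quasi)


def min_k(rows, quasi=QUASI) -> int:
    """Size of the smallest group of rows that share the same quasi-identifier values.
    A value of 1 means at least one person is unique in the release."""
    return min(Counter(key_of(r, quasi) for r in rows).values())


def uniquely_linkable(released, auxiliary, quasi=QUASI) -> int:
    """Count released rows whose quasi-identifiers match exactly one auxiliary record,
    i.e. rows that the auxiliary data would put a name to."""
    index = defaultdict(list)
    for a in auxiliary:
        index[key_of(a, quasi)].append(a)
    return sum(1 for r in released if len(index.get(key_of(r, quasi), [])) == 1)


def generalise(row: dict) -> dict:
    """Coarsen the quasi-identifiers: keep two postcode digits, round birth year to the decade."""
    return {**row, "postcode": row["postcode"][:2] + "**", "birth_year": (row["birth_year"] // 10) * 10}


def release_check(released, auxiliary, k_required: int = 2) -> dict:
    """Pre-release gate: report k and linkability before and after generalisation."""
    generalised = [generalise(r) for r in released]
    aux_generalised = [generalise(a) for a in auxiliary]
    return {
        "k_raw": min_k(released),
        "linkable_raw": uniquely_linkable(released, auxiliary),
        "k_generalised": min_k(generalised),
        "linkable_generalised": uniquely_linkable(generalised, aux_generalised),
        "ok_to_release_raw": min_k(released) >= k_required,
        "ok_to_release_generalised": min_k(generalised) >= k_required,
    }


# Constructed "de-identified" extract: names removed, quasi-identifiers intact.
RELEASED = [
    {"postcode": "5091", "birth_year": 1984, "sex": "F", "diagnosis": "flu"},
    {"postcode": "5091", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"postcode": "5092", "birth_year": 1979, "sex": "M", "diagnosis": "diabetes"},
    {"postcode": "5093", "birth_year": 1985, "sex": "F", "diagnosis": "flu"},
    {"postcode": "5091", "birth_year": 1986, "sex": "F", "diagnosis": "asthma"},
    {"postcode": "5092", "birth_year": 1979, "sex": "M", "diagnosis": "flu"},
]

# Constructed auxiliary register of the kind that is often public: names with the same three attributes.
AUXILIARY = [
    {"name": "Alex", "postcode": "5093", "birth_year": 1985, "sex": "F"},
    {"name": "Sam", "postcode": "5091", "birth_year": 1986, "sex": "F"},
    {"name": "Kim", "postcode": "5091", "birth_year": 1984, "sex": "F"},
    {"name": "Jo", "postcode": "5091", "birth_year": 1984, "sex": "F"},
    {"name": "Pat", "postcode": "5092", "birth_year": 1979, "sex": "M"},
    {"name": "Lee", "postcode": "5092", "birth_year": 1979, "sex": "M"},
    {"name": "Dana", "postcode": "5094", "birth_year": 1990, "sex": "F"},
]


def run_check() -> dict:
    return release_check(RELEASED, AUXILIARY)


if __name__ == "__main__":
    for key, value in run_check().items():
        print(f"{key}: {value}")
```

On the constructed data two of the six "anonymous" rows are unique on the three columns and match exactly one register entry, so the raw extract fails the gate; after generalisation every group has at least two members and no row links to a single register entry. Generalisation costs analytic precision, which is the trade-off the aggregate-statistics question above is really asking about.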
If you “share” your data, it’s not “your data” any more
Are there adverse consequences to an individual if this data is stolen or leaked? Should I consider ways to reduce the impact?
Is there certain information that, if made public about an individual, would irrevocably change their life?
Does this data have a value if stolen?
Is there a risk to this data being used in unforeseen ways if it is re-sold or re-packaged?
Could legal subpoena, government or law-enforcement access, or nation-state espionage expose individuals in this data-set to risk?
Could this information be used to politically or commercially manipulate the relevant individuals?
If this data referred to you personally, is there a situation in which you would regret providing it?
The answer, by the way, to all of the above questions is YES. The whole field of Data Science is about doing those things; inferring conclusions is what data is for.
Some data could be too dangerous to hold. I can’t tell you which, but if you ask yourself all these questions, perhaps you already know. I certainly hope the process of asking those questions causes you to be more careful in what you collect and store.
If you remember Just One Thing, make it this:
Privacy is hard. Some say privacy on the Internet is impossible.
You need to think beyond “is my product useful?” to “how could a terrible person use my product to do harm?”.