Recently, I engaged some friends in a discussion about privacy issues. In some cases they didn't see the big deal around these until I began to articulate their importance with examples. In going through this process and trying to figure out how to express the various tensions around these issues, it helped me gain some insights into why it's been challenging to subscribe to some of the notions about privacy that have been suggested by legislative and industry efforts. Some of this may be basic to some, but for those trying to come to terms with privacy issues, I'm hoping the following post will be helpful.
Let me start by saying that privacy in all its glory, is about one thing, CONTEXT. Whether we are talking about data or information, it's important to understand that without context, none of it has any value, whether good or bad or anything in between. Words only get judged through the meaning we ascribe to them. If Content is King, then Context is the Emperor, for data is not information without context, and information has no value without context. Think about that. By the same token, the context you apply to any data makes all the difference, it is this point that frequently confuses people.
Let's start by talking about something as simple as one's name and address information. This is information that most people believe to be indiscriminately personally identifiable information, the very thing that no marketer should ever get unless the person gives them explicit permission to have it. Some people would go so far as to say that they "own" that information about themselves. However, it's clear that this can't be. In fact, the post office, your neighbors, anyone who finds your lost luggage, anyone who receives a "snail-mail" letter from you and all who see it pass by them, anyone you show your driver's license to, the previous tenants or owners of your home, and a host of other people, have or have had access to this information about you and can do what they wish with it. For those people who have their names (or last names) on their mailboxes, that means that anyone walking by their home or apartment building lobby could also have access to and make use of this information. So how could this information be owned by anyone? Though perhaps the better question is what does ownership of information entitle since clearly it can be in many people's possession for good reason? I won't address these questions here, though I personally don't believe information can be owned as property. Instead, I'm going to touch on more fundamental issues.
In all of the examples of people who have your information, we should note that there are good reasons to let some of those people know or have access to this information even without your explicit permission. Even in
Facebook's recent announcements saying that they would allow developers to have access to their users' and their users' friends' addresses and phone numbers, they did this because new creative applications are able to provide users with better and more useful services if they have access to this information. So there's nothing inherently wrong with anyone having this information, what becomes troubling is when this information appears or is used in a context that we did not permit, anticipate or have control over.
There's a company called
Jigsaw, which was recently acquired by Salesforce.com. The way the service worked is that sales people would enter business card information of their contacts into the system in order to gain credits which they could use to get contact information about prospects. This was a service targeted to sales people. The company took a lot of flack from the media and non-users (people who were not the target customers), because they felt violated by a service that encouraged sales people to provide their contacts databases in exchange for the contact information on people whom they did not know and might want to reach out to. Imagine that you have a business meeting and all the participants exchange cards. While you never really know what any of the people receiving your card is going to do with it, you assume that they will respect that you gave it to them with some sort of implied confidence. The reality is that at least one (if not more than one) person at the meeting will eventually enter your information into their company's CRM (Customer Relationship Management) system. This also means that everyone in their company will have access to your contact information. In other words the context of giving your card to someone at a business meeting was fine, but in the context that it ends up on some random service's mailing list or contacts database makes this less palatable.
Now let's take a slightly more extreme example, imagine getting into a fight with a friend and sending them an email where you say something to the effect of "eat shit and die". By happenstance, a few days later your friend dies of a stroke due to some rare food allergy, but because the death happened under mysterious circumstances this leads investigators to check your friend's email account. On its own and under the context that I'm pissed at my friend from an argument we had, "eat shit and die" is an understandable response. The same words under the context that my friend ate something which killed them, take on a whole new meaning. They certainly are cause for concern and place me as a suspect in my friend's death. Note that in one circumstance (or context), the words were fine, albeit strong and even hurtful, under circumstances that I could never have foreseen the words become cause enough for me to look like a potential murderer.
Consider the recent events surrounding Wikileaks and the discomfort that governments officials are going through as a result of the release of the confidential cables, the pattern of behavior suggests that in the context of diplomatic communications, none of what was being said was of any serious consequence among the communicators and their intended audience. However, once the context changed, and a critical public that has not had the benefit of understanding how diplomatic policy is conducted, the words now have to answer to some very different interpretations. What they say about statistics, that "statistics can be made to prove anything, even the truth", can also be said about context. What is worrisome to most is that we never know when someone will take known information about us and process it through a context that we are not aware of or in control of.
What these examples show is that information, in and of itself, is not the problem we are facing when we discuss privacy issues. The problem is that there has been no way to know (or control) the context under which information about us will be viewed or used over time, and hence even the most seemingly innocent data or information about us in one context can become an indictment of our character or worse, when viewed under another. When we give information about ourselves to someone or a company by virtue of also knowing what it will be used for, we control the context and we are comforted by that. As soon more is done with this information about us, we lose that control and we lose that comfort. The fact that there are services out there compiling and aggregating information about each of us has been happening for a long time, but most people were unaware or only mildly aware of this. Most certainly aren't aware of the extent to which it has been happening. Recently,
Rapleaf shared some information about Microsoft and Google employee food buying habits. They did this through the combination of the user data Rapleaf has, with user data kept by a loyalty card data aggregator. We could probably venture to guess that neither the Microsoft or Google employees that made purchases using their loyalty cards expected that information about their purchases as it relates to their employment with these companies would be used in this way. By extension, if an insurance company wanted to price their insurance to either of these companies based on this data, this would certainly make many people very uncomfortable. Was the individual shopper's data private? Not really, anyone at the supermarket could have seen what each one of these people purchased unless they placed a blanket over their shopping cart and at the checkout stand. By virtue of using a loyalty card, the supermarket certainly had a record of the transaction which means that the shoppers willingly agreed to be tracked, likely in exchange for some food item discounts. Combining this information with their email addresses in order to determine where these people worked, is not part of the context these users agreed to.
A
recent example of law enforcement databases combining their information with marketing databases has been unsettling, not least of which is because as we know, many of the marketing databases lack the integrity and accuracy we would expect of data that is to be co-mingled with law enforcement data about us. Context matters, and our ability to control and maintain this information is important. Note, there are likely many reasons that we would all provide more information about ourselves, which would also be more accurate, given the right value proposition. If we understood how and when it would be used, we would be willing participants. In the example above about the eating habits of employees being surreptitiously obtained, there are great inaccuracies and that's part of what would be upsetting if we ever found out an insurance company was using these methods to obtain information about our eating habits. By contrast, if the insurance companies suggested that a healthy lifestyle would enable us to reduce our monthly health insurance bill (think Allstate's good driving record discount), then perhaps we would not only be more likely to maintain the accuracy of this information, but also motivated to provide it willingly. All this, so long as we control that this is the only context under which that information would be put to use.
So where does that leave us? Frankly, I'm not sure. It's very hard to legislate or regulate the concept of context. Heck, as it is our laws have very little notion of context. If the contexts for exceptions to a law are not all considered in advance and written into the law, then the law is followed literally. This is clearly unfortunate since new contexts emerge all the time and at a pace faster than laws can be changed to address these. We see this all the time, generally in heart wrenching scenarios where the letter of the law is followed rather than the spirit of the law. With privacy issues and the upcoming privacy bill, it feels like our legislators continue to play the game of trying to foresee all of the possible problematic contexts rather than understanding the need to establish frameworks that work for current unknowns. As part of this framework, it's critical that we put people in control of their information. I believe the result of doing this is that we will see the emergence of a new class of service provider that will help people manage their and interact with their information and those [companies or people] they interact with in ways that make this process easier.
Doc Searls over at the
Harvard's Berkman Center For Internet & Society has been working on
ProjectVRM which is working on addressing how people can more easily and effectively interact with the companies they do business with through the concept of Vendor Relationship Management.
There is a brave new world coming and we should not lose sight of what we mean and understand by privacy in order to move the ball forward in a positive direction for our social and commercial ecosystems. This, with an understanding that commerce is only a part of that, not the center around which everything revolves. Privacy is all about Context, remember that. In a future post, I'll try to discuss Context Arbitrage, which is where I believe a lot of money is being made today and why we need to get a handle on it.