I've been pondering privacy. Why do we care so much about it and what's the best way to go about protecting it? It's a tricky thing because not only does (almost) none of us want absolute privacy, but oftentimes we want the opposite: we want to connect with other people, explore and discover new things and new people, and sometimes even advertise ourselves (anyone else looking for a job these days?).
Privacy is especially important to me these days as I am a new father and my wife and I are carefully navigating how to expose our baby daughter to the world. We want to share her with friends and loved ones and sometimes even strangers (we've already had one offer for her to model), but certainly not absolutely, and naturally I feel I need to protect her identity. Protect her from what exactly?...
My first foray into the online world was in the late 1980s through BBSes. BBSes were wonderful, marvellous things. At school you were a geeky loner, but when you got home and connected to one of dozens (even in a small city) of local BBSes, suddenly you could connect with all the other geeky loners in your area. Everything was out in the open: it really was a “bulletin board” system in the most literal sense, with no private messages (except to the SysOp). But no one cared. We didn't have privacy in the technical sense of the term because everyone's posts and messages were public. But in a more functional and pragmatic sense, we did have privacy. Nobody used their real names, and there were no bad agents spying on us trying to use our data against us.
The 1990s had a similar feel, if a bit bigger and crazier. We had email, which offered some modicum of privacy (not a lot, by today's standards), but even that I didn't use much. Most of the communicating and exploring happened in (public) IRC channels and people putting up their own (obviously very public) “homepages” with some (public) forums sprinkled in. Similar to the BBS era, everything was mostly public (even IP addresses) and people could have been spying on us, but it didn't feel like they were.
I think a lot of people would pick Facebook as a turning point when it comes to privacy. For me, there are three things that set Facebook apart from what came before it:
1. Facebook administration wasn't “one of us”. Right from day one, Mark Zuckerberg was not part of the community of users. I know technically he was a user, but culturally he didn't feel like he was. This set up a different atmosphere than I was accustomed to.
2. Facebook encouraged, and later required, users to use their real names. No longer were people encouraged to be pseudonymous.
3. Facebook started targeting ads early on. This wasn't a “hey guys I need to throw a banner ad up at the top of the forum to pay the bills, sorry”: this was a calculated move to target each individual user as a revenue stream.
#1 and #3 combine to give an antagonistic and arguably exploitative relationship, where the service exists only as a means to extract data from users and sell it back to them in the form of targeted advertising. Facebook wasn't a real community: it was an attempt to construct a community as a means to exploit it. It's like the difference between discussing something with your friend over beers and discussing it in a focus group.
Since the advent of Facebook, the importance of privacy has increased. Part of this is due to FAANG and friends taking more of our data. Smartphones gave them a tremendous amount of information to draw from: no longer do companies only have our basic demographics (age, gender, job, general area, etc.), but they know when we wake up, when we go to work, how we go to work, who we talk to, what we talk about, and a tonne more.
The other part of the puzzle, though, is that we are starting to see more of what our data is being used for. People now speculate on precisely how creepy FAANG is in targeting its ads for us. A friend and I talk about buying a folding bike in the same room as his smart TV. I go home and log onto Facebook and see an ad for a folding bike. Is it a coincidence? Does it matter?
If this is all there is to data, then I believe we might be in a personal data bubble, in that it's less valuable than companies are willing to pay for it. No doubt targeted advertising can be valuable. We are weak, emotional, irrational, impulsive, easily manipulated animals, and ads targeted at us can very well convince us to spend more of our money. As data collection, data analytics and advertising get more sophisticated, data will get more valuable: think about how much more valuable you would be to targeted advertising if advertisers knew your personal psychological triggers to make you more impulsive.
But, though we may be irrational, we are not totally irrational. We have the ability to be rational and restrain ourselves. We budget ourselves. We reconcile our credit card statements. We take sober moments here and there to reflect on our habits and no matter how slick and subtle an ad targeting us may come at us, it can't make us spend more than we've disciplined ourselves to spend.
If data were only about targeted ads, I think it's not the end of the world at a personal level. At a societal level, it's probably widening the divide between those who have data (the super-rich data-slurping companies) and those who don't. But that's for another time.
But it's not just about targeted ads. There are a few spectres on the horizon for how our data can be used against us.
One, which we've seen already, is border control. Border guards use technology that scans through our social networking posts. They've even started seizing and imaging our smartphones. They're looking for information that can be used against us when travelling internationally.
The other, more interesting one, is how our data can be used against us in differential pricing. There have been publicized examples of companies using your device's operating system to determine how much to charge you for airline tickets and hotel rooms. Apple users are willing to pay more, and some companies in the past (not sure if any are still around) used the user's user agent string to determine what price to show them. Windows users might pay only $189 for a hotel room that OS X users pay $209 for, all other things being equal.
But we can take it further. Imagine you're a hotel and you're running a website to allow customers to book rooms at that hotel. A potential customer comes to the website and you have to show them a price. What price should you show them? Well, it depends on what information you have about them.
What if you knew they needed a hotel room because of a funeral? What if you knew exactly which funeral hall and cemetery they were going to be visiting, and knew that your hotel was the closest? Would you be tempted to give them a higher rate knowing that you were their best choice? If you knew they were in a psychologically vulnerable state?
Ultimately I don't think privacy is necessarily about preciously safeguarding everything about us. In the extreme case, this sort of overreaction just makes us anti-social and hermits. We are still social animals and need to make connections with people. The keys in my mind are:
1. We should be participating in genuine communities. Not fake constructed communities like Facebook or Instagram, but communities that are operated by community members. The recent wave of Fediverse communities (and resurgence on IRC) has helped a lot here.
2. We must be encouraged to use pseudonyms. Using personally identifying information is a valid choice for some people, but it must not be considered the default choice (or, heaven forfend, the only choice).
3. Revealing data must be a conscious and deliberate act. Anything implicit or secretive should be avoided. There are some situations where this cannot reasonably be avoided (either I reveal my IP address to every website I visit, or I reveal my IP address and every website I visit to a VPN provider), in which case we have to rely on educating people to help them realize what they're revealing.