Is our privacy at risk?

In recent weeks discussions have flared up about privacy issues and the alleged failure of airport security measures in light of recent events. On the one hand there is the foiled terrorist attempt on a Holland – USA flight, on the other hand we have the adopted legislation regarding swift information exchange with the USA following the pending move of swift servers from the USA to Europe.

The discussions I read mostly centered around the issues “privacy vs. security & cost to society”, “Rule of law vs. Lawlessnes” and “Effectiveness of measures taken”.

Privacy, security and the cost to society.

Privacy advocates all around the globe warn that the private character of information about citizens is in danger. One of the arguments to make their case is the lack of self-control, i.e. we have no control over what is happening with the collected data ourselves. In case of biometric information all reason goes out the window in some of the “advocates” on the adagium my biometrics == me.

I do agree -in part- with their case. In the situation where I choose to share personal or private information with certain parties I will demand that they tell me what use they have for the required info and that they use the gathered data solely for the intended purpose, whitout leaking this information to third parties, be it voluntary or involuntary. It is a whole other ballgame in situations where I do not have control over what is done with my data, e.g. when regulatory obligations dictate a data recipient to share certain (parts) of info with third parties, i.e. in case of  the SWIFT story swift will be obliged to volunteer certain types of info to law enforcement agencies in the USA.

Example: if I give my phone company an address so that they can send me a bill, I expect them to use it for that purpose alone and I will have a case against them were I to learn that they sold the info to, say, a provider of electrical power. However, when I provide my bank with the same address details I have no problem whatsoever with the fact that they will share the information with anti-fraud agencies in case they judged a financial transaction I conducted to be of a doubtful or obscure nature. They must comply with anti-fraud laws and can not but share the information. Why? Because the cost of fraudulent transactions to society can be enormous, in lost tax revenue, in reputation and in human lives if the money is eventually used in the financing of terrorist action.
In case of biometric readings or body scans on airports I also feel that the violation of privacy is in proportion to the risk they are intended to mitigate or contain.  The cost of not doing it is too damn high. If my being scanned helps law enforcement officers or airport security staff to prevent a fundamentalistic madman to blow up the plane I was about to board, you damn right, I gladly let myself be scanned.

Misuse of power, data retention and privacy

I am NOT pleading for an uncontrolled collection of data. The legislators have to make sure that the collected data is treated with due diligence and care. If a company or government agency collects personal or private information, make them inform the involved parties: What is the goal of the data collection? What is the info needed and used for? How long will it be retained? How can you make sure the data is removed? This information of the subject must of course be done beforehand, and if possible you as a private citizen should have the right to disallow datacollection.
Failure to provide information, albeit personal, may then of course result in less service or no service, i.e. if you refuse to be bodyscanned, one could argue that such a person is prohibited to board the plane.
On the other side, legislators must put in place legal safeguards, to make sure that all parties that collect information of a private or personal nature take action to prevent data leakage or unintended use. Also, we must be careful not to drop the level of protected privacy so low that governments have uncontrolled access and use of the collected data.
This calls for both a good classification of information and a exhaustive risks assessment of what we are trying to protect. In casu, the flights passengers and the financial transactions of innocent people. We have need for good definition and scope of the information accessed so that we are able to define which types of information are needed to prevent a certain type of risk to the integrity of the protected.
Law makers should decide what information is available to what parties and why, (Business) needs for information and data types should be mapped and evaluated, e.g. if I need to send you a bill I do not need your birthday, but only an address and perhaps a phone number, no more, no less. Each permission to collect certain data, must also describe the constraints and conditions that are to be met to be allowed access to the data afterwards. Measures must be taken to restrict access to sensitive information to a limited number of people, in a limited set of conditions and situations, for a limited period of time. In the best of worlds, the subject of the information should have some form of control of this process.
In short, abuse or even unintended improper use of the collected data should be dissuaded and even punished, should it occur.
This is not a easy matter, since we as humans are essentially “broadcasting” information that can be used to uniquely identify us, i.e. biometric info -iris, fingerprint, voice…e.a. Technology exists to even identify persons from a distant photo (iPhoto anyone?) We must be aware of this. We leave our DNA all over the place…

Rule of Law vs. Police state
In reading the press related to the prevented terrorist attack I can’t but feel that RISK and the CONSEQUENCES of a terrorist attack are mistakenly(?) being mixed.

I fear that there is a risk that governments are dropping the right on privacy to a historic low in search for a solution to preventing terrorist attacks. In my view the risk of terrorist attacks may not be abused to sneakily enforce a downgrade of civil rights and privacy. The rule of law and democracy should prevail. If we fail to find an acceptable solution within the rule of law, and we evolve sneakily to a police state, then the terrorists have won.

Should we try and learn from what happened? YES. Should we throw all previous efforts and investments out the window? I fear that this is not realistic. We must have the courage to question the actions of several parties involved in the investigation and prevention of the Christmas terrorist attack. We must re-evaluate the processes, tools and people that where used and involved, keep what is good, improve where we can. We must also be aware that the recent events do not lead to improper measures that are out of proportion in regards to the risks against which they are meant to protect us.

Also, bear in mind the purpose of the Law. The law deals with those persons or actions that are not conform the ruleset our society adheres to, i.e. the law tells what to do with situations that are in conflict with the norm. The law is not there to regulate normal people or behaviour. In case of the SWIFT story, laws exsist in several countries to define what constitutes a possible fraudulent transaction or financial pattern. The law also stipulates in what circumstances information may be exchanged, and furthermore it also defines what information is to be exchanged and how the exchange is to be conducted. It will define the rules for the information exchange. The law protects the innocent, by telling us how to handle the abnormal. On cannot capture a criminal without in some cases investigating also the innocent. Hence the “pretence of innocence until proven guilty”.

Furthermore we have the difficulty that in order to provide democracy with the rule of law, the people that are enforcing the law have to move in bounds of the law. Criminals and by extention terrorists are not eagerly abiding by the law. This tension field is always there and is not always facilitating the work of our law enforcers. So every bit that can help, within reason, to capture those responsible for threatening our way of life is most appreciated by those trying to protect us.

Effectiveness of measures taken…

One of the questions raised is: can profiling help? I can be brief, if done correctly it can help. We must also bear in mind that it is only one of many tools, that can give us some insight afterwards. It can perhaps learn to understand why a person became a terrorist, but I am not convinced that it will help us to prevent terrorists from perfoming there gruesome acts. Terrorists will try and evade any profile, applied to them. Also, profiling has the tendencing of becoming to focused on a small set of aspects of the suspects. We should keep an open mind, think and work creatively, actively search for potential weaknesses, continually assess and re-evaluate our system, and in this way strengthen our resilience to attacks.

I am fairly confident that the current risk profile of an actual attack succeeding is low, much lower than, say, 20 or 30 years ago. However the possible consequences of a blown up plane and the cost in human lives should motivate us to do all that is humanly possible, but we must be aware that we can not protect ourselves against the rage of a madman, in all circumstances at all times! A very dedicated terrorist is like water, he or she will follow the way of least resistance. So resist, be alert and prepared… and hope for the best. That’s really all we can do, but we can not give up, … ever.

Should law makers and agencies guard our privacy to the best of their ability. YES. (duh) Should we be wary about who gets what information about us? OFCOURCE. Should we be ready to give up some privacy in trade for some security? Hell, yea.

As always, the above are my own views, inspired by what I read in the press, on blogs, etc. Do you agree? Don’t you ? Please do comment.