Against the collection of private data: The unknown risk factor
I bet there are thousands of blog posts advocating privacy and explaining why people should resist governments and companies collecting personal data. I dare to write yet another one because I would like to make a couple of points that I have never seen made before. This post will discuss one of these two points: the unknown risk.
There are several good reasons not to agree to companies and governments collecting private data on you. People who disagree with this, often state that if you are not a criminal and have nothing to hide, there is no reason for you to oppose data collection and mass surveillance. This logic is obviously flawed, but it’s not always easy to see why. A paper titled “‘I Have Nothing to Hide’ and Other Misunderstandings of Privacy”, by Daniel J. Solove, tries to give some idea on why the concept is flawed; with some success. The commonly presented notion that a person who did nothing wrong has no reason to be spied on in the first place is completely valid, but somehow misses the underlying question of what is the risk that the person faces by having his private data collected and stored.
A couple of years ago, I made one point, which I have never yet seen repeated by anyone, although I still insist that it holds. I stressed, in this post that enabling advertising that is better targeted implies higher return on investment in unsolicited mail. This increase leads to more money being diverted to spam campaigns; money that will eventually feed resources that fight spam fighting. The only reason that spam has not made digital communication useless, is that it is reasonably mitigated, that is, filtered. If spam becomes effective enough (by becoming better targeted, thanks to our collected data) to be worth more money to advertisers, this will be money spent on countering our spam filters; the filters thanks to which we can still use e-mail.
I would like to make another novel (I think) point on this risk, explaining why a decent person should not allow data to be gathered on him.
What is the risk that a law abiding person faces by having dossiers of private information collected on him? There is only one right answer, and I wonder why I don’t hear it. The answer is that we just don’t know. Cory Doctorow once compared this data to plutonium. Once it was collected, there is no way to get rid of it. With storage available at an ever decreasing price, there is no reason for any company or agency to ever delete anything. Data about you that is collected today is available forever, and only degrades to the level that its relevance degrades. The future holds new options for both the collection and the correlation of data; options that we just cannot foresee today, but which will apply to today’s data also, and which will be enabled by the data collection habits we cultivate today.
The risk you face by private information gathering into the future is simply unknown. Call it a “2nd-order risk”.
It is widely acknowledged that we tend to overestimate technological progress of the next year, but underestimate progress in a decade. A decade ago, we could not foresee the data collected by Facebook, Twitter, Apple, etc., and even the collection of location data was limited to cellular operators and had just little context to enhance its usability. Back then, we were still concerned with the logs that credit card companies kept on our purchases, as if that was the biggest privacy leak ever.
In ten years, the data collected on you today, which will refuse to die, will be joined by more information, context and correlation tools, which we cannot imagine now. What will be your privacy risk by allowing data-collection habits for companies and governments today? We truly have no idea. We can only tell that it will be a larger risk than of today, because data never goes away, but we don’t know how it will grow. If risk is “unsure damage”, then this unknown risk is “unsure unsure damage”. Let us call it “2nd-order risk”.
I have nothing to hide, but if you put me at an added risk, along with risk that cannot be properly managed for its being undefinable, then you shall be able to explain what I, or society, gain in return.
Display comments as Linear | Threaded