“Nothing to Hide, Nothing to Fear: Defending Privacy and Private Property”
The SafeView Research Report is intended to give you a snapshot of technology risk management issues. Airius Internet Solutions manages SafeView data and provides strategic, tactical and emergency risk management consulting. If you have any technology risk issues, please contact Airius with your questions at firstname.lastname@example.org.
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated….
Read more background here.
There is no such thing as a right to privacy. Our Declaration of Independence does not promise this. The Constitution does not explicitly mention privacy. The closest reference to privacy is within the Fourth Amendment of the Constitution of the United States.
Over the last century, the concept of privacy as a right for individuals has evolved.
“The Right to Privacy” is a law review article written by Samuel Warren and Louis Brandeis and published in the 1890 Harvard Law Review. It is “one of the most influential essays in the history of American law” and is widely regarded as the first publication in the United States to advocate a right to privacy, articulating that right primarily as a “right to be let alone”.
“The press is overstepping in every direction the obvious bounds of propriety and of decency. Gossip is no longer the resource of the idle and of the vicious, but has become a trade, which is pursued with industry as well as effrontery. To satisfy a prurient taste the details of sexual relations are spread broadcast in the columns of the daily papers. To occupy the indolent, column upon column is filled with idle gossip, which can only be procured by intrusion upon the domestic circle.”
Privacy as a Human Right
The Universal Declaration of Human Rights (UDHR) is a declaration adopted by the United
Nations General Assembly on 10 December 1948 at the Palais de Chaillot, Paris. The Declaration arose directly from the experience of the Second World War and represents the first global expression of what many people believe to be the rights to which all human beings are inherently entitled. The full text is published by the United Nations on its website.
The Declaration consists of thirty articles which have been elaborated in subsequent international treaties, economic transfers, regional human rights instruments, national constitutions, and other laws. The International Bill of Human Rights consists of the Universal Declaration of Human Rights, the International Covenant on Economic, Social and Cultural Rights, and the International Covenant on Civil and Political Rights and its two Optional Protocols. In 1966, the General Assembly adopted the two detailed Covenants, which complete the International Bill of Human Rights. In 1976, after the Covenants had been ratified by a sufficient number of individual nations, the Bill took on the force of international law.
US Privacy Laws
The Constructs of Privacy in the US
Most states of the United States also grant a right to privacy and recognize four torts based on that right:
1. Intrusion upon seclusion or solitude, or into private affairs;
2. Public disclosure of embarrassing private facts;
3. Publicity which places a person in a false light in the public eye; and
4. Appropriation of name or likeness.
Evolution of Privacy Related Laws in the United States (don’t worry, this is summarized below)
Ownership of Private Digital Property
With significant changes in the laws around digital assets, content that is harvested legally is no longer the property of the original owner of the property. We can assume that local, state and federal authorities, along with internet service providers, healthcare, social media and cell companies, operating system, hardware and software manufacturers collectively have a library of personal data on each person.
This information has been harvested legitimately by all of these organizations for years at an ever increasing volume. Barring any successful challenge in supreme court, this data belongs to the collector. In this way, the government, law enforcement and commercial vendors harvest and keep personally identifiable information on billions of people around the world.
Individuals have little recourse to get the data that has been collected. While some laws and guidance exists regarding the safeguarding of this information, the data becomes the property of the collector once harvested, and may very well be governed by general and less restrictive information management policies. PII, healthcare data, financial information and all private communications may be stored in many third party repositories.
Internet Service Providers and cell service providers are generally secretive regarding the retention of customer access logs. However, it is reasonable to believe that they maintain logs for a year or more. The logs are property of the providers, and customers have NO claim to the data. It can include full transcripts of text messages for extended periods of time.
An individual has no rights associated to the harvested data. The party that collected it rarely has to disclose what they intend to collect, and they do not in practice disclose what has been collected, and how it is stored.
Surrendered Property Rights
Personal information is harvested by numerous parties. To avoid any confusion, any user must assume that ALL content distributed through the internet, through cell service, through broadband, has been collected, archived and saved by numerous parties. Let’s consider the implications:
1. Intellectual property is protected by copyright, trademark and patents. The challenge here is that sending a “private” email containing secret designs might constitute a public disclosure for the purposes of a patent.
2. Copyright is not granted to the harvester for all content. However, while there may not be a right of redistribution and modification, there is an implicit right of use.
3. Lawyers defending their clients against government have to assume that their communications with the clients are subject to review and scrutiny, without further disclosure, if those communications are electronic.
4. Businesses depend on technology to distribute ideas, opportunities, throughout the organization. Innovation can be stolen by an operating system vendor when a small developer uses electronic communications and cloud data storage. This might actually be authorized within the thousands of pages of EULAs that normal users are compelled to accept to just operate cell phones, tablets and small computers.
A problem not discussed yet is the reality that if law enforcement and vendors can and do harvest massive amounts of data using infrastructure built into our devices and the communications frameworks, competitors and conspirators are doing the same thing. Criminals, state and corporate sponsored cyber spies, do not abide to laws. An infrastructure that is designed to allow massive data harvesting may not discriminate between good guys and bad guys. Whoever has the key can open the lock. In some cases, a key is not even required.
What this means is that we have an infrastructure with weak protections around digital information, and taps at every point to harvest volumes of data. The taps are part of the underlying systems, so anyone gaining access could be collecting the same data. Since the good guys don’t log their collections, the bad guys don’t have to either.
Privacy Has Nothing to Do with Having Bad Things to Hide
The spirit of the law was to protect privacy and private property. With the advent of internet and email, laws initially defended routine harvesting of bulk data without warrants and just cause. Over time, protections eroded, and fear took precedence over privacy. Data was harvested in bulk by our government, and governments around the world. Despite recent changes in data collection laws, the data is still being collected and stored. Where government was grabbing everything, new laws make private companies directly responsible, and complicit with the mass surveillance of individuals.
Governments have created a weakness with laws that allow and encourage bulk data collection with little to no oversight. Vendors have incorporated logging and collection facilities – telemetry, customer experience program, and more – allowing them to harvest incredibly valuable information about individuals. Search engines collect even more data about individuals. When this harvesting is allowed by law, by design, without tracking the collection, and restricting it to finite activities, warrants, active cases, such activities allow the assumption of ownership of the collected data and rights.
Corporations have assets (information) that can be sold for profit. Service providers can provide detailed information about anyone, and do, without warrant. Fourth amendment protections apply to things owned by an individual, where a warrant is required to compel cooperation of the individual. When a third party has the data, the third party can choose to cooperate with no liability.
The infrastructure and legal climate may actually weaken prosecution of data harvesting by a state sponsored corporate spy who is able to copy all data transmitted over the internet. Since technology is so efficient at harvesting data, hacking from dark buildings in China is no longer required to collect data. A well funded effort can release popular software, make it free, and build in auto-update and user satisfaction technology.In doing so, users accept surrendering personal information by clicking on an End User License Agreement (EULA), and the harvester of the data is not committing a crime to steal private information.
Even though laws and business practices have undermined some protections afforded by the Fourth Amendment, data is still protected until it leaves the control of an individual.
A combination of the evolution of laws and technology has made it possible for legitimate organizations to collect massive sums of data from private individuals. Thanks to the same advances, rogue governments and shady organizations can harvest bulk data with equivalent ease.
The realistic likelihood is that every American and many individuals in Europe have already had their private information compromised by both legitimate and rogue sources. Without a way to track bulk collection, it is hard to audit the efficacy of data management practices, and it is impossible for organizations collecting to implement protections that only allow “secret” data collection from good guys while blocking the bad guys.
As this continues, digital commerce will be subject to problems validating the authentic source of a transaction. Individuals will be compelled to consider implants, use invasive biometrics, and accept even more intrusion into our privacy as we try to do basic things like buy gasoline and order things on Amazon.
The answer is not more technology while data is globally harvested. Individuals need to accept responsibility for any digital communications, assets, content, made available on the internet. In the next post, we will explore current technologies available to allow private users and organizations alike to protect data from good guys and bad guys equally.