Tuesday, August 7, 2012

Privacy is about trust and control

Originally posted 06/13/2011 on lubbockonline.com

In a guest blog post on Security Catalyst in 2009 Aaron Titus explained the importance of privacy in a world that equates privacy concerns with illegal activity. He focuses specifically on a phrase that pops up quite a bit when talking about privacy, "If you have nothing to hide, why worry about privacy." I've seen that phrase or some variant thousands of times. It sounds reasonable, but it's not. As Aaron points out, it misses the point entirely:

Baloney. I have everything to hide! When someone says, “I have nothing to hide,” it’s simply not true. What he really means is, “I have nothing to be ashamed of,” which may be true. But shame is only one, limited reason for confidentiality. Confidentiality is not an admission of guilt. I have much to hide, for one simple reason. I cannot trust people to act reasonably or responsibly when they are in possession of certain facts about me, even if I am not ashamed of those facts. For example, I keep my social security number private from a would-be criminal, because I can’t trust that he’ll act responsibly with the information. I’m certainly not ashamed of my SSN. Studies have shown that cancer patients loose their jobs at five times the rate of other employees, and employers tend to overestimate cancer patients’ fatigue. Cancer patients need privacy to avoid unreasonable and irresponsible employment decisions. Cancer patients aren’t ashamed of their medical status—they just need to keep their jobs.

Trust is a major reason we need to be able to keep some things private. But it's not the only one. Another reason I hear there's no need to worry about privacy is that it's already too late, we have no privacy anyway. It may feel that way, but it's not true. It is true that a lot of our information is out there, but far from all of it. We need to protect the rest, and start getting back control of what is already out.

That is another element of privacy, control. Keeping control of your information. We should be able to decide who can gather our information and what they can do with it. Facebook apps are a perfect example of this - though not the only one. To use most apps on Facebook you have to allow them to access not just your information, but your friends as well. And you have no say in how they use any of that information. So to use an app, even one that just allows you to post an interesting article on your wall with a click, you have to give up your friends information. Even if they've set their privacy settings so that only friends and family can see their pages the app gets access to everything because you used a simple way to share information on Facebook. They shouldn't be able to require you to turn over your friends, and you shouldn't be able to even if you want to.

When groups like the Electronic Frontier Foundation and the Electronic Privacy Information Center fight for privacy, they aren't fighting for the right to commit crimes, but the right to keep private information that is nobody's business but yours. I'm glad there are people and groups with the desire and the resources to fight that fight, whether or not we realize it needs fighting.