left alone, together
There’s a depressing sort of symmetry in the fact that our modern paradigms of privacy were developed in response to the proliferation of photography and its exploitation by tabloids. The seminal 1890 Harvard Law Review article The Right to Privacy—which every essay about data privacy is contractually obligated to cite—argued that the right of an individual to object to the publication of photographs ought to be considered part of a general ‘right to be let alone’.
130 years on, privacy is still largely conceived of as an individual thing, wherein we get to make solo decisions about when we want to be left alone and when we’re comfortable being trespassed upon. This principle undergirds the notice-and-consent model of data management, which you might also know as the Pavlovian response to click “I agree” on any popup and login screen with little regard for the forty pages of legalese you might be agreeing to.
The thing is, the right to be left alone makes perfect sense when you’re managing information relationships between individuals, where there are generally pretty clear social norms around what constitutes a boundary violation. Reasonable people can and do disagree as to the level of privacy they expect, but if I invite you into my home and you snoop through my bedside table and read my diary, there isn’t much ambiguity about that being an invasion.
But in the age of ✨ networked computing ✨, this individual model of privacy just doesn’t scale anymore. There are too many exponentially intersecting relationships for any of us to keep in our head. It’s no longer just about what we tell a friend or the tax collector or even a journalist. It’s the digital footprint that we often unknowingly leave in our wake every time we interact with something online, and how all of those websites and apps and their shadowy partners talk to each other behind our backs. It’s the cameras in malls tracking our location and sometimes emotions, and it’s the license plate readers compiling a log of our movements.
At a time when governments and companies are increasingly investing in surveillance mechanisms under the guise of security and transparency, that scale is only going to keep growing. Our individual comfort about whether we are left alone is no longer the only, or even the most salient part of the story, and we need to think about privacy as a public good and a collective value.
Notice-and-consent fundamentally assumes that we’re always free to choose how our data is used, but that ignores the constraints of the real-world contexts in which we make those decisions. At a very basic level, if you work somewhere that uses Gmail, good luck telling your boss you conscientiously object to Google. And if your kid’s friends are all on Instagram, the choice between handing their data over to Facebook or being socially shut out is not exactly a neutral decision.
But even if we did have full control over these decisions, the amount of energy that would be required for all of us to monitor everyone we’ve ever given any data to, forever, is just too much, especially when those privacy relationships are constantly changing, and we are constantly changing too.
Have I Been Pwned is a wonderful service that can tell you if your email has been part of a large scale data breach. Every time I look at my personal list (seventeen and counting), one of them always draws my eye because it’s a site I signed up for when I was eleven years old: Neopets. There is absolutely nothing you could’ve done to persuade that 11-year-old kid not to sign up for Neopets, and there’s also nothing I can do now as an adult to undo the harm. Is it my responsibility to have taken steps to delete my accounts on everything I’ve ever stopped using?
Assuming I’m not reusing passwords all over the place, at least the worst thing you could do with my Neopets account is mistreat my virtual pet. Imagine, instead, that you’re a queer kid living in a small town in 1999, and you sign up for Livejournal and use it to find a supportive and loving queer community online. Then in 2007 Livejournal gets sold to a company based in Russia, which in 2013 criminalizes the distribution of pro-LGBTQ content to minors, and in 2017 Livejournal loses the account info of 26 million users. Was it your responsibility to monitor the shifting geopolitical context of your childhood diary for the next two decades?
The impossibility of this burden to individually safeguard our data often reminds me of recycling. Because yes, there are absolutely digital safety practices to lower our risk of exposure, but they don’t address the core issue that there’s too much data, too many data brokers, too many transactions hidden from the user’s view. And yes, we can and should recycle, but it doesn’t change the fact that 71% of global emissions can be traced back to 100 companies, and it certainly doesn’t change the fact that those companies have spent decades lying to us about how effective recycling is so that they can keep churning out plastic. Those are structural problems that we can’t recycle our way out of, just as we can’t notice-and-consent our way into collective privacy.
I like thinking about privacy as being collective, because it feels like a more true reflection of the fact that our lives are made up of relationships, and information about our lives is social and contextual by nature. The fact that I have a sister also indicates that my sister has at least one sibling: me. If I took a DNA test through 23andme I’m not just disclosing information about me but also about everyone that I’m related to, none of whom are able to give consent. The privacy implications for familial DNA are pretty broad: this information might be used to sell or withhold products and services, expose family secrets, or implicate a future as-yet-unborn relative in a crime. I could email 23andme and ask them to delete my records, and they might eventually comply in a month or three. But my present and future relatives wouldn’t be able to do that, or even know that their privacy had been compromised at all.
Even with data that’s less fraught than our genome, our decisions about what we expose to the world have externalities for the people around us. I might think nothing of posting a photo of going out with my friends and mentioning the name of the bar, but I’ve just exposed our physical location to the internet. If one of my friends has had to deal with a stalker in their past, I could’ve put their physical safety at risk. Even if I’m careful to make the post friends-only, the people I trust are not the same as the people my friends trust. In an individual model of privacy, we are only as private as our least private friend.
Amidst the global pandemic, this might sound not dissimilar to public health. When I decide whether to wear a mask in public, that’s partially about how much the mask will protect me from airborne droplets. But it’s also—perhaps more significantly—about protecting everyone else from me.
People who refuse to wear a mask because they’re willing to risk getting Covid are often only thinking about their bodies as a thing to defend, whose sanctity depends on the strength of their individual immune system. They’re not thinking about their bodies as a thing that can also attack, that can be the conduit that kills someone else. People who are careless about their own data because they think they’ve done nothing wrong are only thinking of the harms that they might experience, not the harms that they can cause.
The thing about common goods like public health, though, is that there’s only so much individual actions can achieve without a collective response that targets systemic problems. While we owe a duty of care to one another, it’s not enough for all of us to be willing to wear masks if there’s no contact tracing, no paid sick leave, no medical manufacturing and distribution capacity, no international sharing of vaccine research. And it’s not enough for each of us to be individually vigilant about our information if unscrupulous trackers are gathering up data we didn’t even know we were shedding, or if law enforcement is buying up that data on the private market to use for surveillance purposes none of us ever consented to.
Data collection isn’t always bad, but it is always risky. Sometimes that’s due to shoddy design and programming or lazy security practices. But even the best engineers often fail to build risk-free systems, by the very nature of systems.
Systems are easier to attack than they are to defend. If you want to defend a system, you have to make sure every part of it is perfectly implemented to guard against any possible vulnerabilities. Oftentimes, trying to defend a system means adding additional components, which just ends up creating more potential weak points. Whereas if you want to attack, all you have to do is find the one weakness that the systems designer missed. (Or, to paraphrase the IRA, you only have to be lucky once.)
This is true of all systems, digital or analog, but the thing that makes computer systems particularly vulnerable is that the same weaknesses can be deployed across millions of devices, in our phones and laptops and watches and toasters and refrigerators and doorbells. When a vulnerability is discovered in one system, an entire class of devices around the world is instantly a potential target, but we still have to go fix them one by one.
This is how the Equifax data leak happened. Equifax used a piece of open source software that had a security flaw in it, the people who work on that software found it and fixed it, and instead of diligently updating their systems Equifax hit the snooze button for four months and let hackers steal hundreds of millions of customer records. And while Equifax is definitely guilty of the aforementioned lazy security practices, this incident also illustrates how fragile computer systems are. From the moment this bug was discovered, every server in the world that ran that software was at risk.
What’s worse, in many cases people weren’t even aware that their data was stored with Equifax. If you’re an adult who has had a job or a phone bill or interacted with a bank in the last seven years, your identifying information is collected by Equifax whether you like it or not. The only way to opt out would have been to be among the small percentage of overwhelmingly young, poor, and racialized people who have no credit histories, which significantly limits the scope of their ability to participate in the economy. How do you notice-and-consent your way out of that?
Software engineer Maciej Ceglowski gave an excellent talk in 2015 that compared data to nuclear waste. While the promise of nuclear energy is great, we’ve never quite figured out what to do with nuclear waste, which will outlive all the institutions that generated it. Oftentimes, we shrug, stick it in a big vat underground, put up some scary warning signs and hope for the best. Similarly, because data storage has become so cheap, it’s easy to keep all of it just in case you figure out how to make money from it at some point. This means there’s just petabytes of toxic data on hard drives all around the world, waiting to go off.
As ineffective as recycling might be, at least it’s something we can do to reduce our footprint. But there’s little you or I can do to prevent thousands of tons of radioactive waste from spilling into a river, whether by accident or by corporate design.
I could go on and on about the practical reasons to shift away from privacy as an individual phenomenon, but honestly the main thing that motivates me is that I want to live in a society where everyone has a basic right to privacy.
Privacy is essential to human agency and dignity. Denying someone privacy—even when it’s as seemingly small as a parent who won’t let their kid close the door—has a corrosive effect, eroding trust as well as our sense of interiority. When we scale up the individual to a body politic, it is the private sphere that’s crucial for our capacity for democracy and self-determination. As individuals, we need privacy to figure out who we are when we’re no longer performing the self. As a collective, we have to be able to distinguish who we are as individuals hidden from the norms and pressures of the group in order to reason clearly about how we want to shape the group. Elections have secret ballots for a reason.
If we do care about privacy as a collective value, then it cannot be an individual burden. Right now, privacy is essentially a luxury good. If you can afford not to use coupons, you don’t have to let retailers track your shopping habits with loyalty points. If you’re technically savvy, you don’t have to let Gmail see all your emails. Not only does that make access to privacy incredibly inequitable, it also affects our collective understanding of what is a “normal” amount of privacy.
I don’t just mean that in terms of the weird looks checkout clerks give me when I decline to provide my email or postal code or phone number for 10% off next time I shop. If everyone uses insecure texting apps, then having an encrypted chat app like Signal on your phone becomes a red flag to law enforcement. If you use Signal because you’re an activist or you belong to a marginalized group targeted by the state, you are doubly harmed by this norm.
An individual framing of this problem asks questions like, why don’t you want Google to see your email? What have you got to hide? But if you only have the right to privacy when you’re hypervigilant about defending it, you never really had that right to begin with. Instead, at a very minimum the question should be: why does Google deserve to see your email?
And if I can be more ambitious: what values do we as a society want to enshrine in our communication systems? The seriousness with which most legal frameworks treat mail fraud indicates that the capacity for private communication is a pretty important social value. So how can we best design the technical protocols and systems for electronic mail to protect what we care about?
There unfortunately isn’t one weird trick to save democracy, but that doesn’t mean there aren’t lessons we can learn from history to figure out how to protect privacy as a public good. The scale and ubiquity of computers may be unprecedented, but so is the scale of our collective knowledge.
For example, we know one of the ways to make people care about negative externalities is to make them pay for it; that’s why carbon pricing is one of the most efficient ways of reducing emissions. There’s no reason why we couldn’t enact a data tax of some kind. We can also take a cautionary tale from pricing externalities, because you have to have the will to enforce it. Western Canada is littered with tens of thousands of orphan wells that oil production companies said they would clean up and haven’t, and now the Canadian government is chipping in billions of dollars to do it for them. This means we must build in enforcement mechanisms at the same time that we’re designing principles for data governance, otherwise it’s little more than ethics-washing.
We also know that while public goods often have a free rider problem, people are actually pretty willing to act for the collective good if they know that others will, too. There are many examples around the world of communities banding together to collectively govern a shared resource, like forestry, grazing grounds, and wells. The same principle can also be used in data governance, using systems like data trusts or a data commons. Nor is that collective action limited to users and consumers. Anyone who works with data can influence the future of privacy by organizing with their coworkers. Our tech overlords are powerful, but they still rely on the labour of their employees. If you work in tech, building collective labour power is one of the most effective things you can do to influence policy and product direction. If unions didn’t work, executives wouldn’t be so terrified of them.
But all of that starts with a shift in how we see privacy and its relationship to data governance.
In 1962, a book called Silent Spring by Rachel Carson documenting the widespread ecological harms caused by synthetic pesticides went off like a metaphorical bomb in the nascent environmental movement. Rachel Carson was far from the first person to criticize DDT, but she captured the public’s horrified imagination by demonstrating that DDT’s systemic impact on the biosphere was something we needed to solve collectively. Silent Spring is credited with the surge of environmental activism in the 60s, a ban on the use of DDT for agriculture in the US, and eventually the creation of the US Environmental Protection Agency.
I know the political landscape and information space are very different today than in the 60s, and history is never as clean as a paragraph-long recounting makes it sound. Nevertheless, I find the story of Silent Spring incredibly hopeful, because it’s a story about the power that shifting our frame of focus can have in expanding our vision of what’s possible.
I’m not saying data is like DDT. But right now, we’re still only thinking about privacy protection in incremental terms, by changing the individual data relationships between consumers and corporations. If we think of privacy as a public good, the scale of solutions we can let ourselves imagine becomes so much bigger. It might feel ludicrous to think about drastic measures like banning inferred data, or data expiry by default, or taxing data as an income, but banning DDT also seemed ludicrous until it wasn’t. Nothing about how technology shows up in our lives is predetermined; these are all policy choices. We cannot afford to keep treating the question of privacy as a narrow technocratic or procedural problem. But there’s no telling what expansive solutions might open up to us when we see this fight for privacy for what it really is, a fight for a public good, and our fundamental collective rights.
This essay is substantively adapted from a talk I gave at Theorizing the Web Presents in October of 2020. My thanks to TtW for giving me the space to work out some of these ideas, as well as Kathy, Sarah, Ellie, Jamie, Jane, and Chris for reading several early drafts and providing valuable feedback.