Transparency and privacy

A note for context: I presented a much-abbreviated version of this talk at an Extropian conference in San Jose on June 17, 2001 (with David Brin in the audience, just to make it a little more nerve-wracking). I have reworked it a bit to better suit a general audience. The references to Hal Varian, Harvey Newstrom, Tadd Hogg, and Mark Miller refer to earlier talks in that conference. I also updated it a bit. This was before Facebook, before the iPhone, before Youtube. I think those things have strengthened my position.

In The Transparent Society, David Brin envisions a world of universal surveillance by small ubiquitous cameras, recorders, and other electronic monitoring and profiling techniques that deprive citizens of much of the privacy we enjoy today. But far from being the Orwellian nightmare a knee-jerk libertarian reaction might suppose, Brin hails this as a positive step in the evolution of our culture and looks forward to it as a world of unprecedented freedom. Though we disagree about other political issues, I happen to agree with him on this one.

This is a minority opinion, even among those with whom I share much political and ethical common ground. The Electronic Frontier Foundation, for example, which I heartily endorse for their great work supporting free speeach and the rights of consumers on the Internet, also advocates for privacy protections well beyond what I would consider necessary or reasonable.

Definitions of Privacy

The word “privacy” is used to mean different things, so I think it is important to begin by outlining those. There are at least three significant meanings I have found:

  1. The ability (technical and legal) to choose for yourself with whom you will associate and how. We live in individual “private” houses with roommates and family of our choosing; we form work groups and social groups of our own choosing; we do not in general want others to impose themselves upon our lives in ways that we can't control.
  2. The ability (technical and legal) to keep secrets. We want the ability to have information that we don't reveal to others, or that we reveal selectively. Likewise, we want to be able to give and keep confidences with others.
  3. The ability to prevent others from distributing information about you.

The first of these is pretty uncontroversial. It is generally accepted in our culture that we have a right to choose our own associates, and we have technologies to accomplish it: walls and fences, caller ID and blocking, transportation for meeting our chosen friends in chosen places, and online tools like spam filters. The law recognizes invasions of this kind of privacy as trespassing, harassment, stalking, and other crimes.

The second of these is also widely supported, at least to the extent that most people believe one should have the right and power to keep secrets. I agree, and in projects such as Freenet I have fought to create that technological power. These technologies make it possible, for example, for political dissidents to exchange information freely and anonymously, or to publish criticism of powerful institutions without fear of reprisal. The ability to keep secrets is not absolute in our laws: an American court may compel testimony on pain of imprisonment, with narrow exceptions carved out for lawyers, doctors, and clergy. I would argue that all of us should have this right as well. I will describe here many reasons one might choose not to keep secrets that today are routinely kept, but I nonetheless support everyone's right to keep them.

It is the last of these that is problematic, and I will argue against it in general. I do not believe we have a right to control what another person—or group of people, such as a corporation—does with information they have been willingly given. Once we have given someone information, and it leaves our brain through our voice or our fingers on a keyboard, it is no longer ours, even it is information about us. Controlling such information requires us to impose upon the liberty of others, and allows others to impose on our liberty.

Information enables progress in many ways, and it is not possible for any person to imagine the ways in which information might be used when it can be used freely. Scientific research and business, in particular, thrive on information. The more these institutions know about us, the more they are empowered to create things that benefit us. Of course, as with technology, it also empowers them the create things that harm us. But it is a mistake to use that fear to justify restricting technology, business, or the free flow of information. Any restrictions we impose today are less likely to protect us that they are to hamper future good uses that we could not have imagined.

Even if we assume (which I do not) that preventing others from distributing information about us is a benefit to us, enshrining that into law becomes an economic entitlement that distorts the marketplace. It forces business to adopt methods and models that assume such information is “owned” by someone else, and therefore requires them to pay more for it than they would without the laws. This will make some business models and research proposals impractical that might otherwise have been a great benefit to us. Credit reporting is a classic example. We may not like the fact that businesses share information about our purchases and our finances, but without that sharing of information, the economic benefits of credit would not be available to us, or would be significantly more expensive. In short, if this kind of privacy is something we want, then we should have to pay for it ourselves, and develop technologies to make it cheaper.

Hal Varian brought up a wonderful example. When Blockbuster Video first opened, their business model was to purchase videotapes of movies from the producer and rent them to the consumer. It generally worked, but the high cost of the tapes (required because the producer got nothing but the up-front cost and had no control over rentals) forced them to buy very few of them, and popular movies were constantly unavailable at the time when they were most in demand—clearly a bad situation for consumers and sellers. Blockbuster's solution was to install a nationwide network of cash registers to track exactly when each tape was rented, with this information made available to the movie producers. This enabled them to change to a different contract with the producers, whereby instead of buying a small number of tapes at a high price, they bought large numbers cheaply with the agreement that they would forward part of the rental fee to the producer. Blockbuster can now guarantee that popular movies will be available, more people rent them when they are in demand pleasing the consumers, and both Blockbuster and the producers make more money. This win-win situation was only made possible by the fact that information about when each tape is rented—information that some people might want to restrict in the name of privacy—was made freely available. [Update: Yes, I realize this example is dated. Today I'd probably talk about how services like Facebook, Google, and many others remain free because they use information about you to target advertising, which also makes the advertisements less annoying.]

Motivations for privacy

Perceived liberty

We all live with powerful and intrusive governments that interfere in the lives of their subjects in many ways. Even in the United States, arguably one of the freest societies in history, most states will still put you in jail for smoking marijuana, hiring a prostitute, gambling, and many other peaceful activities that have no legitimate reason to be crimes. Most states still criminalize certain kinds of sex between consenting adults.

One way to minimize this intrusion into our lives is to jealously guard privacy, to ensure that the government doesn't know what you're smoking or who you're sleeping with. They can't prosecute you if they can't find you. But this is a band-aid approach. It doesn't solve the real problem that the government can haul you away for something you have a basic human right to do, and in fact it may even hamper efforts to solve the real problem by allowing people to tolerate bad laws as long as they have the privacy to avoid them. [Update: as of 2013, only Colorado explicitly allows recreational marijuana use, though of course it continues in private everywhere.]

We also use privacy to avoid discrimination by individuals. There are still many employers who would prefer not to hire gays or ethnic minorities or others they don't like. We may not want family or friends to know about some of our activities they might disapprove of. Here too privacy is a band-aid that masks the underlying problem—that many people dislike or disapprove of others for irrational reasons.

The ability to keep secrets does have some very pragmatic uses that are harder to argue against, and I do applaud those who create technological solutions for them. These include major uses such as national security (though this excuse is much overused) and confidential confession, and minor ones like the ability to play multiplayer games over the Internet without the possibility of cheating. [Update: This technology existed back then and was well known, yet there is not a single online poker site that protects its users in this way.] Because these uses do exist, and because of the necessary short-term use of minimizing government intrusions, I support efforts at technological solutions like cryptography that enable keeping of secrets, even though I believe these methods are often used in ways that may not support our goals.

Security

My third sense of privacy—the desire to prevent others from spreading information about us—is usually seen as a means to physical security. We believe that if we make it harder for evildoers to find us or learn about us, they will be less able to harm us. A typical example are laws that forbid companies to give personal information about you (such as social security number and address) without your permission. They are often hailed as a way to curb identity theft.

This sense of security is unjustified. Computer networking engineers call this security through obscurity, an epithet used to describe lackadaisical measures that fail to properly secure a computer system. “Don't worry,” an IT manager says, “we know the server can be remotely accessed, but no one knows it's here, so we're OK”. “Yes, the users can run the disk formatting program, but most of them don't know how, so it's not a problem.” As every security consultant knows, those two systems will be broken into and erased in short order. The proper way to secure a computer network—and a human being—is to make sure that systems are in place that make it impossible even for someone with detailed information to take advantage. The solution to identity theft is not to make it harder for the criminal to get basic information about you that is revealed in the ordinary affairs of business; the solution is to make sure that someone who does get the information still can't use it to defraud you. My bank account number is secure in this way. I could give you the number and you wouldn't be able to impersonate me or withdraw my money unless you could pass further security checks like forging my signature or guessing the PIN on my ATM card.

New cryptography-based technological measures such as those mentioned by Tadd Hogg, like zero-knowledge systems and capability security, are far superior to legal systems for accomplishing some of these goals. Credit card purchases over the net are well-secured by cryptography, and can be further protected by using single-use credit card numbers. With these systems it will be possible to give a merchant the ability to send you a package without actually revealing your physical address to him. [Update: This idea never caught on. Amazon knows my real address.] Many mail order and Internet sales in Europe already use a system whereby a merchant is given the ability to withdraw a certain amount from your credit card account without your having to reveal your card number. A lender can be given the ability to verify your employment history and income without revealing the details. Again, having laws that cover up these problems may actually delay implementation of the good technological solutions.

Legal protections have two flaws: they generally don't physically prevent security breaches but only punish offenders after the fact, and they only apply to humans. More and more, the information that we think is private is being collected and shared by computer software that may grow beyond the control and oversight of even those who create it. Electrons are constrained only by the laws of physics, not the laws of your local legislature. Hiding your information from other humans may not be enough.

Benefits of transparency

Before I describe the benefits of a more transparent society, let me first say that I fully endorse the sentiments of Benjamin Franklin: “They that give up essential liberty to obtain a little temporary safety...deserve neither safety nor liberty.” I do not propose that we give up the liberties implied by the first two definitions of privacy above—the liberty to choose our associates and the liberty to keep secrets. But there are good reasons why we might choose not to exercise some of those liberties in many situations, and the third use of the word privacy is not a liberty for ourselves at all. It is a desire to restrict the liberty of others to share information in ways we don't approve of.

I have deliberately avoided using the word “freedom” here because it too is notoriously ambiguous and is used to mean both the liberty to choose and act for oneself (e.g., “freedom of speech”), and also to mean the absence of some condition we find undesirable (e.g., “freedom from want”). It is the former that Franklin is talking about and that I am talking about when I say that my third definition of privacy is not an example of it. We may well have reasons to desire that others not give personal information about us to third parties, but if we do, it is our job to figure how not to give them the information in the first place rather than shackling them with restrictions on what they can do with it after we have given it. Otherwise we are sacrificing their liberty for our safety, which I believe Franklin's admonition applies to as well.

There are benefits to choosing to reveal over choosing to conceal. The above mentioned benefit of enabling new forms of commerce is one of these. Security and crime prevention is another. Examples include day care centers with web cameras where parents can view their children at any time during the day to ensure their well being; cameras in public places to deter crime (the effectiveness of which is still debatable); web sites like beenverified.com where chatroom acquaintances can get background information on the people they meet in cyberspace before risking real-life encounters; shopping sites like Amazon where information about my book purchases and those of others allows them to recommend things I might like but haven't found for myself. I would answer Eliezer Yudkowsky's objection that your children may not want to be in such a day care center by pointing out that the reason they are in day care in the first place is that they are not yet competent to take responsibility for their own lives and safety. My mother understands the dynamics involved and insists that if she ever has to face going to an elder care center, she wants one with webcams that I and my sister can monitor.

I may play low-stakes poker at home among friends in private, but when I want to play for serious money, I do what most serious poker players do and head for a public casino. A casino typically rakes 25-50 cents per hand, per player, for the privilege of using their tables. Why is it worth that cost? Because they have trained dealers, floormen to watch the game and arbitrate disputes, and cameras in the ceiling to catch cheaters. They go to great lengths to ensure that the customer gets a fair game, because they know that's what keeps the customer coming back.

Reagan at Brandenburg Gate, 1987.

Reagan at Brandenburg Gate, 1987.

The impact of the video camera to democracy and freedom cannot be overemphasized. Ronald Reagan didn't bring down the Berlin wall, Sony did. Germany reunited because the East could no longer hide the prosperity and freedom of the West from its citizens, who became increasingly resentful. Oppressed people around the world give witness to their conditions with video. Video of Tienanmen square moved the world, and news went out over the Internet even after China closed all the official media. We know about the LAPD because someone filmed Rodney King's beating. It is no accident that the framers of the Constitution protected the right to a public trial, and that we reacted to President Nixon by passing the Freedom of Information act. Sunlight is the best disinfectant. [Update: Of course I never could have predicted Youtube. Or Twitter and the Arab Spring.]

Certainly there are times when more information can seem to be a problem. Presidents and other public figures have a hard time hiding aspects of their personal lives. While some might lament this (especially the politicians), I think the nation as a whole is better for it. The American people demonstrated in the 1996 election that they are capable of choosing a candidate in spite of personal peccadilloes, and while we might argue with the choice they made, it does demonstrate that they are sophisticated enough to see through tabloid headlines and make decisions for themselves. In the 1930s, President Roosevelt was able to hide from the American people the fact that polio had confined him to a wheelchair, which he would certainly not be able to do today. Is it an accident that cultural attitudes about the disabled have improved only in recent years? We as a culture have grown up. We now know more about the personal lives of others, and this has led to understanding and tolerance.

Scientific research lives and dies on information. A great example is the Hoffman LaRoche/DeCODE Genetics study in Iceland. Iceland's population is a geneticist's dream. Their population is almost entirely descended from a small group of explorers and they have almost no immigration, so they are genetically isolated. They also have a passion for genealogy, and keep detailed records going back to the time of the Vikings. Because of this, DeCODE proposed to get genetic samples and detailed medical records and family histories from nearly everyone in the country, which they could then use to isolate genes for the genetic diseases that often plague the Icelandic (as well as others). The country held a public vote on the proposal, and approved a plan to allow DeCODE to collect the data and use it for this research—and even sell it to others for their research—for 12 years. While this proposal has been criticized for being deceptively marketed to the Icelanders and for overly benefiting a few private corporations, the value of the data for research is rarely questioned, and it is reaping benefits. In a more open society less concerned with privacy and secrecy, not only would the data be available to everyone, but the benefits of the research would be as well.

Information is the fuel of the social machine, and trust is the lubricant. As Mark Miller has shown us, trust is the essential ingredient that enables business. It enables personal relationships. And yes, it enables betrayal. Hiding information about ourselves may shield us from betrayal, but it also limits our interactions. Greater exchange of information by all sides can both protect us from betrayal and facilitate our interactions. In short, don't fear the camera pointed at you--rejoice in in it, and make sure you know who is controlling it by having your own cameras too.

Law and custom

Current privacy law in the United States is odd, and often depends on the circular definition of “reasonable expectation”. You have a right to privacy if you reasonably expect that you do, which basically means that that a judge somewhere has ruled that it is reasonable to expect it. For example, you have an expectation of privacy in land-line telephone conversations, but not cellular phones. Whether one party has the right to record the other without consent varies from state to state, but the police need a warrant to tap your land line. Anachronisms of law make it illegal to audio record people in many situations where it would be legal to videotape them. Voyeur cams, whereby men secretly record the view looking up women's skirts are surprisingly legal in many places. The Supreme Court has issued dozens of confusing rulings: police can be issued no-knock warrants on the say of an anonymous informant, but they can't use a thermal imaging device to look for pot plants in your home.

The upshot is that law generally follows custom, but it follows at a distance. Social and technological progress moves much faster than legislatures, so it is unlikely that the law will ever fully comport with the culture's sense of what should be private and what shouldn't be. That's to be expected when the culture itself is a dynamic thing. It is important to realize that if too many of our less rational desires for privacy are encoded into law, they are very difficult to remove even after we discover conflicts between privacy and the free exchange of information, because people will come to expect them, and the law will recognize them, for a long time even after the problems are discovered.

In the absence of effective law, voluntary restraint works remarkably well. People generally do respect what they perceive to be the privacy of others, with the exception, perhaps, of a few paparazzi. Voyeur cams are very rare despite being legal, and many web hosting services refuse to give them connectivity. Major newspapers have a long-standing policy of not outing gay celebrities like Jody Foster and Rosie O'Donnell even though their secrets are hardly news to anyone who's paying attention, because they know that these celebrities still personally value having these secrets kept in some markets and they agree to do that. [Update: O'Donnell has since come out, and married. Foster is, well, an even more open secret.]

Another social custom that has arisen in the Internet age is for consumers to protest sites that ask for more information than the consumer thinks they need. They protest by simply ignoring those sites in favor of others, and by the expedient of lying, helped by sites like bugmenot.com. Orwell predicted this response as well when talked about “jamming”, or flooding the watchers with more useless information than they could handle. I imagine other creative techniques will evolve as well. [Update: Sites like Facebook and Google are constantly increasing their privacy controls not because of legislation but because users demand it.]

The technological future

Harvey Newstrom did a marvelous job showing us just how much companies want to find information about you and the vast array of tricks they have for doing it. It's really quite remarkable considering the lengths to which people go to try to prevent it. When I was working on the PNG image file format, we had to include a section on security issues. Most of us thought this was rather silly since it's just a method of representing images as bits, but the standardization process required it, so it's there. Every Internet standards document has that section, and all are carefully reviewed by many people before becoming a standard, so security issues on the Internet are heavily scrutinized. Despite that, people can and do find breaches and companies do get personal information.

The ability of the Internet to collect and correlate personal information will get better. Companies already cooperate to compile shared profiles of you as a consumer. Databases already exchange information without detailed human direction. As the Internet gets faster and bigger, it will collect more information from more sources and correlate them faster.

But that's only the tip of the iceberg compared to what will be possible in the near future. Cameras and other recording devices are getting smaller and cheaper every year. Today we carry them in our pockets and mount them in teddy bears. Soon they will be flying about like birds, then buzzing about like insects, and then floating in the air like dust. They will be everywhere, observing everyone, all the time, sending their information to the Internet to be collected and correlated with other information sources.

The wearable PC you use to surf the net while going about your daily life will enable you to get information wherever you are, but it will also tell the net about you. It will have a GPS receiver so you can get maps to help you get where you're going, but that will also tell the net where you are (and even how fast you're moving—yes, there have been speeders caught by their own GPS devices). These computers will be embedded in the walls of your house, the instrument panel of your car, even your clothing. [Update: No, I didn't predict that this portable computer would also be your phone, and that it would also save all your texts and voicemails.]

Trying to stem this flood of information and technology with legal protections and cultural norms is ineffective now, and will become absurd sooner than most people think. A far better approach is to recognize that these systems are coming and create cultural attitudes and legal systems for dealing with them, not pretending to prevent them.

First, let us understand who wants the information and why. Companies want to sell us things. This is not particularly sinister as motives go, and public indignation to corporate abuse is a very effective means of curbing it. Companies are so concerned about appearing to violate social norms of privacy that they hire security consultants with contracts that forbid them to reveal what they find. Public opinion is a powerful force--just ask any tobacco company. The more serious threat is government. They want to spy on us to catch us doing things they disapprove of. Sometimes that leads them to catch real criminals, but far too often it lets them harass innocent citizens. But even here, citizens turning the lights and cameras back at the government has done far more to stem these abuses than privacy protection. Freedom for supporters of more open marijuana laws to speak has led to more relaxed laws in many states over the loud objections of politicians who are behind the times. Let us strive to ensure that we are free to do those things we now want to hide, rather than continuing to hide them.

An ethical argument

In another essay of mine, Moral realism, I explain how accurate knowledge of the world is esential regardless of your goals or values. No matter where you're going, you can't get there unless your map matches the territory.

I argue, therefore, that the more correct information is known about the world and about me, the more likely it is that other people's actions toward me will be rational. This is borne out by many experiments that show exposure to foreign ideas tends to increase tolerance and reduce bigotry. The more we know about others, the better enabled we are to act for their benefit. The more others know about us, the better enabled they are to act in ours.

Of course, if someone's goal is my destruction, then knowing more about me will also aid him in achieving that goal. But despite what the Calvinists and others might believe, I don't think enough people really want that for it to be a problem. The vast majority of people merely want a good life for themselves, and those few who do lust for power and destruction can be kept in check by making sure we know enough about them to protect ourselves. At any rate, I believe that misinformation is a greater risk than evil motives, because evil motives are self-limiting and not advantageous in the long run. It is those who get along in society that prosper—if they have enough good information to do so.

Open source software

As a final example about the benefits of transparency, I'd like to talk about open source software. It is well known in that community that keeping software secret is a very good way to ensure that it has bugs and security holes. Only software that is examined by everyone can be regarded as safe. But further than that, open source gives us the ability to repair and replace modules that we wouldn't have with proprietary systems, and opens up new opportunities.

Software is complex. I doubt many people—even computer scientists—could name every software module between their PC's silicon chips and, say, a Java applet. There are many layers: microcode in the chips, hardware controllers with onboard ROM, system BIOS software, bootstrap loaders, the operating system kernel, device drivers, internet protocols, operating system APIs, shared libraries, language runtimes, a system shell, browser software, a Java virtual machine, Java APIs, the applet software itself, and several interactions among those various levels. Some of these are proprietary closed systems, and some are more open (or can be). Because each of these things can have bugs or can behave in ways we don't like, it is important that we understand how they work and be able to repair or replace them to improve performance, security, or other features. This can be extraordinarily difficult with closed systems. Vernor Vinge's science fiction work A Deepness in the Sky describes a character whose job is “programmer/archaeologist”, which is not at all far-fetched.

The importance of being able to change these modules can be shown by what happens when they are too proprietary. System BIOS software, for example, is relatively simple, but its function is important. Without being able to duplicate and update it, manufacturers would not have been able to make the PC clones that opened up the PC market to everyone. The way they did this was to to spend thousands of dollars doing something that could have been done with a few minutes in an EPROM burner if it weren't for copyright law; they made what is called a “clean room” implementation. They hired two groups of programmers, one to write the duplicate BIOS and one to reverse-engineer the function of the existing one, but they made sure that the first team got no information about the actual code from team two so that they could not be accused of copying actual code. Likewise, hundreds of programmers have spent years creating Linux to replace proprietary operating systems like Microsoft Windows, because they can't fix or improve upon closed systems.

Open source software improves the situation considerably, allowing us to look, for example, at the actual source code of the operating system, various libraries, and application code. There are many free and open Java virtual machines, for example, and most of them are superior to Sun's original in some way, which has helped to spread the use of the language considerably. Most web servers use Linux because it is fast and secure and easily updated. Despite the fears of the those who still support the proprietary software sales model, open source can be big business, too. Red Hat software makes good money despite the fact that every software product they sell can be downloaded over the net for free and fully examined. Proprietary software still has the upper hand in the marketplace so far, but the trend is definitely toward more open systems, and for many good reasons.

Conclusion

Just as Napster [Update: OK, maybe Bittorrent] and Freenet show the futility of trying to maintain business models and social systems based on the ownership of information, the coming technologies of surveillance and data collection make it clear that social systems based on scarcity of information won't work. Rather than trying to put our finger in the dyke to prevent the flood, let us build a hydroelectric plant to benefit from it, and use it to shine a brighter light on the dark forces we now hide from.