Why you care about privacy
Even if you don’t
Not long ago I rigged up a portable Bluetooth sniffer and hit the mall. I ended up buying a coat that day and while I was waiting for the salesperson, I checked the sniffer logs. The ID of one particular Fitbit showed up repeatedly so I figured that person had to be in the store. After walking around a bit I found the owner who turned out to be the store’s undercover loss prevention officer.
When I returned to the counter the salesperson asked what I was looking at so I gave her the 1-minute intro to Bluetooth beacons. Grocery stores are famous for analyzing shopper behavior so I floated the scenario in which the store tracks you to within a few inches of your actual position. She had no issue with this so I bumped it up a notch. There are a few loyalty companies who manage most of the retail loyalty programs out there. Would she be okay with tracking of her movements if a single company could correlate visits across dozens of stores and the line-item purchases at each?
“I don’t have anything to hide,” she shrugged. “What do I care if they want to track me walking around the store? Don’t they use that to make it easier for me to shop?”
I cringed. Holding the phone out for her to see, I pointed out which of the IDs on the sniffer log belonged to the loss prevention officer.
“Suppose I create an app that lets people enter the Fitbit ID of police, security guards, and loss prevention officers into a database, then gave the user a proximity alarm when one of those people was nearby. A shoplifting crew of three or more could even triangulate the officer’s position down to the inch, just like grocery stores do to track shoppers.”
She was horrified.
“Seems like you have something to hide after all,” I said.
“Your loss prevention officer. That’s why she’s in plain clothes and not wearing a uniform, right? Perhaps people who think they have nothing to hide just haven’t thought about it enough. Maybe it isn’t about hiding anything but about whether we get to say no to collection of data about us or how that data gets used.”
We need to remember that in every case where some commercial interest wants information about us, it is because they benefit from it. You don’t get tailored ads or a better shopping experience if the vendor doesn’t believe they will make substantial returns on their technology investment. If the thing they pitch to you as an improved experience doesn’t result in higher revenue and profits, it doesn’t get done. That new revenue comes from you.
Whether your “improved shopping experience” is a net benefit depends on what you would have done with that money had the vendor not convinced you to part with more of it. Opportunity cost and market friction ensure that this trade-off will almost never result in a net benefit to you. The best you can hope for is that your losses are well hidden from you so that the improved shopping experience is the only thing you consciously notice.
The tools-model of regulation where everything is legal by default doesn’t serve us well when those tools invade our privacy. Each point along whatever line we want to draw to define “too far” can only be established with some sort of legal action. Defending privacy under those terms is a practical impossibility, so the effect on privacy over time is a gradual but relentless decline. Since privacy is a function of consent, what is actually being eroded is your right to withhold your consent. To anything.
Consider also that our current policies favor of commercial interests over those of individuals. For instance, you don’t get to tell your vendor what they can and cannot do with information they hold about you. They, on the other hand, get to tell you what you can do with that same information when they make it available to you.
Case in point: Amazon has for some time now provided a means to download your book purchase history. Prior to Amazon buying Goodreads, customers were prohibited from downloading that data and then using it to populate their Goodreads profile. I wrote a tool to do just that and when I inquired in the forums I was told that others who had tried this were threatened with accounts closure and revocation of their digital purchases.
In another example, it is perfectly legal for merchants to offer differential pricing and charge a higher price to shoppers they think would pay it. That hotel room might cost less when booked on a PC instead of an Apple device. That new appliance might cost more if there are no appliance searches in your history.
Knowing and exploiting intimate personal information about shoppers can add millions of dollars to a company’s bottom line. But write a script to fetch your data for your own benefit and you might lose your account and all your digital purchases.
If you rent a house or apartment the government provides a default lease contract that sets a minimum standard of protection for both parties. But when you buy software or some tech gadget there are no standards of fairness or reciprocity imposed. The vendor offers a non-negotiable Terms of Service and either you agree to it or you don’t use that service. This works partly because individuals of limited means can’t fund a lawsuit or risk having to pay the legal expenses of the opposition if they lose, and partly because our elected representatives don’t feel it is in their interest to level the field for consumers.
Let this asymmetry of power play out for a time and when the day comes that you actually do wish to withhold consent, you may find that doing so has become difficult or even impossible. We encounter those Terms of Service documents individually and tend to think of them in the context of the individual vendors who foisted them on us, but the aggregate is what sets the standard.
In one recent case a judge ruled that there is no longer an expectation of privacy on any of your computing devices once you connect them to the Internet. That case was about child porn and decent people would revile any conclusion in which the defendants were acquitted. But getting that result set a precedent that applies to all of us, and when it comes to the government hacking into our online devices we no longer have an expectation of privacy or the right to withhold consent.
Our homes are our last bastion of privacy. Could we lose our right to withhold consent to searched inside our home? That depends. How many cameras are within 15 feet of you right now? How many listening devices? Amazon Alexa? Google Home? Bixby? Siri? XBox? Samsung TVs? Each of these services binds the user to a contract that grants the vendor rights to capture recordings from the devices, usually for quality assurance and customer support, and forward that data to unnamed “affiliates.” Even if the vendors are extremely ethical, the devices connect to the Internet and can be hacked.
If any device connected to the Internet has no expectation of privacy, then the fact that these devices are inside the privacy envelope of our homes makes little difference. We pierced the veil of privacy by installing the device and clicking “I Agree” on the Terms of Service. It’s only a matter of time before we lose the right to withhold consent for the digital search of our home or the capture and archive over time of sound and video from all our “smart” devices.
In the end, privacy isn’t about whether you have something to hide. It’s about consent. Every single case in which you are told that a privacy invasion will benefit you, there is a benefit to the vendor that they are probably not telling you about. This is because if they provided full disclosure you might realize they are actually acting against your interest and withhold your consent. If they do not disclose then you never get an opportunity to provide informed consent. Instead you get the marketing telling you one reality, and a Terms of Service you don’t read that tells you a different one.
Here in the US we used to have a legally protected right to withhold consent to all sorts of things. But like a trademark, if you don’t use it, don’t defend it, you eventually lose it. To say “I have nothing to hide from privacy-invading technology” is to waive your right to withhold consent. When this practice becomes the norm then our policy flips from an assumed right to withhold consent to a default in which no consent is required.
Privacy isn’t about where you draw the line. It’s about your ability to draw a line at all. Exercising your right to withhold consent to invasion of your privacy is your only means of preserving that right. It’s about time we started saying “no” more often to invasive technology, and stopped treating those of us who already do this as conspiracy theorists. Because even if you don’t care about privacy, I guarantee you care about consent.