The Startup

Get smarter at building your thing. Follow to join The Startup’s +8 million monthly readers & +772K followers.

A Framework for Privacy


(Use https://medium.com/swlh/a-framework-for-privacy-3327f2601135?source=friends_link&sk=4b59442659838086dd6bf874fd287530 to avoid the paywall. Medium won’t let me remove the paywall.)

Many CCTV cameras that are differing shades of gray, mounted on a wall
Photo by Lianhao Qu on Unsplash

There has been a lot of talk about privacy concerns lately. From my vantage point, these conversations have sort of bubbled up alongside the use of personal assistants like the Amazon Echo Dot and Google Home, and then hit a peak with Cambridge Analytica and Facebook conversations, and have now faded into a new norm.

This piece covers a more specific way of thinking about privacy concerns. Right now, when I talk to people, many different concerns are all lumped under the same umbrella of “privacy,” but I think there are multiple different ways that something can be “private,” and I’d like to share those ways here.

The opposite of privacy is surveillance. If there’s no surveillance, everyone has complete privacy, and if there’s complete surveillance, no one has any privacy. So, I’m actually going to talk about a framework for surveillance, but the theory should be helpful in any conversation about privacy.

What I hope these categories do is enable us to have better ways of explaining how we’d like surveillance to take place (if at all), and give us better terms for describing different types of surveillance that we might be worried about.

I split surveillance into three categories: clear vs. opaque surveillance, overt vs. covert surveillance, and consensual vs. non-consensual surveillance. The categories are essentially what and when, who, and how much you want it.

I’ll now dive more into the details of each.

Clear vs. Opaque Surveillance (What and When)

Clear surveillance is when you know exactly what information is being collected from you and when it’s being collected. If you aren’t aware that any information is being collected from you, but it is, then that’s opaque surveillance.

In general, the more you know about what information is being looked at from your life, and when that collection is taking place, the more clear the surveillance is.

I chose the terms “clear” and “opaque” because this seems to determine whether you can “see” the information that’s being collected.

New laws seem to be geared towards making collection more clear. You can request that companies send you all the data that they’ve collected on you, making it clear what information they’ve collected.

However, note that even with these laws in place, it’s still not completely clear surveillance because you still don’t know exactly when they’re collecting this information. You know that eventually they did receive it, but it’s still a little uncertain when they’ll be tracking you in the future and precisely what information they’ll be collecting then.

Overt vs. Covert Surveillance (Who)

Overt surveillance is when you know exactly what people have the information. Covert surveillance is when you have no idea who is receiving the information.

Note that you could know exactly what information is being tracked, but have no idea who has it. That would be clear surveillance, and it would also be covert surveillance.

Companies gathering information engage in covert surveillance just because they’re a company. When you give a company data, you don’t know who you’re giving the data to. The people working in companies often change over time. Your friend could work at that company and see your data. Your ex could work at that company and see your data. Because the data is given to the company, and you don’t know who works at the company, you don’t know who sees your data.

This is why I define overt surveillance to be based on knowing exactly which people have your information. To the extent that you’re uncertain of which individuals have your information, the surveillance is more covert.

This concept also extends to computer programs. A computer program may have access to data that we do not allow humans to have. However, the computer program may use the data to generate results which a human is able to see. Thus, if you don’t know what computer program has your information, you also don’t know who is getting the results from the computer program (and those results are based off of your information). So, if you don’t know what computer programs are looking at your data, and who is looking at the result of the computer programs, then the surveillance is at least partially covert.

While I have noticed more laws being enacted to force surveillance to be more clear, I have yet to see much meaningful legislation to make it more overt. Many times in privacy policies I see something about sharing information with third parties, and that the information under those third parties is subject to those parties’ privacy policies. In that case, unless I track down each third party, and read their privacy policies as well, the surveillance is almost completely covert; the third parties could be sending my information to any other company, and I would have no clue.

When we care about privacy issues, I think covert surveillance is often what we worry about the most. It often isn’t what information or when that information is gathered, and sometimes it doesn’t even matter whether we wanted that information to be gathered in the first place. We usually care about who gets that information. Do we trust them? Are they going to share it with anyone else?

That’s why ensuring that surveillance is overt is so important; we should know who knows things about us.

Consensual vs. Non-consensual (How Much You Want It)

This category for surveillance is the most common-sense one. Do you want to have information collected, or not?

If you do want the information to be collected, then the surveillance is consensual. If you don’t want the information to be collected, then the surveillance is non-consensual.

Now, this seems really simple, and on some level it is. However, as we are learning as a society, consent can be tricky. (For example, see the Aziz Ansari case. Warning: link leads to adult content.)

One of the most common examples of this that I have come across is people not reading privacy policies or terms of service. Yes, technically, people should take the time to read them and understand them. But very few people have that sort of time or the expertise to comprehend them. So, one of the questions that arises is: are we really giving our consent if we’re not reading the privacy policies? Even though we click the “I agree” button, do we really agree that we want these things to happen?

I think GDPR went a long way towards forcing privacy policies to be readable, but I’m still not certain if the mechanisms we have in place actually ensure that the surveillance is consensual.

Another very interesting argument I’ve seen raised before is that we might not be able to consent even if we do read the privacy policies because we don’t know how our information will be used in the future.

The most recent worry I’ve had with this is DeepFakes. As an example, a researcher created an AI that takes photos of faces and recombines them into very realistic new faces. (Try it yourself here.) I looked into how the dataset of the original faces was obtained, and it turns out it was scraped from the internet. The researcher was very careful to only scrape faces from Flickr, and only use photos that were released under a license that allowed for “free use, redistribution, and adaptation for non-commercial purposes” of the photos. (Source)

However, my guess is that the people posting those photos had no idea that their image would be used to create fake images of people who don’t really exist but whose faces are based off of theirs. Did they really consent to that happening?

So I worry that one day I may find an image of me, animated and saying something I never said, and when I claim that I didn’t consent to this happening, someone will point to an image online that I released under some license that technically gave people permission to do something that I didn’t even realize was possible at the time that I “consented” to my photo being used.

Just to make it clear, any surveillance that you don’t want to happen is not completely consensual. Some people may claim that since you formally agree to something, it’s more consensual than it is non-consensual, but it’s still not completely consensual because you don’t want it to happen.

One very important issue for laws is to ensure that how we feel about whether or not we want surveillance to take place actually matches up with the legal definition of consent. If it doesn’t, then there’s still work to be done.

Conclusion (How This Helps)

All three aspects of privacy are important. I want to know what information is being gathered about me and when it’s being gathered, I want to know who is gathering that information, and I don’t want it to take place without my consent.

My hope is that by introducing the terminology of clear vs. opaque surveillance, overt vs. covert surveillance, and consensual vs. non-consensual surveillance, people will be able to talk about their concerns more clearly.

For example, if I’m worried that Google has information that I’m not aware of, that’s a concern about opaque surveillance. If I’m worried that “the government” might have videos from inside my home because I have a Kinect, that seems like a concern focused on covert surveillance. If I’m worried about Facebook reading my messages to friends on Messenger, that’s a concern primarily about non-consensual surveillance.

As you can probably tell from the examples I just gave, the three categories are often intertwined in any one concern about privacy. However, breaking down general “privacy” concerns into concerns specifically about opaque, covert, or non-consensual surveillance will hopefully allow us to better understand exactly what we think is wrong and how we might be able to fix it.

Thank you for scrolling to the end of this. I have no idea if you read all that, but hopefully at least something in here is helpful to you in some way.

Please leave a comment. I really care about hearing from you. It doesn’t matter whether or not you’ve had experience with the philosophy of privacy or anything else. I’d love to hear any little ideas, thoughts, or critiques you have.

On March 13, 2021, I edited this piece to change what was previously called “open surveillance” to instead be “overt surveillance” so that it was more clearly the opposite of “covert surveillance.”


Published in The Startup



Written by London Lowmanstone

I’m a visionary, philosopher, and computer scientist sharing and getting feedback (from you!) on ideas I believe are important for the world.
