Telling Privacy from Not Privacy

We often see privacy as a topic for academic debates and activists’ demonstrations. We shouldn’t. Having a grasp over the concept — in short, telling Privacy from Not Privacy — helps in many ways.

Showering, and dinner guests

It is not a secret that when naked, I look very similar to three billion other beings on this planet — and so do you, reader. Nevertheless, upon taking a shower, I close the door of the bathroom. Having nothing to hide, yet choosing not to show — that is the gist of it all.

Privacy is, in short, the freedom to know who we share our information with. During a dinner conversation, someone overhearing or wiretapping the conversation infringes privacy, whereas guests, whoever they are, do not.

Depending on who is present in the room, we can express different things. This choice of who we share our ideas and emotions with is not trivial. Someone who shares everything with everyone, without discrimination, has no personality; no more than someone who shares nothing at all.

Not Privacy

It is often assumed that privacy is about keeping secrets: this is an important mistake. Most of what we keep private is trivial. Better shower singing has been done, more interesting points have been made, more beautiful love letters have been written. My whereabouts in town, my favorite type of biscuit, the list of websites I visit, have nothing exceptional to them. This should not be a pretext to invade.

In a similar way, privacy doesn’t stem from a desire to keep control of access to information. If I tell my friend that my favorite color is blue, s/he is free to pass this information on. The very fact that I do not control that information anymore makes the exchange interesting. His/her judgment of whom to share with defines personality, and makes exchanges worthwhile.

Keeping the liberty of choosing whom I share with, does not mean I am afraid of people knowing. I will tell anyone who asks me what my favorite color is — but since this information is personal, I should be the one to decide whether or not, and with whom, to share it.

So, when the argument of “you should have nothing to hide” comes up, we should know that something is wrong. Likewise, likening privacy to a paranoid fear of sharing information is simply incorrect.

Privacy

In practice, privacy is difficult to handle on the Internet. A smart-looking person who knocked on my door and asked for a very long list of personal information, along with the permission to retain and re-sell them, would get no success. But web services such as MySpace, Facebook and LinkedIn are all the rage.

Aside from the taxonomy du jour, this is nothing new. Credit card companies have long been selling localized (and anonymized) shopping behavior information based on card usage tracking data. Any large store, whether on-line or not, will analyze the shopping patterns of its customers.

The scary part is not that this is happening: understanding customers, and targeting audiences is a fundamental part of business. We are, however, feeding these databases with more and more information, and with less and less understanding. Feeding one’s LinkedIn profile with sensitive professional information is fine; not knowing to whom these will be sold is critical¹.
In short, by using a GPS phone, searching the web, or chatting with friends, I know I may be monitored, but I don’t know when or how. The similarity with the telescreen, the sinister Nineteen-eighty-four² television device that transmits both ways, is striking. Privacy is not about absence of monitoring, it is about knowing when one is being monitored.

A Privacy Survival Kit

A lot of confusion surrounds the theme of privacy. Most people, for example, particularly dislike being shown their IP address, although this is a trivial and necessary piece of information for exchange on the Internet³.

A privacy survival kit in the form of a downloadable package does not exist. Instead, the best way one can keep his/her privacy is with three simple questions:

1. Is this about private information?
   Example: “Securing” one’s wi-fi Internet access. Preventing others from using one’s modem to access the Internet has nothing to do with privacy. At best, this is snake-oil security, at worst, an illusion of maintaining one’s privacy.
2. To whom am I giving information?
   Example: sending an e-mail. The Internet access provider and mail host of both the sender and receiver have full access to everything that is written and exchanged. Unless some precautions are taken⁴, an e-mail is akin to a postcard.
3. What is being done with it?
   Example: Most search engines (but not all) keep an extensive amount of information about the users of all their services, including mail, search interests, and reading lists. Depending on the (often obscure) legal terms and applicable laws, some of this information is often sold or made available to Government authorities⁵.

Beginning to answer these three questions is an excellent step to handling one’s privacy fully. Everything seems to indicate that it’s a worhwhile step.

Addendum: The theme of the 25th Chaos Communication Congress in Berlin this December is Nothing to Hide. Can I get you to visit the best digital freedom event in Europe?

1. Hint: LinkedIn’s terms of service specify that “By […] providing materials to LinkedIn, you are granting to LinkedIn Corporation a royalty-free, perpetual, irrevocable license to use this information in the course of offering the LinkedIn service [‘enable professionals find and connect with other professionals’]” [↩]
2. Nineteen-eighty-four is an exceptional book. An easy-to-read story that is more thought-provoking than anything I have ever read. I suggest you give it (another) read. [↩]
3. An IP address is like a telephone number. Having one is necessary to make a communication with someone (or a machine, such as a website server). Hiding it is only feasible if one uses, and trusts, a middle player. [↩]
4. One way to keep e-mail exchanges private is to use PGP encryption, which requires a key exchange between the correspondents. The mail and Internet access providers then only transmit a scrambled version of the e-mails, which they cannot decipher. [↩]
5. In Germany, for example, it is required of the e-mail providers that they keep the correspondents’ e-mail and IP addresses of every single e-mail they handle, for six months. [↩]