Law in the Internet Society

Regulating behavioural collection

-- By RohanGeorge1 - 9 Nov 2017

Setting the scene

Recently, I went to Joe’s Pizza – the finest slice in the city. Since then, my Android smartphone has prompted me via push notification to view Joe’s menu thrice. This was the latest and most tangible form of behavioral collection I’ve consciously experienced. The scale of behavioral advertising, based on ubiquitous collection and tracking of consumer behavior through recursive cycles of stimulus and response tracking, should not surprise anyone.

For the longest time, I thought little of digital privacy because I had nothing to hide. A simple thought experiment exposes the fallacious logic underlying such thoughts: Simply imagine you have something to hide – a colorful past, an addiction or a secret hobby – and then you realize the scale of the problem Daniel Solove lucidly highlights. Equating privacy with secrecy is too narrow a conception of privacy. It fails to capture the harms caused by extensive behavioral collection networks due to collection, use, disclosure or storage of personal data.

Against this backdrop, it’s worth considering a recent development in human society – privacy and data protection legislation. Arguably, such laws consider some of these harms and put in place restrictions about how individuals’ personal data is used.

The 'main' problem

But I think these laws are woefully ill-suited to the times. For one, the crux of most regulatory regimes focuses on principles of notice, consent and purpose limitation. Those who collect, use, disclose or store your data should notify you about it, garner your consent and do with your data nothing more than what they notified you about. This model, which has been called Privacy Self-Management, does not account for new technology and the political economy that emerged around it.

I have previously written on the limits of consent – two points are salient: first, that consent places unrealistic and unfair expectations on individuals. These expectations manifest in individuals being expected to fend for themselves against the legalese-filled, lengthy terms-of-service documents that condition use of services on accepting lopsided terms. The cost of reading such documents, according to one estimate, was $781 billion.

Second, the potential for mass-collection, aggregation and downstream uses of individuals’ data is simply not considered by a legislative regime that focuses at the point of collection of data. Platform companies hold troves of our personal data, subject it to endless forms of analytics and often use it in ways impossible to conceive at the point of collection (even by the companies themselves).

The above reasons highlight the significant limitations on a privacy self-management style of regulation. Moreover, I think even these arguments fail to address a more fundamental problem.

The real 'main' problem

The problem is that our data protection legislation focuses on protecting the wrong subject. As exemplified by Article 8(1) of the EU’s Charter on Fundamental Rights, “Everyone has the right to the protection of personal data concerning him or her”. Somehow society has decided that what ought to be protected is information about humans, and not humans themselves. This goes back to the earlier experiences I identified: experiences of behavioral collection and how its collectors use our behavior to influence our actions and thoughts (and profit from it too).

It is worth articulating some questions about the relationship between platform companies, personal data and humans: how did such a fundamental imbalance of power arise between the companies who own our data and us? Why do they collect so much information (behavior) about us? How did it come to pass that a handful of companies are authorized to use our information to profit with a mandate that is extremely wide?

It is not that these observations are, on their face, wrong. In fact, the real problem is that any answer to how society should model its relationship with platform companies is necessarily ambiguous. For society has not considered the issue in the first place. Partially due to the staggering speed at which technology has developed, it seems as if this situation has snuck up on society. Granted, the visionaries of the early internet were aware of the effects such technologies can have on society.

But for the majority of today’s users, my view is that the realization of powerlessness has not dawned on us. Instead we have been seduced by the convenience of social networking and an appeal to the innate human desire for connection with other humans. This seduction has, in my view, precluded society from seriously considering the status quo. Convenience is too convenient an excuse to consider the rather inconvenient nature of society’s predicament.

For example, it is worth asking whether each person has a fundamental right to not have his/her behavior collected. It is worth asking whether the individual and not the platform company should own the data currently collected and held by these private companies. It is also worth asking what kind of mandate these companies should have with respect to using this information for their profit (and potentially at our expense).

It may well be that the status quo is preferred by the majority of society, but perhaps instead the answers to these questions should be considered “behind the veil of ignorance”. Perhaps instead this discussion of how society should order its relationship with platform companies should begin by focusing on what rights and protections humans should have.

My fear is that such discussions may yield a societal consensus that is merely a pipe dream for us all, given the current political and economic realities.

But the place for the draft to go next is made obvious by this disempowering conclusion. What are the realities? If it is technically necessary for people to give away so much data in order to have particular services they consider "convenient" or "important," even "vital," so be it. But if it is not necessary to design and implement our technology with these drawbacks in order to achieve those objectives, then the issues concerning regulation shift straightforwardly: there is no inherent difficulty in prohibiting environmentally dangerous activities for which safe substitutes are readily available at lower cost. If we had an "emission control" rather than a "data protection" approach to consumers' digital hardware, software and services bundle, what would happen? Tradeoffs between energy efficiency, cost, and safety exist with respect to all forms of mass and automotive transport: societies have many, not necessarily consistent, modes of dealing with those tradeoffs, in which concealment and misdirection are generally not thought to have any place.

I think you should reduce the space in this draft spent setting up a problem we can agree we basically understand. Let's try to use that space to explain, succinctly and forcefully, which parts of the existing system could be re-engineered relatively easily to offer individuals the services and facilities they want, as much as possible, in an environmentally-conscious context in which design objectives and implementation methods take privacy destruction as an ecological cost to be minimized rather than ignored.


r2 - 04 Dec 2017 - 16:39:10 - EbenMoglen
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.