Thunderous Ambivalence

Because being off the grid is next to impossible in many societies, it is tempting to give up and proclaim 'I have nothing to hide'.

I recently wrote about proposed changes to the Australian Privacy Act. The article was well received, but it provoked a response that is all too common whenever one writes about online privacy or security. Given the Snowden Revelations, public knowledge of PRISM, the Cambridge Analytica Scandal, Australia’s Medibank data breach, the OPTUS data breach, and the list goes on and on, it is a surprising stance, yet one that persists. The responses generally take the form of ‘I don’t mind if people want to read the joke I sent to my friend’, ‘I haven’t done anything wrong, so I’ve got nothing to hide’, or ‘I’m not interesting enough for anyone to care about’.

It is irrefutably true that if you are a Head of State, business magnate, celebrity, or other high-profile person, you are likely to be targeted, while the rest of us who live in comparative anonymity are generally left alone. This does not mean that privacy and security do not matter, nor that your life cannot be turned upside down if someone steals your online identity.

Nothing to Hide

While issues of online security and privacy are a very recent phenomenon, the concept of having something to hide is about as old as society itself and stems from the notion that everyone is guilty of something, even if that something is as innocuous as taking a cookie from the jar. The Russian writer and Soviet dissident, Aleksandr Solzhenitsyn, observed:

Everyone is guilty of something or has something to conceal. All one has to do is look hard enough to find what it is.

Cardinal Richelieu held an even more sinister opinion on the matter in asserting:

If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him.

Though it is disputed whether the Cardinal ever said this.

Apocryphal or not, both men were prescient in noting the challenges even the meanest individual faces when confronted by despotism, a challenge that diminishes but does not entirely vanish in even the most enlightened and free societies. This is because while a person may not think they have anything to hide, there are nonetheless things we prefer to protect. This reality is often made manifest by asking people of the ‘nothing to hide’ ilk for their PIN or the login to their email. As the Canadian privacy expert David Flaherty argued:

There is no sentient human being in the Western world who has little or no regard for his or her personal privacy; those who would attempt such claims cannot withstand even a few minutes’ questioning about intimate aspects of their lives without capitulating to the intrusiveness of certain subject matters.

However, many, if not most, arguments break down when taken to extremes. What if we keep well within the bounds of the mundane? Even here, when we are not talking about the most intimate knowledge but the general minutiae that are gathered by companies and governments by the exabyte each day, ‘nothing to hide’ fails because it is based upon incorrect assumptions about the value of individual privacy. These assumptions result from trying to conceptualise privacy as a thing, reifying what is a continual state of being so as to place it as a physical object or static moment in time.

Perhaps the most readily identifiable example of this is when we are being watched by other people. The person may not discover, much less disclose, any secrets about us. They may not be granted a view of ourselves we reserve only for a special few, much less gain a window into our soul. But they do, even for the socially ignorant and indifferent, give us a sense of someone being in our space. The harm, if I can use such a term, caused by being watched is that our personal space or privacy is being invaded by their gaze.

Imagined thus, the act of privacy is not so much about hiding as it is about protecting. This makes the concept of ‘nothing to hide’ a category error, as it would be better asserted as ‘I have nothing to protect’, a statement so unlikely as to be implausible.

I wrote about this notion in The Subjective Nature of Nothing to Hide, and will not rehash the arguments here, only to observe that once we have unpacked the box of ‘nothing to hide’ and found it to be an empty argument, we can apprehend that we still have something to protect even if we have nothing to hide.

This is not just because privacy, like any right, must be protected lest it be lost, but because whether or not we think we are being watched can fundamentally alter our choices and, by extension, our free will. This notion was unpacked by Glenn Greenwald in his TED Talk, which repays the watching. He argues that privacy underpins voting because people may alter their public comments and voting choices if they think they are being observed.

Needle in a Haystack

The other common assertion is the needle in a haystack fallacy. It is based on the idea that my life or my data is so insignificant in the galaxy of lives and data that swirls around this planet that it will go unnoticed. This is exposed as a fallacy on two levels: the first is ‘wrong place, wrong time’ and the second is the nature of big data.

Wrong place, wrong time is the notion that being a victim can happen to anyone. The average person, on their way home, faces a mugger on the street. There is often nothing special about them, no gold Rolex dangling from the wrist or some other marker that makes them a target. They just happened to walk down that alley. The same is true of online privacy and security. There need be nothing that stands out about my data, such as kompromat about someone important or business intelligence that is valuable to a competitor. In other words, nothing that would make me a worthy target. It can simply be that my account was randomly targeted and was easy to compromise.

Moving on to the nature of big data, we see that it does not require people to read each page or carry dozens of physical files out of a building. As such, governments, businesses, activists, and criminals can process exabytes of data on people and companies, trawling via algorithm. This means there is no data set so large that you can remain anonymous in a crowd. It also means that while you may have nothing to hide and thus think that no one will take an interest in you, your data may be scooped up with that of millions of others to be processed and stored. Even if you are happy for the government or business which holds that data to have access to it, if it is not held securely it may be stolen and accessed by those less trustworthy. Such a data breach, even if the data was anonymised by the original holder, can be used to identify individuals for future attacks. As MIT researchers discovered:

just four fairly vague pieces of information — the dates and locations of four purchases — are enough to identify 90 percent of the people in a data set recording three months of credit-card transactions by 1.1 million users.

This is How Privacy Dies

Because being ‘off the grid’ is now next to impossible in many societies, and knowing that one or two more privacy-respecting apps in our life won’t stem the tide, it is tempting to give up and either proclaim ‘I have nothing to hide’ or that ‘I am too insignificant to be noticed’. But as we have seen, neither of these philosophical refuges affords any meaningful protection.

While absolute security and absolute privacy are well-nigh impossible, it makes as little sense not to care, and to fail to do what little we may, as it does not to bother learning about a subject because we cannot know everything. Life is seldom a zero-sum game. Rather, it is a game in which we do best when we do what little we can.

For companies and governments, this means working on the imperfect privacy acts and, step by step, strengthening them and uplifting their efforts at safeguarding user data. For individuals, it means taking our online privacy and security seriously: enabling two-factor authentication, limiting what we choose to share, and migrating to services which, though far from perfect, make a significant effort to safeguard our privacy. By re-framing the conversation thus, there is hope we can stem the massive social experiment emanating from the big tech firms and those who seek to imitate their profits, and in doing so find meaningful solutions to safeguard our ambient privacy.

Failing this, we face a bleak digital future. One which reminds me of a moment of Lucas brilliance. It is an ominous statement by his fictional character Padmé Amidala:

So this is how liberty dies…with thunderous applause.

Perhaps in the case of our privacy, it ought to be rephrased: ‘So this is how privacy dies… with thunderous ambivalence.’

Good night, and good luck.

