“You have zero privacy,”

“You own your data,”and other Myths

Dr. Gilad L. RosnerVisiting Researcher

Horizon Digital Economy Research Institute

gilad@giladrosner.comhttp://bit.ly/grosner

@GiladRosner

Where were you last night at 10pm?

What hygiene products do you buy?

How much do you drink?

Did you attend a political rally last week?

What is in your medicine cabinet?

Have you always been faithful to your partner?

What charities do you give money to?

What pornography do you prefer?

How much money do you make?

Do you have an STD?

Is there a history of alcoholism in your family?

Privacy ≠ regime to control information

“Instantaneous photographs and newspaper enterprise have invaded the sacred precincts of private and domestic life; and numerous mechanical devices threaten to make good the prediction that "what is whispered in the closet shall be proclaimed from the house-tops....” The press is overstepping in every direction the obvious bounds of propriety and of decency.… The intensity and complexity of life ... have rendered necessary some retreat from the world, and man, under the refining influence of culture, has become more sensitive to publicity, so that solitude and privacy have become more essential to the individual…”

Warren & Brandeis, 1890

“There exists a threshold beyond which social contact becomes irritating for all parties; therefore, some provision for removing oneself from interaction and observation must be built into every establishment...”

Schwartz, 1968

• An appetite for limitless collection• A blurring of separate informational spheres• Inter-organizational sharing• Fishing expeditions in data originally collected for

other uses – “dragnet behavior”• Poor security• System abuses leading to reduced confidence in

government• Impersonal machine-based choices about people’s

lives• The spectre of a master dossier about individuals

a right “to control, edit, manage, and delete information about [oneself] and decide when, how, and to what extent information is communicated to others”

solitude ・ intimacy ・ anonymity ・reserve

Fair Information Principles 1. There shall be no personal-data record-keeping system whose very existence is secret and there shall

be a policy of openness about an organization's personal-data record-keeping policies, practices, and systems. (The Openness Principle)

2. An individual about whom information is maintained by a record- keeping organization in individually identifiable form shall have a right to see and copy that information. (The Individual Access Principle)

3. An individual about whom information is maintained by a record- keeping organization shall have a right to correct or amend the substance of that information. (The Individual Participation Principle)

4. There shall be limits on the types of information an organization may collect about an individual, as well as certain requirements with respect to the manner in which it collects such information. (The Collection Limitation Principle)

5. There shall be limits on the internal uses of information about an individual within a record-keeping organization. (The Use Limitation Principle)

6. There shall be limits on the external disclosures of information about an individual a record-keeping organization may make. (The Disclosure Limitation Principle)

7. A record-keeping organization shall bear an affirmative responsibility for establishing reasonable and proper information management policies and practices which assure that its collection, maintenance, use, and dissemination of information about an individual is necessary and lawful and the information itself is current and accurate. (The Information Management Principle)

8. A record-keeping organization shall be accountable for its personal-data record-keeping policies, practices, and systems. (The Accountability Principle)

Article 8 of the European Convention on Human Rights

“Everyone has the right to respect for his private and family life, his home and his

correspondence.”

State Constitutions that Contain Privacy Rights

Alaska

Arizona

California

Florida

Hawaii

Illinois

Louisiana

Montana

South Carolina

Washington

Montana

“The right of individual privacy is essential to the well-being of a free society and

shall not be infringed without the showing of a compelling state interest.”

Right of informational self-determination

“... the authority of the individual to decide [for] himself, on the basis of the idea of self-

determination, when and within what limits information about his private life should be

communicated to others”Westin, 1968: “to control, edit, manage, and delete information about [oneself] and decide when, how, and to what extent information is

communicated to others.”

“If someone cannot predict with sufficient certainty which information about himself … is known to his social milieu and cannot estimate sufficiently the knowledge of parties to whom communication may be possibly made, he is crucially inhibited in his freedom to plan or to decide freely and without being subject to any

pressure or influence.”German Constitutional Court, 1983

“... data protection is ... a precondition for citizens’ unbiased participation in the political processes of the democratic constitutional state. The ... state relies to a great extent on the participation of all citizens and its legitimacy is based on respecting

each person’s individual liberty ... the right to informational self-determination is not only granted for the sake of the individual, but also in the interest

of the public, to guarantee a free and democratic communication order.”

Hornung and Schnabel, 2009

1. INDIVIDUAL CONTROL: Consumers have a right to exercise control over what personal data companies collect from them and how they use it.

2. TRANSPARENCY: Consumers have a right to easily understandable and accessible information about privacy and security practices.

3. RESPECT FOR CONTEXT: Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.

4. SECURITY: Consumers have a right to secure and responsible handling of personal data. 5. ACCESS AND ACCURACY: Consumers have a right to access and correct personal data in usable

formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.

6. FOCUSED COLLECTION: Consumers have a right to reasonable limits on the personal data that companies collect and retain.

7. ACCOUNTABILITY: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.

Consumer Privacy Bill of Rights

Privacy by designPrivacy by default

Code is law

Confidentiality

IntegrityAvailability

Transparency

Unlinkability

Intervenability

Thank you!

Dr. Gilad L. Rosnergilad@giladrosner.com

http://bit.ly/grosner@GiladRosner