Markus Schroeder, Vienna University of Economics and Business
Big Data aggregators are all around us - just take Facebook as an example. And so is the issue of Big Data and Privacy. As Danah Boyd said it in her ground-breaking paper “Privacy and Publicity in the Context of Big Data”, a lot is about trust. The matter of trust can be met by self-regulation. But can trust actually be the only category to justify the aggregation of Big Data? Still, there must be more to it. Despite all the discussions about industry self-regulation, it is still mostly the legislators turn. After this short preface, let´s take a closer look at Danah´s theses:
1) Security is through obscurity is a reasonable strategy
According to this thesis people rely on being obscure in mediated settings like Facebook. But actually this is far from being a reasonable strategy. One simply cannot rely on being obscure. Big Data may be hard to scan for the personal information of one particular person. But facing increasing computer capacities, it is likely to be no problem to correspond data to one particular person. Big Data aggregators, such as Facebook and Google are already doing so. So privacy has to be protected by more than obscurity.
2) Not all publicly accessible data is meant to be publicized
This is true. But the very moment one posts data on the Internet, this data actually is publicized. Once again, one simply cannot rely on publicly accessible data not being publicized. Publication in Danah´s context means that data is link and shared. But its actual publication takes place before that. So Privacy has to be protected by more than relying on non-publication.
3) People who share personally identifiable information (PII) aren´t rejecting privacy
This is true. Big Data aggregators tend to talk about a concept of post-privacy. But just because people are posting personal information on the Internet, this does not necessarily mean, that people are rejecting privacy or that they are living in an age of post-privacy concepts. A lot of times people are just not aware, that the Internet will not forget their data. The right to be forgotten, as pointed out by Viktor Mayer-Schönberger in “Delete – the Virtue of Forgetting in the Digital Age” might help to protect people from their own carelessness.
4) Aggregating and distributing data out of context is a privacy violation
This is true. But is not all about the context. The context might change, but the data is still accessible. The context might not change, but the person who shared its data on the Internet is just not interested in sharing the data any more. Even within the same context. But the data is still accessible as well. So this has to be seen as a privacy violation as well. Once again, the right to be forgotten might help to regain control about data.
5) Privacy is not access control
This is not fully true. Privacy actually is access control. But this is not its only and foremost purpose. Its foremost purpose is the protection of human dignity and human rights. One´s right to be left alone, one´s right to enjoy privacy is not be categorized in categories such as access control or property. Privacy actually is a human right. Our attitude towards privacy issues affects the way we are shaping the future society.
So Danah was not wrong, but there is much to privacy. One point she made must be absolutely agrees upon: Despite what Larry Lessig has written in “Code”, Law will become even more important in privacy matters. One step was that the EU Data Protection regulation Reform Proposal implies the right to be forgotten. The aim has to be the development of a model where the benefits of data for businesses and researchers are balanced against individual rights (see Omer Tene/Jules Polonetsky, Privacy in the Age of Big Data: A Time for Big Decisions). It is about time!