Showing posts with label privacy. Show all posts

privacy in the age of forever

i've written before about what i think privacy is, though classifying it as an obscurity-based strategy for satisfying a basic need for safety was very high level and abstract. it could also be taken the wrong way, since people often think about safety as only applying to their physical person (i.e. physical safety). our physical bodies aren't the only thing we want to keep safe, of course. our families, our property, our reputations, our opportunities, etc. are all things we want to keep safe, all things we want to protect, and all things for which privacy can help offer some protection.

privacy is often described in terms of controlling information but on reading danah boyd's thoughts on privacy i realized it can and should be expressed a different way. controlling information is the means by which privacy is often accomplished, but it's not what privacy is actually about. while i don't agree with the narrow scope boyd used ('asserting control over social situations'), at its root was a kernel of truth. while the means by which privacy is achieved may be the control of information, the point is the control of outcomes related to that information, whether they be social outcomes, business outcomes, educational outcomes, housing outcomes, health outcomes, political outcomes, legal outcomes, etc.

controlling outcomes is, of course, the point of any strategy. the thing about strategies, though, is that their appropriateness depends heavily on the situation, and what people largely don't realize is that there is a situation which is becoming increasingly ubiquitous under which many traditional privacy strategies don't work very well.

in the online world everything is recorded and stored for consumption at a different time or in a different place. it is essentially a persistent medium through which we can interact with each other. this is a significant point because for most of human history the real world has largely been an ephemeral medium for interaction. our behaviour, and the strategies that we develop as we mature in the real world, take great advantage of the ephemeral nature of our interactions with others. if you weren't present the day your best friend made a hurtful comment about you to others in your peer group then you missed out; that experience is gone. "you had to be there", as it were. this ephemeral property of the event, the fact that the information only exists in a very particular point in time and space, serves to restrict access to that information to only those who were present at the same point in time and space.

once we start interacting online that ephemeral property ceases to exist, so access to the information that we might have otherwise expected to be restricted due to its ephemeral nature is no longer restricted in that way. we often don't realize that, however, because we take that 'ephemeral-ness' for granted. it's not easy adapting to a situation where that no longer applies.

for example, imagine for a moment that every word you speak goes into a speech bubble above your head, like in the comic books, except unlike the comics the speech bubble doesn't go away, it stays with you and allows people to read what you said 5 minutes ago or even 5 hours ago. every swear word, every uncharitable thought uttered under your breath in the heat of the moment, everything. can you imagine how you'd adapt to that sort of situation? you'd probably censor yourself a lot more than you currently do - since your utterances have become persistent the natural adaptation that would allow you to continue to control the outcomes associated with what you say is to say far less.

at first blush that might not seem unbearably bad, but let's take things a step farther because that example really only dealt with your words. this time (this is inspired by danah boyd's post, by the way), imagine you are stuck in a very large room and surrounded by everyone you ever have and ever will meet. imagine trying to live your life in this room. how do you play with your toddler in front of your business partner or a potential client? how do you woo your future wife in front of your children or your parents? how do you hang out with your high school friends in front of your future employers? how do you project an image of cool professionalism to people who saw you fall face first in a mud puddle? again, in such a situation, surrounded by people from disparate contexts of your life, the natural adaptation is to reduce the amount of information that you reveal about yourself, but think about those questions; there are certain outcomes that can't reasonably happen without revealing sensitive things about yourself.

these examples may seem absurd, but this is what it means to interact in a persistent medium. anyone, anywhere, at any time can (in theory) see the footprints you've left in that medium. your interactions in a persistent medium transcend time and space, allowing people to effectively 'TiVo' your life (or at least the portion of it that's been recorded).

obviously this represents an unacceptable state of affairs for online interaction. there's very little utility in it if it requires such profound self-censorship. that's the reason that technological privacy controls and privacy settings were invented - to help replace the access control that was lost when the information became recorded. unfortunately the technological controls don't operate the same way that ephemerality does, so trying to achieve a similar outcome with them is complicated and often not intuitive.

sean sullivan (at least i assume it was that sean) made a post on the f-secure blog that highlighted a talk given by clay shirky where he said (as quoted by sean) that "managing privacy isn't natural". technically what shirky said was that managing privacy settings isn't natural. we manage privacy every day in every interaction we make with others, but managing privacy settings by definition can't be natural because the settings themselves are artificial. this has implications for the kind of privacy one can achieve through managing such settings - it is itself an artificial, man-made analog to natural privacy, and prone not only to being incomplete in comparison to its natural counterpart but also to breaking down as all man-made things do.

but as untrustworthy as that sounds, it will have to be good enough, because we can't turn back the hands of time or halt progress. we can't even opt out of the persistent medium. oh, we might get away with staying out of the online world ourselves, but persistence is intruding into the real world more and more. public photography, for example, is turning the public sphere (which used to represent an ephemeral medium) into a much more persistent medium than it used to be. this can be a good thing when it helps to expose things like police brutality, but it poses a not insignificant problem for us as a society.

paul ducklin raised some concerns about this very problem last year on the sophos blog. at the time i didn't think his concept of public privacy made much sense, but when examined through the lens of a traditionally ephemeral medium of interaction being changed into a persistent one without people noticing or appreciating the consequences for their existing privacy strategies, it starts to be clear (to me) that this is a problem that deserves some consideration. i wouldn't consider it an invasion of privacy, per se, but perhaps it would qualify as a subversion of privacy, since it changes the environment to one where the strategies people were using to control outcomes no longer work properly, and it does so without making it clear that that had happened.

are we ready for the implications of living in a world where our actions live on beyond the moment? i don't really know. certainly we can manage our privacy settings online, and maybe we can obscure our identifying features offline (though that may interact poorly with some of our cultural norms) so that public photography becomes less of an issue. i just wonder if explaining to the next generation what it was like before everything became persistent will be the last time we ever get to use the phrase "you had to be there".


facebook's ticker: a ticking privacy timebomb?

there's a lot of pixels and bits being dedicated to the major changes that are underway at facebook, but most of the attention seems to be focused on the timeline feature. i tend to think the ticker feature deserves a lot more attention and, frankly, concern.

first off, it seems clear that facebook wants to be the destination for an ever increasing number of activities - not just farmville or mafia wars, but consuming print, audio, and video media, and even purchasing goods too. fine, facebook wants to be the web portal to end all web portals - the next AOL or compuserve - it's fine to have aspirations like that; although actually being AOL or compuserve doesn't seem to have worked out that great for AOL or compuserve in the end.

but with that breadth of possible activities in mind, the idea that facebook will now be sharing everything you do automatically seemed really rather stupid to me at first. maybe there is too much friction inhibiting sharing right now, maybe clicking a button isn't easy enough, but truly "frictionless" sharing that happens without any action taken on the user's part takes the intent out of sharing. sharing loses all meaning that way. it no longer tells you the sharer thought this article was insightful or that video was funny, it doesn't give any hint whatsoever as to whether the sharer thought something was worthwhile, it just collects everything in one big activity profile. indeed, was the person performing those activities really the sharer in that situation, or is the sharer facebook themselves?

at first you might think that the resulting poor signal/noise ratio would render facebook as irrelevant as myspace and its blinking, glittery profile pages have become. the folks at facebook seem to have realized this, though. they don't want people's main feeds to get filled with all that noise. they recognize that from a personal interaction standpoint, this data is too voluminous and unimportant. that's why they've relegated the data to a new place - the ticker.

the question you should be asking yourself right now, however, is this: if this data isn't actually useful to users when they're connecting with their friends, why is facebook interested in automatically sharing it? who is interested in that data? the answer is simple - advertisers. a large profile of everything you read, watched, listened to, and did online is for all intents and purposes your web history. in this case it will be your web history as seen through the eyes of facebook. we in the security community get upset about browser vulnerabilities leaking our browser history, or tracking cookies being used to track where we've been; the data collected for ticker is not going to be inherently different than the data acquired through those other means. furthermore, it's too voluminous and granular to be useful to anything other than an automated process that looks for certain types of patterns and trends. the kind of process you'd use for the automated targeting of ads - targeting based on your activities, your behaviour.

the ruse of "frictionless sharing" appears to be a trojan horse (not the malware variety one might traditionally think of, though) for introducing behavioural profiling for the purposes of targeted advertisements. social spyware at its best.

but even if that's not the case, even if that data really is meant for a user's friends to see and use, there is a profound implication buried in the automated sharing of everything. you can't control your public image if the choice of what you share about yourself is taken away from you. for all the hand wringing recently about the damage that real name policies do (eliminating your ability to control the personal information that your identity represents), the elimination of your ability to control your public image means the elimination of the persona - something that has been part of the social experience of humans since the dawn of mankind if not longer.

our true selves, the nature that we keep hidden behind the masks that we each present the world, is something that we innately keep private. i simply cannot believe that our social norms are headed in the direction of completely removing those social masks. giving up that private information in exchange for access to a service is a privacy bargain that we have never faced before.

so, if you thought the ways facebook could violate our privacy couldn't get much worse, you were dead wrong.