Each time we’ve come into a surveillance-oriented debate, there’s always a codicil that requires us to compare private vs. state data collection habits. Much of the debate focuses on which type of actor is worse in privacy violations. Left-leaning debaters point out that private firms already collect vast amounts of data and do so without any effective government oversight, while right-leaning debaters counter with the fact that private companies can’t arrest you. When you combine these perspectives, it’s clear that data-based privacy is simply not well defined. This is the root cause of so many of our problems in the information age: we have no control over information that involves our person.
One of the terms of art used when defining Fourth Amendment searches under US common law is the concept of a “reasonable expectation of privacy”. This is a concept that has evolved over time, starting with the first solid application of communications privacy in Ex Parte Jackson (1877). New technologies have always presented a problem for defining privacy. In the early telephone wiretapping case Olmstead (1928), the Court insisted that the very act of transmitting your voice through copper wire negated any expectation of privacy. This was eventually corrected in Katz (1967), where Justice Harlan crafted the two-pronged “reasonable expectation of privacy” test in his concurrence. The Court would later officially adopt the test in Smith v. Maryland, which tested the constitutionality of trap/trace devices (what we might consider the first use of “telephone metadata”).
The test employed by the Court has two prongs:
- Does the individual have a subjective expectation of privacy?
- Would the rest of society recognize that expectation as reasonable?
Today we face a situation where the subjective expectations of end-users of online services are substantially different from what the state and private firms consider reasonable. An example of this disconnect can be seen in the reactions to the AP phone records story. The collection of telephone data outside of the content of calls was considered outside the bounds of reasonable expectations of privacy (both legally and by the firm who provided the data), but not by the public once the collection became public.
We could, of course, wait for another generation or two of Supreme Court justices to pass through SCOTUS and then overturn Smith v. Maryland, but it seems to me that the way forward requires proactive definitions of what acceptable and unacceptable uses of data pertaining to an individual are.
HIPAA’s introduction of medical records privacy regulations has helped make patient information substantially harder to connect with individual people. Just as it was unreasonable to expect medical service providers to stop collecting and archiving medical data on individuals, given the state of online media writ large, demanding widespread data-retention bans is unrealistic. What the US (and by extension the world) needs is a system to monitor and account for data associated with a specific individual. There should be a narrow list of allowed uses of such data, criminal and civil penalties for violating these uses, methods for customers to know when their data is being accessed, and an active definition based on legislation rather than waiting for court precedent.
The simple fact of the matter is that the NSA revelations have shown us there are many uses for data collected by private entities. While data collection by Google or Facebook might help their advertising models, it can also be used by intelligence agencies for pattern analysis. The trend toward putting more and more of our lives in cloud storage is unlikely to abate, meaning that we need to take a proactive stance on protecting our data. We need to expand this definition to include data that can personally identify us in ANY way, and create legal remedies if this data is accessed without our consent.
A data-driven society requires data to be collected. But as individuals we should have the power to restrict who has access to that data, absent sufficient cause to issue a warrant. The debate we must have about privacy isn’t simply about database access or record keeping, but about the fundamental nature of our personal data. Only then can we start curing the underlying illness in our surveillance state.