Is the Solution to Online Privacy Simply a Question of Ownership?

"Privacy is dead, deal with it" - Scott McNealy then CEO of Sun
"If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place." - Eric Schmidt, CEO of Google
Zuck: Yeah so if you ever need info about anyone at Harvard Zuck: Just ask. Zuck: I have over 4,000 emails, pictures, addresses, SNS [Unknown Friend]: What? How'd you manage that one? Zuck: People just submitted it. Zuck: I don't know why. Zuck: They "trust me" Zuck: Dumb f*cks -Alleged conversation between Mark Zuckerberg, CEO of Facebook and an unknown friend

Is Privacy broken?

The problem with privacy, like many things, is counter intuitive. It has very little to do with what information I choose to keep private. The problem instead lies in the question of who owns "my" information once I choose to release it? For example Facebook didn't force me to enter in my likes and dislikes, I shared it willingly, but unfortunately once I shared it to them, it ceased to be my information and it became their choice as to what they wanted to do with it. More specifically because we allow personal information to be owned by companies and not the person in question we as individuals have little control over what companies do with our information. This is the root of many of our privacy issues and I believe that all attempts to address online privacy issues will likely continue to amount to nothing more than privacy theater until we can call our personal information personal property.

Who owns your age?

If you are 35 years old, who owns that piece of information? Likewise who owns your name, address or coffee preferences? If a company scanned in your birth certificate, looked up your home address in the phone book or paid Starbucks for your choice of coffee the answer is someone other than you. No matter how hard you try to own this information and protect it like you would any other personal property you can't. Information about you doesn't have an implied owner (you) and when information is collected about you, that information belongs to the collector. You can ask the collector to delete the information but chances are they are under no obligation to do so because your information is their information. This is the problem.

Simply put, privacy is not going to exist until personal information is given the same protections as personal property. Without that distinction there is nothing to imply that you or I have any rights to the very information that defines who we are. Sure we could inject layers of privacy legislation into the legal system like Germany has done with some of the strictest privacy rules in the world but what if we took another approach and let people own not just their age but the very knowledge of their age?

If you love something, set it free?

Of course there are other alternatives, full and complete transparency and the removal of privacy altogether is one of them. Your might compare this approach similar to life in a village. If you have ever lived in a small community or even traveled with a small group for a extended period of time you know how quickly most privacy goes out the window. Share a secret with a few people and soon the whole tribe knows. There is something liberating in this approach but unfortunately it doesn't scale. The Internet is not a small village. The reason zero privacy works at a village level is because that transparency also comes with context which helps you put that information into perspective. On the Internet when you read about how some complete stranger jumped through a wall of boxes you might think any number of things about that person but unfortunately you have no context and are free to come to any number of likely wrong conclusions.

The other problem is authentication, unfortunately for modern society we use things that are too easy to learn or obtain (like age, social security number or zip code) to authenticate ourselves which is why identity theft is so easy. This problem would get dramatically worse if suddenly we moved to full transparency without thinking about authentication at the same time. Unfortunately when one starts to think about privacy and threats it leads some people to say things like this:

"The only way to manage this is true transparency and no anonymity. In a world of asynchronous threats, it is too dangerous for there not to be some way to identify you. We need a [verified] name service for people. Governments will demand it." - Eric Schmidt, CEO of Google, on the misuse of information & technology for criminal purposes

Unfortunately Schmidt confuses eliminating privacy with security by making the claim that in today's world you can't have privacy if you want to have security which is a pretty dangerous conclusion to make. Of course full transparency and a verified identity system would be advantageous to a company that makes it's money from knowing exactly what sort of coffee you like to drink in the morning. But what if you don't want Google to know these things? Unfortunately there is nothing you can do unless you decide you will start making your own coffee in the morning.

End the Madness

I won't go into my thoughts on identity other than to say if you want to start thinking about it start with what is perhaps the most famous presentation on the subject of identity by Dick Hardt, CEO of Sxip Identity. Dick outlined a solution for identity that operated much like your driver license and didn't require a central directory to operate. The lack of a directory is important to privacy because without separating the knowledge of using an ID from the ID issuing party you have a privacy problem (unless of course it's a closed system).

Instead getting back to the issue of privacy the the problem with either full transparency or limited transparency is again that the issue is not in our rights and ability to keep something private or not, but in the rights we have to our own information when we decide to release it, which inevitably we have to do to function in any society. Even if we were to choose a full transparency model we still wouldn't own our information. I'm going to give Amazon my address and credit card number because I want to do business with them, but what if I don't want to anymore? They are under no obligation to delete "my" information. However if we were to start treating personal information as personal property, Amazon would have to ask me for permission before they shared it to someone else and delete (return) it when I demanded it. Society would suddenly have a set of rules and penalties for handling personal information just like we do for any other personal property and the control would move back to where it should have been all along, the individual who likes Caramel Macchiatos.

Of course we could choose to give away our personal information just like we can sell or give away our personal property and then maybe not a whole lot would change. Then again the decision regarding our personal information and how it's used would be our decision from the start for once. That alone could be a huge change by putting the balance of power back in our hands and changing how we view privacy forever.

What do you think?