Joi Ito's Web

Joi Ito's conversation with the living web.

Some thoughts I wrote to a discussion online about privacy based
on our discussion yesterday. (12/20/2001)

A lot of this is taken from the EPIC Privacy Law Sourcebook.

Privacy is a very difficult word to define. Justice Brandeis of the US Supreme Court said that privacy was the "right to be left alone." In Japan, Ruth Gavison says privacy has three elements: secrecy, anonymity and solitude. Article 13 of the Japanese constitution says:
All of the people shall be respected as individuals. Their right to life, liberty, and the pursuit of happiness shall, to the extent that it does not interfere with the public welfare, be the supreme consideration in legislation and in other governmental affairs.

You can break down privacy into four concepts:

Information Privacy or "data protection"

Bodily privacy such as drug testing and cavity searches

Privacy of communications (Article 21 of the Japanese constitution: Freedom of assembly and association as well as speech, press and all other forms of expression are guaranteed. 2) No censorship shall be maintained, nor shall the secrecy of any means of communication be violated. )

Territorial privacy such as intrusion, searches and ID checks. (Article 23 The right of all persons to be secure in their homes, papers and effects against entries, searches and seizures shall not be impaired except upon warrant issued for adequate cause and particularly describing the place to be searched and things to be seized, or except as provided by Article 33. 2) Each search or seizure shall be made upon separate warrant issued by a competent judicial officer. )

20 years ago, the OECD (Organisation for Economic Co-operation and Development) developed 8 guidelines for governments and companies to follow regarding privacy. These guidelines serve as the basis of privacy discussion today.

Collection Limitation Principle
There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject

Data Quality Principle
Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.

Purpose Specification Principle
The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.

Use Limitation Principle
Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with Paragraph 9 except: (a) with the consent of the data subject; or (b) by the authority of law.

Security Safeguards Principle
Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.

Openness Principle
There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.

Individual Participation Principle
An individual should have the right: (a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; (b) to have communicated to him, data relating to him (i) within a reasonable time; (ii) at a charge, if any, that is not excessive; (iii) in a reasonable manner; and (iv) in a form that is readily intelligible to him; (c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and (d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended.

Accountability Principle
A data controller should be accountable for complying with measures which give effect to the principles stated above.

I think these principles are generally very good, but there are several technological changes that make things quite different from when these guidelines were originally written. Data is no longer stored in large mainframes but is distributed, so "destroying" or "protecting" information is almost impossible.

Security is also impossible to assure.

IDs can be forged, and it is very difficult to make sure that only authorized people can have access to the data.

Therefore, I believe that the key to protecting privacy in a networked environment is to limit the amount of information we create. This can be done by creating limited ID subsets such as pen names, or by having the ability to conduct anonymous transactions. Marketing and profiling can be conducted locally, for instance.
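One concrete way to build "limited ID subsets" is to give each service its own pseudonym for a person, derived by an identity holder from a master identifier and a secret it never shares. The example below is added here to illustrate that idea; it is not code from the original post, and it assumes a hypothetical identity holder that keeps the master secret, with all identifiers and service names being constructed sample values. Two services that compare notes get different pseudonyms for the same person and cannot link them; the same service always gets the same pseudonym, so the relationship still works.

```python
import hmac
import hashlib
import secrets

# Constructed sample: the identity holder's master secret. In practice this would
# live in a key store; it is the only thing that can tie pseudonyms back to a person.
MASTER_SECRET = secrets.token_bytes(32)


def derive_pseudonym(master_secret: bytes, service: str, master_id: str) -> str:
    """Derive a stable, per-service pseudonym for one person.

    HMAC-SHA256 keyed with the master secret over (service, master_id). Without the
    secret a service cannot compute, reverse, or correlate these values, so the
    master_id itself never has to be created or stored on the service side.
    """
    message = f"{service}\x00{master_id}".encode("utf-8")
    return hmac.new(master_secret, message, hashlib.sha256).hexdigest()[:32]


def verify_pseudonym(master_secret: bytes, service: str, master_id: str,
                     pseudonym: str) -> bool:
    """Let the identity holder confirm a pseudonym belongs to a person.

    Recomputes the value and compares in constant time; this is the only party
    that can perform the link, which is the accountability point of the design.
    """
    expected = derive_pseudonym(master_secret, service, master_id)
    return hmac.compare_digest(expected, pseudonym)


def services_can_link(master_secret: bytes, master_id: str,
                      service_a: str, service_b: str) -> bool:
    """True if two services would see the same identifier for this person.

    For two distinct services this returns False: the pseudonyms differ, so a
    naive join on "user id" across the two databases yields nothing.
    """
    a = derive_pseudonym(master_secret, service_a, master_id)
    b = derive_pseudonym(master_secret, service_b, master_id)
    return a == b


if __name__ == "__main__":
    # Constructed sample person and services.
    person = "resident-000123"
    shop = derive_pseudonym(MASTER_SECRET, "bookshop.example", person)
    clinic = derive_pseudonym(MASTER_SECRET, "clinic.example", person)
    print("bookshop sees:", shop)
    print("clinic sees:  ", clinic)
    print("linkable by the services themselves:",
          services_can_link(MASTER_SECRET, person, "bookshop.example", "clinic.example"))
    print("identity holder can confirm the bookshop pseudonym:",
          verify_pseudonym(MASTER_SECRET, "bookshop.example", person, shop))
```

The design choice here is that the data the services hold is deliberately less than a full identity: each record points only to a context-bound pseudonym, which matches the argument above that the practical protection is to create less linkable information rather than to try to secure everything after the fact.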

This is where the Japanese kokumin bango issue comes in. One of the big problems with the current law is that there is an IC card/ID card associated with it. Germany has decided that a national ID like this is unconstitutional. Korea has recently stopped it as well. Although there is a lot of data about us on the network (we should try to create less), the new law makes it very difficult not to carry a picture ID with your number on it around with you. Although it is not written in the law, lawmakers are already contemplating tagging of genetic information, medical records, arrest records (even if you are not guilty), etc.

One last point is that abuse by commercial interests, individuals and government are also very different from one another. One of my main fears is that broadly defined laws that allow the government to collect data, without a mechanism for anyone to check what it is being used for, open the possibility of abuse without any ability to monitor it.

I'll give some more examples of things that might happen later...