“Privacy Begins At Home” - this advertisement was brought to my attention by Steven Sinofsky’s article Bicycle For the Mind. John Rankine, former chair of American National Standards Institute (ANSI) and IBM employee of 32 years, is featured prominently in the advertisement.
When IBM considered the privacy rights of their employees in the mid-1970s, they came up with these four principles:Written statement of I.B.M., Employment Records Hearings, December 12, 1976. (see Personal Privacy In An Information Society: Appendix 3: Employment Records by the Privacy Protection Study Commission)
- Individuals should have access to the information about themselves in record-keeping systems. And there should be some procedure for individuals to find out how this information is being used.
- There should be some way for an individual to correct or amend an inaccurate record.
- An individual should be able to prevent information from being improperly disclosed or used for other than authorized purposes without his or her consent, unless required by law.
- The custodian of data files containing sensitive information should take reasonable precautions to be sure that the data are reliable and not misused.
These principles were included as part of 1977’s Report of the Privacy Protection Study Commission to President Jimmy Carter. The report was one of many US digital privacy initiatives in this era:
- A 1972 amendment to the California Constitution that included the “right of privacy among the ‘inalienable’ rights of all people. The amendment established a legal and enforceable right of privacy for every Californian. Fundamental to this right of privacy is the ability of individuals to control the use, including the sale, of their personal information.”California Legislative Information Website, Assembly Bill No. 375: Legislative Consunsel’s Digest: Today’s Law As Amended, 2018.
- A 1973 report by the United States Department of Health, Education, and Welfare on Automated Personnel Data Systems, Records, Computers, and the Rights of Citizens established the Code of Fair Information Practices.
- A 1974 national Privacy Act
- The 1975 Church Committee, a Senate-lead investigation into US intelligence’s unconstitutional spying on American citizens.
The United States has been legislating on digital privacy for half a centuryThe original Privacy Act of 1974 legislated on the narrow issue of citizen’s information held by the government. Soon thereafter, the United States Privacy Protection Study Commission found the law “had not resulted in the general benefits to the public that either its legislative history or the prevailing opinion as to its accomplishments would lead one to expect.” Their July 1977 report contained 162 recommendations to make the legislation more robust. They were never codified into law. (see The Report of the Privacy Protection Study Commission, Personal Privacy In An Information Society: Appendix 3: Employment Records (Washington, D.C.: U.S. Government Printing Office, July 1977), pg 38, 89. The full report is here)
. Why have the policies failed to provide a sense of privacy for American citizens?Dick van Lente has noted that stories about powerful technologies changing our lives often have two components. 1) a topos of cultural lag and 2) a common lapsus of the unspecified we. As it relates to this blog post, we write legislation to deal with the privacy implications of the computer. Van Lente suggests that the visions of modernity in both Francis Bacon’s The New Atlantis (1627) and Condorcet’s Esquisse d’un Tableau historique des progrès de l’esprit humain (1795) expresses a belief that “moral sensibility would keep pace with the expansion of options by technological change: they did not worry about a cultural lag.” In this blog post, I am suggesting that the legislative process was acute but the will to enforce has been myopic.
The Value of Personal Data
Advertising companies like Google and Facebook are just one spoke on the wheel of privacy. They are both among the world’s most profitable companies by selling advertisements that run against personal data.
Websites acquire this valuable data through users. The users are not the customers of a advertising-based website. The customers are the advertisers.
We believe that privacy is valuable and should be a right. But it remains in a tense relation with what we know: personal data is valuable to those who aggregate it.
No Liability For Unrecognized Value
Social media compounds the problem. They provide users tools to build a community. The companies then leverage this activity to claim status as a “town square” or a “neighborhood.” But the residents are nothing like citizens; the only “residents” with a real voice are the shareholders of the corporation that runs the website.
The users create assets for corporate benefit - they are literally doing the work that drives corporate value - but they are not employees. In this way, social media platforms keep people in an unnegotiated space between employee, customer, and citizen.The saying goes, “if you’re not the customer; you’re the product.” But products cannot have rights so it is not a useful distinction here.
But what if we recognized the work being done and treated users who create value as unpaid labor? This is how the 1970s IBM privacy guarantees would look in 2020:
- An individual can learn how their information is being used: it’s impossible for an individual to trace how their information is being bought and sold on the internet.
- An individual can correct information about themselves: the European Union’s controversial “Right to be Forgotten” provides some ability to modify a public record; an individual can request the erasure of personal data.
- An individual can prevent their information from being disclosed: again, the European Union’s controversial General Data Protection Regulation provides some form of consent; an individual can influence what information is collected (and thereby disclosed).
- The custodian of data will prevent information from being improperly disclosed: as the 2017 Equifax data breach demonstrated, organizations do not need to take any precautions to safeguard sensitive data. Data breaches have few legal or economic consequences for negligent corporations and government institutions. It remains to be seen whether or not the California Consumer Privacy Act of 2018 will have any effect.
From the same report that discussed IBM’s employee guarantees, the authors opine:The Report of the Privacy Protection Study Commission, Personal Privacy In An Information Society: Appendix 3: Employment Records (Washington, D.C.: U.S. Government Printing Office, July 1977), pg 38, 89.
IBM’s policy on disclosure to third parties outside the corporation seems uniquely responsive, both to the needs of the employee, and to the employer’s desire for clearly limited liability for disclosure.
Which points to the essence of today’s paradox. Companies hold virtually no liability for the safeguarding of data they hold. It’s too difficult to prove that individual harm is related to information found in a massive database.
Conversely, the information stored in massive databases is only valuable in aggregate.
After fifty years of experience in digital record keeping and policy making, the primacy of personal privacy is still not true in practice. The value of the data produced is simultaneously immense and worthless. Like other existential rights, such as the right to free speech, the related harms are too abstract until the moment they become concrete. The moment existential harms are realized is often beyond the point of no return.
Special thanks to Steven Sinofsky for his help contextualizing the IBM advertisement.
Also thanks to James W. Cortada, Senior Research Fellow at the University of Minnesota’s Charles Babbage Institute. The institute does have an oral history interview with John Rankine but the audio is not publicly available, nor has a transcript been prepared.