If we own ourselves, we certainly own information about ourselves. I believe this is a simple and reasonable approach that fixes many of the problems of fading privacy.
First case, public behavior. We do many things that are in public. If I take a picture of you in public, I certainly own the picture, but you own your image in that picture, which limits what I can do with it. So I can use it for my private reasons, even corporate reasons. Ditto for the security camera, my Questar telescope scanning a celebrity lek, … But unless you are one of the celebrities or other public figures who has given up expectations of privacy by your chosen role in society, I have to have your permission to do more with the information. Not different than now, same release forms.
Second case, if you are a public official doing your job, you have no right to privacy in doing it, while I as the citizen recorded by the cop’s body cam certainly do have the right to privacy while being a citizen. Citizens breaking laws forfeit the right to privacy to the extent needed to produce justice. The security camera can be shown on TV for a serious crime, but not for minor stuff. Not different than now.
Third case, some things, probably many more than now in government records, must be public by law. Court records, police records, many corporate records of public companies, charities, tax exempt organizations, … And all of the following have exceptions for criminal investigations, currently require a court order.
So our basic laws of privacy got this part of privacy mostly right, we have failed to extend that common sense into modern times.
The own-your-data approach makes a big difference in how organizations deal with individuals. If we own our data, a school may generate records of our attendance, behavior, classes and grades, and we agree to allow the school to use them for its very many purposes, but they may not share any record without our explicit agreement. That would include any identifiable-to-an-individual information sent out of the school to higher levels of the school, government, … Colleges are now asking permission to share records of classes attended and grades received, but that is new in the 1990s I believe.
In this ownership model, I would agree to allow Google to collect information from scanning my email and recording my web searches and to use it in selecting ads to display as I search or use email. But, without my agreement, Google may NOT share the IP address or email address. The IP address and email account name are my data because I have the first independent of Google and created the second myself. I allow Google to use both of them in providing service, but it may not provide them to others, that would be theft of something of value to me.
Google’s various data structures constructed from my searches and email contain information about me generated by me. Having jointly created that data, Google and I jointly own it and Google is therefore not free to use it without my agreement. A middle-way agreement might be that Google could not use that data in any way that could be connected to me without my permission. Depending upon our agreement, Google may have to give me access to the data structures holding our jointly owned data, and I would be equally restricted by Google’s joint ownership.
Data about telephone calls and cell phone locations is the same : The telephone company can use the information about my calls for its own internal uses, but may not share its data about me in any way. Again, I would probably agree to some sharing so long as the information was not linkable to me, e.g. the EFF needing that information for checking what can be derived from anonymized data.** Ditto the ISP, collect all the statistics about my traffic it wants, but it is my data that it collected from, and we jointly own it.
Ditto for banks and credit card companies and government and …
I own my computers and phones, thus no web site can place cookies on my systems without my explicit agreement. I see arguments on both sides for whether ads or ad companies need to ask my permission to check for cookies — probably it isn’t something easy to prevent, so should not be prohibited. But the fact of a cookie on my system is also my information, and may not be shared without my explicit permission.
Comments on a web site : Jointly owned, tho you give up ownership by posting anonymously or using a handle that does not easily link to you.
Posts on a web site, standard copyright. Those are personally-created data, owned by you. Copyrights are implicit contracts that lower the cost of dealing with those rights, similar to what we want to create for other personal data.
I believe individuals owning data they create will remove the standard excuses of corporations and governments, that they own the data and can do with it what they wish or nobody owns it at all. If we are going to have privacy, only the individual can own the information about themselves.
The argument is quite parallel to the standard Libertarian “Taxation is theft because it is taking my labor without compensation”. Privacy violations are theft because they are taking my data without compensation.
Privacy violations are serious because non-privacy enables consolidated power that is tyranny. Thus privacy is a civil right as fundamental as any of the US Constitution’s Bill of Rights.
Very clearly, a group like NSA or the police cannot legally access any of my data via tapping lines or intercepting radio waves because I have not authorized them to deal with my data in any way. I have no contractual relationship with them as I do with my ISP or web sites that I visit or my MD or …*
This ‘you own your data’ seems rather simple so I searched for other approaches. The EU’s data privacy laws are one. Definitely not simpler. You don’t own your data in the EU, non-you entities are restricted in what they can do with it, an entirely different frame. There are many apparently-tough restrictions but also enough exceptions that no powerful entity such as a government or collector of data for the government will be limited.
As usual, I start searching for other opinion after thinking something through ‘on my own’, meaning guided by vague memories that I think original insights and an occasional association that might be. This asks the right question, I think ‘the individual’ is the right answer for every example they give. This is a good discussion of the situation and mentions that Germany says you control your data. This says the entire idea of data is property is under attack by government. And finally, a good discussion. He predicts a sequence toward owning our data and being paid to use it.
Thoughts from readers are greatly needed in this kind of thing. I believe that a correct model of data ownership is the key to the secure and private web that will rise on the overlay networks and gradually obsolete the existing web. It is key to an honest society.
*This, I think, is a declining risk, because NSA is about to collect zero information : encryption is very much stronger than decryption, and overlay networks will hide all data traffic, end-to-end, from any transporting entity. Tap all of the transport links you will, you will get very little for the efforts. Thus another reason for NSA focusing on hacking into systems rather than defending against hackers. NSA can’t protect America’s Secrets, Snowden told us that, OMB, Joint Chiefs of Staff mail system, and the nearly-weekly stories of other data raids reinforce the point.
**Probably a bad example, as so much information is routinely found in anonymized data that can in fact be traced back to the creator/owner. Certainly sharing cannot be done via queries in a database, that is well-known to allow isolating individual’s data values, at least if enough queries can be done.
I put off starting this post for a month because I thought it was going to be hard to construct a rule that allowed things that need to continue to continue while stopping the massive invasions of privacy. It was trivial. Perhaps I am missing something quite major, always entirely possible and it wouldn’t be the first time. I read a lot, have been interested in privacy and security for years, nevertheless didn’t understand any of this, just that the system was broken because I didn’t control their use of my data. Another case of the obvious not being discussed in public? Why would that be? I believe Google, Facebook, the ad companies, … have thought about this.
Added later : a bit of a precedent.