The dangers of eroding privacy
We are living in an age where information is fast becoming the most important commodity. This has created a new class of poor people. Apart from the ‘have-nots’ we now also have the ‘know-nots’, people who are not privy to certain types of information. Because information is so valuable, lots of companies, agencies and governments are doing their utmost to get their hands on our data. I recently did a little survey of my own situation and I came to the conclusion that there are well over 120 separate entities who have some kind of information about me. These are just the entities that I am aware of, of course. There may be many more that I am not immediately aware of, like marketing companies, stores, publishers and last but not least: government agencies.
Our privacy is disappearing
With all those entities our there, gathering, warehousing, analysing and correlating our data, our privacy is disappearing fast. We are actively contributing to that disappearance by volunteering our information on sites such as Myspace, Facebook, LinkedIn and so on. And with cloud computing as the next hot thing, more and more of our company and personal data will be stored in places where we really are no longer in control of said information. A lot of things concerning cloud computing are still uncertain, such as who owns the information being stored in the cloud, which privacy laws apply to that information, etc. For instance, if the data that I put into the cloud gets stored on a server in the USA, do Dutch privacy laws apply, or US privacy laws? What if there is a conflict between me and the cloud owner? Do I lose access to the data? Until such fundamental questions are answered, do we really want to start putting our data in the cloud?
Annoying as direct marketing and telemarketers calling during dinner are, those issues concern me less than another kind of snooping: that of our governments. Of course the government has always had all kinds of data on us: birth certificates, marriage certificates, property information, identity information, employment status, income status, car ownership and more. However, that information has always been fragmented. Birth and marriage certificates were held by the municipal government, ownership of houses or land was stored at the land register, identity information was stored at the ministry of the interior, the justice department or the municipal government, depending on the kind of information, employment and income information was the field of the tax department and car ownership was dealt with by the department of motor vehicles. This information was nearly always paper information. So if say the tax department wanted to know if I owned a car, they’d have to get in touch with the department of motor vehicles to see if they had a registration on me. This would then be faxed to the tax department. When computers came around, it was the logical thing to input all this information into databases, so that it could be indexed, accessed and searched as need be. This made the information more readily available which meant an increase in efficiency but the information was still fragmented and spread over the many different branches of the government.
Now that the information age is upon us, computer networks are ubiquitous and commonplace and we are used to always being connected. The government has also become aware that it has all this information on its citizens and that it would mean a tremendous increase in efficiency if all this information could be pooled so that it would all be accessible to those civil servants that need it. In The Netherlands, this process is happening at the moment. Pretty soon, if the municipal government wants to know about which buildings I own, they can query the land register database directly. If the tax department wants to know if I own a car, they can retrieve the information from the department of motor vehicles without leaving their desk or picking up the phone.
When you think about it, you have to admit that it makes sense to connect all this information together. It will save the government a lot of work and it also cuts down on paperwork for civilians. You only have to provide your information once and the rest of the needed information can come out of the various databases the government has.
However, if we look at the Dutch government, the process seems a bit more sinister than just an increase of efficiency. Several large projects have been launched, or may launch that will give our government a vast array of information on its citizens, more than any other government has ever had in the past. Let’s take a quick look at all the information the Dutch government has, gathers and sometimes shares with foreign governments, often without our knowledge.
- All Dutch Telecom providers are required to store traffic information on all customers for a period of 12 months. The reason: law enforcement officials may need access to this information to help them solve crimes or to track terrorists. This means that our government has cast an enormous dragnet into the sea of information to catch a few fish that may or may not be there. It also means that all Dutch phone and Internet users are under constant surveillance. The government is yet to demonstrate how efficient this dragnet is, how it is helping them and indeed how exactly it is being used. What is known is that a Dutch phone or Internet user is 200 times more likely to be monitored than for instance a US phone or Internet user. For more information, check the links below. The articles are all in Dutch.
For a list of things that are being stored, please see here.
Our politicians are seeing the light, perhaps: BOF.
- Since the introduction of the digital public transportation pass (OV-chipkaart in Dutch), all travel data of its users is stored for a period of 7 years, even though this is in violation of Dutch privacy laws, which stipulate that private information should not be kept longer than strictly necessary. There is no reason to keep this data (at least not the personal part of it) much longer than just after the financial transactions required have been completed. So why is this information being kept for 7 years?
- The introduction of the EPD, Electronic Patient Dossier, will make a patient’s medical records available to any healthcare professional. The security of this system has already been demonstrated to be weak. Yet the Dutch government forges ahead with this plan, planning to make use of the EPD mandatory for all healthcare providers. There was talk of access for patients, so that they could examine their own dossier, however this has run into technical difficulties, because secure access could not be guaranteed. If the government can’t give me secure access to my own information, how can they possibly secure this system. Webwereld has a complete dossier on the EPD, which makes for a rather terrifying read.
- A plan which now (thank heavens) appears to be temporarily off the table, is the plan to introduce a new tax system which would allow Dutch motorists to pay per kilometre driven and no longer a fixed fee per weight class of a car. A fairer system, certainly. But the price in loss of privacy would have been tremendous. Instead of regularly checking the amount of kilometres driven, say for instance during scheduled maintenance at a dealer, the Dutch government was planning to fit every car with a GPS device, which would keep track exactly where each car had been. The data could be read remotely and the owner of the car then billed. But imagine what this would mean: the government would know at all times where every car registered in the Netherlands is! They would have the possibility to track all of your trips. Combined with the digital public transportation pass mentioned above, this would pretty much put an end to free and unrestricted travel. Fortunately, this plan is on ice. For now. See here for more information.
- Something you don’t hear much about any more, because there’s not much in the news about it, is internet censorship. On purpose? I don’t know, but it gives you something to think about. The internet filter was implemented to stop kiddie porn and “terrorist publications”, not that it helps much, because kiddie porn isn’t just downloaded from an average website. The police determine what gets filtered and Dutch providers have to comply. However, there is no democratic review of this process. No external control whatsoever. So who is to know what else is filtered out?
While minister Opstelten has allowed Dutch ISPs to halt implementation of the internet filter, something else and more sinister looms on the horizon: DPI or deep packet inspection. If this is implemented on a large scale by ISPs operating in the Netherlands, all Dutch internet users will be under permanent surveillance. And since DPI can actually look inside data packets to see what kind of data is being transmitted, it is a much larger danger to our privacy.
A lot of this stuff above is being done without much of a review process. There is often no way for a single citizen to see who has access to his private information or how that information is being processed. There is also little reporting to parliament. It is unclear for instance, how many people have been tapped through the internet and for what reasons. It is also unclear how many criminals and terrorists have been arrested as a result of the internet dragnet. Surely you’d want to monitor the effectiveness of such measures? Our government also does not want to reveal which websites it has blocked or filtered. It would be a good thing if there was some kind of impartial review of these measures and some kind of evaluation of effectiveness.
Nothing to hide?
An oft heard argument of people who do not object to the data harvesting and data mining above, is that they have nothing to hide. But this is turning the entire argument upside down. It is not about you having something to hide or not. The question is “who wants to know something about me and why?”. You may trust the government when it requests your information but I think that the question why they want to know something about me, is a valid one. Why should it be the government’s business that I called my mother last night? Why should they know that today, I visited www.geenstijl.nl and www.linkedin.com, for instance? And when the government knows this, how is it going to use this information? Who will have access to it, now or in the future? As long as such questions are not answered, I think it is legitimate to question the motives of those wanting the data.
Furthermore, everybody has something to hide, not just criminals, terrorists or paedophiles. Most people close their curtains at night. Why? So people from the outside can not look in. Why don’t they want people from the outside to look in? I suppose because they want to sit in their home unobserved, in other words, they want their privacy.
Would you let your employer read all of the emails you sent out? Even that one critical one about that one manager you thought was so incompetent? How about the messages full of sexual innuendo to that one hot person in the next room? Your messages to the fertility clinic, or a health care provider? My guess is that you’d probably not want that.
Wouldn’t it make you slightly uncomfortable if the mail man handed you your mail, telling you that you are not approved for a loan you applied for, you mother’s bunion is acting up again and commended you on your choice of sex toy from that one mail order company? It probably would, wouldn’t it?
In a time when identity theft and identity fraud are becoming increasingly common, it makes sense to protect your personal information. It makes you safer from this sort of crime. This goes beyond shielding the keypad with your hand when you enter your PIN number. Things like date of birth, place of birth, name of your partner, employee information, insurance data, they can all be important information for identity fraudsters so you should do your best to keep this information secret.
As we have seen, privacy and the protection of personal information is important for people individually. For a large group of people as a whole, it is more than important: it is vital. I believe that a country such as the Netherlands, where we have freedom of speech, where we have democracy, should do its utmost to protect the privacy of its citizens. People should be able to gather in private, say things privately, call in private and use the internet privately without censorship and without eavesdropping by an information-hungry government. If a government deploys nationwide dragnets, gathers information, harvests data and profiles its people, can such people be said to have free speech? Can true democracy exist if a government spies on and criminalizes its own people, the people that it is supposed to represent?
I think the job of our government should not be harvesting, profiling and sharing our information with other nations. Rather, it should be the job of our government to ensure we have a free internet, that we have the ability to call without some government spook monitoring us, to keep information free and combat censorship. In short, the government should be protecting us from prying eyes and ears and keep our information safe. At the very least, our government should be open about the information it has about us, allow us to review this information and implement some system of checks and balances so that no citizen can be monitored without good reason.