Coveting Personal Data · Tuesday May 13, 2008 by Crosbie Fitch
Recently I’ve noticed a fair bit of ‘data envy’ going on – suspicion and concern about the personal data silos being constructed for commercial motives. While it may be wise to remain suspicious and concerned about any corporation’s motives, many people appear to feel that personal data about them naturally remains private to them and should rightfully be surrendered, deleted, or tightly controlled at the subject’s behest by any entity who collects it.
This is a spurious, if not superstitious elevation of data into the property of the person it describes instead of the property of its possessor. It would appear to be informed by the same mindset that finds copyright wholesome, i.e. that a copy of an artwork may be sold or given away, but the intellectual work within it remains the property of its author (or their assigns).
I think it’s because people have mistaken personal data as a quasi-autonomous object able to make revealing statements about the person. Consequently, such powerful data is rightfully the property of the person it makes statements about – not to be contemptuously exchanged between merchants as some kind of commodity. Or so the thinking would appear to go.
The problem is, there is no such thing as intrinsically authoritative data. For data to be potent we always need an author who will be authoritative about it. Either the author who originated it, or the author who communicates it.
In other words, data, not being a sentient being, cannot be held responsible for its own veracity. It does not have a life of its own, nor can it possess any intrinsic value. For such potency it needs a context in which someone gives it meaning. Even if data constitutes the recording of an action or statement, it is impotent until it is spoken or otherwise communicated, and it is then the author and speaker who are responsible for it, not the statement.
Simply because a database contains data from which factual statements tend to be asserted does not actually confer an ability to be authoritative on the data or the database. The database owner is the authority and they make assertions from their data according to their confidence in its accuracy. Someone else may be able to inspect the database and to guess the assertions that the owner might be inclined to make, and may even have the audacity to make assertions of their own simply from such guess work. However, it is not the data that is authoritative or thus culpable, but the person who uses it to make statements. That is not to say that there are no irresponsible database owners who pretend to imbue their databases with autonomy sufficient to make authoritative statements upon their behalf (“The computer says you are deceased – QED – so you are.” and see Brazil).
Therefore if data is used to make statements about someone, then that someone is not so much entitled to control over the data, but entitled to truthfulness in whatever statements are made about them. It is the database owner in their dutiful care for accuracy who necessarily takes pains to ensure they have control over the data within their database (including access to it).
At the end of the day, someone makes a statement to another party – presumably voluntarily, e.g. “I, Fred Smith, am HIV positive”. The other party then chooses to record details of this in their database.
Fred does not own the data. The database owner owns the data, but then it only has meaning for them. The data typically represents a recording of someone’s statement or action – it is not the viva voce statement itself, nor can the permanence of the recording give permanence to the statement.
There are no privacy or property rights here as far as Fred is concerned, but moral rights – rights to truth.
If Fred didn’t want the database owner to be able to make statements about Fred’s immune system with confident accuracy, then Fred shouldn’t have imparted this information in the first place.
“Well, what’s the point of privacy if it doesn’t stop people blabbing to all and sundry about one’s private affairs?”
In the context of personal data, privacy is not the right to control what other people record or say about you (even if of a personal nature), but to prevent others having access to your private domain and all your personal data or secrets within it, and if they do via unauthorised access obtain such information, to prevent them revealing it further (necessarily returning/restoring any copies they’ve removed and destroying any additional copies they’ve made).
However, if you voluntarily reveal one of your secrets to someone, you have no right to control whether they reveal it to anyone else. You might like such power over your fellow man, but it would be an unethical privilege if granted. Even so, the secret remains private to those who legitimately know it. Simply because a secret has been told to another, does not void either confidant’s right to privacy (protection of the secret they share from access by another that neither authorises – joint authorisation being unnecessary).
Instead of a natural right or unnatural privilege to control the circulation of one’s secrets, what we naturally have instead is discretion and confidence. It is up to the individuals concerned to reassure each other as to what degree of discretion can be expected for any private information exchanged between them. This cannot be binding. Even so, the breaking of confidence can have ramifications for one’s reputation. So there are natural repercussions that obviate the need for unethical legislation.
There are two responses to this situation (if one considers the voluntary surrendering of personal details the surrendering of control over their circulation, and yet one wishes to deny any abusive or exploitative use by those in possession):
- The Horse’s Mouth convention
- The Boliaunification1 method
The Horse’s Mouth response is based on a convention (and reasonable argument) that no statement concerning someone’s personal details can be considered reliably authoritative unless it is currently issued by the person themselves – and if they won’t tell you, you can’t reliably know – all other statements must be considered unreliable hearsay. Adriana Lukas has proposed something along these lines.
After all, as I’ve already noted, veracity cannot reside in data, but must reside in people’s statements and actions. Simply because there’s a binary digit in a database that is 1 rather than 0, this does not constitute evidence that someone is a student, say. It may simply represent that this is the best known status of an applicant, hopefully entered voluntarily and thus accurately by them, possibly having been guessed by someone else, probably being out of date. Don’t ask for the digit nor that it not be recorded, but demand that statements based upon it must be truthful, and thus that decisions are correctly informed.
The Boliaunification1 response simply neutralises the restricted circulation status of any personal data in anyone else’s possession by publishing it, either authoritatively, or in a variegated2 manner by issuing contradictory statements (likely to impair truth, so unlikely to be ethical). Publishing authoritatively also achieves a ‘horse’s mouth’ effect, e.g. “Not only is your recording of my personal data no longer exclusive it is no longer as good as my live and fully historical feed”.
For confidences of personal details between people, it is a matter of mutual respect and confidence in each others discretion as far as it is agreed, offered, or to be expected.
Talking of which, I note with consternation some people’s expectations that they have a right for their private correspondence to remain unpublished, even if it is disrespectful, as in e-mail bullying. If a correspondent does not respect the recipient they can have no expectation that the recipient will respect the sender or the sender’s desire for their disrespectful missive not to be further circulated or published.
- Ownership of data rightfully accrues to its legitimate possessor, not its subject, even if the data is of a personal nature.
- The natural right to privacy protects personal or other data against access or theft, but not against disclosure by its authorised recipients.
- The natural right to truth protects people against others making false statements about them, of a personal nature or otherwise.
- Despite an understandable desire by people to have control over circulation of their disclosed secrets and their confidants’ statement of them, moreover to have control over others’ data and databases that may be relied upon to make such statements, there is no such natural right, nor sanction for such an unnatural privilege to be created4.
|Thou shalt not covet thy neighbour’s data, even if it concerns thee.|
- to intentionally make something inconspicuous, insignificant, valueless or non-exclusive, by mass proliferation of copies or other means of diffusion (especially something over which one has no direct control). From the ‘Field of Boliauns’ legend.
2 Variegated Boliaunification:
- to boliaunify by profusion of similar items, not necessarily copies.
3 Pre-emptive Boliaunification:
- to boliaunify something over which one has direct control as a precaution against it otherwise being at risk of another’s appropriation or exclusive control, e.g. the act of publishing details of one’s new invention in order to preserve the ability to use it by preventing it from being patented – also avoiding patent/litigation costs.
4 The UK Data Protection Act is not so much a privilege as a statutory remedy against inaccuracy (and consequentially misinformed decisions with potentially adverse consequences) within corporate databases (especially those that may tend to be abused as intrinsically authoritative).