Don Marti

Tue 31 Dec 2013 08:02:51 AM PST

Privacy snake oil

Remember how Bruce Schneier used to do those security snake oil posts? Somebody needs to start doing that for privacy.

Here's a great example of privacy snake oil: "The primary NSA issue isn't privacy, it's authority" by Jeff Jarvis.

"I also think that my cancer hospital, Sloan-Kettering, should collect data about how many penises, including mine, still function properly after prostate surgery there because that information and associated metadata about surgeons and age and other conditions could be valuable to the patients who follow. Of course, I expect that data to be held anonymously."

But there is no such thing as depersonalized or safe data about a person. You can't magically assume that because some large institution has a policy where everyone has to raise his or her right hand and say something nice about privacy, that the data won't get out there.

And "white dude who chooses to write about his penis" shouldn't be the benchmark for privacy policy anyway, but that's a whole other issue.

Here's the real problem, explained in an Atlantic piece by Rebecca J. Rosen: "It Is Trivially Easy to Match Metadata to Real People."

"As federal district judge Richard Leon wrote in his decision last week, 'There is also nothing stopping the Government from skipping the [National Security Letter] step altogether and using public databases or any of its other vast resources to match phone numbers with subscribers.'"

Yes, that's right. Real people. Not hypothetical "wouldn't it be nifty if in the future..." people, but real people with all the stalkers, scammers, data brokers, and assorted creeps who have just as much access to the surveillance-marketing complex as anybody else.

Gervase Markham thinks it through, in "Location Services and Privacy."

"Now, as Mozilla, our initial impulse as an open organization would be to release all the raw collected data to the public so people can build awesome things we haven't even thought of yet. However, it turns out that this data comes with some interesting privacy challenges."

Yes, code should be free, and so on, but what about wireless MAC addresses? What about all the other privacy use cases?

Privacy is hard.

Schneier's snake oilers were always trying to re-use one-time pads. You can't do that. Likewise, you can't collect and store PII—and it's all PII—and not have it come back to bite the people that it's about.

Bonus links

RAND: Commentary by RAND Staff: Opt-In, Opt-Out; Why Not Forced Choice?

Top News - MIT Technology Review: Data Discrimination Means the Poor May Experience a Different Internet (via Hack Education)

Mason Weisz: California Ballot Initiative Would Create Presumption that PII is Confidential and that Unauthorized Disclosure Causes Harm

Doc Searls: Marketing isn’t getting the market’s message

Mike Williams: Easily block cookies, images, scripts and more with Chrome's HTTP Switchboard

Bruce Schneier: A Fraying of the Public/Private Surveillance Partnership

Michelle Richardson: Feinstein's NSA bill shows she doesn't have a clue about intelligence reform

Evgeny Morozov: The Real Privacy Problem

Chloe Green: Survey warns of looming consumer revolt on private data sharing

Bruce Schneier: Surveillance as a Business Model

Alice Marwick: How Your Data Are Being Deeply Mined