Privacy, surveillance and ethics

Over on that infamous Telegram group where all good threads go to die, @ravi312 wrote

I think more awareness should happen about licensing and OER so that people are better informed and it becomes part of documentation process. I wish, educators and children can be introduced to this important topic early on as part of their digital literacy coursework including themes such as privacy, surveillance and ethics.

Here was my response, archived here for posterity, and also for the reading and contributing pleasure of others.

In my view, privacy, surveillance and ethics, yes (for children, esp). Licensing, meh. I am not sure. Which is a polite way of saying that I am quite sure the answer should be no :slight_smile:

Children (and adults) should be taught to be nice, to give credit when they use someone else’s work, to ask first if it is not already clear, but to make it clear in the first place (if they are the creator). The law should always be the last resort in a civilized, nice place.

I wrote the following (7 years ago! my god!) with regards to medical info, but the part about the three locks is what I want to point out as being relevant to this discussion. To summarize

There are three locks that can be used to keep private information private: social, technological, legal.

The social lock marks information as one that should not be reverse engineered beyond the limits permitted by the donor. This lock is the default first defense.

The technological lock makes it difficult to re-identify de-identified information. This lock kicks in after the social lock has been breached.

The legal lock provides penalties for those who breach both the first and the second locks.

See, the law should be a deterrent to bad behavior, not an incentive for good behavior. Incentive for good behavior, in a civil society, should be just niceness… just being nice, kind, generous. Law should only exist so one can lean on it when being nice fails.

My dream institution would be, by design like so: “you want to work here? We will pay you a salary to create knowledge. But once you create it, it will be available to everyone everywhere forever. You may use only one of these following licenses to publish your work.” Of course, there are many subtleties and complexities to this that I am glossing over, but for now… this sets the tone :slight_smile:

3 Likes

Privacy, like most things, is cultural. The concept of it changes not just over time but also over space. The concept of privacy in India is very different from the concept of privacy in Europe which is very different from the concept of privacy in the US (I am only talking about the areas I am quite familiar with). Here is a very short note on punkish: The Notion of Privacy that I wrote after observing my mother in a hospital in Lucknow.

And, even in a given place, the concept does and has changed (and will continue to change) over time. Technology, architecture and urban design (where and in what environments we live), cultural expectations and responsibilities, social networks and infrastructure, probably countless other things, they all shape our idea of what is private and what is not.

5 Likes

Typically privacy breaches happen due to mismanagement of data handling by multiple players more often than not unaware of each other.
E.g., exam results posted online by a local institution.
Same data posted by governing body now consolidated over many institutions. Some third party starts scraping data, sorting it over multiple metrics and selling. Such pooling at multiple levels by multiple players makes it impossible for an individual to either track or understand the risk he is exposed to.
Consequently the law is not a last resort, but a first preventive measure on allowing or prohibiting collection or dissemination of information.
Further, in the case of educational institutions the general awareness of privacy is quite nonexistent, and their ability to secure their websites and data stores quite poor. Hence they need to curtail their enthusiasm for publishing data.
Further the law should also curtail the collection of data due to the persistent nature of damage long after the breaching organisation is stopped.

4 Likes

Sadly the biggest culprits are not private players, but the government itself. Aided and abetted by every politico without exception.
Currently laws in the pipeline actually exacerbate an already bad situation. A general greenpass to the government and innumerable escape hatches for violators as long as they are sharing with government.

4 Likes

Very important points made by @jtd, thanks for pointing out the role of the govt (both in creating laws to help protect privacy and in failing to protect it on its own).

That said, I would urge all of you readers and potential contributors to this thread to think about the difference in privacy standards for individuals vs corporations and private business vs the govt. Needless to say, the differences are many in number and much in nature. In the comment from @ravi312 that motivated this thread, he specifically talks about teaching educators and children, not govts and private corporations. I fundamentally believe that life and the world would be both easier and better if private individuals started with being nice, then resorting to tools, and finally leaning on the teeth of the law (the progression of the three locks). We can apply this fundamental principle to almost all aspects of our daily life and come out a winner if the default state is being nice to each other.

That said, I hope to hear more perspectives.

3 Likes

When one is discussing issues related to privacy, some of the questions that eventually crop up are

  • If you have nothing to hide, why are you bothered?
  • What concern is privacy for poor when they do not have enough to eat?
  • I am nobody. Why would anyone be interested in my data?
  • But so many people trust their data with government/company?

3 Likes

Great! Very good and very plausible questions.

Since you’ve thought of these questions, I am assuming you have some answers as well. If someone were to pose these questions to you, what would your response be to each of them? Please share your thoughts with us.

2 Likes

Here’s the thing. While the law in many places around the world may be necessary in order to act as a barrier to unnecessary or incautious primary data collection (hence the European GDPR), this is not so in India.

The reason is that privacy protection in India is constitutional. It is an implicit fundamental right. As a result, laws are needed in order to enable any activity at all that needs data collection. Since it is a right, such laws need to be limiting in scope, defining not just the reason for data collection, but also ruling on how it is to be stored, and for how long, and how its destruction at the end of that period is to be assured.

In my opinion, we don’t have a single such law in India. The Supreme Court, since 2017, has been asked to address this issue several times, and each time has failed miserably to uphold the Constitution.

As such, the law, the third lock, is totally useless in India. This may not continue, after all, for forty years prior to 2017, court orders were framed along such Constitution-respecting lines. It may happen again. In the meantime, data in the wild, data that has been wildly collected, is up for grabs.

This needs to be kept in focus while considering the ambit of ethics discussions during all levels of learning. However, the earlier that young people learn to understand how ‘natural’ privacy works, and its importance in society, the better it may be when those young people get involved with either managing any aspect of data collection or of data usage.

2 Likes

This is quite fascinating. I learned a lot from reading this, but I also was left confused. Perhaps that was because this complex post introduces many disparate though related concepts, and also conflates a few unrelated things. I will try to tease them out below (though I may not be entirely successful – fair warning)

While the law in many places around the world may be necessary in order to act as a barrier to unnecessary or incautious primary data collection (hence the European GDPR), this is not so in India.

The reason is that privacy protection in India is constitutional. It is an implicit fundamental right. As a result, laws are needed in order to enable any activity at all that needs data collection.

The above two paras contain two different thoughts: One, a law preventing unnecessary data collection is required in many places around the world but not in India because in India privacy is protected by the constitution. (I added the emphasis.) And two, if the constitution protects privacy then a law is needed to enable data collection (in India, and I am assuming anywhere the situation is thus). There is a bonus conflation here that somehow collecting data violates privacy. Even if we qualify that data collection activity with unnecessary data, it doesn’t offer much clarity. For starters, who decides what is unnecessary and at what point in the data collection process?

Ok first, just because a constitution explicitly mentions right to privacy, that doesn’t ban data collection. Actually, neither the Indian constitution nor the US constitution (which inspired the Indian constitution) explicitly mention the right to privacy, but hint at various other aspects that lead to the conclusion that privacy is a right, perhaps even a fundamental right. See India's Supreme Court Upholds Right to Privacy as a Fundamental Right—and It's About Time | Electronic Frontier Foundation for the case in India and https://constitution.laws.com/right-to-privacy and The Right of Privacy: Is it Protected by the Constitution? for the US. Note, these are popular articles and not authoritative sources, but for the sake of this forum let’s consider them sufficient for now and move on. For the basis of how this all started in the US, reading the original article on the Right to Privacy by Sam Warren and Justice Brandeis is highly recommended.

Now, India and its constitution are not unique in their treatment of privacy, however explicit or not it may be. In fact, ~150 countries around the world have constitutions that say something or the other about privacy which can lead to a conclusion that privacy is protected. See Constitutions - Constitute for a list that includes the pertinent language from each constitution. Yet, none of them prevent data collection. (Well, to be honest, I haven’t studied every constitution for this aspect, but for sure, the US Constitution doesn’t prevent data collection at all.)

Back to GDPR for a moment – actually GDPR does not prevent data collection, nor does it define what is necessary or unnecessary. What GDPR does is that it forces the data collector to do a few specific things (such as get consent, apply certain data protection standards, etc.) based on the kind of data being collected. GDPR, as the name says, is a General Data Protection Regulation, in fact very much focuses on protection of data, not on whether it is collected or not collected or whether it is necessary or not necessary. Here is a very short treatment of GDPR and medical data that I wrote early last year punkish: “Open” health data and GDPR

Whether or not the third lock, the lock of law is useless specifically in India is not for me to say. For starters, I am far from an expert in these issues. But, the question is, if we have to teach people about privacy, what should we teach them? (Remember, the question is about privacy, not about data – peeping in a neighbor’s window is violating that person’s privacy even though no data are being collected as we understand data collection.) Perhaps teaching children and adults to be nice to each other, to understand explicitly (as much as possible), the concept of privacy in their context, and respect each other’s privacy would go much farther than teaching them whether or not a law exists. Perhaps, even more so if such a law does not exist. I mean, if we are all nice to each other then there will never be any need to invoke the law whether or not it exists, no?

As usual, thanks for a great discussion, further proving that real discussion belongs to a web forum, not Telegram chat. The latter, however, is great for throwaway messages :slight_smile:

2 Likes

Obviously, for the same reason that people wear clothes when moving around in public. No male or female human is intrinsically differently constructed than any other male or female, yet this norm is widely respected.

The failure of both the state and of private philanthropy to ensure that no person in India is forced to go to sleep at the end of the day on an empty stomach cannot be held to be an excuse. And numerous studies have shown that, indeed, the poverty stricken in terms of monetary wealth are not stricken the same way in terms of self respect.

Rather, any person who decides for a poverty-stricken person that they need not make the effort to retain self respect is not fit to participate in society, far less in policy making rules or the design of software that may be used to collect or retain such information or data.

Both aggregate and particular data on individuals contribute to the completion of a live profile that is, on the one hand, directly interesting to commercial interests, and on the other, to a state that seeks to finely control its people. For commercial interests, this highly personalised profile either leverages the ability to sell something, or to choose to economise on selling costs by not informing the ‘uninteresting’ target about such goods and services.

For a state interested in fine control, the ability to manipulate includes the ability to micromanage the flow of information to her, and to control her ability to inform others.

The Norway lemming is renowned (although this is a wonderful example of misinformation) for a mass migration where the herd might blindly follow its leader over a cliff into the sea.

The lack of ability or desire of a neighbour to take control of her life should not and cannot be a guide to a life well spent.

2 Likes

In fact, no. In most other countries, privacy has had to be legalised with a specific law, and around it, a complex of administrative fixes to try and ensure that the law is followed in letter and spirit.

In my opinion, this widespread example has fooled a lot of commentators into thinking that such an infrastructure is needed in India before privacy can be protected.

In fact, because the other countries have had to create special laws (and Warren and Brandeis describe this in fine detail, as do a huge list of other wonderful analysts), those laws and rules are constrained and often enough diminished by rapidly changing technologies. ‘Everybody knows’ (they don’t, but leaving that aside) that Facebook is intrusive, but the fact is that intrusion would not be intrinsically objectionable were it not that the data collected was being openly sold to third parties, and even the data collection methods (as in the Cambridge Analytica case) were being sold without controls of any kind.

One problem is that the legal infrastructure (including the quasi-legal construct of Privacy and Data Commissioners) is showing itself to be incapable of enforcing either the law or the Constitution.

Hence it is crucial and critical, if the human world is going to move forward with the freedom to carry on enquiring, for the first two locks to be strengthened. Only then can and will the third lock function.

Clearly, given the history of the last hundred or so years, intrusions into freedom are independent of political ideologies. All shades of the present political spectrum justify intrusion and curbs on freedom.

But, all such intrusions are eventually countered, and the ‘chimes of freedom’ brought out from the locked basement. That’s why this discussion is so important, in order to ensure that the meaning of freedom and individual choices are made a part, an essential part, of the learning curriculum for the youngest of people, who can then grow to maturity with this fundamental awareness.

1 Like

Again, tons of great stuff in the detailed response with regards to the role of law, but I continue to be confused by the above argument:

You say that the Indian Constitution protects privacy as a fundamental right and hence, no further law should be needed to protect it. And yet, the Constitutions of hundred+ other countries also protect privacy in more or less the same (non-precise) manner, and yet, they have passed laws to protect privacy. This is specifically true of the US Constitution, of which, not only do I know more compared to that of the other (though still not much) but is also a model for the Indian Constitution. You further argue that because other countries have had to pass laws to protect privacy, commentators have been fooled into thinking that India too needs such laws. I am guessing you are implying that there should not be the need for any further laws in India as the Constitutional protection is enough.

Ok, obviously it is not enough. Why? Well, for one, the Indian Constitution, much like other Constitutions, does not mention privacy explicitly. It is interpreted and established by case law. Furthermore, and here is the most important point – all these Constitutions are a product of a certain time and space. But, privacy is not a single, unified, clear concept. It is, as I have said several times, dependent upon time and space. That is not my original thought though I have observed it to be true. Privacy is contextual. You can read a fairly facile write-up at my https://punkish.org/Notion-of-Privacy but the most important and in-depth treatment is by Helen Nissenbaum (see https://www.amacad.org/publication/contextual-approach-privacy-online).

In most conversations I keep on seeing a drift toward conflating privacy with digital data. That is a very important conversation, but the subject of this thread, as initiated by @ravi312 in his OP, does not mention anything about data. While he does say that digital literacy should include themes such as privacy, that doesn’t mean he is talking about a very specific, narrow concept of privacy as it exists online. And, even online, there are numerous contexts of privacy.

Of course, you are very right in observing that the Indian bureaucratic mechanism has not done well at protecting online privacy, and yet, has ventured along with its various, pan-India digital initiatives. Surely, that is a cause for concern. But, the failure of one thing should not mean it is a failure of everything. The failure to implement privacy standards doesn’t mean privacy standards shouldn’t be implemented. The failure to pass effective laws doesn’t mean laws should not be passed. And certainly, the failure of the Constitution to mention every aspect and context of the complex notion of privacy should not mean that laws are not required to cover such various contexts.

But, we go back to my (personal) thesis, that being civil (which is a more formal way of saying “being nice”) is a pre-requisite to a civil society. And part of learning that is learning about the boundaries.

2 Likes

With due respect, this is not the case. In fact, while you are correct that the word was not used, the reason is that (and this has been extensively documented) just as you pointed out in your blog post, the word itself is too vague and situational.

Therefore, it was implicit in the provision of various freedoms, that are called fundamental rights. These are the rights that do not need defining laws, laws that breach them (for ‘the greater common good’) must be precise and defining. And very specifically limited in scope, with provisions for time bound evaporation.

So, where this has not worked, over history, is the repeated failure of the legislature to provide such sculptured laws, and the subsequent repeated failure of the courts to take the state to task for it.

The case of the USA, and many other constitutional democracies, is quite different, they needed to create laws to specify privacy itself, and these laws continually get dated by changing technologies.

It is because modern society is, and I trust will always be, technologically bound, that the issue of data arises. Without technology, there is no artefact called data. And because technology is implicit in society, so is data.

Of course data needs careful legal handling, and of course different countries have different records/histories of managing this aspect. It is no surprise that Germany is quite good at it now, from a democratic point of view as well as a human point of view, because they are the very case history of a country that trashed their democracy in favour of, and accompanied by, the use of intrusive data-handling technologies.

I guess we’ll have to wait to find out whether we are, in India, going to be the second definitive case in history of a country that trashed its democracy in favour of, and accompanied by, intrusive data-handling technologies. And lived to tell the tale, but hopefully not after getting all our cities and industrial centres obliterated.

I don’t think I’m conflating privacy with data protection laws. I think that, in India, very structurally, these are two different things. I also think that, as technologists, we actually understand this very well here in our discussion groups.

It doesn’t seem to be as well understood outside of such conclaves, and that must change.

3 Likes

Heh, this is exactly how it is in the US Constitution as well. Think of what you are saying – the Indian Constitution doesn’t mention the word “privacy” but implies it by promising other things. Hence, we don’t need laws. And yet, other constitutions do the same but those countries still have had to promulgate laws.

Anyway, neither is this thread about the constitution’s and the constitutionality of privacy and nor is it something that I am an expert on. As such, I will leave it at that and hope others will also chime in with their views on whether or not privacy, surveillance, and ethics should be taught to kids and to their educators, and if yes, then how.

Thanks though, for bringing out many important things that probably deserve their own thread, and input from someone who is an expert in constitutional law.

2 Likes

https://www.nature.com/articles/s41591-020-0928-y

With respect to the earlier discussion on the difference between a Constitutional guarantee and a legally established right, there’s this comment from the cited article: ‘In the USA, however, there is no structured or legal privacy framework in place. The only federal agency that oversees digital privacy protections is the Federal Trade Commission, which addresses mainly inconsistent privacy policies from the point of view of consumer protection’.

In India, while we actually have a Constitutional guarantee, we also have a government that is filled with elected and appointed representatives who (knowingly or otherwise) do not understand the implications, and, far more troubling, a judicial system that has turned away from reinforcing the Constitution.

In effect, nearly 40 years of successive judgements that have helped to establish a package of legal frameworks that protect personal privacy have been undone by the series of technology based interventions in identity and identity related systems that were initiated with the introduction of the UID. Before that, there were various trials (particularly in financial systems) that tested the waters, so to speak, and did not in fact raise as much of a storm, possibly because they mainly affected the (comparatively) very rich, a group that is also well empowered to protect itself from misuse of systematic overreach.

With the UID, the impact fell on the most disempowered, and this, somewhat paradoxically, led to a major pushback from civil rights groups.

Since the weakening of judicial sensitivity is almost perfectly synchronised with the spread of surveillance-friendly technologies, it is not difficult to infer that, as has often been stated, pervasive surveillance has an inexorable impact on the ability to mount effective resistance to inroads into guaranteed personal freedoms.

2 Likes