Technical area exam: Bradley Rhodes

Question 2

Question: Will technology force us to choose between privacy and freedom? Are privacy laws and encryption the best way to keep our freedom, or would we be better off in a society where everyone could look over each other's shoulders? With the proliferation of wearable and drone cameras and recording devices and the dissemination of on-line databases, there are potentially serious threats to privacy. Conventional wisdom suggests that legislation and technology (e.g., encryption) will be necessary and sufficient to ensure privacy. David Brin, in his book, A Transparent Society, suggests that these attempts are for the most part futile. He argues that freedom of speech and freedom of information are more fundamental principles than privacy and that the logical recourse is to open the floodgates. What is your take on privacy? Is there any merit in Brin's arguments? What role, if any, do technologies like the RA have in this debate?
This part of my generals exam was sponsored by the letters R, A, and the number 22. In honor of the RA and all the suggestions it gave while writing this, I'll add hyperlinks to the original sources I used while writing. This one's going to be something of a rant, mainly because I've always thought Brin was full of hooey anyway.

I see no reason to choose between privacy and freedom, and in fact there is a strong argument that we must choose privacy AND freedom both, or neither. At its core privacy is an equalizer of all individuals; it brings strong and weak onto equal footing. As a real-life example, my mom is a head-hunter and regularly talks to people who are looking for new jobs while still working at their old job. The bosses are in a position of power, but that only matters if they can find out who is talking to whom. Thirty years ago if a company wanted to stop employees from talking to head-hunters they would have to tap everyone's phone and hire hundreds of private investigators. Today it is much easier -- employers now have to buy personal phone records of their employees on the grey market and match those numbers to known head-hunters. Still, this is expensive and time consuming, and the cost of getting caught is fairly severe. If privacy guarantees were to go, this protection of the employee would go, and power would revert to the person with the power to hire and fire.

As another example, it came out in the Wall Street Journal a few years ago that Federal Express was getting several hundred subpoenas per day for their shipping records [RA]. Among other things, tobacco companies were serving subpoenas to researchers to try to find out who was leaking data to reporters. These researchers and whistle-blowers are protected by their anonymity. Take that away and they are no match for a large company.

Certainly we would like certain groups to have less privacy, just as we would like to see certain groups have less freedom. It would be nice if terrorists could not hide their movements through encrypted phone lines. For that matter, it would be nice if we could curb the right of these terrorists to buy fertilizer. By our desire to live in a free society we have affirmed that we are willing to accept the consequences of giving some people too much freedom so that we might all have enough.


Moving on to the issue of technology and privacy, the biggest issue is that data can now be stored, indexed, and easily retrieved based on all sorts of criteria. A few decades ago one could find out all kinds of information on a specific person with a little money and time. What is at issue now is that people can search not for a specific person, but for a whole demographic. For example, companies that sell equipment for new mothers buy lists of names of women who go for pre-natal gynecological exams, and then send junk mail to their houses. This could be a problem if the mail is sent to a work address where co-workers weren't aware of the person's pregnancy (especially if she was being considered for promotions or new projects in the near future). Even worse is the case of a young unwed mother living with a less-than-supportive family.

As another example of the problems of datamining, suppose that I were an unscrupulous blackmailer (or, for that matter, a reporter). In the old days I would follow a politician around, trying to catch him at some scandal. But now I could access the automatic highway surveillance system [RA] and automatically pick out politicians who were married and yet regularly drove to areas not near their house after work after calling home. The best part is, this semi-suspicious data would be enough to try someone in the public eye even if they had done nothing wrong. Indeed, a few years ago a French mayor was a witness in a trial where he claimed he met with the defendant. The press reported that the highway toll information had no listing of his presence, and insinuated that he was lying, merely for the lack of automatically collected information [RA].

Note that encryption hasn't come in here much at all, and won't in the rest of this essay/rant either. This is mainly because it's not a solution to most of the problems I'm presenting. Crypto is useful to stop unscrupulous people from snooping, but for the most part it's the law-abiding citizens I'm much more worried about. Yes, highway systems should be developed with anonymous transactions rather than arbitrarily collecting data, and yes the internet should have crypto built in from the ground up. But that's really a minor point -- the important questions (and the harder questions) aren't about whether the kid next door is spying on you. It's about who can access the information, who can collect it, and what they can do with it, and that requires legislation. The issue will come up again after I deal with Brin.


As I see it, David Brin's position can be boiled down to a few main points:

First point first. Brin is big on the idea of "mutual transparency" where lack of privacy is OK as long as it is equal in all directions. Here's a nice quote summing up his position [RA]:

     [Maintainers of genetic information databases] should not be allowed to
     sell just to their private clients. If a person is listed in the database,
     that person should have access to the database. That's light, that's using
     light as the weapon. If insurance companies are discriminating against
     people because of their genetic proclivities, don't pass a law preventing
     doctors from knowing information about their clients. Instead, pass a law
     saying that the top 100 officers of an insurance company, if they want to
     use genetic information, must take all the same tests and publish the
     results. They're not going to be as discriminatory if everyone in their
     family has all their genetic laundry out on the line. And you would only
     trust such people.

The supposition underlying his argument is that as long as the powerful and the weak have equal ability to shine light in each other's dark corners, they will both automatically be on equal footing. This is much like giving a marksman and a cripple the same brand of revolver and calling it a fair fight. In his own example above, why should the top 100 officers of an insurance company care if their genetic information is public? They already have high paying jobs and powerful positions, so they know the information won't be used to deny them an entry level position because they're in a "high risk" category. Privacy protects the weak and the strong equally, but strip it away and the strong still need no protection.

He also argues that insurance companies won't be discriminatory if they know their family's genetic data is public. Nonsense. An equivalent argument would be that if insurance officers had bad drivers in their family they would be less discriminatory against people with bad driving records instead of using the actuarial tables. However, this is not the case. One family member paying higher insurance is no reason to make bad business decisions, especially if the competition is doing it. The stockholders would never allow it.

I think at the heart of Brin's argument is that he believes an organization is nothing more than the sum of its members. At his last colloquium at the lab he talked about the solution to the "busy-body" problem where in Stalinist Russia the old neighborhood busy-body worked for the KGB. He described how during a brief uprising all the busy-bodies found their cats nailed to their doors, and how after that the KGB couldn't get information from their busy-bodies anymore [RA]. Occasional anecdotes to the contrary notwithstanding, to think that one can strike personally at members of a powerful organization (without a powerful organization of your own) and get results seems extremely naive. People make decisions for their organizations, but they make those decisions for very different reasons than do individuals, and move in very different ways. Furthermore, powerful organizations have much more ability to protect their members than do individuals, in the form of legal advice, insurance, and networking.

Brin's second argument has more weight to it. He has a great respect for science and believes that critical peer review with all the cards on the table is the best way to improve a technology, an idea, oneself, and society. However, even in academia there is a strong tradition of giving researchers large amounts of control over dissemination of their work. A researcher is encouraged not to reveal too much about early work, then to publish at workshops or other "uncitable" meetings in order to get feedback. Only then are ideas subjected to the high level of scrutiny of conferences or journals. This control is for two reasons. First, it makes it harder for other researchers to scoop one's ideas by keeping more lead time. Equally important is the idea that work you choose to show to the outside world is of high quality, both to save your own face and so you can defend the result. Every few years it seems that a scientist publishes a little prematurely, causing a backlash when they don't yet have the answers to the questions people are asking. Sometimes this backlash is good and saves us from unsafe cryptographic algorithms or from investing money in cold fusion. But other times good ideas are released too early and the backlash destroys the possibility of bringing the work to completion. This is seen in business all the time, where marketing pressures force a company to release a product too quickly, thus hurting the reputation of an otherwise good technology because it wasn't quite ready. In politics, people opposed to a bill will leak details before the bugs are worked out so they can attack a weaker opponent. In all these examples light is eventually an important part of the process, but not indiscriminate light, and not light at any time by anyone.


Moving away from Brin, I think the whole privacy debate is miscast. The debate should not be about keeping data and communications away from everyone. It's about who has the control to decide what community and context gets to see that information. For example, my mom's clients don't care at all who finds out they are speaking to her, so long as their boss doesn't find out.

A good example is the recent flap over Microsoft serving subpoenas for the archives from a personal employee mailing list. This mailing list was created as a way for employees to vent about their management, and it was assumed from the start that management would not see the emails. The people posting didn't mind that others on the list saw the messages -- the important point was that people outside the community not see them. The lesson learned here is that you can trust the keeper of private data completely and it can still get out through legal means. If you don't want information to get out, don't write it down and don't keep it around. This is why the MIT mail system deletes mail transmission records after three days and goes to great lengths to ensure that they don't get onto archival backups.

Of course, sometimes a community's privacy can be subverted from the inside. Take this example from Risks digest [RA]:

     By some odd coincidence, the recent privacy thread in Risks comes along right
     on the heels of an ugly incident at the company I work for.  We have a very
     large internal network along with a system of newsgroups on a wide variety of
     topics.  One of these is called "grumps" which is designed essentially for the
     venting of curmudgeonly humor.  It is generally considered to be the electronic
     equivalent of the occasional water-cooler gripe session.  Although humorous in
     intent, sometimes issues important to the running of the company surface there.
     I posted a satirical message last month, taking the company to task for some
     bit of silly official pomposity, and thought nothing more of it.

     Imagine my surprise when two weeks later, my manager's boss called me into his
     office, with a copy of that message on his desk.  He informed me that I should
     think carefully about sending out this sort of thing and that it reflected
     poorly on me and could jeopardize my professional advancement.  Upon
     investigation, I discovered that our personnel department has very quietly
     taken on the job of surreptitiously monitoring traffic on certain internal
     "recreational" distribution lists.  When something "offensive" is detected, it
     gets back, via the personnel system, to the offender's management.

     I had a long talk with our VP of personnel who explained that they weren't
     "spying", they were just trying to keep "offensive" mail off the net.  Of
     course, *they* decide what is offensive or not.  There is a risk here, one
     which I don't recall having seen mentioned here before, and it is that
     personnel/management people operate under a very different set of values than
     the people in the technical community with whom I normally share such postings.
     For example, this VP pointed with pride to the fact that she doesn't have a
     computer in her office.  The manager I talked to insisted that posting to a dl
     is a public act, whereas I view it as private in the same way as a conversation
     around the lunch table in a group of friends.  These people have now set
     themselves up as social arbiters of a system which they themselves never use.

     After thinking about this incident, I implemented an anonymous mail forwarding
     system, which would allow people to express their opinions openly without fear
     of retribution on unspecified charges.  Not surprisingly, word of this got
     around too.  This system proved to be intolerable to Personnel.  They could not
     stand the idea that anyone could say what they liked and couldn't be traced,
     despite the fact that the company itself operates a "Comment" system, which is
     designed to allow people to send anonymous comments to management.  I was
     politely asked to stop my forwarding service.  After thinking it over, I
     agreed, and I now regret that decision.  The net result has been greatly
     decreased traffic on the grumps dl, and a major loss of faith on my part in the
     goodwill of the management of our company toward the people who work here.

Here a community found itself being attacked by supposed insiders. In this case the issue of privacy is extremely tricky, since one has to define what is meant by a community, and who gets to say. Can I forward a message on to a friend? Can I give a friend my RA database to use? These issues will be addressed in a moment.

As a final case, even supposedly "public" documents can have privacy problems. A friend of mine, a grad student here at MIT, recently got a call from the MIT campus police. The CP was apologetic though official sounding, and said he had gotten a call from someone in the Massachusetts Maritime police. The maritime cop had seen the webpage for my friend's undergraduate fraternity, which included a picture of my friend with a large water-balloon funnelator (slingshot). He was told that slingshots were illegal in this state, and that the police just wanted to make sure the contraption "had been destroyed" [RA]. Here is a case where a statement is made publicly with the expectation of one kind of audience (people interested in his old fraternity) but seen by someone with different moral and cultural mores. This is similar to a case during the last election, where Clinton was being interviewed on MTV. He was asked if next time he would inhale, and Clinton responded "hell yeah I'd inhale." This is an appropriate remark for the audience in question, but the Republican Party took the quote and used it in their mainstream advertisements, making Clinton look bad.

All these issues raise serious questions for technologies like remembrance agents. Until recently I limited the databases being used to two kinds of information: personal information for a single-user system, and information meant for the general public (e.g. AP news articles, Netnews FAQs, and the INSPEC database) for generic systems. However, recently I've started using databases that fall somewhere in between. For example, I am now hosting a generic database drawn from all the email archives stored at the media lab since 1986. In theory these archives are "public" to media lab members, and my generic system is only available to lab computers. Furthermore, anyone in the lab can view the full archives of these lists if they wish. However, when people not subscribed to a list (i.e. not in the community) get a suggestion from that community, chances are they are missing important context surrounding that message. That context may be cultural, such as "dirty jokes are OK on big-phun" and "flaming is required on unix-haters." It can also be content-based, such as "this argument has produced a huge flame-fest, which is why the message is so terse." It can also be a combination of the two, such as "the audience for this message was assumed to be well versed in the field, so the author didn't feel it was necessary to add all the usual provisos or references that she would for a general audience."
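One way to make the community-and-context rule above concrete, as an added illustration rather than code from the actual RA: each archived message carries the list it came from, and a policy decides whether a non-member of that list may see it at all and, if so, what cultural or content context travels with the suggestion. The list names, members and norms below are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Community:
    name: str
    members: frozenset   # usernames subscribed to the list
    open_to_lab: bool    # is the archive readable by any lab member?
    norms: str           # cultural context a non-member would miss

@dataclass(frozen=True)
class ArchivedMessage:
    list_name: str
    subject: str
    thread_length: int   # content context: long flame-fests breed terse replies

# Constructed sample communities (hypothetical members and norms, not the real lists).
COMMUNITIES = {
    "big-phun": Community("big-phun", frozenset({"alice", "bob"}), True,
                          "dirty jokes are OK here"),
    "unix-haters": Community("unix-haters", frozenset({"bob"}), True,
                             "flaming is required"),
    "grumps": Community("grumps", frozenset({"carol"}), False,
                        "internal venting, list members only"),
}

def suggestion_policy(msg, user, communities=COMMUNITIES):
    """Return (visible, context_note) for showing msg to user.

    Members see a message as its original audience did, with no note.
    Non-members see only archives the community left open to the lab, and
    always with the community's norms attached; a message from a very long
    thread also gets a note so terseness is not misread. Unknown lists are
    treated as closed, so a misfiled archive defaults to hidden.
    """
    community = communities.get(msg.list_name)
    if community is None:
        return False, "unknown list"
    if user in community.members:
        return True, ""
    if not community.open_to_lab:
        return False, "members only"
    notes = ["from %s: %s" % (community.name, community.norms)]
    if msg.thread_length >= 20:
        notes.append("from a %d-message thread; may be terse" % msg.thread_length)
    return True, "; ".join(notes)

def filter_hits(hits, user):
    """Apply the policy to a ranked list of RA hits, keeping the ranking order."""
    shown = []
    for msg in hits:
        visible, note = suggestion_policy(msg, user)
        if visible:
            shown.append((msg, note))
    return shown
```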

These privacy concerns are problems not just for the people who wrote the message, but for the people receiving them. While certainly there is some voyeurism in all of us, for most people there is a limit to what they want to know about others. Just looking at the distaste for the current Monica Lewinsky scandal brings this to the forefront -- people not only don't care about Clinton's sexual details, they don't want to know.