By Mitzi László [email protected]
“Personal Data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”
- General Data Protection Regulation Article 4 (1) The collective of one individual's personal data forms a digital identity (or perhaps digital alter ego is more fitting). A digital identity encompasses all of our personal data shadowing, representing and connected to our physical and ideological self.
Data points are linked in meaning. For example, the genetic profile of one person can give insight into the genetic profile of family members. Data points can lead to deductions that result in other data points. When does one digital identity start and another digital identity stop? At what point does data become public as a result of describing a crowd?
If one person records their observations on another person who owns those observations? The observer or the observed? What responsibilities do the observer and the observed have in relation to each other? Since the massive scale and systematisation of observation of people and their thoughts as a result of the Web, these questions are increasingly important to address.
The question of personal data falls into an unknown territory in between corporate ownership, intellectual property, and slavery.
Ownership involves determining rights and duties over property. While the Web is not owned by anyone, corporations have come to collect, store, and control the personal data, creating value making use of data collection, search engines and communication tools. By default, as a side effect to owning the intellectual property making up the online tools, these corporations have been collecting our digital identities as raw material for the services delivered to other companies at a profit.
Data can be replicated making it somewhat like intellectual property. Multiple individuals can hold a copy of a digital identity. The replicability of data makes the question of control complex. Ownership implies exclusivity, particularly with abstract concepts like ideas or data points. It is not enough to simply have a copy of your own data. Others should be restricted in their access to what is yours. Knowing what data others keep is a near impossible task. The simpler approach would be to cloak yourself in nonsense. To ensure that corporations or institutions do not have a copy of your data it is possible to send noise to confuse the data that they have. For example, a robot could randomly search terms that you would not be inclined to usually search for making that data obtained by the search engine useless through confusion.
Can one person legitimately control the digital identity of another person? Slavery, the ownership of a person, is outlawed in all recognised countries. The institution of marriage originates from the need to grant property rights. The sexual and reproductive identity of the woman was controlled by the father and passed to the husband. Today, our digital identities are controlled by others, a situation of which the legitimacy is being increasingly questioned.
The ability for each and every person to self-determine is a fairly novel concept. If we go from the starting point that individuals should be in control of their digital identities, use of that data by another person, company or institution, requires the explicit permission of the owner.
Much like when choosing a contraceptive method, deciding our data sharing preferences is not done in isolation, there are other factors to weigh up and we end up making a risk benefit analysis. What do effective contraception techniques teach us about best practices for effective data sharing preferences?
As with sexual consent, it is questionably ethical is permission for the data transaction to go ahead is used as a bargaining chip for an unrelated or superfluous issue of consent, for example, improve marketing recommendations while you are trying to ring your mother. While there are services where you need to share data, these transactions should not be exaggerated and should be held within context. For example, an individual needs to share data to receive adequate medical recommendations, however, that medical data does not automatically need to go to a health insurance provider. These are separate data transactions which should be dealt with as such.
How far could we push the free services in exchange for control of your data? Imagine if you went to a restaurant and the food was free on the condition that a stranger sat with you and shouted advertisement. Imagine if there was a bar with free drinks on the condition that the bartender could sell your conversations.
For consent to be meaningful the full scope and extent of the transaction needs to be explicitly detailed to the individual who has to be given apt opportunity to engage in the process of evaluating whether they would like to engage. Choosing our preferred contraceptive method is often done through prolonged education of the options and the support of professionals who we sometimes see in a face-to-face setting. If we were to make an informed and considered decision about our digital contraception, what would that look like practically? How would you categorise and weigh up the risks and the benefits of data transactions in such a way that there was adequate protection while maintaining pleasure and convenience of online life? How could you make rules of engagement that catered to a variety of perspectives? How could you inform the person what the implications of each of the options were? Perhaps in the same way that we go to a professional to seek advice and dialogue to ensure an informed decision, we would need to seek face to face advice from a data ethics professional who can walk us through the alternatives.
Timing is critical i.e. these issues should be dealt with in a calm moment with time to reflect, not in the moment you want to buy a train ticket or are experiencing a medical emergency. If we were to choose our contraception in the same way that we accept terms and conditions online there would likely be an increase in the birth rate as well as the rate of transmission of sexually transmitted diseases. Making decisions in an environment that is not pressurized and allows for careful consideration and deliberation gives room to the individual to consider the options. What would it look like if we made decisions about our data sharing options well in advance to the action?
The permission needs to be given in a format which is explicit, not implied. Just because you chose an application to chat with your partner does not mean that this app needs access to your entire list of contacts. The button which you click to give permission should not be designed in such a way that the automatic behaviour is opting in. For example, in binary choices if one button is smaller than the other, or if one button is hidden in the design and the other jumps out at you, or if one button requires multiple clicks whereas the other is a single click.
While a person could give consent on a general topic to be continuous, it should always be possible to retract that permission for future transactions. Circumstances and opinions can change. As it is possible to adapt your contraception, it should be possible to adapt your data sharing preferences. However, there are some irreversible consequences of certain routes and these should be clearly explained. Similarly, to consent for sexual activity, retraction of past consent for data transactions is not feasible. For example, it would be possible for an individual to give consent to use their personal data for any cause advancing the treatment of cardiovascular disease until further notice. Until the human changes their mind, these transactions can continue to occur seamlessly without the involvement of the human. Additionally, there needs to be protocols for when there are undesirable side effects to mitigate the damage.
Who should decide which digital contraceptive is used by who? Can data, that reveals such intimate details about our personalities and preferences until it is essentially become an extension of ourselves be considered company property? Who is the rightful controller of data? The collector of the data, who has invested resources into the collection and storage of that data? Or the person who that data describes? If a person starts to use a marketing tool when under the age of consent with the understanding that is merely an address book, is this consent valid? Summarising, personal data is an extension of self. Self-determination requires the ability to be able to control one’s digital identity. Data control requires the development of digital contraception, i.e. techniques that classify data sharing options in such a way that an individual can conveniently weigh up the risks and benefits of the transaction.