I've been thinking about the current trend in privacy regulations also. I came to the same conclusion. My bank sent me a shiny new leaflet explaining their privacy position. It wasn't even an especially desirable or equitable position, but they presumably felt the new regulations obliged them to write it. I'm thinking: "so how do the laws that caused this leaflet to be written help my privacy?"
Yes, of course they will. They are designed to give you choice over how personal information is to be used. They will help orders of magnitude more than any "anonymization" technology ever will (reasons to follow).
These laws are almost exclusively about *handling* of data, rather than questioning the fact that the data is collected in the first place. (Well there is a principle that they should have a reason for collecting it, and/or that they get consent, but they do have some reason to have pretty much all the data they collect by their standards.)
I'm not sure what world you live in, but this point about not needing to collect information in the first place is barely a realistic way to conduct business in any way that I'm familiar with. Have you ever tried going to the doctor for basically anything? It's REALLY REALLY hard for him to treat you unless you tell him what's wrong, what your medical history is, and he is able to associate this information w/ YOU. I've done a little research on some of these "anonymization" protocols (like the cocaine auction by Ross Anderson: http://www.cl.cam.ac.uk/~fms27/cocaine/), and it seems like they are interesting mathematical curiosities, but that they don't model reality very well. No cocaine dealer on earth will do business anonymously. The reason is because "risky" businesses like this require an inordinately high level of trust, which the dealer cannot get from anonymous transactions. The dealer must make ABSOLUTELY certain that the person w/ whom he is dealing is NOT a government agent, and in the case that he gets shafted by a customer, he needs to know enough personal information about that customer to come after him guns blazing, killing him and preferably taking out most of his immediate family too. Granted, the cocaine dealer has an interest in erasing any financial records of said transaction (i.e., dealing in cash and money laundering), but now we're talking about cash (or something like it; in general cash can be traced if it "wants" to be), not about anonymity or about "concealing" personal information in the course of a business transaction.
So here's the problem: these laws will if anything make it less visible what information companies and governments have on you because they will restrict uses. How the data is handled and used isn't the problem, the problem is that the information is collected, and available to law enforcement, national intelligence and your average dick (private detective).
The purpose of the laws is to make MORE visible the information that businesses and government have on you. None of these laws call for "restricting" the use of information, unless of course you the consumer are requesting the restriction, in which case the laws mandate that said organization must comply with the restriction. Like I said before, the information MUST be collected in order to perform most normal business transactions (especially in health and finance). The way the information is handled and used has TREMENDOUS implications for privacy. I'm not sure why you think that the "way" the information is handled has "nothing" to do w/ privacy.. uhh.. to most people working in the privacy field, this has EVERYTHING to do w/ privacy..
Privacy to me means being able to keep my affairs private from governments if I choose. The UK principle allowing you to use any name you want (so long as it is not for committing fraud or a crime) is a good one. (I'm hoping that using an alias does not affect the legal system's evaluation of the severity of the crime -- and that there are no "use of an alias in the commission of a crime" type things in effect though I don't know the details).
That is an interesting definition of privacy, but it is really a subset of the more general definition that is more widely used in the industry, which is namely the ability to control secondary uses of personal information. Your example about the UK allowing you to use multiple names seems to me to be a classic case of what one would call "security through obscurity." Most professionals would consider this to be EXTREMELY weak security (or, in your case, privacy).. I'm not sure why you think this makes you more secure or private than a legal/economic/technical regime that allows you property rights over personal information..
So the solution appears to be technological countermeasures, and repealing laws. Neither of which appear even remotely likely within the political system. The political system has a systemic desire to create more laws. Every new law introduces more problems. The people writing the laws don't know the technology, they are control freaks, and pander to media and take bribes and broker favors with special interest groups. So at this point I firmly believe in "write code not laws", and think that "cypherpunks write code" is important.
I'm not certain what you mean by "technological countermeasures". If you mean "anonymization" technology, or "zero-knowledge proofs", you can talk till you're blue in the face and it still won't happen, although that has nothing to do w/ the current political system. It has to do w/ the fact that businessmen won't conduct business w/ people they can't trust (i.e., people who are anonymous) and even IF they could, the economic reality is that NOTHING in the infrastructure (of banks, hospitals, retail, etc) is even remotely prepared for this, so why bother talking about it? Better to guarantee privacy through systems that engender communication of adequate amounts of personal information for the transaction at hand (whether financial, medical or retail), but that ensure trusted handling of the info on the transaction is complete..

Paul Sholtz
PrivacyRight, Inc. - www.privacyright.com
Chief Technology Officer
participants (2)
- Jim Choate
- Paul Sholtz