[Dave Birch] People, quite reasonably, express concern that organisations keep data about them and it is an entirely realistic fear that this data will be mined in unexpected ways in the future. I remember coming across this problem in the early days of electronic purses, when there were differing opinions as to how long transaction data should be retained. In one of the schemes, for reasons I can’t entirely recall, it was determined that 90 days was an acceptable compromise for “cash replacement” purposes. So, detailed transaction data would be retained for 90 days and during this time the police could obtain (with an appropriate court order) records for an individual card’s transactions (although since there was no signature or PIN involved, that told you nothing about who was using it). After 90 days, the individual records were deleted and only the statistical aggregates were retained. This seemed to me to be a sensible way of dealing with the problem of the data trail left by digital identities.


In the U.K., the London mass transit card Oyster has opted for a similar, reasonable, compromise. Records for individuals (or at least their Oyster cards) are kept for eight weeks, during which time the police can (and do) obtain access. After eight weeks, the individual records are anonymised and kept for transport planning and other statistical purposes. Can this privacy compromise be generalised?

If organisations are up front with people, then it can. But suppose the data is more personal than a subway journey or buying a pack of gum? Fingerprints, for example. Well, in the case of Disney theme parks which use a fingerprint admission system, they tell people clearly that the fingerprint scan templates are kept independent of any other system and are purged 30 days after the customer’s ticket expires. Again, being up front with the compromise appears to satisfy the public (although I have to say from personal experience of trying to use a similar system at another theme park that the contactless wristband of the kind used for the O2 Wireless Festival works much better). So if people accept this kind of privacy compromise for a theme park, why are they nervous about providing fingerprints to governments? Perhaps it’s because of the inevitable function creep that accompanies government use. In the U.S., the IAFIS (fingerprint system) was designed to process 62,500 fingerprint matches daily. As a result of increased demand — especially for background checks mandated by civil laws covering employees in the financial, child-care and educational fields, among others — IAFIS’ busiest day called for the system to process about 114,000 checks, many of them clearly for purposes never intended when the system was commissioned.

In the virtual world, the issues are the same. Google’s new privacy policy — written by Peter Fleischer, Google’s privacy counsel for Europe, and Nicole Wong, the company’s deputy general counsel — is that, unless Google is legally required to retain them longer, server logs will be retained but will be “anonymized” after 18 to 24 months so that they can’t be identified with individual users. I listened to a very good podcast with Peter at the Story of Digital Identity a while back. Well worth a listen. Google’s policy sounds like a reasonable compromise, but I wonder if it will just prove too tempting for law enforcement (egged on by politicians) to insist that Google turn over all search logs to them, where they will be kept indefinitely and then, subject to inevitable function creep, used for all sorts of things (e.g., who was googling for anti-government websites, that sort of thing).

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public.
