Information Privacy and The Internet
Apr. 2nd, 2021 04:42 pm![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
pheloniusfriarI am digging through boxes upon boxes upon boxes looking for where I put my stupid birth certificate (which I need for some paperwork). I had taken it out of my wallet in 2019 because I was traveling overseas and figured that carrying my passport and birth certificate was probably a security risk (doing so domestically was as well, probably more so), and I put it somewhere safe. It's in the house, but it might as well be on Ceres. As I dig through boxes, I am uncovering some essays that I wrote but never posted.
The first one was written for a 4th year class in the "Technology, Society, Environment Studies" (TSES) department, an odd little department at Carleton University. The class was called "Information Technology and Society", which is a pretty cool and important topic (which is why I took it as an elective). It uses a case study of a Supreme Court of Canada decision as the foundation to ask questions about whether we have a reasonable expectation of privacy on the Internet, and manages to tie that to the notions of entropy, memetics, and the evolution of blue-green algae... go figure. The defendant, Spencer, had been arrested and charged with distributing child pornography. The Supreme Court decided that the police did violate his rights, but the crime had been committed and was sufficiently egregious that his appeal was dismissed (and he went to prison). It does bring up many questions about privacy as secrecy, as control, and as anonymity (the latter of which is least understood). I seem to remember I got a good mark on this essay.
Information Privacy and The Internet
On June 13, 2014 the Supreme Court of Canada, in the case of R. vs. Spencer, found that the constitutional rights of Matthew David Spencer had been violated when the police requested “pursuant to s. 7(3)(c.1)(ii) of the Personal Information Protection and Electronic Documents Act (PIPEDA)”1, and subsequently received “without prior judicial authorization”1, identifying information from his Internet Service Provider (ISP) based on his Internet Protocol (IP) address and the time window of his criminal usage of the Internet. Spencer was tried and convicted with evidence collected from his residence – with a proper warrant secured to actually enter and search the house, and seize his computer equipment – based on the police’s observations of his online activities and the identifying information received from the ISP that led them there. However, Spencer appealed the conviction stating that the technique used to locate him was a violation of his Section 8 Charter rights, which states that “everyone has the right to be secure against unreasonable search or seizure”2. The case ultimately went to the Supreme Court of Canada which ruled that, yes, his rights had been unwittingly violated by the police, but that due to the nature of his crimes, “the exclusion of the evidence rather than its admission would bring the administration of justice into disrepute”1, and his appeal was denied. While the search was ultimately deemed to have been illegal, the police “were acting by what they reasonably thought were lawful means to pursue an important law enforcement purpose”1 (in other words, they didn’t understand how PIPEDA worked), and Spencer would do his time.
But the case took on a more important and far-reaching significance when the court went beyond the specific questions of admissibility of evidence, and took a broad look at information privacy and expectations of anonymity on the Internet. In particular, the court stated “the police request to link a given IP address to subscriber information was in effect a request to link a specific person to specific online activities [which] engages the anonymity aspect of the informational privacy interest by attempting to link the suspect with anonymously undertaken online activities”1. Since the police and the lower courts were apparently operating on an incorrect interpretation of PIPEDA and how the constitution applied to information privacy vis-a-vis the Internet, and in light of the tremendous amount of publicity and concern over privacy as it relates to the Internet at this time, the Supreme Court of Canada felt it necessary to examine the relationship between ownership and control of one’s personal information as it related to one’s activity on the Internet, and what were reasonable expectations of anonymity and privacy on what is essentially a public conveyance of information. This question is being asked in many different ways lately in light of the revelations widely circulated as part of the Snowden data leak – people are starting to question the impact of seemingly ubiquitous and aggressive government and corporate data collection on the security and privacy of customer’s data “in the cloud”, especially (but not limited to) data stored outside the borders of a country3 or that travels across international boundaries4.
Politics and this specific case aside, is data privacy a reasonable expectation on any sufficiently complex and open network? Gleick suggests that memetics forces us to reinterpret information as it exists on the Internet today as the first primordial stirrings of a new, perhaps, lifeform based on the meme as its replicator5 (versus the gene which has been the dominant replicator on Earth to this point). Floridi, using information-ethical arguments, goes so far as to state that allowing a piece of information to be destroyed or distorted, no matter how seemingly unimportant, is to commit an act of evil6. Should we therefore accept our status as the “ooze” from which this new emergent lifeform will arise, and abolish information ownership and control to enhance its “growth conditions”? Or do we move in the other direction to prevent this potential competition for resources, and ensure that we remain in control of all the data we generate (each of us becoming individual islands of controlled access)? If the medium is the message, then the medium of the Internet was designed and evolved to maximize the chances of the former; however, there is theoretically nothing to prevent us from altering the medium to implement the latter. Except... the power of social media platforms to employ us to propagate memes (social media is, of course, a meme in itself) is likely irresistible. Tumblr, Facebook, Twitter, even going back to Livejournal and IRC (Internet Relay Chat), are all still second generation communications platforms – the first generation, from my personal experience, were dialup BBS (Bulletin Board System) and UUCP (Unix-to-Unix Copy Program) based point-to-point and “store and forward” systems. The social media revolution did not happen because someone wrote those programs to become what they have become, it is because those are the platforms that survived due to their suitability for the propagation of memes (the weaker attempts did not survive or have been heavily marginalized). What are the implications for information privacy when the successors to the current social media meme are fully evolved and are even more compelling and seamless (blurring the boundaries between online and offline) than the current generation of platforms that already make privacy and control the antithesis of participation in the culture they generate?
I would suggest, continuing to look at the issue from a memetic perspective, that the notion of privacy and control over one’s personal data – a notion with deep historic roots – is itself a meme that is in the process of flourishing, creating competition in the “meme pool”, and fighting for its own share of the resources. Cases like R. vs. Spencer, and the outcry by corporations to prevent ubiquitous and intrusive data collection by governments (while ironically doing the same thing themselves to maximize their share of global resources), are the first significant stirrings of this backlash in the information ecosystem we currently find ourselves in. Like all ecosystems, specialized roles and structures will evolve as systems over time to allow dynamic equilibria to form within it, and the resultant will be some ongoing compromise between the extremes of existence and possibility. However, these are the early days of experimentation in this new infosphere6 we have constructed the basis for (the first small “pond”), and it will take thousands or millions of info-generations to reach its next plateau of stability – we are witnessing the first real struggles just beginning.
Knowing that information privacy deprives memes of their propagation medium, and that like the selfish gene, if it is possible at all, the selfish meme will find a way to reproduce itself, it seems reasonable to presume that rapid evolution will occur in the meme pool to make it advantageous to humans to become efficient propagators. The question is do we accept it, or do we resist? As Gleick quotes Dennett, “I don’t know about you, but I am not initially attracted by the idea of my brain as a sort of dung heap in which the larvae of other people’s ideas renew themselves, before sending out copies of themselves in an informational diaspora [...] Who’s in charge, according to this vision – we or our memes?”5 (p. 317). I contend that the question is nonsensical and builds a false binary representation of the situation when it could be considered more of a dynamic symbiosis between humans and memetic content. Or, conversely, it could be viewed as parasitic relationship – in which case, which is the parasite and which is the host? See, for instance, the debate about the role of blue-green algae in the formation of Earth as we know it today7. In either case, there is and will continue to be an uneasy pull between the indiscriminate flow of memetic information as a meme in itself, and the memetic notion of information privacy.
To understand the tension, I will go back to the Supreme Court of Canada ruling in R. vs. Spencer and summarize some of the relevant details and context. A police constable in the Saskatoon Police Service was using the peer-to-peer file sharing software LimeWire8 to search for people sharing child pornography. They compiled a list of IP addresses of computers and LimeWire GUIDs9 (Global Unique IDentifiers) that appeared to be doing so, and determined that one of the IP addresses in question, based on its value, was likely in Saskatoon and maintained by the company Shaw Communications:
Very simply put, the Supreme Court of Canada states, “it would be reasonable for an Internet user to expect that a simple request by police would not trigger an obligation to disclose personal information or defeat PIPEDA’s general prohibition on the disclosure of personal information without consent. [...] Therefore, the request by the police that the ISP voluntarily disclose such information amounts to a search”1. The case summary further clarifies that the legislation cited by the police (the Criminal Code section 487.014(1) and PIPEDA section 7(3)(c.1)(ii) – although the Supreme Court judge indicates that their analysis applies to PIPEDA in toto) does not create “any police search and seizure powers”1. In the former, the Criminal Code simply reaffirms that police are allowed to ask for the voluntary disclosure of information; and in the latter, it is simply supposed to “increase the protection of personal information”1. To be clear, the relevant sections of legislation being quoted in the ruling of R. vs. Spencer are the PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT, S.C. 2000, C. 5:
Cromwell, the Supreme Court justice who wrote the ruling, realized that there was a lack of understanding and appreciation of what these rights were when considering our collective presences as we participate in communications and data sharing over the Internet, and thus set out to clarify what those rights actually entailed and how they intersected with Internet use. Because the considerations and arguments were complex and subtle, he grouped the “factors that may be considered in assessing the reasonable expectation of privacy” into “four main headings for analytical convenience”: “[18] ... (1) the subject matter of the alleged search; (2) the claimant’s interest in the subject matter; (3) the claimant’s subjective expectation of privacy in the subject matter; and (4) whether this subjective expectation of privacy was objectively reasonable, having regard to the totality of the circumstances”1. He goes on to make what I consider to be some very bold statements about the subject matter and the consequences of posing these questions: “[18] ... However, this is not a purely factual inquiry. The reasonable expectation of privacy standard is normative rather than simply descriptive [...] Thus, while the analysis is sensitive to the factual context, it is inevitably laden with value judgements which are made from the independent perspective of the reasonable and informed person who is concerned about the long-term consequences of government action for the protection of privacy”1 (emphasis added). Here, we can catch a glimpse of the memetic notion of privacy rights in a global digital age at work: the expectation of privacy is a normative component of our modern society (at least modern Canadian society).
With respect to the “subject matter” in question, in a previous decision dealing with information privacy, the Court “[27] ... stressed the strong claim to privacy in relation to information that is at the ‘biographical core of personal information which individuals in a free and democratic society would wish to maintain and control from dissemination to the state’ [and] s. 8 protection is accorded not only to the information which is itself of that nature, but also to ‘information which tends to reveal intimate details of the lifestyle and personal choices of the individual’”1 – in short information that can even potentially lead to deanonymization and even metadata about a person’s activities. Referring to yet another Supreme Court case, “[31] ... when identifying the subject matter of an alleged search, the court must not do so ‘narrowly in terms of the physical acts involved or the physical space invaded, but rather by reference to the nature of the privacy interests potentially compromised by the state action’”1. Here again, privacy rights are re-affirmed and the powers of the state are limited. Finally, with respect to this specific case, Cromwell states “[32] ... The subject matter of the search was not simply a name and address of someone in a contractual relationship with Shaw. Rather, it was the identity of an Internet subscriber which corresponded to particular Internet usage”1. While this decision deals with a specific case, it’s implications are broad and far-reaching in its clear protection of privacy rights on the Internet. It is not a stretch to consider this ruling as a foundation by which individuals and groups could take governments and corporations to task for failing to comprehend (or being willfully blind to) the broader implications of their data collection and use, of byzantine attempts to obfuscate privacy obligations or account settings to confound unsophisticated or casual users, and ultimately could be used to challenge an unengaged approach to ensuring that users/customers are educated about their rights (again, either through deliberate choice or wilful blindness while benefiting from that data). It certainly has more immediate implications for the Conservative government’s proposed “cyberbullying” Bill C-13 – as constructed, it is clear that key provisions of the bill are unconstitutional, specifically with respect to the warrantless search and seizure of data and identifying information10.
The principles at work in the contemplations of the court are captured in an elegant and practical form in Schnarch’s paper on Ownership, Control, Access, and Possession (OCAP)11. While OCAP was specifically targeted at Aboriginal control of research being conducted on them, the paper drew on existing principles, and the basic tenets it documents can be applied in a more general sense to any information pertaining to individuals or collectives of individuals. These four principles can and seem to be applicable even to the domain of corporations as shown in the backlash by corporations against indiscriminate government surveillance of their communications and data, and the communications and data of their clients. The notions of ownership and control have an implicit but strong requirement that the privacy of information and action (including meta information about said data) – the control of it – is at the discretion of those that have, as the court stated, “an interest in the subject” (see above). Similarly, the access component, which allows those that have title or right over the data to decide who has the ability to use that data, if at all, and for what purpose is another way of looking at the anonymity component being considered by the courts. Here again, there is an implicit but strong implication that should someone or a group wish that the data to which they have “an interest” can be kept secret or, should it be released, can be done so in an anonymous manner unless otherwise explicitly specified.
These principles mirror the Supreme Court’s interpretation of the Canadian constitution’s protection of rights and freedoms. In particular, in R. vs. Spencer, Cromwell states, “[38] ... it seems to me that privacy in relation to information includes at least three conceptually distinct although overlapping understandings of what privacy is. These are privacy as secrecy, privacy as control and privacy as anonymity”1. The first two are generally well understood, even in the context of networked technologies; however, “[41] There is also a third conception of informational privacy that is particularly important in the context of Internet usage. This is the understanding of privacy as anonymity. In my view, the concept of privacy potentially protected by s. 8 must include this understanding of privacy”1. He goes further by way of clarification, “[46] ... the Internet has exponentially increased both the quality and quantity of information that is stored about Internet users. Browsing logs, for example, may provide detailed information about users’ interests. Search engines may gather records of users’ search terms. Advertisers may track their users across networks of websites, gathering an overview of their interests and concerns”1. Observing that “[46] ... the user cannot fully control or even necessarily be aware of who may observe a pattern of online activity, but by remaining anonymous — by guarding the link between the information and the identity of the person to whom it relates — the user can in large measure be assured that the activity remains private”1, Cromwell makes clear the need for the law and society to “[44] recognize anonymity as one conception of privacy”1. Here again, there seems to be some intent to put those outside the law enforcement community on notice that privacy laws are being refined and that the courts are not ignorant of the methods by which a reasonable expectation of privacy is currently being compromised.
The last component of OCAP, that of possession, is a thornier issue that I believe is in a state of transition as new network-centric technologies emerge – here, corporations are in some ways leading the discussion on this issue, for example Microsoft, Verizon Communications, AT&T, Apple, and Cisco Systems have launched suit against the US government around that government’s assertion that it has the unimpeded right to “seize computer data stored outside the country”3. They state that “over the course of the past year, [they] have faced growing mistrust and concern about their ability to protect the privacy of personal information located outside the United States [... which] will ultimately erode the leadership of U.S. technology companies in the global market”3. In fact, they claim, “compliance with U.S. search warrants may cause companies to violate data-protection laws in countries where the targeted data is stored [... and, therefore ...] the U.S. technology sector’s business model of providing ‘cloud’ Internet-based services to enterprises, governments, and educational institutions worldwide will be substantially undermined”3. When data is distributed on a pay-for-play global “cloud” of storage facilities, the notion of possession of one’s data becomes a more complex issue. Indeed the only way to maintain possession of one’s data is to eschew social media entirely, thus isolating one’s self from the bulk of modern Western society. While an examination of OCAP as it relates to platforms such as Facebook and Google is beyond the scope of this paper, actions like the European Union’s order to Google to respect requests to remove search results about individuals that wish to maintain their privacy12 indicate that there is an unresolved tension in place here.
“The meme is not the dancer, but the dance [...] For most of our biological history they existed fleetingly; their main mode of transmission was word of mouth. More recently they have managed to adhere in solid substances: clay tablets, cave walls, paper sheets. They achieve longevity through our pens and printing presses, magnetic tapes and optical disks. They spread via broadcast towers and digital networks. In Dawkins’ meme-centred perspective, memes copy themselves by any means available”5 (p. 314). Memes must therefore have phenotypic effects: the meme for making fire, the meme for wearing clothes, etc. all have had powerful effects and they thus influence the conditions affecting their own chance of survival as they broadcast themselves – the memes for unfettered information propagation and compartmentalization and control through information privacy rights being no less impactful in our modern society. Gleick quoted Dawkins as stating, “I believe that, given the right conditions, replicators automatically band together to create systems, or machines, that carry them around and work to favour their continued replication”5, and then Humphrey informing us that these entities should be considered “living structures, not just metaphorically but technically: when you plant a fertile meme in my mind, you literally parasitize my brain, turning it into a vehicle for the meme’s propagation”5 (p. 315). Again, we have the question of symbiosis versus parasitism appearing when we ask these questions. Which of the two it turns out to be will, in large part, be determined by whether we guide the development of the greater Internet or allow it to happen to us.
On one hand, we have the rise of formalized privacy rights as illustrated in the analysis presented in the case of R. vs. Spencer1, legislation being enacted in the European Union allowing people to challenge the persistence of information relating to them on the Internet12 and efforts like the OCAP framework11, and companies challenging ubiquitous government intrusion into the information privacy of their clients and corporate data3. On the other hand, we have the notion of the meme as replicator and people like Floridi suggesting there is an info-morality that we need to consider when making our decisions. He suggests that “any information entity has a right to persist in its own status, and a right to flourish [...] as a consequence of such ‘rights’, information ethics evaluates the duty of any moral agent in terms of contribution to the growth of the infosphere and any process, action, or event that negatively affects the whole infosphere – not just an informational entity – as an increase in its level of entropy and hence an instance of evil”6 (p. 112/113). Obviously, OCAP is effectively an “evil” in the eyes of Floridi, so there is certainly not a consensus on how to address these competing visions.
The uneasy memetic to and fro between information seemingly “wanting” freedom, and the powerful drive to maintain control over it does not have a hegemonic solution, but rather will reach various states of dynamic equilibria over time. If one considers the memetic notion of info-freedom as a state, then this can be thought of as a “gaseous” phase of information; similarly, the meme of info-privacy can be conceptualized as information being in a “liquid” phase. In the former, information will expand to fill all the possible states available for it to be in and if new ideas (memes, information, data) is introduced into the system, it will over time diffuse through the entire infosphere. In the latter, information is still fluid, but it can be contained, controlled, measured, and distributed by those who manage its container. I humbly propose that what I have described comes complete with a fully-formed set of mathematical tools that could be used in the analysis of the flow of information from the “liquid” to the “gaseous” forms and back again: this field of study is called thermodynamics. Since information has already been framed using thermodynamic concepts (entropy), it seems natural to press the larger toolset available from that field into the study of how information will move towards a state where the flow of information between the “gaseous” and “liquid” states will be in balance – like a pool of liquid water in a vacuum at a certain temperature (where liquid water can still exist) will eventually stabilize into some amount of liquid and some amount of gas. As the pressure increases in the system, the equilibrium point will move toward more water and less gas; or as the temperature increases, that point will favour the gas phase. I would argue that we can consider the Internet (or broader infosphere) as the “box”, but one that is expanding exponentially (decreasing the gas pressure and favouring a gaseous state); but that the amount of information is also expanding exponentially (increasing the pressure and thus favouring a liquid state), and thus the equilibrium point is constantly moving and reacting to decisions we make regarding the extent of our global network infrastructure, privacy legislation, how much information is generated at what rate, and how accessible (from an interpretation standpoint) that information is, amongst other criteria.
Like any other ecosystem that humans participate in, we can and will shape it to suit whatever priorities we have at the time. In the end, if we consider the memetic perspective as accurate, neither absolute OCAP nor complete permissiveness will win, but rather a dynamic and ever-changing balance will be achieved between the two. The challenge we face then is, like trying to model the ecosystem of the Earth, to develop models we can use to analyze its dynamic behaviour, but to do so, we need to increase our understanding, though examinations like the R. vs. Spencer case, of what questions need to be asked.
Works Cited
1 Cromwell, J. R. v. Spencer, 2014 SCC 43. Lexum - SCC Cases (2014). http://scc-csc.lexum.com/scc-csc/scc-csc/en/item/14233/index.do
2 Department of Justice. Canadian Charter of Rights and Freedoms. Constitution Acts, 1867 to 1982 (2012). http://laws-lois.justice.gc.ca/eng/Const/page-15.html
3 Associated Press. Microsoft and other tech giants fight U.S. right to seize cloud data. CBC News - Business (2014). http://www.cbc.ca/news/business/microsoft-and-other-tech-giants-fight-u-s-right-to-seize-cloud-data-1.2677688
4 BBC News. Google and Facebook can be legally intercepted, says UK spy boss. BBC News (2014). http://www.bbc.com/news/technology-27887639
5 Gleick, J. The information: a history, a theory, a flood. (Vintage Books, 2011).
6 Floridi, L. Information: a very short introduction. (Oxford University Press, 2010).
7 Siegal, L. J. The Rise of Oxygen. Astrobiology Magazine (2003). http://www.astrobio.net/news-exclusive/the-rise-of-oxygen/
8 LimeWire. Wikipedia, English. http://en.wikipedia.org/wiki/LimeWire
9 A Bit History of Internet/Chapter 6: Peer-to-peer. Wikibooks. http://en.wikibooks.org/wiki/A_Bit_History_of_Internet/Chapter_6_:_Peer-to-peer
10 Payton, L. Online privacy decision means ‘back to the drawing board’ for Tories. CBC News (2014). http://www.cbc.ca/news/politics/online-privacy-decision-means-back-to-the-drawing-board-for-tories-1.2674793
11 Schnarch, B. Ownership, Control, Access, and Possession (OCAP) or Self-Determination Applied to Research: A Critical Analysis of Contemporary First Nations Research and Some Options for First Nations Communities. Journal of Aboriginal Health 80–95 (2004).
12 Streitfeld, D. European Court Lets Users Erase Records on Web. NYTimes.com (2014). http://www.nytimes.com/2014/05/14/technology/google-should-erase-web-links-to-some-personal-data-europes-highest-court-says.html?_r=0
The first one was written for a 4th year class in the "Technology, Society, Environment Studies" (TSES) department, an odd little department at Carleton University. The class was called "Information Technology and Society", which is a pretty cool and important topic (which is why I took it as an elective). It uses a case study of a Supreme Court of Canada decision as the foundation to ask questions about whether we have a reasonable expectation of privacy on the Internet, and manages to tie that to the notions of entropy, memetics, and the evolution of blue-green algae... go figure. The defendant, Spencer, had been arrested and charged with distributing child pornography. The Supreme Court decided that the police did violate his rights, but the crime had been committed and was sufficiently egregious that his appeal was dismissed (and he went to prison). It does bring up many questions about privacy as secrecy, as control, and as anonymity (the latter of which is least understood). I seem to remember I got a good mark on this essay.
On June 13, 2014 the Supreme Court of Canada, in the case of R. vs. Spencer, found that the constitutional rights of Matthew David Spencer had been violated when the police requested “pursuant to s. 7(3)(c.1)(ii) of the Personal Information Protection and Electronic Documents Act (PIPEDA)”1, and subsequently received “without prior judicial authorization”1, identifying information from his Internet Service Provider (ISP) based on his Internet Protocol (IP) address and the time window of his criminal usage of the Internet. Spencer was tried and convicted with evidence collected from his residence – with a proper warrant secured to actually enter and search the house, and seize his computer equipment – based on the police’s observations of his online activities and the identifying information received from the ISP that led them there. However, Spencer appealed the conviction stating that the technique used to locate him was a violation of his Section 8 Charter rights, which states that “everyone has the right to be secure against unreasonable search or seizure”2. The case ultimately went to the Supreme Court of Canada which ruled that, yes, his rights had been unwittingly violated by the police, but that due to the nature of his crimes, “the exclusion of the evidence rather than its admission would bring the administration of justice into disrepute”1, and his appeal was denied. While the search was ultimately deemed to have been illegal, the police “were acting by what they reasonably thought were lawful means to pursue an important law enforcement purpose”1 (in other words, they didn’t understand how PIPEDA worked), and Spencer would do his time.
But the case took on a more important and far-reaching significance when the court went beyond the specific questions of admissibility of evidence, and took a broad look at information privacy and expectations of anonymity on the Internet. In particular, the court stated “the police request to link a given IP address to subscriber information was in effect a request to link a specific person to specific online activities [which] engages the anonymity aspect of the informational privacy interest by attempting to link the suspect with anonymously undertaken online activities”1. Since the police and the lower courts were apparently operating on an incorrect interpretation of PIPEDA and how the constitution applied to information privacy vis-a-vis the Internet, and in light of the tremendous amount of publicity and concern over privacy as it relates to the Internet at this time, the Supreme Court of Canada felt it necessary to examine the relationship between ownership and control of one’s personal information as it related to one’s activity on the Internet, and what were reasonable expectations of anonymity and privacy on what is essentially a public conveyance of information. This question is being asked in many different ways lately in light of the revelations widely circulated as part of the Snowden data leak – people are starting to question the impact of seemingly ubiquitous and aggressive government and corporate data collection on the security and privacy of customer’s data “in the cloud”, especially (but not limited to) data stored outside the borders of a country3 or that travels across international boundaries4.
Politics and this specific case aside, is data privacy a reasonable expectation on any sufficiently complex and open network? Gleick suggests that memetics forces us to reinterpret information as it exists on the Internet today as the first primordial stirrings of a new, perhaps, lifeform based on the meme as its replicator5 (versus the gene which has been the dominant replicator on Earth to this point). Floridi, using information-ethical arguments, goes so far as to state that allowing a piece of information to be destroyed or distorted, no matter how seemingly unimportant, is to commit an act of evil6. Should we therefore accept our status as the “ooze” from which this new emergent lifeform will arise, and abolish information ownership and control to enhance its “growth conditions”? Or do we move in the other direction to prevent this potential competition for resources, and ensure that we remain in control of all the data we generate (each of us becoming individual islands of controlled access)? If the medium is the message, then the medium of the Internet was designed and evolved to maximize the chances of the former; however, there is theoretically nothing to prevent us from altering the medium to implement the latter. Except... the power of social media platforms to employ us to propagate memes (social media is, of course, a meme in itself) is likely irresistible. Tumblr, Facebook, Twitter, even going back to Livejournal and IRC (Internet Relay Chat), are all still second generation communications platforms – the first generation, from my personal experience, were dialup BBS (Bulletin Board System) and UUCP (Unix-to-Unix Copy Program) based point-to-point and “store and forward” systems. The social media revolution did not happen because someone wrote those programs to become what they have become, it is because those are the platforms that survived due to their suitability for the propagation of memes (the weaker attempts did not survive or have been heavily marginalized). What are the implications for information privacy when the successors to the current social media meme are fully evolved and are even more compelling and seamless (blurring the boundaries between online and offline) than the current generation of platforms that already make privacy and control the antithesis of participation in the culture they generate?
I would suggest, continuing to look at the issue from a memetic perspective, that the notion of privacy and control over one’s personal data – a notion with deep historic roots – is itself a meme that is in the process of flourishing, creating competition in the “meme pool”, and fighting for its own share of the resources. Cases like R. vs. Spencer, and the outcry by corporations to prevent ubiquitous and intrusive data collection by governments (while ironically doing the same thing themselves to maximize their share of global resources), are the first significant stirrings of this backlash in the information ecosystem we currently find ourselves in. Like all ecosystems, specialized roles and structures will evolve as systems over time to allow dynamic equilibria to form within it, and the resultant will be some ongoing compromise between the extremes of existence and possibility. However, these are the early days of experimentation in this new infosphere6 we have constructed the basis for (the first small “pond”), and it will take thousands or millions of info-generations to reach its next plateau of stability – we are witnessing the first real struggles just beginning.
Knowing that information privacy deprives memes of their propagation medium, and that like the selfish gene, if it is possible at all, the selfish meme will find a way to reproduce itself, it seems reasonable to presume that rapid evolution will occur in the meme pool to make it advantageous to humans to become efficient propagators. The question is do we accept it, or do we resist? As Gleick quotes Dennett, “I don’t know about you, but I am not initially attracted by the idea of my brain as a sort of dung heap in which the larvae of other people’s ideas renew themselves, before sending out copies of themselves in an informational diaspora [...] Who’s in charge, according to this vision – we or our memes?”5 (p. 317). I contend that the question is nonsensical and builds a false binary representation of the situation when it could be considered more of a dynamic symbiosis between humans and memetic content. Or, conversely, it could be viewed as parasitic relationship – in which case, which is the parasite and which is the host? See, for instance, the debate about the role of blue-green algae in the formation of Earth as we know it today7. In either case, there is and will continue to be an uneasy pull between the indiscriminate flow of memetic information as a meme in itself, and the memetic notion of information privacy.
To understand the tension, I will go back to the Supreme Court of Canada ruling in R. vs. Spencer and summarize some of the relevant details and context. A police constable in the Saskatoon Police Service was using the peer-to-peer file sharing software LimeWire8 to search for people sharing child pornography. They compiled a list of IP addresses of computers and LimeWire GUIDs9 (Global Unique IDentifiers) that appeared to be doing so, and determined that one of the IP addresses in question, based on its value, was likely in Saskatoon and maintained by the company Shaw Communications:
[11] To connect the computer usage to a location and potentially a person, investigators made a written “law enforcement request” to Shaw for the subscriber information including the name, address and telephone number of the customer using that IP address. The request, which was purportedly made pursuant to s. 7(3) (c.1)(ii) of the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (PIPEDA), indicated that police were investigating an offence under the Criminal Code, R.S.C. 1985, c. C-46, pertaining to child pornography and the Internet and that the subscriber information was being sought as part of an ongoing investigationThe trial judge and appeal judges in Saskatchewan both concluded that because of the nature of the information obtained – “simply a name, address and telephone number matching a publicly available IP address”1 – that no search had been conducted and that Spencer had no reasonable expectation of privacy on the Internet anyway. The Crown maintained that contention throughout the appeals process. The Supreme Court of Canada took a much closer look at those issues and decided that clarification was definitely required as “[35] ... The subject matter of the search was not simply a name and address of someone in a contractual relationship with Shaw. Rather, it was the identity of an Internet subscriber which corresponded to particular Internet usage”1.
[12] Shaw complied with the request and provided the name, address and telephone number of the customer associated with the IP address, Mr. Spencer’s sister. With this information in hand, the police obtained a warrant to search Ms. Spencer’s home (where Mr. Spencer lived) and seize his computer, which they did. The search of Mr. Spencer’s computer revealed hundreds of child pornography images and over a hundred child pornography videos in his shared LimeWire folder. [...]
[14] At trial, Mr. Spencer sought to exclude the evidence found on his computer on the basis that the police actions in obtaining his address from Shaw without prior judicial authorization amounted to an unreasonable search contrary to s. 8 of the Canadian Charter Rights and Freedoms.1
Very simply put, the Supreme Court of Canada states, “it would be reasonable for an Internet user to expect that a simple request by police would not trigger an obligation to disclose personal information or defeat PIPEDA’s general prohibition on the disclosure of personal information without consent. [...] Therefore, the request by the police that the ISP voluntarily disclose such information amounts to a search”1. The case summary further clarifies that the legislation cited by the police (the Criminal Code section 487.014(1) and PIPEDA section 7(3)(c.1)(ii) – although the Supreme Court judge indicates that their analysis applies to PIPEDA in toto) does not create “any police search and seizure powers”1. In the former, the Criminal Code simply reaffirms that police are allowed to ask for the voluntary disclosure of information; and in the latter, it is simply supposed to “increase the protection of personal information”1. To be clear, the relevant sections of legislation being quoted in the ruling of R. vs. Spencer are the PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT, S.C. 2000, C. 5:
7 ... (3) [Disclosure without knowledge or consent] For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is ... (c) required to comply with a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to compel the production of information, or to comply with rules of court relating to the production of records; (c.1) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that ... (ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law1and the Criminal Code of Canada, R.S.C. 1985, c. C-46:
487.014 (1) [Power of peace officer] For greater certainty, no production order is necessary for a peace officer or public officer enforcing or administering this or any other Act of Parliament to ask a person to voluntarily provide to the officer documents, data or information that the person is not prohibited by law from disclosing.1So the Supreme Court of Canada determined that there was no legislation to back up the police actions, and that Spencer had a reasonable expectation of privacy and anonymity while conducting any activity on the Internet, and thus the request for information from Shaw Communications was legitimately a search, and thus had been conducted illegally. Obviously, the police could have obtained that information legally from Shaw if they had secured a warrant for that information, so if someone engages in demonstrably illegal activities on the Internet (or law enforcement agents have a reasonable and demonstrable suspicion), then there is presumably a case to be made that a lawful search and possible seizure needs to take place. Thus, this case does seem to affirm that we, the ordinary rank and file of Canadian society at least, are to have our anonymity and privacy rights protected from warrantless (in both senses of the word) violations.
Cromwell, the Supreme Court justice who wrote the ruling, realized that there was a lack of understanding and appreciation of what these rights were when considering our collective presences as we participate in communications and data sharing over the Internet, and thus set out to clarify what those rights actually entailed and how they intersected with Internet use. Because the considerations and arguments were complex and subtle, he grouped the “factors that may be considered in assessing the reasonable expectation of privacy” into “four main headings for analytical convenience”: “[18] ... (1) the subject matter of the alleged search; (2) the claimant’s interest in the subject matter; (3) the claimant’s subjective expectation of privacy in the subject matter; and (4) whether this subjective expectation of privacy was objectively reasonable, having regard to the totality of the circumstances”1. He goes on to make what I consider to be some very bold statements about the subject matter and the consequences of posing these questions: “[18] ... However, this is not a purely factual inquiry. The reasonable expectation of privacy standard is normative rather than simply descriptive [...] Thus, while the analysis is sensitive to the factual context, it is inevitably laden with value judgements which are made from the independent perspective of the reasonable and informed person who is concerned about the long-term consequences of government action for the protection of privacy”1 (emphasis added). Here, we can catch a glimpse of the memetic notion of privacy rights in a global digital age at work: the expectation of privacy is a normative component of our modern society (at least modern Canadian society).
With respect to the “subject matter” in question, in a previous decision dealing with information privacy, the Court “[27] ... stressed the strong claim to privacy in relation to information that is at the ‘biographical core of personal information which individuals in a free and democratic society would wish to maintain and control from dissemination to the state’ [and] s. 8 protection is accorded not only to the information which is itself of that nature, but also to ‘information which tends to reveal intimate details of the lifestyle and personal choices of the individual’”1 – in short information that can even potentially lead to deanonymization and even metadata about a person’s activities. Referring to yet another Supreme Court case, “[31] ... when identifying the subject matter of an alleged search, the court must not do so ‘narrowly in terms of the physical acts involved or the physical space invaded, but rather by reference to the nature of the privacy interests potentially compromised by the state action’”1. Here again, privacy rights are re-affirmed and the powers of the state are limited. Finally, with respect to this specific case, Cromwell states “[32] ... The subject matter of the search was not simply a name and address of someone in a contractual relationship with Shaw. Rather, it was the identity of an Internet subscriber which corresponded to particular Internet usage”1. While this decision deals with a specific case, it’s implications are broad and far-reaching in its clear protection of privacy rights on the Internet. It is not a stretch to consider this ruling as a foundation by which individuals and groups could take governments and corporations to task for failing to comprehend (or being willfully blind to) the broader implications of their data collection and use, of byzantine attempts to obfuscate privacy obligations or account settings to confound unsophisticated or casual users, and ultimately could be used to challenge an unengaged approach to ensuring that users/customers are educated about their rights (again, either through deliberate choice or wilful blindness while benefiting from that data). It certainly has more immediate implications for the Conservative government’s proposed “cyberbullying” Bill C-13 – as constructed, it is clear that key provisions of the bill are unconstitutional, specifically with respect to the warrantless search and seizure of data and identifying information10.
The principles at work in the contemplations of the court are captured in an elegant and practical form in Schnarch’s paper on Ownership, Control, Access, and Possession (OCAP)11. While OCAP was specifically targeted at Aboriginal control of research being conducted on them, the paper drew on existing principles, and the basic tenets it documents can be applied in a more general sense to any information pertaining to individuals or collectives of individuals. These four principles can and seem to be applicable even to the domain of corporations as shown in the backlash by corporations against indiscriminate government surveillance of their communications and data, and the communications and data of their clients. The notions of ownership and control have an implicit but strong requirement that the privacy of information and action (including meta information about said data) – the control of it – is at the discretion of those that have, as the court stated, “an interest in the subject” (see above). Similarly, the access component, which allows those that have title or right over the data to decide who has the ability to use that data, if at all, and for what purpose is another way of looking at the anonymity component being considered by the courts. Here again, there is an implicit but strong implication that should someone or a group wish that the data to which they have “an interest” can be kept secret or, should it be released, can be done so in an anonymous manner unless otherwise explicitly specified.
These principles mirror the Supreme Court’s interpretation of the Canadian constitution’s protection of rights and freedoms. In particular, in R. vs. Spencer, Cromwell states, “[38] ... it seems to me that privacy in relation to information includes at least three conceptually distinct although overlapping understandings of what privacy is. These are privacy as secrecy, privacy as control and privacy as anonymity”1. The first two are generally well understood, even in the context of networked technologies; however, “[41] There is also a third conception of informational privacy that is particularly important in the context of Internet usage. This is the understanding of privacy as anonymity. In my view, the concept of privacy potentially protected by s. 8 must include this understanding of privacy”1. He goes further by way of clarification, “[46] ... the Internet has exponentially increased both the quality and quantity of information that is stored about Internet users. Browsing logs, for example, may provide detailed information about users’ interests. Search engines may gather records of users’ search terms. Advertisers may track their users across networks of websites, gathering an overview of their interests and concerns”1. Observing that “[46] ... the user cannot fully control or even necessarily be aware of who may observe a pattern of online activity, but by remaining anonymous — by guarding the link between the information and the identity of the person to whom it relates — the user can in large measure be assured that the activity remains private”1, Cromwell makes clear the need for the law and society to “[44] recognize anonymity as one conception of privacy”1. Here again, there seems to be some intent to put those outside the law enforcement community on notice that privacy laws are being refined and that the courts are not ignorant of the methods by which a reasonable expectation of privacy is currently being compromised.
The last component of OCAP, that of possession, is a thornier issue that I believe is in a state of transition as new network-centric technologies emerge – here, corporations are in some ways leading the discussion on this issue, for example Microsoft, Verizon Communications, AT&T, Apple, and Cisco Systems have launched suit against the US government around that government’s assertion that it has the unimpeded right to “seize computer data stored outside the country”3. They state that “over the course of the past year, [they] have faced growing mistrust and concern about their ability to protect the privacy of personal information located outside the United States [... which] will ultimately erode the leadership of U.S. technology companies in the global market”3. In fact, they claim, “compliance with U.S. search warrants may cause companies to violate data-protection laws in countries where the targeted data is stored [... and, therefore ...] the U.S. technology sector’s business model of providing ‘cloud’ Internet-based services to enterprises, governments, and educational institutions worldwide will be substantially undermined”3. When data is distributed on a pay-for-play global “cloud” of storage facilities, the notion of possession of one’s data becomes a more complex issue. Indeed the only way to maintain possession of one’s data is to eschew social media entirely, thus isolating one’s self from the bulk of modern Western society. While an examination of OCAP as it relates to platforms such as Facebook and Google is beyond the scope of this paper, actions like the European Union’s order to Google to respect requests to remove search results about individuals that wish to maintain their privacy12 indicate that there is an unresolved tension in place here.
“The meme is not the dancer, but the dance [...] For most of our biological history they existed fleetingly; their main mode of transmission was word of mouth. More recently they have managed to adhere in solid substances: clay tablets, cave walls, paper sheets. They achieve longevity through our pens and printing presses, magnetic tapes and optical disks. They spread via broadcast towers and digital networks. In Dawkins’ meme-centred perspective, memes copy themselves by any means available”5 (p. 314). Memes must therefore have phenotypic effects: the meme for making fire, the meme for wearing clothes, etc. all have had powerful effects and they thus influence the conditions affecting their own chance of survival as they broadcast themselves – the memes for unfettered information propagation and compartmentalization and control through information privacy rights being no less impactful in our modern society. Gleick quoted Dawkins as stating, “I believe that, given the right conditions, replicators automatically band together to create systems, or machines, that carry them around and work to favour their continued replication”5, and then Humphrey informing us that these entities should be considered “living structures, not just metaphorically but technically: when you plant a fertile meme in my mind, you literally parasitize my brain, turning it into a vehicle for the meme’s propagation”5 (p. 315). Again, we have the question of symbiosis versus parasitism appearing when we ask these questions. Which of the two it turns out to be will, in large part, be determined by whether we guide the development of the greater Internet or allow it to happen to us.
On one hand, we have the rise of formalized privacy rights as illustrated in the analysis presented in the case of R. vs. Spencer1, legislation being enacted in the European Union allowing people to challenge the persistence of information relating to them on the Internet12 and efforts like the OCAP framework11, and companies challenging ubiquitous government intrusion into the information privacy of their clients and corporate data3. On the other hand, we have the notion of the meme as replicator and people like Floridi suggesting there is an info-morality that we need to consider when making our decisions. He suggests that “any information entity has a right to persist in its own status, and a right to flourish [...] as a consequence of such ‘rights’, information ethics evaluates the duty of any moral agent in terms of contribution to the growth of the infosphere and any process, action, or event that negatively affects the whole infosphere – not just an informational entity – as an increase in its level of entropy and hence an instance of evil”6 (p. 112/113). Obviously, OCAP is effectively an “evil” in the eyes of Floridi, so there is certainly not a consensus on how to address these competing visions.
The uneasy memetic to and fro between information seemingly “wanting” freedom, and the powerful drive to maintain control over it does not have a hegemonic solution, but rather will reach various states of dynamic equilibria over time. If one considers the memetic notion of info-freedom as a state, then this can be thought of as a “gaseous” phase of information; similarly, the meme of info-privacy can be conceptualized as information being in a “liquid” phase. In the former, information will expand to fill all the possible states available for it to be in and if new ideas (memes, information, data) is introduced into the system, it will over time diffuse through the entire infosphere. In the latter, information is still fluid, but it can be contained, controlled, measured, and distributed by those who manage its container. I humbly propose that what I have described comes complete with a fully-formed set of mathematical tools that could be used in the analysis of the flow of information from the “liquid” to the “gaseous” forms and back again: this field of study is called thermodynamics. Since information has already been framed using thermodynamic concepts (entropy), it seems natural to press the larger toolset available from that field into the study of how information will move towards a state where the flow of information between the “gaseous” and “liquid” states will be in balance – like a pool of liquid water in a vacuum at a certain temperature (where liquid water can still exist) will eventually stabilize into some amount of liquid and some amount of gas. As the pressure increases in the system, the equilibrium point will move toward more water and less gas; or as the temperature increases, that point will favour the gas phase. I would argue that we can consider the Internet (or broader infosphere) as the “box”, but one that is expanding exponentially (decreasing the gas pressure and favouring a gaseous state); but that the amount of information is also expanding exponentially (increasing the pressure and thus favouring a liquid state), and thus the equilibrium point is constantly moving and reacting to decisions we make regarding the extent of our global network infrastructure, privacy legislation, how much information is generated at what rate, and how accessible (from an interpretation standpoint) that information is, amongst other criteria.
Like any other ecosystem that humans participate in, we can and will shape it to suit whatever priorities we have at the time. In the end, if we consider the memetic perspective as accurate, neither absolute OCAP nor complete permissiveness will win, but rather a dynamic and ever-changing balance will be achieved between the two. The challenge we face then is, like trying to model the ecosystem of the Earth, to develop models we can use to analyze its dynamic behaviour, but to do so, we need to increase our understanding, though examinations like the R. vs. Spencer case, of what questions need to be asked.
Works Cited
1 Cromwell, J. R. v. Spencer, 2014 SCC 43. Lexum - SCC Cases (2014). http://scc-csc.lexum.com/scc-csc/scc-csc/en/item/14233/index.do
2 Department of Justice. Canadian Charter of Rights and Freedoms. Constitution Acts, 1867 to 1982 (2012). http://laws-lois.justice.gc.ca/eng/Const/page-15.html
3 Associated Press. Microsoft and other tech giants fight U.S. right to seize cloud data. CBC News - Business (2014). http://www.cbc.ca/news/business/microsoft-and-other-tech-giants-fight-u-s-right-to-seize-cloud-data-1.2677688
4 BBC News. Google and Facebook can be legally intercepted, says UK spy boss. BBC News (2014). http://www.bbc.com/news/technology-27887639
5 Gleick, J. The information: a history, a theory, a flood. (Vintage Books, 2011).
6 Floridi, L. Information: a very short introduction. (Oxford University Press, 2010).
7 Siegal, L. J. The Rise of Oxygen. Astrobiology Magazine (2003). http://www.astrobio.net/news-exclusive/the-rise-of-oxygen/
8 LimeWire. Wikipedia, English. http://en.wikipedia.org/wiki/LimeWire
9 A Bit History of Internet/Chapter 6: Peer-to-peer. Wikibooks. http://en.wikibooks.org/wiki/A_Bit_History_of_Internet/Chapter_6_:_Peer-to-peer
10 Payton, L. Online privacy decision means ‘back to the drawing board’ for Tories. CBC News (2014). http://www.cbc.ca/news/politics/online-privacy-decision-means-back-to-the-drawing-board-for-tories-1.2674793
11 Schnarch, B. Ownership, Control, Access, and Possession (OCAP) or Self-Determination Applied to Research: A Critical Analysis of Contemporary First Nations Research and Some Options for First Nations Communities. Journal of Aboriginal Health 80–95 (2004).
12 Streitfeld, D. European Court Lets Users Erase Records on Web. NYTimes.com (2014). http://www.nytimes.com/2014/05/14/technology/google-should-erase-web-links-to-some-personal-data-europes-highest-court-says.html?_r=0
