50 shades of surveillance

As we traverse the digital landscape, we are being subjected to constant tracking and surveillance which siphons off our personal and sensitive information to feed the big data machine. What’s alarming is the number of entities that are involved in the process, some can be characterized as benign hoarders; they amass extensive troves of information but don’t usually take any action as a result; others are much more active and act upon the amassed and continually analyzed data. Much of this was enabled through search engines which were able to capture a great deal of personal and sensitive information, after which they began to leverage this data for profit. Browser cookies became a useful tool for surveillance and data capture; especially with the advent of tracking cookies. While initially cookies could only capture limited data related to the website a user was interacting with at a specific time, tracking cookies made it possible to receive information from all of the sites that a user was visiting. This was followed by web and platform hosting which made certain companies an access conduit for both individual users and service providers, allowing them to capture data on both ends. Social networks came next, promising to connect people at a time of increasing isolation. The internet of things (IoT) is making all of this increasingly easier to perpetrate, as all kinds of devices and gadgets that used to have a single function have now gained connectivity for no apparent reason. Since when does a toaster or refrigerator need a chip and 4G connectivity? Will the toast be any better if Bezos or Zuckerberg get the heads up that it has been toasted?

The one common theme between all of these offerings is that they cost users nothing or very modestly, while the service providers are among the wealthiest companies around. How is this possible? What is the business model for making money while no charging for the services they provide? Well the answer is quite simple, if you don’t know what the product is, you better look in the mirror to find out.

What is missing in the data processing equation are ethics, regulations and data subject rights. All three elements are crucial to ensure that the data processing activities do not become harmful to the data subjects. Ultimately if they do, a data subject needs to have the ability to seek remedy through easily accessible means that will level the playing field between them and the affluent, well represented and disproportionately more influential data processors. Litigation is not a viable avenue for seeking recourse for the average individual who is unable to represent themselves and would face opponents that are well paid and well prepared to defend the questionable processing practices of their masters. A robust regulatory regime could tame both the appetite for data and the way in which it is processed once captured.

Ethical data processing frameworks could be a game changer for individual privacy rights. There are specific features of ethical data processing that would create a more balanced and fair interaction. The most important of these is the concept of proportionality. Proportionality requires that data processing activities are carried out in the least intrusive manner, while anticipated advantages outweigh the potential risks for data subjects. This is especially true of processing activities involving special categories of data, also known as ‘sensitive data’, profiling, automated decision-making, data-mining techniques, big-data analytics and artificial intelligence, as these processing operations pose higher risks to the rights and freedoms of data subjects. Quite a few of these activities are driven by algorithms. Requiring such activities to assess the proportionality and possible harmful outcomes is an important step towards ensuring that algorithms do not perpetuate biases and do not cause harm. By assessing the risks and benefits of the processing activities we can be more confident of the outcomes. Because the risk to benefit ratio is never constant and both sides of the equation doesn’t necessarily materialize at the same time, we can be assured of frequent analysis and adjustment of the processing activities. While the benefits of specific data processing undertakings can be realized immediately, the risks may linger long after the project is decommissioned. By implementing ethical frameworks, there would be a greater likelihood of positive outcomes.

Sadly, the current state doesn’t bode well for such mechanisms to be implemented any time soon. Certainly not voluntarily by the data harvesters. When ethics come up against profits, the almighty dollar seems to win every time.