Do we need new rights to protect our anonymity?

Do we need new rights to protect our anonymity?

A blog by Ellen Strickland and Jordan Carter, 20 February 2018

The below is adapted from Ellen Stricklands's comments on the Balancing the power of data and analytics with privacy, security and equality panel at the Digital Nations 2030 Conference held in Auckland. Jordan and Ellen worked with colleagues in the InternetNZ team to pull these ideas together.

We think that, as members of a global Internet community, societies need to protect human rights, especially rights to privacy as well as freedom of expression. We also want to put forward our thinking about a new right, related to privacy and technology. But to get there, we need to talk about the GDPR.

The European Union's General Data Protection Regulation is coming, and actually, at a high level, we should all welcome it. There are challenges, it's true. GDPR and other laws try to apply one framework to actions around the globe. There's a collision between national or regional legal borders and the borderless Internet.

What we support is a substantial move to support individual privacy, at a moment where most of the strongest market forces are pulling in other directions.

As technology matures, data is becoming more readily available, easy to trace back to individuals, and more pervasive. The available data is easier to process and make sense of.

There will always be situation where people must be required to be identified, such as a matter of law like driver licenses. But the power of data is that in situations where in the past one might have expected anonymity, and many people still do, people become identifiable by the amount of data which is now collected.

The GDPR is an effort by legislators and politicians to ensure that we are driven by privacy by design, and putting citizens first.

But with the power of data to render people identifiable in ways we can hardly imagine, privacy by design isn't enough...

We need a right to be anonymous

We live in a world where if we don't actively work to protect it, anonymity is dead. Internationally, current technology gives some organisations and state agencies:

  • facial recognition is possible at 500 meters
  • iris recognition is possible at 50 feet meters
  • Identification due to gait analysis (from a smartphone).

Our institutions and personal relationships assume that we can forget - that we can move on from past mistakes. Paper gets shredded, lost, or ignored. Data doesn't. Instead data either stays in databases, gets traded and sold to third parties, or gets leaked.

It can be turned into knowledge, and use made of that knowledge, more easily than ever. This is a situation of great promise but also of great risk.

We need to actively take a stand and say that the people of our societies deserve some anonymity to protect their right to privacy. To protect their right to free expression and to flourish freely as individuals.

Yes we need a recognised right to privacy.

But we believe this right needs to go further. We need to develop a right to anonymity, including protections against re-identification. Re-identification and de-anonymisation are a serious issue, that citizens need protection from.

Many people laughed or shook their heads when the Australians suggested introducing an offence for unauthorised de-anonymisation. But if we think about it long and hard - re-identification is increasingly easy and the datasets available are vast.

As societies committed to the rule of law, it may be that we need to send a clear signal to data analysts, users, collators and brokers that re-identification without consent is not okay.

So to all the Governments in the D5 (soon to be D7) we say, think about developing a right to anonymity for all your citizens, to give us the collective protection we need.

It is clear that a right to anonymity won't be upheld everywhere, even if many places move in this direction. But what is important is that we can, assuming the rule of law, reasonably expect that state institutions in countries that develop such an approach will follow that law.

That matters because it is still the state that can impede our freedom; curtail our rights; put us in prison. The State is in a unique position to make easy use of the collision of big data, cloud computing and the resulting information and knowledge to keep an eye on us all.

A modern Panopticon is not consistent with a flourishing civil society or with our ability to develop in a free and open way as individuals with our diverse interests, perspectives, passions and ideas.

So should we organise to protect our freedom in this way?

We look forward to your thoughts.