Future privacy

Talk by Michael Cordover at linux.conf.au on 18 January 2017

Abstract

Privacy isn't dead, but sometimes it's not even clear what we mean by the word "privacy". In this talk we'll take a deep dive into the ways we think about privacy and how technological development has shaped this. In particular, pervasive data collection by government and non-government actors has totally changed the landscape. We live in the future, but we weren't conscious of how we got here.

One conception of privacy is about preventing disclosure of personal information. This model - preferred by lawmakers - says that the most important thing is that your name isn't associated with other information without your consent. Of course, this is meaningless when you have anonymised aggregation and data matching. Why is protection of your name important when your GUID provides a much better matching key, or two data points can be correlated with high probability? And what does consent mean when you aren't aware of any of this today, let alone how it could affect you in a year or ten?

Another version of privacy is about solitude: being able to do things without being observed. A hundred years ago, this meant closing the door. These days there are hidden depths to everything we do. Data collection and analytics are probably being performed by your operating system, your keyboard, the application you're using and every service your data passes through at every OSI layer. Even strong encryption doesn't provide protection from metadata analysis, which can reveal enormous amounts you didn't think you were revealing. Even when this data is anonymised (to the extent that is possible) and used in the aggregate, that still doesn't sit well with many people. And that's before we even get to creepy inference or being an unwitting subject of experimentation.

There is a technological response to this changing environment: open, decentralised systems can be incredibly effective for bringing things back into line with user expectations. But in a world increasingly moving to centralised services, where even your open source tools are running in the cloud, how realistic is it to expect this to catch on? Is a legal approach any better in a globalised world where governments are as much a threat to privacy as non-government actors? Or should society just adapt to this kind of more open living?