In the age of the Internet, social media, robot vacuums, and computerized record keeping in almost every industry, is anything truly private or are we just kidding ourselves? Can you live in a connected society and still maintain a modicum of privacy? I don’t think you can. More importantly, I’m not sure you should try.
In my career I have often been employed by various healthcare and financial companies. Until the HIPAA act of 1996, these types of institutions did not have data security departments for the most part. Effectivley meaning that somebody getting ahold of your personal records was no big deal. What changed to make the protection of this and other seemingly private information worthy of a multi-billion dollar industry of its own?
The world has been bamboozled into thinking that the “privacy” of your digital identity somehow matters. Account credentials aside, your personal preferences, medical records, shopping history, and web-site preferences have no intrinsic value. I liken this phenomenon to the marketing campaigns that have resulted in crystalized carbon (diamonds) escalating to ridiculous values. A series of commercials in the 1950s made the substance a “must have” for any couple thinking about marriage. Diamonds are not a girls best friend, they are literally made from one of the most common substances in the known universe. A diamond’s value is determined solely by the mislead perception of the masses and so too, is the value of privacy and thus the value of personal data.
There is no such thing as digital privacy, there never has been and there never will be. How does one privately share something? The notion that its possible to do so is entirely nonsensical. It was difficult to privately communicate in the analog world; everyone has witnessed a teacher intercepting a note. It’s impossible in the digital realm. Everything you do or have done on every computerized device you have ever touched is logged by the systems you were interacting with at the time. The systems and their interconnected software cannot function without the data you provide them. If you authenticated (logged on) to the device or a service with some type of account then the logs can be correlated to you personally.
Facebook cannot post your latest witty comment if you don’t type it into their app’s box. The email you send to your BFF cannot be delivered without traveling through countless routers, switches, appliances, and computers each one of which learns your email address, your IP address, what type of system you are using and more. The photo application on your smartphone cannot organize your pictures by the location you took them in if it didn’t know where you were when you snapped them. You cannot connect to Xbox live and play a game with other users anonymously. In all of these cases, the purveyor of the services you’ve connected to is able to find out exactly who and where you are if they are willing to invest the time and effort to do so.
You can obscure your digital trail from service providers by using man in the middle services like VPNs and TOR, but you’ve only shifted the burden of identification to those service providers instead. You may feel or have read that TOR, or the encryption your VPN uses, is unbeatable but that information has been proven to be false multiple times. At best, it makes you more difficult to track. At worst using these technologies flags you as someone worthy of extra attention.
HIPPA, FISMA, and GPDR are regulatory laws that have been enacted in the United States and Europe to ensure organizations take steps to safeguard your personally identifiable data. They accomplish this goal by applying expensive fines to companies that are determined to have lost private data. There are all kinds of loopholes and exceptions in the regulations, of course, but that isn’t the main issue in my opinion.
HIPPA violations can warrant fines of up to $250,000 per infraction. These fines impart a value on the data. It makes good business sense to invest in personnel and solutions that drastically reduce the chances of the information being accessed in an unauthorized manner, as long as the cost is less than the fines. The same is true for your personal information on your own computer. It’s value is determined by what you would pay to have it kept private. Thus, the computer security industry was born.
What if we didn’t care? How much financial value would personal data have if we all stopped pretending that it was private in the first place? Assuming we could get over ourselves and de-value privacy, who would invest time and resources into obtaining worthless information? Our own misconceptions about the number of people and companies that have access to every bit of your supposedly private information from your social security number to your bank card info, has been leveraged to build a booming empire around making something public feel private.