In a distinguished career as a data privacy legal expert, Theodore Claypoole has gone from being a privacy evangelist to something of a self-confessed cynic. But while the blistering pace of technological innovation and the continued dominance of the big tech platforms continue, he does still hold out hope.
Theodore is a partner at US law firm Womble Carlyle where he heads the Data Privacy and Cyber Security teams. He is also co-author of the books Privacy in the age of big data: Recognising threats, defending your rights and protecting your family and Protecting your internet identity: Are you naked online?
He spoke to Internet of Me about the future of privacy in a world of mass data gathering, biometrics, regulation and connected devices.
IoM: Where do you think we are in terms of privacy in the personal data economy?
TC: What’s interesting is how I’ve evolved in that I was a privacy purist at first. In other words, as I’ve seen what’s happening to our privacy I became upset – you see that in the books and articles we’ve written. My biggest problem is that people just don’t know or understand what they are giving up.
It’s all too easy when you’re a Facebook or a Google or another big company to just suck up the data and not tell anybody where it’s going, what they’re using it for, why they have it, why you should be giving it up, why they’re benefiting from it.
I think we’ve passed a long time ago the point where people have got a lot more comfortable allowing their data to be collected and used.
That said, because they’ve become more comfortable – and because I’m a business lawyer – I’ve probably changed my view a little bit more towards the business side. I was adamantly pro privacy and now I see our privacy essentially slipping away. I have sounded the siren call many times and nobody seems to give a damn.
People don’t necessarily see the issues or the problems. I spent the first decade while this was happening waving my hands and trying to tell people you’re giving up too much, you don’t even know what you’re giving up you don’t know how it’s being used you don’t know how the aggregate are collecting these things, how they’re building models of you.
IoM: It seems people don’t understand the issues or simply don’t care as long as they are getting ‘free’ services. Will more people become aware or are proactive privacy steps such as ad blocking just the activity of a niche group of people?
TC It’s just the niche people. The true believers. It’s not just the ones who bother to understand but the ones that emotionally care deeply about this and take attempts to do something. They are modern day Luddites, trying to get off the grid one way or another because they want to be out of the machinery.
SC So do we just have to get over ourselves and accept the way things are?
TC: Unfortunately that’s where I’m getting to right now. I don’t know that we’re going to have much in the way of choice. It might be too late anyway. What’s already being gathered about you and the tiny little things that are gathered about you are going to be coming together in a way that too many third parties are going to know too much about you to begin with.
I sat on a panel last month and one of the questions was ‘Is the password dead?’
We all basically said ‘yes, the password is dead’ or at least it’s a zombie – it just doesn’t know its dead yet.
Part of the reason why is that when you pick up your phone there’s a number of indicators that are being gathered about you. The angle you hold the phone,. The speed at which you type on it, where you are geographically – there are a lot of things you could tell from that.
The companies that I see that are handling mobile authentication well are beginning to look at gathering dozens of small things to identify you so they don’t need any big things.
We’re beginning to get into a world where small indications of who you are from a biometric standpoint, as well as the items you’re carrying with you, are going to become more important. Because of that a lot of the old way we’ve been thinking about privacy is going to be shot to hell.
IoM: Such technological advances are usually in the name of improved service – more convenience, less friction, better identity verification. The flipside is that in the process, data can be gathered in more opaque ways and what an organisation then does with it might not be to your advantage.
TC: That’s been happening for years. I used to be in-house counsel for a major US bank and back in the 90s they were sorting out whether you were a profitable customer or not and, if not, you’d get put through to a different call centre. That was going on before technology came along.
From the retail standpoint now, the Holy Grail is cross platform identification. They want to know that a customer that calls inform that particular phone is the same customer that uses this particular laptop and signs in with that particular smart TV at home. They want to know that’s all the same person. Amazon knows that because you have an account with them, so the account travels through all the things you do with them.
But let’s say you’re a regular shopper at a clothing store. They want to know all those things but you probably don’t have an account with them.
What they are doing right now – and the FCC is putting out commentary on this – they’re putting out a sub-sonic signal so that your devices talk to each other without you knowing it. So if you’ve been to the store’s website on your phone they might well have planted something in your phone that allows it to hear their signal when it comes from someplace else and respond to it. And so if you’re on your TV and you go to the store online, its signalling your phone and your phone is signalling back and confirms that it is you. It’s all becoming much more automated. The tools are much more sophisticated than we can imagine at this point.
IoM: That raises fears of data that’s gathered for one purpose – sometimes without the user even knowing – being used for another purpose that might not be to that user’s advantage.
TC: Absolutely. In the US there is a law that says that if you’re an insurance company and you sell somebody health insurance you can’t use that information to cancel their life insurance. But there is very little in the way of broad protection for various kinds of information – there are specific protections in some areas such as finance and healthcare.
Legislation needs to be selective and target specific things – you either can’t use this stuff or you can’t do these things with what you gathering.
One interesting thing they are looking at right now in US legislation Is biometrics. Many states are coming out with various different biometric laws, some of them just alluding on one hand and others pretty well thought out. Only one of them has a private right of action – that’s the state of Illinois. There is some interesting case law coming out of that private right of action – what it means when somebody is taking your bio measurements without your knowledge and using them without your knowledge.
IoM: And the Internet of Things amplifies the quantity of data we are sending into the cloud.
TC: Nobody I know wants a dishwasher that speaks to the internet. But every company that makes dishwashers is going to make it a default that your dishwasher in the future speaks to the internet. It’s not a question of people pulling in technology because they think it’s great, it’s the manufacturers and retailers pushing it out on you so they have a line into your home.
The manufacturer will say it’s so they know when it’s going to break down, but the truth is they want a line into your home and they want to know what going on with their equipment.
I have a client that is going to be internet enabling your bed. It tells how well you sleep. It tells who’s in the bed and what their vital signs are.
IoM: That sounds scary. And the US outlook seems pretty bleak outlook. So, is privacy dead?
TC: To a certain extent yes. But I think there are pieces that could be saved, if a legislature or a parliament somewhere got in its sights that it could step in and save pieces of this. I do think we are where we are and there will more cleverer ways of getting around it, at least in US. The EU has been a lot better at being more careful about it. I think privacy probably is dead in the US and most of the world. In Canada and the EU, Israel and some other places they’re more careful about data and have laws that treat it as a human right, so you’re more likely to preserve there.
IoM: The widespread feeling in the UK and Europe is that having control over personal data is a human right – privacy should be protected, an individual should have rights to access the data organisations hold on them and use of data should be based on consent. Can this not be a competitive differentiator for businesses – to shift control back to the consumer?
TC: I would like to think so, but I’m a cynic who has been doing this for too long. I just don’t believe that it’s likely that regular people will get their act together enough to fight the entrenched interests. I’m working on a document which looks at the data economy as an extraction economy, very similar to coal. You have to have a license to go get the stuff.
We should begin thinking about data that way, that it’s an extraction product and that the landowner who essentially holds the key to it – you and I whose data they’re taking – have a right to know about it and either get paid for it one way or another or are able to track it where it goes.
IoM: So what’s the good news? How can individuals have a chance of maintaining any sense of privacy?
The only way you’re going to get privacy is to go grab it and take it. If you allow for these trade off you’re never going to get privacy. The truth is we as individuals probably don’t have enough power to make that happen but we should have some political power. That’s probably one of the ways we can keep ourselves protected.
Maybe some of the answer is simple legislation that says you cannot use information you take for certain purposes. Like a citizen’s bill of rights with regard to privacy.
IoM: Given what you’ve already said, is that even a possibility in the US?
Absolutely, although I think you’d need to see one or more catastrophic events – what I call an Exxon Valdez of privacy. You’re going to need to see a couple of big emergencies or problems where a lot of people get hurt or something that is just so breathtakingly awful, such as it’s their health insurance cancelled because it turns out they have a genetic marker to breast cancer or something like that.
IoM: Does an event like Personal Data Week help advance this cause?
I think James Felton Keith feels privacy to be an important issue that isn’t being addressed as well as it could be in the US and I don’t disagree with him. It’s important to have a specific time to try and highlight privacy for everybody – what the problems are and what the issues are.
This tends to get caught up in national security and law enforcement discussions. It’s important to start to talk about privacy in and of itself as a good that people need to be considering and protecting because there are a number of entrenched interests that don’t want you thinking that way.
IoM: What is your take on the EU GDPR? Do you think it’s a well framed piece of legislation?
TC: I’m not sure anybody truly understands all of it yet. I think it’s ambitious and it was created to take Europe to the next step and then try to bring the North Americans to heel a little bit on data issues and see if they could use this as a tool to not feel like they’re being pushed around by the US companies that have a lot freer access to different kinds of data. I’m not sure it will bring US firms to heel in the way some people in Europe think it might. I think big American firms will find work-arounds and develop parallel systems for the different markets.