Last week, I discussed the trade offs between privacy, authenticity, and confidentiality, concluding that the real trade off is usually between privacy and authenticity. Ultimately, that seems like it pits privacy against accountability and leaves us with a Hobson’s choice where privacy cannot be chosen if we want to prevent fraud. Fortunately, the trade off is informed by a number of factors, making the outcome not nearly as bleak as it might appear at first.
Authenticity is often driven by a need for accountability. Understanding accountability helps navigate the spectrum of choices between privacy and authenticity. As I mentioned last week, Know Your Customer (KYC) and Anti-Money Laundering (AML) regulations require that banks be able to identify the parties to transactions. That’s why, when you open a bank account, they ask for numerous identity documents. The purpose is to enable law enforcement to determine the actors behind transactions deemed illegal (hopefully with a warrant). Technically, this is a bias toward authentic at the cost of privacy. But there are nuances. The bank collects this data, but doesn’t need to use it unless there’s a question of fraud or money laundering.
The point is that while in a technical sense, the non-repudiability of bank transactions makes them less private, there aren’t a lot of people who are concerned about the privacy of their banking transactions. The authenticity associated with those transactions is provisional or latent. Transactions are only revealed to outside parties when legally required and most people don’t worry about that. From that perspective, transactions with provisional authenticity are private enough. We might call this functional privacy.
I’ve used movie tickets several times as an example of an ephemeral transaction that doesn’t need authenticity to function and thus is private. But consider another example where an ephemeral, non-authenticated transaction is not good enough. A while back our family went to the roller skating rink. We bought a ticket to get in, just like at the movies. But each of us also signed a liability waiver. That waiver, which the skating rink required to reduce their risk, meant that the transaction was much less private. Unlike the bank, where I feel confident my KYC data is not being shared, I don’t know what the skating rink is doing with the data.
This is a situation where minimal disclosure doesn’t help me. I’ve given away the data needed to hold me accountable in the case of an accident. No promise was made to me about what the rink might do with it. The only way to hold me accountable and protect my privacy is for the authenticity of the transaction to be made provisional through agreement. If the skating rink were to make strong promises that the data would only be used in the event that I had an accident and threatened to sue, then even though I’m identified to the rink, my privacy is protected except in clearly defined circumstances.
Online we can make the authenticity’s provisionality even more trustworthy using cryptographic commitments and key escrow. The idea is that any data about me that’s needed to enforce the waiver would be hidden from the rink, unchangeable by me, and only revealed if I threaten to sue. This adds a technical element and exchanges my need to trust the rink for trusting the escrow agent. Trusting the escrow agent might be more manageable than trusting every business I interact with. Escrow services could be regulated as fiduciaries to increase trust.
Provisional authenticity works when the data is only needed in low-probability events. Often, however, data is being actively used to provide utility in the relationship. In these cases the answer to maintaining privacy while providing needed authenticity is using confidentiality agreements, essentially NDAs. These agreements can’t be the traditional contracts of adhesion where, rather than promising to protect confidentiality, companies force people to consent to surveillance. Sometimes data needs to be shared to provide utility. Agreements should be written to ensure that data is always shared with the same promise of confidentiality that existed in the root agreement.
Provisional authenticity and data NDAs provide good tools for protecting functional privacy without giving up accountability and relationship utility. Functional privacy is necessary for digital lives worth living. But so is accountability. Finding the means and tools to have both is vital.
- Beyond accountability, a number of businesses make their living surveilling people online or are remunerated for aiding in the collection of data that informs that surveillance. Second, many businesses need accountability for legal or other reasons. I’ve written about the surveillance economy and ideas for dealing with it previously.
- Note that I said need. I’m aware that banks likely use it for more than this, often without disclosing how it’s being used.
- I’m grateful to Sam Smith for discussions that helped me clarify my thinking about this.