I’ve always wanted to write my own autobiography. Maybe it’s narcissistic, but I thought it would be a good chance for me to think back, reflect, introspect, and remember both the good and bad things that happened to me throughout my life. I could then maybe figure out what went right, and in some cases, what went horribly wrong. But I told myself that I would save this personal task until I was older and also until I had enough stories and experiences to share and write about. Otherwise, if I wrote my autobiography today, it would be a story about a girl named Cynthia, who went to school, who then decided to go to more school.

I then came across McAdams’ “Life Story Theory” of identity [1] and realized that I didn’t have to wait until I was old and experienced to write my autobiography. I was already in the midst of writing one and in fact, I had been writing and contributing to this autobiography my whole life. According to McAdams, the individual is the primary author of his or her autobiographical narratives and the individual’s memories link together the past, the present, and the future in order to provide a sense of identity and also to provide a sense of purpose for one’s thoughts and behaviours.

This means that all the memories that I formed (both consciously and unconsciously) have helped to provide me with my sense of identity and that I’m continuously evaluating my experiences and integrating them into the larger narrative of my life.

But what would happen if I experienced something so horrifically terrible that I didn’t want it to form part of my life story. Would I have the option of ensuring that I no longer remember this event and that the memory of the event no longer forms part of my autobiography? If so, and I can start actively meddling with my autobiography, would this change who I am?

Memory and Drugs

Because of the importance of memory and its role in defining one’s identity, scientists in the realm of psychology, neurology, and neuroscience have been investigating methods of enhancing or preserving different types of memory. [2]

More recently, scientists have started to focus on developing pharmacological agents that inhibit or dampen the strength of memory formation and recall. These memory dampening agents are currently being investigated for the treatment of post traumatic stress disorder (PTSD).

PTSD and Autobiographical Memories

PTSD is a psychiatric anxiety disorder that can develop in response to traumatic experiences. [3] One hallmark characteristic of this disorder is the alternation between re-experiencing and avoiding trauma-related memories. In some cases, the disorder can be so debilitating that the individual can no longer function in society due to the involuntary and continuous recall of the horrific event.

Currently, researchers are investigating the interaction between autobiographical memories and PTSD. According to Bernsten (2001), traumatic memories are important in that they become reference points to other experiences in one’s autobiographical memory database. More specifically, traumatic memories become significant landmarks, which represent a major threat that is perceived by individuals with PTSD. [4]

By inhibiting the formation of certain autobiographical memories with the use of these memory dampening agents, the potential formation of these important landmarks may be circumvented.

Pharmaceutical Forgetting

Research has shown in both animal and human studies that emotionally arousing experiences are better remembered than those that are emotionally neutral. [5] Arousal is dictated by the level of adrenaline in the body; a higher level of adrenaline results in increased arousal, and therefore, stronger memory formation. Propranolol, which is already being prescribed for the treatment of hypertension, is used to block the effects of adrenaline. Scientists hypothesize that propranolol could help to dampen the recall of traumatic experiences by dampening arousal. Propranolol is currently being tested in multi-centre clinical trials for the treatment of PTSD.

More interestingly, researchers have recently shown that propranolol can also blunt previously formed memories in humans. [6] In a double blind, randomized study, persons with chronic PTSD were asked to recall their traumatic experiences. The mere recall of these previously experienced traumatic events caused adrenaline to be released and resulted in increased arousal. Upon experiencing arousal, half of the participants were administered propranolol; the other half were administered a placebo. Results showed that propranolol retroactively blunted the recall of previously formed traumatic memories.

Once approved for the treatment of PTSD, what would be the legal implications of using these agents in society?

Legal Issues

Propranolol is known as a “beta-blocker” and was developed in the 1950s and has been prescribed for the treatment of hypertension since the 1970s. In both volunteer studies [7] and clinical trials [8] the use of beta blockers was found to impair memory recall. Interestingly, a similar dose (120 mg-160mg/day) is being prescribed for both the treatment of hypertension and for the treatment of memory dampening. [9] Results from these experiments suggest that individuals who are prescribed propranolol for the treatment of hypertension may be subject to memory impairment; perhaps without their knowledge or consent. Of concern to the legal system is that the reliability and accuracy of the testimonies given by these individuals taking propranolol will be called into question. When deliberating future cases, it will be important for Canadian courts to be mindful of the potential effects that propranolol and similar drugs could have on a witness’s testimony.

Another legal issue arising from the use of these agents is the extent of informed consent that would be required when prescribing these memory dampening drugs. After experiencing a traumatic event, individuals will likely be rushed to the emergency room in order to be treated for both mental and physical distress. Upon reaching the emergency room, a tending physician may recommend the treatment of propranolol in order to help minimize the chances of developing PTSD in the future. Despite being informed of the potential risks and uncertainties associated with these agents, it is questionable whether individuals taking these drugs would be in a legitimate position to give their informed consent because 1) their decision making skills would be significantly compromised as they are in times of distress [10], and 2) they would not know the potential role these dampened memories would have played in their future lives and identities.

Some Final Thoughts

Currently, memory dampening agents are not available to the general public. The quickly advancing field of neuroscience, however, may be able to provide new, more specific, and safer agents to help dampen the painful memories associated with traumatic events. In the near future, some of these newer technologies could be potent enough to allow for memory deletion to occur. Recently, the drug, U0126 (not yet available in humans), was able to selectively delete a particular fear-induced memory in rats. [11] Perhaps these memory deleting agents will become available for use in humans.

In conclusion, it will be necessary for the courts and the government to be informed of all of these new pharmacological developments so that they will be in a legitimate position to weigh both the legal and social implications of using these interventions in the future.

Some Final Final Thoughts

By the time I get around to writing an autobiography, I could have gone through some experiences that may have tempted me to take one of these memory dampening agents and artificially blunt some of my memories.
Maybe it’s just me, but if I do decide to write an autobiography, I want to be able to look back and remember both the good and bad times; the times I’ve laughed and sobbed. I want to be confident that the memories I’m recalling and writing about are genuine and that my memories aren’t pharmaceutically modified in any way, shape, or form.

[1] D.P. McAdams, “The Psychology of Life Stories” (2001) 5:2 Review of General Psychology 100-122
[2] Farah, M. J., Illes, J., Cook-Deegan, R., Gardner, H., Kandel, E., King, P., Parens, E., Sahakian, B., & Wolpe, P. R. (2004). Neurocognitive enhancement: what can we do and what should we do? Nat Rev Neurosci, 5(5), 421-425
[3] Vasterling, J. J., Brewin, C. R. (2005). Neuropsychology of PTSD. New York: Guilford Press.
[4] Bernsten, D., Willert, M., Rubin, D.C. (2005). Splintered memories or vivid landmarks? Qualities and organization of traumatic memories with and without PTSD. Applied Cognitive Psychology, 17, 675-693.
[5] McGaugh, J. L. (2006). Make mild moments memorable: add a little arousal. Trends Cogn Sci, 10(8),
345-347.
[6] Brunet, A., Orr, S. P., Tremblay, J., Robertson, K., Nader, K., & Pitman, R. K. (2007). Effect of post-retrieval
propranolol on psychophysiologic responding during subsequent script-driven traumatic imagery in post-traumatic
stress disorder. J Psychiatr Res. (in press).
[7] Frcka, G., & Lader, M. (1988). Psychotropic effects of repeated doses of enalapril, propranolol and
atenolol in normal subjects. Br J Clin Pharmacol, 25(1), 67-73.
[8] Blumenthal, J. A., Madden, D. J., Krantz, D. S., Light, K. C., McKee, D. C., Ekelund, L. G., & Simon, J.
(1988). Short-term behavioral effects of beta-adrenergic medications in men with mild hypertension. Clin
Pharmacol Ther, 43(4), 429-435.
[9] Pitman, R. K., Sanders, K. M., Zusman, R. M., Healy, A. R., Cheema, F., Lasko, N. B., Cahill, L., & Orr, S. P.
(2002). Pilot study of secondary prevention of posttraumatic stress disorder with propranolol. Biol Psychiatry, 51(2), 189-192.
[10] Hammond, K. R. (2000). Judgments under stress. New York: Oxford University Press.
[11] Doyere, V., Debiec, J., Monfils, M. H., Schafe, G. E., & LeDoux, J. E. (2007). Synapse-specific reconsolidation
of distinct fear memories in the lateral amygdala. Nat Neurosci, 10(4), 414-416.

I recently, for the first time in my life, set up my own wireless router in order to connect my laptop, as well as my roommate’s, to the Internet. This was not a user-friendly experience, and my stress level was heightened by my need to safeguard my wireless signal from outside intruders. I was creating a code of identity for my actions through my computer network: I had to name my signal and trust that it will safeguard my IP address which is now, through my actions online, an extension of my self and identity.

By giving a name to my Internet network, I was sending a secure signal of my own personal identity out into cyberspace. This is a name that anyone in my physical world close enough to pick up on my Internet signal will be able to see. The Internet, as a social system, is a lot less anonymous than many people seem to still think; whether consciously or unconsciously, we are constantly sending out signals of our identity online. From postings on a blog to a wireless network name, our physical life-based identities seep out to the cyber world.

It’s an alarming trend to notice how oblivious people are to their cyber identities, and how careless they are with cyber information that can have a massive affect in their physical world. The online psyche is now a permanent aspect of most people’s lives.

With such a plugged in world, people live and communicate endlessly via online routes. However, like an unguarded Internet signal, many people leave themselves open to cyberintrusions that endanger both their cyberidentites and their physical life identities. Two women have recently been in the news for such open intrusions into their private lives through seemingly safe online channels. Neither Jessica Coen, nor Allyson Stokke intended to victimize themselves through innocent online actions, yet both had their identities and privacy victimized and destroyed through the very avenues they left open to the cyberworld.

Jessica Coen is an online blogger who is now deputy online editor for Vanity Fair magazine. In a previous job, however, she was a popular blogger on the snarky Manhattan-based gossip website, gawker.com [I]. Coen wrote aggressive observations about people’s looks, loves and lives in New York City through the online medium. Coen wrote to receive a reaction, which she received in hordes. Emails, phone calls, letters in the mail, false email accounts set-up under her identity were just some of the reactions she caused from her caustic writing. All were, of course, anonymous. All were invasions of her privacy. None of which would have been so easily acted upon in the physical world. What was a wake-up call to Coen and her lifestyle should be a wakeup call to us all. Just because the anonymity of online actions makes it easier for many people to do or act in ways they are not comfortable in the physical world, does not mean the actions do not have an affect in the physical world. Voyeuristic tendencies have increased in popularity of negative online actions. The Internet has increased many people’s freedom of expression, both positive and negative. In this “me” generation, where the staged reality show, “The Hills,” is a hit, men and women not only feel that it is alright to comment and act as they desire in the online world, but seemingly get approval of their actions through physical world reactions such as media social relations. In today’s world, it is just as common to end a relationship through online or cellular means as it is in a physical world situation.

It is interesting to note that Coen is still active online. She is currently working online and still maintains a blog. A quick search on Facebook brings up a profile that appears to be hers as well. While Coen has been awakened to the threats that are online regarding her own privacy, as well as the malleableness of her identity in the online arena, she has continued to safely traverse the online realm as well as educate other women about both her experiences and her suggestions.

Allison Stokke is young woman with a similar story [II]. However, Stokke’s online privacy invasion began innocently with a sports blogger posting a picture of the young track and field athlete on his website. Rapidly, Stokke received an overwhelming amount of friend requests on her Facebook profile, and YouTube montages made in her honour. More online and even real-life harassment followed in the wake of that one posted picture. Today it is very easy to still find pictures of Stokke online, but not her physical cyber self. Stokke, as an individual, has all but disappeared online due to her experiences.

Online voyeurism has, I dare say, become more dangerous today than in the early days of the Internet when adults were arrested for meeting minors they had met online. You see, online voyeurism has gone beyond something that both appals and frightens us as it was in the past: online voyeurism has gone mainstream. While neither Coen nor Stokke were physically harmed by their attacks, not all individuals have been so lucky. Indeed, the separation between people’s physical world actions and their cyberworld actions is becoming more apparent by the more vicious people become online. Indeed, many people feel comfortable acting out online in ways they would never do in the physical world. As the cyberworld becomes more “real” in our daily lives, our ethics and responsibilities online must be reassessed. The separation of self and ethics must cease to exist. Verbally tearing into someone online may be exhilarating, but has “real life” affects on people’s lives. We need to keep in mind the humanist aspects of the online world. To continue to be wired we must keep it real.

In short, we must redefine the real to fit our new dimensions of our world. What is the real experience? How do we feel the real in cyberworld? How do we let the cyberworld fully compliment the physical world? Finally, how far do we let the two worlds go?

[I]I See Jessica Coen, Online Bullies Back Off. Glamour Magazine. Oct. 2007: 227-228.
[II] See Rebecca Webber, Give This Girl Her Life Back! Glamour Magazine. Sept. 2007: 80.

Wikisurveillance: a genealogy of cooperative watching in the West
By: Michael Arntfield

October 2, 2007 

As the duly elected Liberal government currently serving the Province of Ontario stands poised to infuse one of the largest revenue collection and fine levying agencies in the Western hemisphere—the Ontario Provincial Police—with $2 million (Can) to fund the operation of a state-of-the-art spy plane ostensibly required to identify “racers” or “stunt” drivers using the King’s Highways (Cockburn & Greenberg 2007), all while police in Britain continue to append audio-video recording equipment, or “Bobbie-Cams,” to the helmets of their patrol officers in the vein of Paul Verhoeven’s dystopic 1987 film Robocop (Satter 2007), one is prompted to take a look back at the corpus of police surveillance devices suborned by modernity, that have in aggregate given way for what might be called the golden age of voyeurism.

The mechanical metamorphosis from Althusser’s (1971) Ideological State Apparatus, into the more palpable “technical apparatus” (Ellul 1964: 101) of the police as we know them today, has been achieved in large part through a process of technological determinism, or the means by which human culture and history are simultaneously rendered and reified by our machines. In other words, the ubiquity of those police surveillance and reporting tools that have pervaded urban life for well over a century, has in turn propagated a mimetic response in occidental consumer culture whereby the general public is increasingly enamored by the “democratization of surveillance” (Staples 2000: 155) made possible by portable, affordable, and elegant devices that, through their egalitarian accessibility, make “coercion embedded, cooperative, and subtle, and therefore not experienced as coercion at all” (Ericson & Haggerty 1997: 7). As public and private interests ultimately converge through a phenomenon I call wikisurveillance, the denizens of this self-supervising panoptic state cooperatively pen the requiem for once valued tenets of privacy through the normalization, even fetishization, of corporate and private data mining, cell phone videography, security camera ubiquity, home “monitoring” systems, the proliferation of spy stores, and systemic Facebook cultism.

As such, I define wikisurveillance as the manner in which the community at large has been seduced by, or at the very least summarily acceded to, the idea of watching, recording, reporting, and even the expectation, or exhibitionism, of being watched, as the new de facto social contract for the post-industrial age. Ergo, the computing neologism “wiki” is an appropriate prefix to denote and describe this present Zeitgeist of freelance information brokering in which we presently live, as not unlike any open-source wiki-based text that is publicly inclusive, accessible, modifiable, and even corruptible in its design, the commercial surveillance technologies that define the new historicism of Western media have fostered an age of consensual spying and reporting perhaps best described as the Vichy state of late-capitalism. As conventional law enforcement’s monopoly on surveillance has consequently been muscled out by a veritable coup d’état spearheaded by free unlimited video messaging, Dateline hidden camera specials, and “how’s my driving?” bumper stickers, we must to some extent acquiesce to the troubling truism that Orwell was wrong: that “[t]here is no Big Brother…we are him” (Staples 2000: 153).

From the discreet distribution of “Constable keys” in the early 20th century to select citizens who could then access locked police signal-boxes and secretly report on the activities of their neighbors, illegal or otherwise, through to the efforts of the Ontario Green Ribbon Task Force in the early 1990s to have affluent commuters armed with what were then nascent and comparatively costly cell-phones report on the movements and identifiers of any vehicle similar to that believed to have been driven by serial killer Paul Bernardo, to modern AMBER-Alerts that function under this same basic pretense, and ultimately to the use of virtual communities like You Tube to solve crimes as serious as murder in some instances (Quintino 2006), there is indeed a long standing confederacy between hegemony and communications technology—even a co-constitutive evolution—which is being increasingly co-opted by private citizens and private enterprise as the state’s observational authority is deregulated.

As Western law enforcement continues to increasingly assert itself through largely privately owned and definitively for-profit entities whose loyalty remains to its capital interests in earnest, the “technical apparatus” of the police is diffused amongst an untrained, unaccountable, and largely anonymous civilian populace who mimic the police methodology by not only buying the compatible hardware, but also buying-in to the associated mindset that all human activities have an inherent intelligence-gathering value.

Whether it be the regular use of clandestine listening devices in Dunkin’ Donuts stores throughout the US (Staples 2000), or the Argus Digital Doorman maintaining and potentially selling off a facial recognition database containing the images of all visitors traveling to and fro any subscribing condominium or apartment building, we see that wikisurveillance allows the Western narrative on both privacy and paranoia to be scribed by a cabal of agents provocateurs who, in working for purely commercial interests, transform the thin blue line into a proverbial Maginot Line of strategic technical installations that expedite the erosion of human agency in not only the management, but also the manufacturing, of law and order.

Wikisurveillance has shown us that the rise of the dreaded police state in the West will not come with the terrifying, sweeping reforms of some new radical and totalitarian government that somehow seizes power, nor from under the boot of some fascist despot, but rather, with the efforts taken in the here and now largely to protect actuarial assets. While police agencies are generally subject to public oversight and accountability, and to archival audits and the eventual de-classification or disclosure of some information, where, when, and how the fragments of unregulated and individually mined data presently floating around will ultimately be used becomes the nagging query written into the code of wikisurvillance. As all human activities become increasingly part of a permanent and quantifiable record that is in large part privately owned and maintained, the Monday morning quarterbacking of historical surveillance data will consequently ensure that “[a] crime can always be found” (Solove 2007: 5) amongst the assorted images, as the floating definition of deviance ensures that crime becomes the last truly renewable Western resource.

Michael Arntfield is a PhD candidate at the Faculty of Information & Media Studies, University of Western Ontario.

BIBLIOGRPAHY

Adlam, Robert C.A. (1981) “The Police Personality.” In: Pope, David W. & Weiner, Norman L. (eds) Modern Policing. pp. 152-162. London: Croom Helm Ltd.

Chu, Jim (2001) Law Enforcement Information Technology: A Managerial, Operational and Practitioner Guide. USA: CRC Press

Cockburn, Neco & Greenberg, Lee (2007) “Ont. to Impose $10,000 Fines for Street Racing.” National Post on-line, Aug 15, 2007. Electronic document: http://www.canada.com/nationalpost/news/story.html?id=6b7d070b-7d48-466c-96db-586d2a5f6def&k=10512. Retrieved Aug 16, 2007

Dandeker, Christopher (1990) Surveillance, Power and Modernity: Bureaucracy and Discipline from 1700 to the Present Day. Cambridge: Polity Press

Ellul, Jacques (1964) The Technological Society. New York: Knopf

Ericson, Richard V. & Haggerty, Kevin, D (1997) Policing the Risk Society. Toronto: University of Toronto Press

Lind, Laura (2007, August 18) “Hysteria Lane” The National Post, Toronto Weekend Magazine, p.14

Mann, Steve (1998) “’Reflectionism' and 'Diffusionism': New Tactics for Deconstructing the Video Surveillance Superhighway,” Leonardo, 31(2): 93-102.

Manning, Peter K. (1992) “Information Technologies and the Police” In Tonry, Michael & Morris, Norval (eds) Modern Policing. pp. 349-398. Chicago: University of Chicago Press

Marx, Leo (1964) The Machine in the Garden: The Pastoral Idea in America. New York: Oxford University Press

Maxcer, Chris (2007, March 6) “Cops Nab Crooks Using YouTube” Tech News World.com. Electronic document: http://www.technewsworld.com/story/56108.html
Retrieved July 10/07

Morgan, Rod & Newburn, Tim (1997) The Future of Policing. Oxford: Oxford University Press

North, Dick (1978) The Lost Patrol. Anchorage: Alaska Northwest Publishing Co.

ODMP (2006) Officer Down Memorial Page. Fallen officer directory. Electronic document: http://www.odmp.org/agency.php?agencyid=2758. Retrieved June 14/06

Packer, Jeremy (2002) “Mobile Communications and Governing the Mobile: CBs and Truckers,” Communication Review, 5(1) pp. 39-58

Phillips, Alberta (2005, March 17) “After Club Fire Police Comments Still Smolder” Statesman.com. Electronic document: http://www.statesman.com/opinion/content/editorial/stories/03/17phillips_edit.html. Retrieved May 2/06

Quintino, Anne-Marie (2006, December 15) “Police Discovering Power of YouTube” Globe and Mail.com. Electronic document: http://www.theglobeandmail.com/servlet/story/RTGAM.20061215.gtcopsyoutube1215/BNStory/Technology/home. Retrieved July 17/07

Richardson, Mark (2005) On the Beat: 150 Years of Policing in London Ontario. Canada: Aylmer Express Ltd.

Rubinstein, Jonathan (1973) City Police. USA: Hill & Wang

Satter, Raphael G. (2007, July 13) “Britain’s surveillance to new levels with video cameras strapped to police helmets.” CBC Newsworld. Electronic document: http://www.cbc.ca/cp/world/070713/w071347A.html. Retrieved July 14/07

Seltzer, Mark (1992) Bodies & Machines. New York: Routledge

Smith, Merritt Roe (1994) “Technological Determinism in American Culture.” In Smith, Merritt Roe & Marx, Leo (eds) Does Technology Drive History? The Dilemma of Technological Determinism. pp. 1-36. Cambridge, Mass: MIT Press

Solove, Daniel J. (2007) “I’ve Got Nothing to Hide and Other Misunderstandings of Privacy,” The San Diego Law Review (44), pp. 1-23

Staples, William G. (2000) Everyday Surveillance: Vigilance and Visibility in Postmodern Life. Lanham, MD: Rowman & Littlefield

Stewart, Robert W. (1994) The Police Signal Box: A 100 Year History. Glasgow: University of Strathclyde. Electronic document: http://www.eee.strath.ac.uk/r.w.stewart/boxes.pdf. Retrieved April 25/06

Vanderburg, Willem H. (2000) The Labyrinth of Technology. Toronto: University of Toronto Press

In this particular historical moment of fetishized “security” and state-sponsored surveillance carried out “for our own good,” it is tempting for some of us to think that we are reaching some low point in the history of privacy, where new technologies already allow the deployment of an Orwellian omniscience by states and corporations. This may indeed be so, but some research I did some years ago on the history of nursing education (of all things) has inclined me (a privacy advocacy neophyte) to wonder if the drive for total surveillance is neither novel nor dependent upon new technologies. In the spirit of Heritage Canada’s iconic television spots, I offer my own “Privacy Heritage Minute,” with all the skeletal theoretical framework, carefully-selected facts and simplistic moral that such an approach implies.

Prior to the 1950s, most Canadian nurses (who were predominantly young, white, unmarried women) were trained through an apprenticeship system, learning their craft by working for three years unpaid on hospital wards. This training was extremely arduous and strictly regimented, and was overseen by a limited number of paid nurse overseers and by senior nurse apprentices. The vast bulk of nursing labour in hospitals was completed by students, who lived on the hospital campus and seldom left the site until their training was complete.

Beginning in the late 19th century, it was understood that moral rectitude (read virginity) and feminine deference (read unquestioning obedience) were key characteristics of the ideal nurse. In part this was because prevailing models of health contained an unmistakably moral component (as arguably they still do – see the rhetoric around obesity, heart disease, HIV, etc.). Likewise hospitals, which were in competition for the dollars of wealthy patients and donors, used the image of the physically and morally clean (female) student nurse as advertising to convince the well-to-do of the safety and efficacy of institutional health care. [1]

Hospitals posted extensive lists of rules intended to ensure the proper behaviour of their student nurses. Obedience was far too important to be entrusted simply to sets of rules, however. As was explained in one nurses’ orientation manual, each individual would be “carefully watched to ensure strict obedience.” Surveillance, embodied in the policies, procedures, and the very architecture of the training school and Nurses’ Home, provided the disciplinary backbone for nursing training. Michel Foucault described similar developments with respect to 18th-century reform schools and prisons in Discipline and Punish: “We have here a sketch of an institution ... in which three procedures are integrated into a single mechanism: teaching proper, the acquisition of knowledge by the very practice of the pedagogical activity, and a reciprocal, hierarchised observation.”

Surveillance of student nurses began from the moment they applied to their training. Candidates underwent gynecological screening tests, which allowed hospital management to determine whether the candidates showed signs of sexually transmitted diseases, previous pregnancy, or loss of virginity. Applicants who showed evidence of such indiscretions were likely to be rejected as “not suitable to become a nurse.” This managerial anxiety over sexuality permeated the apprenticeship program. Of particular concern in these all-female spaces was homosexuality, a “vice” that dared not speak its name but that nevertheless attracted careful scrutiny by managers and hospital trustees. As one former nurse explained to me,

In some residences, bath doors were designed like the swinging doors of saloons with spaces above and below, a technology of observation noted by Foucault at Paris-Duverney's Ecole Militaire. [2]

Surveillance was also trained upon the movements of apprentice nurses in their leisure time and private spaces. Purpose-built Nurses’ Homes were designed along panoptic principles, situating the Matron’s quarters adjacent to the main exit, an arrangement that gave the impression that the foyer was under constant supervision. Anyone entering or exiting the residence was required to sign a log, and bedrooms were checked for absent (or extra) bodies every evening. Strict curfews were enforced with the threat of dismissal, and reinforced with the possibility of character assassination for young women seen “out on the town” after curfew. In this latter area, the hospital enlisted the aid of the surrounding community as observers and judges of nurses’ conduct, and upright citizens regularly informed managers of suspected infractions by students.

On the hospital wards, surveillance took its shape via the ideology of scientific management. By the 1910’s, hospital managers had joined the cult of efficiency, and strongly believed that minute regulation of workers’ time and motion would lead to increased production and lower costs, concepts which fit awkwardly into the provision of health care but which nevertheless persist in hospital management to this day. [3] To this end, nurses were monitored carefully as they learned nursing tasks in a deskilled [4], routinized manner, with harsh discipline as the reward for lapses of technique or behaviour. A fundamental goal of this system was that students would internalize the observing eye, and like Jeremy Bentham’s panopticized prisoners, govern their behaviour according to the priorities of the institution.

Although there were obvious functional reasons for hospitals to maintain strict control over their unpaid labour force, the diligence with which such controls were implemented cannot be explained without attention to the larger discursive webs in which hospitals and nurses were caught. Rapid urbanisation and economic change in Canada, with the attendant increases in single women's urban employment and public visibility, fostered in the imaginations of civic leaders the spectre of the 'woman adrift', the young working girl living in unsupervised residences in an urban environment, untended by patriarchal authority. Promoting women's chaperoned boarding houses, the Toronto Star-Weekly prodaimed in 1917: "It would seem to be but our duty, from an economic as well as a humanitarian stand-point, to see that [the working girl] lives under conditions which tend to make her more efficient, as well as a worthy citizen. It is not too much to say that the future of our country lies in the hands of these girls.” This disingenuous language reflects (in part) anxieties about “degeneracy” that brought us such historical highlights as eugenic sterilization and the Chinese head tax. Regulation of the young female student nurses was thereby elevated to the level of a patriotic duty. Hospitals as major Canadian institutions bought into this wholesale, boasting that their system of discipline and training worked to produce “the best type of Canadian womanhood.”

With the future of the nation apparently at stake, there was little or no concern expressed about the privacy or autonomy of student nurses. [5] No privacy laws governed the surveillance of these young women – there were compelling moral, economic, political, medical, and other reasons to watch them, and so they were watched.

Without overstating the case, I wonder whether this Heritage Minute tells us a couple of things about reasonable expectations of privacy. To me it says that where fear and prejudice coalesce into social panic, surveillance is a ready tool for the identification and punishment of deviance, and privacy rights will be among the first in a long line of casualties. It also implies that surveillance technology takes the form of whatever is at hand. Hospitals used architectural techniques, documents, holes in walls, and human eyes to watch nurses, and socialized their students to watch themselves and each other. So although resisting the development of new methods of surveillance is important, it’s maybe just as important to keep our eyes on the core reasons why our privacy comes under constant assault. The longevity of the hospital system of nursing training suggests that where serious abrogations of privacy rights have apparent social or economic utility, or where they support the societal status quo, they may persist invisibly or unremarkably for decades.

Thank you. This has been a Canadian Privacy Heritage Minute brought to you by the idTrail.

I recently received news that my friend Kelly was found dead in her single room occupancy [1] hotel in Vancouver, several days after she had died. [2]

I knew Kelly as a great force working to improve the lives of street level sex workers in Vancouver’s Downtown Eastside (DTES). Feeling far away and alone in my grief, I googled her to see whether anything had been written about her death. To my surprise, I found a handful of references to her (full name included) as a participant in a free heroin trial program, and identifying her as a woman living out of a shopping cart in Canada’s poorest postal code. I was frustrated and angry that this one-dimensional sketch of Kelly, involving incredibly private details about her life, was so accessible. My first instinct was to wonder whether she had consented to having her name published in these articles. But then a different, and rather more pressing set of questions struck me.

Why, when so few people took notice of her daily existence and suffering, when she was allowed to die almost invisibly – was it possible for me to access information about her health, [3] her poverty and her homelessness on the World Wide Web? I couldn’t shake the idea that Kelly had too much of the wrong kind of privacy.

For Better, For Worse, or Until I Decide to Spy on You
By: Dina Mashayekhi

September 11, 2007

Being recently married, I still haven’t quite adjusted to the idea that you can’t change certain traits in your spouse. For example, my other half tends to view cell phones as a leash, and he regularly “forgets” to call me when he’s going to be late, or going out after class or work. As a result, I end up panicking, thinking he has been in a terrible accident and is unconscious somewhere, and I promptly begin my routine of repeatedly calling his cellphone (which is usually off or at the bottom of his bag on silent mode). By the time he finally gets to the phone and sees 18 missed-calls from me, I’m usually anxiety ridden and he calls me laughing, telling me I’m crazy, and that he’s on his way home. This conversation is usually followed by certain expletives and ends with my threat that I’m going to implant him with a GPS tracking device.

Of course, when I raised this idea, I was completely joking. For the sake of fantasy, my ideal device would be a microchip and to my knowledge, the Verichip doesn’t operate as a GPS device for commercial use (yet). Such a use would also run contrary to my convictions as a privacy advocate, but at times, I feel as though my sanity is at stake. I decided to inquire further into the practical aspects of my GPS threat (after all, there’s no point in a threat without any substance), and to examine the idea of spousal surveillance in general. [i]

Credit cards and databases/data-mining/data aggregation. How does the database nation get affected by a cashless society?

I recently had the opportunity to dwell upon the loss of anonymity as we continue the path to cashless-ness. It was on one of those west coast road trips that seem like the perfect way to cap off a summer.

Driving to South Bay

This August, a couple of friends and I drove down to the Bay Area of California from Vancouver to visit with friends working there. An interesting exercise we got caught up in was to see how difficult it would be to “stay off the radar”. Although we realized that giving out personal information itself is not dangerous, but rather simply provides a possibility for misuse, the recent discourse on domestic spying and the Patriot Act in the US got us to think deeper about sharing our spending habits with US businesses and the US government.

Like any good conspiracy theorist, travel begins by taking large wads of cash out from under the mattress - or a Canadian bank, if your mattress is rather thin. Minimizing our use of credit cards was the obvious step. This was also facilitated (others say caused) by the midsummer drop in the Canadian dollar and our desire not to be gouged by Visa’s exchange/conversion rate. [1]

So we used cash, and lots of it. All of our food, hotel rooms, and activities were anonymous transactions. When we stopped for gas, we prepaid the attendant in $20s. As Canadians, we had never seen so many green bills. Because realistically, although not quite to the level of a wheelbarrow or a duffel bag, carrying enough money for three guys on an 11 day trip is a significant task in itself and more than a little inane.

For the most part, our experiment was successful. Although frustrated by the inefficiency of their monotone bills, our system seemed to work as cash equalled anonymity in most situations encountered. But one time it didn’t was when we came up against the dreaded loyalty card.

Safeway and the Loyalty Card

Loyalty cards are a common occurrence in today's consumer driven world. It seems like everything from airline tickets to cups of coffee have a mode of tracking your purchases and collecting detailed information regarding your personal shopping habits. [2]

But loyalty systems also seem to “work”. The collection of points almost seems like a North American sport. Canadians seem to do anything for their points. [3] And sometimes using the loyalty system is almost forced upon you.

While at the local Safeway trying to buy some supplies in California, we encountered an insidious ploy to force shoppers to self-identify. It has always been part of the loyalty system to offer discounts to those who sign onto the system; discounts of 5% to 10% are not uncommon. But at this particular Safeway, oranges were over $1/lb cheaper for those showing a Safeway card. 1$/lb or more than 30%!

With this kind of price differential, how can you resist? How can you compare the intangible benefit of remaining anonymous with the prospect of saving money on fresh fruit? Although I knew about the privacy implications and why Safeway was operating in such a manner, my biggest concern wasn't about data mining but rather me not having an American Safeway account to be able to take advantage of this offer!

Luckily, or scary depending upon your point of view, the Safeway databases in the United States and Canada are linked and my Canadian account worked just fine. And on top of that, I didn't even need my physical card. Supplying my phone number was enough for the clerk to identify me by name and recite my home address. I'm sure in some way it is useful for Safeway to know that while on vacation in California I enjoy oranges, bananas and croissants for breakfast.

But data collection can go far beyond that. Demographic shopping information is big business in today's always-on marketing environment. Companies like Choicepoint and Acxiom aggregate and sell personal information to government and businesses on everything from health and insurance records to consumer purchasing information. [4] The US government even claims that these aggregators fill a necessary role in the “war on terror” by allowing the government to search for specific purchasing trends and monitor suspicious activity. [5] Vast databases are being filled and very few seem to mind that there are numerous instances of databases being hacked or leaked due to shoddy security practices and inadequate protections.

Adam Greenfield says in his book Everyware that

But, seriously? Identity or oranges. The red pill or the blue. They were good oranges.

Final Thoughts

The beauty of technology is its ability to make life easier. A GPS system and a cell phone were lifelines in trying to navigate the complicated mass of streets and highways of California's Bay Area. But, there are always trade-offs. Simson Garfinkel's Database Nation [7] draws a picture of a frightening dystopia where identifiers such as credit and debit cards, cell phones and surveillance records link to vast databases of personal information that can track you from dawn to dusk and from birth to grave. It is already a reality. There are billions to be made. [8]

But, it doesn’t have to be this way. Besides better laws to control the transfer of personal information, there are electronic alternatives to large wads of money. Electronic e-cash or smartcard systems are making the rounds. They can be programmed with privacy in mind.

An example of an effective privacy respecting system is the Octopus Card system implemented in Hong Kong. The Octopus Card, in one of its selectable iterations, allows its users to anonymously access the transit system in addition to purchasing items from a wide variety of stores. All this is done with a contactless RFID embedded in the card that boasts a 95% penetration rate. [9]

By not requiring any information to purchase, the Octopus Card has many of the same privacy benefits as cash. But not all implementations of this ubiquitous technology are so benign. [10] When done without sufficiently respecting privacy concerns, electronic cash is an effective form of surveillance allowing marketers to tie purchase and travel history to other demographic information.

Even more effective is comprehensive legislation protecting consumer privacy. But it's difficult for legislatures to keep up with advancing technology. Safeguards need to be put in place where the convenience and benefit of a cashless system benefits consumers and is not a tool for marketers and data aggregators. Without that framework, and the penalties to compel adherence, corporations will continue with policies that are in their best interests, in an environment where the majority of consumers are unaware and uninterested in personal data protection.

By the end of our trip, a little bit sunburned and a little bit poorer with cash supplies depleted, we broke down and resorted to credit. We were pretty good, though. Over an 11 day trip and 4000km, 10 days went by without using credit – although there were numerous instances where we had to self-identify. The fact of the matter is that credit is just too easy, and that's how they like it.

Privacy law is increasingly important in litigation in Canada. Contemporary litigants routinely file requests for access to their personal information under PIPEDA and its provincial counterparts. Such requests can give a party a partial head-start on litigation discovery, or aid a party in rooting out information held by an opponent or potential opponent.

That said, with some possible room for improvement (at least in the case of PIPEDA), [1] data protection law in Canada takes a relatively hands-off approach when it comes to legal proceedings. Parties in legal proceedings are generally required to disclose information in accordance with long-standing litigation rules and are largely exempted from restrictions that might otherwise be applicable under data protection laws in other contexts. Yet, this does not mean that privacy considerations are not relevant or applicable to discovery in legal proceedings. This short article identifies some existing and emerging privacy-based limits in litigation discovery at the intersection between privacy interests and the need for full disclosure in litigation.

I. The Implied Undertaking Rule

As a starting point, it is important to note that privacy protections are built into discovery at a fundamental level. Information obtained through discovery is generally subject to an implied undertaking of confidentiality. This prohibits parties from using or disclosing information obtained during discovery for purposes outside of the litigation. The implied undertaking rule is based on a recognition by Canadian courts of the general right of privacy that a person has with respect to his or her own documents. [2] Many Canadian decisions cite the English text Discovery by Matthews & Malek for the principle behind the rule:

A party may apply for relief from the implied undertaking rule where a party's interest in using information outweighs the privacy interest protected or where the document is otherwise available. However, the courts do not take the principle of privacy behind the rule lightly, as such applications for relief are frequently denied, for example, on the basis that it would be “an unwarranted intrusion on [the party’s] privacy rights”. [5]

Privacy has similarly been invoked as a limitation in defining what is and is not reasonable in discovery. For example, in Fraser v. Houston, the court declined to order production of the plaintiff’s financial documents on the basis of privacy concerns, despite concluding that the documents had “at least marginal probative value” to an allegation of economic duress:

Information potentially subject to disclosure in legal proceedings could be held directly by a party to the litigation or by a third party, such as an Internet service provider (ISP). In each of these categories, discussed in turn below, courts have balanced privacy considerations against the interests of full disclosure in litigation.

II. Information Held by a Party

A. Motions for Production

In Park v. Mullin, [7] a party applied for discovery of its opponent’s computer. Relying on earlier Supreme Court of Canada jurisprudence, Dorgan J. expressly drew on privacy considerations in refusing to order disclosure:

Privacy also played an integral role in the leading case Desgagne v. Yuen [9], where the Court balanced the relevance of the information sought against other considerations, including privacy. The plaintiff had been injured in an accident, and the defendant sought production of her hard drive, Palm Pilot, video game unit, and photographs (both electronic and hard copies) taken since the accident. The plaintiff argued that the information was relevant since it would shed light on the defendant’s post-accident cognitive abilities and quality of life. Myers J. refused to order production of the plaintiff’s photographs because of privacy considerations:

Access to the plaintiff’s video game unit, Palm Pilot, and Internet Browsing history were also denied on the basis of their probative value being outweighed by the plaintiff’s privacy interest and the invasiveness of ordering their production. Similar reasoning was applied in Goldman, Sachs & Co. v. Sessions, [11] Ireland v Low [12], and Baldwin Janzen Insurance Services (2004) Ltd. v. Janzen. [13]

B. Motions for Preservation

In the context of preserving evidence for discovery, ex parte orders for the seizure of evidence (such as Anton Piller orders) allow litigation opponents access to documents that may contain personal or confidential information. Although such orders relate to the preservation of evidence, they form part of the overall process of document discovery. Given the invasiveness of such orders, privacy considerations can play an important role in Anton Piller cases. Courts urged taking a cautionary approach to Anton Piller orders as early as 1981. In the words of Browne-Wilkinson J. (as he then was) in Thermax Ltd v. Schott Industrial Glass Ltd: [14]

In Harris Scientific Products Ltd. v. Araujo, [16] the Court found that an Anton Piller order had been improperly obtained and improperly executed. The plaintiff had misrepresented a material fact in its application for the order, and the court found numerous and serious breaches of the order’s execution by the plaintiff. Two of the more serious breaches included the seizure of material subject to solicitor-client privilege and the seizure of an audio cassette that clearly had no relation to the proceedings (“a state-assisted major invasion of Mr. Araujo’s privacy on an unrelated matter”) [17]. When considering the quantum of damages to be awarded, the court reiterated how seriously such breaches of privacy are taken:

Finally, in CIBC World Markets v. Genuity Capital Markets, [19] an order in the nature of an Anton Piller order was made for full preservation of “computers, Blackberries and other types of similar electronic devices of every nature and kind” including all devices “owned or used by others including spouses, children or other relatives”. [20] An order for a seizure of this magnitude obviously has a broad privacy impact. However, the order provided that a technical consultant would perform the imaging and indexing of information and that the imaged drives and information would not initially be shared with the plaintiffs. [21] The court addressed the matters of relevance and confidentiality in a subsequent order, holding that if there were confidential or irrelevant documents contained in the devices imaged, then the defendants could apply to have the full index of documents sealed and one made public that only contained relevant material. [22]

IV. Information Held by a Non-Party

Privacy also plays an important role in contouring limits to discovery from non-parties in litigation. A great deal of personal information is held by non-parties such as ISPs and banks; it is increasingly sought out by parties in litigation.

In BMG v. Doe, [23] the Federal Court of Appeal considered an appeal by music providers who were seeking disclosure of the identities of customers alleged to have infringed copyrights by sharing music on peer-to-peer networks. Sexton JA, for the court, held that plaintiffs must conduct their initial investigations in a way that minimized privacy invasion; failure to do so could justify a court refusing to order ISPs to identify potential defendant customers as requested by the plaintiffs:

In other similar cases of discovery from non-parties, courts have relied on privacy as one of the key considerations factoring into whether production should be granted. For example, in Irwin Toy Ltd. v. Doe, [25] Wilkins J. provided the following view of privacy considerations: “some degree of privacy or confidentiality with respect to the identity of the internet protocol address of the originator of a message has significant safety value and is in keeping with what should be perceived as being good public policy.” [26] Although the court ordered the ISP to disclose the identity of the targeted ISP customer, it required the plaintiffs to meet a privacy-informed threshold test before disclosure would be granted.

Finally, discovery limits based on privacy considerations may also be developed after the fact, in the form of sanctions for wrongful behaviour. Where ex parte orders for evidence seizure (such as Anton Piller orders) are obtained or executed improperly in a way that has an impact on privacy, the courts may step in. This may result in the removal of the offending party’s counsel, or possibly even a stay of proceedings. For example, Grenzservice Speditions Ges.m.b.H. v. Jans [27] concerned an order in the nature of an Anton Piller order. The Court found that the plaintiff’s solicitor allowed flagrant abuses of privacy in the execution of that order, including questioning of the occupants of the home and videotaping of the proceedings surrounding the search. Because of the egregious nature of the infringement on the individual’s right to privacy, Huddart J. (as she then was) disqualified the plaintiff's counsel from further involvement in the case, in order to “assure the defendants and members of the public, all of whom are potential subjects of search and seizure orders, that their rights will be protected.” [28]

Conclusions

This article has briefly reviewed some of the rules and jurisprudence at the intersection between privacy and litigation discovery. Although data protection legislation has an impact on discovery, it generally leaves established litigation rules untouched. However, as seen in the cases reviewed here, there are a number of existing and emerging privacy-based limits on discovery in litigation. Conflicts between the need for full disclosure in litigation and privacy interests will certainly arise more frequently in light of the increasing prominence of electronic discovery and the increasing role that electronic devices play in the creation, processing and storage of personal information.

In 2006, the University of Maryland’s Clark School of Engineering released a study assessing the threat of attacks associated with the chat medium IRC (Internet Relay Chat). The authors observed that users with female identifiers were “far more likely” to receive malicious private messages and slightly more likely to receive files and links. [1] Users with ambiguous names were less likely to receive malicious private messages than female users, but more likely to receive them than male users. [2] The results of the study indicated that the attacks came from human chat-users who selected their targets, rather than automated scripts programmed to send attacks to everyone on the channel.

The findings of this study highlight the realities that many women face when they are online. From the early days of cyberspace, women who identify as female are frequently subject to hostility and harassment in gendered and sexually threatening terms. [3] These actions typically stem from anonymous users.

In this Google Era of unlimited information creation and availability, it is becoming an increasingly quixotic task to advocate for limits on collecting, use, disclosure and retention of personally-identifiable information ("PII"), or for meaningful direct roles for individuals to play regarding the disposition of their PII "out there" in the Netw0rked Cloud. Information has become the currency of the Modern Era, and there is no going back to practical obscurity. Regarding personal privacy, the basic choices seem to be engagement or abstinence, so overwhelming are the imperatives of the Information Age, so unstoppable the technologies that promise new services, conveniences and efficiencies. Privacy, as we knew it, is dying.

Privacy advocates are starting to play the role of reactive luddites: suspicious of motives, they criticize, they raise alarm bells; they oppose big IT projects like data-mining and profiling, electronic health records and national ID cards; and they incite others to join in their concerns and opposition. Privacy advocates tend to react to information privacy excesses by seeking stronger oversight and enforcement controls, and calling for better education and awareness. Some are more proactive, however, and seek to encourage the development and adoption of
privacy-enhancing technologies (PETs). If information and communication technologies (ICTs) are partly the cause of the information privacy problem, the thinking goes, then perhaps ICTs should also be part of the privacy solution.

In May the European Commission endorsed the development and deployment of PETs(1), in order to help “ensure that certain breaches of data protection rules, resulting in invasions of fundamental rights including privacy, could be avoided because they would become technologically more difficult to carry out.” The UK Information Commissioner issued similar guidance on PETs in November 2006(2). Other international and European authorities have released studies and reports discussing and supporting PETs in recent years. (see references and links below)

PETs as a Personal Tool/Application

Are PETs the answer to information privacy concerns? A closer look at the European and UK communiqués suggests otherwise - for all their timeliness and prominence, they reflect thinking about PETs that is becoming outdated. The reports cite, as examples of PETs, technologies such personal encryption tools for files and communications, cookie cutters, anonymous proxies and P3P (a privacy negotiation protocol). Not a single new privacy-enhancing technology category here in seven years. Other web pages dedicated to promoting PETs list more technologies, such as password managers, file scrubbers, and firewalls, but otherwise don’t appear to have significantly new categories of tools.(3,4).

The general intent off the PETs endorsements seem clear and laudable enough: publicize and promote technologies that place more controls into the hands of individuals over the disclosure and use of their personal information and online activities. PETs should directly enable information self-determination. Empowered by PETs, online users can mitigate the privacy risks arising from the observability, identifiability, linkability of their online personal data and behaviours by others.

Unfortunately, few of the privacy-enhancing tools cited by advocates have enjoyed widespread public adoption or viability (unless installed and activated by default on users’ computers, e.g. SSL and Windows firewalls). The reasons are several and varied: PETs are too complicated, too unreliable, untrusted, expensive or simply not feasible to use. The threat model they respond to, and benefits they offer, are not always clear or measurable to users. PETs may interfere with normal operation of computer applications and communications, for example, they can render web pages non-functional. In the case of P3P, a privacy negotiation protocol, viable user-agents were simply never developed (except for a. modest but largely incomprehensible cookie implementation in IE6 and IE7). PETs simply haven't taken off in the marketplace, and the bottom-line reason seems to be that there are few incentives for organizations to develop them and make them available. (Where there has been a congruence of interests between users and organizations, some PETs have thrived, for example, SSL for encrypted secure web traffic and e-commerce. Perhaps the same is happening for anti-spam and anti-phishing tools, since deployment of these technologies helps to promote confidence and trust in online transactions.)

Perhaps the underlying difficulty may be a conceptualization of PETs as a technology, tool or application exclusively for use by individuals, complete in itself, expressed perhaps in its purest form by David Chaum’s digital cash Stefan Brands' private credentials. As brilliant as those ideas are, they have had limited deployment and viability to date. It seems that, to be viable, PETs must be also meet specific, recognizable needs of organizations. Secure Socket Layer (SSL) is a good example, responding as it did to well-understood problems of interception, surveillance and consumer trust online. SSL succeeded because organizations had a mutual interest in seeing that it was baked into the cake of all browsers and its use largely transparent to user.

Meanwhile, technology marches on. Many PETs weren't very practical to use. Sure you can surf anonymously, if don't mind a little latency and the need to tweak or disable browser functionality. But as soon as you want to carry out an online transaction, sign on to a site, make a purchase, or otherwise become engaged online in a sustained way, you had to identify yourself, provide a credit card, login credential, registration form, mailing address, etc. Privacy suffered from the 100th window syndrome: your house, just like your privacy, could be Fort Knox secure but all it took was to leave one window open and the security (privacy) was compromised. Privacy required too much knowledge and effort and responsibility on the part of the individuals to sustain in an ongoing way. Online privacy was just too much work.

And, anyway, the benefits of online privacy tended to pale in the face of immediate gratification needs, and greater conveniences, personalization, efficiency, and essential connectedness afforded by consent and trust. The privacy emphasis slides inexorably towards holding others accountable for the personal information they must inevitably collect about us, not PETs. The only effective privacy option for most people in the online world is disengagement and abstinence.

PETs as a Security Technology

Certain consumer PETs have thrived, such as SSL, firewalls, anti-virus/anti-spyware tools, secure authentication tools. Perhaps anti-phishing tools and whole disk encryption will follow –if incorporated and activated by default into users’ hardware/software. But note: these are all largely information security tools. PETs have tended to become equated with information security. Safeguards are certainly an important components of privacy. We may not be able to stifle the global information explosion, but with appropriate deployment of PETs we can help ensure that our data stays where it belongs, is not accessed inappropriately, tampered with, or otherwise subject to breaches of confidentiality, integrity and availability.

Personal security tools like firewalls, virus/spyware detection, encryption are available to individuals. To the extent that PETs have been adopted by organizations public and private, rather than users, they have been security technologies. Legal and regulatory compliance for managing sensitive information in accountable ways, and for notifying individuals of data breaches, as well as the desire to build brand and promote consumer trust, have helped drive innovation and growth in the data security technology products market. Organizations, both public and private, today are deploying information security technologies throughout their operations, from web SSL to encrypted backup tapes to data ingress and egress filtering, to strong authentication and access controls, to privacy policy enforcement tools such as intrusion detection/prevention systems, transaction logging and audit trails, and so forth. When it comes to organizational PET deployments in practice, security is the name of the game.

But are these technologies really PETs? They may be technologies that are deployed with the end-user in mind - it is their data after all, but they don't really involve the user in a meaningful way in the life-cycle management of the information. The security measures listed above are put in place mainly to protect the interests of the organization. Of course, some organizations do go further and put in place technologies that help express important principles of fair information practices, such as technologies that promote openness and accountability in organizational practices, that capture user consent and preferences, and which allow to clients a measure of direct access and correction rights to the data and preferences stored about them - but this is still the exception rather than the norm..

PETs as Data Minimization Tools

More critically, security-enhancing and access/accountability technologies controls really miss out on the final ingredient of a true PET: data minimization. Information privacy is nothing if not about data minimization. The best way to ensure data privacy is not to disclose, use or retain the data at all. The minimization impulse is well captured by the fair information practices that require purposes to be specified and limited, and which seek to place limits on all data collected, used, disclosed and retained pursuant to those purposes. But such limitations run contrary to the impulses of most information-intensive organizations today, which is to collect and stockpile as much data as possible (and then to secure it as best as possible) because it may be useful later. More data, not less, is the trend. Why voluntarily limit a potential competitive advantage?

Apart from being a legal requirement, arguments for data minimization should be compelling, beginning with fewer cost and liabilities associated with maintaining and securing the data against leaks and misuse, or with bad decisions based upon old, stale and inaccurate data, as well as reputation and brand issue (faced with growing public concerns about excessive data collection, use and retention, major search engines and transportation agencies alike are now adopting more limited data usage policies and practices, but off course these policy-level decisions not PETs).

The problem is that there are few benchmarks against with to judge whether data minimization is being observed via use of technologies. How much less is enough to qualify as a PET? Is a networked, real-time passenger/terrorist screening program that flashes only a red, yellow or green light to the front line border security personnel a PET because the program design minimized unnecessary transmission and display of sensitive passenger PII? Similarly, is an information technology that automatically aggregates data after analysis, or which mines data and computes assessments on individuals for decision-making, or which is capable of delivering targeted bbut pseudonymous ads, a true PET because the actual personal information used in the process was minimized so not to be revealed to a human being? If a specific technology’s purpose for collecting, using, disclosing, and retaining customer or citizen data is sharply limited to "providing better services" and "for security purposes" then can these technology properly be considered PETs?!

PETs as expressing the Fair Information Principles (FIPs)

PETs minimize data, but not all technologies that minimize data are PETs. Data minimization is a necessary but insufficient requirement to become a PET. Enhanced information security is a necessary but insufficient requirement to become a PET. User empowerment is a necessary but insufficient requirement to become a PET. Together, all these impulses are expressed in the ten principles of (CSA) fair information practices, all of which must be substantially satisfied, within a defined context, in order for a given technology to be judged a PET worthy of the name, and of public support and adoption:

To enable user empowerment, we find the (CSA) fair information practices of:
1. Accountability; 2. Informed Consent; 3. Openness; 4. Access; and 5. Challenging Compliance. These principles and practices should be substantially operationalized by PETs.

To enable data minimization, we find the CSA fair information principles requiring 1. Identifying Purposes; 2. Limiting Collection; and 3. Limiting Use, Disclosure, and Retention.

Finally, the CSA Privacy Code calls for Security (Safeguards() appropriate to the sensitivity off the information.

[Comment: The CSA principle ‘Accuracy’ can fit under all three categories, since it implies a right for users to inspect and correct errors, as well as an obligation upon organizations to discard stale and/or inaccurate data, as well as a security obligation to assure integrity of data against unauthorized tampering and modification.]

A more comprehensive approach to defining and using PETs is required - one that clearly accommodates the interests and rights of individuals in a substantial way, yet which can be adopted or at least accommodated by organizations with whom individuals must inevitably deal. This requires a more systemic, process-oriented, life-cycle, and architectural approach to engineering privacy into information technologies and systems.

PETs as we know them are effectively dead, reduced to a niche market for paranoids and criminals, claimed by some security products (e.g., two-factor authentication dongles) or else deployed by organizations as a public relations exercise to assuage specific customer fears and to build brand confidence (e.g. banks' anti-phishing tools, web seals).

PETs as Information Architecture?

The future of PETs is architecture, not applications. Large-scale IT-intensive transformations are underway across public and private sector organizations, from real-time passenger screening programs and background/fraud checking, to the creation of networked electronic health records and eGovernment portals, to national identity systems for use across physical and logical domains. What is needed is a comprehensive, systematic process of ensuring that PETs are full enabled and embedded into the design and operation of these complex data systems. If code is law, as Lawrence Lessig posited, then systems architecture will be the rightful domain for privacy technologies to flourish in the current Google era.

The time has come to speak of privacy-enabling technologies and systems that help create favorable conditions for privacy-enhancing technologies to flourish and to express the three essential privacy impulses: user empowerment, data minimization, and enhanced security. Objective and auditable standards are essential preconditions.

Examples abound: Privacy-embedded "Laws of Identity" can enable privacy-enhanced identity systems and technologies to emerge; as is the development of 'smart' data that carries with it enforceable conditions of its use, in a manner similar to digital rights management technologies. Another example are intelligent software agents that can negotiate and express the preferences –and take action on behalf of- of individuals with respect to the disposition of their personal data held by others. Yet another promising development are new and innovative technologies that enable secure but pseudonymous user authentication and access to remote resources. These and other new information technologies may be the true future of PETs in the Google Era of petabytes squared, and worthy of public support and encouragement.

Recap

So, to summarize: the essential messages of this think piece are:
* PETs are attracting renewed interest and support, after several years of neglect and failure
* PETs are an essential ingredient for protecting and promoting privacy in the Information Age (along with regulation and awareness/education), but their conception and execution in practice is highly variable and still rooted in last-century thinking.
* True PETs should incorporate into information technologies ALL of the principles of fair information practices, rather than any subset of them.
* In today's Information Age, true PETs must be comprehensive, and involve all actors and processes. Evaluating PETs will increasingly be a function of whole systems and information architectures, not standalone products.
* It may be more useful to think of privacy-enabling technologies and architectures, which enable and make possible specific PETs.

Endnotes:

(1) European Commission Supports PETs
Promoting Data Protection by Privacy Enhancing Technologies (2 May 2007)
http://ec.europa.eu/information_society/newsroom/cf/itemlongdetail.cfm?item_id=3402
Background Memo (2 May 2007): http://europa.eu/rapid/pressReleasesAction.do?reference=MEMO/07/159&format=HTML&aged=0&language=EN&guiLanguage=en

(2) Office of the UK Information Commissioner
Data Protection Technical Guidance Note: Privacy enhancing technologies (Nov 2006)
www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/privacy_enhancing_technologies.pdf

(3) Center for Democracy and Technology
Page on Privacy Enhancing Technologies
www.cdt.org/privacy/pet/

(4) EPIC Online Guide to Practical Privacy Tools
www.epic.org/privacy/tools.html

Other Useful Resources:

Dutch Ministry of the Interior and Kingdom Relations, the Netherlands
—Privacy-Enhancing Technologies. White paper for decision-makers (December 2004)
www.dutchdpa.nl/downloads_overig/PET_whitebook.pdf

OECD Directorate For Science, Technology And Industry
—Committee For Information, Computer And Communications Policy
Inventory Of Privacy-Enhancing Technologies (January 2002)
www.olis.oecd.org/olis/2001doc.nsf/LinkTo/dsti-iccp-reg(2001)1-final

Danish Ministry of Science, Technology and Innovation
—Privacy Enhancing Technologies
Report prepared by the META Group v1.1 (March 2005)
www.itst.dk/image.asp?page=image&objno=198999309

Office of the UK Information Commissioner
—Data protection best practice guidance (May 2002)
Report prepared by UMIST
www.hispec.org.uk/public_documents/BPDMay02.pdf

—Privacy enhancing technologies state of the art review (Feb 2002) www.hispec.org.uk/public_documents/7_1PETreview3.pdf

EU PRIME Project
—White paper v2 (June 2007)
https://www.prime-project.eu/prime_products/whitepaper/PRIME-Whitepaper-V2.pdf

Andreas Pfitzmann & Marit Hansen,
TU Dresden, Department of Computer Science, Institute For System Architecture
—Anonymity, Unlinkability, Undetectability, Unobservability, Pseudonymity, and Identity Management - A Consolidated Proposal for Terminology (Version v0.29 - July 2007)
http://dud.inf.tu-dresden.de/Anon_Terminology.shtml

EU FIDIS Project
—Identity and impact of privacy enhancing technologies (2006)
www.fidis.net/fileadmin/fidis/deliverables/fidis-wp13-del13.1.identity_and_impact_PET.pdf

Roger Clarke
—Introducing PITs and PETS Technologies: technologies affecting privacy (Feb 2001)
www.anu.edu.au/people/Roger.Clarke/DV/PITsPETs.html

Office of the Ontario Information and Privacy Commissioner & Dutch Registratierkamer
—Privacy-Enhancing Technologies: The Path to Anonymity (Volume I - August 1995)
www.ipc.on.ca/index.asp?layid=86&fid1=329

A short story on the ID Trail

**********

Incorrect username or password. Please try again.

He tried again.

**********

Incorrect username or password. Please try again.

He tried again.

Incorrect username or password. Your ID is now locked. Please proceed to the nearest SECURE ID Validation Center for formal authentication. The nearest location can be found using the GoogleFED Search Tool.

After sitting stunned for a couple moments, Ross began to appreciate the full gravity of the situation. His ID was frozen. Everything was frozen. He just couldn't remember his damn PIN and that was the end of it. No PIN. No renewal. No ID. No authentication. No anything.

Since the government had launched the Single Enhanced Certification Using Reviewed Examination [SECURE] initiative, he really hadn't thought too much about it. Aside from a couple of headlines describing massive budget overruns and the usual privacy geeks heralding the end of the world, the New Government had pushed everything through without much fanfare.

Technological advances are making genetic testing and screening easier and more accessible. My concerns are that the ease and accessibility are masking the fact that these are not straightforward decisions that should be made quickly. Such decisions may include whether or not to terminate a pregnancy if your fetus has Down syndrome, whether to have prophylactic surgery if you test positive for breast cancer genes, whether to be tested for a late onset disease that may have no treatment or cure, and whether or not to submit to genome testing without knowing what the future will hold in terms of discrimination and possible privacy threats. The reasons for genetic testing have real world consequences that are often not spelled out before the testing takes place.

A recent article in the Globe and Mail discusses new recommendations that pregnant women over the age of 35, but under the age of 40, should no longer undergo routine amniocentesis. It has been standard practice that amniocentesis be available to women over the age of 35 because the probability of conceiving a child with a disability or genetic condition increases with maternal age. New non-invasive screening tests such as maternal blood tests and the nuchal translucency test (a detailed ultrasound taken at 11-13 weeks gestation that measures the fluid levels behind the fetus’s neck) can now indicate whether further testing is indicated or whether the risk of abnormalities is low. This development is very positive as amniocentesis is invasive and carries with it a risk of miscarriage.

However, the article states, “40 is the new 35 when it comes to being labelled a high-risk pregnancy.” [1] The implication here that is repeated several times throughout the article is that pregnant women who are over 35 no longer have the same risks associated with this maternal age; it seems that somehow their risks have decreased, which is not true.

As well the article quotes a physician stating,

Obviously the screening tests are a positive medical advance. Yet coupled with the misleading implication that risks have somehow decreased, what we see here is often the case: the language of genetic discoveries and genetic technologies seems to support a “wait and see” attitude – find out what the testing tells you, then decide what to do. It sometimes appears a bit like a lottery.

Francis Collins, direction of the National Human Genome Research Institute has mentioned that genetic technologies are much like new drugs – we must see what the general reactions are to them after they are first introduced. And many authors advocate that we should work to address concerns as they appear, as opposed to limiting technological advances with unnecessary policies. This is not to confuse the “wait and see” attitude of the researchers developing the technology with the “wait and see” attitude of the doctor performing the testing – they seem to be on a continuum.

Sonia Mateu Suter notes from her research as a genetic counsellor for prospective parents, “little emphasis is placed on the many emotional and psychological ramifications of undergoing such testing, leaving patients unprepared for certain choices and emotional reactions.” [3] She feels that this has “impoverished the informed consent process”. [4] Likewise, a “wait and see” attitude ultimately diminishes autonomy because we are not able to make choices we might have made if we had a comprehensive understanding of all the options and consequences.

Much is unclear as new technologies emerge. What we do know is that the vast majority of those individuals at risk for Huntington’s disease choose not to be tested for the HD gene. A child whose parent has had Huntington’s has a 50% chance of inheriting the gene and developing the disease. There are no cures or preventative measures. Yet at-risk individuals also have a 50% chance of not inheriting the gene and never developing Huntington’s disease. The choice not to be tested struck me as surprising until I read the stories of those at risk and those living with the knowledge that they are carriers. Some of the stories such as Katharine Moser’s (http://www.hdfoundation.org/news/NYTimes3-18-07.php) really put in perspective what it must be like to live with the end of your life before you. She had prepared herself with the requisite six months of counselling when she decided to be tested at age 23, yet admitted she never really believed the test result would be positive. Is it fair for certain people to live this way when no one’s future is certain?

Many would say that genetic testing for other conditions such as Alzheimer’s disease or Multiple Sclerosis, which may become reality in the near future, are not on par with testing for the HD gene. Likely such testing will be in terms of probabilities rather than certainties, such as the current testing for the breast cancer genes – a positive test translates into an increased risk for developing breast, uterine, and ovarian cancer but does not mean a woman will get any of these for certain. Nor does it mean that a woman without these genes is immune to these illnesses. Most likely this difference is part of the reason that intensive counselling is often not part of the testing process, though many acknowledge that the system would be improved if it were. Yet I wonder what the idea of an “increased risk” will mean to people and their families, especially for diseases with no known cure? What will the consequences be for them? Will it be easily accepted as a “probability” – something to think about or watch out for – or will they feel that the die is cast, and they cannot escape their fate? It seems that the outcome will be based on each situation and individual, which underlines the inappropriateness of the “wait and see” attitude.

As testing advances, home testing, where an individual sends a sample away and waits for results, may become more commonplace. Such scenarios have serious implications for privacy and ethics. I read a story of a man who did a home paternity test behind his wife’s back (this is actually encouraged on one paternity website as a way to gain initial information before proceeding with overt testing). The man confronted his wife with the test results that showed he was not the biological father of their children. She flew into a rage and told him he would never see the kids again. While he still has rights as a father, even if he is not a biological one, he now has to battle for these in court. He confessed that he had never fully thought through the consequence of a negative result and deeply regretted doing the test. He was unsure what relationship to have with his kids now, how to think of them, whether he was really their “daddy”. My point here is not to begin a commentary on paternal rights – I mean merely to highlight that this man felt he had acted without fully considering how the test results would affect him.

As genetic testing becomes easier and more commonplace concerns over emotions, psychological states and privacy concerns may be easily overlooked to the point that they are seen as unimportant. Yet to promote autonomous choices we must attend to genetic decision-making in context and encourage individuals to think about what test results will mean to them, their families, and their future. This is not to decry genetic testing; it is to open a dialogue about choices before decisions need to be made. Let’s not “wait and see” what the future holds if diminished autonomy becomes an accepted part of our medical system.

Andre Picard, writing in the Globe and Mail on June 14, made a poignant plea for speeding up the move to electronic health records for all Canadians. He says:

Picard points out that medical records should be accessible to all health professionals we consult, from the pharmacist close to home through the emergency room at the other end of the country. And then he adds, in parentheses: “With the requisite protection of privacy, of course.”

And there’s the rub. Just what is the requisite protection of privacy, and how should it be implemented? For example, in British Columbia a few years ago there was a huge, and quite public to-do about the contracting out of the Medical Services Plan databases to a U.S. company, and the need to protect the information from unwarranted access through the Patriot Act. The B.C. Privacy Commissioner, David Loukidelis, played a very visible role in helping to achieve a reasonable understanding of what would be appropriate in this case. But it turned out that, a year after contracting out the information collection and management to EDS Advanced Solutions, an employee of the company spent several months improperly and repeatedly surfing the files of sixty-four individuals, including the file of a woman whose ex-husband had claimed he could find out where she lived, despite her efforts to keep her location secret. And the source of that information, apparently, was to be the employee who had been doing the surfing. As it happened, none of this had anything to do with access through the Patriot Act.

EDS performed an audit that revealed “some unexplained accesses”, and then claimed there had been no privacy violations because they found no evidence that the information had actually been disclosed to anyone! Furthermore, it took nine months before the woman who had complained received notification about what had actually happened and what lay behind her ex-husband’s claims that he could find her. Various safeguards were subsequently put in place, but one can’t help wondering how much “snooping” of electronic health records might take place without being detected, especially considering the access that vast numbers of employees of pharmacies, hospitals and physicians’ offices would have to such information.

Meanwhile, British Columbia has embarked on a major effort to digitize all medical records, including providing electronic medical records technology to groups of doctor’s offices, much along the lines advocated by Picard. Indeed, B.C. plans to be a leader in Canada in this area of moving from paper records to electronic ones. It is clear that such a project could have the effect of improving medical care enormously by integrating records so that each physician or nurse or pharmacist with whom we interact has access to an overview of our medical histories and records. Advantages may include the fact that tests don’t need to be repeated endlessly, that many errors can be avoided, and that some diagnoses can be made without requiring patients to travel long distances. All good. But since many people are quite concerned about preserving their medical privacy, there is a remaining worry revolving around how we are to ensure the protection of that privacy within the system, and the related autonomy and dignity of patients.

So the first questions are about who needs to have access to all this information, and how we can ensure that access is not granted beyond those groups, except under carefully monitored conditions. Secondly, we need to devise ways to ensure that the information is never used to the detriment of patients, that patients are fully informed at all stages, and that they are involved to whatever degree they wish to be in all decisions about their testing, their results and their treatment. All of these are standard issues in designing good medical care plans – it is just that some of them are more likely to lead to problems when medical records are computerized and networked.

The situation becomes more complicated when we add the more recent developments in genetic and genomic technologies, which will, if they haven’t already, expand not just the amount of information available about individuals, but also the kind of information that is gathered. Individuals who agree to the collection of information are usually assured that their privacy will be protected by secure coding of the information and other means. But to what extent are these measures monitored, and how easy or difficult is it for the codes to be cracked? Even if the coding is secure now, it may well be easy to decipher with new information technology methods.

To be sure, not everyone worries about the privacy implications of these technologies. There has been much discussion surrounding the sequencing of individual genomes, two of the most recent highly publicized examples being J. Craig Venter, former president of the Celera Corporation and James D. Watson, one of the scientists who formulated the double helix model for DNA. And amidst the excitement about these developments the likelihood increases that certain genetic information pertaining to individuals will become part of their medical records and, in due course, so will their entire genomes. No doubt for some purposes this is all to the good in the sense that more information about an individual may well make it possible to provide better care.

But what if making this information available leads to refusal of treatment for people with certain “genetic diseases” or various other forms of discrimination such as denial of insurance or employment? Or what if the individual simply wishes to keep certain matters about his genetic make-up private? Or what if he does not wish to know that he is at risk for a disease such as Alzheimer’s, which manifests itself later in life? Or what if someone’s records are retained and used at a later time in a non-secure environment? We must also remember that genetic information about a given individual tells us quite a bit about his or her family, which may expose many people to having their genetic information widely known, whether or not they have consented to such exposure.

In discussions about information technology and medicine, one commonly heard complaint is that privacy advocates are holding up progress by making it difficult to implement the obviously necessary computerization and integration of medical records. On the other side, one might argue that the focus on technology in this area carries with it the danger that privacy considerations will be relegated to the sidelines and may even come to be seen as insignificant. Unfortunately, a consequence of failing to respect privacy is that the dignity and autonomy of individuals is likely to be impaired. In that case, we will all pay the price.

Planning to litter, hang around looking intimidating, or just generally be a public nuisance in England? Careful where you do it.

This past spring, Britain, already host to more video surveillance cameras than any other country in the world [2], rolled out a new crime prevention measure: ‘Talking CCTV’ (closed-circuit television). Government officials describe the new development as “enhanced CCTV cameras with speaker systems [that] allow workers in control rooms to speak directly to people on the street.” The ‘Talking CCTV’ initiative is just one component of the British Home Office’s Respect Action Plan a domestic program designed to tackle anti-social behaviour and its causes. [3]

What this means in practice is that when staff, operating from an unseen central control room, observe an individual engaged in anti-social behaviour they can publicly challenge the person using the speakers. At the moment the one-sided conversation is relatively unscripted, although workers are expected to be polite. The first time a member of the public is spoken to about her behaviour, she hears a polite request. If she complies, she is thanked. If not, she can expect to hear a command . If she fails to correct her behaviour, the anti-social individual may find surveillance footage of her alleged infraction splashed across the evening news.

While ‘Talking CCTV’ may be novel, video surveillance is nothing new in Britain. It is estimated that a person living and working in London is photographed an average of 300 times a day. [4] One commonly quoted figure is that there is one surveillance camera for every 14 people in Britain. [5] This year the government is spending half a million pounds to set up ‘Talking CCTV’ in twenty communities and it is likely that the program will be expanded in future funding cycles.

Critics of the program argue that the money spent adding speakers to existing surveillance cameras is being wasted. The human rights organization Liberty contends that 78% of the national crime prevention budget in the past decade has been spent on CCTV equipment without proper studies conducted to assess whether or not the expenditure is effective. The organization argues that spending the same percentage of the budget to increase the number of law enforcement officers on patrol would go a lot further to improving public safety. [6]

‘Talking CCTV’ supporters, on the other hand, cite statistics that would please any elected official. In Middlesbrough, where the pilot program took place, officials claim that the system adds an “additional layer of security”:

But measured against what? In their 1999 study of CCTV in Britain, Clive Norris and Gary Armstrong demonstrated how government and law enforcement officials often present CCTV as a panacea without proving it provides the dramatic results attributed to it. Their review of the numbers suggested that, throughout the 1990s, publicly-quoted figures about the benefits of CCTV were often inaccurate or did not tell the whole story, yet they were used to convince taxpayers to buy into the surveillance system. [7] This is not to say that Middlesbrough is faking its numbers. It is quite likely that 100% of individuals exhibiting the anti-social behaviour of littering, who were publicly reprimanded when caught on camera, put their garbage in the bin as directed.

The ‘talking’ modification to the existing CCTV system is being sold to the public as a way to clean up the streets and create a safe, law-abiding community. The Home Secretary, John Reid, states that the new measure is aimed at “the tiny minority who make life a misery for the decent majority.” Safe, clean streets sound great but one academic has noted that public debate about CCTV tends to be shaped more by the government’s focus on how technology can improve law and order and far less on other, more complex, issues about the appropriateness of using the technology. [8]

Government employees now have a powerful tool to single out and shame an individual in public. The fact that “100%” of litterbugs in Middlesbrough obeyed the authoritative, disembodied voice ought not to be underestimated. They likely did so out of shame and embarrassment. Before signing on to such a program, it is worth noting that video surveillance operators, no matter how well-intentioned they may be, are human and they bring their very human biases to their jobs. Norris and Armstrong’s 1999 study showed that the workers watching the monitors disproportionately targeted males, youths, and black people as surveillance subjects. [9] Biases may change depending on the era and the community. The past few years, for example, has seen an aggressive crack-down on panhandling in Liverpool, along with laws designed to minimize youth loitering about urban shopping districts. [10]

Will youth people, the urban poor, and members of visible minority communities be disproportionately targeted by ‘Talking CCTV’? Officially, the answer is likely to be “no” but it has been observed that:

Public shaming of individuals engaged in so-called anti-social behaviour may result in British cities ‘designing away’ social problems as those who are targeted too often by authorities will find other spaces in which to spend their time. [12] The rest of the community may find itself enjoying litter-free streets and ‘Talking CCTV’ will be given credit. But it will all have happened without the benefit of serious public debate about whose behaviour is anti-social behaviour and why that makes people uncomfortable. Britain has been trying to rid itself of anti-social behaviour for a long time now and it seems unlikely that a few talking cameras will get to the root of the problem.

[1] http://www.forbes.com/2007/06/11/urban-surveillance-security-biz-21cities_cx_cd_0611futurecity.html
[2] Clive Norris et al., “The Growth of CCTV: a global perspective on the international diffusion of video surveillance in publicly accessible space.” Surveillance & Society 2:2/3 (2004).
[3] Anti-social behaviour has been seen as such a problem in Britain for the past few decades that the Crime and Disorder Act 1988 gave it a legal definition and criminalized it. That was followed by the Anti-Social Behaviour Act 2003. Legally defining the problem doesn’t appear to have helped much as the government continues to struggle with anti-social behaviour across Britain.
[4] Clive Norris and Gary Armstrong, The Maximum Surveillance Society: The Rise of CCTV (Oxford: Oxford University Press, 1999): 3. (Note that this was a 1999 study. While this continues to be the figure quoted it is possible the number has increased in the past eight years.)
[5] Clive Norris et al., “The Growth of CCTV”.
[6] Norris and Armstrong also quote the ‘78% of the budget’ figure in their 1999 work. It is unclear if this continues to be the expenditure or if Liberty is quoting their work. See Norris and Armstrong, The Maximum Surveillance Society: 54.
[7] Norris and Armstrong, The Maximum Surveillance Society, 60-7.
[8] William R. Webster, “The Diffusion, Regulation and Governance of Closed-Circuit Television in the UK,” Surveillance & Society 2:2/3 (2004): 237.
[9] Norris and Armstrong, The Maximum Surveillance Society: 109-10.
[10] Roy Coleman, “Reclaiming the Streets: Closed Circuit Television, Neoliberalism and the Mystification of Social Divisions in Liverpool, UK,” Surveillance & Society 2:2/3 (2004).
[11] Coleman, “Reclaiming the Streets”: 304.
[12] Bilge Yesil, “Watching Ourselves: Video surveillance, urban space and self-responsibilization,” Cultural Studies 20:4 (2006).

Hi, I’m Alana. I’m a techno-luddite who confesses to rarely participating (well writing at least) in weblists, chatrooms or blogs. In the fall of 2006 I felt compelled, however, to respond to a posting in the closed list server, cyberprof. The posting in question concerned public access to personal information found in a legal database known as projectposner. Projectposner is a database developed by Tim Wu and Stuart Sierra containing many influential judgements of the late American Judge Richard A. Posner. One such judgment referred to a sexual harassment case where the plaintiff was fired for allegedly refusing to have sex with her boss. The plaintiff (who shall remain anonymous) requested the removal of her name (or the entire case) from a judgement found in projectposner. This request for removal triggered a long debate amongst cyberprof colleagues as to the scope of anonymity (and pseudonymity) with regards to online public access to court records.

Privacy was seen as important but absolute privacy was neither seen as desirable nor possible. Some argued that there was already an appropriate mechanism in place, namely a protective order to remove all references to a party’s name during the course of litigation. The ability to remain anonymous in court proceedings is at the discretion of the judge residing in the matter (at least it is in the United States). It was argued that protective orders are better made as a matter of public policy by judges rather than disclosure decisions done on an ad hoc (or post hoc) basis by individual website owners. Some further argued that there was no objectively significant invasion of privacy in the case at hand. There were references to star chambers, decreasing access to case reports, and the social utility of online searching.

A country’s constitution can be described as the mirror into the national soul. A constitution is a foundational instrument, reflective certainly of its country as it exists, but also aspirational in nature. In countries, like Canada, where the constitution protects individual rights and freedoms, citizens are empowered by the values that shape the legal guarantees. This is at least, the hope behind Canada’s Charter of Rights and Freedoms. What then to make of the fact that an interest or value in ‘privacy’ is not expressly protected by our constitution?

The question of the role privacy plays as a foundational constitutional value has been addressed by the Supreme Court of Canada on numerous occasions. It is well-settled law that sections 7 and 8 of our Charter do contain protections for some aspects of a privacy interest. What is less clear is whether a robust concept of privacy, and privacy-related interests, are adequately and wholly protected in Canada’s Charter. Given the constraints of the privacy protections recognized in sections 7 and 8, finding another home for privacy in the Charter might open up new potential. In my view, it would be both helpful and appropriate to consider privacy in the context of the section 15 equality guarantee.

I stress here that I am proposing “another” and not a “new” home for constitutional recognition of privacy interests, because I agree that sections 7 and 8 offer important and necessary protections for certain privacy interests. These two sections are, however, limited in their scope. They appear in a part of the Charter labeled “Legal Rights”, a heading that has been interpreted as placing boundaries on the application of sections 7 and 8. In Gosselin v. Quebec (Attorney General), [1] a majority of the Supreme Court of Canada affirmed that the guarantees under the “Legal Rights” section of the Charter are triggered by state action involving the administration of justice. In most situations, the “Legal Rights” guarantees are triggered in the criminal law context, though these protections can be used in administrative contexts too (as they were, for example, in the case of New Brunswick (Minister of Health and Community Services) v. G.(J.) [2] , involving challenges to child protection processes). While Gosselin left open the question of whether an adjudicative context was required for “Legal Rights” to apply, the majority insisted that it was appropriate to restrict the applicability of the “Legal Rights” protections to the administration of justice. [3] In Gosselin, this meant the section 7 guarantee to life, liberty and security of the person was useless in challenging an inadequate welfare regime. If privacy protections are housed only in sections 7 and 8 of the Charter, the nature of the interests protected are necessarily limited. These limitations mean that only certain kinds of privacy interests are protected by the Charter, and that a “right” to privacy only comes into play in situations captured by section 7 and/or 8. In my view, this is an impoverished interpretation of what privacy could offer as a constitutional value.

Since the Canadian Charter does not recognize the same sort of “penumbral effects” as the Americans see in their Bill of Rights, we are required to locate our constitutional values within specific Charter guarantees. If there is potential for constitutional recognition of privacy outside of the “Legal Rights” context, privacy must find another resting place. In my view, section 15 offers significant hope and advantages as another home for privacy. Chief Justice McLachlin of the Supreme Court of Canada describes “equality” as perhaps the most difficult of the Charter rights to interpret and define, and indeed, section 15 has had a tumultuous history since it came into force in 1985. In the 1990s, the Court was particularly divided on the proper interpretive approach to section 15, until in 1999 the Court reached a tentative consensus on a “test” for equality violations in Law v. Canada (Minister of Employment and Immigration). [4] [Most section 15 scholars agree the Law test is problematic and that the Court has in any event fractured into differing views on equality rights in recent years, however, Law remains in theory and in practice at least, the prevailing structure for section 15.] In Law, the Supreme Court decided to make “human dignity” the central focus of the equality guarantee, explaining the purpose of section 15 as:

Section 15 claimants must show, as one of the three required steps in the Law test, that the legislative provision they contest violates or demeans their human dignity. [6] Justice Iacobucci, writing for the Court in Law, outlined his version “human dignity” in the equality context, intending his approach to be comprehensive but non-exhaustive:

Connections between privacy and human dignity have long been acknowledged and explored by theorists [8] and the Supreme Court of Canada has declared, “a fair legal system requires respect at all times for the complainant’s personal dignity, and in particular his or her right to privacy, equality, and security of the person.” [9] It seems almost natural, then, that privacy should find a new home outside of the “Legal Rights” portion of the Charter, within human dignity, as it is understood and protected under section 15.

There are many benefits to interpreting section 15 to include a privacy interest, broadly captured by two significant features. First, protecting privacy as part of the Charter’s equality guarantee provides opportunities for a set of privacy-related claims that do not fall within the boundaries of the “Legal Rights” section to be brought forward. A claimant whose privacy interests have been violated outside of the Legal Rights context (meaning sections 7 and 8 are not triggered), may now have an avenue under section 15 to bring forward the claim, expanding the Charter’s spectrum of privacy protections. For example, in contexts including (dis)ability discrimination, social welfare or employment regimes, access and funding for abortion or contraceptive services, poverty and homelessness, government relationships with aboriginal peoples, as well as other pressing equality concerns, arguments around privacy interests might be helpful in unpacking and explaining the human dignity step of the Law framework.

Second, an understanding of privacy embedded within the Charter’s equality framework could open up more expansive possibilities for protecting a range of privacy interests beyond those that fall within sections 7 and 8. Section 8 has been interpreted as protecting three specific ‘classes’ of privacy interests: personal, territorial and informational privacy. Section 7’s protection for security of the person, which includes bodily integrity, includes decisional privacy interests. A number of theorists, however, including feminists Allen, Roberts, Gavison, McClain and others, have argued that a robust understanding of privacy includes more than simply protecting these manifestations of recognized privacy interests, and may include such features as positive obligations on the state to provide the conditions necessary for true private choice to be exercised. It is possible that interpreting privacy within section 15 could lead to the legal recognition of new or different ‘kinds’ of privacy, over and above those protected by sections 7 and 8.

Whatever the content of privacy is understood to include, there is general agreement in law and society that privacy is worth protecting, as a “core value of a civilized society,” [10] and as a requirement both of “inviolate personality” [11] and human dignity. Expanding the possibilities for protecting privacy by including it within the ambit of the section 15 equality guarantee is further and uniquely Canadian recognition of the foundational role that privacy plays in our society. Equality, and by necessity a constitutional right to equality, is at the heart of a compassionate democracy. While the Charter protects and advances many of our most cherished values, section 15 is at the heart of the Charter’s vision for Canada. Finding a home for a privacy interest in our understanding of human dignity, not only promotes a more fulsome understanding of the many facets of privacy as a core value, but also opens up new equality arguments for vulnerable and marginalized groups.

[1] 2002 SCC 84
[2] [1999] 3 S.C.R. 46.
[3] Then Justice Arbour took a different and radical approach to section 7, and would have removed it from the limitations of its placement in the “Legal Rights” section of the Charter. She left the Court soon after the Gosselin decision and her views have not gained traction at the Court so far.
[4] [1999] 1 S.C.R. 497.
[5] Ibid. at para. 59.
[6] The first two steps in the Law test are that the claimant establish that he or she is a member of one of the enumerated or analogous grounds listed in section 15 and that the impugned legislative provision imposes a burden or denies a benefit to the claimant on the basis of the ground.
[7] Ibid. at para. 53.
[8] A number of philosophers have connected privacy to human dignity, and explained the relationship between the two as harmonious and even symbiotic in nature. Edward J. Bloustein reasoned:

The man [or woman] who is compelled to live every minute of his [or her] life among others and whose every need, thought, desire, fancy or gratification is subject to public scrutiny, has been deprived of his [or her] individuality and human dignity. Such an individual merges with the mass. His [or her] opinions, being public, tend never to be different; his [or her] aspirations, being known, tend always to be conventionally accepted ones; his [or her] feelings, being openly exhibited, tend to lose their quality of unique personal warmth and become the feelings of every man [or woman]. Such a being, although sentient, is fungible; he [or she] is not an individual.

See: Edward J. Bloustein, “Privacy as an Aspect of Human Dignity: An Answer to Dean Prosser” in Schoeman, Ferdinand, eds. Philosophical Dimensions of Privacy: An Anthology, (Cambridge University Press, 1984 at page 188). See also: Jeffrey H. Reiman, “Privacy, Intimacy and Personhood” in Ibid, at page 305; Helen Nissenbaum, “Privacy as Contextual Integrity” (2004) 79 Wash. L. Rev. 119.
[9] R. v. O’Connor [1995] 4 SCR 411 at para 154.
[10] See Olmstead v. United States, 277 U.S. 438 (1928) (Brandeis J., dissenting).
[11] Warren & Brandeis, “The Right to Privacy” 4 Harv. L. Rev. 193, 194 (1890).

Picture this: you are traveling to an important conference in Ottawa, titled the Revealed “I”. While getting your boarding pass, the airline attendant asks for a piece of government-issued photo ID. You provide it and wait for him to smile and print your boarding card. He doesn’t smile. In fact, he looks concerned, makes a phone call and tells you to step aside. You are prohibited from boarding you flight because, in that moment, you were silently labeled “an immediate threat to civil aviation”. [1]

While this hypothetical will remain an incredulous story for most Canadians, it will realize for some over the course of the next year. [2] If your name, age and gender match that of an individual on Canada’s Specified Persons List, implemented on June 18th, 2007 as part of Transport Canada’s Passenger Protection Program, you might be barred from boarding an aircraft. Regulation [3] responsible for the program requires all airline carriers in Canada to screen passengers over the age of twelve [4] on domestic and international flights against those described on the List. Once a match is made, the airline carrier is obligated to contact the Minister of Transport or his authorized official and have him or her verify the individual’s identity and decide whether or not to permit boarding. If individuals find themselves on the list, they can have their case independently reviewed by applying to Transport Canada’s Office of Reconsideration (OoR). [5] If they remain unsatisfied, they can appeal the OoR decisions to the Federal Court, the Security Intelligence Review Committee, the Commission for Public Complaints against the RCMP or the Canadian Human Rights Commission.

While this program superficially appears to further Canada’s goal of increasing aviation security, many concerns have been raised regarding the impact of the program’s design and implementation on privacy and anonymity in Canada. This ID Trail Mix will briefly survey the main concerns raised by such public interest groups as the BC Civil Liberties Association (BCCLA) and the Council for American Islamic Relations (CAIR-Canada). It will explore: i) the potential inadequacy of the Passenger Protection Program in light of forgery techniques, ii) concerns regarding how the list is compiled, iii) the potential for violations of Canadians’ privacy rights through the sharing of personal information with foreign governments, iv) the possibility for mistaken inclusion on the list and v) the potential that Canada’s no-fly list could lead to the targeting and profiling of racialized groups.

Forged Documents

It remains unclear how the Passenger Protection Program will get around the practical problem of forged documents. With ID cards so easily forged, how does asking for one reduce the threat of on-board terror? Moreover, are terrorists or other threatening individuals likely to fly under their own name? Speaking to this concern in an interview with CBC News, Barry Prentice, Director of the Transport Institute at the University of Manitoba in Winnipeg, commented, “I don’t think it’s going to help one bit. What terrorist is going to travel with their own name and passport? These people are going to steal or create a forged passport and identification if they’re going to do anything, anyway”. [6]

Also pertaining to the program’s efficacy, in 2005, the Privacy Commissioner submitted the following question to Transport Canada: “what studies, if any, has the department carried out to demonstrate that advance passenger information will be useful in identifying high-risk travelers”? Transport Canada provided the following response on their website, “the Passenger Protect program proposes to use a watchlist to prevent specified individuals from boarding flights based on practical global experience and risk assessment rather than specific studies”. According to Allen Kagedan, Chief of Aviation Security Policy for Transport Canada, such lists are increasing air travel safety as, “they do work”. However, when asked by reporters, he could not cite any specific instances of when it worked. “The problem with giving examples” he said, “is that they defeat security and also, ironically, defeat the privacy rights of those individuals”. [7]

How is the list compiled?

Does notification of one’s inclusion on the Specified Persons List also defeat security? It may because the list is not available to the public. [8] People can only find out if they are on the no-fly list once they are prevented from boarding their flight. [9] The wording of the regulation [10] is such that anyone who i) poses a threat to aviation security, ii) could endanger the security of any aircraft or aerodrome, or iii) the safety of the public, passengers or crew members would be placed on the list by the Passenger Protect Advisory Group [11]. This will result in a “dynamic” list, according to Mr. Kagedan, as intelligence agencies must re-assess their “reliable and vetted” security information every 30 days. [12] While it is clear that this would likely include “an individual who has been involved in a terrorist group [or] has been convicted of one or more serious and life-threatening crimes against aviation security”, [13] it is unclear if it would also include such people as Andrew Speaker, the Atlanta lawyer, who was placed on the American no-fly list because he had a rare form of tuberculosis. In the Canadian context, would a communicable disease constitute a threat to aviation security?

Will Canada’s no-fly list be shared with foreign governments?

The extent to which the regulation allows Canada to share information contained on its no-fly list with foreign governments is also unclear. According to the Privacy Impact Assessment (PIA) Executive Summary of the Passenger Protection Program, “law enforcement and intelligence information on Specified Persons received from Canadian, or foreign or multilateral, law enforcement or security intelligence agencies” will be kept and gathered using the Passenger Protection Program. It will be used for the sole purpose of increasing transportation security. [14] Moreover, comments made by Brian Brant, who serves as Director of Security Policy for Transport Canada, during the Air India Inquiry presided over by former Supreme Court Justice Major, indicated that “names of Canadians on the forthcoming federal list could end up in the hands of foreign governments, whether or not Ottawa gives its official consent to sharing the information”. [15] While the list of names will only be initially released to commercial airlines, foreign governments could access the names without the consent of the Canadian government by going to the airlines. The lists could be accessed via the airlines that are based in the foreign country. “Should their national government require that information of them”, Brant testified at the inquiry, “that's up to them to decide what they want to do with that information. We recognize that possibility exists”. [16] As such information sharing, either voluntary or involuntary, between Canada and foreign governments is likely.

It wasn’t me: the possibility for mistaken inclusion on the list

While the new no-fly list may add the kind of excitement to one’s travel plans as experienced by Conservative MP John Williams - who was temporarily grounded because his name appeared on the American no-fly lists - it also means that many innocent people are going to be swept up in the list’s identity net. One need only look at how the American no-fly lists ballooned out of control. At one point, it contained more than 70, 000 names including those of civil libertarians, peace activists and most notably Senator Ted Kennedy. [17]

Although individuals who have been wrongfully identified on the Canadian list retain the right to reconsideration through the OoR process (see above), Canada’s Privacy Commissioner, Jennifer Stoddart, warned that the list could become “a nightmare for ordinary Canadians”. [18]

On the bright side of things, one retains a statistically smaller chance of being on Canada’s no-fly list than on America’s. This is because fewer than 1,000 names are thought to be on Transport Canada’s Specified Persons list at the moment. [19] Advocates for CAIR-Canada, however, argue that this statistical good news will disproportionately apply to non-racialized groups. CAIR-Canada fears that Canada’s no-fly list has the potential to lead to the targeting and profiling of Muslims and Arabs in Canada.

The chill sets in: fears of racial profiling

People within Canadian Muslim and Arab communities already report that they disproportionately experience the effects of social and technological changes aimed at ensuring “national security”. In Faisal Babha’s article, “The Chill Sets In: National Security and the Decline of Equality Rights in Canada”, he writes that in a post-9/11 era “ensuring ‘national security’ has become a euphemism for ethnic and religious profiling, and that the Anti-Terrorism Act (ATA) has become a guise for the systematic targeting and demonization of Muslims and Arabs”. [20] While hard data indicating that Muslims are being systematically profiled by government agencies is challenging to acquire, [21] it is clear that “Muslims and Arabs in Canada have been thrust involuntarily into the spotlight of the national consciousness”. [22] The effects of the no-fly list are likely to intensify that light as “Muslims are already subject to increased scrutiny at airports” [23] and “among Muslims, there’s a great similarity in names and it’s very easy for names to be the same or similar”. [24] While this will practically translate into Muslims and Arabs being disproportionately mistaken for those on the list, it might also have the corollary effect of generally increasing the sense of insecurity and incidents of discrimination experienced by these populations. [25] As Faisal Babha wrote, “profiling is a simplistic response to a complex problem; it involves highlighting a specific characteristic about a person, unrelated to that person’s actual deeds, and extrapolating to reach a presumptive conclusion about the person’s intentions and probable conduct”. [26]

While fears of racial profiling are being voiced in relation to racialzed members of society, Jennifer Stoddart phrased the same concern of the use of one’s identity more generally. As she sees it, the problem is that the list exemplifies “the increasingly intrusive use of your identity in order to make decisions about you as an individual, [decisions] that are pretty drastic… Every time we go to the airport, are we going to expect to be challenged?” [27]

[1] A threat to aviation security is explained in the section 4.72(2)b of the Aeronautics Act, as threat to “any aircraft or aerodrome or other aviation facility, or to the safety of the public, passengers or crew members”.
[2] According to section 4.72(3)(b)(i) of the Aeronautics Act, the Act that provides the Minister of Transportation with the statutory authority to create the new Passenger Protection Program as a “security measure”, the Minister must repeal the security measure before the day that is one year after the notice of the measure was published. Notice of the Identity Screening Regulation was published on April 26th, 2007.
[3] Section 3.2 of the Identity Screening Regulation outlines the screening protocol that airline carriers must follow. They are required to obtain either one piece of valid government-issued photo ID or two pieces of valid government-issued ID prior to boarding. The Identity Screening Regulation was created by the Department of Transport Infrastructure and Communities on April 26th, 2007, is under the statutory authority of the sections 4.71 and 4.9 Aeronautics Act which gives the governor in council the statutory authority to make regulation with respect to aviation security. The Public Safety Act, 2002, which received Royal Assent on May 6, 2004, made these changes to the Aeronautics Act as part of Canada's National Security Policy. The Identity Screening Regulation was registered by the Department of Transport Infrastructure and Communities in order to create the Passenger Protection Program.
[4] An exception to the identification requirement is currently being granted to children between the ages of 12 and 17. They only need to present one piece of government-issued ID until the mid-September.
[5] Transport Canada, Office of Reconsideration, available online: http://www.tc.gc.ca/reconsideration/menu.htm. [6] Barry Prentice, in an interview with CBC News reporters on Monday, June 18th, 2007. [CBC News, (Monday, June 18, 2007) Critics alarmed by Canada's no-fly list, online: http://www.cbc.ca/canada/story/2007/06/18/no-fly-list.html]
[7] Allen Kagedan in an interview with CBC reporters on Monday, June 18th, 2007. [CBC News, (Monday, June 18, 2007) Critics alarmed by Canada's no-fly list, online: http://www.cbc.ca/canada/story/2007/06/18/no-fly-list.html].
[8] During the question period on Monday, June 18th, 2007, Liberal MP Joseph Volpe demanded that the government release the names of those on the no-fly list. Meanwhile, NDP MP Joe Comartin proposed that while the government should not get ride of the list, it should at least set up an ombudsman to handle cases where innocent people find themselves on the list. [CBC News, (Monday, June 18, 2007) Critics alarmed by Canada's no-fly list, online: http://www.cbc.ca/canada/story/2007/06/18/no-fly-list.html]
[9] CBC News, (Monday, June 18, 2007) Critics alarmed by Canada's no-fly list, online: http://www.cbc.ca/canada/story/2007/06/18/no-fly-list.html.
[10] Section 50.(4)(b) of the Canadian Aviation Security Regulation of the Aeronautics Act.
[11] The advisory group, led by Transport Canada, is comprised of a senior officer from the Canadian Security Intelligence Service (CSIS), a senior officer of the Royal Canadian Mounted Police (RCMP) and a Transport Canada representative. Once on the list, membership is reevaluated every 30 days. [Transport Canada, (June 8th, 2007) Passenger Protects: Privacy Impact Assessment (PIA) Executive Summary, available online: < http://www.tc.gc.ca/vigilance/sep/passenger_protect/executive_summary.htm >]
[12] Allen Kagedan told CBC reporters on Monday, June 18th, 2007 from CBC News, (Monday, June 18, 2007) Critics alarmed by Canada's no-fly list, online: http://www.cbc.ca/canada/story/2007/06/18/no-fly-list.html.
[13] Cited by Transport Canada as possible instances where a person would be placed on the list in the article by CBC News, titled Critics alarmed by Canada's no-fly list.[CBC News, (Monday, June 18, 2007) Critics alarmed by Canada's no-fly list, online: http://www.cbc.ca/canada/story/2007/06/18/no-fly-list.html]
[14] Transport Canada, (June 8th, 2007) Privacy Impact Assessment (PIA) Executive Summary, available online: < http://www.tc.gc.ca/vigilance/sep/passenger_protect/executive_summary.htm>.
[15] CBC News, (June 5th, 2007) No-fly list could end up in foreign hands, Air India probe is told, available online: http://www.cbc.ca/cp/national/070605/n0605112A.html.
[16] CBC News, (June 5th, 2007) No-fly list could end up in foreign hands, Air India probe is told, available online: http://www.cbc.ca/cp/national/070605/n0605112A.html.
[17] CBC News, (June 5th, 2007) No-fly list could end up in foreign hands, Air India probe is told, available online: < http://www.cbc.ca/cp/national/070605/n0605112A.html >.
[18] CBC News, (June 13th, 2007) Privacy commissioner ordered to testify at Air India inquiry, available online: http://www.cbc.ca/canada/british-columbia/story/2007/06/13/airindia.html; Barry Prentice, Director of the Transport Institution at the University of Manitoba Winnipeg, told CBC reporters that some travelers are going to be wrongly identified as security risks under the Passenger Protection Program. [CBC News, (Monday, June 18, 2007) Critics alarmed by Canada's no-fly list, online: http://www.cbc.ca/canada/story/2007/06/18/no-fly-list.html]
[19] CBC News, (Monday, June 18, 2007) Critics alarmed by Canada's no-fly list, online: http://www.cbc.ca/canada/story/2007/06/18/no-fly-list.html.
[20] Faisal Babha, (2005) The Chill Sets In: National Security and the Decline of Equality Rights in Canada, 54 U.N.B.L.J. 191 at 192.
[21] A report by the International Civil Liberties Monitoring Group, In the Shadows of the Law: A report by the International Civil Liberties Monitoring Group (ICLMG)in response to Justice Canada’s 1st annual report on the application of the Anti-Terrorism Act (Bill C-36) (14th May, 2003); online: Development and Peace www.devp.org/pdf/shadow.pdf, argues that the ATA’s reporting process is too narrow in scope. Consequently, it does not accurately indicate and reflect the ATA’s effect on Muslims and Arabs, as well as other aboriginal rights and anti-globalization activists.
[22] Faisal Babha, (2005) The Chill Sets In: National Security and the Decline of Equality Rights in Canada, 54 U.N.B.L.J. 191 at 195.
[23] CBC News, (Monday, June 18, 2007) Critics alarmed by Canada's no-fly list, online: http://www.cbc.ca/canada/story/2007/06/18/no-fly-list.html.
[24] Larry Shaben, former Alberta MLA and current president of the Edmonton Council for Muslim Communities, cited in CBC News, (Monday, June 18, 2007) Critics alarmed by Canada's no-fly list, online: http://www.cbc.ca/canada/story/2007/06/18/no-fly-list.html.
[25] Canadian Arab Foundation, Arabs in Canada: Proudly Canadian and Marginalized, (Toronto: Canadian Arab Federation, 2002).
[26] Faisal Babha, (2005) The Chill Sets In: National Security and the Decline of Equality Rights in Canada, 54 U.N.B.L.J. 191 at 197.
[27] Don Butler, (June 8th, 2007) “No-fly list curbs privacy rights: commissioner ‘Quite a nightmare’ ahead for some; Stoddart urges updated privacy act”, The Ottawa Citizen.

Every now and again I Google my own name. If you’ve never Googled your own name, try it. It’s a strange way to spend fifteen minutes—there’s not much to be found, in my case—but every time I do it something different pops up in the search results. Sometimes I check to see if a new piece of information associated with me has trumped the usual results, other times, and for reasons still not clear to myself, I simply want to make sure that my stuff is on the first page of hits.

I know there are other individuals out there who share my first and last names. I met one once. Recently, while undergoing a security check for some work I was doing, it wasn’t until I provided my fingerprints and middle name that I was eventually cleared. I can only surmise the existence of another Jason X Millar (maybe the one I once met) who is less trustworthy than myself according to those who know and care.

One thing I have noticed, I’ve been Googling my name for years, is that there are more and more pieces of information associated with various Jason Millars popping up in the results. Many of those pieces of information are associated with me. But there are other individuals named Jason Millar out there—artists, soccer players and a host of other random individuals with random interests and opinions have posted information about themselves. I can only imagine that anyone interested in compiling all of the stuff exclusively associated with me would have some fancy guesswork to perform in the filtering. This is because it isn’t at all clear which of the information belongs to a single Jason Millar.

The same problem occurs when trying to piece together random information collected about random individuals. When trying to aggregate it under a name, complications arise due to the problems associated with authenticating the data.

This assumes, of course, that someone would be interested in stitching together what are ostensibly disparate chunks of information into an aggregated whole that would describe various aspects of a single individual’s life in a more holistic manner. To be sure, one could imagine data mining projects that involve this type of aggregation, such as the kind that could be used for psychological profiling. But for a great many applications—perhaps profiling for marketing purposes—the kind of complete data mining that would involve stitching together information under the heading of a name, might not be as important as it first seems.

Stitching a person’s information together based on first and last names is complicated. Authentication can be a tricky business where privacy laws are in effect, and the fact that there are so many “Jason Millar”s in the search results makes one wonder how useful names really are to those who know and care to authenticate information as mine.

In fact the more I do these searches the more I’m convinced that, in the information age, traditional identifiers that tend to make us want to associate complete sets of information with a “me”, or “her”, or any “particular individual” in the first place, are becoming obsolete. The type of association that seeks an identifiable individual at the focal point of the relevant information may soon be replaced by newer means of association and identification, which will allow individuals to aggregate information about other individuals through the various proxies indirectly associated with them.

I can only imagine that my name, address, phone number and other personal information traditionally used as a starting point when aggregating information about me will cease to be of primary relevance to the vast majority of individuals interested in accessing me for, say, marketing purposes. In their places, sets of numbers uniquely associated with the things I wear and carry with me on a daily basis will provide a highly reliable, and oddly descriptive, means for identifying {me}.

Here’s why this is plausible…

Consider the fact that in the near future every item that rolls off of an assembly line will have an Electronic Product Code (EPC) associated with it, and often embedded in it. Simply put, an EPC is a unique number, or identifier, for every product; every shoe, can of pop, bag and watch will have one—Wal-Mart says so. EPCs will be readable by any compatible reader operated by anybody who owns it (or them), and they will be very cheap. Now consider the fact that every communication device already has a unique identifier associated with it; every cell phone, Wi-Fi device, laptop, Bluetooth device, PSP and Nintendo DS has some hardware identifier associated with it per the relevant communication protocol—international telecommunication standards say so. Our future includes visions of wirelessly (ad-hoc) networked municipalities in which individuals are perpetually connected by means of their portable communications devices.

Any one of those numbers can function as a proxy in identifying an individual, even though only one number would be relatively unreliable if the task were ensuring that the same individual is carrying it at any given time. But with these two pieces in place it is easy to imagine networks of EPC readers constantly logging the information associated with the products I carry, and computer networks constantly logging the presence of communications that my wireless devices are constantly transmitting by virtue of their perpetual connectedness.

Let’s focus on EPCs for a moment, and imagine that consumer profiling is the application of the day (though it could easily be employee profiling). Every day I get dressed and leave the house carrying various products with me. Every set of numbers that is read at a given time will represent the set of EPCs I am carrying. On any given day that set will be different, owing to various possible combinations that I might possess at the time. However, over time the complete set can be built up by whatever network is logging the EPCs given that EPCs will begin to associate themselves with one another in the database. For example, my shoes will form a common link between many of the shirts and pants I wear, such that my EPCs will allow complex inventories to be built about my possessions. After a given time, by reading a subset of EPCs, a relatively unintelligent system could be extremely confident which complete set of EPCs it was dealing with, meaning that any future subset that is read and associated by relatively few common EPCs could be deemed part of the same larger set. Of course, every reader is associated with a location, such that a smart network of readers would be able to track the movement of the EPCs through space.

If you add the known locations of wireless ad-hoc network routers into the mix, sets of EPCs moving through space can be associated with particular communications devices. This means that information flowing to and from those devices on privately owned networks could be associated with the sets of EPCs. Anonymous blog postings, emails etc. could all potentially be associated with the set of EPCs and wireless devices.

Anyone interested in understanding a set’s purchasing patterns, its certain eating habits, daily movements, etc. need not know anything about credit card transactions, names, phone numbers, addresses or any of the other traditional pieces of personal information deemed sensitive. In fact, the particular individual at the locus of the set of numbers simply disappears, replaced by the things that matter most to marketers: information about an inventory of products and a means of communicating with whoever is associated with them. Access to whatever is at the locus of buying power, or at the locus of influencing buying power, is all that counts in profiling for marketing.

Speculating about the kinds of information that can be gleaned about the sets in this kind of environment could run pages. The point I want to make is that there will be the ability to identify clouds of numbers that self-associate through the indirect association they have with the individuals carrying them. The other point is that aggregating the associated sets does not involve directly identifying the individuals carrying the items.

I am not a lawyer, but I have heard a lot of mention of emanations lately (search the ID Trail blog for “Tessling”). Given the sketch provided here the questions I would raise are these:

a) Are the emanations coming from an individual’s possessions personal information or not, especially where identifying the individual in the traditional sense becomes unnecessary?
b) Does an individual have a reasonable expectation of privacy with respect to these kinds of data?

Kathy Sierra used to run her own blog, one that had attained No. 11 on the Technorati.com Top 100 list of blogs (as measured by the number of blogs that linked to her site). These days, however, when one logs on to Kathy Sierra’s blog Creating Passionate Users one is presented with a post from April 6, 2007 where she writes:

Sierra first went public in March 2007 about threats she had received on her own and other sites that included: photos of her with a noose around her neck; photos of her with a muzzle over her mouth apparently smothering her; and violent and sexual messages that included her home address. She cancelled public appearances and has ceased blogging (at least for the time being).

Nor is this issue confined to the so-called blogosphere, as the recent controversy around AutoAdmit shows. (Anonymous) posters on AutoAdmit, which bills itself as “the most prestigious college discussion board in the world”, and an allegedly related web-based contest rating the “Most Appealing Women at Top Law Schools” featured photographs, personally identifiable information, sexually explicit and derogatory comments on a number of womyn. Some of these womyn spoke to Ellen Nakashima of the Washington Post about the situation, alleging that the postings were not only personally but also professionally damaging.

As these incidents have garnered more attention, debates have primarily focused on the question of censorship versus free speech, with such attacks glossed over as an unfortunate side effect of (important) anonymous internet participation but ultimately unrepresentative of the majority of Internet readers/speakers. Where the issue of gender is put in the forefront, discussions have tended towards what Joan Walsh, writing at Salon.com, characterized as “…telling them to stop wearing such provocative outfits online, lest they get that they deserve.” Dahlia Lithwick, at Slate.com, suggests that discussions about the issue have too often been framed in terms of “are women tough enough?” or “are women playing victim.” Such approaches have the unfortunate effect of seeming to focus on gender, without ever truly examining the underlying equality implications of such actions.

Lithwick claims, in her article Fear of Blogging: why women shouldn’t apologize for being afraid of threats on the Web that “…the Internet has blurred the distinction between a new mom’s whimsical blog about the new baby and Malkin or Ann Althouse blogging about politics. The intent of these writers is totally different, but on the Internet, that difference evaporates.” Although Lithwick is arguing that not all womyn bloggers are public figures, in doing so she seems to accept that at least some bloggers are public in such a way that such attention(s) may not be entirely unexpected. In a similar vein, the operators of AutoAdmit commented in the Nakashima article in the Washington Post that “…some of the women who complain of being ridiculed on AutoAdmit invite attention by, for example, posting their photographs on other social networking sites, such as Facebook or MySpace.” In fact, it seems that the mere presence of a womyn in online spaces may be enough to attract unwanted attention -- a University of Maryland study of IRC chatrooms in 2006 found that female usernames received 25 times more threatening and sexually explicit messages than did those with male or ambiguously-gendered usernames – an average of 163 messages a day.

Existing remedies to these problems seem either non-existent or ineffective. A panel discussion , convened at Harvard University to discuss the issue of Internet Speech, focused extensively on the AutoAdmit issue. Much of the discussion revolved around what, if any, remedies might be available to the affected womyn and against whom they could be exerted. Various panelists suggested that the students might seek redress via: suits against the ISP and/or the website operators, from the individual posters themselves, from the individual universities under a claim that the posts constituted sexual harassment and the Universities had obligations under Title IX to take action against it, and through the medium of defamation or privacy torts.

The womyn affected have taken various forms of action already. Kathy Sierra reported her harassment to the police as well as going public about it online. Some of the womyn in the AutoAdmit conflict have hired Reputation Defender to try to address the issue. Joan Walsh admits that pervasive misogyny on the Web has impacted her own voice, but still concludes that “[a]nd yet, mostly, women on the Web just have to ignore it. If you show it bothers you, you’ve given them pleasure.” A 2005 Pew Internet & American Life Project report suggests that other womyn have internalized this lesson and are simply avoiding participation – the report, entitled How Women and Men Use the Internet, shows that participation in chat and discussion groups dropped by 11% between 2000 and 2005 due to womyn choosing not to participate.

I am concerned about these remedies, concerned that womyn’s options seem to be to fight an isolated and individual battle, to just “deal with it” or to walk away, silenced. I am concerned that the remedies offered all seem to be focused on individual situations and harm. By focusing on individuals and individual remedies, we may lose sight of the larger issue.

Dahlia Lithwick’s article examined the differences between offline and online communication and argued that there are quantitative differences at work when it comes to these kinds of attacks and threats. She concludes:

With all respect to Ms. Lithwick, gender differences may only be the beginning of the discussions, but they are a beginning that has neither been fully explored nor fully weighted in these debates. Gendered, sexualized threats are inherently serious, not only because of the violence or danger of it, but because of their impact on equality.

Another Washington Post article from April 2007 suggests that:

The problem with looking at this issue through individual lenses is that while individual redress (of some limited kind and in some limited cases) may be available, in doing so we leave in place the existing norms that created the situation in the first place. When womyn are being singled out more and being subjected to greater and more sexualized violent harassment, we must continue to explore this issue. Not, as so many writers have done of late, to ask “how should womyn respond” but rather to question “where does this come from and what are its overarching effects?” In examining this issue, we become aware that the online environment has become a new, broader environment for these things to emerge, be expressed, proliferate and to some degree become accepted.

I must confess – I have no answers. Many issues come up in this discussion – free speech, fear of censorship, the importance of anonymity, and the problem of whether we can or should regulate the Internet. As we seek to weigh all the issues and arrive at some understanding – ideally some solution – it is imperative that we not forget to add to the mix and weight appropriately our social commitment(s) to equality and the recognition of the communal benefits of equality. Any solution that is arrived at without taking this into account will hinder the transformative potential of these new spaces just as the current gendered, sexualized violence and harassment is now doing.

Biometrics regularly are described as technologies able to provide both "mechanical objectivity" [1] and race-neutrality. The suggestion is that biometrics can automate identity inspection and verification and that these technologies are able to replace the subjective eye of the inspector with the neutral eye of the scanner. In this way, biometric technologies are represented as able to circumvent racism: they are held up as bias-free technologies that will objectively and equally scan everyone's bodily identity. Frances Zelazny, the director of corporate communications for Visionics (a leading US manufacturer of biometrics systems) asserted that the corporation's newly patented iris scanning technology "is neutral to race and color, as it is based on facial features recognized by the software" (2002). In an online discussion on the use of iris scanners at the US-Canada border, one discussant claimed he would prefer "race-neutral" biometric technologies to racist customs border officials:

Biometrics are central to the attempt to make suspect bodies newly visible. This is a complicated task, and one that is regularly tied to problematic assumptions around race, class and gender identity. It is not surprising therefore, that when biometric technologies are enlisted in this task they fail easily and often. What is most interesting about biometric malfunctions are the specific ways that they fail to work. Thus, as biometrics are deployed to make othered bodies visible, they regularly break down at the location of the intersection of the body's class, race, gender and dis/abled identity. In this way, biometrics fail precisely at the task that they have been set.

As biometric technologies are developed in a climate of increased anxiety concerning suspect bodies - stereotypes around "inscrutable" racialized bodies are technologized. For example, biometrics technologies significantly are unable to distinguish the individual bodies of people of colour. Research on the use of biometric fingerprint scanners has regularly found that it is difficult to fingerprint "Asian women . . . .[as they] had skin so fine it couldn't reliably be used to record or verify a fingerprint" (Sturgeon, 2004). Arguably, stereotypes concerning the inscrutability of orientalized bodies thus are codified in the biometric iris scanner.

These biometric failures result in part from the technological reliance on outdated and erroneous assumptions that race is biological. These assumptions partially can be noted from the titles of the studies that describe the biometric identification technologies. For example, one paper is titled "Facial Pose Estimation Based on the Mongolian Race's Feature Characteristic" (Li et al., 2004). Others titles include "Towards Race-Related Face Identification" (Yin et al, 2004) and "A Real Time Race Classification System" (Ou et al, 2005).

This image is taken from A Real Time Race Classification System. Its caption in the original article reads: Two detected faces and the associated race estimates.

The suggestion that race is a stable biological entity that reliably yields common measurable characteristics is deeply problematic. Such conclusions are repeated in a number of articles that claim to classify "faces on the basis of high-level attributes, such as sex, 'race' and expression " (Lyons et al, 2000). Although the quotes around the word "race" would suggest that the authors acknowledge that race is not biological, they still proceed to train their computers to identify both gender and race as if it were so. This task is accomplished by scanning a facial image and then identifying the gender and race identity of the image, until the computer is claimed to be programmed to classify the faces itself. Unsurprisingly, error rates remain high. Neither gender nor race are stable categories that consistently may be identified by the human eye, let alone by computer imaging processes.

The assumptions concerning the dependence of biometric performance on racial and ethnic identity can also be noted in the locational differences in hypotheses around race and biometrics that are specific to each site of the study. In the US, biometric technologies have failed to distinguish "Asian" bodies. In the UK, biometric technologies have difficulty distinguishing "Black" bodies. In Japan, one study posited that it would be most difficult for biometrics to identify "non-Japanese" faces (Tanaka et al, 2004).

Nor do the failures of biometrics end with the errors that result from the codification of a biological understanding of race. Biometric technologies consistently are unable to identify those who deviate from the norm of young, able-bodied persons. In general, studies have shown that "one size fits all" biometric technologies do not work. For example, biometric facial recognition technology works poorly with elderly persons and failed more than half the time in identifying those who were disabled (Black Eye for ID Cards, 2005; Woolf et al, 2005). Other studies on biometric iris scanners have shown that the technologies are particularly bad at identifying those with visual impairments and those who are wheelchair users (Gomm, 2005).

Class is also a factor that affects the functioning of biometric technologies. Those persons with occupations within the categories "clerical, manual, [and] maintenance" are found to be difficult to biometrically fingerprint (UK Biometrics Working Group, 2001). Biometric iris scanners failed to work with very tall persons (Gomm, 2005) and biometric fingerprint scanners couldn't identify 20% of those who have non-normative fingers: "One out of five people failed the fingerprint test because the scanner was 'too small to scan a sufficient area of fingerprint from participants with large fingers'" (Black Eye for ID Cards, 2005). Many kinds of bodily breakdown give rise to biometric failure. "Worn down or sticky fingertips for fingerprints, medicine intake in iris identification (atropine), hoarseness in voice recognition, or a broken arm for signature" all gave rise to temporary biometric failures while "[w]ell-known permanent failures are, for example, cataracts, which makes retina identification impossible or [as we saw] rare skin diseases, which permanently destroy a fingerprint" (Bioidentification, 2007).

In addition to having technologized problematic notions around the comprehensibility of difference, biometrics are discursively deployed in ways that continued to target the specific demographics of suspect bodies. For example, biometric facial recognition technology requires Muslim women to completely remove their veils in order to receive new forms of id cards while older forms of identification such as the photos on driver's licenses only required their partial removal. In this way, biometric technologies are literally deployed to further the invasion by the state of the bodily privacy of Muslim women – an application that surely is not "race-neutral."

The examples cited above demonstrate that the objectivity and race-neutrality of biometrics needs to be called into question.

[1] I take this phrase from Daston and Galison (1992).

References

This post is an attempt to collect and organize some thoughts on how the rise of so-called Web 2.0 technologies bear on privacy and surveillance studies. After presenting a few examples of unintended consequences of Web 2.0 that bear on privacy and surveillance, I will introduce the term “netaveillance,” which might provide a useful concept around which a more robust theory of surveillance about the Web 2.0 phenomena might be built.

The rhetoric surrounding the Web 2.0 movement presents certain cultural claims about media, identity, and technology. It suggests that everyone can and should use new Internet technologies to organize and share information, to interact within communities, and to express oneself. It promises to empower creativity, to democratize media production, and to celebrate the individual while also relishing the power of collaboration and social networks. Websites such as Flickr, Wikipedia, del.icio.us, MySpace, and YouTube are all part of this apparent second-generation Internet phenomenon, which has spurred a variety of new services and communities – and venture capitalist dollars.

This cartoon of a room full of people arguing at a cocktail party after someone mentioned the provocative theories of Marshall McLuhan reminds me of today’s emotional debates over the relative impact – and even the very existence – of Web 2.0. Many hail Web 2.0 as the “new wisdom of the web,” and “a new cultural force based on mass collaboration,” while others deride it as merely a marketing jingo, “amoral,” and even an extension of Marxist ideology.

This last notion, the relationship between Web 2.0 and Marxism, was suggested by Andrew Keen, one of the loudest provocateurs of the Web 2.0 ideology. Keen has received considerable criticism for making comparisons between the Web 2.0 meme and Marxism, but, between the vitriol, he does make some valid points about the utopianism and solipsism that seems to underlie much of the Web 2.0 discourse. In particular, he criticizes the fervent commitment to technological progress:

This moral obligation to question the development of technology compels Keen to identify some of the unintended consequences of the emergence of Web 2.0 infrastructures, including the flattening of culture, the overabundance of amateur authors and producers, and narcissism run wild.

As I begin to study the Web 2.0 meme from the perspective of privacy and surveillance theory, a different set of unintended consequences emerges, including shifts in the flow of personal information that might threaten personal privacy in ways much more damaging than Keen’s concern that content is now made and distributed by mere amateurs instead of honed professionals.

For example, Web 2.0 applications often rely on rich metadata to create value in information, such as the geotagging of images uploaded to Flickr. While it might be useful and fun to have locational data automatically associated with your images, considerable privacy concerns emerge as an externality. For instance, law enforcement officials can simply search for all photos online matching the location & timing of a certain political rally in order to broaden their ability to keep records of who was present. Or, combined with the development of facial recognition technologies with shared online photos, stalkers (or other annoying folks) might soon be able to search for a certain person’s face, and discover the GPS coordinates of the coffee shop they seem to be pictured in every Tuesday morning. Someone even developed a tool, FlickerInspector, to facilitate this kind of mining of the datastreams users leave behind on Flickr.

Of course, one doesn’t need a fancy application like FlickerInspector to reap the benefits of the new datastreams facilitated by Web 2.0 applications. Inherent in Web 2.0 evangelism is an overall faith in the network to be the processing platform: users are encouraged to put as much of their lives as possible online, to divulge and share their personal lives, their professional development, their favorite websites, their music, their friendships, their appointments, and even where they’ve connected to wi-fi. If you know a person’s “handle” on one Web 2.0 site (“michaelzimmer” at del.icio.us), you probably can find them on many more (Plazes, LibraryThing).

The prevalence of sharing so many details of one’s life through various Web 2.0 and social networking sites, and the relative ease of finding users across these services, leads to a second key externality: the rise of amateur data-mining. Fueled by the power and reach of Web search engines, it seems anyone can now engage in the kind of tracking and data-mining of user’s online activities that was once possibly only by the most powerful of computer systems.

An interesting case of amateur data mining made possible through Web 2.0 involves “Don, the camera thief.” The blog BoingBoing posted a story of a woman who lost her camera while on vacation, but was contacted by the family who happened to find it. Unfortunately – and oddly – the family who found it refused to return the camera because their child liked it so much. BoingBoing thought the actions by the finders of the camera were “shameful.” A few days after posting this, BoingBoing received an e-mail from someone who claimed his name was “Don Deveny,” purportedly a Canadian lawyer, who implied that the post was illegal and that BoingBoing was liable for making it. The folks at BoingBoing doubted the legitimacy of the email (the word “lawyer” was misspelled, for example), and decided to see what he could find out about “Don.”

They first contacted many of the law societies in Canada, none of whom had any record of a “Don Deveny” licensed to practice law in Canada. (by the way, it is illegal to pretend to be a lawyer). From their e-mail exchange, they were able to isolate the writer’s real e-mail address from the message headers, and through a Google search, located other pages that contain that address. That led them to a profile page for a user of the website called “Canada Kick A**” who shared the very same e-mail address. That profile page had a different person’s name (perhaps “Don’s” real name?), and also listed a location and profession for the user (he’s not a lawyer). It didn’t take much to figure out (or at least get a better clue) as to who this e-mailer was, and his profile page on a Web 2.0-inspired discussion board made it much easier.

Readers of BoingBoing did some amateur data mining of their own: a commenter at the original camera owner’s blog seemed to share many of the same sentiments of “Don,” along with many of the same spelling errors. This commenter used a different screen name, but when asked to identify himself, also said he was a lawyer. Another reader then discovered that a user with that same screen name recently bid on memory cards at eBay that would have been used in the stolen camera. More amateur data mining ensued, and discovered another user profile at a different discussion forum with the same user name and same “favorite sites” listed in the signature file. And this page included a photo of the user: Is this “Don” our camera thief?

Another example of the ease of amateur data mining with the help of Web 2.0 services is the outing of Lonelygirl15. Lonelygirl15 was the mysterious girl leaving video confessions on YouTube, garnering a huge following of devoted fans, yet know one knew who she was or if they were really just a kid’s video diary or perhaps a large hoax or advertising campaign. After some amateur data mining, the truth came out:
A reader was surfing an article on Lonelygirl15 at a random website when he came across a comment that linked to a private MySpace page that was allegedly that of the actress who plays Lonelygirl15. Since the profile was set to “private,” very little information one could glean from the page. However, when he queried Google for that particular MySpace user name, “jeessss426,” he was able to access Google’s cache from the page a few months ago when it was still public. A lot of the details of the girl’s background quickly emerged: She was an actress from a small city in New Zealand who had moved to Burbank recently to act. The name on the profile was “Jessica Rose.” When he happened to query Google image search for “Jessica Rose New Zealand” he was instantly rewarded with two cached thumbnail photos of Lonelygirl15, a.k.a. Jessica Rose, from a New Zealand talent agency that had since removed the full size versions. A search on Yahoo for “jeessss426” also turned up various pictures from her (probably forgotten) ImageShack photo sharing account. Lonelygirl15 was revealed.

Little effort was needed to link up the various e-mails, user names, personal data flows, and photos shared across blogs, discussion forums and other Web 2.0-style sites to track down “Don the camera thief” or “LoneyGirl15”. Moving more and more of our activities to Web 2.0 makes it harder to remain anonymous, and the myth of “security through obscurity” seems to be disappearing as various crumbs of our true identity are being scattered across the Web 2.0 landscape.

A final externality of Web 2.0 relates to a new form of informational voyeurism that these platforms enable. While Web 2.0 sites have enjoyed incredible growth and heavy viral participation, only a small fraction of overall users actually use the services to upload content – the vast majority just likes to lurk and watch. According to one report, only 0.16 percent of YouTube’s total traffic is made up of users who upload videos. Similarly, only 0.2 percent of Flickr’s regular users are there to upload photos. And slick new tools emerge daily to facilitate the surveillance and voyeurism of people’s daily activities. For example, “feeds” on Facebook allow users to be notified immediately when a friend updates their profile (changing their mood, their friend list, their relationship status, etc), dodgeball helps users find friends (and unknown friends of friends) within a 10 block radius of their present location, DiggSpy allows real-time monitoring of user’s activities on the popular news ranking site Digg, and Twitter has quickly emerged as the hottest new voyeuristic service, allowing users to share text snippets of their day-to-day activities, and monitor others’ streams of the mundane details of their lives (such as “a whole gang of women with dogs just walked past my window”).

What seems to be emerging is a new form of voyeuristic surveillance of people’s everyday lives, fueled by Web 2.0. This has been referred to varyingly as “peer-to-peer surveillance” or even as a new kind of “participatory panopticon.” Yet these terms – and the theories embedded within them – seem insufficient to fully grasp the significance of the emergence of this new voyeurism of the mundane. Surveillance, of course, implies the “watching over” of subjects from above, with an explicit power relationship between the watchers and those placed under its gaze. Trying to describe surveillance as “peer-to-peer” suggests a flattening of the power relationship that is counter to its very definition. Similarly, the notion of a “participatory panopticon” is at the same time redundant and contradictory. Foucault revealed how panoptic power becomes internalized by the subjects, thus, they necessarily “participate” in their own subjugation. Yet the top-down power relationship within the panoptic structure remains. The participation by the subjects does not make them equal with the watchers. Yet the informational voyeurism associated with Web 2.0 seems to imply a balance between the users: one shares their data streams in order to improve the overall worth of the network, coupled with the presumption that they’ll be able to observe and leverage others’ streams as well.

This notion resembles that of “equiveillance,” a state of equilibrium between the top-down power of surveillance, and the resistant bottom-up watching of sousveillance. Yet, this notion implies merely a balance in access to surveillance information, and is focused more on how to reach some kind of harmonious relationship with our rising surveillance society. With the informational voyeurism of Web 2.0, however, the goal isn’t to resist or come to terms with the power yielded by traditional surveillance, but rather to participate in a widespread and open sharing of the mundane details of one’s daily life. To give one’s peers a glimpse into one’s own personal universe. These snapshots of the minutia of people’s lives have been compared to the Japanese concept of “neta”, the tidbits of people’s lives that are shared with family and friends as a kind of social currency. The Japan Media Review (an affiliate of Annenberg’s Online Journalism Review) recently made an insightful connection between “neta” and Web 2.0 voyeurism:

Building on this Japanese concept of “neta,” I propose a new kind of “veillance” has emerged with Web 2.0 infrastructures: “netaveillance”. Netaveillance can be defined as the process of openly and purposefully providing an almost continual stream of the details of one’s daily life – the mundane, the profane, and the vain – through Web-based technologies, coupled with the ability to capture similar data streams from one’s peers. Netaveillance constitutes an emerging ecosystem of personal data flows – not the exceptional information meant to be protected from state or commercial surveillance, but the free and open sharing of the minutiae of our lives.

My conceptualization of netaveillance is, to be sure, in its most nascent of stages. Much work needs to be done to contemplate how it relates to existing theories of privacy and surveillance, how power relations between and among participants might still exist, how such data flows could be captured by state or commercial interests, and so on. Theorizing and understanding netaveillance is no small task, but it might provide a new language and framework from which to understand the informational voyeurism and related unintended consequences of the Web 2.0 phenomenon.

Whether you want to bring it up at a cocktail party is up to you.

A few weeks ago I watched the 1950 movie “All About Eve.” It is a classic I am told, nominated for 14 academy awards and winner of the award for best picture. Mind you, in an age that emphasizes the role of experts, I do not claim to be a film critic, novice or otherwise, so I’ll leave it at that. I can say that I found the performances in the film to be compelling, something confirmed both by the DVD extras and a cursory web search which suggest this to be, in specific, Bettie Davis’ best performance. The film has its interesting plot twists and turns, clearly a film set against the backdrop of a bygone era, but with several themes that pervade into our lives today, namely the intricacies of social relationships, how much others know about us, and the potential for this knowledge to turn into manipulation.

In the film, the character “Eve” (whom we are to learn all about) sets out seemingly innocently to bathe in the glow of Davis’ character, the actress Margo Channing, but ultimately subverts this glow into her own personal limelight. The film begins at the end, as it were, with Eve Harrington receiving an award for an exceptional performance in a role we soon learn was taken from Channing. In the midst of this ceremony, a narrative voiceover mentions Eve directly:

Plenty, apparently, and the next hour and a half is a journey into the history of intricate relations between Eve, Margo and their group of friends. Despite the new found knowledge of Eve’s character in these relational histories, there is something to be said about Eve playing a part, following a scripted role. If in fact we had been able to read the accounts of her life mentioned in the voiceover, to see the profiles and her coverage in the media, we would know something about who she was and what she was like that the revelations of the remainder of the movie, however stark the contrast with mediated reports, would not have shown us. In the end, these would only augment to some extent our expectations of how Eve is to be understood.

I realise that by now I may have lost any number of you who have not seen nor care to see the film. But I use it here to suggest something about which I can claim at least some expertise – the relationship between our sense of identity and its inherent relationship to how we are identified by others. As Richard Jenkins (2000) points out, “we know who we are because, in the first place, others tell us.” Yet in our society, our understandings of self, our identity is increasingly related to how we exist under socially and technically created systems of identification that seemingly know “all about us.” To put it in the terms of the film, the way in which we are profiled, covered, revealed and reported affects our sense of who we are.

I wish I could say that my watching of classic film was inspired by a maturation of my entertainment tastes: an increasing desire to read classic literature and watch the great films of our age. I am afraid this would be less than honest. In fact, the motivation to watch this film was driven by my personal academic research. Andrew Smith and Leigh Sparks, British marketing researchers at the University of Nottingham and Stirling (respectively), entitled a 2004 article in the Journal of Marketing Management “All about Eve?” In the article they describe the purchasing habits of a woman they give the pseudonym “Eve.” Smith and Sparks were given access to two years worth of purchase data based on a particular retail store’s loyalty card program. With this data, they surmise the following things about Eve:

• She is overweight and very concerned about her appearance, especially her poor complexion
• She has long hair, usually wears contacts but wears glasses occasionally, and has numerous problems with her feet
• She has hay fever and struggles to overcome a common cold several times a year
• She has a boyfriend or partner she occasionally buys items for
• She is someone who plans holiday gifts and cards well in advance

These could be intimate details about a person’s life, and the authors readily admit to the fact that they could be wrong about any and all of these descriptions. However they (as am I) are reasonably sure that they know more than Eve herself would be comfortable with. They further recognize that without personally identifiable data or even aggregate sets of data that pertain to her (like geodemographic profiles), they know far less than what the retailer may in fact “know” about Eve.

What I want to suggest is that in a world in which, in the words of Zygmunt Bauman (1992), consumption has become the “cognitive and moral focus of life, the integrative bond of the society, and the focus of systematic management,” marketers do know much about us. In the midst of the increasingly desperate situation with Eve, Margo Channing states “so many people know me. I wish I did. I wish someone would tell me about me.” Ms. Channing can be assured that today marketers are keen to tell her exactly who she is. Based on her affinities with certain products, her past purchasing behaviours, the neighbourhood in which she lives, the relations she has with others, and far more information which is increasingly knowable, known and quantified, Channing could be situated as a consumer quite readily. We have become statistically significant sets of data (see Zwick and Dholakia 2004), something which affects both how we understand ourselves and how we are understood by consumer systems.

In many cases, we may be seen to “sort ourselves out” as Richard Burrows and Nicholas Gane’s recent article on geodemographics suggests (2006), specifically as a form of “commercial sociology” aids us in deciding the type of people we would like to live with – splitting up neighbourhoods into lifestyle clusters and reengineered class constituencies. On the other hand, loyalty programs, such as the ones Smith and Sparks discuss, are keen to use the data we have given over to “help us solve our problems.” These problems are of course indicative of who you are, your life stage, your income and career, your family, your personal appearance, your diet, etc. In return, they only ask and hope for more patronage, and of course, more data. How else would they be able to know who we are and meet our needs?

After several years of studying the means by which corporations monitor the current and potential customers and after several interviews with executives of loyalty programs, I am convinced that corporations know much about us. Ironically, though the film “All About Eve” suggests we will know all about her, it is the character Eve who in fact seems to know all about us. While we learn all about Eve’s rise to stardom, she does so by means of clever and subtle manipulation. I am reminded quite succinctly of the ways in which marketing practices remain covert and subtle. In one interview I conducted it was suggested to me that the loyalty program (read: data collection program) was meant to know all about you, not in a “big brother” like way, rather in a “best friend” sort of way – to target advertisements meant specifically for your situation, your context. This is never overt of course, both for fear of “getting it wrong” and for fear of appearing as a form of ominous surveillance, but these are clearly and specifically meant to connect with your personal life and I am convinced this has an affect on one’s self concept.

In the end, despite a concern for appearing ominous, it is consumer surveillance and it is ubiquitous. The personal knowledge surmised from the collection of consumer data may not always be right, but based on that information one may begin to experience life differently because of the way it serves to distribute certain resources and penalties (Jenkins 2000). Increasingly, our personal identity – our conception of self – is produced and reproduced in institutionalized contexts and as corporations gather and integrate more and more personal data, the potential for the expectations of this data to become lived out in the experiences of the lives to whom it correlates is high. While this may prove a particular advantage for upwardly mobile consumers, it likewise leaves a rather dismal future for those who may be seen as “collateral damage” for an economic system focused on particular types of consumers (Bauman 2007). Which is to say, knowing all about “us” applies to only a certain categories of people, like Eve, but even for her, what is known about her inevitably affects how she understands herself in the context of a society in which consumption is both a focus and a social bond…

References:

In recent weeks, the popular social networking website, facebook.com has found itself at the centre of much discussion. From government and employer bans on the use of the website in workplaces, to sanctions and expulsions against students and employees stemming from information posted on facebook accounts, it seems of late that the site has never been far from media attention. Ironically, this has all come at a time when I have faced increasing pressure from friends to finally get with the program and join the network, being that I am one of the few people I know not already connected. I admit that the above mentioned issues surrounding the website are not the reason I have yet to become a member – I am more simply concerned with the time that would be lost in my schedule to keeping up with this phenomena, having witnessed it firsthand with friends. However, being a virgin to the social networking game, its recent newsworthy attention does give me reason to pause before logging in and signing on, but not for the reasons most would think. In fact, it shocks me that what I see as the most concerning aspect of this new way of sharing and communicating seems to be somewhat flying under the radar, overshadowed by the predominant concerns surrounding lost productivity. The bigger picture that seems to be misplaced in the recent wave of attention is the more concerning issue of privacy, or lack thereof, surrounding information posted in such a forum.

Facebook started in 2004 by a sophomore student at Harvard University keen on bringing the idea of university paper ‘facebooks’ into the technological age. Since then the site has developed and grown tremendously. It now boasts more than 19 million registered users and is in the top ten most trafficked websites in the United States. But it is Canada that can currently lay claim to the title of the nation with the fastest growing membership to the site, estimated at representing 11% of users, up from 5% last year. Canadians, in fact surpass both the United Kingdom and the United States in rates of new membership. The site works by allowing registered users to essentially create a profile and link into numerous networks based on interests, geography, etc. Each member’s profile acts like a personalized website, and can include a list of friends, as well as showcase photos. The page also features a message board that each member can choose to make public. However, gaining access to a friend’s page that is not publicly available is as simple as placing a request that is yielded. After granting access to another user, all control over what the grantee can post is lost. It is easy to see how concerns over posting content and lost productivity of employee and student users has arisen, with members utilizing the site to post thoughts and keep up with relationships. But what of the matter of privacy in regards to information posted on member profiles?

There appear from first glance to be numerous issues surrounding anonymity and privacy with regards to social networking websites. The obvious ones that emanate with all web pages, such as data mining and information sharing with third parties are arguably possible and occurring. But the concerns that are specific to sites like facebook.com are conceivably more intrusive. For example, since a member who grants access to another user has no control over what that member posts on their message board, even personal information not divulged by the member could end up posted on their own page. Not to mention that such information is always possible as being posted on the other user’s page. Even in a private profile, this information becomes instantly accessible to all those having admission, and where the profile is public, the information automatically would be spread further. Another privacy concern surrounds ‘RSS feeds,’ which function to allow ongoing updates, capable of being posted from your Blackberry. Such minute details of daily life and location could prove dangerous in the hands of a stalker. While these are concerning enough issues, they lead to the broader question over who exactly may be interested in accessing your information. Colleges, universities and police have all utilized facebook in investigations, and recently it has been suggested that employers may be interested in looking up potential employee’s profiles as part of their hiring processes. For a site specifying itself as being available, “for your personal, noncommercial use only,” many users are naively being misled. Beyond the issue of maintaining control over and some semblance of privacy in the information posted, the notion of who should be examining posted information is important. While it is arguable that police and school intervention is a good thing, possibly solving crimes and stopping hateful or derogatory postings, should job appointments really be determined partially on the basis of what someone has posted on their facebook account?

The question to be answered then is how do we classify such social networking forums? Are they simply open public spaces where members lose any claim to their privacy and anonymity once becoming a user? Or, should such venues simply be seen as the modern version of private conversation with technology simply providing the global link, and thus off limits to those not knowingly in the circle? One thing is for sure, at the present rate of growth of over 1 million new users each week online social networking sites like facebook.com are not going away anytime soon. Simply avoiding such forums may not provide a feasible solution when trying to maintain modern relations. Perhaps then it is time to think hard about the privacy problems these forums raise and develop a strategy to handle these concerns without stunting access. I have managed to hold out joining until now, but the temptation to connect and reconnect with friends and acquaintances is increasingly tempting. With member friends already displaying my picture and information on their pages, can avoidance really be seen as a measure in maintaining my anonymity and privacy?

Robynn Arnold is an LL.M. Candidate at the Faculty of Law, University of Ottawa.

My first thought was that a website called On the Identity Trail, with a research stream on Constitutional, Legal and Policy Aspects, would feature a lively debate on a right to anonymity. Yet a search on 'right to anonymity' on this website offers only one hit: a December 2003 piece announcing that lawyers in the ID Trail project will study a right to anonymity. Since then, the term as such does not recur, and the anonymity focus webpage - although covering a fascinating range of subjects - does not offer much for the reader who wants to know whether or not she has a right to anonymity.

This, of course, was only to be expected. A right to anonymity does not exist, has never existed, and will never exist. At some point, there will always be someone with a right to know your identity. In certain contexts, it is eminently possible that you remain anonymous, to your hairdresser, reader, or (sperm-donated) child, and you may even claim a certain right to this. But there is always a conflicting right to identification that may outweigh your claim to anonymity, for your hairdresser (if you leave without paying), for your reader (who feels slandered), for your child (looking for his father), and, ultimately, for the police (looking for a serial killer). If a right to anonymity were established as a generic right, it would be so relative as to become meaningless.

My second thought was that things may be different in cyberspace, that illusive but oh so attractive space where no-one knows you're a dog. Or in Second Life, where you can be a dog and where no-one knows who you really are. What is more, where you yourself may not know who you really are. Isn't Second Life - today's hyped epitome of cybercommunities and massive multi-player on-line role-playing games - a space where we can start from scratch and build a parallel universe where a right to anonymity is the most normal thing in the world? Where anonymity is available to anyone desiring some privacy, some fun, some room for weird statements that won't be held against her tomorrow?

If only life, even Second Life, were so simple. Ever since John Perry Barlow's Cyberspace Declaration of Independence and the subsequent tsunami of laws and regulations that refuted Barlow's rhetoric, centering on the one-liner "What holds off-line, also holds on-line" [1], we know that cyberspace and real space are inextricably intertwined. You and your avatar are two of a kind: they're different, but linked. You may want your avatar to be anonymous, or to have a famous avatar without anyone knowing it's really you who pushes the buttons, but how do your avatar friends, the avatar cops, the game providers, and the other players feel about that?

The evolution of virtual game spaces mirrors the evolution of the Internet: no sooner does it reach a wider audience, than it becomes commercialised, criminalised, regulated, normalised. The thrill of novelty disappears. Real life enters. In Second Life and its next-generation clones, avatars will use foul language, slander, commit vandalism, abuse children, rape dogs, offer drugs and crackz, discuss Al-Qaeda, launder money, and infringe trademarks. Politicians are shocked and will criminalise animal abuse in on-line games. Trademark holders will sue Internet and game providers to give the log-in data of infringing players. You yourself will want to know who assaulted your daughter's avatar and stole the dragon sword on which she spent half-a-year's pocket money. Registering the identity of game players will become routine practice, and at some point, there will always be someone with a right to know your identity.

This is a missed opportunity, since virtual spaces offer a unique occasion to experiment. In their second lives, people dare take risks they would never dream of taking in their first life. In particular, people can develop parts of their identity that they dare not develop in real life. How does it feel to be a boy? I never knew I had this tender streak in my character. How exciting to experiment with same-sex sex. How good it feels to tell this black guy that if he doesn't get out of the way, I'll chop up his ghettoblaster! As your avatar experiments, grows, and develops, in some way, you yourself grow and develop too.

This unique, identity-fostering potential of virtual space is at risk if anonymity is not a given in games. The risk of being recognised will prevent not a few experiments with roles and identities. Yet tragically, anonymity can not be a given in virtual space, because virtual space is never absolutely virtual. Real people live in virtual spaces, and real people can be hurt. If legal protection is taken seriously, absolute anonymity - of avatars and of players - is impossible. A virtual and strong right to anonymity is an attractive idea, but we must have second thoughts about this.

The bright side of this is that the resulting need for identity and identification in cyberspace raises a whole range of fascinating issues that beg to be researched. How do we identify the people behind the avatar, when millions of the world community are living in a single cyberworld, when multiple users share an avatar, and when the first people who can give identifying information - ISP's, game providers - are likely to be in foreign jurisdictions? Do people identify themselves with their avatar? Is someone's ipse identity (her sense of self) affected by the way her avatar is treated in virtual space, or by her being identified - by her idem identity (her sameness) - as the person behind the avatar [2]? Since most virtual games seem to decree that in case of conflicts, the law of California applies, do I want my identity to be governed by a law-maker who used to be a terminating cyborg? And while we are on the topic of cyborgs, when will avatars become semi-autonomous and remain active when you log out, thus acquiring some sort of identity of their own? When will they start talking back, asking you who you are, this guy that is playing around with them?

A right to anonymity is perhaps not such an interesting issue to research after all, not even in virtual spaces. At some point, there will always be someone with a right to know your identity. You yourself, for instance. Or your avatar.

Bert-Jaap Koops is Professor of Regulation & Technology at TILT - Tilburg Institute for Law, Technology, and Society, the Netherlands.

[1] M.H.M. Schellekens (2006), 'What Holds Off-Line, Also Holds On-Line?', in: B.J. Koops et al. (eds.), Starting Points for ICT Regulation. Deconstructing Prevalent Policy One-Liners, The Hague: TMC Asser Press, pp. 51-75.

[2] This is one of the many identity questions that will be addressed in the coming year by the EU FIDIS network.

By all measures, the amount of internet fraud is rising. Morgan Keegan reports the number of new phishing sites increased in its order of magnitude from 4,367 in October 2005 to 37,444 in October 2006. And phishing is not the only source of online fraud, the number of victims of identity theft is growing as well.

In response to the escalation of phishing attacks, a plethora of anti-phishing tools have been unleashed—Firefox extensions, IE toolbars, and psychedelic colour-shifting borders for your browser, as well as, perhaps more sensibly, blacklists of known phishing sites including a list maintained by web titan Google. Of course, these tools only work in so far as users take the time to install them and learn how to use them. On the latter point, news on the usability of security front is equally despairing. A user study conducted by Rachna Dhamija (Harvard), J. D. Tygar (Berkley), and Marti Hearst (Berkley), presented last year at the Conference on Human Factors in Computer Science, had participants evaluate 20 websites—7 legitimate, 13 fraudulent—and differentiate between them. The best phishing site fooled over 90% of the participants, with many users reasoning that page’s nice layout and animated graphics were a sure sign of its legitimacy. Numerous other usability studies have examined the effectiveness of various anti-phishing technologies, and its typical to hear them described as unintuitive at best and unusable at worst (not to mention an eyesore).

All of this brings us to the magnificent architecture of some of Ottawa’s oldest banks. With their tall pillars, imposing lobbies, marble floors, and brass railings, bank architecture showcases impressive work by great architects like John M. Lyle. (Okay, pardon the non sequitur. I assure you I am going somewhere with this). What is perhaps most intriguing about bank architecture is the reason for the notable buildings. Why exactly were banks so impressive and what happened? There is an easy answer: the magnificent designs were a consequence of competition (an answer easy enough to be articulated in The Canadian Encyclopedia). The problem with this answer is that it does not adequately explain why bank buildings have become less and less impressive over the past century while there is still substantial competition, nor does it explain why there was not a similar architectural arms race in hardware stores, feed mills, or other competitive industries.

A better answer comes from the work of economist Michael Spencer on asymmetric information and signaling theory (for which he shared the 2001 Nobel prize). Before the days of governmental oversight and a banking oligopoly, there existed the threat that the new bank that opened up down the street might be a fraud with crooks planning to run off with your money. By building impressive buildings, legitimate banks sent a signal of quality to customers that fraudulent banks could not afford to send. An expensive building assured potential customers that the bank was planning on long-term establishment and was committed to high standards of service.

These types of scenarios are called signaling games in game theory. A basic signaling game has two participants, a sender and a receiver. The sender knows something about herself (called her type) that is not observable to the receiver. The sender’s objective is to signify her type in a signal that differentiates her from other senders of different types, and to provoke an appropriate response from the recipient. Examples of signals include the education level of a job applicant, a full-page advertisement in the New York Times, or the striking blue-green plumage of a peacock.

The problem of phishing and fraudulent websites is also a signaling game, where legitimate websites need to find the online equivalent of an impressive building to signal their type to users. The problem is that the most obvious parallel to the offline world—an impressive website—is completely inadequate. Whether or not the bank customers of lore worked out the game theory of their situation, the signal worked because customers naturally gravitated towards banks with nice buildings. Once the signal became common, most customers did not need an education campaign in how to differentiate between legitimate and fraudulent banks to make the correct choice. In other words, their ulterior motives led them to the right decision. As the user study mention above indicates, this natural instinct is still instilled in modern internet users. When presented with an impressive website with fancy graphics and a cutting edge layout, a significant proportion of users conclude that is a signal of its legitimacy. While designing the kind of full-featured websites banks commonly use does cost a small fortune, the problem lays in the fact that all this hard work can be copied effortlessly. Phishing is thus a twofold problem: (1) we do not have a good signal, and (2) the signal that users naturally look for is not good.

It may be possible to address the second through user education if only we could solve the first. One potential signal might be website seals offered by watchdog organizations like TRUSTe and BBBOnLine. Benjamin Edelman of Harvard empirically studied websites baring these seals. He found that while a BBBOnLine seal slightly increased the probability of the site being trustworthy (but not enough to be an adequate signal), a TRUSTe seal actually decreased the probability that is was trustworthy. That is to say, a site with no seal at all is more likely to be trustworthy than one with a TRUSTe seal. Thus the seal not only fails as an adequate signal, it actually results in adverse selection. In the same paper, presented last year at the Workshop on the Economics of Information Security, Edelman also found that search engine advertisements are more than twice as likely to be untrustworthy as the accompanying search results—another display of adverse selection.

Perhaps a more promising area of third party accreditation is through website certificate authorities. The largest certificate issuers are, respectively, Verisign, GeoTrust, Comodo, GoDaddy, and Entrust. Until recently, a certificate from any of these authorities evoked the same response in browsers—a padlock being displayed—despite the fact that the verification process varies radically from authority to authority. Recently, however, Microsoft has agreed to implement a new, tiered approach to displaying certificate indicators. In new versions of Internet Explorer, the address bar will display a red toolbar if the site is a suspected phishing site, yellow if the site has a traditional certificate, and green if it has an extended validation (EV) certificate (and as always, white for no certificate). Receiving an EV certificate requires an extensive investigation process that will likely catch any fraudulent attempts at certification.

The Canadian case law on hate propaganda, obscenity and child pornography features numerous analyses and discussions on the right to privacy, almost exclusively in the context of the privacy claims of those accused of related offences. Shaped as they are by the contexts in which they are raised, these analyses tend to mirror the negative, individualistic, control-over-access-to-information paradigm that has dominated thinking on the issue for several centuries. Notwithstanding that the vast bulk of Canadian legal analysis focuses on the right of an individual accused against state intrusion on a “private” sphere of activity to the exclusion of consideration of the privacy-related rights of the targets of hate propaganda and obscenity, Canadian courts have recognized that child pornography intrudes upon the privacy-related interests of the individual children abused in its production. The failure to recognize that hate propaganda and obscenity trigger similar intrusions for the members of the groups they target does not necessarily mean that no such intrusions are in fact triggered. Instead, the failure to recognize the triggering of those privacy interests might be understood to be the result of the selection of an individualistic privacy paradigm that, by and large, is conceptually inadequate to capture the collective nature of the privacy-related harms that can be occasioned by all three of these forms of expression.

Individuals targeted directly within hate propaganda and obscenity could muster arguments to squeeze the related privacy intrusions they experience as a result of that targeting into the individualistic paradigm, as has been the case with the analysis of the privacy-related intrusions on the children abused in production of child pornography. In the case of hate propaganda, however, the typical modus operandi of hate purveyors avoids attacks on individuals, generally focusing on broad categories. In the case of obscenity, the individualistic control-over-information paradigm, combined with patriarchal presumptions that women can be assumed to have consented to sexual activity and abuse is likely to impose a preliminary threshold of proof of non-waiver. Re-making what are essentially collectively-based claims into individual claims for the purpose of fitting the paradigmatic mould is unlikely, however, to form the basis of a meaningful long-term strategy for equality-seeking groups and their members.

Just as the analyses of privacy in the contexts of abortion and the counseling records and sexual histories of complainants in sexual assault cases have tended to re-personalize political issues, undermine calls for affirmative state action and reinscribe gendered and raced notions of privacy, so too may privacy-based arguments by the direct targets of hate propaganda and obscenity crafted to fit the paradigm. The privacy-related harms of hate propaganda, obscenity and child pornography need also to be understood in the context of social inequalities that allow empowered narratives to constrain the autonomy of otherized individuals by limiting their opportunities for self-definition with presumed, imposed characteristics attributed to the equality-seeking groups with which individual targets are identified. The personal intrusion is integrally and intrinsically related to systemic, group-based power imbalances. Claims framed within the individualistic privacy paradigm are more likely to bury that dynamic than to make it understood. Without that recognition, the potential role for state action to address those imbalances – or at least a call for state action reflecting a conscious choice not to reinforce those imbalances is likely to be ignored.

Rather than trying to fit collectively-based harms into an individualistic paradigm, it may be preferable to re-think the paradigm to encompass collective, social considerations. The seeds for this idea were originally sown within aspects of work by authors such as Westin that were largely sidelined in the wake of an individualistic, libertarian drive against state intrusion. They have since been replanted in the work of authors such as Allen and Gavison who have advocated privacy as a producer of social goods such as better social contributions and relationships. However, the drive to articulate privacy as a social value can be found more directly in the work of authors such as Gandy, Regan and Cohen in the context of rising concern as to the broad-ranging privacy implications of digital data collection and use. As fragmented individual data collected for one purpose is aggregated and re-used in other contexts as the basis for labeling and making judgments affecting individuals’ lives with little or no opportunity for reciprocity, the adequacy of individualistic models that focus on control over access to information has increasingly come under scrutiny.

The push, in the context of digital data collection and use, for recognition of privacy as a public value, a common value and a collective value and the potentially invidious collective forms of discrimination to which its inobservance can give way offers both threats and opportunities for members of equality-seeking groups. To the extent that those accused of offences relating to hate propaganda, obscenity and child pornography would then be positioned to bootstrap their individualistic privacy argument with one premised on societal interests, the competing equality-based interests of the members of target groups may be undermined. On the other hand, thinking collectively about the value of privacy opens up the opportunity to better articulate a more group-based conception of the privacy violation occasioned by perpetuation of group-based stereotypes prevalent in hate propaganda, obscenity and child pornography. It suggests an opening to argue that privacy shouldn’t simply be conceived of as a producer of individualistic goods like free expression, freedom of conscience and liberty, but also the equally important, but too frequently unmentioned democratic right to substantive equality.

The parameters of a collectively-based privacy argument might work from accounts of authors such as Delgado, Crenshaw, Tsesis and MacKinnon on how hate propaganda, obscenity and child pornography can work to impose social constructions of inhumanity on targeted groups that are both externally reinforced and sometimes internalized in a way that undermines their abilities to self-define. To the extent that these effects lead individuals to choose to dissociate or to attempt dissociation from the groups so targeted, both the groups themselves and society as a whole stand to lose - our aspirations for diversity, plurality and mutual respect are undermined.

If hate, obscenity and child pornography are understood in this way, certain aspects of the current push for a social conception of privacy within the context of digital data collection might be usefully analogized. Simplistic data derived from these forms of “expression” are used to render social profiles of targeted groups that become a basis for imposed definitions not only on those groups, but their members as well. These socially constructed definitions then form the basis and justification for discriminatory action and treatment of individual members of those groups that can, in some cases, be internalized within their own processes of self-definition.

In less than a couple of weeks, I’ll be attending the Computers, Freedom, and Privacy Conference in Montreal to participate in a workshop presentation with other members of the project. The theme of the discussion is the reasonable expectation of privacy. This morning I’d like to give a snapshot of what I’ll be contributing.

Let me start off by noting what seem to be two very general conditions on the reasonable expectation of privacy in informational contexts. First, it seems obvious that in order for someone to have a reasonable expectation of privacy with respect to a piece of information, she can’t have voluntarily exposed it in a general manner. When I walk across the quad on my university’s campus in broad daylight during a busy term weekday, there’s an obvious sense in which I’m voluntarily exposing lots of information about myself: I know that if I walk across the quad, various people are likely to cast an occasional glance in my direction and thereby acquire visual information about my present appearance, location, activity, etc.; and I’m okay with that, so I walk. But no one would say that I have a reasonable expectation of privacy with respect to it, since I’ve voluntarily exposed it – made it known or at least easily knowable – to whomever happens to be in the area.

Second, in order for an individual to have a reasonable expectation of privacy with respect to a bit of information, it must be personal information of a certain sort about her. To say that information is personal is to say, at the very least, that it is about persons. The information that lightning is a rapid discharge of electrons, say, or that the average annual rainfall in Montevideo is 1100mm, is not personal because it’s not about persons – at all. Moreover personal information, in the usual sense, must be personal information about specific persons. Consider, for example, the following pieces of information, all of which are about persons: that Canada has a population of over 30 million, that all people have certain inalienable rights, and that recent polls show that a majority of Americans favor national anti-obesity programs. Despite being about persons, these bits of information are not about specific persons, and hence don’t count as pieces of personal information in the usual sense.

But not just any personal information counts. In order for an individual to have a reasonable expectation of privacy with respect to a bit of personal information, it must be personal information of the right sort. For consider the following examples of personal information about me: that I am self-identical (to borrow an example from earlier exchanges on this blog with Steven Davis), that it is logically impossible for me to be a circle, and that my rate of free-fall is the same as that of a small pebble. Even if we admit these as examples of personal information, because they are about specific individuals, no one would be inclined to say that they are of the right sort of personal information to be covered by the reasonable expectation of privacy. They can be rationally inferred about specific individuals merely on the basis of nonpersonal pieces of information such as logical or scientific laws.

Let’s call personal information of the right sort – of the sort with respect to which one can have a reasonable expectation of privacy – “deeply personal information.” Accordingly, we can say that in order for an individual to have a reasonable expectation of privacy with respect to a bit of information, she must not have voluntarily exposed it and it must be deeply personal information about her.

I want to resist the suggestion that deeply personal information is to be distinguished by means of its sensitivity. The basic idea of this suggestion is that deeply personal information is sensitive personal information, i.e. personal information that individuals don’t want widely known by others. Sensitivity in this sense, according to certain privacy theorists, might come in one of two basic forms. The personal information in question might be sensitive because the person it is specifically about does not want it widely known by others. It might also be sensitive because it is the sort of information that most members of her society don’t want widely known about themselves.

The reason I want to resist this suggestion is two-fold. First, consider the problem of hypersensitivity. This has to do with the fact that some people can be excessively sensitive about information, including personal information that is not deeply personal. Suppose, to illustrate, that for one bizarre reason or another I happen to be very sensitive about the information that I am self-identical, that it is logically impossible for me to be a circle, or that my rate of free-fall is the same as that of a small pebble. It’s quite silly of me to be sensitive about this sort of rationally inferable information, but, nonetheless, let's suppose, I am. And since it’s sensitive information specifically about me, it turns out to be deeply personal information on the sensitivity approach. But that seems wrong. Whether personal information about me is deeply personal in the relevant sense can’t surely depend simply on my sensitivities, which may stray quite wildly away from the realm of where they ought to be.

There’s also the problem of hyposensitivity. This arises because some people can be excessively insensitive about information, even deeply personal information about themselves. We all know that sort of person who opens up at the drop of a hat and shares all sorts of intimate details about themselves to anyone with open ears. Encountering that sort of person is disconcerting, because we want to say that they shouldn’t be sharing so much deeply personal information with us, total strangers.

Of course, an advocate of the sensitivity approach could agree with us here, and point out that the reason the information such a person shares is deeply personal is that it’s the sort of personal information that most members of their society don’t normally want widely known by others. It may not be sensitive personal information for them, but it is for most of their society, and so it is in fact deeply personal.

But it’s not too hard to think of cases in which even the sensitivities of most members of society are deficient. Suppose that the government, or even a large corporation – call it Big Brother – embarks on a propaganda campaign, for one bad reason or another, to convince most members of society not to be sensitive about the intimate details of their sexual and romantic lives, their medical statuses, their on-line activities, etc. Suppose further that the campaign is very successful. We get the result that virtually no one in society cares how widely such personal information about themselves is known by others. Does the very success of the propaganda campaign absolve Big Brother, who then goes on to get his hands on such details about many members of society, from the charge that he’s inappropriately gotten his epistemic hands on deeply personal information of many members of society? Surely not. The right thing to say of this sort of scenario seems to be that Big Brother has, wrongly and sadly, convinced most members of society not to care about large swaths of what remains their deeply personal information.

So if we don’t characterize the nature of deeply personal information along the lines of the sensitivity approach, what’s the alternative? It seems to me that one plausible alternative, at any rate, can be gleaned from paying careful attention to the language that the Supreme Court has employed in such well-known cases as R. v. Plant (1993) and R. v. Tessling (2004). Deeply personal information, the Court says, is what lies at the “biographical core” of personal information, and information whose disclosure may affect the “dignity, integrity, and autonomy” of the individual it is about.

This suggests two very important points about the nature of deeply personal information. First, deeply personal information has something to do with what might be described as the telling of a story about an individual’s life – that’s the “biographical” bit. Second, it also has to do with the individual’s telling her own story, for herself and on her own terms – with “dignity, integrity and autonomy.”

The narrative language of “biography” and the “telling of one’s own story” may be largely metaphorical, but I believe it captures a very familiar element of our day-to-day experience. We are all, everyday, telling stories about ourselves to others in the sense of revealing to (and concealing from) others different pieces of information about ourselves in different contexts. And the capacity to do so in accord with our own considered convictions about who should know what about us in which context is crucial, I think, to our dignity, integrity and autonomy as persons.

We can bring these points together into something like the following (call it) “self-narrative” approach to the nature of deeply personal information. On this approach, deeply personal information is personal information open access to which would seriously undermine the individual’s ability to tell her own unique story. (When I talk about “open access” here, I mean more or less unrestricted access for the public at large, i.e. access for pretty much any member of society who cares to learn the relevant information, regardless of whether the individual that the information is about has voluntarily exposed it.)

To evaluate the plausibility of the self-narrative approach, consider its application to cases already mentioned. The rationally inferable information that I am self-identical, that it is logically impossible for me to be a circle, or that my rate of free-fall is the same as that of a small pebble, despite being about a specific individual, is not deeply personal information. Does the self-narrative approach give us that result? It would seem so. It is very difficult to see how open access to any of these pieces of personal information about me would seriously undermine my ability to tell my own unique story. After all, none of these pieces of information could itself be used to distinguish me from others in any significant way. That it is logically impossible for me to be a circle is certainly about me in particular, but exactly the same sort of information can be known to apply to every other individual in society, simply by rational inference from non-personal information. That’s also true of the information that I am myself or that my rate of free-fall is the same as that of a small pebble. Everyone is self-identical. Everyone’s rate of free-fall is the same as that of a small pebble.

It is generally believed that you have to take the extra step to protect your privacy: look for the SSL lock on your browser, shred your old bank statements, scan your computer for key loggers etc. Convenience and easy of use are often regarded as antagonists to security or privacy. I have recently come to discover a useful website that seems to contradict this paradigm.

Remember all those popular websites that force you to register just because you want to read the entire article, user comments or download some piece of free software? They all claim that the registration process is simple but you often find yourself entering your email address, gender, full or partial postal address, phone number and at the end they ask you to fill out a survey with how many hours you spend on the internet each month, what’s your income level, age, education and so on. But probably most important, you tend to set your password from the two-three passwords that you use on tens of websites. Clearly an exposure of what you consider to be private information.

* This piece is a summary of the arguments contained in a longer paper that is currently a work-in-progress.

It seems likely, then, that the potential uses for implantable RFIDs will only increase in the future. Indeed, as the examples above illustrate, it appears that the use of RFIDs, both external and implantable, could shift from a voluntary and consensual model of use, to one that is neither voluntary nor consensual, which is of considerable concern to those concerned not only about privacy, but about ethics more generally. It is thus imperative to examine the ethical concerns; concerns about how we treat other human beings; surrounding the use of implantable RFIDs in more detail.

Many of the same privacy arguments made in the context of non-implantable RFIDs apply equally to implantable RFIDs. However, there is an additional factor within implantable RFIDs that raises our moral antennae; something more than just the typical informational privacy and anonymity concerns articulated by those writing on RFIDs generally; something that is unique to RFIDs that are implanted in human beings or otherwise used to track the actions and movements of human beings that has not yet been accounted for in the existing literature. [5] This additional factor in the implantable RFID context has been casually described as a concern for ‘human dignity’ in the popular media. Thomas C. Greene articulates it like this:

And, as stated by Cédric Laurant, Policy Counsel at the Electronic Privacy Information Center:

While this concern for ‘human dignity’ has been raised, it has not been explored in any philosophical or legal depth within the academic literature. As such, it remains, to some, mere rhetoric. Such an exploration, however, is necessary in order properly articulate the concerns that have been raised by these writers. It is also important to look at how such an analysis relates to, or even encompasses, our concerns about privacy and anonymity in the implantable RFID context, allowing for a new discourse on the myriad of concerns surrounding RFIDs that track the movements and actions of human beings. Such a discourse is important in the legal context, as human dignity, unlike privacy, has been continually recognized one of the underlying principles of the Canadian legal system, as enshrined by the Charter of Rights and Freedoms. By viewing the tracking of human activity through RFIDs as an infringement of human dignity, an argument against the legality of the use of RFIDs in these ways could be greatly bolstered through the infusion of one of the most fundamental values enshrined in Canadian law, and thus any legal argument against their use could be viewed as much stronger and likely more effective.

Human dignity is a concept that has longstanding meaning both within philosophy and within the law, most notably as the basis for modern human rights law, although it is not a particularly well-defined concept, as it often has very different meanings in different contexts. [8] Most recently, the concept of human dignity has received renewed attention in the field of bioethics, with experts striving to get to the root of the concept and to determine how it is being used by law and policy makers and to determine the ‘correct’ conception of the term. The most widely accepted theory of human dignity is that based on Kantian deontological philosophy, where it is viewed as the “essence of humanity” [9] that provides each human being with intrinsic worth by virtue of possessing a certain quality or qualities (usually agency or autonomy). Based upon possession of this quality, this intrinsic worth, all human beings are to be accorded respect and are to be treated as ends in themselves and not merely as a means to an end. However, the use of both implantable and external RFIDs to track the actions and movements of human beings clearly betray this imperative in using human beings to achieve ends unrelated to the well-being of the subject her/himself, ends that are usually related to the accumulation of information; information which may in fact be used against the person about whom it is collected.

Given that Canadian law aims to protect people from violations of their human dignity, at the very least from intrusion by the state under the Charter, any attempt by the state to use RFID in a non-consensual and non-voluntary manner may indeed be considered contrary to Canadian legal values and could run the risk of being declared of no force and effect under s. 52(1) of the Charter.

In the fall of 2006, the Ottawa Citizen broke a leading news story based, in part, on work done by the Canadian Internet Policy and Public Interest Clinic, (CIPPIC). Pursuant to an access to information request, CIPPIC learned that the Royal Canadian Mounted Police (RCMP) had purchased consumer information from Canadian data brokers for law enforcement purposes. The information that the RCMP obtained from data brokers included individuals’ telephone numbers and addresses, as well as personal information available from public records (On the Data Trail: A Report on the Canadian Data Brokerage Industry, April 2006).

Commercial data brokers on both sides of the border collect personal information from various sources such as public registries, contest ballots, product warranty forms, newspaper and magazine subscriptions, travel bookings, charitable donation records and from companies that track credit-card use. In its coverage of the issue, the Ottawa Citizen reported that since September 2001, the RCMP has been buying and retaining this kind of personal information from data brokers, and in some instances may have forwarded that information to U.S. law enforcement.

The statutory definition linked terrorism to criminal activity motivated by religion, ideology or political belief. Judge Rutherford reasoned at para 58 that the “inevitable impact” of making motivation part of anti-terror investigations would be that a “shadow of suspicion and anger” would fall over certain groups in Canada, raising concerns about racial and ethnic profiling. In his decision, Justice Rutherford severed the invalid motive clause in the definition of terrorist activities from the rest of the anti-terrorism legislation; leaving the remainder of the provisions in force. To date, Mr. Khawaja has not proceeded to trial as there are aspects of his case that are currently before the courts.

While Khawaja, for now, stands as a bar to using motive as evidence of terrorist activity under the ATA, law enforcement’s potential use of personal information collected by data brokers raises the same concerns about racial profiling and creating groups of suspects that Justice Rutherford mentioned in his decision.

Information supplied by data brokers is unreliable. Brokers gather information from a variety of sources and have few incentives to determine and ensure the veracity of the information they collect and sell to law enforcement. Compounding this problem is the lack of transparency for consumers. It is virtually impossible for individuals to be aware of all of the organizations that have collected and retained their personal information over time. Consequently, consumers have minimal recourse to access, challenge and correct the myriad of what Professor Daniel Solove calls “digital dossiers” that often contain inaccurate personal information. The absence of recourse and access rights to ensure the reliability of information sold to law enforcement without consumers’ knowledge or consent also raises concerns about due process.

Nor is it clear what criteria law enforcement would use to assess the relevance, accuracy and reliability of information provided by commercial data brokers. What type of information is being purchased? How would the information interpreted and contextualized? What valid conclusions or predictions, if any, can be drawn from such information?

The inaccuracy or misinterpretation of information supplied by data brokers to law enforcement combined with the lack of transparency and oversight surrounding the use of that data can have dire consequences for targeted individuals and identifiable groups.

Identifying an individual as a security threat, terrorist, or terrorist sympathizer based on questionable information provided by data brokers can destroy a person’s livelihood, family life, reputation, and in some cases their physical security. Although it is not established that information from data brokers played a role in the “extraordinary rendition,” detention and torture of Canadian citizen Maher Arar, it is not difficult to contemplate the worst case scenario for an individual who is profiled according to information provided by data brokers based on what we know about Mr. Arar's terrifying ordeal. Identifying an entire group as suspect using information complied by data brokers could result in criminalization, stigmatization and marginalization, violating equality provisions as well as freedom of religion, thought, expression and association rights contained in the Charter.

Law enforcement’s potential practice of using information compiled by commercial data brokers isn’t only problematic for certain racialized groups or suspicious individuals; the practice implicates all of us. The private sector collects and uses personal information about nearly everyone. A criminal profile could be pieced together from various purchase records on any individual, based on the information complied by data brokers. That data could be used to establish a motive and identify individuals as suspects or potential suspects for any crime – including those not yet committed.

We could all, then, be profiled based on fragments of information about us that may be wrong, outdated, distorted, and removed from context. If information collected by the private sector is purchased and used by our government and law enforcement agencies without transparency, oversight and safeguards, it can be dangerously misinterpreted in ways that could prejudice people’s lives.

On August 25, 1995, LE, a 42-year-old single mother of two, attempted to pay for a cab with an invalid credit card. [1] The cab driver refused LE’s subsequent offer to pay with cash she had quickly arranged to borrow from another tenant in her building. Instead, the driver notified the police. After a CPIC search, the officer called to the scene found evidence of an outstanding warrant for failing to appear at trial relating to charges of obtaining credit by false pretences. In the 18 hours that followed, LE was strip searched, confined to a cell under video surveillance, denied a blanket despite the cold temperature in the cell (since apparently no blankets were available at the time), after which she was observed pretending to hang herself from the cell bars with her bra strap, forcibly stripped of her clothing after she refused to remove them, told not to position herself in the cell so as to escape video surveillance (which she refused to do) and ultimately handcuffed naked to the cell bars where she was visible to all those passing by for at least 20 minutes until blankets (ironically) were taped to the outside of the bars, according to the trial judge, “in order to give [her] some privacy” [para. 41].

LE’s civil action alleging, amongst other things, negligence, assault and breach of her ss. 7 and 12 Charter rights was dismissed. Almost as disturbing as the facts of the case itself, are the motifs of privacy’s gendered legacy present in the trial and Court of Appeal decisions. Even more fundamentally, what emerges from the case is a transparent example of what Lise Gotell has referred to as the “nothingness” of privacy as it is currently framed in law and the seeming futility of purely privacy-based claims for members of many equality-seeking communities [(2006) 43 Alta. L.R. 743].

The trial judge found that the authorities’ forcible removal of LE’s clothing was consistent with an established policy of removing the clothing of both male and female prisoners who have attempted suicide or who, as in LE’s case, have pretended to attempt suicide. The judge further found that the policy was reasonable and noted that LE was left “without the blankets protecting her modesty for a period not exceeding 20 minutes”[para. 42]. LE’s “modesty” is referred to four more times in the reasons of the Court of Appeal – generally in the context of the Court’s conclusion that the trial judge adequately considered LE’s privacy and dignity claims. As Anita Allen and Erin Mack have carefully demonstrated, the gendered legacy of privacy has frequently meant that privacy claims are afforded different content, depending upon the gender of the person asserting them [(1990) 10 N. Ill. U. Rev. 441]. The privacy of male claimants has typically been understood in the case law as necessary for independence and autonomy of choice, while for women “privacy” has too often been analysed as necessary for maintaining “modesty” – a term simply serving as code for a classed and raced analysis that saw women’s forced seclusion in the “privacy” of the home as the preferable means to protect their most highly prized possession – their “virtue”. To understand what happened to LE as primarily an affront to her “modesty” is to ignore both its impact on her status as a thinking, independent, autonomous human being, as well as the way in which that affront depended for its dehumanizing impact on the stereotypical shaming associated with public exposure of women’s bodies.

Apart from the unnamed, but gendered characterization of privacy in the judgments, the Court of Appeal’s perhaps most jarring line states: “[LE] properly conceded in oral argument before this court that there is no free-standing right to dignity or privacy under the Charter or at common law” [para. 63]. In the absence of a s. 8 claim relating to unreasonable search and seizure or a claim premised on some other specific statutory authority (like that provided, for example, to convicted sex offenders whose information or DNA is sought for inclusion in a government-run registry or databank), as far as the law is concerned, it seems women in the position of LE can really only talk about whether the conduct of authorities is consistent with Charter values – with privacy being one of them. Unless they can wedge their claims into one of these other pigeon-holes, they have no independent legal grounds for asserting a claim that being handcuffed naked to cell bars in full view of passersby, while also under video surveillance, constitutes a violation of their privacy. (And presumably, similarly, no independent basis for asserting a claim that a policy that automatically requires stripping prisoners of their clothing after they have attempted suicide or feigned such an attempt, violates the “right” to privacy – since no such independent right exists.) Interestingly, the Court of Appeal’s jarring statement was more recently relied upon by a court as the basis for striking out a privacy claim asserted by a Black woman lawyer in relation to alleged racist epithets by another lawyer [[2006] OJ No. 4134].

It is striking to so directly confront the idea that for Canadians privacy is little more than an interpretive principle for assessing the conduct of the authorities unless the claim arises in the context of a “search and seizure” or under a specific statute that adverts to a right of privacy, when so many of us (particularly in socially disadvantaged communities) are so regularly exposed to exercises of authority that have little or nothing to do with these situations. In the context of claims such as LE’s, where the gendered and raced legacy of privacy and dignity are so evident, I cannot help but revert again to the need for an understanding of privacy and dignity premised upon and framed within the “free-standing right” to substantive equality. Under that rubric, we might interrogate some different questions. While the policy of stripping all prisoners who attempt or feign an attempted suicide is facially written to apply equally to men and women, we must ask against persons of which race and gender is it statistically more likely to be applied? And how might such a policy’s meaning and effect be interpreted differently if it were considered in the context of gender and race inequality and the discriminatory sexualized stereotypes of Aboriginal and Black women that Gotell, and Allen and Mack have shown to be the basis for denying some women even the minimalist patriarchal protection of “modesty” historically afforded middle class white women? How are we to understand the meaning of privacy and dignity for those of us in equality-seeking communities unless the law is required to interrogate them in context?

It seems the best hope for privacy and dignity is equality.

[1] The following discussion is based on: LE v. Lee, [2000] O.J. No. 4533 (SCJ) ; rev’d [2003] O.J. No. 4239 (SCJ, Div Ct); rev’d (2005) 77 O.R. (2d) 621 (CA); leave to appeal refused, [2005] SCCA No. 516. Prior to dismissing LE’s application for leave to appeal, the SCC had dismissed a motion by Aboriginal Legal Services of Toronto, Inc. to intervene on the application for leave to appeal.

Note: this posting essentially represents snippets of my current research in progress.

Anyone familiar with J.K. Rowling’s world of Harry Potter cannot help but be struck by its devices of wizardry. These devices provide some idea of what it might mean to embody awareness in the physical world, precisely the shift we will experience as computational power moves beyond the desktop into everyday objects. Much of the charm from this popular series comes from the quirky magic objects that surround Harry and his friends. Rather than being solid and static, these objects embody initiative and activity - read surveillance capability. Take for example, the Pensieve which stores thoughts and memories for later retrieval: think cameras, chips and tags that capture ever-bigger parts of our experience, especially as they are integrated with devices that know our agenda, the places we visit and the people we are meeting with; or the Weasley’s clock - completely useless if you wanted to know the time, but able to pinpoint where each family member might be, work, school, home or even travelling, lost or in the hospital, and the Marauder’s Map having icons that represent people as they move around Hogwarts Castle: think geo-spatial technologies that bring the same feature to open spaces. Next generation magic or next generation technology? By whatever label, they prompt us to start thinking more about space, the space of our everyday lives, how it is being transformed and increasingly vulnerable to a new wave of technologies that make us more visible and more exposed. This, in turn, raises questions about spatial privacy, its nature and scope, and its viability for legal protection.

Emerging location, or geo-spatial technologies, such as Global Positioning Systems (GPS), Radio-Frequency-Identification (RFID) and advanced wireless devices are being introduced into all facets of everyday real life. This new wave of powerful technologies are finding their way into our homes, cars, cellular phones, identification documents and even into our clothing and bodies. Within the context of growing technological convergence, they have the unique ability to locate and track people and things anywhere, anytime and in real time. There is nothing new, nor necessarily sinister about wanting to locate people and objects and track their movement from one place to another. Clearly, there are some compelling advantages to such enhanced capability. For example, emergency services are better able to find accident victims, commercial organizations are able to improve the way they do business by fleet, product and employee tracking; parents may want to be sure their children are safe; and retailers, stadiums and other service-oriented facilities can adjust staffing levels and product inventory to best accommodate consumer patterns. For government intelligence and law enforcement, serving the public interest includes managing risk, which translates into increased security applications for monitoring people and things, especially given the shift towards a safety and security state. Overcoming many of the limitations inherent in the passive mainstream technologies, this generation of location-based technologies makes all of these things possible, automatically, remotely, accurately, continuously and in real time.

The obvious privacy and surveillance implications, however, are staggering and these concerns are rendered more pressing and more complex as the technologies are combined, integrated, connected, invisibly and remotely to networks, forming part of a wider movement towards a society characterized by ubiquitous computing (UBICOMP). In the ubiquitous networked society, computing devices are embedded in everyday objects and places with the potential for comprehensive monitoring and surveillance that is not contained by space or time, thus crossing both physical and social boundaries. This, in my view, is deeply problematic because the core privacy interests individuals have in sustaining personal, physical or even psychological space are potentially diminished, particularly over the long term as networked location technologies destabilize personal spheres and challenge our fundamental ideas about personal space and boundaries and the privacy expectations that go with them.

Canadian law, principally s.8 of the Charter, recognizes a reasonable expectation of spatial privacy, and purportedly its protection, at least in theory, extends to people. However, the parameters have been confined to ownership or at least, the physicality of the place. In other words, the territorial spectrum of protection has been narrowly constructed by the Supreme Court of Canada. On the current spatial assessment of privacy interests, you can point to barriers that are sustaining its protection. In most cases it is a tangible barrier that clearly delineates the boundary crossed triggering section 8. However, even where there has been no actual physical boundary crossed (trespassed), the intrusion has been assessed as an expectation of privacy in the place under surveillance. In other words, the context engaging section 8 protection is not what capacity the person is acting, but where physically the person is and a tangible boundary that can be identified as being crossed. As more of our lives in private places, personal spaces and movement across all spaces are potentially caught within a web of constant accessibility, the current spatial privacy construct does not take into account the nature of changing technologies, rendering irrelevant protections afforded by the traditional analysis because there is no tangible boundary crossed and the surveillance is capable of moving with people as they leave their homes and move from place to place. The current spatial privacy protection does not get at the core of what is ultimately objectionable: our desire to limit intrusions into our space, affairs, bodily sphere, attention paid to us, freedom from observation and of movement without the threat of being watched – visible and exposed. Thus, there is a need for a new conceptual apparatus for spatial privacy capable of sustaining legal protection for the entire array of privacy interests articulated by the Supreme Court of Canada.

Should we be concerned? Yes. Rhetoric and over-reaction? Perhaps. However, identifying the need for a renewed consideration of spatial privacy interests in response to location-based technologies is compounded by an on-going concern, namely, that the discourse on privacy and privacy protection has centered on assessing interests principally in informational terms. I would go so far as to suggest that the predominant theoretical, analytical and practical emphasis in policy, legal and scholarly discourse has been on the data protection model of informational privacy.

i want you to want me: the effect of reputation systems in online dating sites
By: jennifer barrigar

February 13, 2007 

This piece is abstracted from a longer paper that is currently seeking publication venue.

By now it is almost trite to point out that the scale and breadth of the internet opens up the possibility of reaching large numbers of people quickly and easily, facilitating social and commercial matching on a scale hitherto unimaginable. At the same time, however, the internet is fraught with ambiguity. Text communications are denuded of gesture, tone and the million nuances that inform our interpretation of meaning. Even in visual arenas such as You Tube, recent events show conclusively that the lines between vlogging, fiction and commerce are fluid and difficult to discern. [1]

Reputation systems have been developed as a technological means to harness the potential of the Internet by making trust possible in online environments. This technology is used on many well-known sites. eBay’s feedback system, for instance, allows both the buyer and seller in a transaction rate each other, and the cumulative ratings are available for perusal by any eBay user attempting to determine whether to enter into a transaction with a particular individual. Amazon also uses a variation of a reputation system, allowing users of the site to submit their reviews of materials. A reviewer may rise to the rank of “top reviewer” based on feedback of other users, while all users come to understand that a reviewer’s status is predictive of the helpfulness of her review. Slashdot.org has a similarly dynamic reputation system in place, where site users submit and review news items as well as actively reviewing the contributions of others. Users of the site are able to modify their settings to show only top-rated items, and top-rated authors acquire “karma points” which increase the weight of their reviews and ratings. In each of these systems, the “reputation” of an individual is established by meeting the needs/expectations of other users, whether for trustworthy buyer/seller behaviour, reliable reviews, or a good eye for interesting and newsworthy items.

I step outside of my comfort zone, and my identity as a criminologist, to provide the following commentary on authentication and ‘new media’ technologies, specifically in the context the popular video sharing website Youtube.com. I call the text that follows a commentary, as the thoughts and ideas presented herein require further development. This being said, I look forward to your challenges and comments, so I can further develop this piece into an article.

Authenticity and the Authentication of Identity
I believe it is important to define how I understand and use the concepts of authenticity and authentication. In order to be authentic the object in question must be genuine and reliable or trustworthy. The authenticity of an object is often determined through a process for gaining confidence that the object is what it appears to be; this process is referred to as authentication, and such processes may vary in their formality. By no stretch is authentication new, nor does it emerge with the rise of a networked society. Whether it is ancient artefacts, video statements allegedly released by terrorist organizations, or individual identities, all undergo a process of authentication. As described by Stephan Brands, “[i]n communication and transaction settings, authentication is typically understood as the process of confirming a claimed identity” (Brands, 2005: 1, emphasis in original).

Stranger Society: Authenticity in the City and Virtual World
As I have indicated above, authentication is not new to social life. While individuals once lived their lives in the absence of anonymity, industrialization and the rise of the city significantly altered the dynamics of social living. The emergence of the city facilitated the growth of individualism, privacy, and anonymity, leading some to suggest that we have become a society of strangers (Lofland, 1973). The ‘stranger society’ thesis simply suggests that most of our interactions in everyday life occur with strangers who cannot vouch for our reputation based on first-hand personal knowledge. The unknown reputations / motives of others are a source of uncertainty and insecurity, and various institutions began using surveillance technologies, such as photo identification to authenticate valid clients.

In the early 1990s, we began to see the emergence of the World Wide Web. Early proponents of the internet promised an anonymous playground, impossible to regulate. However, the more popular the internet became, the more incentive dominant institutions had to establish themselves online. In less than a decade, the vast expansion of information technology made it possible to engage in urban social life without actually being present. Shopping and banking can now conveniently be done online from the comfort of home, while professional and personal relationships (local and global) may be mediated through the internet without any actual (physical) meeting. David Lyon (2001) refers to this declining requirement for co-presence in our day-to-day interactions as the disappearance of bodies.

As internet usage has become more mainstream, so too have new social fears, which have had an impact on settings that allow for online transactions and communications. These fears include, but are not limited to, fears of identity theft and cyber-predators. First, it was quickly realized that for the majority, the internet did not make good on its promises of privacy and anonymity. Most of our online interactions require that we divulge information about ourselves, which may later be pieced back together to reveal a better picture of our real identities. As most of us are aware by now, our personal information had been commodified, and may be used for both lawful and illicit purposes. Second, fears have emerged around the threat of cyber-predators, whether it is paedophiles, child pornography rings, or even callous men hunting vulnerable women to date for financial gain.

Not surprisingly, institutions have responded to these new fears, in an attempt protect the online economy, spawning an entire industry around online privacy protection, surveillance, and authentication. Parallel to the budding online security industry emerged an ethos of online responsibilization. While I will not go into any further detail on the subject, I will acknowledge (whether I agree with them or not) that great strides have been made by institutions to authenticate the identities of individual engaging in financial transactions online. What I would like to discuss in more detail for the remainder of my commentary is authentication that occurs in online communication settings.

Many of us have had the experience of establishing an email account of some sort. Whether we choose Yahoo or Hotmail as our email service provider, or whether we open an account on Blogspot or MySpace, the process is usually similar. Each of these typically requires the user to create a self-generated username and password, which is usually verified using some form of cryptographic technology. But again, as anyone who has created such an account is aware, the information we often provide to establish such accounts is rarely, if ever, accurate.

A quick cruise through the user profiles of YouTube members confirms that I am not alone in providing inaccurate profile information. Given the above, allow me to suggest that, unlike their counterparts responsible for transactional settings, the creators of online social and communication spaces are not preoccupied with authenticating the true identities of its users. Does authentication not occur in social spaces online? This is a question I began to explore within the confines of the YouTube community.

Video Sharing and the YouTube Community
For those who have been hiding under a shell, or simply have not been paying much attention to the media hype enjoyed by the video sharing website YouTube.com, this website had its official debut in November 2005, and by summer 2006 was the fastest growing website on the internet. In November 2006, the start-up was purchased by Google Inc. for a purported $1.65 billion US. In addition to sharing music videos and movie/television clips, the YouTube allows amateurs to post videos or share their experiences and/or opinions via vlogs. Consequently, YouTube has created several internet celebrities, several of whom have gone on to experience fame beyond the YouTube community. While some of these YouTube celebrities have achieved fame as a result of their film making talents, others have done so as a result of contested online identities.

This past week a viral video posted on YouTube entitled Bride Has Massive Hair Wig Out made national headlines after receiving over 2 million hits. The clip appears to be an amateur recording of a twenty-something woman chopping her hair off during a tantrum an hour before her wedding. Debate immediately emerged regarding the authenticity of the video. As it turns out, the clip was an initiative launched by hair product company Sunsilk Canada, and the individuals in the video are aspiring Canadian actresses.

Another contested YouTube identity was that of Bree, more popularly referred to by her username lonelygirl15. Lonelygirl15 debuted on YouTube in June 2006, as a coming of age story through which the audience shares in Bree’s life experiences. In addition to her video postings on YouTube, lonelgirl15 also established a MySpace site to facilitate communications with fans. Despite these efforts to make Bree’s identity as believable as possible, in just over one month, several fans began to question the authenticity of the lonelygirl15 video blogs, and by September it was revealed that Bree, a.k.a lonelygirl15, was actually an actress named Jessica Rose. The YouTube community was divided as several members responded to the lonelygirl15 controversy. While some YouTubers became upset when to Bree’s true identity was revealed, others provided their support for the series’ creative efforts.

While I am not necessarily concerned with which side individuals took in this controversy, I am struck by how YouTubers, and even members of wider society (including popular media), have demanded authentication of the identities portrayed within this virtual social space. Whereas in online financial transactions authentication is top-down, from institutions to users. Authentication in the context of the examples provided from YouTube, indicate that demands for authentication in communication transactions is more likely to be lateral.

Further, after examining the user profile information of selective YouTube participants, I have also come to question whether the lonelygirl15 controversy is really about Bree’s contested identity, given that it is not uncommon for YouTubers to mask their real-life identities. Ironically, even some of those who have rebuked lonelygirl15 are not forthcoming with their true identities, often providing inaccurate user profile information. Rather than these controversies being about authentic identities, I believe the controversy is more rooted in the authentication of the medium used to present video clips such as the lonelygirl15 storyline (vlogging) or the wig out bride. While the traditional medium of movie and/or film may be understood as fictional, the vlogs and viral videos presented on YouTube, for the most part, are conceptualized as authentic, and surely the creators of lonelygirl15 and the executives at Sunsilk Canada have intentionally exploited the authenticity of the YouTube medium.

Recently, a reporter asked an advertising executive whether ‘net seed’ clips such as wig out bride are going to become the ‘new normal’ of advertising. If they are, and if the post-911 ‘new normal’ is any indication of the events to come, I conclude my commentary with the following questions: Will YouTube.com become a virtual battleground, and will YouTubers become the foot soldiers in a ‘war on authenticity’?

References:

BRANDS, S. (2005) Authentication. Available online at: http://www.idtrail.org/files/Authentication_Brands.pdf

LOFLAND, L. (1973) A world of strangers: Order and action in urban public space. New York: Basic Books.

LYON, D. (2001) Surveillance society: Monitoring everyday life, Open University Press; Philadelphia.

Patrick M. Derby is an MA Candidate with the Department of Criminology, University of Ottawa.

It is increasingly commonplace for video of events, captured by ordinary individuals, to make the news. With the ubiquity of camera phones, the likelihood that someone will be on hand to record incidents otherwise lost to the news media increases significantly. To give an illustration, in the first week of January, a Nova Scotia cabinet minister was forced to resign when the media broadcast images from a cell phone video which showed him leaving the scene of an accident. The video was captured by a witness to the accident.

Examples like this are only one variety of so-called citizen journalism, which can take many forms. In some cases, citizens capture video, or provide commentary on news stories to major media outlets which report and communicate these contributions alongside their professionally prepared content. In other instances, individuals or collectives become the news intermediaries by creating alternative web sites to disseminate news or information on the theme or topic of their choice. Individuals may also dispense with intermediaries entirely, and create their own blogs, or post video footage or verbal commentary on their own website or on a content-sharing forum such as YouTube. These phenomena have given rise to a lively debate about the very nature of journalism.

Citizen journalism raises interesting privacy issues. Online video footage, photographs and even written commentary can feel extremely invasive of one’s private sphere. This is particularly the case where one has no expectation that one’s activities are being recorded. Yet in Canada, for example, legislation such as the federal Personal Information Protection and Electronic Documents Act (PIPEDA), the Personal Information Protection Act (PIPA) in each of B.C. and Alberta, the B.C. Privacy Act, (to give a few examples), contain exceptions for information collected, used or disclosed for journalistic purposes. These exceptions from basic privacy norms recognize that the public interest in news events will tend to outweigh individual privacy interests.

What is news, then? And what is journalism? Is it anything that takes place that someone considers worth reporting or worth reading about? Or is news defined in terms of either who gathers it (journalists) or who reports it (established media). To a large extent, the legislated exceptions from privacy legislation mentioned above seem premised on a particular understanding of journalism – one that involves an executive editorial control that acts as a filter for inappropriate content, and that follows accepted norms for news reporting. Yet there is a push in some quarters to recognize ordinary citizens acting as news intermediaries as being engaged in journalism. (See, for example, the discussion by Michael Geist in “We are all Journalists Now”, http://www.michaelgeist.ca/index.php?option=com_content&task=view&id=1280)

Where citizens send their cell phone videos to news outlets to be broadcast as part of television news programs, the result can be characterized as traditional media outlets expanding the scope of sources on which they rely for news footage. The screening mechanisms, quality control, verification measures and so forth, presumably remain in effect. Thus it is likely that cell phone footage broadcast over television networks will benefit from journalism exceptions in privacy legislation.

The situation is less straightforward, however, when so-called citizen journalists avoid the intermediation of professional news outlets and offer their footage online by posting it on private, non-professional news sites, on content-sharing sites such as YouTube, or on their own personal websites. Absent the formal infrastructure, do their activities constitute journalism? To put it another way, do the exceptions protect an industry, or a particular kind of activity? And if it is the activity, then is there a basis for distinguishing between activity that merits the label ‘journalism’ and that which falls below the unarticulated standard? (And here again, a journalist might be defined in terms of the acceptance of their work by an established media industry). It is interesting to note that in a recent decision from the U.S. District Court of South Carolina, a judge, in considering whether a blogger’s comments were ‘journalism’ proposed a functional analysis “which examines the content of the material, not the format, to determine whether it is journalism.” (BidZirk, LLC v. Smith, April 10, 2006).

Of course, with a statute such as PIPEDA, which only applies to the collection, use or disclosure of personal information in the course of commercial activity, making one’s cell phone video footage freely available to all interested parties does not trigger the application of the Act in the first place. B.C’s PIPA does not apply to a person acting in a “personal capacity”, whatever that might mean. (If someone is not acting in a “personal capacity” when they post video footage of events online, then in what capacity are they acting? Is it necessarily journalistic?) It also does not apply where the collection, use or disclosure is for journalistic purposes “and for no other purpose” (Query: what is a journalistic purpose? Is it just to see something in print, or does it include a desire to right a wrong, see justice done, fight crime, fight pollution, etc.? If these goals are part of the purpose for posting footage, for example, then is this a journalistic purpose alone, or a journalistic purpose combined with some other purpose?) B.C.’s Privacy Act, which creates a cause of action for a violation of an individual’s privacy rights, provides that a publication of material does not violate privacy if “the matter published was of public interest”.

The wording of these various exceptions raises interesting questions about the scope and purpose of journalism exceptions in privacy legislation. Is the goal to allow an industry to continue to operate in its customary manner? Or do the exceptions serve a broader public interest objective? The B.C. Privacy Act (to use an example) focuses on the issue of the “public interest” in determining whether a publication is a violation of privacy rights. With cell phone footage posted online, therefore, the issue under might be whether disclosure of the footage served a “public interest”. One may wonder whether the choice by the drafters of such statutes as PIPEDA or PIPA to use “journalism” as the basis for the exception aims to capture more than simply the public interest. In other words, is it possible that those statutes focus on a more traditional concept of journalism which assumes the added protective layer of editorial choice and unwritten norms or conventions?

Some say citizen journalism will ultimately make politicians, police, public figures and corporations more accountable, as they can no longer assume that their conduct will remain largely insulated from public view. However, others raise concerns about the impact of some forms of citizen journalism on personal privacy. They note that the targets of such journalism may not just be public figures and institutions, but may be private citizens captured committing minor infractions in their course of their daily lives. For example, if municipal by-laws say that trash cannot be put on the curb until the morning of pick-up day to prevent animals from getting into the trash and making a nasty mess, does a person who puts their trash out the night before deserve to have their photograph posted on a website which denounces those who contribute to urban pollution? Perhaps they do. But the level of exposure may be more than is warranted by the public interest. It might expose that individual to a backlash that is out of proportion to the offence. It is also not particularly nuanced; it does not all for a consideration of the “other side”. Is there a difference between journalism and vigilanteism? In Oklahoma City, one man decided to post on his web site video footage of johns soliciting sex from prostitutes in his neighborhood in an effort to combat prostitution in his neighborhood. (http://showmenews.com/2006/Aug/20060817News023.asp) Is this citizen journalism or vigilanteism? Or a bit of both?

To side track for a moment, it is interesting to consider the debates that have arisen regarding the online publication of court decisions. The publication of court decisions has always been an important part of an open and transparent system of justice. However, the impact on individuals of the internet publication of sensitive personal information has required some modification of this general principle of openness. The Canadian Judicial Council (CJC) has developed a protocol for the drafting of reasons for judgment by judges which is intended to balance the principle of openness with the reasonable privacy interests of litigants. (http://www.cjc-ccm.gc.ca/article.asp?id=2814) Yet in the absence of a court-ordered publication ban, the CJC would only restrict the publication of personal information in court decisions in the most extreme circumstances:

Of course, the publication of judicial decisions is not citizen journalism. The motivation towards openness in the reporting of judicial decision-making is supported by both a strong sense of an underlying public interest that is being served, and confidence in a professional and accountable judiciary. To return again to the journalism exceptions in privacy legislation, perhaps it is a sense of the public interest served by the professional news media combined with a certain confidence (whether warranted or not) in the professionalism and accountability of the established news media that lies behind the legislated exceptions to privacy norms in the collection, use and disclosure of personal information. If this is the case, then citizen journalists should be wary.

Teresa Scassa is Associate Professor and Director of the Law and Technology Institute at the Dalhousie University Law School.

Events deemed “national emergencies” have long provided justification for infringing civil liberties. In some instances, “security concerns” have led to the complete revocation of even basic rights, as was the case during the World War II internment of more than 22,000 Japanese Canadians on the basis of an alleged security “threat.” As we are well aware, “security” against the “terrorist emergency” has become the unofficial trump card of the post-9/11 world.

As a result of ballooning security issues and the threats that security “solutions” often pose to privacy interests and civil liberties, understanding the tension between privacy and security has grown both increasingly important and progressively more troublesome. In response to escalating levels of unwelcome surveillance and the scores of other unsolicited, privacy-invasive practices that pepper our day-to-day lives in the name of security, privacy advocates continue to call for appropriate limits on privacy-eroding laws and technologies that threaten to eat away at our privacy interests and civil liberties.

In the Netherlands the government has proposed a public ban on covering the face with clothing such as the burqa, the Islamic head-to-toe robe. Similar restrictions have been suggested, and in specific contexts are in place, elsewhere in Europe. For Dutch leaders in a government facing re-election, the issue reflects contemporary religious and political conflicts, however miniscule the number of effected women. But the issue goes beyond current events to broader questions involving expectations about public behavior.

In modern societies the law is relatively clear about the rights others have with respect to the image an individual offers in “public”. Unlike some traditional societies in which the eyes must be averted or where veils are mandatory, in our culture appropriate looking is permitted (and can even be a sign of respect). In Canada and the United States what can be seen in public can also generally be photographically captured.