Privacy Harms vs. Covert Surveillance (Part 1)
The origins of data privacy law for engineers, a "privacy 101"
I remember talking to my operating systems professor one day after class about surveillance technologies. Nobody in the government, the professor said, really has a sense of how quickly technology has evolved and will continue to evolve, how small cameras can shrink while still being able to run facial recognition models, how pervasive practices like license plate detection have become, and how quietly credit card readers have evolved to collect and track our personal data. Surveillance will truly be everywhere. “And your generation is going to have to figure out what to do about it,” he said.
To some extent, we are figuring it out. In 2018, two major pieces of privacy legislation arrived: the EU's General Data Protection Regulation (GDPR) became enforceable in May 2018, and the California Consumer Privacy Act (CCPA) was signed into law that June (it took effect in 2020). Under the GDPR, regulators have already fined Google 50 million euros (about $57 million) and Amazon 746 million euros.
How much of a role do engineers have to play in these fines and legislation? Our initial answer may be — not much, at least in the drafting of these laws. It is the government that will solve these problems, or so we want to believe.
The professor's answer, however, is that software engineers should not expect the government, and the American government especially, to solve all of these problems. The state is an inefficient instrument of change. Congress could not even unite the public behind a response to a global pandemic; how can we expect it to enact, let alone effectively enforce, legislation on an issue as complicated as data anonymization?
Software developers create the problems in these products. They are the engineers of both the help and the harm. While they are not lawyers, they do sometimes work with lawyers. In the grand scheme of policy creation, the engineer's role is to have a sense of what is practical and what is not, of what is harmful, and of exactly how harmful certain practices are. It is their role to advise both business leaders and public officials on practical steps of action.
The purpose of this series of documents is to give engineers pragmatic ways to address privacy concerns. It will begin by framing privacy in its historical context, since we are a direct continuation of that context. It will also simplify the problems of privacy into two main categories: privacy harms and covert surveillance. While it is a simplification, I have found it helpful while studying these problems to bucket debates surrounding privacy violations into these two categories, since they invoke different kinds of solutions and bring up separate ethical questions.
The origins of data privacy law
Privacy law in the United States originates from tort law, a class of common law (not formal legislation) that deals with civil (not criminal) claims of harm. Torts are claims of undue harm that private entities, like individuals and companies, can file against other private entities when their individual rights have been violated.
"Privacy" was not always discussed in terms of laws and rights. As a legal concept, it was first articulated in an 1890 Harvard Law Review article by Samuel Warren and Louis Brandeis, "The Right to Privacy." The authors argued that tabloid journalism inflicts undue harm on a person's reputation by publishing accounts of their private affairs without permission, and that the law should protect against this by recognizing a right to be let alone.
It took roughly half a century after this initial idea for privacy torts to become established in the courts. Then, as the personal computing era was beginning, Congress passed the Family Educational Rights and Privacy Act (FERPA) in 1974, and later the Health Insurance Portability and Accountability Act (HIPAA) in 1996. These laws restrict schools, health care providers, and the entities that handle their records from freely disclosing an individual's academic and medical data. Such data, once disclosed, can damage a person's reputation and employment opportunities.
These privacy laws protect an individual from privacy harms, but they do not necessarily protect an individual from covert surveillance. These are two different things. The first is concrete, undue harm to an individual's opportunities in life, harm that surveillance can give rise to. The second is the collection and observation itself, which, while some find it morally objectionable in its own right, only has the potential to cause harm.
Clarifying this distinction helps engineers navigate the ethically murky waters of what the public most often means by a "privacy violation." Most frequently, people simply mean "surveillance" when they say "privacy," and overlook the explicit harms. However, the potential interventions and reactions to the two problems, institutional surveillance and privacy harms, are different. Software engineers should know this difference when discussing privacy concerns.
Read more
Origins of Privacy Law (this article)
Covert Surveillance (TBD)