August 19, 2013

Why privacy laws should be based on data use, not data possession

For years I’ve argued three points about privacy intrusions and surveillance:

Since that last point is still very much a minority viewpoint,** I’ll argue it one more time below. 

*There are actually two papers at the same link. The first 17 pages contain the one I cited as supporting the chilling effects point, and …

**… the second paper is a rare case of somebody else making the use-based controls argument.

Whether or not you personally believe that terrorism is a Big Scary Deal, a largish fraction of your fellow citizens long will. After all:

The obvious conclusion is: Anti-terrorism-oriented surveillance will be with us for a long time. Privacy controls will not be accepted if they (seem to) much hamper governments’ attempts to forestall terrorist acts. That eliminates the possibility of sweeping “Keep the government in the dark” kinds of laws.

Privacy observers nonetheless hope that data-flow controls alone can strike the needed balance between:

But I think their hope is vain, since technology is now much too complex and fast-changing for such rules ever to be gotten right. In particular:

The biggest point that most privacy commentators underestimate may be this: Monitoring of our daily activities is on track to become utterly pervasive, and foregoing this monitoring would require sacrificing a large fraction of future technological progress. Most of what we do leaves electronic trails, and most of the rest will before long. For example:

And whatever data is gathered, it all — or at least all its significant bits — will be collected and analyzed in the cloud, where nosy governments will find it easy to access.

The story gets more confusing yet. Besides the Vs of “big data” itself — volume, velocity, variety and so on — there are also the vagaries of “data science”. For the purposes of this discussion, it is reasonable to caricature modern analytics as “gather a lot of data; shake vigorously; and see what conclusions fall out”. My point in saying that is — you don’t know the consequences of letting somebody have some data until after they’ve thrown a range of machine learning techniques at it. And so, for several reasons relating to the difficulty of technological analysis, lawmakers, regulators and judges don’t have a realistic hope of establishing appropriate rules about possession of data, because they can’t predict what the consequences of those rules will turn out to be.

It’s always been the case that lawmakers are a bit slow in adapting to new technologies, while judges don’t prohibit privacy intrusions until the needed laws are (somewhat belatedly) written. I hope I’ve shown that, with the intensity of the technological change and the fears of terrorism, the gap this time will be much wider. But the story gets worse yet, because there already are instances in which legal enforcement of privacy has gone too far. First, there are the cases when privacy is used as pretext for bureaucratic or other official nonsense. I’ve vented about that in the past over the case of medical care and HIPAA; police harassment of citizen observers may be a more serious problem, although that depends on how jurisprudence eventually shakes out. Second, medical research is seriously restricted by privacy regulations. Depending on how privacy rules shake out, it is easy to imagine other forms of research — including national security or anti-terrorism! — being inhibited as well.

I don’t think that possession-based data controls can overcome these myriad challenges. So why am I hopeful that use-based ones can? Well, consider the use-based privacy control guidelines I recently offered:

Maybe what I’m suggesting are exactly the right rules; maybe they aren’t. But in any case, they — or rules like them — don’t depend upon the specific kinds of data source or analytic technique covered. And so they can be robust against unforeseen developments in the collection, retention or analysis of data.


8 Responses to “Why privacy laws should be based on data use, not data possession”

  1. Robert Pope on August 19th, 2013 12:56 pm

    Curt, another great post. Clearly stated logic on a complex topic.

  2. Mike on August 19th, 2013 1:45 pm

    Curt, It has been demonstrated that certain governmental organizations do not follow existing rules and then lie to Congress under oath about them. So in order for any new laws to have any effect, it must have teeth, an “or else…” that is sufficiently threatening BOTH to the organization and the individuals involved that they would not dare break the rules. What is the “or else…” you propose for (1) breaking the law; (2) covering up such illegal activity; (3) perjuring oneself about it? For example, would running afoul of such law and hiding it cause total defunding of the agency for 5 years, criminal prosecution of all individuals involved and banning the hiring of all individuals from the agency by the government for 5 years? I realize that this is step 2 of the thought process, but without mandatory penalty for BOTH the agency and individuals any “laws” are merely suggestions with no recourse.

  3. Curt Monash on August 19th, 2013 1:53 pm


    One big advantage of my suggestions is that they’re more enforceable than the alternatives. Current rules say “You can’t secretly tap the Internet for email contents.” Mine say “You can’t introduce email contents into evidence in open court.”

    I should have said that already in my post. Thanks for nudging me.

  4. Mike on August 19th, 2013 2:15 pm

    Curt, Evidentiary limits are insufficient when the police (or others) simply “recreate the investigative trail”

  5. Curt Monash on August 19th, 2013 10:26 pm


    That’s not very responsive to what I said.

    You’re complaining — correctly — that the government lies about its secret investigations. I’m saying that controls should be applied at points when matters necessarily get non-secret.

  6. Surveillance and privacy intrusion — further notes | DBMS 2 : DataBase Management System Services on September 17th, 2013 7:37 am

    […] privacy intrusion do, of course, have real benefits. That’s a big part of why I advocate a nuanced approach to privacy regulation. Several of those benefits are mentioned […]

  7. Misconceptions about privacy and surveillance - Sports Forums on September 16th, 2014 9:54 am

    […] for asking! In answer, see for example links at the bottom of that post, such as Why privacy laws should be based on data use, not data possession | DBMS*2 : DataBase Management Sys… and What our legislators should do about privacy (and aren’t) | DBMS*2 : DataBase Management System […]

  8. Notes on machine-generated data, year-end 2014 | DBMS 2 : DataBase Management System Services on January 9th, 2015 12:24 am

    […] core arguments about privacy and surveillance seem as valid as […]
