February 13, 2012

Ethical Issues in Information Technology - III

The Question of Privacy

On 10th January 2010, Mark Zuckerberg, the founder of Facebook -- the world’s largest gossip and chit-chat facilitation platform with nearly a billion active members, in a six minute interview on stage with TechCrunch founder Michael Arrington told a live audience that if he were to create Facebook again today user information would by default be public not private as it was for years. This statement highlights an issue that has been debated in IT forums for a very long time.

To put things in perspective, let us first identify the three types of channels through which personal data is revealed :

  • Deliberate disclosure : when someone deliberately reveals information about oneself while applying for services like bank loans and employment, during medical investigations and under statutory requirements like tax returns.
  • Deliberate investigation : when someone, for example market research professionals, investigative journalists or the police, deliberately gathers information about an individual for reasons that may be bonafide or malafide depending on the perspective.
  • Passive accumulation : when someone by virtue of his behaviour -- that includes presence, actions, purchases, comments, preferences and so on -- inadvertently reveals information about him that is observed, recorded unobtrusively and analysed by others for reasons not directly associated with the behaviour under observation.

None of these three channels are exclusive to or have been created by information technology but the usage of IT products and services has significantly expanded the bandwidth, or capacity, with which these channels can operate. What this means is that the ability to collect, store, analyse and disseminate or otherwise exploit this information has increased to such an extent that any inappropriate usage of this information can have consequences that can adversely impact a large number of people.

Ethical questions crop up on the issue of what is appropriate and what is not. For example ..

  • Using personal financial information is appropriate for deciding on the eligibility of bank loans but may not be appropriate for sending unsolicited offers for lifestyle products like TV, washing machines or camcorders.
  • Intercepting private communications -- telephonic or email -- between people suspected of terrorist inclinations may be appropriate for ensuring security but would not be appropriate in the case of individuals involved in romantic dialogue or in the case of a company submitting quotations against a Government tender.
  • The fact that a person has subscribed to the Facebook page “LGBT” may be appropriate while deciding upon whom to invite to a rainbow parade but may not be appropriate for, say, short listing applicants for employment.

An even larger question is, not what is appropriate, but who decides what is appropriate ? In each of the cases mentioned above and in all other similar situations while there will always be someone who believes that the usage of the information is appropriate and there will, in general, be someone else who believes that it is not. What is worse is that there will never be an unambiguous and objective way to determine who is right except of course in the case of a narrow set of situations where the law of the land takes an explicit stand.

Since there are no clear answers to either of these questions, the focus shifts on finding ways and means to minimise the impact of disclosure or at least the surprise associated with the disclosure of personal information. If a person is aware that his personal information can or will be disclosed he is less likely to be impacted by the disclosure. More importantly, if he is allowed to control the quantity and quality of the information that is being disclosed then the onus and responsibility for any adverse consequences of the disclosure can be safely shifted to the discloser who is also the possible victim.

How is this done in practice ? There are two approaches that can be followed for collecting data legitimately

  • When personal data is being provided voluntarily, the recipient of the data should make it clear to the provider the purpose for which the data is being acquired. Should the recipient intend to use the data for purposes other than for what it is being acquired then an explicit permission to do so should be sought from the provider of the data who in this case happens to be person about whom the data is being collected. 
  • When behavioural data is being collected unobtrusively, this fact should be made explicitly clear to the person about whom the data is being collected so that he, if he chooses to, may modify his behaviour to the extent that it conceals or reveals what he wants.

Issues related to deliberate collection of data is easier to handle. If personal data has been released or collected using either of the techniques described above then collecting this data either from the legitimate owner of the data or from the public domain, if the legitimate owner has placed it there, is perfectly acceptable. This is the basis of all legitimate market research and demographic studies. Any other way of collecting data, including but not restricted to patently illegal activity like hacking – unauthorised access to computers and communication equipment for the purpose of extracting or modifying data – is totally unethical. Rupert Murdoch’s hundred year old bestselling publication “News of the World” had to cease operations in 2011 when confronted with evidence of this illegal activity.

Even easier to address is the issue of personal information obtained by statutory bodies, like the police or other Government agencies, on the basis of explicit rules, regulations and laws. Whether an individual wants it or not, these agencies have the explicit legal mandate to, for example, intercept telephones and email, demand information from service providers like banks and telephone companies, or as in the case of Census or in issuing PAN or Aadhar numbers demand personal information on income, address and even biometric parameters like fingerprints and iris scans.

But while this issue is easy to address at the operational level -- the immediate transaction that results in the collection of data is immune to ethical or legal uncertainty -- the larger issue of whether the law is right or not or whether there is an adequate safeguard against misuse is always a matter of great debate. While there are many reasons why personal data should be collected by Government and used for benefit of society as a whole, there is also enough evidence of totalitarian and non-representative governments that have used such data for activities that are prejudicial to welfare of the population at large.

To be continued. Part III of IV

No comments: