I attended two sessions on privacy yesterday and today. The first one was on Privacy, Literacy and Social Networking and the second today, was on Privacy Protection, Openness and Online Behavioral Targeting Advertising.
Both raised interesting points and approaches to the issue of privacy in a networked society. At the last IGF, privacy was a concern, but I definitely noticed a visible escalation of its importance this year. And it's being closely linked to the area of social networking (with an entire main session dedicated to it as an emerging issue), businesses and of course, young people.
There are some basic premise from which the discussions build from. Firstly, we are living in an increasingly networked world, with convergence of technologies, spaces and purposes. Not far off the mark. I have a biometric identity card that I am required by law to carry around with me at all times, a number that is tracked and necessary for all formal (and increasingly informal - do I need to give my ID number just to buy a movie ticket online?), which also gives me the option to top up my credit for toll payment and car park, services which are contracted to private entities.
Second, that young people are more intimate and familiar with this networked world and for them, its not an innovation, simply a reality. Very probably.
Third, that these networked environments are able to access, store, track and consolidate an immense amount of data about the user, which is not as closely scrutinised or interrogated in terms of how it's being shared, used, stored and controlled as should be the case. I don't know enough about current laws and policies to be able to say definitively yes or no, but am willing to risk it and say fair enough. And absolutely yes in my national context (the current draft of the Data Protection Act that's been discussed for 10 years is currently under the Official Secrets Act - lovely).
So, enter the debate. What should be done? And maybe to backtrack a little, what's the harm? An example was cited in yesterday's session, about a teacher-in-training who put up a picture of herself on a social networking site, holding a plastic cup with the caption "drunk pirate" accompanying it. She was subsequently unable to get employed as a teacher because surprise, they googled her, found this picture, and passed a judgement. The last point is important, since as remarked by Wolfgang Kleinwaechter, norms change. Those who make decisions in the future are those who grew up with social networking platforms as a reality. They might decide that *not* having a drunken picture of you somewhere when you're in your 20s is reason for not employing you. So not to take these moral lessons too literally.
I liked that point. Because it complicated an assumption, and did so by recognising children have agency and power - more than helpless things needing protection or "education".
Wolfgang spoke about how personal data constitutes a person's identity, and that it is the individual's responsibility to manage hers/his own identity. It is property that is owned by the individual, and that cannot be owned by any other body even if it is stored or located there. Therefore, it is the individual's responsibility to make a decision about what to do with one's own property/identity, which cannot be relegated to any other body, such as the State (through regulation) or the private entity (through contracts or implementation of technological solutions).
An interesting point, but I would take a slightly different slant. I agree that every person should be able to exercise control over their own personal data. But not so much because it constitutes as property, but as a part of their embodiment in the digital age. In other words, expression, representation and action that are transmitted and exchanged online also constitutes part of the "Self". When I write, populate a social networking space with pictures of myself, engage in conversations, play games - they are all productive moments that constructs a discursive subject of who "I" am and who "we" are, which is as embedded with symbolism, lines of power and norms as they are in face-to-face encounters. I can't say that these are simply words or pictures, separated from my person the moment they enter an interface. Likewise, If I walk around without my biometric identity card in the streets of Malaysia, I cease to become a legitimate "person". The "me" that is represented in these data, have also become a significant part of who I am, what I am able do and the consequences of this.
This becomes clearer in the context of sexuality and sexual violence. The sexed body in a networked context is also a body that is at the same time material, discursive and digitised. If a partner takes a picture of me in an act of sexual intimacy, then puts it in another space without my permission - it shifts both the context and the productive encounter. This is a violation not just of my privacy, but of my bodily integrity and dignity.
This makes me think about kinds of violence against women that finds huge challenges in getting recognition. For example, stalking, or even acts of emotional and psychological abuse in instances of domestic violence. Where the physical body does not manifest physical harm, but can have a lasting impact on a person's state of being, her sense of security, capacity to move around freely without the fear of immediate violence and . Can this be said as just being a case of violation to her property and identity? Or an act that violates her very personhood? In other words, the concept of privacy is shifting from space to embodiment.
So if embodiment is as distributed as the internet, and if governance is similarly distributed, then this also has implications on both conceptualising the "problem" and in identifying points for intervention in terms of who to hold accountable for what, and who has duty to protect what kinds of rights of which versions/parts/persions of the self-same person?
The Civil Society Madrid Privacy Declaration has been forwarded several times as a global privacy standard that calls for more comprehensive policy and legislative responses to the issue of privacy. Article 9 of the Declaration calls for a cessation of surveillance technologies that further translate, diffuse and digitise the body as data. This was also a point raised at the first workshop I attended. The right to "delete" and to "forget". Where instead of assuming and enabling data to continue to proliferate and perpetuate - decaying at a much delayed rate than the physical body (which is a curious phenomena in itself) - there are rules, regulation and technical protocols that allows people to control the duration of time in which data exists. Imagine everytime you post something, you have the option of clicking "this data and copies of it will only exist for 1 day, week, month, year, etc".
Interesting, but I'm not sure if it works. It doesn't speak to people's investment in ides of immortality and of multiple, contradictory personhoods both online, offline and in between. There's a lot more to think about from this point onwards, but at minimum, the capacity to exercise as much control as possible over my personal data is the most basic aspect of any approach to privacy. If I cannot control what happens to my body, then I have no right to privacy.