Privacy

This is a thread to discuss privacy in a broad and general context. Feel free to discuss and share anything and everything relating to privacy. What it means to you. Tips and tricks for protecting it. Privacy-related news.

What is Privacy?

There’s no simple answer, besides the rather succinct and somewhat unhelpful fact that it is a basic human right.
The dictionary broadly defines privacy as a state in which one is not observed or disturbed by other people. In reality, privacy can mean different things to different people. Privacy in nature is a very personal thing because we each have different boundaries; thus, so is how we define it. In short, it depends on who you ask! What is privacy to you?

Here’s a short video that broadly covers the concept of privacy in an ever-growing digital world:

Or a more private version of the video:
https://media.privacyinternational.org/w/7zVySBTDcJUpe3YqoAZK1x?start=0s

One of my favourite takes on privacy comes from this Steve Jobs interview. I liked it so much that I even quoted and referenced it in my opening summary for the consent part of the privacy component of the thesis I wrote on privacy and security for one of my degrees.

Full interview here for those interested:




Now that we have a vaguely broad understanding of the concept of privacy, let’s discuss it and share resources!

6 Likes

“People Know what they are signing up for”

That has to be the quote of your post, and something that many don’t seem to grasp.
Yes, it can be argued that phones, banks, etc can already collect an awful lot of data, but by being careful, we can choose how much data we let them have.

To me, privacy is probably how you describe the dictionary definition.
Or simply put, to be left alone to live my life how I want to with the minimum of interference from outside influences. (obviously within the law)
I hope that makes sense. 🙂

2 Likes

This is such a crucial component! Most privacy violations stem from not knowing what you’ve signed up for.

The usual cop-out is you should have read the terms. But if we’re being brutally honest, who actually has the time to read every legal document for everything we sign up for? Let alone grasp it and actually understand it.

There’s been a pretty big paradigm shift in recent years from a lot of corporations to make this better though. We’ve seen companies overhaul their privacy policies, making them shorter, removing jargon, and emphasising the important components. They’re getting easier to read and that’s a good thing.

I don’t think it’s enough on its own though. But there are more initiatives that go beyond this, and they’re fantastic to see, though again, I still think there’s more to do. Apple in particular do a great job here. Next time you set up a new device, do it from scratch and don’t check the recommended settings box.

For every feature it needs to set up, you’re presented with concise but very informative excerpts from the privacy policy that relate to that feature and what it means for you if you enable it. They do this for almost each and every feature. I think it’s a great example of where we should be heading. It takes a few minutes longer to set everything up, granted, but it’s much faster and easier to understand than reading a privacy policy. And it means we know what we’re signing up for before we sign up for it.

Another great step forward are the privacy nutritional labels for apps. In my view, this ought to become a standard and be applied to the web and search engines and their results too. I didn’t expect these to have much of an impact on the apps I used, but they have. It’s alarming to me how much I was handing over to some apps without being aware of it.

I think everything should have a privacy nutritional label. It’s a very concise way of conveying what you’re signing up for. And if something doesn’t look right to you, you can read more into that one component rather than read through the entire policy.

4 Likes

I think the definition you have quoted about being observed or disturbed is too broad to be used in the specific context of our human rights privacy. Using that definition would imply that someone looking your way while you were on the street was some sort of violation of a human right.

We all live in a society, total privacy is both impossible and undesirable. In everyday life ‘privacy’ is often secondary to just living like normal human beings. You can knock on someone’s door. You can photograph someone walking on the street. If you find someone’s wallet you are probably going to look into it to see who it belongs to. Then there’s all sorts of legal or moral reasons to justify much greater ‘intrusions’ - if social services are worried about a child they may need to question the parents and ‘invade’ their home, even if they turn out to be doing nothing wrong, child protection trumps a family’s right to a private life (this is more a personal opinion than a legal one by the way).

Morally I think it becomes an issue when there is a significant affront to your privacy, and I think that is bad when it wasn’t justified in any way. Unfortunately in the digital world, abuse of privacy became so commonplace that now we are on the back foot trying to recover some sense of personal privacy online.

The dangers of online privacy being lost though, I think they are greater than just what might happen to a single person. Mass surveillance and data collection combined with newer analysis techniques can be used to control populations, manipulate elections, as an incredibly powerful tool of suppression for autocratic governments. For me that’s the key, I’m extremely cautious with my online privacy in terms of what data I give to companies, but it’s not because they might send me a ‘more relevant advert’ or whatever, it’s because I want to avoid contributing to an ever growing pool of information that collectively gives the power of near total control to a very small number of people.

3 Likes

Yeah, I did consider sharing Privacy International’s definition as a baseline for the context we’re discussing here as it’s probably the most appropriate, but ultimately decided to share their video instead. More out of curiosity for how others define it, and what it means for them than anything. May be worth sharing anyway!

https://privacyinternational.org/explainer/56/what-privacy

2 Likes

So here’s an interesting one, I received the following text message from Currys over the weekend:

Hi there! Your tech will arrive Fri 07 Jan.Ref:##### We’ll send you a reminder nearer the time. You can track its progress at
https://trackit.currys.co.uk/

I haven’t ordered anything from them, so I went onto the website and put in the reference number and I could see an order from another customer being delivered to another address. My guess is that they entered their phone number incorrectly.

I contacted Currys via Twitter to let them know the customer’s error and asked them to remove my phone number from the order. They replied with the following:

Thank you for letting us know.

We would be unable to remove the contact number without the named purchaser contacting us to request this. I would advise removing/ignoring any future messages.

So I then went back mentioning GDPR and the right to erasure, once again asking for my number to be removed from their system. They came back with the following:

Hi, you can request any information that we hold under your name and address to be removed from our system. However, as you have mentioned this number is under someone else’s details.

I’m not fighting this any more, I have far more valuable things to be doing with my life, but it did leave me wondering, who was right here? Currys seem to think that because my number has been stored under somebody else’s name, it’s stopped being my data and I have no right to have it removed.

In my eyes, my data is my data and they should be honouring my request to have my phone number removed from their system.

2 Likes

I would say GDPR doesn’t apply because your phone number doesn’t personally identify you.

But it does seem a bit backwards from Currys. It happens to us at work and when it does, you go and remove the mobile number. Simple really.

3 Likes

Your phone number can, in some cases, personally identify you though. Could be problematic when Currys suffer a data breach, it’s partly why I have so many VoIP numbers that I can just burn compromised numbers. I might write an in-depth post at some point that goes into detail on exactly everything I do to protect my privacy, though I’m sure lots will be overkill for most people, but may be interesting to share.

Your data is your data, so in my view, you’re in the right here. I’m not sure about GDPR, but PECR does protect you if Currys go on to use this to send you marketing messages. At that point you could issue a notice before action and if they don’t respond or do what you ask you could take them to the county court and very likely win.

Asking you to just ignore future messages isn’t a good enough response. Unsubscribe buttons in emails don’t stop companies being in violation of PECR either.

I’m not a lawyer, but this has me curious if our EU right to be forgotten still applies in the U.K. now we’ve left. If it does, you have a legal right to have this data permanently deleted from their system, even if it’s not associated with your account. I’ve done this dance with a lot of companies. Front line support might not be able to help you, but they should be able to escalate you to someone who can. Just be prepared to prove your identity and prove the phone number is yours.

1 Like

I’d stand with Currys on this one. They have an unknown voice on the phone quoting law at them and telling them to remove data from the records of one of their customers. There’s no way they can validate the correctness or otherwise of the instruction and can’t update customer records on the say-so of someone else anyway.

I had the same with a US bank where someone had opened an account using my email address.

2 Likes

This is all really interesting, thank you for your responses. As I say, to me personally it’s not that big a deal to be worth my time chasing (for now anyway), so I’m not going to fight it any further.

I do still wonder why legalities aside, they don’t just remove the number. Surely the fact I’ve got the reference number in the first place should be proof enough that it’s my number, and if they’re still questioning it, they can just dial the number and I’ll pick up.

It would have been interesting (if you were a dishonest person, which I don’t think you are) had you tried to pick up the parcel.

You’ve got the reference, you know the store and you’ve got ‘proof’ of it being yours on the message. “Sorry, I don’t have the email on my phone”

2 Likes

Not quite. You could have performed a SIM swap attack on someone. Though who in the world would do that to intercept a Currys reference just to get the number removed from the account!

For what it’s worth though, in the past when I’ve executed my right to be forgotten, I often only ever had to prove my identity, not that the data was mine.

To give you an example, back when I had Twitter (the first time), a friend posted a screenshot of my contact card, I suspect to wind me up, because our friendship broke down when they refused to remove it. They were trying to make the point that I shouldn’t be so serious about my privacy because no one cares. Until the boyfriend of someone who I played Halo with back in the day turned up at my house making death threats (the final straw that cemented the idea of selling up and leaving England). They must have searched my gamertag on Twitter and found the screenshot.

I’d failed to get the tweet removed in the past, because per their privacy policy, none of the stuff in the screenshot was considered private, even if it was personally identifiable enough to be used to track down where I live. Something they actually rectified after I made my claim the second time, this time exercising my EU right to be forgotten. I didn’t need to prove the data in the tweet was mine.

1 Like

I like this definition but to me it describes two very different types of privacy and therefore is too broad. I think that is where some of the frustration comes from when privacy is discussed or abused as people can be scrutinizing different elements of privacy.

There are some occasions where I might consent to being observed but not disturbed e.g. a fitness app with notifications turned off.

Or other occasions where I might want to be notified but not personally observed. e.g. a mass warning in an emergency.

I’m trying to come up with satisfying separate words that describe these two aspects but I’m struggling.

To me, privacy relates more to not being observed, rather than not being disturbed, although that is valuable to me as well.

2 Likes

I think if it were up to me, I’d affix without consent on to the end of the dictionary definition. It keeps the definition just as broad and all encompassing, but it adds on the often forgotten but crucial concept of consent, especially in the context of digital privacy. It’s hard to emphasise just how important consent is in relation to privacy unless you make it part of the definition.

Consent is what affords us the ability to choose our privacy boundaries. In your example it’s the thing that allows you to choose to be observed but not disturbed, or vice versa.

I get what you mean though. The dictionary definition focuses more on the state of privacy rather than privacy as a human right. You experience privacy when you’re not observed or disturbed, granted, but in the context of human rights, it’s more about who you protect those boundaries from than the boundaries themselves, I think.

I suspect most people will have similar criticisms with the dictionary definition. It’s partly why I’ve used it here. It’s a foundation folks can build off from to define what privacy is for them. I like yours, and I think most people will be pretty close to your wavelength there.

1 Like

Let’s talk about someone coming to your house uninvited.

If they knocked on the door, I wouldn’t say that’s invading my privacy, even if that knock disturbed me. But if they peer through the window to see me playing with my wi xbox, I would say that’s invading my privacy.

3 Likes

I don’t think that’s part of the definition of privacy itself though. Just because I invited these twenty guests over, doesn’t mean I have privacy now 😄

Part of the dictionary problem is, it doesn’t tell us much about digital privacy at all. If someone is storing all your personal data, or an algorithm is using cookies to send you ‘more relevant adverts’, that’s not really observing or disturbing you at all.

1 Like

Sounds like someone’s being a jobsworth.

The issue isn’t actually anything to do with GDPR - as noted, it’s not PII.

However, where I work, if someone submits incorrect contact details, we remove said details once we know they’re wrong, so we don’t keep trying to contact the wrong person. We’ll also put a note on the file. Common sense says something similar should have been allowed to happen here.

2 Likes

It’s not, but for me it would fit better with what I think privacy is for me.

In your example, if I’ve consented to all those folks coming over, sure I have no state of privacy, but those privacy boundaries haven’t been crossed either. They’ve been adhered to.

I think Cloudflare have a good description on data privacy here though:

https://www.cloudflare.com/en-gb/learning/privacy/what-is-data-privacy/

1 Like

Emphasis mine. This is part of my frustration with the definition though, with the term being so broad it’s hard to be specific on how much or what elements you are mandating or consenting to.

1 Like

I’m not sure I agree with that honestly. The definition is broad in the sense it is free from context, and I think that’s important! It means you can take it as a concept and apply it to virtually any context. I can see why that’s frustrating though.

If we take it in the context of data privacy for instance, it’s all about observation.

As Cloudflare put it in the link above:

Data privacy generally means the ability of a person to determine for themselves when, how, and to what extent personal information about them is shared with or communicated to others.

Data privacy is about having control (the ability to consent) over organisations collecting and sharing (observing) your personal information.