Do you trust your smartphone?
Is there anything you would refrain from communicating or recording on your phone? If so, how do you decide where the threshold is?
Each time we consider disclosing information online, we face an ambiguous and dynamic tradeoff, one we generally avoid even contemplating. And yet there are implications associated with the totality of our disclosure, especially when the Internet never forgets.
Can we say anything meaningful about the risk-reward tradeoff associated with incremental disclosure? My sense is that we can’t say much about the tradeoff but we can frame out the risks in general terms. In this post, I’ll focus mainly on clarifying the risks as I see them. Defining language to characterize the existing risks is the first step along the path to discussing ways to mitigate them.
To describe the general tradeoff, I’m drawn to the term digital vulnerability because of its apt double meaning.
The Internet affords novel possibilities for connection if one is able to show up with vulnerability. By representing aspects of our true selves online, we open the door to connecting with others who share our beliefs, passions, struggles, anxieties, dreams, and aspirations. Irrespective of time and distance, we are now able to discover and connect with our tribes. The opportunities that emerge from these freedoms are profound and continue to reshape the world in fundamental ways.
Without question there are potential downsides to such disclosure as well. Unintended disclosure online can leave us vulnerable to outcomes ranging from embarrassment to life-threatening confrontations. It all depends on the context surrounding the disclosure. For many, certain types of disclosures are simply not an option. Therefore the benefits of serendipitous online connection are not equally available to all.
While we may think of disclosure risk primarily as risk associated with our witting disclosure of information online, simply the act of using online services may expose us to far more risk than we care for. When classifying types of disclosure, I find it helpful to highlight two aspects: the path of disclosure from the user to the service and the user’s awareness of the disclosure.
- Direct versus indirect disclosure distinguishes between disclosure paths that go directly from the user to the service and those that pass through a series of one or more intermediaries.
- Witting versus unwitting disclosure describes the difference between user-initiated or approved disclosures and service-initiated disclosures that the user is unaware of.
For most of us, active management of our online identity occurs through witting, direct disclosure. Meanwhile, unwitting disclosures, whether direct or indirect, are often the ones that create the most significant opportunities for violations of our privacy.
When thinking about threat actors, the primary concerns are service providers and nation-states. For the purposes of this discussion, service providers will be our main focus.
If we wanted to thoughtfully assess the possibility of exposing sensitive information indirectly through an incremental disclosure, we would need to contextualize it relative to past disclosures. What constitutes the totality of the information known about an individual by a service provider? I claim there are three classes of information in any user profile maintained by a service provider:
- Direct disclosures that are made directly to the service,
- Indirect disclosures that are made to any affiliated service that shares information with the service provider,
- Inferred attributes that have been predicted based on the user’s direct and indirect disclosures, user profiles for all users of the service, and possibly other data sources used for enrichment.
The inferred attributes are a source of risk stemming from the information asymmetry between users and service providers that only increases over time. Now that it’s possible to store and retain every bit of measurable data that a service provider can collect, the possibilities for prediction only expand over time. We have no idea what relationships can be easily inferred by the service provider given a particular disclosure on our part. What we may believe is innocuous might be all the information needed to infer sensitive attributes that are obvious given observed patterns at the population level.
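As an added illustration of the three-class profile and of prediction risk (example code written for this post's argument, not the author's own; the population counts, the two innocuous attributes and the sensitive attribute are all constructed), the following shows how a service can condition population-level statistics on a user's direct and indirect disclosures to fill the inferred class, which the user never sees:

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed population-level statistics for 1000 users of a hypothetical service.
# Key: (late_night_activity, pharmacy_checkin, has_condition) -> number of users.
# The counts are illustrative only, not drawn from any real dataset.
POPULATION_COUNTS = {
    (False, False, False): 600,
    (True,  False, False): 150,
    (False, True,  False): 100,
    (True,  True,  False): 50,
    (False, False, True):  10,
    (True,  False, True):  20,
    (False, True,  True):  30,
    (True,  True,  True):  40,
}
OBSERVABLE = ("late_night_activity", "pharmacy_checkin")  # innocuous, disclosed attributes

@dataclass
class UserProfile:
    """The three classes of information a service holds about one user."""
    direct: dict = field(default_factory=dict)    # witting disclosures to the service itself
    indirect: dict = field(default_factory=dict)  # shared in by an affiliated service
    inferred: dict = field(default_factory=dict)  # predicted; never shown to the user

    def observed(self) -> dict:
        # Everything the service can condition on, regardless of how it arrived.
        return {**self.direct, **self.indirect}

def posterior(observed: dict) -> float:
    """P(has_condition | observed) computed directly from the population counts."""
    matched = Counter()
    for (*attrs, has_condition), n in POPULATION_COUNTS.items():
        row = dict(zip(OBSERVABLE, attrs))
        if all(row[k] == v for k, v in observed.items()):
            matched[has_condition] += n
    return matched[True] / sum(matched.values())

def infer_sensitive(profile: UserProfile) -> float:
    """Populate the inferred class of the profile; return the lift over the base rate."""
    base_rate = posterior({})                 # what the service knows with no disclosure at all
    p = posterior(profile.observed())
    profile.inferred["p_has_condition"] = p
    profile.inferred["lift_over_base_rate"] = p / base_rate
    return p / base_rate
```

With only the witting direct disclosure `late_night_activity=True` the service's estimate of the sensitive attribute rises from the 10% base rate to about 23%; once an affiliated service adds `pharmacy_checkin=True` as an indirect disclosure it reaches about 44%, all from information the user considered innocuous.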
Prediction risk in my mind is the most insidious form of disclosure risk precisely because of the tremendous information advantage maintained by the service providers and the lack of transparency about the nature of that advantage. In many respects, we are forced to place our faith in the benevolence of the monolithic services that we enjoy daily. While the nature of these relationships may on balance work in our favor, there are a myriad of ways in which the information asymmetry can work to our disadvantage, in some cases without our ability to detect the malfeasance. And this is before we even consider the consequences of nation-states as potential threat actors.
To claim a future where ubiquitous mass surveillance isn’t the default, we must reexamine the relationships between ourselves and the services we interact with. Moxie Marlinspike has deftly highlighted the nature of the choice we’ve been presented with. The online networks realized by these monolithic service providers have amassed so much collective value that to opt out of their use entails a significant cost. To opt out in totality implies that we opt out of ecosystems that have become enmeshed in modern life. The long road ahead is to imagine anew alternative systems that encompass the values we hold dear.
As a starting point, I’m returning to my relationship with my smartphone. I don’t trust my device and have to assume what I place on the device will ultimately be compromised. Given the privilege I have in society, that doesn’t amount to a significant burden. Yet that is not the case for all.
A macro question on the table is how can society benefit from population-level insights while protecting individual privacy? Ultimately answers to that question need to take shape in system design principles that are broadly understood and applied. My intention over the long term is to explore ways in which we might be able to elevate the state of the practice.
Stay tuned. There’s more to come.