The European Commission has opened a consultation on the Data Protection Directive from 1995 which has a submission deadline of January 15, not January 12 as I wrongly reported yesterday.

Apart from flawed implementations of data protection in member states, I’ve pondered how a lack of protection against data abuse, and particularly profiling, could be fixed. Profiling is the process through which a state or a private enterprise collects large (or small) amounts of information about individuals to predict characteristics or future behaviour of those individuals. Google AdWords is an example, as is the Delhaize Plus Card. The Data Retention Directive from 2006 is also an effort to map the communication and movement patterns of individuals for easy determination of the risk they may or may not pose to their fellow citizens or the nation state.

American analyst Jerry Brito commented on his perceived lack of danger of RFID-chip profiling many years ago. He suggests that commercial entities will have very few incentives to coordinate databases for the purpose of profiling individuals. If it weren’t for mergers I’d be prepared to agree, but I also see that such a small number of large enterprises are taking over such a large part of our communication flows that privacy or anonymity protection could hardly be considered adequate (an example of which could be the merging of insurance companies and private health care, or, as is the case of the Dutch implementation of e-Dossiers, state mandated merging).

For a long time I imagined that my passport and ID-card were a state guarantee for me being who I say I am: a type of authentication wherein my authority to perform a certain action (buy cigarettes, withdraw money from the bank, travel across the British border) is guaranteed by the state with respect to a third party. In an authentication system we would, however, not necessarily have to be dependent on a single authenticator (in my case the Swedish state). Instead we could have several authenticators, perhaps different authenticators for different authentication needs. The Swedish state could guarantee my authority with respect to the bank. The bank could guarantee my authority with respect to the tobacconist. The authentication company Authenist would be able to guarantee my authority with respect to Great Britain based on the criteria education, postbox number, employment or civil status (or whatever). Who would guarantee my civil status? Presumably my landlord or the party that married me and my better half.

Now, we have an identification system. My identity is inherently connected to the papers proving that identity. All identity papers are derived from the same source: the Swedish state. Synchronising databases or connecting the many activities of a single individual to a single physical person, their home address or their social circles is made vastly simpler. It’s a single point of failure which is interestingly well represented by a Swedish family who were accidentally removed from all registers, unable to collect wages and pay off debts and also angry about the injustice done to them. Had they had several or separate authenticators they would perhaps have been unaffected (the employment authenticator would not have been the same as the mortgage authenticator).

It’s philosophical reasoning, and has flaws and difficult considerations (imagine that you could die and keep the house despite being actually dead – who would pay the mortgage?). Private companies and nation states anyway seem to be much more interested in mapping the totality of our behaviour, communication and consumption patterns and that of our friends with respect to ours rather than guaranteeing our human rights, information flow control or anonymity.

Information flow control is an issue of our times that many people, civilians as well as politicians, want to care strongly about. Finding solutions seems less than trivial to me though. :-/

