Memories of Things Past
Innovation Times – The Federal blog
Posted by JR Reagan on June 30, 2014
|Follow JR @IdeaXplorer||Connect with JR|
In the European Union (EU), legislation grants citizens “the right to be forgotten” on the Internet and other forms of digital media. Protecting personal data is a “basic human right” over which consumers should have control.
Young professionals could request that all traces of embarrassing photos from their university years be deleted. Consumers who don’t want details of shopping habits stored in retail databases could ask for its removal. Erroneous information could simply be eliminated.
It’s a tantalizing idea in a world where digital memories don’t come with expiration dates, and our online identities live on in perpetuity.
But is it actually possible in to put this into practice? Will any of us – including the people of the EU, who now have a legal right to it – be able to erase digital snippets or even entire online identities? What is privacy in the 21st century?
A digital eraser
The European Network and Information Security Agency (ENISA), an expert body dedicated to cyber security of the EU and its member states, citizens, and the private sector, took a close look at the technical challenges surrounding privacy in an age where advertisers track online viewing habits, friends tag social media photos, co-workers share files on thumb drives, and handheld devices continuously broadcast location information.
Though legislation might provide expectations of digital privacy in the EU, ENISA focused on whether or not the right to be forgotten can realistically be achieved in a world of big data and open systems.
The cover art of its study, “The Right to be Forgotten – Between Expectations and Practice” (2011), conveys in a single image what the 20+ page report goes on to explain: It shows the eraser tip of a pencil attempting to rub out the word “Impossible.”
ENISA’s report identifies a number of serious challenges to implementing forgetfulness in open systems like the Internet. The difficulties spring from the fact that once someone publishes or posts or shares data, they lose control over it. It can be copied digitally or downloaded to a local device…and therefore can no longer be completely managed by the person who originated it.
Finding and keeping track of every bit of your personal information in order to manage or delete it is, in ENISA’s estimation, “ultimately impossible to prevent by technical means.” In other words, it’s virtually impossible (pun intended).
What if you didn’t just want to delete an embarrassing or angry online post, but instead wanted to disappear completely – both online and off? Setting your reasons for wanting to escape aside, would it be possible for you in this always-on era to not only cast off your real identity, but also escape the online remnants that keep track of you?
In 2009, a writer for Wired tried to do just that. To document the difficulty of disappearing in the digital age, Evan Ratliff “went on the run” himself – and a well-orchestrated one at that. Simultaneously, the magazine issued a challenge to readers: find him, and claim a $5,000 prize. The result: an elaborate chase documented by Ratliff in both a story and later a daily blog, “Vanish.”
Ratliff gave a magazine editor full access to the personal information any private detective worth his salt would be able to dig up: banking, credit card and phone records, and access to his email and social media accounts. These details would be made public, spread out over time, online.
His efforts to elude capture (by photograph) began with what you might expect: a new name, disguises to go with it, and plenty of cash withdrawn over a period of months. Fake business cards. Prepaid cell phones.
Then there was the software to mask his Internet searches, disabling the toll device in his car, gift cards to make anonymous Internet purchases, fake email addresses, and creating various social media accounts for Ratliff’s new identity.
According to the magazine’s blog, “What had started as an exercise in escape quickly became a cross between a massively multiplayer online role playing game and a reality show. A staggeringly large community arose spontaneously…the hunters knew the names of his cat sitter and his mechanic, his favorite authors, his childhood nicknames.”
And they eventually found him, using a combination of technology and good old-fashioned investigation techniques. Despite his many diversionary clues and use of anonymity software, Ratliff’s cat-and-mouse caper ended in New Orleans just shy of a month after he ditched his life in California.
Someone to watch over you
Most likely you don’t want to disappear like Ratliff did. But people could be hunting you nonetheless…and the location data you publish (or that your device and apps track) makes it possible.
Your real-time vacation photos might make your friends envious when you post them, but anyone with access to their social media accounts will also know that you’re far away from home. They could become as sure a sign to thieves as forgetting to stop the delivery of your mail and piles of newspapers in your driveway.
When you take photos of or geotag yourself, you reveal far more than you probably intend. Sure it’s okay if your friends know that you visit your favorite Starbucks at the same time every Tuesday, but would you want someone with less-than-pure motives to be able to find that out? What if you’re trying to sell a new laptop on any number of online buying and trading sites? The bad guys can trace the metadata in the photos you post to find out where they were taken...which was probably at your house—where they can find that laptop to potentially steal.
Deleting big data?
So if it’s impossible to enforce with any certainty the right to be forgotten in the 21st century, and if we can’t disappear without a trace, what is feasible?
It will be interesting to see how Europe’s right to be forgotten plays out in the cloud – and in its courts – over the next few years. It will give us ringside seats to a fight that’s possible to be waged here on our own shores.
Instead of being forgotten, “mostly forgetting” could be achieved by eliminating data from search-engine results pages, and filtering it out of social media sites. Data would still exist, but be difficult to find. The body recommends that compilers of data should make it easier for consumers to access and manage the information collected about them.
To policy makers, ENISA suggests the practice of “minimal disclosure” to limit the online storage of personal information, the use of encryption during data storage and transfer, and sanctions against those who don’t follow the rules established for online tracking.
And we could all learn to use our smart phones a little more smartly.
As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.