Threats from lack of privacy

Tonight’s keynote by Daniel Solove (author of The Digital Person) fell on the privacy-as-a-means-to-an-end side of the debate, though he mostly only discussed one danger: identity theft.

Personally I think identity theft is one of the biggest boons to privacy advocates in the past decade, because it finally answers the question “why should I care about privacy if I don’t have anything to hide?” There are several other examples and classes of threat that I think are equally important though:

  • Direct threat: using what you know to directly cause me harm. Identity theft is one example, but so is using my contact information to spam or telemarket to me, using my location to know when to rob my house, and using personal information to create false trust when selling me something.
  • Profiling: punishing or restricting people with a set of features that are benign in their own right, but that are perceived as correlating with features that are undesirable. Racial profiling is the obvious example: there’s nothing wrong with being black or hispanic, but because these races are perceived as being “more likely to commit crime,” people of this race are singled out for extra hassle and restrictions. Age, religion and gender discrimination are other examples. Data mining brings profiling to a whole new level: now not only can you be harmed because of obvious traits like your race, gender or age, but also subtle things like your purchase habits, where you travel, who you know, what you read and what your politics are. This is both unfair to the individual singled out and harms society by dissuading activity we would rather allow, simply because the activity is sometimes correlated with activity we don’t want.
  • Cherry picking: breaking society’s risk-pooling safety systems (i.e. insurance) by giving insurance companies enough data to cherry-pick only the safest people. For the individual, insurance is a way to pool risk so that a catastrophic illness or event doesn’t wipe you out. For an insurance company, insurance is like being a casino owner: they profit by setting their payoff a little higher than the overall risk. If the insurance company has enough information to completely predict who will get sick and who won’t, that’s like playing poker against a psychic — they always fold before you get to bid on a good hand, and take your money when you have a bad one. Of course there’s never enough money to completely predict who will get sick and who won’t, but every extra bit of predictive power takes us further from the ability to effectively pool our risk.