I had the pleasure recently of opening a Cambridge Union Society debate on the topic of “This House Fears The Large Scale Collection Of Personal Data“. This theme is partly what inspired my CIO Column on “The Internet of Thieves“. The issue of enterprise and Internet security (or more usually in my experience the lack of security) has occupied much of my career – and unfortunately seems likely to continue to occupy much of the rest of it!
Alongside me proposing the motion was Heather Brooke, the investigative journalist and freedom of information campaigner. And opposing us were solicitor and academic Professor Christopher Millard and journalist Edward Lucas. Both sides of the debate were complemented by a student speaker: supporting us with the proposition was Katherine Dunbar, student and competitive debater; and the opposers were supported by Katie Heard, Durham student and competitive debater – both of whom demonstrated their expert familiarity with the format and a commendable ability to have read and learned about the topic in remarkably short time.
The formality of the setting and format of the debate all seemed a very long way from the “debates” we used to have at my old south London comprehensive. It made me realise how rarely I engage in formal debate – most conference events consist of “panel discussions” and tedious broadcast-mode slideware instead.
The core of my opening proposition was that far too many digital businesses rest on a profit model centred on the relentless commercial exploitation of our personal data. Some of our personal data of course we may share voluntarily with others in return for a benefit – store loyalty discounts for example. But a great deal are taken, analysed, manipulated, sold and exploited without our consent – often indeed without even our knowledge.
Not so long ago it was a unique, unpleasant characteristic of totalitarian states that citizens were permitted no secrets – no private, personal spaces. No freedom. We pointed wagging, righteous, critical fingers at such regimes.
So it’s ironic that a worryingly similar invasion of nearly every aspect of our personal lives has now been adopted as the routine, prevalent, business model of many Western companies and even, shamefully, some of our governments.
Let’s think about this another way. What would we make of somebody we discovered rummaging daily through our dustbins to examine our discarded letters, beer bottles and food packaging? Of somebody who stalks a few paces behind us everywhere we go to observe who we meet and to eavesdrop on and record our conversations?
We would, I think, regard such an individual to be perverted. Possibly even insane. Certainly not someone you’d invite to your birthday party – somebody probably best subjected to a restraining order.
And now imagine this person also randomly and obsessively runs up to us from time to time and shouts “I think you might want to buy this car!”, or “Are you looking for a new house?” or “You’re drinking too much!”.
Yet this invasive and obsessive behaviour is precisely how our technology behaves. Every second of every day. We should regard this use of technology – to trawl, monitor, gather and mine our personal data – as no less perverse.
Instead of using new technology to partner with us as equals to our mutual benefit, far too many organisations are obsessed with fleecing us of our personal data for short-term gain, without any regard for the consequences. All in the vainglorious hope that it will provide them with the power of precognition, the ability to understand us better than we understand ourselves – in order to take even more money from us.
“But but but!“, my critics will counter, I am concerned for no good reason. We should all just enjoy the benefits bestowed on us by this largescale collection and use of our personal data. Where’s the harm?
Well, in response, consider the expert advice given by those who safeguard our critical national infrastructure. They warn of the grave risks of aggregating bulk personal data – creating a pool of valuable information that will be targeted, exploited and abused by everyone from foreign hostile powers to opportunist hackers.
We should heed such warnings.
If our bulk personal data is collected it will, without any doubt, sooner or later flow into the hands of whoever wants it. Whether by accident or design. So what? “Nothing to hide, nothing to fear.” Isn’t that what we keep being told? The same self-serving line trotted out by those totalitarian governments we once rightly criticised.
In any case, try parroting that nonsense phrase to a battered spouse, abused child, whistle-blower, informant, witness to a serious crime, journalist source, barrister and their client, or undercover law enforcement official. Do you really think they have “nothing to hide”? Of course they do, and for very good reason – this is part of the reality I was arguing in my column “Securing digital public services“. Access to personal data can, literally, become a matter of life and death.
This abuse of our personal data threatens us all in other ways too. It undermines our everyday security. What’s the point after all of protecting an online financial account with “secret” details of your first car, favourite colour and memorable place when those very same details are being Hoovered up and sprayed around the world?
The irony is that all of this sucking up of our personal data isn’t even necessary: it’s the by-product of a badly broken and ill-conceived business model. How much simpler it would be if we had better business models, ones designed to enable and secure the Internet age. Empowering technology that lets us maintain and control our own personal data, and choose with whom we wish to share it.
What a terribly brilliant, but dangerous idea that is. Rather like democracy itself. Yet we urgently need to adopt this type of imaginative new approach if we are going to end the toxic legacy of analogue thinking in the digital age. The intrusive and dangerous large scale collection of our personal data needs to end, whether by businesses or governments. Our democratic right to safeguard and control our own personal data must be strengthened.
Until this happens, we must do everything in our power to protect our data – by using ad blockers, virtual private networks, cookie wipers, onion routing, end-to-end encryption. Whatever it takes to keep our data, and us, secure.
The large scale collection of our personal data must not be seen as some sort of ransom or blackmail we have to pay in order to enjoy the benefits of our digital age: quite the opposite in fact. I supported the Society’s proposition that we should fear the current abuse of our personal data – because it has become the biggest risk to this emerging, amazing, exciting, digital age.
Reflecting on the debate afterwards, I think there was little significant distinction between either side – the underlying consensus seemed to be that we should all have better control over our own personal data. You can’t have security without privacy and vice versa.
The post-debate Press Release from the Society provides a high level summary of the debate, as does the short, edited highlights video below (I understand the “Director’s cut” full version will be available at the end of this academic term). This is an important topic that needs much more discussion and understanding – and not just in the debating hall of the Cambridge Union Society.