This post was imported from my old Drupal blog. To see the full thing, including comments, it's best to visit the Internet Archive.

I wrote this earlier in the year but for one reason or another never posted it.

I was at the excellent ORGCon yesterday. I was speaking about open data in my capacity as Technical Director at the Open Data Institute but I stayed for the rest of the conference in my capacity as an interested UK citizen. It is in the latter capacity that I write this.

When my 9-year-old daughter asked me what ORGCon was about, I explained that it was about the rights that we have when we are online. With the recent revelations about Prism in my mind, I asked her what she thought about people being able to read the emails or listen in on the Skype chats of people they thought might do harm.

She replied that she thought it was good, that it made her feel safe to think that the communications of “cyber bullies” (these are the most concerning “bad people” she thinks of) would be watched (and, presumably, punished if they were caught bullying).

From recent conversations I’ve had, this feels like a common reaction. I’d venture that you don’t need much technical knowledge or much paranoia to believe, when you stop and think about it, that the NSA and GCHQ can get access to much of our online communication. We shrug because we assume that the people they will want to listen in on are the baddies. And if it helps to stop those baddies doing bad things, so what?

In his opening keynote, Tim Wu talked about the need for us to have a visceral sense of our online rights — of our ownership of our data, of our privacy — in order to protect those rights.

Reflecting on my daughter, I’m struck that she does have a visceral sense of privacy, but it is not about privacy from the (benevolent, protecting) state. It is privacy from her (nosy, interfering) sister.

And I feel the same. I don’t have a visceral reaction to the NSA or GCHQ having access to my online (private) communication, but I certainly have that reaction when I think about it being seen by my coworkers, my friends, my family. This isn’t because of anything in particular that I’m worried about being discovered, just because I’d prefer to have some control over what I expose to the people with whom I interact most.

In his closing keynote, John Perry Barlow spoke about growing up in a town where everyone knew everything about everyone else, but no one brought up the past because everyone had skeletons. A type of mutually assured destruction. He said something I often hear the over-30s saying, that the young people growing up with Facebook are not concerned about their privacy.

If you read the focus group responses from the Pew Research Center’s Internet & American Life Project, you can see that this isn’t true. Teenagers might be sharing a lot of information through Facebook, but there are definitely some people they don’t want to see it (my emphasis):

[Friending my parents] sucks… Because then they [my parents] start asking me questions like why are you doing this, why are you doing that. It’s like, it’s my Facebook. If I don’t get privacy at home, at least, I think, I should get privacy on a social network.

In the open data world, we worry about publishing information about people who can be identified from that information. The ICO Anonymisation code of practice talks about a ‘motivated intruder’ test:

The ‘motivated intruder’ is taken to be a person who starts without any prior knowledge but who wishes to identify the individual from whose personal data the anonymised data has been derived. This test is meant to assess whether the motivated intruder would be successful.

The approach assumes that the ‘motivated intruder’ is reasonably competent, has access to resources such as the internet, libraries, and all public documents, and would employ investigative techniques such as making enquiries of people who may have additional knowledge of the identity of the data subject or advertising for anyone with information to come forward. The ‘motivated intruder’ is not assumed to have any specialist knowledge such as computer hacking skills, or to have access to specialist equipment or to resort to criminality such as burglary, to gain access to data that is kept securely.

The ‘motivated intruders’ that most people will be concerned about are those who are already known to them. (The main exception would be those people who for whatever reason have come to the attention of the press.) They are the suspicious spouse, the nosy neighbour, the interfering parents, the jealous colleague.

When I think about those people I know who have felt their privacy has been infringed, it has always been by people they know, behaving in extreme ways out of a desire to retain or regain control.

But those engaging on campaigns of harassment do not need additional personal information to make their target feel exposed. They just need to demonstrate knowledge of something.

“I know where you live.”

“I can hear you.”

It doesn’t have to be important. It doesn’t have to be private. The goal is to demonstrate to their victim that they are being monitored, constantly: their movements watched, their tweets read.

To invoke a visceral sense of your right to privacy, think of your friends and family reading your messages. To test anonymisation, think of a suspicious spouse aiming to prove infidelity. Even information we would never think of as private can be used against us.

It isn’t the state’s knowledge we fear, it’s that of those who already know us.