The following post was actually written as a comment to a post by Pete Williams on Some Different Thinking on Privacy. Unfortunately I had difficulty posting it as a comment, running into a few vaguely described errors which I think centered around Blogger's 4096 character limit to prevent spam... hmm maybe I am spam... Google definitely gives me a hard time with its CAPTCHA.

Anyway jump to Pete's post first to give context for my thoughts below.

I think it's an interesting idea to discuss, to sacrifice some aspects of your personal privacy to gain benefits. However, despite how willing a person is and how self informed they believe they are of what their sacrifice entails, I still think it's important for privacy laws and legislation to protect them (and all that would follow them) from what may appear seemingly harmless but are potentially disastrous sacrifices.

Being able to skip a queue at the airport by simply supplying your facial pattern is an attractive idea and I think there would be a lot of people willing to do so for that benefit - but that's where it's dangerous because only a handful will understand what some/most of the implications will be, but most won't and will be blindly making a sacrifice without a second thought or even a first thought. So the likely minority will know that they've just supplied their photographic identity to an organisation who can easily, under the radar, use that information for other purposes or be forced to supply the captured information to authorities. Both of these are meant to be protected by current legislation, however, as it has been for many years, technology often escapes laws.

The latest incident I've witnessed and raised to the Privacy Commissioner was in relation to TicketMaster, iiNet and alarmingly likely a lot of other organisations who store passwords in plain text in their databases [1]. Given a lot of us are guilty of using the same password for different services, the weakest of these databases represents a critical point of vulnerability to the security of much greater private data (i.e., the same password for TicketMaster being used for Internet Banking - not good). The reason I raise this example is not to focus on password security (which I do think is a serious issue) but because it highlights the expectations and beliefs we have about how our private data is being used, protected and the implications involved in its storage and use. Too often these do not match up with reality.

The other important aspect to be wary of when liberating your own privacy is you may unintentionally be liberating others as well, without their consent [2]. An example of this recursive liberation is seen by most Facebook users who are able to make their accounts public; that person has made a decision for their privacy, however they've also made a decision for all the people tagged in their photos and who have posted on their wall - at least wall posts are consciously written, but the former makes you think twice when there is someone with a camera around - that is if you are sober enough to have such thought processes. Which leads quite directly to another example of where we need government to protect us and our privacy from... well ourselves and our willingness to give it away.

Recently I went to a nightclub in South Melbourne that as a condition of entry required you to supply your Driver's License, a 5 second video footage of your face and lastly a casual request for your fingerprint. Now in the light of day alarm bells ring quite clearly, however for the over 300 people that probably visit that club every weekend they are submitting more data to a privately run business than what the government or even themselves know about their own identity. At the time of the request I wasn't told video footage was being taken, just asked to look at a machine, furthermore the fingerprint is taken under the premise of being a "FingerPIN" so you can skip the whole process next time by simply scanning your finger (similar to the airport example). The problem here is I don't believe anywhere near the majority of people entering that venue are either in a clear/sober state of mind to be making such a decision, nor are they given an understanding of the implications. I think one of the strong subconscious factors that allows us to somewhat blindly hand over these pieces of our identity is that we expect the organisations to be legitimate and to protect our data from the eyes of others. These expectations I think have been formed over the years by efforts government have made (i.e., the National Privacy Principles) and I think it's important that rather than telling the government that we can take care of ourselves, we should work with them to bring policy to the present day and ensure it evolves with the future. We need to realign our expectations again with reality. Maybe at that stage we'll have the right protection around us to be making decisions about our privacy.

It needs to be a balance between the protection of our privacy and the innovation that awaits us. Already though it seems quite unbalanced, and although we are excited about the power, efficiency and other benefits that can be gained from relinquishing aspects of privacy, I'd be keen to see more focus by us who are on "the cutting edge" in making sure we are respecting others, not just wrapping up their right to privacy in pages upon pages of legal jargon and terms of use policies [3]. Personally, I believe I'm quite conscious of the implications of my actions in relation to handing out personal information, but I don't presume that all I've handed out is protected or that it's only being used for what it was said it'd be used for. Despite that, my main concern is for those who are less conscious of their privacy decisions - for example my parents, or even my 1 year old niece who no doubt has an embarrassing photo or two on Facebook already (a subjectively non alarming example, but the point of non consensual release of privacy still exists).

The idea of balance is really what I wanted to focus on, not tearing down everything we've built. The idea of a structured society that Steve pointed out I think can also exist, but rather than passively embracing we should be actively negotiating the privacy sacrifices involved. It's important to keep us engineers and innovators on our toes. We want to share and we want to innovate, but let's innovate not only with efficiency gains, cool web apps, etc. but at the same time invest innovation in protecting and legislating the protection of the new data we have been given access to (or released access of). We are web engineers and innovators, we should really be consistently mindful of the trust people are giving us and actively responsible for protecting them from implications they may not realise - which could even mean not inventing a nightclub fingerprint scanner or airport facial scanner.

Anyway Pete, thanks for posting your discussion on a different view on privacy, the thought of giving away privacy in an active manner isn't one I've heard expressed or that I've considered before, but I've enjoyed the thoughts it raised - which have been much more than I expected but good fun to have an opportunity to talk about.

Footnotes

  1. Unfortunately the Privacy Commissioner's office and current legislation don't deem the encryption of passwords as something worth protecting, rest assured though because our email address is definitely protected from being shared with 3rd parties!... awesome.

  2. "Consent" is a difficult word to use because anyone who is using services such as Facebook, Twitter, etc. has officially consented to some form of terms and conditions, and your initial thought (and that of many) is "if you are concerned don't use the stuff". The problem is people don't always understand what they've actually consented to, so a "knowing consent" for a particular service or resulting event is never really given.

  3. The most incredible of these I've seen so far is the 101 pages that Apple would like me to read every few weeks when they change their terms and conditions... hmmm I'm not going to read that... particularly not when it stands between me and playing Fruit Ninja. :P