double take

I have taken quite a long break from blogging, but hope to begin again with renewed energy in the coming months. As the first foray back into writing, and the first blog post of 2011, I’m going to share the thoughts I sketched out in preparation for a panel at Hyperpublic at the Berkman Center last Friday.

Before I do, a quick comment. In these notes I identify a quote from Jonathan Franzen on the interplay between public and private and shame. It was a quote I found quite insightful and thought-provoking, but unfortunately during the panel at Hyperpublic the audience seemed to think I had asserted that privacy was only necessary for things that provoked shame. I certainly did not intend for that message to come across, clearly there are many reasons for an individual to seek privacy. I simply found it an interesting lens through which to examine the issue, particularly in the contrast I was painting between “hyperpublic” and “data-driven.” I recommend to anyone interested in the topic of privacy and/or publicity to take a read through Franzen’s 1998 essay, the Imperial Bedroom—it is quite thought provoking, and quite a different approach than that we so often see in today’s discourse.

With that, my thoughts for the panel, “The Risks and Beauty of a Hyperpublic Life.”

When they first asked me to join this panel I read over the word “risk” in the title and only saw “beauty of the hyper-public life.” My immediate reaction was—I have nothing to say about that, I reject the notion. Hyper-public life to me implies a Paris Hilton like existence, and while some of you may find that appealing I personally don’t. Even most mega-celebrities seek privacy in their lives, I don’t predict that will change.

But when reading the actual description of the panel, it struck me that the title doesn’t accurately represent what we’re theoretically talking about here. When we talk about unprecedented information gathered—we’re talking about a data driven life. That to me is a beautiful thing, albeit one that comes with risks. My claim is that the risk of a data-driven life is that it become a hyper-public one, but if managed correctly I believe that risk can be mitigated so that only benefits accrue.

There is a tremendous amount of data being collected about people, their behavior and the world around them. This data may represent clicks on webpages, GPS coordinates, purchases, communications between people. And from all that data, we can learn a tremendous amount about the world around us, things that will help us make a better world for the next generation.

The risk that many of us concerned about privacy have a natural tendency to focus on is “what if all that data is tied to me and used to create a dossier, which could be used to exercise power over me in unjust ways?” Until recently, this risk was hard to conceptualize because it was quite theoretical. Well, sure your credit card company knows something about your purchases, and sure a phone company or ISP knows about your communications, and yeah I suppose the websites you visit know what content you like to consume—but it’s all tied to different types of identifiers, held by different companies, it seemed impractical to aggregate it all together.

Meanwhile, analysis of that data provided unprecedented value, and not all of it (much of it?) easily quantifiable. The improved value in something as straightforward as Search—that Google can get you to a better result today than a year ago, and probably faster too—is the result of data analysis. Advertisers have enjoyed more efficiency in dollars spent on marketing—and consumers have enjoyed access to more free content than ever before as a result, to the tune of $100 billion in surplus according to McKinsey & Company and IAB. But those are just the easy gains, the low hanging fruit. What comes next?

Google has used search log data to advance the idea of “predicting the present”—learning something useful about macro-social behavior based on analysis of aggregate query data. This idea was behind the now-familiar Flu Trends and the more recent launch of Dengue Trends, two tools that barely scratch the surface of advances we might make in public health monitoring with the use of predictive analytics. Other sectors that stand to be transformed by big data include energy—where analysis of consumption patterns can enable service operators to manage their networks more efficiently, or end consumers to manage their consumption more efficiently. One of the most exciting areas of this type of analysis is language, where automated real-time translation and transliteration are rapidly becoming commonplace.

We often don’t notice these improvements made possible by predictive analytics because it’s not always clear how marginal data analysis led to incremental or step-change improvements. This is and will continue to be a struggle for companies in the data sector—being transparent not just about data practices, but about the consequences of data practices for the user’s experience. One of the best examples of doing this well today comes from the recommendation engines—sites that make a business out of predicting what content you’ll like best. These sites have perfected subtle design features that indicate, hey we think you’ll like this movie because you rated this other one over here highly, if we got it wrong help us correct it by telling us what you’d like better. Those subtle design features in no way convey the complexity of the predictive analysis happening behind the scenes, but they do convey the idea that data analysis of my past behavior is enabling this end user benefit.

It’s notable that the recommendation engine space is one where the benefits accrue to the individual. I see better recommendations for me—yeah, they probably use my data to improve everyone’s recommendations, but viscerally what I’m aware of is the direct improvement of my personal experience based on my personal behavior. As an industry we struggle more with building these design cues where the improvement of my experience is derived from the aggregate analysis of other people’s behavior. This is nowhere more obvious than in Search, where lots of other users’ clicks and searches over time enable a search engine to point me to the best answer today.

In all of these examples we can start to see that there is a real beauty in the data driven life. So what is the risk? I think the risk is that it becomes the hyper public life. We fear the day when aggregating data across contexts becomes so easy as to collapse all contexts onto one plane of existence, one which is visible for all to see. In practical terms the concern is as simple as the risk of re-identifying an individual from a series of search queries, or of a data broker amassing data from multiple service providers and collapsing it all into a single profile, then overlaying it with whatever we may have published ourselves via social networks and the web, and making it all available for sale to anyone. I don’t think this is necessarily an impractical concern, but I also think it is nothing close to a full picture of the landscape we’re talking about.

I took a late flight out to Boston Wednesday afternoon, and was trying frantically in the airport to download to my iPad a book I’d purchased for the flight. SFO, your free wifi while free (thank you for that!) let me down. I couldn’t get a signal, and when I did the data moved at an achingly slow pace. So I found myself on the plane with only my existing library, much of which I’ve already read. But I came across this book I’d purchased a while back, ‘How to Be Alone’ which is a collection of essays by Jonathan Franzen.

After reading a few of these, I stumbled on his essay, “Imperial Bedroom.” I was still a teenager when that essay was written and hadn’t yet overcome my general attitude toward technology (that it was a boys’ hobby, of course) so stumbling on this essay while en route to this workshop on publicity was a pleasant surprise, and an opportunity to glimpse how folks may have been thinking about these issues a decade ago. I imagine many in the room are quite familiar with it, but for those who aren’t let me offer an interpretation of his thesis: the problem is not a loss of privacy but an injection of too much private behavior into public spaces, where it erodes the quality of the public space.

Franzen says something interesting: “without shame there can be no distinction between public and private.”

(Note the definition of shame: “Emotional distress or humiliation caused by what may be perceived as wrong or foolish behavior.”)

That somehow makes some sense to me. Without having given this much more thought than a few hours after work yesterday allowed me the time to give, I’d posit that shame is tied to identity in a critical way. The shame one feels for wrong or foolish behavior may exist even if it is known to no one, but with the potential perceptions of an entire society weighing on your behavior there are a multitude of things one might feel shame about.

Recall Dog Poop Girl. Had she been unidentifiable, unrecorded, she may have felt shame—but in all likelihood nothing like she is rumored to have felt following the incident in which her identity and behavior were broadcast to a nation.

The data driven life is indeed a beautiful one, full of potential. If we can capture opportunities to really demonstrate the public good that arises from multiple individual contributions, to design that transparency into services directly, untold advances will be made. But there is also a risk that the data collected about an individual’s behavior is tied to their identity and published in a way the individual didn’t understand, expect or desire—a risk that the data driven life unexpectedly turns into a hyperpublic one.

A few closing thoughts. It strikes me, when I step back and look at these issues from this big picture perspective, that much of the solution that lies ahead of us rests on identity management. We need to enable users to be who they want to be, where they want to be—Alma Whitten put this quite well a few months ago.

It is my perception that many in the privacy community seem to have not quite given up on identity as a solution, but turned away from it for what seems a simple and obvious reason: theoretically, re-identification ought to become so trivial within a few years that the concept of having multiple identities online strikes some of us as an impossible future. Friday at Hyperpublic someone pointed to facial recognition as one example of the ways in which technology seems to be siphoning us into a single identity. I understand the theoretical direction folks are concerned about, and why they may be concerned about it—but I am not quite ready to give up on the idea that I can manage different facets of my identity across different contexts.

I mean this sincerely, and yet as I consider creating an OkCupid profile in the next few months, it has occurred to me that much of my public life can be aggregated so easily—if I’m to post a picture on my profile, perhaps instead of creating a pseudonymous username and revealing my identity to potential dates at my own pace, I simply ought to use my real name and allow the initial judgements to form based on my public identity.

Certainly there is no easy answer in this space, but as usual only questions. That’s what makes it interesting, I suppose!

I was in a graduate program with a bunch of engineers studying energy and environmental sciences, transportation systems, and civil engineering. When I first started the program, I didn’t fully understand that there were any significant parallels between my work and theirs. Over time, as with most things, I came to appreciate that unique assembly of multidisciplinary thinkers.

The other night I was thinking about regulation of air travel. Seems like a risky business, air travel — probability of a crash may be low, but if you crash it seems likely you won’t make it out unscathed. People die from plane crashes, although far less frequently than we think. We don’t limit air travel to prevent it though, we require safety measures be put in place and do our best to mitigate a risk that seems far greater to those of us perceiving it as infrequent air travelers than it actually is.

Auto travel, turns out, is more risky. Or so they say. Makes sense, people on average travel in cars more often than planes, so probability of accidents is more likely for the average person. We also regulate the safety of cars, though far less stringently than planes (how would you like a backscatter screening before getting in your car?).  And individually we perceive ourselves to be safer driving our cars than riding in airplanes, a perception that I believe has a lot to do with control. If you’re not flying the plane, you have to trust the guy who is. If you’re driving, however, you’re more likely to do what feels safe to you, sometimes overlooking the fact that a lot of driving safety is not in your control but in the hands of other drivers.

In environmental regulation there has been a lot of talk about the precautionary principle: if there is risk of an action harming public welfare, the assumption is that there is a risk until proven otherwise. If dumping chemicals is suspected of causing cancer, well, don’t dump them until you’ve proven it doesn’t cause cancer. Seems to make sense, if irreversible physical harm might result we ought to figure out whether it will (though, one has to wonder how we figure that out…)

So I was thinking the other night, with privacy, where are the parallels? Well, I’ll observe just a few at a very superficial level for now. Airplane crashes make the news in part because they are so rare, but after hearing about plane crashes on the news it seems as though we as individuals fear flying more. Look at the security measures taken up after 9/11, some would argue in disproportion to the threat posed. We want to feel safe, because we aren’t in control. Similarly individual privacy gaffes with life-destroying outcomes make the news — is that because they are relatively rare? The teacher who loses a job because of an incriminating photo, do we hear about that because it is representative of many instances of similar behavior, or because it was one rare event worth reporting on? Do the news reports, whatever their root cause, lead people to fear invasions of privacy more after hearing about them?

And how does driving fit in here — it’s often been observed that users express concern about privacy in the abstract but do not behave in accordance to those expressions, is that because when they feel in control they misperceive risk? If so, should we treat privacy like we treat cars: establish basic rules of the road for auto makers and drivers alike, approach curves with caution, learn to drive defensively to mitigate the risk of another driver’s recklessness?

Where should the precautionary principle play a role, if at all?

Questions not answers, as usual. I’d love to see policy intellectuals delve into these types of questions with their research.

About once a month one of my Google calendars rises up from hibernation to remind me of birthdays. I’ll never forget as a child going to visit my grandmother, who every week would sit down with her calendar in front of her and write birthday notes to the friends and family she cared for. My grandmother was an extremely social person, with more friends than anyone else I know had pre-Facebook, so this weekly ritual really took an hour and required quite a lot of dedication. She would every January sit down to copy the birthday calendar anew, presumably making edits where appropriate to reflect new friends and those who had drifted away. I was always impressed by this and other rituals she relied on to demonstrate her love for others, and upon reaching adulthood vowed to maintain some sort of ritual myself.

Of course, Facebook birthdays supplanted the thoughtfulness of a ritual like that of my grandmother’s. Suddenly, everyone can demonstrate such thoughtfulness and devotion just by posting a message on a wall whenever Facebook prompts him. For this reason I’ve never found Facebook “happy birthday” wall posts to be very personal or meaningful, and am not one to send them. Somehow a thoughtful email or card seems far more personal and far more meaningful — at least, this is how I feel when I receive them. So, I send emails and cards, I don’t do wall posts.

But I still need that birthday calendar, like the one my grandmother kept. So, a couple years ago I created a Google calendar and set reminders for the entries of all the birthdays I entered in. Every few weeks I get an email reminding me of the birthdays ahead, the people whom I ought to send cards or emails wishing them well. I have not gone back through and audited the calendar since creating it, though, so many of these reminders increasingly bear the names of people with whom I have not spoken for well over a year, sometimes two.

We keep building these tools to simplify the effort required to do the little things that matter so much in friendships: send a birthday card, check in to see how someone is doing, share photos and news of our lives. As the cost of doing these things go down, the gestures lose their meaning. Well, of course you remembered my birthday and said so on my Facebook wall, at some point five years ago you clicked yes to a friend request and it was sealed then that each year you would be reminded to say happy birthday. There are a lot of commentators who claim that the social web is bringing us closer together through tacit and passive information sharing, and I don’t wholly disagree. But there is something that gets lost when we rely on automation for the little gestures that once signaled so much. I’m not one for tradition, so I’d be very happy to leave the birthday tradition behind and accept that a new tradition is signaling the type of devotion, care and love that my grandmother’s birthday calendar once signaled — but I’m not sure I know what new tradition is replacing the old?

Over in Europe there is an interesting debate raging about a “right to be forgotten.” I find it a fascinating debate on many levels, and as a primer point you to this analysis written up by a colleague. At the core of this debate is the ongoing struggle between the right to control one’s reputation and the right of others to say what’s on their mind. But I want to focus on one small piece of the “right to be forgotten” as it is framed: has such a right ever existed?

I for one don’t believe any of us has the right to be forgotten, as a simple statement of reality. My memories are my own, they are etchings of experiences I have had and people I have met. They aren’t anyone else’s to decide I should forget. But, like the oft-spoken wisdom, even if we can’t forget we can forgive.

Take the example of a murderer acquitted who wants to leave his alleged criminal past behind him, but cannot thanks to the Internet, and suffers poor social treatment in work, love and life forever afterwards. The murderer is not poorly treated later in life because someone has remembered or discovered he is a murderer; he is poorly treated because society cannot respect the forgiveness bestowed upon him presumably by his government.

One of my great concerns, generally, with information policy is that we find it so easy to cast blame on the information itself as the cause of social ills. I have this gut instinct that such an approach may create a great many unintended consequences, without actually solving the root of the problem. This is I suppose similar to Nicklas’ observation that the debate around forgetting has actually very little to do with technology. In most cases, the existence of the information is not the problem, it is what we as a human society do with that information that causes concern.

Perhaps instead of a right to be forgotten, which to me invokes things like delete and restrict, it seems to me that we need to develop information institutions that could be charged with disseminating “forgotten” information under appropriate circumstances. Achieving that type of institutional development seems more difficult than making a proclamation, and layered on top of the Internet seems to require a degree of architectural and technical design if it is to succeed. So perhaps instead of debating about whether a right to be forgotten should be enshrined or not, we should do an unconference or two focused on the types of technically-supported institutions we need to adeptly forgive in the online world.

Earlier this week I was honored to have been invited to participate in an online symposium revisiting the ideas laid out in Jonathan Zittrain’s book The Future of the Internet.  There is a lot of fascinating material there to pour over, and I highly suggest setting aside the time to do so. I unfortunately only had the time to post twice, and am not going to cross-post them here but here are the links (Lessons in Designing for Privacy, How Can we Create Even Better Incentives?).

My only disappointment is that my call for hard questions in network design appears to have fallen on deaf ears. So I will raise it here again:

I’d love to see as an outcome of this discussion a curated list of difficult policy and design questions we will face as tethered and generative systems continue their mutual march toward the future. Could we come up with a list of “Hilbert’s problems” for network design? I’ll get that list started by asking: How can we preserve the ability to remain anonymous online while reaping all the benefits that an embedded identity system can provide?

If you have any tough questions to add to such a list, throw them in the comments!

I’ve been thinking about determinism lately, and wondering whether or not it matters for privacy. Specifically, if the audience of shared information is non-deterministic, are there circumstances in which that information should be considered anything other than public?

Twitter has this little feature I just learned about (though, as usual, I’m late to the party – it’s been here since 2008 at least). It turns out that if you begin a tweet with an @reply, only people who follow both you and the person to whom you are @replying are fed that tweet in their stream. I haven’t tested, and can’t easily find a description, of whether the tweet is visible to everyone who clicks on your profile, or only to those jointly following both participants. Regardless, it’s an interesting feature.

Similarly GMail Chat enables asymmetrical relationships. You can hide a GMail chat user without blocking them, in which case they can still see your chat status. I’ve made a lot of interesting choices with respect to this feature over the years; most commonly I hide people who I perceive to be invading my chat list, but whom I don’t want to outright block for fear of being rude. A few weeks or months later, I’ll run into one of these people or they will ping me unexpectedly and reference a recent chat status, which never fails to freak me out just a little. “I didn’t realize they could see my chat status!” But of course, I should have, since I made the decision to hide – not block – them from my chat list in the first place.

Both these features have a bit of non-determinism built in. It’s possible to share information not quite publicly, but to a contained audience that is perceived by the user as non-deterministic. My initial reaction upon hearing about the Twitter feature I describe above was, what an interesting privacy feature. Similarly my reaction as a user to my own use of Chat has at times been the feeling that my privacy was invaded. Which begs the question: does determinism matter to privacy, and/or should non-deterministic audiences be assumed to be public?

It’s gotten me thinking about another angle, as well. Some have used privacy to describe the feeling of having one’s physical space invaded. One translation of this, which I’ve heard discussed though not at length, is the online translation to information feeds. Is it an invasion of my privacy if unwanted information surfaces in my feed? Say, spam, for example? This was of course the motivation for hiding individuals from my chat list – I didn’t desire distant connections surfacing in my chat list inside my email client. Similarly, I would guess it’s a large part of why the Twitter feature is so useful – if a conversation is taking place between two users, it’s probably annoying at best to see only one half of that conversation. But do either of these scenarios invoke privacy?

I realize this is a semi-unfinished stream of consciousness but the thoughts are nascent at best in my mind. I’m interested to hear your comments and thoughts – perhaps someone has written about this before?

At some point in July my blog went down. I have been so preoccupied, I’m not even sure when exactly that happened. I discovered it July 31 and it took me a few days to get around to fixing it. It’s fixed now. Obviously, it’s a good thing I’m not a professional blogger.

When I discovered that my blog was down I was intending to post a few thoughts on defaults. Since I couldn’t, I unleashed a stream of thoughts into a doc to revisit later. I haven’t really revisited them, or taken the time to add in links (yet, perhaps I’ll update if readers send me relevant source links…hint hint). So, with that disclaimer…here they are, several days stale.

Anyone who thinks a lot about privacy is familiar with the paper “The Right to Privacy” by Warren and Brandeis, and the famous phrase therein that privacy is “the right to be let alone.” In the past couple of years though, conceptualizing privacy  this way has taken a back seat to notions of choice and control, in particular over who collects what information about us and how they share it with others. But I think it might be time to re-introduce this concept of being let alone into today’s privacy discourse.

There are a lot of believers in the social web here in Silicon Valley. I must admit, sometimes I wonder if “social web” is a useful way of talking about this future vision or not — which is a way of saying, everything that follows may be based on faulty assumptions and misinterpretations. Often what I start to imagine when I think about the social web is a future web in which my social life is overlaid on top of my Web experience: websites become places not publications, and in these places I find and interact with other people, some of whom I know and others of whom I do not. I believe many of the foundations of such an experience are in-place today, although I imagine the interface will be changing rapidly over the coming year or two.

The true shift to a social web will occur when, as a rule, the people I interact with on websites become as much if not more of an attraction than the content itself. Think about movies. Many of us watch movies alone, but more of us watch them with other people. Movies are a broadcast medium, but their consumption is often a social experience.  Now contrast movies with books. Some of us read books aloud to each other, but more of us read books alone. We discuss them with others after the fact, but the initial readings tend to take place alone. Books are also a broadcast medium, but their consumption is often a solitary experience.

Last Tuesday I was in desperate need of solitude. I hadn’t slept well the night before, I’d had back-to-back meetings all day, and I was tired. I needed some time alone to recharge my batteries. I went home and logged-on — of course. I’m not a terribly active user of the social web; I use Twitter now and then, and I occasionally log-in to Facebook, but my primary mode of communication remains email. (I hear this might mean I’m …<gasp>… old.) Even then, despite being a relatively inactive social web user, I felt somewhat inundated by people when I logged on that night. Twitter, friends sharing things in my RSS feed, chat, email. And then a vision of the future social web came to mind. If I felt inundated by this web, was navigating the social web going to be like making my way through a crowded party?

Some questions worth pondering: If the web we are building is fundamentally social, will we be able to find solitude online? If books are going digital, and digital is becoming social, will reading a book ever be a solitary experience? Or will the book be magically marked up with commentary by our friends by default, as if the book club were meeting in real time while we were reading? How easy will it be to turn on a “solitude” mode?

Phrased another way: will we build the social web to easily enable a right to be let alone online?

The past couple of months have been very busy but exciting ones here. In the past few weeks a couple big projects I’d been working on made their way out the door. First, a paper my colleague and I submitted for publication 6 months (!) ago was finally published, you can read about it on the Google Public Policy blog. Second, the project I am most proud to have worked on at Google launched: Government Requests.

I’m sure I’ll write something intelligent soon…

A couple months ago I spoke about Google’s Power Meter at a conference in Canada. Those who know me know that Canada confuses me on several counts, but I am rarely confused to the point of speechlessness. After my talk a woman approached me, introduced herself, and said “You must have the most boring job in the world.”

Two things: first, really? second, she had it so wrong. I absolutely love my job.

It was a privacy conference, and her explanation for this assertion had to do with her impression of privacy generally (one might have asked why she was at a privacy conference…). The thing is (and I don’t usually like to admit it) I can totally geek out on privacy without getting bored. More to the point, I completely enjoy geeking out on Internet architecture, economics and policy. I guess the fact that some folks find this boring explains why I have such a tough time landing a date. The whole thing really left an impression.

Next week I’m talking at my high school as part of a guest speakers series, and will be speaking alongside a far more successful and impressive classmate who happens to be one of my best friends. In pondering what I might say, and knowing my friend, it seems unlikely I’ll be able to match his advice and range of experience.  So instead of talking about myself, I’m thinking I’m going to say a thing or two about Kermit, the one guy important enough for me to have hung a photograph of in my cube at work.