Wednesday, September 11, 2013

Fingerprint Scanners and Network Privacy Effects

Yesterday, I had some snark for the assertion that Apple using biometric identification in a consumer product amounted to them taking your fingerprints "against your will".  I also considered the ethical aspects of whether your neighbor's privacy choices affect yours.  But from a technical perspective, I find myself still very interested in Jacob Appelbaum's assertion that this will have an impact on overall privacy (or, specifically, his privacy) via "network effects," and found myself thinking through what this might mean.  What follows is a probably overly pedantic analysis of the idea of privacy network effects in general.

First, let's define what a "network effect" is in this context: technically, network effects of technology are ways in which the adoption of a technology by someone else makes that technology more or less valuable for me.  As an example of a positive network effect, e-mail is more valuable if more people use it, because I can reach more people using e-mail.  An example of a negative network effect is traffic or network congestion: the more people who use cars, the more traffic I have to contend with.  I think, technically, we would construe a network effect on privacy for the iPhone fingerprint scanner to be one in which adoption of the device by others reduces @ioerror's privacy if he uses the same device.  However, I think we can safely conclude that @ioerror won't be using an iPhone 5S, or if he does, he'll use a sharpie to disable the fingerprint scanner.  So, more broadly construed, we might consider network effects in which other people's adoption of the iPhone 5S reduces @ioerror's privacy, or even more generally, reduces the privacy of other people who don't use the phone in general.

It's important to distinguish this from simple consumer choice: there may be an overall reduction in privacy because of people's choice to use the iPhone 5S fingerprint scanner, but they may make that choice entirely based on considerations of convenience.  This is an important distinction because, in the absence of network effects, it means that there's effectively no moral angle to the fingerprint scanner: the very fact that a large market exists for such devices means that community standards accept such choices as valid*.

There are a few mechanisms by which we can imagine privacy network effects being propagated.  I think it's clear from context that the case that @ioerror is worried about is the normalization of biometric identification: including fingerprint scanners in phones which lots of people use will make people more complacent about fingerprint scanners in general.  Is there evidence for this?  There are certainly a lot of cases of the public accepting lower privacy standards for specific purposes.  For instance, when TSA imposed full-body scanning at airports, a lot of people shrugged and walked through the scanners.  But, there was no obviously identifiable network effect: we didn't start to see full-body scanners replace metal detectors at federal buildings or schools (although it may be too soon to tell.)  It may be the case that there are downstream effects: have we seen a profusion of metal detectors in public places (ball games, emergency rooms, schools) in general?  Probably; I can't find statistics on this, but casual observation strongly suggests it.  Is there a case to be made that this is due to normalization of security technology into our everyday lives?  Again, very possibly.  But is that due to a network effect, or simply due to government policy and heightened media attention?  That is much harder to establish.

Perhaps a more compelling example is the profusion of sites that now let you log in using your Facebook ID instead of tracking logins on their own.  As such logins become more common, it's easier to shrug at the (very real) privacy considerations of linking your Facebook account to each additional site.  An important difference between these two cases is cost: metal detectors and full body scanners are expensive.  Software is cheap.  Which leads us to a second potential mechanism for network effects: By including such devices in their mass produced phones, Apple will effectively bring the cost of such devices down to the point where other phone manufacturers may start using them, and it may come to the point where it is difficult to buy a smart phone without one.  This, I think, is a much more easily demonstrated mechanism of network effect.  However, both are highly indirect: the adoption of the technology by party A does not directly impact party B's privacy: it's only through a very indirect set of policy, economic, and attitude changes that such effects could be propagated, and it's far from clear that these effects are even close in magnitude to the simple market demand for such devices.

Then, of course, it bears questioning: how would fingerprint scanners actually impact our privacy?  First, there's what I call The Strong Hypothesis:

The Strong Hypothesis is that the NSA will gather fingerprints en masse from iPhones and other devices, then use them to create a national database.  Six months ago I would have rated this tinfoil-hat-silly.  But, of course, the revelations of the last few weeks make a lot of us look pretty silly for thinking that way, so it's no longer possible to simply disregard that possibility out of hand.

The Weak Hypothesis is that, for instance, the FBI will be able to subpoena your fingerprints from Apple in order to compare them against fingerprints they've collected, when previously they would have had no way of getting your fingerprints short of hauling you in.  Whether or not this could happen depends a lot on how the technology is managed, and it seems more likely than not that Apple will store the fingerprint data on the device in a way that precludes remote access.  But Apple has done stupider things before, and trusting their commitment to privacy is probably not a good strategy.

So, to close the loop, a network-effects-privacy-impact might look something like this: Apple's introduction of the fingerprint reader to the iPhone 5S lowers cost and social barriers to similar devices, and we start seeing fingerprint scanners not just on phones, but on laptops, cars, at the airport, and even at the gym.  Oh, wait...

*The same argument doesn't necessarily hold for things like cigarettes though: sale and consumption of cigarettes imposes externalities on people who don't consume them, in the form of second-hand smoke, and increased public healthcare costs.  Even if the sale of cigarettes is evidence that the community approves of cigarette consumption in and of itself, the effects on others have highly complicating moral effects.  This is why it's important to establish whether there are network effects in deciding whether there's a moral aspect.


  1. Have we established that your fingerprints, face shape, and other biometrics are actually private data? You are leaving fingerprints everywhere you go.

    I'd like to see the argument explaining how verifying your identity (whether or not you are present) is actually private.

  2. Actually, Todd, I agree. I didn't really get into it above, but I think there are two arguments you can make:
    1) Apple having biometric information about me is, ipso facto, an intrusion into my privacy. This is weak sauce, because Apple has a LOT more personal information about me (which they can sell, divulge to the government etc) that is far more valuable.
    2) I think the real argument goes something like: the government thinks I'm bad, and wants to tie me to a crime, so instead of following me around and lifting my fingerprints from my doorknob, which is labor intensive, they can easily ask Apple for 10,000 people's fingerprints, including mine, and compare them against whatever crime scene or bomb fragment or typewriter they wish to match against. Worst case scenario, the FBI receives every fingerprint ever used, and they now have fingerprints for millions of citizens who have never done anything wrong and have no reason to have submitted them.

    In the end, privacy is a tricky issue, and some people just like more privacy than others about their identifying information.

    That said, Apple's latest claims about the data (that it's not stored in the cloud at all and will not be accessible by them) make these scenarios highly unlikely, assuming you're the kind of person who takes them at their word.