Analyzing privacy in a surveillance society: from biometric ID card to social media

Pirongrong Ramasoota

Upload: brett-norton

Post on 13-Jan-2016


Page 1: Analyzing privacy in a surveillance society: from biometric ID card to social media Pirongrong Ramasoota


Page 2

Brief background about Thai society and privacy

A long-standing surveillance society
• Ancient system of wrist-tattooing for manpower control
• Citizen ID card a staple since 1940s and biometric technology incorporated since 1990s

An emerging privacy regime in a political divide
• Personal data protection law under consideration since 1990s but never enacted
• Abuses of dissidents’ privacy politicized amidst color-coded conflict and clashes

Page 3

Evolution of citizen ID cards in Thailand – 1913, 1963, 1988, 1996, and 2005

Page 4

Lessig’s code: adopted framework for analyzing privacy

• Lawrence Lessig. 1999. Codes and other Laws of Cyberspace. New York: Perseus Books.

Page 5

Four regulators
• norms constrain through the stigma that a community imposes
• markets constrain through the price they exact
• architecture constrains through the physical burdens it imposes
• law constrains through the punishment it threatens

The case of the cigarette

Page 6

Page 7

Case of biometric ID – analytical dimensions

• Unique context of privacy
• Stakeholders
• Issues surrounding surveillance/privacy regime

Page 8

Unique context for privacy – biometric ID

Norms
• Paternalistic state and disciplined citizens
• ID card as “necessary” means of identification and authentication, while personal data collected for civil registration is rationalized on grounds of election

Law
• Privacy as constitutional right, with multiple privacy-related legislations for different sectors (health, banking, FoI, etc.), but lacking a comprehensive law
• Civil registration law enables aggregate data collection and sharing across government departments, agencies of government, and contracted private sectors
• New National ID Card Act enforced on 7-year-olds to ward against illegal immigrants

Market
• Unchecked sales, duplication and sharing of personal data, esp. digitized data, as well as function creep

Architecture
• Centralized civil registration database and smart ID
• Two biometrics – fingerprints and biometric picture – used and shared in government’s UID projects
• No built-in mechanism preventing merging of data across different databases

Page 9

Strict screening

Provincial authorities are taking steps to ensure the new ID cards for children are not issued to the offspring of foreign migrant workers.

Page 10

Stakeholders in biometric ID card in Thailand

• People – as citizens and service beneficiaries
• Government agencies
• Public administrators
• Politicians
• Procurers – vendors and suppliers
• Design and IT developers
• Businesses

Each has different expectations with respect to privacy intrusion, data security, accuracy, and retention, and can also play a different role in their respective spheres to drive or impede privacy/data protection.

Page 11

Other issues surrounding biometric ID card in Thailand

Prevailing discourse
• Technology and policy for modernization and efficiency of public services
• Reliability of biometric technology and authentication
• National security
• Focus of media probing on discrepancy in card procurement rather than privacy dimensions

Problematic controls of data privacy
• Control over unauthorized access to personal info
• Control over secondary use of info

Data aggregation and identity construction
• Govt and commercial organizations aggregate data across different transactions and databases to compile new digital identity of users

Page 12

SNS and surveillance

Social networking thrives on surveillance and directly subverts individual privacy. SNS’s existence and business model depend on individuals’ voluntary (and sometimes inadvertent) revelation of detailed personal information and their activities to “friends” and corporate-owned sites that aggregate and mine their information for commercial purposes (Regan & Steeves, 2010)

Page 13

Unique context for privacy – SNS in Thailand

Norms
• SNS participation through disclosure of one’s identity as well as through exchanges/mobilization
• Interface between freedom of expression and privacy in SNS environment
• Local research shows social learning increases with length of use

Law
• Facebook is regulated under Californian law
• Thai computer crime law enables taking down websites, intermediary liability, and data retention

Market
• Ambivalent privacy policy procedures to protect users’ personally identifiable information
• Local OSPs heightening traceability regulation as a result of computer crime law enforcement

Architecture
• Third parties like “friends of friends” inadvertently access users’ profile information, messages and pictures through RSS feeds or through a Web browser
• Easy ‘searchability’ of users’ digital trails via interactions makes this information susceptible to inappropriate use by third parties

Page 14

History of Miss Jane Doe – detailing her real name, address, her parents’ name, their profession. Items 1. to 5. listed her academic background, her being expelled from school for lèse majesté, her participation in the red-shirts’ rally, and her constant posting of lèse majesté content on her Facebook wall.

Cyber-witchhunting via privacy abuse became politicized

Page 15

Content regulation in computer crime law

Section 14 of the law defines as offences the import into a computer system of such type of content:
• forged computer data, false computer data, in a manner that is likely to cause damage to a third party or the public;
• false data in a manner likely to damage national security or to cause public panic;
• data constituting an offence against national security under the Penal Code; and
• pornographic data in a manner that could be publicly accessible.

Section 15 provides that service providers who knowingly or allow the above offences to take place in their service are subject to the same penalty as offenders – intermediary liability

Page 16

According to the law, competent officials are allowed to
• summon alleged party to appear
• request information and evidence,
• duplicate, decrypt, censor, access computer information
• confiscate or freeze computer system.

Page 17

Traceability regulation

Due largely to the enforcement of the computer crime law, ISPs and online service providers (OSPs) – those that host social networking services, blogs and websites – have increasingly set up a system that enables “traceability regulation.” To access content and services on these websites, users are required to provide some sort of ID or certification first.

With the availability and widespread diffusion of citizen ID number, many OSPs require that users submit a scanned copy of their ID card upon first subscription.

Lawrence Lessig describes “traceability regulation” as a requirement by the state for service providers to employ software that facilitates traceability by conditioning access on the users’ providing some minimal level of identification.

Page 18

Timeline of Facebook’s privacy policy

Year | Type of info | Visible to
2009 | All types of personal info submitted to FB | Only those who belong to at least one of the groups specified by users in privacy settings
2006 | Information displayed in users’ profile | “friends” from school, specified local area, and other reasonable community limitations that will be determined by Facebook
2007 | Users’ name, school name, and profile picture thumbnail | available in search results across the Facebook network unless default privacy settings are altered

Page 19

Timeline of Facebook’s privacy policy (cont.)

Year | Type of info | Visible to
November 2009 | Information set to “everyone” = “publicly available information” (as defined by FB) | everyone on the Internet; people not logged into FB; third party search engines; other websites that users visit; FB without privacy limitations
December 2009 | “Publicly available info” e.g. name, profile photo, list of friends and pages one is a fan of, gender, geographic region, and networks one belongs to | Everyone
2010 | General Information e.g. name, “friends”’ names, profile pictures, gender, user IDs, connections, and any content shared using the Everyone privacy setting | Everyone

Page 20

Other issues surrounding surveillance/privacy on SNS in Thailand

Prevailing discourse
• Kids (main users of SNS) are privacy illiterate
• Information shared on SNS is self-generated so any risks or loss of privacy should be endured

Controls of data privacy
• Local research on teens shows they take steps to manage their reputation online by curating content they and others post to social media sites. The determination about what to share and what not to share seems to be more important than privacy settings

Data aggregation and identity construction
• Little concern, although practices abound, on third party’s use of their personal information (for commercial or political gains)

Page 21

Policy considerations for privacy

• In order to be relevant, both public and private policies aimed at protecting privacy in both contexts need to consider data subjects’ (citizens in the biometric ID case and SNS users) practices, perspectives, and attitudes towards privacy, which might be different from general assumptions and may vary in different socio-cultural contexts. In other words, evidence-based policy-making, which also needs to cope with the fast changes of technology as well as changing behavior of users

• Public policy makers need to consider the full range of available approaches, not only law, but – importantly – also education. Hence, the emerging privacy protection framework needs to incorporate mechanisms of social learning.

Page 22

Policy considerations for privacy

• In the case of SNS, platform providers have a direct responsibility not only as far as consent and defaults are concerned, but also in terms of educating users, particularly the young ones, about privacy issues

• One key challenge to be addressed by policy-makers in the case of SNS is the question of third-party use (commercial or political) of the data as well as dealing with long-term implication of data sharing, data profiling (including cyber-witchhunt), and data aggregation

• Crisis of privacy abuse could be turned into opportunity to raise public awareness through case studies of real life high-impact stories. But constant advocacy is necessary to make it stick in the public’s mind.

Page 23

• Thank you for your attention