I Don't Want To Be A Nerd!

The blog of Nicholas Paul Sheppard

Chasing wild geese in search of privacy

2015-02-20 by Nick S., tagged as privacy

There's been a bit of a stir recently concerning the behaviour of Samsung televisions. Samsung's privacy policy for its Smart TVs was reported to allow voice captured by the television to be sent to a third party for processing. The open-ended wording of the policy led to some speculation that the television could be used like the "telescreens" used to watch over citizens in Nineteen Eighty-Four.

According to The Conversation's David Glance, there's really nothing to worry about; the television just sends the recording to an on-line system able to perform voice recognition, which the television does not have sufficient resources to do itself. Other well-known voice recognition systems for consumer electronic devices do the same. Samsung itself quickly revised its privacy policy to clarify this point.

The episode illustrates weaknesses in two very different, but well-publicised, approaches to privacy: the privacy policy, and privacy-as-secrecy. The first is notorious for being unread by users who have no real choice but to accept it anyway. The second, which focuses on secrecy as the proper way to deal with data, led to fantasies of Big Brother setting up shop in a Korean television factory.

I suppose that folks who hold that privacy is secrecy see themselves as ever-vigilant against the kind of abuse that might result from exploiting loopholes like that created by Samsung's open-ended wording. This might be fair enough as far as it goes. But a large part of the problem with the original privacy policy was a preoccupation with where data is stored rather than what is done with it. The original wording told us that data would be sent to a third party, permitting everyone to imagine the third party that most exercised their minds, instead of explaining the actual functioning of the system.

So far as I know, no one has suggested that anyone at Samsung exploited the loophole, only that Samsung's privacy policy needed clarification. But since hardly anyone reads or takes action on privacy policies anyway, will anyone benefit from the clarification? What users really need is trust that data will only be used to provide the service they've asked for, not a technical guide to distributed computing.

Imagine that, every time you bought an item of food, you were expected to peruse the grower's and/or cook's "edibility policy" to determine whether or not it was up to your personal standards of non-poisonousness. (People with allergies do do something like this, and I don't envy them.) Personally, I much prefer the system of regulation by which eaters can trust that all food offered for sale is edible.

I suspect that most of us are hoping that privacy works much the same way when we click through privacy agreements: we presume that any reputable company is only going to use data in ways that we'd expect. Maybe they actually do, most of the time, but no one would ever know because it's buried in legalese.