by Ben Kamis
Martin, my most cyber-literate colleague and all-around nice guy, recently posted about privacy, arguing that privacy is something categorical that can be protected or violated, not just a word to describe certain practices of divulging or withholding and always as a question of more or less. Here I’m going to reply that he’s right in a certain context, but that context doesn’t go far enough, and so neither does he. Along the way, I hope to explain some differences between how people are conceived in modern and post-modern philosophy, and why privacy is actually a huge deal with very important consequences in certain conceptualizations of security, especially in the context of cyberspace. I’m setting the bar pretty high, so I’ll try to keep it short and sweet, which also means that I’m going to be taking some huge leaps that would normally require a lot more careful argumentation. But this is definitely an important question, and the answer will hopefully be interesting.
How you look at privacy has a lot to do with how you conceive of human beings. In European pre-modernity, which is the historical origin of our current conception, individual humans were subjects under God and aggregated in an ecclesiastical congregation to achieve salvation individually and collectively as a species, the only species God modeled after Himself. People were what God made them to be, and any fine details that had to be interpreted further were the responsibility of the clergy. The only thing that’s relevant here to the context of cyberspace is that there was no privacy before God. Even though people had to tell God their secrets in the sacrament of confession, He would have known anyway.
The modern view started with Descartes, who made the individual capable of recognizing and constituting itself, and it progressed through Kant, who made the individual autonomous. Autonomy means roughly ‘self-ruled’, so this pretty much set people free from the path described by theology and made them responsible for and free to determine their own paths. Now we can speak of ‘the subject’, which isn’t too far from its grammatical meaning of the thing a predicate is predicated upon, the thing that is moving or doing or being in any statement. Modernity was selling an autonomous subject, which means that the actors in question are free to determine things for themselves.
In cyberspace, this corresponds pretty much to the ‘digital self’. It’s common knowledge that there is a whole gamut of data about all of us in cyberspace, about our income and expenses in commercial and government servers, about our contacts and communications on email and cloud servers, about our work and hobbies, about our interests and experiences, etc. Put all of this together, and the result is a parallel person composed of data leading a parallel biography in the digital world. It’s all more or less about ‘real’ people, but it doesn’t cover everything about them. For example, my digital self likes Gyorgi Ligeti, just like I do, but Digital Ben’s mind wasn’t blown when he heard some of his more experimental stuff for the first time, because Digital Ben is just data and correlations without subjective experiences.
Martin’s argument that privacy is categorical is exactly right in terms of digital selves and autonomous subjects. On that level, he and the Wired article he criticizes are on the same page in that they conceive of the subject similarly as an autonomous agent and master of her own data. The real person behind the data is and should be the final owner of the data, and maybe s/he can trade it with a social media or email provider for certain services, but this should be considered more of a lease that can be terminated than a transfer of ownership. No corporate or governmental body should be allowed to contribute to your digital self’s biography against the wishes of the real person that corresponds to it. Security is a question of digital-self-defence. In a cyberspace of digital selves, autonomy means being able to control the data that constitutes the self, just like autonomy in meatspace means being able to choose the rules that the self will follow and the acts that the self will commit. Starting here, the outrage over the NSA’s abuses of technological power and various corporate abuses of user gullibility makes perfect sense as a violation of that autonomy. God watched and judged as the source of all rights and the arbiter of good and evil; the NSA imputes to itself the right to watch, which implies judgment on some implicit standards of good and evil. In this mode, Martin’s argument is right on.
But the modern conception of the subject was hardly the last word in the matter. There’s also the post-structuralist view that there is no such thing as a free-standing subject, free to make decisions out of context. Rather, every subject exists in a web of social relations and has any number of socially determined statuses and roles attributed to it. It just wouldn’t make any sense, for example, to say that a wealthy, white, middle-aged banker who grew up in a western metropolis with parents who themselves had noble titles* and a dalit hijra who grew up as an orphan in a Dhaka slum are both autonomous in the same way. Social relations and institutions pre-determine the terms of anyone’s subjectivity in terms of what that subject can conceivably do and know and be.
Just as the autonomous subject of modernity corresponded to the digital self in cyberspace, the subjectified individual of postmodernity corresponds to the ‘virtual self’. The idea of the ‘virtual self’ recognizes that there is no neutral, autonomous way to manage data in cyberspace that doesn’t also affect the social relations of the subject and, in consequence, its subjectivity. The virtual self is the composite of the digital representations of the self and their interactions with the ‘real’ subject. For example, if a user’s social media presence were deleted, that person might feel violated, robbed, even though the autonomous decision-making self is whole. The digital self was amputated, the ‘real’ subject persists as before, but the virtual self combines these to include the real subject’s attachment to the digital representations of it.
So how does this change what privacy and its protection means? Let’s use a fashion analogy. Imagine various levels of privacy protection in terms of women’s fashion. Privacy ranges from burqa-privacy through chador-privacy to pants-suit-privacy to mini-skirt-privacy to one-piece bathing suit-privacy to bikini-privacy to birthday-suit privacy,** which would approximate’s Zuckerberg’s ‘frictionless sharing’. This should make it clear that there is no neutral way to set privacy settings. Every choice, from burqa to birthday suit, also communicates some message about the subject in light of prevailing social institutions, and this changes the subject's position, role and status in those institutions. Not participating in social networks or using a secure browser or encrypted proxy connection isn’t a free act to defend some pre-existing self, it is a response to certain social institutions, and meanings will be attached to these practices that will change who the subject is considered to be and how that subject can relate to others. Privacy is not categorical, it is one way of characterizing acts that modulate the character of the virtual self.
So what does this have to do with security? The security of modern subjects tends to focus on their physical integrity, often supplemented with some rights and freedoms. This means that privacy as a security issue relates to the protection of rights in a legal sense. Because the subject has a right to privacy, others have a duty not to violate that subject in terms of endangering its physical safety (i.e. not divulging information that could put it in physical peril), and not violating its right to manage its data autonomously, or at least to contest the accuracy and ownership of its representations.
For the post-structural virtual self, security is somewhat more fundamental. Steele has the concept of ‘ontological security’, which is the impulse of a subject to protect their sense of self, who and what they represent themselves to be to themselves. Although he applies this concept to states and draws its origins from Anthony Giddens's sociology, it makes more sense applied to individuals and as an extension of psychoanalytic ideas relating to ego-defence. Let’s avoid that digression, however, and focus on the point, which is that the security implications of privacy are much more complicated than just a question of who has access to what data relating to whom on what grounds. Instead of just affecting one’s digital self, privacy violations would constitute violence against the virtual self, including both the digital and ‘real’ subjects. If the NSA looks under the privacy burqa, the shame is real. The subject’s representation of herself as a chaste and pious user is raped. By being sucked into the NSA’s dataset, a part of her is also kidnapped. Sending an email that she knows will be intercepted is like walking down the street to visit a friend and getting fondled by strangers along the way. Clearly, her virtual self’s interactions with these social institutions is going to change how she sees herself in corrupt ways, and how she is and can act in the world is going to change radically because of it. In ontological terms, she’s about as insecure as she can get.
Of course, this puts certain corporate narratives about careless users being at fault for the abuses to their data in a different light. The bikini-wearers were asking for it. The NSA and other security agencies’ narratives about doing it to protect certain superordinate social values amounts to saying that these violations are required to protect the social order that sanctions these violations, and daddy knows best. It’s not that I disagree with Martin’s outrage; I wonder whether he’s outraged enough.
If this sounds extreme, consider this thought experiment. What would seem like a bigger violation? A) a hacker or government agency downloads your browser history and keystrokes, so that they know what you've seen and read, how much you have in your bank accounts, and with whom you've communicated, but they don't change anything or B) they hack into your social media profiles and email accounts and communicate with your contacts as if they were you, spreading rumours and misinformation? (A) would be a violation of your digital self's privacy. (B) would be a violation of your virtual self's identity.
Returning to the original question of what privacy is, it’s not just categorical. It’s a condition of being for virtual selves, and violating their security is tantamount to annihilating their subjectivity.
*Did you assume I was talking about a man? If so, you kind of proved my point.
**Does this seem like an extremely gendered, sexualized and enculturated analogy? You’re catching on.