This is still very much a draft. Comments and reactions are welcome. Here’s the link to the full paper @ SSRN. The abstract is below:
It has become cliché to observe that new information technologies endanger privacy. Typically, the threat is viewed as coming from Big Brother (the government) or Company Man (the firm). But for a nascent data practice we call “self-surveillance,” the threat may actually come from ourselves. Using various existing and emerging technologies, such as GPS-enabled smartphones, we are beginning to measure ourselves in granular detail – how long we sleep, where we drive, what we breathe, what we eat, how we spend our time. And we are storing these data casually, perhaps promiscuously, somewhere in the “cloud,” and giving third-parties broad access. This data practice of self-surveillance will decrease information privacy in troubling ways. To counter this trend, we recommend the creation of the Privacy Data Guardian, a new profession that manages Privacy Data Vaults, which are repositories for self-surveillance data.
In Part I, we describe the emerging data practice of self-surveillance, which has been enabled by various new measurement and communication technologies. We explain how self-surveillance can produce substantial benefits to both the individual and society, in both intrinsic and instrumental terms. Unfortunately, such benefits may never be achieved without substantial privacy costs.
Part II makes threshold clarifications about those privacy costs. It proffers two different metrics by which privacy might be measured and explains why the rise of self-surveillance will entail the net loss of privacy under either metric. We also point out that the problem of self-surveillance (our surveilling us) is, fortunately, more tractable than related privacy problems, such as third-party surveillance of us and our surveillance of third-parties.
Having cleared this brush, we turn to our central proposal – the creation of the Personal Data Guardian, a professional whose job it is to maintain a client’s self-surveillance data in a Personal Data Vault. In addition to providing technical specifications of this approach, we outline the specific legal relations, which include a fiduciary relationship, between client and Guardian. In addition, we recommend the creation of an evidentiary privilege, similar to a trade secret privilege, that protects self-surveillance data held by a licensed Guardian.
Finally, Part IV answers objections that our solution is implausible or useless. We conclude by pointing out that various legal, technological, and self-regulatory attempts at safeguarding privacy from new digital, interconnected technologies have not been particularly successful. Before self-surveillance becomes a widespread practice, some new innovation is needed. In our view, that innovation is a new “species,” the Personal Data Guardian, created through a fusion of law and technology and released into the current information ecosystem.