First published: 10th December 2010
This is the speech made by Yui Kee Computing Chief Consultant Allan Dyer at the The Professional Commons' Open Forum on Privacy.
I think the biggest issue with this Legislative Proposal is what is left out. I'm talking about the complex relationships between Copyright, Privacy, Obscenity and Free Speech. The Information Age has changed things in ways we do not yet fully understand, and our laws on all of these cannot cope.
For example, when intimate pictures are published, what could or should be done? Credit to Edison Chen for raising this err... point. Under our current legislation, there is no protection for the subject of the pictures. The photographer has copyright, but is copyright appropriate? Copyright is a contract between the creator of an artistic work and Society: the creator gets time-limited rights to make money, and Society gets the work in the long run, but intimate pictures are not intended to be published.
My thought is that the Data Protection Principles fit this case very well. Take a look at Principle 3 - personal data should be used for the purposes for which they were collected or a directly related purpose, so distributing to strangers on the internet is forbidden, unless the subject gives permission. That matches how I would like the law to protect this type of information. The problem, however, is enforcement. All the Privacy Commissioner can do at the moment is to issue an "enforcement notice", then, if the offence is repeated, the offender can be prosecuted. Why do you need to leak private information TWICE – once it is leaked it stays leaked.
Once a leak has happened, the damage is done. Therefore there must be a deterrent punishment. What surprises me is that the Commissioner has even shied away from issuing an enforcement notice – I'm talking about the results of the investigation into the Octopus Rewards Program. In that case, the information was sold to third parties for millions of dollars, yet apparently it was not likely that a contravention would continue.
So now we come to economics: information can be worth money. Who has a supermarket loyalty card? Do you realise how much valuable information about your family's shopping habits you are giving out? Of course, it is a trade, I get 0.2% discount, they get to know more about how I shop than I know. Hong Kong is known for its free market economy, but, any economist will tell you, markets are efficient when buyers and sellers have the same level of information. If I was a supermarket, I would be planning to put RFID chips in the loyalty cards, and update the prices as you approach the shelves.
It is not just supermarket economics. I predict a crisis in the health insurance market. All insurance is based in ignorance: neither the insurer nor the insured knows what is going to happen, so the insurer sets the premium according to the probabilities. Too much knowledge destroys that, and medical science and information technology are providing that knowledge. Already, genetic factors involved in many diseases are known, and more are being discovered and DNA sequencing is becoming cheaper. Will we be required to provide a genetic sample when we apply for health insurance, and some people get very low premiums (they are not at risk), and others get unaffordable premiums? DNA is personal information, how much more personal can you get? Do we want privacy laws that prevent insurers demanding a sample? What if an insurer takes your enquiry form and carefully processes it to recover DNA from the sweat left by your fingers?
One of the things the consultation asked was whether "sensitive" data should be given greater protection. I don't think you can divide data by sensitivity. It depends on how the data is used. I constantly shed DNA, as dead skin cells, without worrying, until someone uses my DNA to decide my health insurance premium. I do not find my HK ID card number to be embarrassing, I hold birthday parties, and even tell people my mother's maiden name. These are not items of information that need to be kept secret. Until, of course, some idiot who knows nothing about security decides that they can be used to authenticate my identity for something, like activation of my credit card or access to my phone records.
I would like to see this mis-use of personal data as supposedly "secret" authentication tokens stamped out. The practice always was insecure, but we have increasing repositories of shared personal information that can be searched by strangers. I'm talking about social networks. A friend posts a remark about how much fun their had at your birthday party, and suddenly a criminal has the last piece of information they need to mis-use your credit card.
We need a review that takes a holistic view of how laws should control the Information Society we are building.