Am I nothing but net? Tasuku Mizuno 2020.02

Data Privacy and the Future of Identity

The Data Double and Identity

In January and February 2021, 2 workshops by YCAM + Kyle McDonald, "Am I nothing but net?" was held in January and February 2021. This workshop was positioned as the first public event as part of the three-year research and development project Sakoku [Walled Garden].

The workshop consisted of two major activities and feedback/discussion about the experience. The first was an activity using a special browser called the "Sakoku Browser". Participants were asked to answer questions prepared by YCAM as quickly as possible using the "Sakoku Browser," a browser with a Google search-like appearance. However, this special browser uses a so-called "man-in-the-middle" (MITM) technique to get in between the user and the Internet and tamper with the communication. For example, certain keywords and numbers in the search results are rewritten, or the 20th page of the search page rank is displayed first, making it impossible for the participants to reach the answers as they wish. This kind of processing, if done without the participants' consent, could violate the "secrecy of communication" and privacy protected by the Constitution, the Telecommunications Business Law, and the Unauthorized Computer Access Law. This activity through the "Sakoku Browser" will make us realize how much we rely on Internet searches to make decisions, and how much we trust search results without thinking.

The second activity was a web application called "Sakoku Explorer". In advance, participants download their data using tools provided by Google and Facebook for the users themselves to export user data. These tools, called "data portability tools," were prepared by the organisation like Google and Facebook after the GDPR came into effect as a function to realize the data portability right stipulated by the EU's GDPR (General Data Protection Regulation), which allows users to obtain their personal data and transfer it to other services at their will. When participants uploaded their personal data collected by Google and Facebook to the "Sakoku Explorer," their activities on each service were visualized in easy-to-understand infographics. Of course, these personal data collected by Google and Facebook are regulated in Japan by the Personal Information Protection Law, which stipulates the obligations of private businesses to handle personal information appropriately, and by the right to privacy guaranteed by the Constitution. However, by visualizing again the vast amount of data that we are not even aware of, all the participants were amazed at how much they know about me that I do not know.

The theme of this workshop is "Am I nothing but net?". As you can see from the title, the theme of this workshop is the way information is handled on the Internet today, especially the way information about individuals is handled and the issue of so-called "data doubles". A data double is an alter ego created by data, and information processing systems create a separate identity outside of the individual.1 These days when networked information processing systems such as the Internet are constantly connected by cloud computing, we are producing data doubles on the Internet every second of every day, but we cannot grasp the existence and content of these data alter egos. Besides, these system networks do not only create identities that are different from my own, but they also have the ability to understand my behaviour and to control my actions, analyze, predict, and guide. The data double reverberates in the formation of our own identity by predicting and guiding not only our behaviour but also our desires.

Overview of the Dynamic Legal System

The debate on the legal system for the handling of personal information and privacy is very dynamic as of 2021, so we would like to provide an overview rather than a detailed explanation of the system.

In the EU, the GDPR, which I have already mentioned, was enacted in 2016 to strongly allow individuals the right of self-determination in the handling of personal data, and this powerful rule has had a significant impact on the legal systems of other countries.

In the U.S., the CCPA (California Consumer Privacy Act) was also passed in response to the EU's move to give individuals more control over their personal data. Also, among the platform companies, GAFAM (Google, Apple, Facebook, Amazon, and Microsoft), the idea that the right to self-determination of information is one of the basic human rights is beginning to spread (at first) as self-regulation different from the legal system, especially among Apple and Microsoft. The idea that the right to information self-determination is one of the basic human rights is beginning to spread (at least superficially).2

In China, the historical background and traditional moral values that have not placed much importance on the debate on privacy and personal information, and the fact that there is still no general law on personal information protection, have led to an environment that is easier to accept new technologies with privacy risks than in other countries. On the other hand, the Internet Safety Act enacted in 2016 defines "personal information" at the legal level for the first time, and various laws have been enacted in different fields. In Japan, as mentioned above, there are various legislations for private use.3

In Japan, as mentioned above, the Personal Information Protection Law is the main regulation for the handling of personal information, and since the law is subject to review every three years, it has just been revised in 2020 to strengthen the rights of individuals in response to the GDPR.

In general, as represented by the phrase "Data is the new crude oil of the 21st century," foreign countries are eager to realize innovation through the utilization of data based on the premise that data has a growing economic value. At the same time, the EU is rushing to develop legislation to ensure the proper protection of personal information on the Internet. In this context, the EU is taking a unified approach to data privacy legislation, while the US is taking a situation-specific, individual rules, market-based approach, and a voluntary code of conduct approach to this issue. This is said to be mainly due to the U.S. ideology that prioritizes freedom of speech and expression.4 Besides, with the exception of China, since the Cambridge Analytica case, it has become clear that an individual's propensity to vote can be easily hacked by digital platforms, and there is a tendency to reevaluate the idea that proper protection of data privacy contributes not only to the legal interests of the individual but also to the public interest of a sound democratic foundation. This is a trend.

The Future of Data Privacy

The Internet has been hailed as a device that accelerates the free flow of information, i.e., freedom of expression and the right to know as its flip side. However, the data privacy issue we are facing now is how to balance the two legal interests of a free circulation of information and the right to self-determination of personal information, which can easily be traded off. This conflict is becoming more acute as it becomes clear that being constantly connected to the Internet has become the norm, that "freedom to get off the Internet" is not secured, and that the public interest aspect of privacy, as mentioned earlier, is also essential to the realization of democratic values.

As we become increasingly digitalized, the real and the digital become more integrated, our real selves will be grasped, analyzed, and predicted as data more than ever before. As a result, personal identity and the construction of relationships with others will shift from physical to digital-centric. From the perspective of ensuring the dignity of the individual and the formation and development of one's own personality, there will be an increasing need to protect the right to self-determination of information about the individual as a fundamental human right. This is the direction in which the GDPR, CCPA, and some of the platforms such as GAFAM are oriented.

On the other hand, in an advanced information society that requires high-speed, high-volume information processing, we have to be sceptical about the effectiveness of consent and the quality of decision-making regarding the handling of information about individuals. It is also clear that relying on individual consent alone is not sufficient to properly protect information about individuals.5 The "post-privacy" debate is also gaining ground. The post-privacy debate is premised on the sense of a generation that has been "monitored" on the Internet since birth and does not care about privacy, and the idea that a better society can be realized if transparency is thoroughly pursued, the "death of privacy" is actively accepted, and everything is shared openly. On the other hand, there are a variety of approaches, including those that aim for technological solutions to current privacy problems through the evolution of anonymizing technologies.6 Data sharing by the government in China seems to have some influence as a model of a happier world that actively accepts a certain kind of "death of privacy" (in this way, the choice of a nation and its people to choose "happiness" over "freedom" is becoming a larger option in the Corona disaster transition). (Thus, the choice of a nation and its people to choose "happiness" over "freedom" has become a greater option in the Corona disaster). On the other hand, some would argue that China's very existence reveals a fatal flaw in the post-privacy debate, in that it can undermine democratic values.

How to solve the aporia of privacy? Privacy itself is a rather fluid and continuous solution to a social problem that is in constant flux. As such, there is no simple solution to the problem of privacy, and perhaps we should not seek such a simple solution.7 Even if there were, the only thing we lack to determine what stance to take on data privacy is a basic knowledge of how the Internet works, how it collects and uses our information. That's for sure. During the workshop, one of the student participants said, "I wish I could have lived in a time without the Internet. We are already tamer than we can imagine, but we need to keep thinking about privacy without stopping. If we are to choose the "death of privacy," it should at least be a deliberate choice, not a lazy one. Sharing and discussing activities through artworks, such as this workshop, might be a powerful means of nourishing literacy to continue to think about the aporia of privacy, rather than seeking a single right answer for the handling of personal information on the Internet. It is a powerful tool for nourishing literacy to continue thinking about the aporia of privacy.

The theme of this workshop is "Am I nothing but net?" As you can see from the title, the theme of this workshop is the way information is handled on the Internet today, especially the way information about individuals is handled and the issue of so-called "data doubles". A data double is an alter ego that is created by data, and information processing systems create a separate identity outside of the individual.

Masahiro Sogabe and Tatsuhiko Yamamoto, "On the Right to Control One's Own Information" (Information Law Research No. 7, 2020), p. 128 https://www.jstage.jst.go.jp/article/alis/7/0/7_128/_pdf/-char/ja. For example, Apple will distribute a PDF titled "A Day in the Life of Your Data" in January 2021, which will provide a simple introduction to how information about individuals is handled on the Internet (https://www.apple.com/privacy/docs/A_Day_in_the_ ( Life_of_Your_Data.pdf).

Reference taken from Takeyuki Matsuo and Hu Yue, "Privacy and Personal Information Protection in China," & (Personal Information Protection in the ICT and AI Era, edited by Naoya Bessho)

Meg Letta Jones, Ctrl+Z: The Right to be Forgotten (Keiso Shobo, 2021), p. 12.

The view that emphasizes the "big self-determination" of which platform or network to entrust with the operation and management of one's own information, rather than individual consent to process information (Sogabe and Yamamoto, note 2 above, p. 134), or the view that privacy should be replaced or supplemented by privacy as trust or fiduciary duty to the platformer (Jack M. Balkin, "The Fiduciary Model of Privacy", Harvard Law Review Forum Vol. In addition, there is a view that privacy should be substituted or supplemented as a fiduciary duty (Jack M. Balkin, "The Fiduciary Model of Privacy", Harvard Law Review Forum, Vol. 134, No. 1 (Nov. 2008), p. 134). 134, No. 1 (November 2020) https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3700087. Kunifumi Saito, "Privacy Protection as a Fiduciary Duty" (Journal of the Institute of Information and Communication Engineers, Vol. 36, No. 2, 2018) https://www.jstage.jst.go.jp/article/jsicr/36/2/36_127/_pdf/-char/ja) is also available. In addition to these, information banking systems that predict a person's privacy preferences and support data management and decision-making on behalf of the person, and personal digital twins, such as AI agents, that substitute or supplement consent are also attracting attention.

Approaches such as differential privacy and data obfuscation are gaining attention.

Finn Brunton & Helen Nissenbaum “The Fantasy of Opting Out” https://thereader.mitpress.mit.edu/the-fantasy-of-opting-out/

Tasuku Mizuno

Lawyer/Attorney at City Lights Law in Tokyo, specializes in Tech, Art and Design Law. He is also a board member of Creative Commons Japan and Arts and Law, a Part-time lecturer at the University of Tokyo and Keio University SFC, and a jury for the Good Design Award. He is the author of the book "Legal Design - Accelerating Creativity and Innovation through Law" and the co-translator of "Open Design".

Twitter : @TasukuMizuno