Much ink has been spilt over personal privacy in the modern age – most of it has been over whether we have any expectation of personal privacy in our lives. I emphasize the word personal because it is generally agreed that it would be nice if we had personal privacy. That is, I really do not want my credit card data, my health data and my banking information splattered all over. Without getting too far into this, I can agree that many of us have made the affirmative decision, wittingly or unwittingly, to broadcast a ton of personal information about ourselves on the Internet through Facebook, Foursquare and the like. The argument is generally about whether we have any hope of maintaining the privacy of our personal information in this day and age.
But that is not what interests me about Assange and his potential copycats. The area of privacy that Assange has threatened is more corporate privacy. I should say enterprise because this would include government and nonprofit but corporate privacy sounds better.
Assange, as we know, has facilitated the dissemination of private enterprise communications for all the world to see. His motivations are very clear; he seeks to expose wrongdoers by providing evidence of evil deeds. For the sake of argument, let us agree that, in the words of Richard Nixon, “mistakes were made” by the enterprises exposed by Mr. Assange. Let us also assume, for the sake of argument, that Mr. Assange’s motives were pure and he does this for the sole purpose of punishing the wicked and discouraging bad behavior in the future. While I have not met Mr. Assange, I actually have no reason to doubt this.
My question is this: do we have any right to or expectation of corporate privacy?
This is a trickier question than one of personal privacy. Almost all enterprises have policies that explicitly state that our communications over media owned by them (e.g. E-Mail) are owned by the enterprise. Having said that, there is an implicit expectation of the confidentiality of certain communications between parties in the corporate world.
Some examples come to mind where corporate privacy is beneficial to us as a society.
- Communications About Personnel
- Personal Information (e.g. Health Information)
- Corporate Secrets
- Sensitive Information
Now I am sure that Mr. Assange would agree with most or all of these points. I have never met Mr. Assange and can’t state with any certainty how he would respond but a possible response would be that he should be trusted to weigh these risks and decide what should and should not be published based on the benefits of the dissemination and the potential harm.
I would also point out that we are entering a brave new world of whistleblower disclosures. Journalists have long reported on instances of whistleblowing but they very carefully extract documents as opposed to disseminating vast quantities of microdata as Mr. Assange has. Additionally, journalists (at least in the US) are exposed to potential litigation if they cause harm by their actions. Mr. Assange has intentionally (by his own admission) set up in jurisdictions to minimize his risk of litigation.
My question is, is that really how we as a civilized society (or at least a society striving to be civilized) want a decision that has potentially significant impact on corporate privacy to be made?
For the sake of argument, let’s look at another decision that we make. Punishment. There are millions of criminals in this country and others that violate the understood morals of the society in which they live. Do we allow individuals to decide to punish them? If I see someone stealing an old woman’s purse, do I grab him and lock him in my basement? Of course the answer is no. We have a codified system of laws and a judicial system made up of individuals who effect judgement and punishment of criminals. We do not leave these decisions to individual people or groups of people.
One can argue that Mr. Assange is basically a whistleblower (or a facilitator of whistleblowers). A whistleblower is someone who reports wrongdoing. There is some degree of legal protection for whistleblowers both in the US and internationally and I am personally certainly on board with the idea of exposing evildoers.
I guess that my question is whether dumping E-Mails on the Internet is the optimal way to do this. The question is, is there a better solution? The irony is that I think that the security community has actually already come up with a better solution. When a security researcher discovers a vulnerability, most will contact the vendor. The vendor is supposed to investigate the claim and create and release a patch before the researcher releases the exploit. Now this system doesn’t always work perfectly but it at least allows the responsible party to do the right thing before the world knows that their system can be hacked.
Maybe this is a better model for whistleblowers. If a crime is committed, the evidence can be sent to the appropriate government authorities with a reasonable deadline for action. The government should be able to act while using its resources to scrub the communications and minimize the damage to corporate privacy. If the government fails to act and cannot convince the Assanges of the world of their reasoning, then all bets are off. This problem, of course, becomes much trickier if the wrongdoer is the government but the government does have mechanisms to investigate itself. This idea is admittedly a Devil’s Bargain but it may be better than the situation we find ourselves in today. If Mr. Assange and his imitators continue to have success, it may be better for governments to try to strike deals with them rather than risk widespread dissemination of confidential information.