Encryptions "R" Us:
Self-Protection in the Big Corporate Brother Era

Technopolis 1.7, by Michael Jensen
originally published in Breeze, December 1996.

Two columns ago (http://www.michaeljonjensen.com/tech5.htm) I described Informus (http://www.informus.com), the "potential employee validation" site that sells credit checks, nearest neighbors, motor vehicle records, criminal records, worker's comp claims records, and the like to any employer willing to pay a one-time $250 fee, and pay around eight bucks per report, on anyone the employer said s/he was considering employing. A total of $118 will get the employer everything offered.

As I said in that column, it's awful that our privacy is so blithely, cynically, and easily for sale. Awful that a little company can make it so cheap, awful that our county and state governments are allowing any company to get access to our private records, awful that there's not vocal and strident outrage being expressed.

That outrage must motivate us if we are to protect ourselves from a morally ignorant invisible hand reaching into our lives. It's not just our past--our previous address, our educational history--but our ability to escape from our past, to change ourselves, to become more than we were, that is at risk. Moreover, our ability to be ourselves without penalty is at risk.

Here's why: this information, available for a small fee from Informus, is only a tip of what will be possible. Our buying patterns, our life habits, even our genetic maps, are all becoming data to grind in the hopper of commerce. Those with money and power are implicitly asking us to accept that our lives are completely open to them. Not just our actions in the world, but our intentions, our likelihoods, our potentials.

Catch as Catch Can
Technology is far outstripping our ability to keep pace legally and culturally. We don't have social mechanisms for deciding whether it's right to give away our privacy so completely, because it's hard to believe, and is so far away from our day-to-day lives. In a small universe online, discussions of privacy concerns abound, while Informus is open for business, selling your life profile. In academic circles, discussions regarding the ethical imperatives of genetic information are just beginning, while the world of insurance and medicine is already applying that information, acting on it, planning on it.

The human genome--our DNA, the unique core of our physical being--is in the process of being mapped. Already the genetics community has identified genes which indicate a greater likelihood of colon cancer, of skin cancer, of diabetes, of Lou Gehrig's disease. This work is continuing rapidly.

The questions regarding that work are currently focused on two issues--whether doctors have a responsibility to tell us about everything that might happen to us personally as a result of our genes, and whether insurance companies should have access to this information. It's this second issue that scares me the most.

Why I worry is that we see technology move very rapidly when there's lots of money involved. If we now have the means to do genetic analysis in an automated fashion, then I'm reasonably certain that in two years there'll be analysis labs in most cities, and in three years a device that, while expensive, could be afforded by every hospital. In five years, we'll have finger-prick gene analyzers which report back on the genetic map of the blood's owner.

Insurance companies want to have every bit of information they can on the risks entailed with any policy. Though I haven't done research on this opinion, I'd wager a year's salary on it. Already there's conscious, intentional "redlining" of insurance policies based on "previously existing conditions"; what they'll want to do is take every risk factor into account, and redline out those with "potentially existing conditions." Wouldn't you, if you were an insurance company? It would decrease so much those expensive health conditions which health insurance companies like to avoid.

They may do it this way: offer you a much reduced premium on your health insurance, but only if you submit to genetic testing. Like buying a used car if you have "approved credit," there would be no guarantee of receiving a policy, only a promise of cheaper insurance if you have an "approved genemap."

In the future I fear, the least among us will be penalized by those with the most for being who they are. Those with bad genes will pay twice as much for health insurance. Have a 20% chance of early Alzheimer's? Sorry, we have to have a termination clause in your insurance at age 55, unless you pay an extra 40% on your premium. Have a 13% chance of diabetes? Without an escrow fund included in your policy we will be unable to offer you protection. Live in Florida with a skin-cancer gene? We cannot process your application.

Those with any seemingly suspicious elements (or flat-out erroneous facts) in their "approved history" rating won't get interviewed for any jobs but the lowest. Ever have a fork lift fall on you, and take a month to heal while getting worker's comp? Sorry, your skills don't match our needs. Ever get busted for a roach in the ashtray? Sorry, we've filled the position from within. Ever live in a poor part of town, have trouble paying your bills, lose a job? We will keep your resume on file in the unlikely event that an opening occurs.

Just Say "Whoa"
Some of my acquaintances have said things like "the cat's out of the bag, we can't put it back." They know that the correlations are too easy, that Mastercard data can be joined with employment and housing history. They believe that we can't stop it.

I disagree, and believe that there are two ways to fight the privacy giveaway bonanza going on right now.

First is the legal--we must have policies in place which make it illegal to provide information on someone without that person's expressed consent. That is, I must sign a release for each instance of a credit check on me, or an employment check, or the like. And we should require that the release be received in writing physically, not digitally and not by fax or page image. If we make it slow and clumsy, it helps; if we make it illegal, it makes it even slower and clumsier. This can only happen with a groundswell of popular outrage about privacy abuses, and calls and letters to congresspeople, and letters to editors, and calls to call-in shows (especially of the Rush Limbaugh variety). One embellishment that could even stand alone would be to require that any report of credit, employment, worker's comp, etc. also be copied to the person being reported on, accompanied by who asked for it.

The second solution seems more arcane, but is potentially more significant. It involves--now don't let your eyes glaze over yet--public-key encryption. This revolutionary coding structure, which now is at the heart of most secure Internet transactions, involves a two-part encoding and decoding sequence, each side of which uses a public key code--one both sides know--and a private key code that only the owner knows. The way this works operationally is seemingly magical mathematics, but the way it works functionally is that nobody intercepting a message can decode it--only the intended recipient can decode it, with their own public and private keys.

Double-Blind Justice
Okay, no more eye-glazing. This approach could easily be used to make a great deal of our own information private, by using encryption systems like this to negate the data correlation capabilities of databases. If I have my social security number on my home mortgage, and my credit report, and my Mastercard application, then it's easy for those three companies to compare notes on me by relating all the data via that social security number. Same thing with driver's license numbers, even addresses.

In an ideal data world, I would have an encrypted identifier with each of those companies. It's as if I had three friends, one who thought I was named Sam, one who thought I was named Michael, and one who thought I was named Paul. I answered to each of the names, when called upon by them, knew each friend well, and had shared experiences over the years with each individually. If my three friends happened to be at a party where they were telling stories, each friend could tell a story about me, but they wouldn't know they were talking about the same guy.

I wouldn't do that with my friends, but I'd sure like to be able to do it with the commercial world. If I gave the okay, then Mastercard could validate my credit with the appropriate mix of public and private keys--they would receive a report on 145-67-8843, who they knew me as. I would use my private key to do the encryption for both sides, and embedded in the message would be a verifier code that showed that the document had not been tampered with.
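
The per-company identifier idea described above, sketched as an added example that is not part of the original column. It swaps in a keyed hash (HMAC-SHA256, Python standard library) for the public/private key pair the column describes; the function names, company labels, secret and sample identifiers are all constructed for illustration.

```python
import hashlib
import hmac
import json

def _derive(secret: bytes, label: str, company: str) -> bytes:
    # Keyed one-way derivation: without `secret`, the outputs for two
    # different companies cannot be related to each other.
    return hmac.new(secret, f"{label}|{company}".encode(), hashlib.sha256).digest()

def pairwise_id(secret: bytes, company: str) -> str:
    """The identifier one company knows the person by (SSN-shaped)."""
    n = int.from_bytes(_derive(secret, "id", company)[:8], "big") % 10**9
    s = f"{n:09d}"
    return f"{s[:3]}-{s[3:5]}-{s[5:]}"

def verify_key(secret: bytes, company: str) -> bytes:
    """Per-company key, given to that company at enrollment (assumption)."""
    return _derive(secret, "verify", company)

def seal_report(secret: bytes, company: str, fields: dict) -> dict:
    """Report released to one company under its identifier, with a verifier code."""
    body = {"subject": pairwise_id(secret, company), "fields": fields}
    msg = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(verify_key(secret, company), msg, hashlib.sha256).hexdigest()
    return {**body, "verifier": tag}

def check_report(key: bytes, report: dict) -> bool:
    """Company side: recompute the verifier code over the received report."""
    body = {"subject": report["subject"], "fields": report["fields"]}
    msg = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, report["verifier"])

def shared_identifiers(*databases: dict) -> set:
    """Identifiers present in every database: what a cross-company join matches on."""
    return set.intersection(*(set(db) for db in databases))

# Constructed sample data: the same person in three companies' records.
SECRET = b"constructed-demo-secret-not-a-real-key"
COMPANIES = ["mortgage", "credit-bureau", "mastercard"]
SSN = "000-00-0000"  # constructed placeholder, not a real number
by_ssn = [{SSN: {"source": c}} for c in COMPANIES]
by_pairwise = [{pairwise_id(SECRET, c): {"source": c}} for c in COMPANIES]
```

Joining `by_ssn` across the three companies finds the person; joining `by_pairwise` finds nothing, while each company can still check a report sealed for its own identifier.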

These tools are available now, though they aren't put to use this way yet. And of course, there's the small issue of the lack of deeply entrenched digital communication--those with the least aren't going to have a pocket communicator or ShoulderMonkey for years. But then, they wouldn't need a communicator--they'd only need to know their private key code when they went to the bank, to the driver's license bureau, to the unemployment office, to the public access computers to access their federally-funded online accounts.

If we don't put into effect some of the solutions outlined above (or some other solution which enacts the same degrees of responsibility), then we're going to be living in Big Brother country--and Big Brother won't be the government, but rather the commercial sector, who will have an ever-growing profile on your purchases, your crimes, your omissions, your foibles, your interests, your debts, your illnesses, even your genetic weaknesses. With this information, they'll say, they can better tailor their advertising, their insurance, their product development, their managed care, their messages, to *you*, thereby serving you better.

I'm frightened by such "service" (unless I ask for it). With great power goes great responsibility, but with the commercial sector, their primary responsibility is to profit. I don't want the profit-making enterprises in this world having that great power--the power to correlate all the facts about me they can rustle up. If we give them that power without restriction--and they already believe that this power is their right--then we will end up giving away our freedom to become whoever we choose to be.
