TedX Bay Area Talk: The Myth of Selective Sharing – Digital Health Futures: Empowerment or coercion?

I spoke about my concerns with the continued belief in selective sharing.  I argue at this TedX Bay Area talk that it is unwise to expect that digital information systems are capable of privacy or selective sharing.  In other words, it is a dangerous myth to believe in a feature that in practice fails regularly and by design.  In fact, it seems that it is practically impossible to create any digital information system that is secure.

In such a world we may want to reconsider our sharing practices, particularly if they were built on the idea of selective sharing.  If any of your digital information is something you would rather not share publicly, you may want to rethink the idea that you can keep your information private.

If you are building an information system, you may want to rethink the idea that you can offer selective sharing in a reliable form.

Thanks to the folks at TedX Bay Area, particularly Tatyana Kanzaveli for the opportunity to work out these thoughts and share them.

Here are the slides that were used in the talk:

The Myth of Selective Sharing: Why all bits will eventually be public (or be destroyed)

One Way

Bits exist along a gradient from private to public.  But in practice they only move in one direction.

Thus, there are two destinies for information: public or oblivion.

Information wants to be copied.

This is not the same as information wanting to be free (or expensive), or information wanting *you* to be free.  Information probably prefers to be free because it may increase the rate at which it is copied, not because it is inherently liberating to the user.  In fact, the “free” quality of some information is probably not liberating at all.  Copying and liberty are orthogonal.

Information diffuses over time: access rights to information can expand over time, but only rarely (ever?) does data become less available, and once available publicly, information is almost never entirely private again.

With enough copies on enough devices, information becomes essentially public. The state of being public may come in degrees; some things are more public than others.  Much information is public in principle but enjoys security by obscurity. Obscurity is eroded by the increasing availability of computing resources that make collection and machine analysis affordable at large scales.  The banality of data is no protection.  “No one cares what I think/do/say/click” is not a valid assumption.  In aggregate the banal is data and fuel to many business models.  Maybe no one *cares* what you tweet, click, buy or search for, but many businesses make it their business to aggregate these scattered faint signals and build detailed profiles to drive commerce and customized views of data.

Some information is destroyed, never to be recovered.  This is the only way information can avoid eventually (potentially) becoming public. But less and less data now meets this fate.  Delete is a declining feature of many systems.

Information that is not public and has not yet been destroyed is just waiting to change to either state.

Despite security systems, many private bits are eventually exposed by people passing material to someone else who then accidentally makes them public, or they do so unintentionally themselves by leaving files in publicly accessible locations that are visited by search engine spiders and other web crawlers.  Even professionally managed private data repositories are subject to subsequent distribution, infiltration or error. Data spills are becoming more common. Billions of records are hemorrhaged into the public regularly.  If well-funded organizations cannot secure their information, the rest of us should take note.

It may not be possible for big organizations, or any organization, to secure their networks, or even to do so effectively enough to give users a practical period of privacy, however short.  Eventually private bits, even when encrypted (no matter how well), become public because the march of computing power makes their encryption increasingly trivial to break and their exchange over networks (no matter how well secured) is subject to leaking, intentional and otherwise.  Private bits may only have a “half-life” during which they retain their non-public existence.  The length of this half-life may itself be getting shorter.  Mary Branscome suggests that there could be a physical law in operation: the natural entropy of access control lists?

All bits that persist are destined to be public, and once public never to be private again. Unless they are destroyed.

I argue that the only bits that you cannot find are the ones you need right now. The only bits you cannot get rid of are the ones that are most embarrassing to you right now.  Just because you cannot find the bits you want does not mean that no one else can find those bits.

All your bits are belong to us.

This issue is getting more important as we are invited to use systems that promise selective sharing of data and other tools generate ever more data to potentially share.  Anything that puts your bits into the cloud promises selective sharing.  I believe and hope my much beloved Dropbox account is separate from all the others, except for the ones I chose to share with. And I think it is, except for that glitch they had, the details of which elude me (but I think we’re good now, and I so depend on Dropbox I do not know what I would do without it). But all these walls are just made out of a few lines of business logic and an Access Control List. ACLs rule our access to digital objects with an iron fist until they don’t, for the many human and technical reasons mentioned.  Like most human infrastructures these selective sharing mechanisms are subject to failure and attack.
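The “few lines of business logic and an Access Control List” above, and the one-way movement of bits described earlier, as an added illustration that is not part of the talk or its slides: a toy ACL in Python in which every name, the `anyone` sentinel principal and the audit function are constructed for this example. It puts a fail-open permission check beside its fail-closed form, and it records the set of principals an object has ever been readable by, a set that only grows even when grants are later revoked.

```python
"""Toy access-control list (constructed illustration, not code from the talk).

Two things it shows: a fail-open business-logic check beside its fail-closed
form, and that the set of principals an object was ever exposed to only grows,
even when the ACL itself shrinks."""
from dataclasses import dataclass, field

# Constructed sentinel principal: granting read access to it is the
# "anyone with the link" / public setting found in many sharing tools.
ANYONE = "anyone"


@dataclass
class SharedObject:
    name: str
    owner: str
    acl: set = field(default_factory=set)         # principals currently granted read
    exposed_to: set = field(default_factory=set)  # everyone ever granted read; never shrinks

    def share_with(self, principal: str) -> None:
        """Grant read access. Exposure is recorded permanently: a reader may
        already have copied the bits before any later revocation."""
        self.acl.add(principal)
        self.exposed_to.add(principal)

    def revoke(self, principal: str) -> None:
        """Remove a current grant. Deliberately leaves exposed_to alone:
        revocation changes future access, not what was already seen."""
        self.acl.discard(principal)


def can_read_fail_open(obj: SharedObject, principal: str) -> bool:
    """The buggy 'few lines of business logic': access is only refused when an
    ACL exists and excludes the caller, so an object with an empty ACL
    (e.g. one whose sharing settings were never saved) is readable by anyone."""
    if principal == obj.owner:
        return True
    if obj.acl and principal not in obj.acl and ANYONE not in obj.acl:
        return False
    return True


def can_read_fail_closed(obj: SharedObject, principal: str) -> bool:
    """Default deny: the caller must be the owner or hold an explicit grant,
    or the object must currently be shared with ANYONE."""
    return (
        principal == obj.owner
        or principal in obj.acl
        or ANYONE in obj.acl
    )


def is_effectively_public(obj: SharedObject) -> bool:
    """True once the object has ever been shared with ANYONE; revoking that
    grant later does not make it private again."""
    return ANYONE in obj.exposed_to


def exposure_audit(obj: SharedObject) -> dict:
    """Summary a defender would want: current readers versus everyone who has
    ever been able to read, and whether the object has crossed into public."""
    return {
        "name": obj.name,
        "current_readers": sorted(obj.acl),
        "ever_exposed_to": sorted(obj.exposed_to),
        "effectively_public": is_effectively_public(obj),
    }


if __name__ == "__main__":
    doc = SharedObject("tax-return.pdf", owner="alice")
    print("fail-open lets bob read an unshared file:",
          can_read_fail_open(doc, "bob"))        # the bug: True
    print("fail-closed denies bob:",
          not can_read_fail_closed(doc, "bob"))  # True
    doc.share_with("bob")
    doc.revoke("bob")
    doc.share_with(ANYONE)
    doc.revoke(ANYONE)
    print(exposure_audit(doc))
```

The difference between `acl` and `exposed_to` is the whole point: the ACL is what the service enforces from now on, while `exposed_to` is what a reviewer should assume has already been copied. A sharing tool shows you the first set; the talk argues you should reason about the second.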

Now new sources of data captured from the details of everyday life by sensors and services are increasingly recorded by external systems and by people themselves, generating new streams of archival material that is richer than all but the most obsessively observed biographies.

Many organizations are adopting social media and creating data sets that can map their internal social network structure as an accidental by-product of their communication practices.  Studying these data sets is a focus of growing interest.  Research projects like SenseCam are now becoming products, and existing services like MingleSticks, Poken, FourSquare, and Google Latitude already deliver many of these features. Devices like the iPhone and Android phones are weaving location information into every application.

Some steps are still in progress: when my phone notices your phone, a new set of mobile social software applications becomes possible as whole populations capture data about other people as they beacon their identities to one another. Additional sensors will collect ever more medical data with the intent of improving our health and safety, as early adopters in the “Quantified Self” movement make clear.

But the consequences of data diffusion are becoming difficult to predict.  Social media systems are being linked to one another to enable cascades of events to be triggered from a single message as status updates are passed among Facebook, LinkedIn, Twitter, and blogs.  Tools now automatically aggregate the results of searches and post articles that themselves may trigger other events.  Taking a photo or updating a status message can now set off a series of unpredictable events.

Add potential improvements in audio and facial recognition and a new world of continuous observation and publication emerges.  Some benefits, like those displayed by the Google Flu tracking system, illustrate the potential for insight from aggregated sensor data.  More exploitative applications are also likely.

The result will be lives that are more publicly displayed than ever before.  The collapse of roles (“lowest common denominator culture”) described by Bernie Hogan (listen starting in about 40 minutes – but the entire talk is good and worth a listen) as described by the sociologist Erving Goffman may be one consequence: we are interacting with everyone when we interact with anyone.  Secret shared meanings may still be possible — but selectively shared bits are not, at least not very reliably so in the short term and almost certainly not in the medium term.

Therefore, all services that promote the idea of “selective sharing” are selling a myth.  The more you trust that information you generate can be contained, the more potential there is for an “explosive decompression” as data intended for an individual or a small group becomes suddenly available to a large group or a complete population. Private bits are in a state of high potential energy, always poised to become public.

Engineering is the science, art and practice of containing and directing forces. Information system engineers might be up to the challenge of delivering selective sharing.  And when combined with law, regulation and social practices, technology could make selective sharing real the way that engineers manage the powerful but dangerous flow of high pressure steam through power plants.  However, recently even high pressure steam engineers working with nuclear fuels have faced some very bad failure conditions beyond their predicted scope.  Information technologists may face analogous issues when managing high pressure containers of selectively shared information.

My policy is not to give up all forms of privacy; I still keep my email and other data behind passwords that I do not (knowingly) share.  I share lots of pictures on flickr but not all of them are public.  I would prefer to keep lots of financial, medical, and personal stuff selectively shared.  I’d like these features to work.

But I have started to understand that my data is likely to be open to others, if not now then some day — and probably sooner than I expect. The net/cloud holds a good sized and growing chunk of my digital life and I would like selective sharing features (if I could handle the cognitive tax of managing them).  I just do not believe it is a reasonable expectation.  In a world of increasing interconnection and unifying name and search spaces, data may not be something you can keep local for long.

Tools that suggest that we can reliably segregate content and limit its diffusion are suggesting that water does not roll downhill.  Those who believe that are likely to get wet.

Video: The Social Life of Small Urban Spaces

Harry Brignull, a User Experience Consultant, recently mentioned this on the Anthrodesign email list:

This is one of the great works of empirical sociology: using a time lapse camera (and an analog clock) to study the flow of people over time through several spaces in New York City in the 1970s.

The associated books, City: Rediscovering the Center and the Social Life of Small Urban Spaces are masterpieces in the study of social interaction in specific locations.

Social Life of Small Urban Spaces

The larger related work, City, ranges more widely to include sidewalks and the struggle between pedestrians seeking seating and property owners who want them to roost elsewhere.

City: Rediscovering the Center