CCTV - how much privacy do we have? Copyrighted image Credit: photos.com

Privacy and surveillance
People typically think of privacy in terms of the separation of information from public interest: indeed, the Concise Oxford Dictionary defines privacy as ‘keeping some things withdrawn from interest by the public, being undisturbed, or avoiding publicity’.

The flip side of privacy is surveillance. For most of us, the word conjures up the nightmare world of George Orwell’s novel 1984, in which an all-powerful state spies relentlessly on its citizens and uses the information it gains to force conformity. Indeed, the term surveillance implies not merely observing someone, but doing so in order to influence, manage or control their behaviour.

Orwell and the sociologist Max Weber (who theorised about the technical efficiency and rational superiority of bureaucracy) together constitute one major theory of surveillance. That is, ‘Big Brother’ or classical surveillance by a monolithic, ruthlessly efficient, state of its citizens in order to control political or public behaviour (or private behaviour where this may jeopardise the objectives of the state). However, it is useful to look at another theory of surveillance.

This is Michel Foucault’s notion of the panopticon, again based on a notion of surveillance as centrally controlled and coordinated, but not necessarily as a function of the state bureaucracy. Where Weber/Orwell see surveillance as an imposed and coercive adjunct to policing, Foucault contends that it means that the observed actually police themselves.

Michel Foucault’s panopticism has been characterised as:

  • embedded, or pervasively present surveillance (every action is visible and potentially observed);
  • asymmetric: the observer can see the observed individual; the observed individual cannot see the observer (so the observer has a form of power over the observed);
  • the observed individual is isolated, physically or socially, from other observed individuals;
  • surveillance is automatic and ubiquitous.

Furthermore, the panopticon concept embodies a self-policing system in which the individual does not know from one moment to the next whether he or she is being observed. Therefore the individual must constantly comply because, if he or she slips for a moment, that may be the moment in which he or she is judged.

A prime example of Foucault’s panopticism is the CCTV video surveillance used extensively in the UK in public spaces:

  • you know you may be watched but you can’t see who is watching you;
  • CCTV is virtually ubiquitous in public places;
  • you may modify your behaviour lest you be observed ‘misbehaving’;
  • observers are more likely to take an interest in young men dressed in a certain manner, or members of certain ethnic minorities;

CCTV is a capital-intensive means of surveillance: the UK government spent £250 million installing public-space CCTV systems between 1992 and 2002. In the years between 1994 and 1997 this expenditure represented 78 per cent of the Home Office crime prevention budget
Studies indicate that CCTV may not be as influential in lowering crime as is sometimes imagined. It may merely displace crime – move it to a less-observed area – change it from one type to another, or cause a temporary diminution. There is some evidence that it works best in car parks, but this may be because of other factors that change at the same time CCTV is installed: such as improved levels of lighting.

What might be known about us
The storage and use of personal data is controlled in the UK by the Data Protection Act, 1988. Telemarketing, direct mail and internet marketing raise concern because of the power of computers to store and manipulate vast amounts of personal data, but collecting data of any sort involves ethical issues of privacy.

UK data protection law protects the rights of individuals to:

  • view data stored on them
  • correct any mistakes in it
  • prevent it being used for marketing purposes should they so desire

The words of the UK legislation state that information needs to be ‘fairly processed’ – for example it cannot be collected covertly on individuals. All data controllers (individuals in organisations who collect, store and manipulate personal data) need to be registered with the Information Commissioner.

There are many things about us, which in the past were more ‘private’. For instance, in a largely cash economy, what one bought or sold would only be known to those who witnessed the sale or, at worst, would be stored on paper records such as bills of sale or invoices.
Writing and storing these was laborious. Thus they rarely recorded more than a brief description of the item and its price.

Now we depend upon third parties, whom we may not even be aware of, to record such things:

  • the credit card company
  • the bank
  • the seller’s company

The data is collected by, and passes through, many anonymous hands. Any of these organisations will hold considerably more information than was the case in the pre-digital past.

For instance, a credit card company will record details of your purchases, know the method you use to pay, how much you owe and to whom (including ‘loans’ made from the credit card itself). They know a lot about your credit history, including who employs you, what your income is, and so on.

In the author’s case these organisations are:

  • Two credit card companies: they know my credit history, bank (as I pay by direct debit), movements (from purchase records), and purchases.
  • A department store (store card): it knows the same as above – but limited to one department store chain.
  • The DVLA: it knows my date of birth, when I passed my driving test, current address and about any endorsements for violations of the highway code within the past 10 years. It also knows the make, model, year and number plate of the car I own and whether I own it outright or not.
  • Employer: they know my date of birth, education, marital status, age, current address, salary, tax code, tax office, National Insurance number.
  • Bank: it knows the balances in all my accounts, banking transactions (including direct debits and standing orders), current address, banking history over the last 23 years, balances owing on any loans from them.
  • Insurance companies: as above, plus claims history and, for my home contents insurance, that I possess some items which are separately insured (computing equipment, for instance).
  • Web shopping sites: as above, plus records of past purchases, which they examine to see what my preferences are.
  • Doctor’s surgery: name, gender, marital status, age, address, health history and health records going back over more than 20 years, prescriptions, known allergies.

Cookies: not necessarily a treat
A 2003 study carried out by the University of Pennsylvania is the first to:

‘provide evidence that the overwhelming majority of US adults who use the internet at home have no information about data flows – the invisible, cutting edge techniques whereby online organizations extract, manipulate, append, profile and share information about them’

While the study was limited to American behaviour, it is relatively safe to assume that the same is broadly true in the UK.

‘Data flow’ refers to the gathering of information from different sources, combining, manipulating and (often) passing it on to others, usually in the interests of commercial activities. Much of the data flow activity begins when online companies obtain names and email addresses of people who visit their websites. This is then associated with a cookie that records various activities that the user carries out online during that and subsequent sessions.

DoubleClick’s website, for example, offers the following services to its customers through its SiteAdvance product’s customer segmentation module:

  • analysis of how recently visits have been; how frequently the site is visited and the monetary value of sales to different customer segments;
  • which segments of visitors become customers and which segments of customers become repeat customers;
  • demographic information about website visitors (such as whether they are located near to or far from a retail shop, their geographic location, and whether they are web surfing at work or at home).

By expanding this capability with technologies such as web bugs, spyware, chat-room analysis and data garnered from an individual’s transactions with databases, it becomes possible to follow an individual’s email and keyboard activities.

All these examples indicate that much more is known about us than we might expect – or wish.

This article is based on extracts taken from The Open University Business School courses Data Computing and Information (M150) and Winning Resources and Support (B624).