The privacy versus safety debate examines the wrong dilemma,
according to Geoff Ebbs.
Numerous podcasts and current affairs programs have raised privacy concerns this week around track and trace software proposed by the Australian government. They generally framed the debate with safety as one horn of the dilemma and privacy as the other. The question is most regularly posed in the form, “How much privacy we are prepared to sacrifice to obtain the safety offered by the track and trace application proposed by the Australian government?”
Privacy is threatened
This article does not seek to devalue privacy concerns.
There is no doubt that governments have aggressively adopted surveillance and centralisation of data to strengthen their power over the population. Although essentially a democrat rather than an anarchist, I have a great deal of sympathy for Proudhon’s view that “To be GOVERNED is to be at every operation, at every transaction noted, registered, counted, taxed, stamped, measured, numbered, assessed, licensed, authorized, admonished, prevented, forbidden, reformed, corrected, punished.”
Despite the High Court ruling last week that the Australian Federal Police used an illegal warrant to enter the home of journalist Annika Smethurst, it made no ruling to prevent the police from keeping the data they had illegally gained. It is beyond irony that the AFP used illegal means to shut down a journalistic investigation into spying on Australian citizens by the Australian Signals Directorate. The story involves layers of abuse by government agencies carrying out surveillance on citizens.
So, concerns about privacy are completely legitimate. The problem emerges in the assumption that there is an inverse relationship between privacy and safety: that there is a direct trade-off, and that we must choose how far to push the slider along a spectrum between full privacy at one end and full safety at the other.
A thought experiment
Without going into the deeper technical details of the various approaches being proposed to track and trace, we can carry out a simple thought experiment comparing two possible and radically different approaches to the end goal of tracking and tracing.
One approach, commonly called the Bluetooth approach, is to provide a unique ID to each citizen and then to record, in your phone, which other citizens you have spent more than 15 minutes with. The other approach is commonly referred to as the GPS approach: it maps your location over time, making it possible to identify who you were near at any given time over a certain period.
The Bluetooth approach is considered superior for a number of reasons, and a version of it has been selected by the Australian government. The most widely discussed reason is the better accuracy of the system. The GPS data is easily confused when people are in the same building, but not near to each other, for example. The Bluetooth method ensures you are close enough to share a signal, which roughly equates to breathing the same air.
There is a fundamental difference in the nature of the data and the world model involved. This is really important, if a little abstract.
The Bluetooth model, at its simplest, stores a list of the IDs you have shared space with for more than 15 minutes. It requires a date to be stored along with each ID so that you can eliminate people you shared space with outside the incubation period of the virus. Other than that, nothing else is required. So, when you are found to have COVID-19, i.e. you test positive for the virus named SARS-CoV-2, you supply the list of IDs you have had contact with to the government and they are duly notified. That’s it.
The model of the world maintained by this method is a record of interactions. If that were fully shared, we could build a day-by-day account of who was with whom, which may be useful for lots of reasons, especially if combined with other data, but in itself it need not constitute surveillance of a particularly invasive kind. It also requires a relatively small amount of data: 1 billion people, each recording a couple of hundred interactions a day, with two numbers for each interaction, the ID and the date. That is two hundred billion numbers a day, roughly a trillion numbers a week.
The GPS model, on the other hand, records the location of every individual on a map of the world at some time interval, say every minute. This necessarily has to be centrally stored, because the amount of data required to record your location like this would swamp many people’s phones. The result is that your every move is available to the data holder, and everyone who has access to it, for as long as it is stored. The amount of data required is phenomenal. Every person requires at least two numbers to identify which of the 149 million, million square metres of the earth’s land surface that they occupy and another number (or, more usually, pair of numbers) to identify which minute of which day that space is occupied.
Tracking the same billion people requires (1,000,000,000 * 4 * 86,000) = 346 thousand trillion numbers per day, or roughly one and a half million trillion numbers a week. That requires one million times the storage of the alternative.
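To make the Bluetooth data model concrete, here is an added example (not code from the article or from any government app) of the minimal per-phone store it describes: each record holds only a contact’s ID and the date, an encounter is kept only if it exceeds the 15-minute threshold, records older than the incubation window are pruned, and the report handed over on a positive test is simply the surviving list of IDs. The 14-day window, the `ID-A`/`ID-B`/`ID-C` identifiers and the dates are constructed for the example; the article names no incubation figure.

```python
"""Minimal model of the 'Bluetooth' contact store (added example).

Only a contact's ID and the date of the encounter are kept: no location,
no time of day. That is the whole of the stored world model.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

MIN_CONTACT_MINUTES = 15   # threshold stated in the article
INCUBATION_DAYS = 14       # assumed retention window; the article gives no figure


@dataclass(frozen=True)
class Encounter:
    """One stored record: who, and on which day. Nothing else."""
    other_id: str
    day: date


class EncounterLog:
    """Per-phone store of qualifying encounters, trimmed to the incubation window."""

    def __init__(self) -> None:
        self._encounters: set[Encounter] = set()

    def record(self, other_id: str, day: date, minutes_together: int) -> bool:
        """Store the encounter only if it lasted more than the contact threshold."""
        if minutes_together <= MIN_CONTACT_MINUTES:
            return False
        self._encounters.add(Encounter(other_id, day))
        return True

    def prune(self, today: date) -> int:
        """Drop encounters older than the incubation window; return how many went."""
        cutoff = today - timedelta(days=INCUBATION_DAYS)
        stale = {e for e in self._encounters if e.day < cutoff}
        self._encounters -= stale
        return len(stale)

    def report(self, today: date) -> list[str]:
        """The list handed over on a positive test: IDs of contacts inside the window."""
        self.prune(today)
        return sorted({e.other_id for e in self._encounters})

    def __len__(self) -> int:
        return len(self._encounters)


def demo() -> list[str]:
    """Constructed scenario: one kept contact, one too short, one too old."""
    today = date(2020, 4, 20)                                 # constructed date
    log = EncounterLog()
    log.record("ID-A", today - timedelta(days=1), 25)         # kept
    log.record("ID-B", today, 10)                             # below threshold, never stored
    log.record("ID-C", today - timedelta(days=30), 60)        # stored, then pruned as stale
    return log.report(today)


if __name__ == "__main__":
    print(demo())
```

The point of the example is what is absent: there is no field in `Encounter` for a coordinate or a minute of the day, so no journey can be reconstructed from the store even if it were fully exfiltrated, which is the separation of tracing from surveillance the article argues for.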
There is little wonder that the Morrison government has opted for the Bluetooth model.
The purpose of this analysis is not to confirm the wisdom of the Morrison government’s decision, indeed they may not implement the simple and benign solution outlined above, but to identify the different dimensions involved in building such solutions and the relationships between the social, political and technical aspects of those solutions.
Extracting some principles
The simplest Bluetooth approach offers a solution that reduces the quantity of data by a factor of one million, that is, six orders of magnitude. The elegance of that approach seems inherently valuable just because of these data savings. It also provides a much less intrusive data model by focusing on the data required to achieve the specific outcome.
In this case, the desire to identify who might infect whom requires us only to record the encounter, not its location or time of day. Recording the encounter obviates the need to map any individual’s journey. The improved requirements analysis shrinks the problem significantly.
The preference for simple solutions is generally captured by technologists under the heading of elegance. The value of elegance in programming has similarities to the core principle of Occam’s Razor, “Entities should not be multiplied without necessity,” or in modern business English, “Keep It Simple, Stupid.”
Similar logic applies to the concerns expressed over the nature of targeted advertising in late 2019. Scott Morrison insisted that Google and Facebook provide data on who had been shown what advertisements. They resisted on the basis that it would be impossible. You only have to think for a moment about the amount of data storage that such an endeavour would require to realise that it is inordinately easy to imagine systems that generate more data than it is possible to process. I have crashed more than a few computer systems in my time with such infinitely expansionary code.
One thing that results from the simple, elegant solution of capturing only the IDs of those in close contact is that it separates the requirement for tracking and tracing from any external surveillance concerns. The important thing in this case is that it removes any purported relationship between privacy and safety.
The bigger picture
Some artificial intelligence systems apply similar simplification to resolving navigation problems. I studied an introduction to robotics with Professor Agris Nikitenko at Riga Technical University in Latvia. His team has produced world champion sumo robots using AI sensors that predict the movements of their opponents.
He told me that the research they are carrying out mimics the sonar systems of bats and other biological navigation techniques. He said that one of the key findings was to lose the notion that they had to build a map of the world and then identify their place in it. “That is a very modern rationalist approach to the world,” he said. “We can build far more effective solutions just by recognising what is a door or, more generally, what is a possible entrance or exit, rather than trying to build an entire map.”
The general approach of modern AI, to simply identify successful results in masses of data rather than trying to construct a system of meaning (or map) of how that data might hang together, is at the basis of many systems we use every day. Recommendations of music, entertainment and consumer goods that we might like, route mapping across cities, risk assessments by insurance companies and banks: all these use AI that develops solutions from the bottom-up examination of detail rather than the top-down application of meaning.
Our understanding of virology and the development of vaccines has moved in a similar direction, from the development and testing of hypotheses to the generation and testing of models based on large data sets.
This mimics the random nature of evolution. It is always tempting to anthropomorphise evolution by attributing intention to specific genes. The truth is that quite complex behaviours can be generated and explained by relatively simple variations in the base coding. The behaviour of an ant colony, for example, can be explained with eleven rules or fewer, including simple things like “put waste far away from food.” That covers quite complex social behaviours such as “older, established ant nests are more mellow than younger ones, which need to be more aggressive to establish their basic infrastructure.”
Technical co-founder of Sun Microsystems, Bill Joy, once explained the notion of the company’s slogan “the network is the computer” to me by describing “the ballet of the network” as data flowed between people. He said we have moved beyond the Information Age to the Participation Age. His view was that the network is the wiring for the organism that is civilisation.
In The Selfish Gene, Richard Dawkins proposed the concept of a meme as conveying “the idea of a unit of cultural transmission, or a unit of imitation,” in a similar way that a gene provides a physiological unit of transmission.
In 1992 I wrote in PC Week that the concept of Gaia, that the planet is an organism, meets Dawkins’ concept of the meme and Joy’s concept of the network in the idea that computer code is the DNA of civilisation, in the same way that ancient bacteria exist as individual entities in their original habitat and also as enzymes in our digestive tract. Just as we humans are meta-organisms containing the evolutionary history of the cells from which we are built, so are we nodes in the network which is the organism of the future.
Architect, philosopher and accidental grandfather of modular programming, Christopher Alexander addressed the 1996 convention of object-oriented programmers (OOPSLA) in San Jose with a challenge. His recognition as a founder of object-oriented programming was based on its use of his modular combination of patterns in architecture to create “good buildings.” He noted that his life’s work had been to identify what was morally good in architecture and what was amoral or worse. His challenge to the 1996 conference was that while they had adopted his approaches to generate efficient, fast and elegant code, there had been no attempt to build a moral framework into the code itself.
“What I am proposing here is a view of programming as the natural genetic infrastructure of a living world which you/we are capable of creating, managing, making available, and which could then have the result that a living structure in our towns, houses, work places, cities, becomes an attainable thing.”
In the discussion of how we best design and manage the computer systems that increasingly dominate our lives, we need to keep a very clear head about exactly what it is we are doing.