elevenM’s Tessa Loftus on the experience of technology solutions that are actually privacy intrusions in our everyday life.
Last week, I needed to take my daughter for an early morning urgent medical appointment in Rhodes. My initial delight at easily finding a park quickly turned to consternation when it seemed that the only option to pay for my parking — on a public street — was to download an app.[1]
As anyone who’s ever needed to get to a specialist appointment on time (i.e., everybody) would know, you don’t have the luxury of being late. So, my options seemed to be: download the app without reading the privacy policy, do not download the app and risk a parking fine or find alternative parking.
Despite being a privacy professional, I did as most people would do and downloaded the app, which immediately asked to access my motion and fitness activity (why?), and to send me push notifications. For the app to work, I was required to provide my full name, email, phone number, credit card details and access to my real time location data. This gave the options of once only, only while using the app, or, again oddly, always.
Even if I’d had time to read the privacy policy (which I didn’t in view of our looming appointment), there was no privacy policy linked in the app store, and the page entitled ‘App Privacy’ was blank.
As we noted in our recent blog on the consent catch-22, “Information privacy is often defined in terms of individual control — the ability to determine for yourself when others may collect and how they may use your information.” But moving basic services into privately-operated technological solutions and making them ‘accept or don’t use’ undermines the basic notion of consent. If my options are ‘not parking in this suburb’ or providing my name, email, phone, credit card and real time location to an organisation that doesn’t provide a privacy policy in its app, that is not a real choice, nor is it genuine consent.
Further, where personal information must be provided to use public facilities or to access government services, there is no possibility of a valid ‘consent’ to data processing. I should not have to give up my information to sit on a public bench or park in a public space.
Needless to say, I deleted the app when I left my park. But how do I divorce myself entirely from this app? While deleting the app stops it accessing my location data, it is unlikely that it deletes my data from the database. So now I have to trust in perpetuity that the app developer is protecting my full name, email, phone number, credit card details and location data.
There are simply too many situations where unnecessary collection of information has been slipped into everyday life without people noticing. It is easy to see why a local council and frequent parkers would value the convenience of an app like this, which offers remote extensions of time and linking to a credit card for repeat payments. But what if I don’t want to share my profile with a company I don’t know (or haven’t had time to investigate), or I just want to remain anonymous? What if I am a person who is only thinking about getting where I’m going, and not about digital risk while I’m parking my car, which causes me to make a decision that later causes me harm?
We should all know by now that with innovation and digital convenience come new risks. And it should not be incumbent on consumers to navigate those new risks (especially when they’re under pressure), but rather to be able to trust the system knowing that the rules of participation for data collectors require that people and our social values are protected.
As organisations – both business and government – increasingly look to technology for solutions to the ‘everyday’ we need to ensure that they meet baseline protections. I feel entirely comfortable in buying the cheapest available car seat for my child, because I know that Australia has strong product safety laws and that someone with more expertise than myself has checked that we will be kept safe.
If I must download an app to park my car, the starting assumptions should include data minimisation, strict use limitation and high standards of security. It should not be used as an opportunity to track and monitor me under the fictional guise of consent. I should be able to feel confident that, even if I do not understand the privacy policy, someone who does has ensured that my welfare is protected.
[1]The Canada Bay council website indicates that app-area parking also offers regular parking meters. However this option wasn’t conspicuous to me – the parking sign said ‘phone ticket’, it was underneath a larger sign saying ‘app-name parking area’, and no parking meter was obvious in the vicinity.
Photo by Anne Nygård on Unsplash