Since my last blog post, I got distracted and lost interest in my privacy research. Not because my research is boring or unnecessary; I believe privacy is one of our most important rights. It is the right to be left alone, and I really like that idea. No, it’s because the companies I’ve made a subject access request with were very reluctant to provide any details. And the details I did receive were far below my expectations.

I have learned that students from the Kerckhoffs Institute have done similar research (for the Privacy Seminar course) in cooperation with Bits of Freedom, with similar results. They concluded that of the 30 contacted organizations, 60-70% did not respond to the request, and if a company did respond, the response was incorrect or curt. For instance, Trans Link Systems (the organization behind the Dutch transport card) incorrectly stated that they didn’t keep track of any personal information. It’s interesting to see that I’ve received a letter from TLS containing detailed personal and travel information, but more about that later in this post.

Privacy in the news

It is notable that such a relatively small research project becomes news (even in off-season), but it is probable that this was due to the fact that TLS made a mistake. Although this is not a pretty example, privacy is nowadays considered a high(-ish) priority for those living in a knowledge economy. In the past half year, privacy made the news a few more times. When telecom provider KPN stated that deep packet inspection was performed to analyze the behaviour of their customers, it was widely denounced. A new law has since been passed, effectively forbidding such practices in the future. With Google+, Google has respected its users’ need for privacy and has implemented ‘circles’, allowing users to share information only with some specific friends. However, that same Google was recently accused of privacy infringement with its Street View cars mapping Dutch wireless networks.

Recently, the College Bescherming Persoonsgegevens (the governmental organization responsible for enforcing the privacy legislation) announced that it is planning to put a serious fine on uploading CCTV clips of burglars. Many people are outraged, as they see it as their right to put these videos online. I can only imagine the fear of the store owners that had near-death experiences, but it cannot be that anyone gets judged out of court. The police force has the right to put these clips online in the interest of the investigation, but only after proper consideration and approval. And even the police make mistakes; in August 2010, the wrong people were identified as suspects in a stabbing. That is exactly the reason that only a judge may impose any well-considered (including considering cases of self-defense, psychological force majeure, etc.) infringement of any person’s rights, including those of burglars.

The list of privacy-related news continues: TomTom made the news in April when it became public that the company’s satnav systems sent the driving speed of its customers (indirectly) to the police force, which may use it to put speed cameras at the places where speeding is common. And last, but certainly not least, the PlayStation Network was down for almost a month this spring when hackers had attacked the network and obtained the personal information of its 70 million users.

Films

However, all this happened after I started my research. My interest in the matter started in 2008 when Carbon Media made the short film ‘Privacy Matters’. It shows (English subtitles available) how privacy affects our daily lives and what ‘evil’ corporations and governments can do with my and your personal details. My interest has grown even more after seeing VPRO Thema: Wat nou privacy? (Dutch only), which shows the weaknesses in the current information systems (mainly CCTV and other security systems), by pretexting, hacking and ignorance.

The idea to perform my research comes almost directly from the documentary Erasing David, in which David tries to avoid getting caught by some private detectives. He has done exactly the same thing as me with 80 organizations, and what he received back is quite interesting. The entire film is interesting though, as it also shows how ‘privacy’ existed with the Stasi in the authoritarian post-WWII surveillance state DDR and what would happen if you get really anxious about your privacy. If you have the time and are interested in your privacy (I hope you are), I can recommend watching all three films.

Subject access requests

After publishing my first and second privacy-related posts, I’ve received numerous replies and comments from people interested in the progress and outcome of the research. However, I guess people forgot or lost interest, as I haven’t heard about it for over two months. I especially blame myself, because I haven’t hushed it up, but I do think it is typical that privacy is so easily forgotten. I guess it is considered so common that it is only notable when it isn’t there.

My research went further than writing to companies and requesting information based on Article 35: I did not include a copy of my passport to see whether they would ask me for one. I’m satisfied that I did not receive much information without proper identification. I’ve received some phone calls, was asked to identify myself several times and have sent out a dozen or so copies of my passport.

Since my last post, I’ve sent some additional letters to the non-responding organizations. The Dienst Uitvoering Onderwijs (Dutch student administration) finally responded and asked me to reply with a copy of my passport. I haven’t yet received a response to that.

The Dutch tax services have responded with an invitation to their office, where I was shown how their systems are linked together. In the two-hour crash course, I’ve learned that they have a wealth of information, including my current wages, my rent, debts (if I had any), home situation, etc. I really like their approach of letting me understand how they gather information.

TLS, the operator of the Dutch public transport card, responded to me with a list of all my transactions, including those that are not visible online, and my personal information. It did take some time to gather this information (5 months), but I did receive it. Google responded mentioning their online overview, and TNT responded that they do not keep track of information regarding track and trace numbers (it is only kept for a limited time). The NS has me on file as ‘Broenink, jr’ and was the only one that mentioned that the request I sent was on file at the time of response.

Vodafone sent me a shallow copy of their file, with a list of all transactions, but did not list all my telephone calls. The ING revised their response, and now includes my credit card and car insurance. My municipality finally responded with an almost complete printout of the Dutch central administration (GBA). Finally, I’ve received a phone call from KPN, telling me that the information they have on file about me (which was denied in a letter) was only for historical purposes and was kept on file for a total of about 2 years.

Unfortunately, my primary school and my employer failed to respond to my second request. T-Mobile did not respond either. Communicating with the ANWB (Dutch AA) and Albert Heijn (supermarket) was difficult and I haven’t had the time to complete my request.

The numbers

After some correspondence, of the 33 organizations I’ve done a subject access request with, most responded to the first or second letter. About 70% have responded with my details or had some kind of procedure to follow, which is more than double the amount the research of the Kerckhoffs Institute concluded. I haven’t paid a penny for the requests, apart from the 4 dozen postage stamps. The total weight I received via mail is about 1 kilogram and this does not include five phone calls and a dozen emails.

The information I received is not striking in any way. I haven’t received any files that conclude that I “was angry at date X”, as David received in ‘Erasing David’. It’s a bit disappointing for this research, but it is good to see that Dutch organizations haven’t gone as far as the British. However, I might as well have concluded that I’ve written to the wrong companies, I’m not interesting or the organizations I wrote to didn’t respond truthfully. I do know that there are many more databases which contain my entries and only time will tell what is in those databases.

Conclusion

We might not realize what privacy means to us. In the documentary of the VPRO (at the end), a man answers that he’d rather have a camera watching through his windows than a pole in his view. Earlier in the film, a woman complains about the yellow sign, but sees no harm in the CCTV. It seems that we want to be safer, at the cost of our privacy. There’s no reason why obsessive monitoring of all our behaviour, online and offline, would make us more secure; it’s dangerous to collect all this data, since that is exactly what can be used against us, by attackers but also by the government, as the Kowsoleea case illustrates. We might be safer in a physical way, but identity theft is rising to become the number one crime. Can we trust our databases? Do we trust the people that have access to these databases? And aren’t we (physically) safe without all those extended security measures and isn’t the government using terrorism as an excuse to monitor our daily lives?

The public’s point of view has changed with regard to our privacy. In 1994, an obligation to carry identification papers was introduced. This met with great resistance from the Dutch population. However, when ten years later the same law was extended to require everyone aged 14 or older to be able to identify themselves, it was widely accepted as this would supposedly help the war against terrorism.

My privacy research is done, for now. I’m still interested in privacy and will probably take the Privacy Seminar course in the next year, and you may hear from me again when some privacy-related news makes it to the press. I’m particularly interested in the plans of the current Dutch government, wanting to make The Netherlands ‘safer’, probably at the cost of our privacy and probably with some changes to the Wet bescherming persoonsgegevens.

Until then, please keep your personal details safe and don’t share everything on social networks or with any organization. Be careful with what you share and with whom. It’s nonsense that you don’t have anything to hide. Privacy is important and you still have some. Don’t lose the right to be left alone.

All sources are linked in the article, come from my own research or are my own opinion. In case you have specific questions about my research, including the responses I received, I’m happy to provide you with more details. You can reply below, via Twitter (@ralphje) or via email.