Jacques Mattheij

Technology, Coding and Business

If you've got nothing to hide...

The Past

Since 1851 Amsterdam had a registry that recorded the following innocent pieces of data about the residents: Name, Date of birth, Address, Marital Status, Parents, Profession, Religion, Previous Addresses and Date of Death if deceased. For many years this system served well and was kept meticulously up to date.

Which undoubtedly well meaning civil servant long before World War II came up with the brilliant idea of registering religious affiliation during the census is lost in the mists of time. What we do know is that that little field caused untold thousands of people to die once the occupiers decided to use it to locate Jewish people. And there were many of those in Amsterdam, which was home to roughly 80,000 Jews (Dutch) of the total of about 104,000 in all of the Netherlands at the outbreak of the war. 70,000 of them had their data entered into the Amsterdam registry.

Once the civil registry was in the hands of the enemy the extermination program for Amsterdam based Jews (those that had not fled) moved into high gear and street after street was raided. Entire neighbourhoods stood empty. The importance of the registry was not lost on the resistance who planned and executed a brave attack (Dutch) to destroy as much of the registry as they could by firebombing it after subduing the guards. The attackers were betrayed to the Nazis and all but two were executed in the dunes near Overveen. Even though the attack was not a complete success a chunk of the registry was destroyed entirely (about 15%), and a large chunk of the remainder suffered substantial water damage thanks to the fire brigades doing their utmost to drown the parts that had not burnt (after dragging their heels as long as possible to let the building burn as much as they could get away with without raising suspicion that they knew what was up).

All in all more of a delaying action than a complete success but still, quite the coup and the Nazis were seriously angry they lost access to those records. 80% of the Jews in Amsterdam were killed by the Nazis, without the attack on the registry that percentage probably would have likely approached 100% except for those that had already fled the country at the outbreak of the war. That’s how much of a help the registry was in determining who to look for and where.

Because the attack on the civil registry in Amsterdam is widely appreciated as an example of the work the resistance did during the war it is still very much present in the Dutch collective consciousness (though, unfortunately, less so with the passing of time). Apparently innocent database fields suddenly came back to bite a very large group of citizens.

The Present

In the United States recently something related happened. The Office of Personnel Management (OPM) had an enormous breach leading to the release of 20 million+(!!) files on people employed by the government and those that they associate with. This database apparently existed to aid in determining who could be given what level of clearance and because of that contained all kinds of juicy tidbits as well as complete identity information and a large amount of meta information in terms of who is linked to who by family ties or friendships as well as co-workers (especially abroad) and other such information.

It doesn’t require much of an imagination to see how this information could be abused, note that it is closely resembling the situation with the Amsterdam registry in that the original goals of making the database may have been relatively innocent the data suddenly took on a totally different meaning when the ownership of the data changed.

The Future

One of the mantras that I keep hearing in the wake of the Snowden revelations is that ‘if you’ve got nothing to hide you’ve got nothing to fear’, usually bandied around by upstanding citizens who have done ‘nothing wrong’ and therefore applaud any and all privacy invasions because after all, those privacy invasions on the surface do not seem to affect them.

The Amsterdam civil registry take-over and the OPM breach are good illustrations of what can go wrong even if you have done ‘nothing wrong’, after all almost all of those affected have done nothing wrong and yet their privacy has been violated in a pretty drastic manner leading to death, identity theft or embarassement.

If they had nothing to hide because they had done nothing wrong then what’s the fuss about?

Well, that’s an easy one: The fuss is that even if you have absolutely nothing to hide the ‘privacy is dead’ crowd seems to miss out on the fact that privacy by itself is considered important enough to make it into the Universal Declaration of Human Rights, Article 12, and that ‘privacy’ is not the same as ‘secrecy’, in other words having done something wrong or not does not bear at all on the question of whether or not privacy is a useful thing or merely a luxury we can afford to do without since a lack of privacy only affects those that have done something wrong (which is clearly false!). You don’t have to have any dark secrets in order to to value your privacy.

If you really strongly feel that you have nothing that you consider private ask yourself this: Even if you have done nothing wrong, are you willing to publish your pin code, a high resolution scan of your signature, your passport, your SSN, your passwords, your photographs (naked, preferably), your medical records, the conversations with your attorney, the amount of money you currently have, your criminal record (if you have any), your bank statements, your tax returns for the last 10 years, your license plate and a copy of your driving license, your sexual orientation, your infidelities, the names of the people that you love, the names of the people you despise, the contents of your diary, all the emails you ever wrote and received, your report cards, your entire credit history, all the stuff you ever bought, all the movies you’ve ever watched, all the books you ever read, your religion, your home address and so on for all the world to see?

If you’re willing to do all of that then congratulations, you really have nothing to hide and the word ‘privacy’ means nothing to you. But if you answer so much as ‘no’ to any one of those or to any bit of information that you yourself come up with that you’d rather not share with the world then you too value privacy.

And if you’re not content with living in a world where all of that data is public then you’d better stop repeating that silly mantra ‘if you’ve got nothing to hide then you’ve got nothing to fear’, even if instead of death or identity theft your problems might merely be those of inconvenience or embarassment when your data gets re-purposed in ways that you could not imagine when you sent it out in the world in a careless manner, and when you helped erode the concept of privacy as a great good that needs to be protected rather than sacrificed on the altar of commerce or of national security (especially from some ill defined bogey man, such as the terrorists).

HN Submission/Discussion
If you read this far you should probably follow me on twitter: