British police made headlines a few weeks ago when they scanned in the faces of all 90,000 visitors to a music festival and then ran the results through an international law enforcement database. What some people regarded as a measure to safeguard the security of respectable citizens was seen by others as one more step towards total surveillance of our society.
In any case, “What are you doing with my data?” is a question that Malte Spitz, German Green Party politician and internet expert, has been posing for years. In 2014, he embarked on a quest to find out what sort of data about him had been captured and where it was being stored, and then proceeded to publish the results in a book of the same name. But he had already made a name for himself worldwide in 2011 when he obtained his own data from his telecommunications service provider and had it published at ZEIT ONLINE.
Malte Spitz recently spoke about this issue at a Deep Space LIVE event in the Ars Electronica Center. We had a chance to chat with him before his appearance.
Mr. Spitz, just last month the EU’s member states agreed to new EU Data Protection Regulations. Do you see this as real progress or just another PR campaign? What are the positive aspects of the new regulations and what leaves something to be desired?
Malte Spitz: This is the proposal submitted by the EU member states. There are also proposals from the European Parliament and the European Commission. Over the next six months, these three protagonists will hopefully reach an agreement and legislation will finally be enacted. With respect to data protection, however, the agreement reached by the EU’s member states is the weakest of the three. This is why I hope that, in the negotiation process, the positions advocated by the European Parliament will be the ones that prevail in order to implement data protection that can live up to the challenges the future will bring. These regulations should by all means maintain such principles as earmarking—whereby data may be used only for the purpose for which it was gathered—and total transparency—acknowledgment of what data is being processed, how, and by whom—and this should be mandatory throughout the EU.
Why is the proposal by the EU member states so weak?
Malte Spitz: The EU member states—Germany above all—complied to a very high degree with the wishes of certain elements of the private sector and, for that reason, softened their position in certain areas such as earmarking. Accordingly, the proposal of the EU member states is not very stringent or clearly formulated; rather, it has left several loopholes open, which is really a shame. But tough negotiations are upcoming now, and I hope that the others will be able to get their way.
In autumn of 2014, you published “What Are You Doing with My Data?,” your book about when, where and by whom data about you is being gathered and stored. What motivated you to do this research, which was surely quite arduous and time-consuming? Was this connected with a particular event, something that happened to you personally, or was this rather a matter of this issue’s political explosiveness in a democratic society?
Malte Spitz: I had already gotten started six or seven years ago, repeatedly submitting queries to public agencies and, to some extent, to private-sector firms too, to get them to disclose what data about me they’re storing. It didn’t necessarily become my hobby, but I was interested in this because I wanted to make it clear to certain organizations that they can’t just store data; that they also have an obligation to deal responsibly with this data and also to disclose to me what they have if I want to know. But, no, there wasn’t a sudden eye-opener, some situation in which I was somehow deprived of my data. In fact, the first time I submitted a query concerning the data about me that was being retained, I was motivated by a political confrontation with the matter of data retention. Then, back in 2009, I simply wanted to know whether this system was even functioning, that they were storing everyone’s data — 80 million people, 120 million SIM cards plus internet connections, landline phones, etc. Did this even work, this madness? So, coming with a certain degree of skepticism, I realized that it did work — seemingly very comprehensively and very well.
What has driven me since then and what moved me to write my book was the opportunity to enlighten people. My aim isn’t to dictate to people in detail how they have to deal with their data. If someone says they want to reveal their data, then they’re free to do so, but they should at least know what happens to that data and just what sort of data is in circulation somewhere. My mission is to uphold the value of self-determination, because, for me, self-determination means having been informed and being in a position to make a decision independently, free of any and all constraints. But you can’t really make an independent, self-determined decision if you have no idea what’s even going on here. That’s why I find it so important, especially in times like these, to know what sort of data is being generated. This, I would say, ultimately means making an effort to enlighten the general public. Occasionally, I also take a position, of course, and state how I assess certain procedures, and I hope as many people as possible see things the same way I do. And by doing so, maybe I can get some people to think about changing their ways, better protecting their data, using other applications or investing in data security.
In your book, you wrote that surveillance changes us. Considering how recklessly we deal with our data on sites like Facebook, one tends to get the impression that our awareness of being under surveillance has made virtually no impact on our behavior.
Malte Spitz: Well, I think that, right now, we’re already experiencing something of a shift due both to the digitization of everyday life that’s just begun to emerge as well as, of course, the development of the internet over the last 10 years with the emergence of Facebook and other social media channels, and all these apps that can be downloaded. Plus, there’s the fact that, for about two years now, we’ve been aware of what foreign intelligence agencies have been doing with these data worldwide—and, in Germany, what our own intelligence agencies are up to domestically—and how these data are being used against us. I believe that more and more people are giving some thought to this, and that when some people say it’s OK if Facebook has all this data about them and they disclose the details of their private life on Facebook, and they’re aware of the sort of consequences that can have, then I don’t condemn it, even if I myself would do things differently.
What I’m attempting to show in my book is where such things can also take place offline. We tend to think that we just have to be careful when we’re dealing with the internet, and few of us stop and consider that huge quantities of data are being gathered across the board in everyday life—when we pay for something with a debit card, when we sign up with a telecommunications provider, when we book a flight to the USA, when we visit our doctor, when we buy an insurance policy. What I consider important are thinking about this and knowing what kind of data these are. People should possess a certain fundamental sensitivity. Needless to say, this doesn’t mean you should go through life with a sense of paranoia, thinking. “Oh God, where oh where am I leaving behind data traces?” But one should at least be cognizant of the dimensions, and when everyone realizes this, then everyone can make an informed decision about how to behave in light of it.
Nevertheless, with some things, there have to be limits—for instance, sensitive information like patient data. Here, certain procedures shouldn’t be applied even if they’re technically feasible. It also shouldn’t be permissible to deny medical treatment to people on account of their medical data—for example, due to an unhealthy diet, because they don’t work out, which the physician knows from all these fitness apps & armbands, and the patient then has to pay a €200 health insurance surcharge to get medical treatment. That’s going too far. There have to be certain spheres in which a breakdown in social solidarity or hyper-individualism is unacceptable. Permitting this would mean abandoning our social welfare system because we’re capable of gathering very precise information about each individual so that there are no longer standardized premiums for all insured persons but rather fee structures custom-tailored to each individual. These are the things to which I say: “STOP! We don’t even need to consider this!” I’ve assessed these developments and found that they’re wrong, so I’ve made a commitment to seeing to it that something like this doesn’t go on.
What about your personal behavior? How do you use your smartphone and when do you refrain from using it? Do you have a Google account?
Malte Spitz: In this sense, I’m a totally average user—always was and still am today. I’m registered with Facebook, I have all kinds of apps on my cell phone, I use Google services, and I have a credit card I pay with to collect frequent flyer miles, but, of course, I’ve changed my behavior in certain ways. I have a different e-mail provider; in certain situations, I turn off my smartphone or don’t even take it along with me; I encode particular e-mails; and if my doctor would inform me that I have a serious illness, then I would also know how to deal with this. I would ask him to initially treat the information confidentially, and not to immediately report the details to my health insurance provider.
I learned pretty much all of this by doing research—which things I have to deal with a little more sensitively. What I don’t do is practice data abstinence and claim to be setting a good example. No way! Like I said—you can find me on Facebook. I’m not very active, but nevertheless I’ve posted my profile, I still use twitter and I send e-mails from my smartphone. And I think this is OK. But, as I said, I’ve made certain changes, and what I’m most interested in doing now is giving people the possibility of drawing their own conclusions. They should give some thought to situations in which they want to avoid leaving behind public traces, and what sort of changes they want to make to accomplish this.
What do you tell people who say they have nothing to hide and thus have no problem with all sorts of data being gathered and stored?
Malte Spitz: I get this a lot. On one hand, I’ve seen that when you talk to these people, you find out that there are areas in which even they say that they’re against certain types of information being stored somewhere. On the other hand, I believe this is deeply rooted in our thinking. In German and Austrian history, there have, unfortunately, been times in which authoritarian regimes gathered such information—needless to say, not like what’s possible today—and used it against certain individuals. Today, I’m happy to say, no one has to be afraid anymore of being hauled out of bed by the police at 5 AM and being unlawfully detained like in the Third Reich or other states like China and Vietnam. But what I see are people motivated by economic reasons to better protect their data. Their data pop up somewhere and all of a sudden an online offer is €5 more expensive than what others see, or you don’t even get the offer that your friends do. Solely due to data traces people leave behind, a vendor says: “This one gets the discount deal and this one doesn’t.” Or obtaining credit online, whereby one person has to pay 8.8% interest and someone else gets a rate of 11.5%. Now, these aren’t life-or-death decisions so it’s a less dramatic matter, but this has a lot of ramifications in everyday life.
No longer are scoring procedures used only when you want to open up a bank account or take out a loan; they’re now a part of many different processes in everyday life—if you want to buy something on the installment plan; when you want to contract services; or, for instance, when you order merchandise online, whether you have to pay in advance or you can pay after the delivery arrives. And then, maybe some people do have something to hide, or they say that maybe it’s a good idea after all not to be so transparent because you have no way of controlling what happens.
I think that people already realize that deviant behavior has various consequences. And such behavior doesn’t even have to be so extremely negative. But there’s a sort of formula whereby 95% of people are accepted and, for instance, receive a certain discount, and 5% are outliers and thus have to pay €3 more for the same product. That’s why everyone always tries to be middle-of-the-road: to get the better price. But I believe that a society needs diversity, it also needs extremes, and I don’t want everybody to be the same and just exhibit conformist behavior. Laying low in the thicket of the group as a whole—here, data and how we deal with them play an essential role.
At the recent Download music festival in Great Britain, the police conducted a surveillance action that got a tremendous amount of media coverage: they scanned the faces of all 90,000 festivalgoers and fed them into an international law enforcement database. Plus, they used RFID chips to track visitors’ movements around the festival grounds. At what point can you say that we’ve given up too much freedom in return for security? Or, in other words: have we already passed that point?
Malte Spitz: In certain areas, we’ve definitely already crossed the line—namely, that we’ve surrendered too much of our individual freedom to a collective security & surveillance establishment. Thankfully, it’s not as apparent here yet as it is in other countries, but data retention is increasing markedly. This is on the current political agenda because, at least in Germany, it’s being reintroduced.
The people with regulatory responsibility here frequently see this much too simplistically, like: we’re just saving data, we’re just performing surveillance, we’re only filtering data traffic, we’re just taking a look at where people are—because it’s simply so easy to do. But thanks to Edward Snowden, we’ve known for two years now that stored data isn’t secure; in fact, it’s very insecure. And I find that, in this process of balancing freedom and security, we’re mostly conducting a defensive battle and what we actually need is for the whole society to engage in a lot more discussion about what freedom we want and in which areas we’re willing to accept some infringements. It makes a difference if this is a matter of curtailing an individual’s basic rights due to well-founded suspicions or concrete evidence, or if this has to do with collective measures affecting all 90,000 visitors to some festival or the entire population of Austrian, Germany or the EU. You have to make it very clear that this sweeping, mass surveillance—simply saving everything—goes too far. You get a gigantic data-haystack in the hope of immediately finding the needle somewhere inside. This is a fallacy and there has never been proof that this system works. Therefore, I advocate a security system that’s technically well-equipped so as to monitor individuals in individual cases when it’s necessary, when there’s well-founded suspicion, but not huge segments of society.
Last question: How realistic is it, in your opinion, that the extent to which we are under surveillance will significantly decrease in the future and we’ll gain greater control over our own data? Do you regard this as a concrete objective or is your aim rather to sensitize people or raise the collective consciousness to such an extent that every individual can deal with this reality in the way they see fit?
Malte Spitz: I believe the two go hand-in-hand. When you raise consciousness and propagate some sort of enlightenment to increase sensitivity, then the control people exert over their own data will, in turn, increase. Just like people have become more aware when it comes to buying groceries or driving their cars, I believe that this sensitivity to data will also lead to a political rethinking process and also launch a discussion in society, and there will be more and more of an uproar about certain developments and people will say: “STOP! Here and no further!” But this is really a difficult confrontation, because it’s being waged on two fronts. There are both private enterprises and government agencies that are interested in our data. Now, these government agencies are perhaps not even storing the data themselves but they want the data that companies have accumulated—for example, airline passenger lists, telecommunications information and different kinds of payment data. And for that reason, private-sector and public-sector entities are directly or indirectly forming an alliance dedicated to knowing as much as possible about us. This is formulated as the logic of economic utility in that firms claim that they can thereby improve their offerings, provide better customer service and maximize revenues, and the state says that, if need be, they can gain access to these databases to evaluate or filter out something. Taking on these two opponents is unfortunately a tough struggle. We’re fighting against two sides that are very powerful and are attempting in numerous ways to curtail and weaken our right to self-determination. Now’s the time to lay the foundation to enable data protection and data security to gain significance in the 21st century, and to work together to implement these provisions.
Malte Spitz
Malte Spitz is a member of the party council of Alliance 90 / The Greens since 2013. Before that, he spent seven years in the six-member national board member of Alliance 90 / The Greens. Since 2014 he is member of the Regional Executive of Alliance 90 / The Greens NRW and spokesman for the Federal Association of Media and Internet policy. He is a member of the Green Party since 2001. In October 2014, his book was published by Hoffmann und Campe “What are you doing with my data?”. Malte Spitz is married and lives with his wife and two children in Berlin. He studied part-time political and administrative sciences at the University of Hagen, before he studied economics at the Humboldt University of Berlin studied without this study conclude.
From 3 to 7 September 2015, the Ars Electronica Festival takes place under the title “POST CITY – Habitats for the 21st Century“. Again, it will go to the issue of data collection, monitoring and mobility of data.