I Am Spartacus: Privacy through Obfuscation and the Right to be Forgotten
The Third Servile War was over. The slave army had been defeated, and their Roman captors offered the survivors a pardon. The only requirement was that they identify Spartacus, their leader (a sun-bronzed, cleft-chinned Kirk Douglas).
Rather than give away his identity, however, each of them cried out “I’m Spartacus!”—thus preserving his anonymity. The Romans could not identify him; they could not discern which of the men standing before them had been the leader of the rebellion.
(Spoiler alert: they all die as a result.) In short, their actions ensured a crucial part of Spartacus’ privacy—his right to be forgotten.
The right to be forgotten is considered a fundamental human right by numerous governments. Legislation such as GDPR and the California Consumer Privacy Act of 2018 (CCPA), for example, aims to establish this right for EU citizens and California residents, respectively.
In the past, the implementation of such regulations has revolved around search engines and the rights of users to request that search results about them be removed, provided the results are no longer necessary or the user has a legitimate objection to their existence.
(One assumes that in this case a request by Spartacus to delete coverage of his being the leader of a massive slave army would be rejected by Google as neither of those.)
However, the Facebook and Cambridge Analytica scandal and a series of large-scale breaches have recentered the discussion on the privacy implications of this human right.
Now, privacy advocates have renewed their calls to have their accounts and personal data removed from social media platforms and other online services.
This seems to have widespread support, as most people agree that users should have the ability to remove accounts and material that they have created in the past, but with this come new difficulties for today’s enterprises.
The solution here is clear: enterprises must offer the capability for users to delete accounts and any associated personal data. However, this is not as simple as it might seem at first.
Organizations are reluctant to give up this data as it helps them to improve their business models and might prove to be profitable information to have on-hand.
To realize the extent of the value of this data, one only needs to look at the cases where businesses, like free VPN services, resell user information to third parties. Enterprises need to feel compelled to part with this perceived value.
Governments are attempting to make parting with customers’ personal data more compelling for enterprises by imposing fines – enter GDPR and CCPA.
However, beyond the necessary business case lie technological challenges. Lingering personal data can be cause for concern, even if an online service has built-in deletion or removal options.
If this personal data is located in a structured database or an application, then the process is relatively straightforward: eliminating the associated account also removes the data stored within that account.
If the sensitive data is in files, detached from applications which are governed by the organization, these files will behave like abandoned satellites orbiting the earth, forever floating in the void of network-based file shares and cloud-based storage.
If the right to be forgotten is to be realized, then an essential task is locating that personal data and enabling its deletion to ensure the privacy of the end user.
As our online identities continue to expand and proliferate on the web, we must work to safeguard them as it is our fundamental right. The right to be forgotten, or to choose to withdraw from online services without leaving our data behind, is essential to our privacy foundation.
Organizations that value their customers’ privacy and their right to be forgotten will demonstrate it by taking measures to protect their customers’ sensitive data – effectively yelling “I’m Spartacus!” on behalf of the user.