Professor X’s Notice and Choice Privacy Dilemma

0
1585

Professor X, the founder and leader of the X-Men, is one of the most powerful mutants on the planet. His psionic powers include telepathy and the ability to identify other nearby mutants. With his powers enhanced by Cerbero, Professor X identifies mutants to attract them to attend the Xavier School of Gifted Youngsters. Professor X’s ultimate goal? Peaceful co-existence between mutants and humankind, a co-existence based on trust and understanding. While his goals benevolent, his methods and their disrespect for basic privacy principles serve to undermine his entire mission.

What exactly are the issues standing in his way and how can the Professor seek to address them to further his mission? To dig into this question, first a quick primer on privacy law.

What is Personal Data?

Privacy law protects “personal data”, generally defined as any information that identifies an individual or relates to an identifiable individual. Many countries define certain categories of personal data more sensitive than others. For example, these “sensitive” categories of personal data can include: “racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life,” (EU Data Protection Directive, Article 8) as well as biometric, genetic or criminal records.

Privacy Law and the Fair Information Practices Principles.

While the philosophical rationale for privacy law varies by jurisdiction, (e.g. EU law designates privacy as a “fundamental human right” and the U.S. law focuses protecting individuals from the “harm” caused by the mishandling of personal data), in reality, privacy law and practices rely on the same underlying principles known as the “Fair Information Practices Principles” (FIPPs) developed by the Organization for Economic Community Development over 30 years ago. (OECD Privacy Guidelines and updated in 2013) The FIPPs provide that when a person/entity collects personal data, that it should ensure that the individual has:

  • Notice. of how her personal data is being collected and used and with whom it is shared.
  • Consent. to how her personal data is used, especially if the proposed personal data uses are not readily understood by the individual or if the data are sensitive. and
  • Access. to understand what personal data has been collected and make corrections to such personal data.

A person/entity collecting personal data must further adhere to principles of: (i) minimization collecting and keeping, only what is truly needed; (ii) quality/accuracy ensuring data is accurate; (iii) security keeping data secure; (iv) destruction, when data is no longer needed, destroying it securely; and (v) assurance/accountability make certain you’re actually practicing what you preach.

In my years of reading X-Men comic books and watching X-Men films, I don’t ever recall Professor X alone, or in his use of Cerebro, following these principles. Let’s delve a little deeper into the Professor’s practices and how he could improve. 

Privacy and Professor X

Professor X has the natural ability to scan his surroundings to identify mutants and read the thoughts of mutants and non-mutants alike. However, if you walked by the Professor in real life, would you recognize Professor X as someone with psychic powers? Even if you saw him with his mutant protégés (e.g. Angel with his wings or the blue haired Beast), you’d more likely think that the Professor was just your average mutant-positive human with some really cool friends.

The Central Park Scenario

Clearly, the Professor has a problem with notice and consent, two key privacy principles. Let’s assume the Professor is traveling through Central Park to find recruits for the Xavier School for Gifted Youngsters. As he scans the crowds of mutants and non-mutants alike, he’s collecting personal data and “sensitive” personal data (e.g. whether or not you were homo-sapien or homo-superior and the nature of your mutant power). However, humans and mutants would neither be aware of nor do they consent to such searches or the collection of information about them. Further, he’s gathering information from thousands of individuals to find that one proverbial needle in a hay stack. Finally, what about the mutant that just wants to be left alone. Just because the Professor can identify mutants, should he?

If the Professor wanted to adhere to privacy principles, what could he do? The simplest thing he could is stop scanning people without notice and consent. This might make his mutant hunts of Central Park a little impracticable, but at least he wouldn’t be violating people’s/mutant’s privacy.

Conducting scans in Central Park would be difficult due to the nature of the “genetic” trait information the Professor collected. Collection of such information would require explicit “opt-in” consent. If he wanted to do scans of individuals in Central Park, he could do so by posting clear notices at the park’s perimeter informing persons entering the park that psychic scans are being performed and if an individual wanted to ‘consent’, that individual would just have to “think” the words “I consent”. Upon receiving such a signal, the Professor could hone in on that individual’s thoughts and scan accordingly. This would be most effective because those individuals who either didn’t see the signs or did not otherwise take affirmative action to consent would not be scanned.

What if an individual initially consented and subsequently changed her mind and wanted to “opt-out” or unconsent? As a privacy principles go, revoking consent needs to be just as easy as giving consent. Thus in this case, the individual who initially thought “I consent” could merely think “I withdraw” to “opt-out” of subsequent scans.

The above approach is better than that described in the X-Men books, which present Magneto’s helmet as an “opt-out” option instead of an “opt-in.” When Magneto wears the helmet, the Professor cannot scan or locate him, but the opposite is true when he removes the helmet. Of course, the problem with the helmet is that it must be worn at all times which makes the opt-out onerous to say the least. Plus it requires the individual to take affirmative actions to “opt-out”, contrary to the obligations to obtain explicit consent when collecting sensitive personal data. One can only imagine the case of “helmet hair” Magneto has, especially if he can’t take the helmet off in the shower. The other more troubling aspect is that the Professor and his protégés have an awfully hard time respecting Magneto’s choice when they try to remove Magneto’s helmet against his will – that would hardly be consistent with allowing individuals to express freely given consent – a requirement under nearly every privacy law. Finally, it is also unreasonable for us normal folk to be expected to invest hundreds of thousands of dollars to create the equivalent of a tin foil hat and bucking against fashion and insisting that wearing psychic blocking helmets is “cool.”

Reaching the Mass Audience

Professor X might have to consider going the old school advertising route through online or television advertising. In this classic archived TV commercial from the ’80s, he’s clearly thought about this.

While this was a great attempt to attract those individuals who are truly interested in applying to the school minimizing the data collected, the Professor’s attempts fail again, because this commercial does not disclose that by calling the phone number you’re consenting to a scan of your homo-superior nature as part of the process. Consent can never be valid if you don’t know to what you are consenting. In fact, you’re more likely just get a simple rejection card in the mail.

To scan this poor uninteresting human, the Professor most certainly used Cerebro to amplify his mutant sensing abilities. Cerebro merely amplifies the Professor’s privacy dilemma. Was Cerebro designed with privacy principles in mind and in particular is Cerebro secure? It doesn’t take a mutant to recognize that creating a system that enables two-way psychic connections could be a security problem if the mutant connected at the other end has bad intentions.

Clearly, Cerebro is not really too secure. Seriously, your only option is to destroy Cerebro when a bad connection is made? How about making it “one way” only or a simple on/off switch? A little bit of advanced planning could have avoided some serious drama and uncalled for (alleged) casualties (yes, I’m calling out you Havoc! Show yourself!). Unlike the Professor, not all of us have a small band of mutants who can rebuild a mansion with a little bit of mental effort.

Where Mutants and the Real World Meet

You might think these issues of psychic or behavioral monitoring only exist in the world of comics, but even in today’s primitive, non-super hero world, such issues exist. When you walk around in a retail store today with your smartphone and wifi on, the retailer is often able to gather information about the parts of the store in which you walk and linger or the displays that attract your attention. Unlike Professor X, these systems gather only non-sensitive information about devices and stores are not tracking whether or not you’re a mutant menace trying to flex your homo-superior muscle, instead they use this information to try to better understand the flow of their stores to make them more efficient, more appealing and inviting to their customers. Retailers realize their customer relationships rely on trust and that technologies gathering information might raise concerns, so they’re working on ways to provide notice to individuals when their stores are using such technologies in an effort to both provide notice and choice. You can find an example of these efforts with organizations like the Future of Privacy Forum (www.fpf.org) and their smart places initiative at www.smart-places.org.

Perhaps Professor X could take a page from their book.

A Postscript

A final reminder that privacy principles and laws, just like the relationship of mutant kind to the Marvel universe continues to evolve. However, privacy principles and their protection of personal data will always engender the same basic goals that Professor X wants for mutant kind, those of understanding, fairness and not allowing the qualities that make all of us be gathered and used without our knowledge or to our detriment. So next time Professor X fires up Cerebro, he should ask himself, “Am I truly respecting humans in the way I want them to respect me?” This is a question applies as much to the real world of privacy as it does in the comic books.

Special thanks to the Legal Geeks, Jules Polenetsky, CEO of the Future of Privacy Forum (fpf.org) and Miriam Wugmeister, Partner at the law firm of Morrison & Foerster (mofo.com) for their willingness to review my geeky musings.

Previous articleSan Francisco Comic Con Schedule for The Legal Geeks
Next articleA Doctor on Doctor Strange’s Hippocratic Oath
Jack Yang
Jack Yang is a privacy and technology lawyer practicing in the Silicon Valley. When not advising clients on strategic data, privacy and technology issues, he squeezes in time to read books, comic books and watching television shows and movies across a variety of genres. He loves the work of Daniel Clowes, Matt Fraction, Neil Gaiman, Alan Moore and Gene Yang. Don't make him choose amongst Dr. Who, Star Trek or Star Wars, because he loves them all. However, he still prefers George A. Romero's Dawn of the Dead over all other zombie portrayals on film or television.

Leave a Reply