Losing face


I-gaming, Privacy, and Big Tech

Part one of four parts

“Your face is a book, where people may read strange matters.”

 Shakespeare, Macbeth

It’s ironic. Also a little sinister. The efforts to protect our privacy online have put our privacy at risk like never before.

losing-face-minThe tools to protect us from identity theft and hackers are now trending toward biometrics, the measurement and statistical analysis of a person’s unique physical characteristics and behavior.

Right now, PIN numbers and passwords are the primary protection for access and delicate information. But these can be lost, forgotten, or hacked. Biometric identification uses cameras and sensors to record unique biologic information about you – your thumbprint, your retinal patterns, or your facial features, perhaps even how you walk. When you attempt to log on, you don’t use a number or password, but instead press your thumb or your eye onto a console, or step back and let the camera scan your face.

So you get your access, or you get safe storage for your information. But there’s a catch. Everything is digitized, reduced to ones and zeros and stored in the ID database that authenticates you. But without safeguards, your image is their property now.

Should we be losing our faces to big tech efficiency measures? Do you have a Constitutional right to your own face?

Under the current laws, a living person automatically has a say on how far, to what extent, his face, image and name may be taken and used by others, especially for money.

But what about other purposes? Law enforcement? National security? Public health? It is now entirely possible for Joe Average, walking down the street of any major city, to be recorded by cameras and other surveillance equipment. His facial features can be scanned, assigned digital values, turned into code and compared against official databases holding digital portraits of known felons and terrorists. Also, depending on the government involved, portraits of political dissidents, human rights activists, or just people the bosses don’t like. Like gamblers, for instance.

Private, sort of

Internet privacy has become a prominent issue, so say we all. But the first question is, do we really want privacy? Most of the time we don’t act like it. Especially in the U.S., we don’t merely give away information on ourselves, we thrust it on the world via cyberspace. Facebook pages are chock-full of what we had for dinner last night, whose birthday it is, what we got for Christmas. Instagram and Snapchat overflow with pictures of what we do, and where, and with whom, blasted out into the cyber sphere 24/7. This very much includes political opinions on blogs, picks, and comments on fantasy league teams. We bring Siri and Alexa into our homes, where they listen and record our conversations (for research purposes only, honest). When all else fails, we actually pay total strangers to analyze our most sensitive information of all – our DNA makeup – and report to us that we are 40% Italian, 28% Irish, or whatever it is. In terms of maintaining privacy, this is 100% nuts.

If you have been using the Internet for any length of time, then you have given personal information away in all directions. Especially at the beginning, no one stressed privacy, just all the wonderful things that online businesses were going to give away for free if you gave them all the dope on you. By now this information has been sold and resold until there’s simply no telling who has a line on you. The only safe thing is to assume they all do.

And yet we worry about privacy – with reason. Hardly a week goes by when some corporation, university, hospital, or even branch of government reports it has been hacked, and millions of lines of sensitive code have been spirited off to who knows where. Stolen ID information is a marketable commodity, auctioned off on what is called the Dark Web – that is, businesses and webpages that have not been indexed, and take advantage of their invisibility by serving as auction houses for all sorts of criminals, both cyber and regular. At one and the same time, we ask for maximum exposure while demanding protection. So we don’t really want privacy on the Web, except when we do.

By the book

Time to go back to basics. Legally speaking, what is privacy? When are we entitled to exercise it?

Black’s Law Dictionary defines it as “the right to be let alone, free from unwarranted publicity or interference “. But like all rights, it has its limits. In the landmark case of Katz v. U.S. ,1 the U.S. Supreme Court set forth that whether a particular piece of information could be used as admissible evidence depended on whether or not the individual being snooped on had a “reasonable expectation of privacy” at that time and place. Katz was a handicapper who phoned his basketball picks to bookies. He did this from a phone booth near his home (when’s the last time anybody saw a phone booth?). It being a public phone, the Feds assumed they could simply tap that phone and record the conversations. Not so, said the Justices. Even if the phone is public, the conversation is private, and so the Feds should have obtained a search warrant.

But what if Katz had shouted his information out loud on the street? How much privacy could he have expected then? Very little. No warrant is needed to obtain information that is, in effect, publicly displayed.

So now we come to the million dollar question: is Internet and interactive gaming conducted in private? After all, most people play from home, or on their personal device. Or is it public? After all, the Internet is generally acknowledged as the world’s biggest public square and forum. The Supreme Court has also set forth that the Internet and social media are “essential venues for public gatherings to celebrate some views, to protest others, or simply to learn and inquire.”2

Regulators have hit on what they hope is a solution. Any online business may collect the information on you that it needs to conduct relevant transactions, but that’s as far as it goes. The business proprietors may not turn around and sell that access information and data without your express consent.

Regulation trends

The strongest consumer privacy protection in the U.S. so far is the California Consumer Privacy Act, which took effect in January, 2020.

Businesses which collect data on California residents are now required to ask permission in advance. Customers have a right to refuse to give their data; moreover they may also ask for their existing personal data in that business’s files to be deleted. Requests to opt out or delete personal data must be responded to within a set timeframe. As a final precaution, The businesses that receive such requests must double check and verify that the request to opt out or erase are in fact coming from that actual person.

But this protection is not all-encompassing. To come under the CC PA, a business must be receiving the personal information of 50,000 or more customers and/or taking annual gross revenues of $25 million or more, and/or gets 50% or better of its annual revenues from selling customer information. This leaves a loophole, so far, for smaller operations to keep on collecting and selling personal data.

In the EU, the General Data Privacy Regulation (GDPR) has been in effect since 2018. That law differentiates between “data controllers”, who determine what your personal data is to be used for (advertising campaign, research, etc.), and “data processors”, the folks who actually crunch the numbers. “Processing” means the gathering, storing, organizing, use and even destruction of personal data.

Under the GDPR, the data controllers are ultimately responsible for ensuring that personal and sensitive data are properly collected and protected. Individuals can inquire what data of theirs a given controller possesses, and what it is used for. Inquiries must be responded to within 30 days. Misuse of data can result in the processor being fined up to €20 million or 4% of its annual gross, whichever is bigger.

Unlike California, however, the GDPR allows automatic collection of data in certain circumstances such as legal requirements, contract stipulations government departments, and education. California and the GDPR also differ in their approach to the question of opting in or opting out of data collection. California requires that the customer affirmatively opt in every time. The GDPR, on the other hand, simply forbids the use of the check- the- box opt out feature.

In the rest of the USA, there are a handful of states which have data privacy statutes on their books; at present most states are still negotiating the proper legislation, and some are still in the conceptual task force stage.

Likewise, in most of the rest of the world data protection is still a work in progress.

Your data future

But going forward, it won’t be enough simply to rely on statutory protection.

Ambitious companies have a way of slipping through loopholes; governments are constantly tempted to overreach. And for online gaming operations and their customers, this goes double. Gambling, gaming for money, and anything similar are still under a cloud, and a tinge of the disreputable clings to them even yet. They can’t count on the benefit of the doubt.

No, the thing to do is proactively take control of your own data from now on. Don’t provide your information to people who don’t need it. There may be a list of questions for applications or surveys- but what part of that information is really needed for the task at hand? Name and address, sure. How many brothers and sisters do you have? That’s another matter. Don’t be afraid to ask why they want that information.

For in the end, somebody who has control over your information has control over you.

losing-faceThere are ominous signs on the horizon. China is reported to be working hard to install an interconnected, all-encompassing network of surveillance and databases that will empower the central government to observe and control absolutely every aspect of their subjects’ lives.

A snapshot from that nightmarish not- too-soon- in- the- future scenario:

Citizen Wang walks down to the market to buy some vegetables. The surveillance cameras pick him up, and immediately compare his facial features to the government catalog of democracy activists, Muslims, Christians, and other folks whom the government considers bad actors.

While they’re at it, the surveillance sensors record his body temperature (you never can tell when there’s another virus busting loose), his body language, and of course any words he may say, at least while he’s within microphone range.

And if he does anything that the government doesn’t like, he will lose points from his “social index”. The government keeps a central registry of, well, everybody, and awards or subtracts merit points based on behavior.

Applaud loudly at a state-sponsored rally to praise the government’s policy on agriculture or industry or what have you? Good boy, Wang, here’s some extra points. Do something verboten like go to church or (gasp) hang out with the Falun Gong meditation sect? Relatives active in the Hong Kong protests? You lose points off your social index. Now you can’t get low interest loans for your business. You’re not allowed to live in certain regions. You aren’t allowed to buy airplane tickets, even just from one Chinese city to another. Permission to travel abroad? Are you kidding?

And before we say to ourselves “that could never happen here in America” we need to remember that lots of the technology and equipment that make this Orwellian nightmare state possible… are U.S. designed and U.S.-made. The U.K. has also made extensive use of face recognition and mass surveillance technology – there is now a surveillance camera for every 11 people in Britain.

Online Privacy, on and off

All right, when is the government entitled to conduct surveillance? In American law, the legal standard to determine whether or not surveillance is allowed centers on “the reasonable expectation of privacy”.

If you are in a place where you can reasonably expect privacy- that is, no one may enter and observe without your permission- then the gendarmes have to get a warrant before they listen or peek in. Expectation of privacy in your personal space is easily understood.

But when you’re out in public, what then? How much expectation of privacy do you have driving down the freeway or walking across the town square?

Much less, obviously.

For decades now, we have been promised that we would soon have 100% control over our online privacy and security, but still be able to get whatever information we want on request. But free speech and privacy are forever the sworn enemies of security and personal autonomy. This will soon be a hard choice for users of the Internet to make – provided they are allowed to choose at all.

Face Dances.

1    Katz v. United States, 389 U.S. 347 (1967)

2    Packingham v N. Carolina 582 U.S. ___ 137 S. Ct. 1730; 198 L. Ed. 2d 273 (2017)

Mr. Owens is a California attorney specializing in the law of Internet and interactive gaming since 1998. Co-author of INTERNET GAMING LAW with Professor Nelson Rose, (Mary Ann Liebert Publishers, 2nd ed 2009); Associate Editor, Gaming Law Review & Economics; Contributing Editor, TSN. Comments/inquiries welcome at [email protected].