Last week, I was in the offices of a credit card company. As I was shown around, we came across a massive screen with a map on it which was showing the density of credit card transactions happening in the world in real time. You could zoom in to Manhattan and compare which block had more transactions happening. It was a pretty neat visualisation of data.
As we continued to interact with it, we could apply filters to the data to show where transactions where occurring by cards registered in Canada were occurring versus cards registered in England and so on. By adding different layers together, different insights can be gleaned. This is a simple way of understanding big data and data analytics – it is less about individuals and more about groups.
Most credit card companies can not ‘see’ where I make a transaction because they do not have the data that connects my name to my card number; they just ‘see’ the transactions associated with my card. In data speak, they never see my personally identifiable information or PII for short.
Your name, age, gender, date of birth, address, biometrics, and many more pieces of information are considered PII. If you’ve read anything about GDPR or interacted with a European business or website over the past year, you’ll likely be familiar with the term. Most data protection and privacy discussions focus on it.
Our laws focus on protecting the individual from the group for various historical reasons (think WWII), however do little to protect groups from being identified. So our laws do little to protect the identity of an ethnic group, a tribe, a vulnerable group (elderly, health grouping, people living with disabilities, etc.). To illustrate this more, our laws protect us from revealing that John is John, but don’t protect us from revealing where all the Hutus live in Rwanda or the educated live in Cambodia. Group information is not considered PII.
So when humanitarians are nervous about WFP giving access to their data to Palantir, one of the many reasons, we are nervous because of the implications of DII/CII, especially when a large corporation with massive data analytics capacity is involved. The Do No Harm principle has left the building.