On Notices of Privacy Policy Updates

Like you, these days I find my inbox flooded with GPRS compliance emails. Some come from services I use every day. Others are from services I signed up for a long time ago, and no longer use. Still others are from services I can’t recall signing up for. Did I open accounts with these companies unwittingly? Did someone open an account on my behalf? Did I open an account with another business that was then acquired by the company I’m getting the email from? I find myself at a loss, and quickly move on to the next email.

Compliance with the new rules is important to the companies sending the emails, but as a user the collective effect is a burden. I have little incentive to do anything other than archive the messages. Still, the (seemingly) endless stream of GPRS emails reminds me of how scattered my identity is in information environments.

Each of these companies has a digital representation of me somewhere in their systems. They aren’t centrally coordinated; each company’s dataset is an independent representation of my information. These snapshots of me vary in fidelity. For example, those that have my physical address as of five years ago are wrong. Others are newer, and therefore have better information. There is no one “true” representation they can sync to, and I have little incentive to keep them all up to date, since I don’t have plans to visit many of these places anymore.

As we move between physical places in the “real” world, our identity comes with us. When I visit my local grocery store, people know who I am. When I go next door to the local pharmacy, I’m the same person. In my pocket is a wallet with little plastic cards that identify me: a driver’s license, various credit cards, a transit card, etc. These identifiers travel with me as I go from place to place. I show them as needed, and they remain in my possession.

Moving through online places doesn’t work like this. When you first enter most information environments, you’re anonymous. As in the real world, you must identify yourself if you want to transact there. Once you do, your identity is somehow no longer in your possession; a new instance of “you” has been created in a database which you don’t own. This digital “you” starts life as (mostly) a blank slate and gets a history of its own as you interact with the company’s services.

When you’ve been online as long as I have, you have hundreds of such “yous” lying around. Some are dormant, others very active; all are scattered, out of your control in ways no government regulation can ultimately rein in. Occasionally you’ll read news about one of these “you’s” homestead being compromised, your personal information trickling out to — who knows where? — without much you can do about it other than changing your password, the damage long done. As the GPRS compliance emails remind us, we can’t speak of our online identity in the singular; each of us is a plurality that is only partially under our control.