15 September, 2016
Column by Bendert Zevenbergen, Internet Scientist @ Oxford Internet Institute and Academic Liaison @ Considerati
The legal and technical communities reason differently about the concept of privacy on the Internet, but understanding and combining both may become imperative. This is the main argument Adamantia Rachovitsa puts forward in her interesting and thought-provoking paper titled “Engineering and lawyering privacy by design: understanding online privacy both as a technical and an international human rights issue”, which was published in the International Journal of Law and Information Technology. A siloed approach that relies only on, for example, compliance with the General Data Protection Regulation or the development of technical standards on the Internet will not suffice, but “[t]echnical standards and international law can actively inform one another.”
The technical approach to privacy stems from the principle that end-users need to trust the network, because they are the network. An example of this is the way in which the Internet Engineering Task Force (IETF) responded to revelations about government surveillance of Internet traffic. In its Request For Comments (RFC 7258) titled “Pervasive Monitoring Is an Attack”, the IETF characterised these invasions of privacy as an attack on the network. Nowhere in the document is reference made to fundamental rights or data protection laws. The technical community’s mandate to technically regulate privacy is summarised by Rachovitsa as “[t]hreats to users’ privacy undermine the reliable operation and the responsible use of the network as a whole.”
The European legal community does not consider the integrity of the network, but the state of mind of the individual. The European Court of Justice reasoned that the mere collection and retention of Internet traffic and location data, and their subsequent use without informing the person in question, generates a panopticon feeling of constant surveillance. Similarly, the European Court of Human Rights accepted the reasoning that the mere existence of legislation permitting covert interception of mobile telephone communications could already in itself be considered a violation of privacy. Finally, the UN High Commissioner on Human Rights states clearly that metadata, such as call details or websites visited, reveal much about individuals and that the collection of these data should also be considered a violation of privacy.
To combine the legal and technical reasoning, the Internet Research Task Force – a mainly technical community that is aligned with the IETF – has for some years run the Human Rights Protocol Considerations Research Group (HRPC). This Group is currently focussing mostly on freedom of speech issues. The HRPC summarises its task as the duty to “explore the relations between human rights and protocols and to provide guidelines to inform future protocol development and decision making where protocols impact the effective exercise of the rights to freedom of expression or association.” It is to be expected that the Group will include other human rights in its work in the future.
Academic Liaison at Princeton University