Legal, Technical, and Common Sense Privacy

The legal and technical communities reason differently about the concept of privacy on the Internet, but understanding and combining both may become imperative. This is the main argument Adamantia Rachovitsa puts forward in her interesting and thought-provoking paper titled “Engineering and lawyering privacy by design: understanding online privacy both as a technical and an international human rights issue”, which was published in the International Journal of Law and Information Technology. A siloed approach relying on, for example, compliance with the General Data Protection Regulation or relying on the development of technical standards on the Internet alone will not suffice, but “[t]echnical standards and international law can actively inform one another.”

The technical approach to privacy stems from the principle that end-users need to trust the network, because they are the network. An example hereof is the way in which the Internet Engineering Task Force (IETF) responded to revelations about government surveillance of Internet traffic. In their Request For Comments (RFC 7258) titled “Pervasive Monitoring Is an Attack”, the IETF characterised these invasions of privacy as an attack on the network. Nowhere in the document is reference made to fundamental rights or data protection laws. The technical community’s mandate to technically regulate privacy is summarised by Rachovitsa as “[t]hreats to users’ privacy undermine the reliable operation and the responsible use of the network as a whole.”

The European legal community does not consider the integrity of the network, but the state of mind of the individual. The European Court of Justice reasoned that the mere collection and retention of Internet traffic and location data, and their subsequent use without informing the person in question, generates a panopticon feeling of constant surveillance. Similarly, the European Court of Human Rights accepted the reasoning that the mere existence of legislation permitting covert interception of mobile telephone communications could already in itself be considered a violation of privacy. Finally, the UN High Commissioner on Human Rights states clearly that metadata, such as call details or websites visited, reveal much about individuals and that the collection of these data should also be considered as a violation of privacy.

To combine the legal and technical reasoning, the Internet Research Task Force – a mainly technical community that is aligned with the IETF – has for some years run the Human Rights Protocol Considerations Research Group (HRPC). This Group is currently focussing mostly on freedom of speech issues. The HRPC summarises its task as the duty to “explore the relations between human rights and protocols and to provide guidelines to inform future protocol development and decision making where protocols impact the effective exercise of the rights to freedom of expression or association.” It is to be expected that the Group will include other human rights in their work in the future.

While technical and legal reasoning are both good, and combinations thereof even better, Cory Doctorow aptly explains that (informed) common sense is also crucial. In his recent provocative column about developments such as the Internet of Things, he states that “[t]he best way to secure data is never to collect it in the first place. Data that is collected is likely to leak. Data that is collected and retained is certain to leak.” Informed consent may be somewhat of a legal fiction, but when data collection sensors become ubiquitous as well as tiny, there will not be any room to present a privacy policy for (unwilling) data subjects to accept. Informed common sense may be similar to data minimisation: it can be agreed that sometimes, or often, it seems, or simply is, pointless or even harmful to run the risks of collecting as much data as possible.