Private-Public Partnership

As a citizen of a country that is based on a constitutional democracy, which acknowledges an inalienable right to privacy, one would expect that respective government to protect its citizens from cyber-attacks and illegal surveillance. However, the latest after Snowden’s revelations we know that reality looks different. Since governments themselves may initiate and/or become targets of cyber-attacks, individuals can’t solely rely on governments to ensure their constitutionally mandated protective function. With the knowledge gained thanks to Snowden, we can change our behavior accordingly - at least theoretically. By we, I mean each and every one of us. I say theoretically because society is distracted easily and technological knowledge and abilities are often lacking. Be that as it may, at least we now know about the occurrence and the scale of government surveillance. What society generally doesn’t appreciate though, is the role the big data economy plays as a facilitator (voluntarily or not) of privacy attacks inflicted upon us. And these private companies are typically not subject to constitutional notions of privacy but rather possess wide discretion to use our data as set forth in their terms of use.

The internet is as a system without clear country borders and where private and public sectors converge. This means that we live in a world where big data companies might become (voluntary or involuntary through e.g. decryption backdoors) henchmen of governments. If mandated for the wrong reasons, the government’s availment of big data companies isn’t much different morally than the 18th century-style issuance of general warrants. What is very different in the digital age though is the scale, speed and simplicity with which a disagreeable individual can be traced and manipulated. Even more severe are the potential chilling effects the technological possibilities in the digital age imply to a society as a whole (see Xinjiang): The big data surveillance is not merely about the data collection of individuals but about the study of contextual and collective human behavior. Other reasons for concern are the sometimes opaque motives of big data companies themselves, let alone the difficulty for consumers to know with certainty the implications of all the data they give away for free. These technological possibilities and the shamelessness with which certain political proposals treat privacy issues (such as the Feinstein-Burr decryption bill) should have all of us concerned. The technological possibilities spur politician’s Benthamian-kind utilitarian hopes and, if misappropriated, could end-up in (maybe still science-fiction-like seeming) realities as described in Yuval Noah Harari’s Homo Deus or Frederick B. Skinner’s Walden Two.

Given (private) big data companies’ role, I believe we should respond twofold: Firstly, regulation has to be amended to address the changed reality, particularly with respect to big data companies. Secondly, individuals have to be educated in order to have the desire to protect themselves.

In regards to regulation, the principles set forth in the EU’s General Data Protection Regulation (GDPR) seem to me to be a step in the right direction. The new sanction system that will enter into force – a fine of the higher of either up to 4 % of a company’s worldwide annual turnover or up to 20 million EUR – should finally cause companies to take data protection seriously. The privacy by design principle encourages encryption of private data. Further, the extra-territorial reach of GDPR might foster the development of converging rules and provide an equal level of privacy protection, but that is far from certain. Especially the current US administration doesn’t seem to be too bothered by the fact that the future of the US – EU and US – Swiss, respectively, Privacy Shield framework’s future is unclear, given the concerns that the EU Article 29 Working Party has expressed regarding the self-certification procedure of US companies (https://www.hldataprotection.com/2017/12/articles/international-eu-privacy/article-29-working-party-sets-deadline-to-address-privacy-shield-concerns/). Furthermore, the European Commission recently announced that it will make it a priority in future trade and investment agreements to counter rules from other countries – including Russia, China and India – that require companies to store data on local servers (https://www.forbes.com/sites/davidschrieberg1/2018/02/11/e-u-hoping-new-data-protection-under-gdpr-will-have-global-impact/#57258c042dc1). However, it seems unlikely that non-EU countries will follow these demands them due to fundamentally divergent views and interests when it comes to privacy. Also, unfortunately private sector companies are likely to cave into demands on local data storage and sharing, as recently observed with the demands made by China and followed by apple (https://www.cnet.com/news/apple-moving-icloud-encryption-keys-to-china-for-china-based-users/). While these EU policies may be well intended they have the further major shortcoming in that they focus on a bilateral transactional relationship. The governance of the bilateral relationship is necessary but far from sufficient since the big issue relates to behavior collection on a large scale that affects society as a whole. On this point, GDPR remains silent.

Another essential pillar, if privacy is to be taken seriously in the digital age, is the education of individuals and the establishment of networks devoted to ascertaining privacy. With data breaches and negative news of (centralized) big data companies on the rise, one would expect that privacy becomes a topic that individuals start to care more about. A promising example of this can be seen in blockchain technology and the communities built around it. In its set-up, these networks inherently cut-out the middle-man and are user-controlled. However, without additional layers of protection, blockchain technology itself is not safe from big data analytics (http://peerproduction.net/issues/issue-9-alternative-internets/peer-reviewed-papers/the-interplay-between-decentralization-and-privacy-the-case-of-blockchain-technologies/). Blockchain-based projects such as “Chainiac” (developed at the Swiss Federal Institute of Technology in Lausanne (EPFL)), which tries to make it impossible for governments to force software companies to deliver software updates with secret backdoors in them, spur hope (https://www.fanaticalfuturist.com/2017/08/blockchain-experts-are-putting-a-stop-to-governments-putting-backdoors-in-software/). Ultimately, it seems to be a constant fight between privacy proponents and their adversaries, the outcome of which will heavily influence how society will develop. Individuals' technological literacy will play a significant role in the outcome.