Information security with particular emphasis on privacy, online privacy and data protection
REMEDYING ZERO PRIVACY:
AN ANALYSIS OF ONLINE PRIVACY AND DATA PROTECTION MEASURES IMPLEMENTED BY THE EU AND OTHER COUNTRIES
Table of Contents
III. Protection of Privacy: By Using Technology
A. Privacy Enhancing Technologies
B. The Potential of Encryption
C. Managing Identity: Platform for Privacy Preferences (P3P)
IV. Protection of Privacy: Through the Privacy Regime
A. European Convention on Human Rights (ECHR)
D. Data Protection in other Countries
I. Introduction
Information equates to power, as the age old maxim goes. Amassing a considerable amount of information will essentially lead to having the equivalent amount of power. The problem in this regard is that the ones who, more often than not, end up in a disadvantage are those who are subject of that information. Decades before, it has been shown as one of man’s greatest fears. Images of the all Seeing account of Big Brother manifest these deep seated fears. In this day and age, everyone has access to a considerable amount of information. However, there are some who have the propensity of using this information for unscrupulous ends. As seen in the account of , those who amass this amount of power will most definitely use it for oppressive means. It is in this instance where issues of information security, data protection, and online privacy emerge.
With the technologies that society possesses and the interconnectivity that it tenders the public, claims of the death of privacy surfaces. The internet has become an engine that impelled the new world towards the information age.[1] To a certain extent, there is some veracity on the claim of having no privacy nowadays. However, this does not mean that society can’t do anything about it. Specifically, there are technological and legal means that could protect information from falling to the wrong hands. This paper will be looking into the means on which privacy is protected. In the same manner, an examination of other regimes will be provided to show the specific actions carried out in different settings.
II. Definition of Privacy
Social sciences have characterised man as a social being. Interaction and communication are said to be inherent traits of a person. It is the foundation on which communities and societies are built. So much as man has an inherent need to intermingle and build a network with his/her peers, so is his/her need to exercise his/her “right of solitude.”[2] Plainly, this means that every one has the right to be let along.[3] This right is collectively known as privacy. Studies have claimed that it is a type of civil liberty which every single individual is entitled.[4] Some studies even intimated that the individual needs privacy in order for him/her “develop a sense of self.”[5] This is important because having a sense of self tends to prevent the state from manipulating the behaviour of the public. Nonetheless, one must realise that man is innately a social being; he/she does not live in isolation. He/she has the constant need to communicate. This is seen in the early types of communiqués and correspondence through drums and smoke signals. [6] To this end, one must realise that privacy is not merely a right to be left alone, it is more of a right against scrutiny or surveillance from others. [7]
However, invasion of privacy is a very real issue nowadays. The access of the government and business entities has been reportedly taken actions tantamount to the intrusion of the privacy of people. Moreover, this is exacerbated by the emergence of internet and computer technologies. Though the communication between individuals has considerably improved, certain privacy risks materialised into the fray. Even business transactions through the online means has become rather commonplace in today’s society. Nonetheless, convenience, interactivity, and ease of communication have a high price. In any transaction or activity made in the web, people are required to disclose some information. The problem lies on the security of this information. There are instances where this data is used for illegal means. Bainbridge sums it all up when he claimed that privacy rights can be compromised by the unauthorised access to the personal and private information stored in information systems regardless on whether consent is given or otherwise. [8]
III. Protection of Privacy: By Using Technology
Privacy has become an “elusive concept.”[9] Nowadays, no one is safe as invasion of privacy has taken so many forms and methods as provided by advancements in technology. Even before the emergence of ICTs, the problem of privacy has been a recurring social issue.[10] The tone of the discussions above imply that emergence of new technology has compromised the right to privacy of individuals. This idea has been reflected in the recent work of claiming that as new technologies materialise the individual’s right to privacy will essentially gain higher risks.[11] It was mentioned that in instances that people access the internet, they leave a trail. This trail could include the user’s name, address and even sensitive access numbers on financial accounts. These set of data are said to go through the process of storing, controlling, cross-referencing and consequently exchange through the internet. With this bulk of information open for access, it is apparent that technologies have made significant threats on the safety and security of the private information of the public. The following discussions will be pointing out the courses of actions taken to use technology as a means to limit the possibility of invasion of the right to privacy.
A. Privacy Enhancing Technologies
Privacy enhancing technologies (PETs) are merely one of the many aspects of technology that assists in securing information and maintaining privacy for the public. In the study of Wright (2007, 1) he mentioned the importance of PETs in keeping sensitive information secure and how the European Commission (EC) have taken strides to help develop these PETs in the region. [12]
The idea of PETs is far from being a new concept. The said concept has been floating around as long as ICT has flourished in the recent years. The EC defined PETs as ICT “measures that protects privacy by eliminating or reducing personal data or preventing unnecessary and/or undesired processing of personal data, or without losing the functionality of the information system.” [13] This means that PETs are employed to keep technologies from collecting personal data and induce a certain level of strict compliance with an established set of rules and regulations geared to protect the data.
In the article of he also mentions that the implementation of PETs would be useful so as to complement the existing regimes of data protection and security. The EC have taken steps to make this initiative implemented all over the region. Thus, in Europe, PETs has consequently been a part of the regulatory framework that protects the public from invasion of privacy and other crimes against their right to privacy.[14] The following discussions will be discussing several types of PETs that are available at the disposal of any state government. In the same manner, a description on how they help in the protection of data and privacy will be given and eventually be the basis of this study’s analysis.
B. The Potential of Encryption
The process of encryption is normally used to protect information that are stored in a computer and data which are sent out using the web. On account of recent literature, encryption is normally equated to an instrument of security. This is mainly because it is used as a means to protect sensitive information from unauthorised access.[15] There are studies that have indicated the effectiveness of encryption tools and software in protecting data. However, one must realise that encryption alone would not be a sufficient instrument in battling all forms of privacy invasion techniques.
This form of PETs is rather important for huge corporations whose correspondence are often classified and normally includes certain trade secrets. Thus, to protect these secrets, complex encryption software is employed by numerous companies. This is especially true in the financial sector.[16] With the development of online banking and the countless amounts of transactions done online, encrypting these data is imperative to protect the welfare of their consumers.
One great criticism of this process is that the entire procedure is cumbersome. It fails to provide a more convenient and efficient way to use. There are numerous inexpensive and even free encryption software available at the disposal of the public.[17] However, the knowledge of such existence or which encryption software works the best remains to be the primary hurdle of its effective use. This hurdle is also manifested in the inability of most of the users to operate specific types of encryption software. In the end, instead of using them, they end up being overlooked and totally disregarded. Correspondence thus takes place explicitly with its contents open to anyone who has the skills to access it.
C. Managing Identity: Platform for Privacy Preferences (P3P)
Another means of protecting data is called platform for privacy preferences or P3P. It is a format for online policies involving privacy concerns that are readily understood by the common computer. It is compiled by the World Wide Web Consortium (W3C) in 2002.[18]
Basically, this is a means of protecting the users who access sites for e-commerce. In the application of P3P, the user is able to specify his/her own user setting to protect his/her private information.[19] Some of the existing internet browsers in the market have instituted the P3P functionality in their software. The problem is that the applications imposed in these softwares are not comprehensive. At the most, it could carry out programmed processing of cookies and display privacy policies.[20] In the same manner, the user is also given the liberty to choose the level on which cookies are automatically blocked. In the same manner, there is also the possibility that P3P could improve the privacy policies of new jurisdictions which essentially have gaps in their policies. It could also be used to monitor the compliance of sites in jurisdictions where P3P are the standard privacy levels. In any case, the implementation of P3P permits the users to be aware of the privacy policies without combing into the entire site.
The main criticism in this application is that it is too complex for the common user to comprehend and even use. For instance, the average user does not know how to activate the default P3P settings in their PCs. Furthermore, the policies made by the W3C do not have enough bite to make the websites comply with their terms.[21] These also mean that there is the possibility that non-compliant sites may not be accessed by the users with P3P as their sole privacy security.
D. Automated Tools on Privacy
Instituting an automated privacy audit will also help a particular individual or company to protect its data. Nonetheless, this method does not actually enforce policies or even provide a definite protection for the data. These technologies are present to give the user assistance and allow them to be acquainted with the flow of information and the practices that comes with it.[22] In addition, this measure will be able to make companies aware if they are complying with the policies enforced unto them like those P3P policies. Knowing the level on which the company’s course of information allows them to adjust to the prescribed standards given by the policy. In the same regard, it would also be handy in keeping its operation within the prescribed criterions of their respective policies.
The main problem seen in these types of application is that it does not provide a comprehensive audit on which the company requires. This equates to the fact that the review of the flow of information in the company will be limited. Given that information flows everywhere, either within the confines of the company or even outside the reach of a tracking system, it is understandable why there is yet an audit tool that could effectively monitor the overall information in a company.
E. Downfall of Spam-a-lot
One of the most common, and arguably most annoying, methods of invasion is through spamming. With the obvious effect of congesting the email accounts of users, it is also a way to advertise among web-based retailers. The problem in this context is most of the time their products are explicit and somewhat offensive.
It is also described as one of the most dynamic means of invasion of privacy, which regrettably has only one way of addressing it: spam filtering.[23] However, there is no all-encompassing spam-filtering programme that could be used for users. Spammers find a way to bypass any barrier or filtering programme that are placed in their way. There are attempts to create a super-filter but developers are still yet to come into grips with the practicality of the application.[24]
F. Cookie Monsters
Cookies are often used by websites for authentication purposes. For instance, online stores like Amazon.com tend to use cookies to verify the location of the users of their sites. However, there are risks in this method as the stored information could be used for unethical means by other individuals. This is the reason why cookie cutters are created.[25] These are utility programmes that make browsers steer clear of any form of exchanging cookies.
To date there are several means of managing cookies though cookie cutters. There are some that obstruct all cookies from exchange. There are some programmes that are calibrated to block certain types of cookies.[26] Aside from blocking cookies, these programmes are also useful in sending sensitive information and block pop-ups or some other banner ads that could be irritating.
Normally, these programmes are free. There are some web browsers that have incorporated their cookie cutters in their systems which displays how easy it is to use. The main issue is seen in the user as some may not be aware on how to activate these programmes in their respective PCs.
G. Anonymity
One of the ways that privacy and data are protected is through anonymity. Recent improvements in technology have introduced internet anonymizers. These are applications that help users in keeping their identity under wraps as they go online or send correspondence on the net. The application works by limiting the possibility of an IP address being connected to a particular user as he/she uses web applications. Anonymizers often work as proxies to cut off the recognizable data that could identify the user. [27]
Though this process tends to be cost-effective, the issue of trusting a third party as proxy tends to show signs of high uncertainty. This may well be the troublesome element found in this type of PETs. However, more advanced anonymity services, to deal with the uncertainty issue, totally taken third party proxies out of the equation.[28] They operate independently but studies show that their services tend to be rather costly making them viewed as impracticable money-wise. All in all, this type of PETs allows the user to guarantee that none of his/her personal information is given in the web. This also shows that the end users have a pre-emptive means of protecting their data and privacy.
H. Promise of Cryptography
Arguably, one of the most effective and widely used PETs is cryptography. Basically, the principle behind this process is by reducing the need to acquire information.[29] In this manner, the less information required and given in a particular transaction or correspondence, the lesser possibility of other people invading others’ privacy and personal data.
This process is normally seen in sites that engage in e-commerce with the reliance of electronic currency to complete the transaction. These are also used simultaneously with anonymizers to ensure that the limited information provided is secured.[30] This is also considered as one of the more seasoned PETs in the market. However, it has been observed that its use has yet to be embraced by a good number of organisations. One interpretation is that businesses shun this application because they could earn more profits with more information from their customers. Normally, these data are used to determine the overall behaviour of the market.[31] On the part of the financial institutions, they tend to discourage the use of encryption techniques as it works to their disadvantage. Specifically, these applications limit their ability to keep track of clients who owe loans and mortgages.[32] For credit card companies, they tend to place importance on the information provided by the clients like the reflections on their purchases or their respective billing addresses.
I. Subconclusion
The discussions above have manifested the potential of PETs as a means of maintaining privacy for individuals. This shows that to some extent, the public is able to protect their privacy and personal data even in the emergence of a highly technological and internet-driven world. However, it must be emphasised that with the potential of PETs to protect, it could also be used as invasive tools as well. To prevent this, a balance between the application of these PETs and the complementing policies should be achieved. The following parts will be taking these regimes and individual policies into consideration.
IV. Protection of Privacy: Through the Privacy Regime
As mentioned in the earlier part of the paper, the right to privacy is essentially a civil liberty. This means that the right of a person to be left alone is backed up with some legal foundation. In the case of the Europe, there are several directives that deal directly with the protection of privacy. These regimes often cover both national and regional applications. The following discussions will be focusing on the laws being implemented in UK and the European Union in terms of data protection and securing privacy.
A. European Convention on Human Rights (ECHR)
The European Convention on Human Rights (ECHR) has been one of the instrumental laws in shaping the legal framework for rights to privacy. Specifically, the ECHR claims to an individual’s right to privacy in Article 8. It states that
“ 1. Everyone has the right to respect for his private and family life, his home and correspondence. 2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.”[33]
In UK, this is infused in the Human Rights Act 1998 which focuses on the general entitlement of an individual to his/her own privacy. In the study of Benjamin he mentioned that the act compels the state to establish legislative measures to ensure that the privacy of the public is precluded from any form of interference.[34] However, the Act also mentioned that there are exemptions on which this right could be displaced: in accordance with law; legitimate objectives; and if it is necessary in a democratic society. The first category indicates that the interference of the state on private matters should be based on established legislations and laws. This means that for an act of state or law enforcement to be legal, they should comply within what is written and prescribed by the law. In the case of legitimate objective, elements like national security, crime and disorder, morals, and other civil liberties should be in imminent danger of being applied. Basically, this means that a matter should first be subject to public interest and may compromise the social order before the states interfere with private lives. In all of these, the ECHR also pointed out one, and probably most important justification of infringing one’s right to privacy is the indispensable nature of the interference. In the case of UK, these requirements of privacy are all detailed in the Human Rights Act 1998 which similarly points out the role of the public authorities in the protection of a person’s rights as maintained in Article 8 of the ECHR. In Article 6 of the Human Rights Act 1998, the authorities of the state are mandated to act in compliance of the claims of Article 8 of the ECHR.
The need of the state to comply with the obligations under the ECHR rules and concurrently operate effectively as an authority of the state is manifested in the Regulation of Investigatory Powers Act 2000 (RIPA).[35] In Section 1(5) of the said law, it states that
“ Conduct has lawful authority for the purposes of this section if, and only if
(a) it is authorised by or under section 3 or 4;
(b) it takes place in accordance with a warrant under section 5 (‘ an interception warrant’ ); or
(c) it is in exercise, in relation to any stored communication, of any statutory power that is exercised (apart from this section) for the purpose of obtaining information or of taking possession of any document or other property…”
This means that the state could also establish some level of control in the World Wide Web in terms of protecting personal data and ensure privacy protection. called it as a measure of progress in the context of surveillance as a whole.[36]
In the same manner, cases like the R. (on the application of NTL Group Ltd) v Ipswich Crown Court[37] have also taken strides in protecting the privacy rights of the public. This case basically sealed the requirement of authorization for any act that will infringe the right to privacy of a private person. Thus, the state or any other non-state body has been precluded in carrying out initiatives in a random manner, especially if the said act infringes the rights of the person.
B. Privacy and Electronic Communications (EC Directive) Regulations 2003 (Collecting personal information)
One of the more recent developments in protection of privacy in the EU is seen in this Regulation. This was ratified in 2002 and adopted for transposition in 2003. Basically, this Regulation covers not only those carried out though telephone class and services, it covers the entire ambit of electronic communications. This Regulation is an improvement from the earlier Telecommunications (Data Protection and Privacy) Regulations. In the new Regulation, it covers new technologies like SMS, internet messaging, and even mobile communications. In the same manner, the use of cookies has been covered by this Regulation. Specifically, it provided the website controller a standard on which cookies are allowed to be used to identify the preference of a user. The ratification of this Regulation has affected the areas of direct marketing, specifically through online means and through the telephone. As Regulation 22(2) of the Regulation indicates, transmission of unsolicited marketing is barred unless the user has responded his/her consent in the matter.
C. Directive 95/46 on the Protection of Individuals with Regard to the Processing of Personal Data and the Free Movement of Such Data
This Directive was implemented in 1995 to protect the personal data of the citizens of member states. In this piece of legislation, personal data is characterised as
"any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;"
In looking at the definition provided, it appears that the directive has given a considerably broad definition of the term. In its simplest sense, a personal data exists when another person in able to connect a set of information to a particular individual.
Basically, the directive states that the personal data of an individual should not be, in any way, processed. This indicates that any operation that is tantamount to the use of the data for storage or dissemination is barred from any individual in EU. However, there are conditions on which personal data could be processed. These conditions include transparency, legitimate purpose, and proportionality.
In Article 10 and 11 of the said Directive, it encourages the controllers of the data to inform the individual that his/her personal data is being processed. This also indicates that it is imperative that the controllers of these personal data should ensure that the process comes in a fair course. In the instance that transparency is satisfied, the data subject is allowed certain rights. As indicated in Article 12 of the Directive, the data subject is allowed to rectify, delete, and block the data that are being processed inaccurately or in total contrast with the data protection regulations provided by the state.
In addition, Article 6 of the Directive also indicated that personal data could be acquired if there is a legitimate purpose. Specifically, these set of legitimate purposes may well be reflected from the standards set by Article 8 of the ECHR. In the same manner, any person or organisation is not permitted to veer away from these set of legitimate purposes.
Lastly, the requirement of proportionality is reflected in several stipulations in the Directive. For instance, Article 6 maintains that that state have the responsibility of installing the appropriate safeguards for personal data. This Article specifically points out to those stored for scientific or statistical use. On the other hand, certain restrictions are added in instances where personal data are classified as sensitive. These include information informing the political orientation, religious beliefs, or race among others.
D. Data Protection in other Countries
The initiative pertaining to the protection of privacy is a universal occurrence. This is not limited to huge economies alone. The following discussions will be focusing on the initiatives taken by Spanish and Malaysian governments in protecting the personal data of their constituents.
1. The Spanish Experience
The protection of personal data in Spain is manifested in numerous state legislations. However, it is important to point out that the main element of the right to privacy of Spain is based on Article 18.4 of the Spanish Constitution. [38] Specifically, this part of the Constitution intimated that the state “shall limit the use of computerized information to guarantee the honour and privacy of all the citizens and their families and the full exercise of their rights.” The study of has been very informative in providing information on how Spain protects its people’s right to privacy.[39] In the study, it was pointed out that a distinction regarding the privately and publicly owned files should first be distinguished. Regulations have been established to readily know which type is considered private or public. The problem in this regard is that the law only establishes the individual rights of the people. Sanctions and consequent repercussions on its infringement are said to be inexistent.
2. The Malaysian Experience
In the study of (2006) they discussed the capacity of the Malaysian laws in protecting the rights of the public in terms of privacy protection. Their definition to the right to privacy is based on Art.12 of the United Nation's Universal Declaration of Human Rights 1948 which claims that “no one shall be subjected to arbitrary interference with his privacy, family, home, or correspondence, nor to attach upon his honour and reputation. Everyone has the right to the protection.”
Like the rest of the world, the individuals in Malaysia are also concerned for their personal data. In this regard, the state has taken the initiative to ratify several legislations that would protect the rights of the people. These include the “Computer Crimes Act 1997, the Digital Signature Act 1997, the Communication and Multimedia Act 1998, the Penal Code, the Official Secrets Act 1972, the Consumer Protection Act 1999, and the Banking and the Financial Institutions Act 1989.”
All of the noted laws above are geared towards the protection of what called as e-privacy.[40] As seen in the titles alone, it appears that the infringement of such rights in Malaysia is tantamount to a crime. This shows immense comfort for the public because these laws not only serve to protect their rights but also to serve as a deterrent for future violations.
V. Analysis
The discussions above have shown that the measures taken to protect the privacy and secure the personal data of people, particularly in the European context. It has been observed that there are indeed specific courses of action that individuals could undertake to protect their privacy and personal data. However, the imposition of numerous laws and legislation that seemingly overlap tends to imply that individuals themselves do not want to use applications like PETs as Lloyd claimed in his book.[41] This could be triggered by the lack of proper knowledge to operate these applications or mainly because they are too lethargic to protect their own privacy. To an extent, one could not blame the public if they tend to lack knowledge or be frustrated on these applications as they are indeed complex and as discussed above, overly cumbersome.
This dilemma is realised by the European Union and its member states. The availability of technologies and the inability of the users to make the most out of it compel the EC to take action and establish laws that would compensate the elements lacking in the data protection in the region. As seen above, the directives imposed by the EC has consistently developed throughout the years. This shows that the EC is doing its best to keep up with the developments of technology and the consequent effects on securing the privacy of the public. The way this paper sees it, so long as personal data is a basic requirement in transactions, the need for complementing technologies and legislation is also required. There is much promise in the area of privacy enhancing technologies. However, these will never be effectively applied if the complement legal frameworks are not established.
VI. Conclusion
Securing privacy will always be a continuing battle for both the individual and the state. This paper sought to provide a reaction on the statement that claiming that privacy is dead. This paper begs to differ. Personal data will always be secure provided that the data subjects will continue to be watchful of their rights and carry on being vigilant of any possible infringement. Privacy will be secure to a certain extent provided that the end-users will be willingly gaining knowledge on the means of enhancing their own privacy through PETs. Though it may sound overly optimistic, there will come a time that PETs would be as user-friendly as any other applications related to online activities.
In the same regard, the member states of the EU should eventually find solace in the fact that their leaders and representatives are constantly finding ways to control and manage the flow of personal data through electronic means. Every time that a law relating to this area is ratified, it adds up to the overall security of the personal data of people. In the same regard, it established a firm and compelling support system for the public in the instance that their right to privacy has been infringed in any way. All in all, the future of an individual’s right to privacy lies on the capacity of the state to keep it safe from unscrupulous entities or at the very least ensure that proper justice is given once a particular person is aggrieved.
comments powered by Disqus
Comments