In the 1960s British comedy radio show, Beyond Our Ken, an old codger would, in answer to various questions, wheel out his catchphrase—in a weary, tremulous groan—‘Thirty Five Years!’ I was reminded of this today when I realized that it is exactly 35 years ago that my first book on privacy was published. And how the world has changed since then!
In 1980, personal computers were still in their infancy, and the Internet did not exist. There were, of course, genuine concerns about threats to our privacy, but, looking back at my book of that year, they mostly revolved around telephone tapping, surveillance, and unwanted press intrusion. Data protection legislation was embryonic, and the concept of privacy as a human right was little more than a chimera.
Technology has dramatically transformed all that. Today ‘privacy’ seems like a lost cause. New attacks proliferate in a variety of forms including the numerous threats we daily encounter online: monitoring, hacking, email interception, CCTV, big data, cloud computing, location data, biometrics, cybercrime, malware, phishing, identity theft, RFID, GPS, brain imaging, DNA profiling, ‘revenge porn’, drones, and so on. And on. Furthermore, the disquieting revelations by whistle-blower, Edward Snowden, of the extensive surveillance conducted by the National Security Agency (NSA) in the United States continue to shock. In the wake of these revelations, a British parliamentary committee this week described the legal framework surrounding surveillance as ‘unnecessarily complicated’ and ‘lacks transparency.’ It proposed a single law to govern access to private communications by UK agencies.
Our lives are now lived in the unsettling knowledge that almost nothing is private. We have witnessed an alarming explosion of private information through the development of blogs, social networking sites, and other devices of our information age. The methods by which our data are collected, stored, exchanged, and used have changed forever, and with it the very nature of our lives both online and in the real world.
The threats keep coming. Only last week a number of disturbing accounts emerged that sound alarm bells for champions of individual privacy. For example, researchers at Stanford University have developed the means to track mobile devices using battery charge data. Another recent report suggests that investigators are able to determine the physical characteristics of crime suspects from the DNA they leave behind; this could become a powerful new tool in the hands of law enforcement authorities. Police are increasingly equipping their officers with body-worn cameras, raising the question of who has access to their recorded footage.
The disconcerting spread of terrorism across the globe cannot be taken lightly either, but unless individual privacy is to be wholly extinguished, the effective oversight of our security services is essential. In the United States President Obama has promised that the NSA’s bulk collection of Americans’ telephone records would be terminated. He admitted that confidence in the intelligence services had been shaken, and pledged to address the concerns of privacy advocates.
What other weapons do we have in our armoury to arrest, or at least contain the relentless violation of our privacy? There are, amid the gloom, a number of positive glimmers of hope.
One other positive development is that those privacy-invading technologies (PITS) that attack us can be repelled by privacy-enhancing technologies (PETs). These include powerful encryption, communication anonymizers that conceal your online identity (email or IP address) and substitute a non-traceable identity such as a random IP address or pseudonym; shared false online accounts, and the set-up of ISPs that permit users access to their data in order to correct or delete them.
The European Commission, especially since its 1995 Data Protection Directive, and in 2012 its draft European General Data Protection Regulation, has been active in seeking to control the collection, storage, and use of personal data. Strictly speaking, these are not privacy-protection measures, but they do, in effect, curb the market in private information. The European Council is currently considering a new draft proposal that some see as strengthening the safeguarding of personal data.
Another unexpected development is the recent recognition of the ‘right to be forgotten.’ Article 17 of the 2012 draft regulation specifies that individuals have the ‘right to be forgotten and to erasure’ which means that they have the right to have irrelevant or obsolete personal data deleted. In a landmark ruling in 2014 the European Court of Justice upheld the right.
The decision—and its implications—have proved highly controversial largely on the ground that the public interest requires that relevant information remains accessible, especially in relation to elected politicians, public officials, and criminals. Google, while accepting the requirement to delete certain old or irrelevant information, has resisted its wholesale application.
More than one hundred countries have enacted comprehensive data protection legislation, and several others are in the process of doing so. But conspicuous by its absence is the United States which has resisted calls to fall in line with most advanced societies. Nonetheless, only last month the White House released what it called a discussion draft of a bill aimed at giving consumers more control over how data about them are collected. Could this signal a change in attitude towards some form of regulatory control over the massive collection and use of personal information?
The courts—particularly in England and Strasbourg—have reshaped the protection of privacy afforded to individuals under Article 8 of the European Convention on Human Rights. In a number of cases, this article has been (very broadly) interpreted to protect a wide-ranging assortment of privacy-invading conduct.
These constructive developments suggest that privacy may not have died, though we must look to both technology and the law to provide effective shelter. Technology generates both the ailment and part of the treatment. Although the law is seldom an adequate tool against a dedicated intruder, the advances in protective software along with the fair information practices adopted by the European Directive, and the laws of several jurisdictions, offer a rational and sound normative framework for the protection of our sensitive information. But it—and the law, ethics, and practice—stand in need of constant review and modification if privacy is to survive as a right to which we can continue to lay claim.