2015-08-18

By CHARLES SIMENGWA

THE pressure on Internet intermediaries such as Google, Facebook or Amazon can also cause substantial negative effects on Internet privacy.

Unlike off-line interactions in which it is extremely difficult to see personal, economic or political interactions on a broad scale, online interactions leave a ‘data trail.’

Freedom of expression online

Freedom of expression is established under Article 19 of the Universal Declaration of Human Rights (UDHR) and the International Covenant on Civil and Political Rights (ICCPR).

Article 19 of the UDHR reads: “Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.”

This right, therefore, covers the freedom to express and publish content as well as to have access to such content.

As such, it provides for the right to Press freedom and the right to information, and these apply across media platforms and national frontiers.

In 2012 the United Nations Human Rights Council adopted a landmark resolution affirming that ‘the same rights that people have offline must also be protected online’.

It acknowledged the 2011 reports on the right to freedom of opinion and expression exercised through the Internet by UN Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression Frank La Rue, which highlighted how freedom of expression can be fostered as well as violated through the Internet.

La Rue warned of rising restrictions on the Internet through the use of increasingly sophisticated technologies to block content and to monitor and identify activists and critics, the criminalisation of legitimate expression, and the adoption of restrictive legislation to justify such measures.

A particularly complex role in this context is played by State-owned ISPs. The fact that they are in State ownership and typically control much of the underlying Internet infrastructure leads them to be less independent from the State than would otherwise be the case.

This can often have a detrimental effect on users’ privacy, especially in countries where the State has little regard for privacy and more generally the human rights of Internet users.

Conversely, privatisation of State-owned ISPs, together with local loop unbundling, is likely to provide an ISP market structure more conducive to protecting privacy.

Privacy of children

Concerns about privacy require different types of consideration for different individuals. In a recent study, the European Network and Information Security Agency (ENISA) suggested that protecting the privacy of young people is one of the key strategies of combating cyber-bullying and online grooming.

The agency identifies improperly designed Internet platforms, unnecessarily high levels of complexity and a lack of awareness as key vulnerabilities for young people’s privacy online.

As a result, one of the main recommendations by ENISA is that the generation and use of user profiles for underage persons should not be possible in general, together with stricter financial penalties for companies that break these laws.

In the United States of America, the Children’s Online Privacy Protection Act is designed to ensure that Internet sites receive parental consent before collecting data from individuals under the age of 13 years.

As a result, many Internet sites including Facebook choose to exclude individuals under 13 from their website.

At the same time, academic research suggests that many parents assist their children in getting around age restrictions in order to access Facebook.

This clearly raises questions about the capacity of current legislation to protect the privacy of children and young people on the Internet.

Analysing personal information

Increased computing power means that vast quantities of information, once collected, can be cheaply and efficiently stored, consolidated and analysed.

UNESCO notes that technological advances allow databases of information to be connected together, allowing even greater quantities of data to be processed. The potential for privacy violations increases exponentially as technologies are combined together.

For example, linking facial recognition databases (as used on Facebook, for instance) with CCTV cameras would allow tracking of individuals on an unprecedented scale.

The practice of merging and consolidating different informational databases is pervasive. Privacy issues clearly arise from matching data from different sources, for example tax data against health data, or finance data against social security data.

In addition, personal data can be extracted from the various techniques and then matched with publicly available data to build a detailed personal profile.

The US-based privacy organisation EPIC states that “collectors of consumer information are willing to categorise, compile, and sell virtually any item of information”.

For instance, the Medical Marketing Service sells lists of persons suffering from various ailments.

These lists are cross-referenced with information regarding age, educational level, family dwelling size, gender, income, lifestyle, marital status, and presence of children.

The list of ailments includes diabetes, breast cancer, and heart disease. Other companies sell databases of information relating to individuals’ lifestyle habits, reading preferences, and even religion.

Combined databases have numerous uses. They can be used for data mining, which is the process of finding patterns in information contained in large databases.

Data mining itself has many uses, many of them beneficial, such as identifying patterns indicating fraudulent credit card use.

But while some commentators claim that data mining is neutral, it can have privacy implications.

The mining or merging of data often involves using people’s information in a way that they did not consent to and are not even aware of.

Furthermore, the wide array of data drawn upon often includes personal details and can easily be linked to individuals without their knowledge.

Another common use is data profiling, which is the use of aggregated data to “identify, segregate, categorise and generally make decisions about individuals known to the decision maker only through their computerised profile”.

Companies and governments can use data profiling to build comprehensive profiles on individuals.

EPIC gives an example of a woman who sued the US-based Metromail after one of their data entry clerks stalked her based on information she submitted in a survey.

During the case it emerged that Metromail maintained a 25-page dossier on the woman including “her income and information on when she had used haemorrhoid medicine”.

Personal data loss

In mid-2011 citizens of the Republic of South Korea experienced by far the largest loss of personal data in the country’s history.

SK Communications Co. informed the public that personal information of 35 million customers had been hacked, with personal data stolen mainly from its Cyworld social networking site and its Nate search engine, two of the largest websites in South Korea.

Personal information included user names, passwords, social security numbers, resident registration numbers, names, mobile phone numbers, e-mail addresses and personal photographs.

According to the ITU, there are approximately 40 million Internet users in the Republic of Korea, which suggests that more than 70 per cent of the Korean population, or almost 90 per cent of all Internet users in the Republic of Korea, had the personal information they stored in the cloud stolen.

Before the attack the South Korean government had a ‘real name’ policy, which forced users of large websites to use their real names and provide their social security numbers to prove their identity.

However, the government announced that this policy would be changed following the attack and it was eventually struck down by the Korean Constitutional Court in August 2012.

It is often argued that users of social networks explicitly consent to these uses of personal data in the terms of service and privacy policy.

While this argument may shield social networks from legal liability, ‘meaningful’ or ‘substantive’ consent would assume that users were aware of the privacy policy, able to understand the complex legal language used within these policies, willing to spend time reading these policies, and able to accept certain parts of the privacy policy while rejecting others.

Similarly, there are issues associated with the ‘publicness’ practised in social networks that extend far beyond the actual social networks themselves.

It has become common practice for automated programmes to ‘mine’ publicly available personal data on social networking sites.

Consequently, it can be sufficient for personal data to be publicly available only for a short period of time before it is already distributed onto many other sites, online spaces and technical systems.

While this risk may exist analogously for other Internet services as well, the sheer amount of personal data stored on social networking sites makes the risk of inadvertent public exposure of private data far greater than for other comparable services.

These problems are worsened by the day-to-day operations of many social networking sites that are typically driven by computer scientists and engineers.

In this context, products and services are developed following an engineering logic of providing customers with the most advanced new products and a privacy policy is then bolted on at the last minute.

Mobile phones, smartphones and mobile Internet

The explosion of the mobile Internet in the 21st Century has contributed to many of the existing concerns about privacy and data protection on mobile phone networks.

UNESCO notes that beyond specific privacy concerns with mobile networks themselves, smartphones also raise additional privacy issues in comparison to ‘less smart’ mobile phones, often termed ‘feature phones.’

Smartphones are generally used as mobile Internet devices and are typically able to transfer far greater amounts of data than normal mobile phones through what are known as second (2G), third (3G) or fourth (4G) generation mobile networks.

This means that they are also capable of transferring far more personal data onto the public Internet than a typical mobile phone.

Furthermore, these phones are designed to be ‘always on’ the Internet. Moreover, a variety of services are built into smartphones, which regularly send data across the Internet, often without the knowledge of the phone user.

It has been documented that both Google Android and Apple iPhone smartphones regularly ‘phone home’, thereby transferring information about their location, their user and other potentially personal information such as Wi-Fi networks in range across the Internet.

This further contributes to the overall trend in smartphone privacy, namely the fragmentation of control of personal data in mobile Internet platforms.

An important point worth considering is that the mobile ISP, device manufacturer, operating system provider and app providers all have a certain level of control over user personal data.

In the case of a typical smartphone user sending emails in Argentina, some of their personal data would conceivably be controlled by their mobile Internet device manufacturer (Samsung), mobile operating system provider (Google), mobile ISP (Movistar), their e-mail App (K-9 Mail), their e-mail service provider (Yahoo) and the e-mail service provider of the individual they are sending the e-mail to (Microsoft).

This does not even include data leakage issues when passwords and e-mail content are sent unencrypted across the Internet, potential additional access to personal data by local or international law enforcement, or unauthorised third party access to personal data.

Nor does it begin to consider the additional layer of complexity introduced by the installation of additional smartphone applications (‘Apps’), which may also have access to users’ personal data.

Moreover, smartphones combine a wide array of different sensors and communications chips and platforms, making it difficult for smartphone users to understand the privacy implications of each additional sensor or specific communications chip.

Depending on the extent to which smartphones are used, they can quickly become complete digital repositories of the lives of their owners.

This means that if smartphones are lost, stolen or simply taken from their owners, the implications for the privacy of individuals can be severe.

As Adam Salifu from the Department of Development Studies at the University of Cambridge, in the United Kingdom, holds, the Internet is a “double-edged sword” providing many opportunities for individuals and organisations to develop and prosper.

“But at the same time it has brought with it new opportunities to commit crime,” Salifu argued in a 2008 write-up carrying the title, ‘The impact of Internet crime on development’.

Therefore, Internet users should be careful when divulging their personal information, as that might expose them to numerous security risks.
