Privacy — even, or especially, on the internet — is a human right. Privacy impacts freedom, liberty and our democratic process as a whole. Lack of privacy can result in self-censorship, fear to speak freely or force people to act differently than they would otherwise.
Unfortunately, we tend to think of internet privacy as something solved by adding individual privacy features. But to meaningfully improve privacy, the internet as a system must be private.
The starting point for building privacy into the fabric of the internet would be a federal privacy law that provides a level of privacy protection at or above existing state laws. A federal privacy law would not only result in more consistency for people’s rights — there is no reason why someone in Texas should have fewer privacy rights than someone in California — but would also make it easier for businesses to comply with standardized law.
While the law is necessary to build privacy into the internet, it is not enough. We need to bridge the gap between the privacy rights in the law and the technologies that implement them. Privacy rights on their own will be meaningless if they are not effectively and efficiently implemented. Privacy standards through the World Wide Web Consortium (W3C), Internet Engineering Task Force (IETF) and other organizations can provide reliable and concrete directions for browser vendors, publishers, manufacturers of IoT devices, cloud service providers, app stores and other stakeholders to implement technologies that satisfy the legal requirements.
Lawmakers can use regulations or informal guidance; for example, provided in the form of FAQs or similar illustrative documents to point to standards they view as satisfactory for compliance with the law. We can bring privacy rights to life via regulations or informal guidance pointing toward standards that provide directions to implementers.
Still, we can only obtain more privacy if we consider all dimensions of privacy. Privacy is not a purely technological problem. It is crucial that all technologies that implement privacy rights are usable. Privacy considerations are often secondary to other tasks someone primarily wants to accomplish online, for example, getting in the way of browsing a website. Thus, laws and standards should be drafted with an eye on implementing usable technologies.
We also need economic incentives for business to focus on actually improving privacy rather than just ensuring minimal compliance. Good behavior — for example, the use of privacy-preserving technologies — should be rewarded with business credits or tax relief. On the other hand, there should be fines for non-compliance to such extent that it does not pay to break the law. We also need to account for behavioral nudges and sociological considerations of providing members of vulnerable groups the special privacy protections they need.
Thinking about how we can apply existing technologies to the privacy challenges ahead will prove useful. Privacy assistance technologies present a promising path to relieve people from some of the extra burdens that come with personal privacy management. For example, machine-learning technologies deployed locally on-device may be able to learn people’s privacy preferences and make privacy settings for them the way they want. Such technologies may also be used to make data collection and sharing practices more transparent; for example, by observing network traffic and alerting people of those practices that matter to them. It is important that privacy is not only legally enforced but also technologically; for example, by preventing API access to data if an individual did not give permission to collect such.
Privacy is a multi-dimensional problem. We need to tackle the privacy problem from all its angles. It’s not just enough to look at the technological challenges, but also sociological and business aspects as well. To truly protect our privacy online, we need an integrative approach.
Sebastian Zimmeck is an assistant professor at Wesleyan University’s mathematics and computer science department and the organizer of the 2022-23 Shasha Seminar for Human Concerns at Wesleyan University, “A Roadmap for Internet Privacy.”
