Privacy and data protection issues have increasingly gained prominence in Internet governance discussions. Indeed, one of the five themes of the Internet Governance Forum 2010 is “Openness, Security and Privacy”, and a number of workshops are devoted to these issues. Yet, the concept of privacy, opinions on what challenges are posed by the digital environment and approaches to protection of personal data vary from country to country, and within communities. Thus, it is important to understand these differences when developing Internet policy and laws concerning privacy.
The Survey
In May 2010, the Internet Society invited its members to participate in a survey on privacy and data protection.
Information was received from respondents in 65 countries.
The objective of the survey was to gather information from across our broad membership around the world, specifically focusing on how issues of privacy and data protection are dealt with in their regulatory environment.
While our principal objective was to gather information to help guide the Internet Society’s privacy efforts, we also hope that the information provided by our members will help inform international and regional dialogue on these issues.
The report is divided into 5 parts:
I: Definitions of Privacy, Personal Data and Personal Information
II: The Present
- Are privacy and data protection high priority issues?
- What are stakeholders doing to address these issues?
- What could and/or should they do?
III: The Future
- The top 5 emerging challenges in the digital environment
- Suggestions and principles to address the top 5 emerging challenges
IV: Laws, Regulations, Principles, Guidelines and other Resources
V: Internet Society Members’ Activities
and has the following annexures:
A: Legal definitions of “personal data” and “personal information”
B: Privacy and data protection priority issues
C: What stakeholders are doing to address these issues
D: What stakeholders should or could be doing to address these issues
E: The top 5 emerging challenges
F: Laws, rule, principles or guidelines for the protection of personal data
G: Places to look for guidance
H: Internet Society member activities
Extracts
The top 5 emerging challenges relating to privacy and the protection of personal data in the digital environment
It is difficult to succiently and comprehensively express the multitude of emerging challenges identified by the respondents in a few paragraphs. However, we have attempted to do this by category (below). The breadth of identified challenges is itself indicative of the complexity of issues associated with privacy and data protection in the digital environment.
- Competing issues: privacy vs. convenience; privacy vs. access to public services; privacy vs. security; privacy vs. law enforcement (e.g. of IPR rights); privacy vs. identification; anonymity vs. access to information regarding interests and proximity information
- Connectivity: Increased connectivity; increased online transactions; increased devices
- Culture: Developing/having a culture of personal data protection
- Data durability: Difficulty correcting false accusations on websites; information online is there “forever”; getting personal information removed
- Digital Identity: identity fraud and theft; validating identity without compromising personal data; lack of anonymity; protection of integrity of identity
- Ownership, control and responsibility: exchanging data without informing the individual and/or not seeking their permission/consent; personal responsibility for own data
- Regulatory: Lack of a legal framework; enacting laws; complexities of regulating online privacy settings for individuals; inadequate focus on auditable procedures for data retention; global availability of data but national laws; insufficient government interest and/or expertise; potential legislation to ban encryption; lack of resources
- Scope: Determining what is “personal data”
- Surveillance: e.g. by government; Deep Packet Inspection; data collected by search engines being used by government and enterprise to profile users
- Technology: Implementing technology to support privacy; Data aggregation, correlation and analysis tools; tools for speed of transmission; Cloud computing; No standard data format; IP addresses; lack of a cohesive set of tools to ensure privacy; lack of encryption
- The economics of privacy: Value of privacy to individuals; value of personal data to businesses; Impact on trade where countries are perceived as unsafe destinations for data; high profit margins for illicit use of personal data
- Transborder: Providing data protection across national borders; lack of international cooperation; inconsistent standards across countries (particularly developed vs. developing); lack of global approaches
- Transparency, knowledge and understanding: Insufficient or inadequate understanding of privacy, personal data, data visibility (i.e. knowing where data is stored); default settings; insufficient proactive examination of usage terms before sign-up
- Unauthorised access and use: Illegal and/or unauthorised access to personal data (e.g. via phishing, hacking, malware, botnets, spam, spyware, careless installation of file-sharing software etc. and/or insufficient security)
- Users: Inappropriate use of social media; need for adequate protection of children
and categories of personal data that were considered particularly challenging:
- Geo-location data
- Medical data
- Financial data
- Credit card data
- National ID cards
- Biometric data
Suggestions or principles to addess the top 5 emerging challenges
We also invited Internet Society members to provide suggestions or principles to address the top 5 emerging challenges they identified regarding “privacy” and the protection of “personal data” in the digital environment. Almost all of the responses proposed actions or principles to strengthen the protection of personal data and/or increase individuals’ awareness of the importance of protecting their personal data. However, one respondent expressed the view that society should place less emphasis on individual privacy.
A summary of the responses is set out below, separated into various categories (listed alphabetically):
Business Online
- The right to keep personal details private should be a basic human right that cannot be signed away by a waiver or “click-thru” agreement
- Assign the burden of protection of personal data to the organisation not the consumer
- Companies should be required to justify the intended use of personal data, in a regular review process
- When personal data is collected, the online service provider should provide a “statement of intended use” describing how the details will be used, selected from a list of approved statements
- Any privacy arrangement (right to use data) between a customer and a goods/services provider should expire within a specified period (e.g. 6 months) or require renewal when there are material changes to the provider
- Encourage business to protect data
Certification and Insurance
- Establish a widely publicised “trust mark” awarded by an independent body to websites and social media that:
- satisfy some defined minimum privacy protection standards
- provide good and secure default privacy settings
- clearly explain the effect of the privacy policy and privacy settings
- Establishment of a privacy mark system
- Creation of “Privacy Insurance”
Cloud Computing and ISPs
- Keep private data out of the cloud behind protective electronically protected firewalls that should be provided by ISPs
- ISPs should not communicate their customers’ personal data to collecting societies
Educate And Raise Awareness
- Build a targeted program to sensitize individuals in developing countries regarding the risks of disclosure of identity information online
- Help stakeholders and ordinary individuals to understand the dangers involved and how best to defend themselves
- Provide seminars and education in rural areas
- Educate users and the general public on the importance of privacy and personal data
- Launch a global campaign highlighting online privacy issues
- More workshops
- Raise individual awareness, and regarding precautionary steps needed to self-protect
General Principles
- Opt-in rather than Opt-out privacy settings
- The default for new applications using personal data should be “opt in”
- Privvacy online is no different than privacy online
- Users should protect their personal data
- Users should be responsible for their disclosure of personal data
- Privacy protection must not conflict with principles of net neutrality
- Users must control collection and use of personal data
- The data owner must always authorise data access and use (in advance)
- Online service providers should not make the sharing of personal data a prerequisite for access to their services
- “Sensitive” personal data should not be available
Institutional
- The default for new applications using personal data should be “opt in”
- Privacy online is no different than privacy online
- Users should protect their personal data
- Users should be responsible for their disclosure of personal data
- Privacy protection must not conflict with principles of net neutrality
- Users must control collection and use of personal data
- The data owner must always authorise data access and use (in advance)
- Online service providers should not make the sharing of personal data a prerequisite for access to their services
- “Sensitive” personal data should not be available
- An international organisation dedicated to personal data protection should be created
- Work together in a multistakeholder environment
- Seek input from the International Association of Privacy Professionals (IAPP)
- Create regional and global committees for privacy and protection of personal data
- The views of users and the general public should be taken into account when developing policies on privacy
- Local governments should remind their citizens of the risks of disclosing personal information online and provide them with information regarding services which allow users to block access to particular websites
- Software and hardware “back doors” should not be available to governments
International/Local
- Develop international requirements for the handling of personal data
- Strive for local or continent-based solutions as international solutions may not be politically achievable
- Global harmonisation of essential privacy principles in relation to social media and “cloud” computing …
Laws, Implementation, and Enforcement
- Promote and develop methodology and compliance measurement criteria
- Stricter rules, regulations and penalties
- Provide strong personal data protection
- Introduce laws covering privacy/data protection
- Laws should not allow automatic opt-in or automatic renewal of services
- Enforcement agencies should examine the practices of the ISP with access to users’ data
- Criminal penalties for misuse of personal data for marketing or harassment
- Encourage policymakers to formulate policy on privacy and leave implementation to the relevant actors
- Improve enforcement legislation/courts
- Give people channels to denounce abuse
- Mandatory reporting of breaches from private companies
- Update law to reflect new technology
- Educate politicians so they are able to pass appropriate laws
Other
- Consider alternatives for transmission of personal data (e.g. post rather than email)
Spyware, Malware, and Hacking
- Ban spyware and hacking (through laws)
- Involve the companies offering security solutions to stop spread of spyware and hacking
Technical Solutions
- The IETF should develop protocols for the verification, sharing and securing of personal data which are independent of local definitions
- Develop systems which allows individuals to tag personal data with a privacy policy that can be enforced by an automatic enforcement scheme (example provided: www.springerlink.com/content/l2u4488247134753)
- Privacy by design should not be optional
- Uniform adoption of last-login time-stamp for online accounts users login
- Fully customize MS Windows to avoid unattended use of the account system and related accounts of the operating system
- Restrict RFID applications to the Internet of Things. No embedded RFID in personal user applications
The Scope Of Privacy
- Develop differentials in privacy
- Corporate/Commercial privacy
- Personal privacy
Understand The Issues
- Conduct a field study
- Set up a taskforce to address the issues
- Case studies on the damage caused by invasion/violation of privacy
WHOIS
- Restrict access to Whois data to law enforcement and to authorised registries and registrars for the purposes of network management
We would like to thank all our members who participated in this survey. The responses to this survey are helpful in identifying the wide-ranging views on privacy and will be useful in guiding the Internet Society’s future work in this area.
Comments, views or ideas reported in this document are not necessarily held or endorsed by the Internet Society.