PETs, Law and Surveillance
In Europe, privacy is considered a fundamental human right. Article 8 of the European Convention on Human Rights (ECHR) limits the power of the state to interfere with citizens’ privacy, “except such as is in accordance with the law and is necessary in a democratic society”. Privacy is also granted constitutional protection in the Fourth Amendment to the United States Constitution. Both the ECHR and the US Constitution establish the right to privacy as freedom from government surveillance (I’ll call this “constitutional privacy”). Over the past 40 years, a separate framework has emerged to protect informational privacy; yet this framework (“information privacy”) provides little protection against surveillance by either government or private sector organizations. Indeed, the information privacy framework presumes that a data controller (i.e., a government or business organization collecting, storing and using personal data) is a trusted party, essentially acting as a steward of individual rights. In doing so, it overlooks the fact that organizations often have strong incentives to subject individuals to persistent surveillance, to monetize individuals’ data, and to maximize information collection, storage and use.
Notably, the two frameworks for privacy protection, information privacy and constitutional privacy, are premised on diametrically opposed conceptions of the data controller: as a hero (information privacy) or as a villain (constitutional privacy). This tension is manifest, for example, in the highly contentious “third party doctrine”, which took hold in US privacy law in the 1970s and under which information voluntarily disclosed to a third party (a bank, a telephone company) loses Fourth Amendment protection. From a constitutional privacy perspective, the third party doctrine makes sense: “if you are concerned about surveillance, keep your secrets to yourself”. From an information privacy perspective, it is deeply flawed: “What do you mean you’re disclosing my data to the government? I gave you these data in confidence!”
In a new article titled Hero or Villain: The Data Controller in Privacy Law and Technologies, which will be presented at the upcoming Ohio State Law Journal Symposium on The Second Wave of Global Privacy Protection, my colleagues Claudia Diaz, Seda Gürses and I argue that privacy enhancing technologies (PETs) can fill gaps between the constitutional and information privacy frameworks and help individuals exercise their freedom from surveillance. We claim that, given the genesis of information privacy laws in fears about surveillance, policymakers should recognize, and expand through appropriate regulatory measures, the role of technologies that enable individuals to enforce their right to privacy as freedom from surveillance.
The term “PETs” has been used loosely to describe a broad range of privacy technologies. We use it to mean technologies specifically aimed to enable individuals to engage in activities free from surveillance and interference. PETs allow individuals to determine which information they disclose and to whom, so that only information they explicitly share is available to intended recipients. Today, surveillance capabilities are no longer restricted to the realm of states. As more and more daily activities become mediated by technology, businesses have gained the ability to conduct surveillance at an unprecedented scale, including of individuals’ communications data, online and offline purchases, geo-location and health. We therefore address the role that PETs play in protecting individuals from surveillance by both government and private sector entities.
The legal framework for information privacy is organized around a set of “fair information practice principles” (FIPPs), which apply to data controllers. For the most part, the FIPPs are geared to impose information stewardship obligations on data controllers. These obligations, increasingly grouped under the title “accountability”, include devising a privacy compliance program; appointing a chief privacy officer; conducting “privacy impact assessments”; notifying regulators and/or individuals about data security breaches; maintaining a record retention policy; and more. All of these measures assume that a data controller is a trusted party, acting as a fiduciary for individual rights.
The notion of the data controller as a trusted party sits uneasily with the anti-surveillance thrust of constitutional privacy and of PETs. The technological community researching PETs starts from a radically different perception of the data controller: that of an adversary. Under this approach, information disclosed to a data controller is compromised and can no longer be viewed as private. The assumption is that once an organization collects personal information, it can use it in unforeseen ways, possibly to the disadvantage of the individuals concerned. Proponents of this view point out that after disclosure, it is almost impossible to control how personal information is used. They conclude that PETs should prevent (or at least limit) information disclosure.
Given that constitutional privacy seeks to protect individuals from surveillance, we argue that PETs deserve a greater role in the privacy framework. We distinguish between four groups of PETs depending on the degree of data controller engagement required for their deployment. With respect to each category, we explore whether and how the legal framework should facilitate, or at least tolerate, PET implementation.
Certain PETs, such as private information retrieval or zero-knowledge protocols, require collaboration by data controllers. They enable a data controller to provide a service that takes private user information as input without the controller becoming privy to that information. For example, a data controller can process a search query and return results without ever learning the query or the results. Other examples include protocols for pay-as-you-drive tolling that do not reveal users’ locations to the toll operator, and protocols for smart metering that allow accurate periodic billing and real-time prediction of aggregate demand while concealing from the utility the real-time energy consumption of individual households. These PETs thus permit the modernization of large-scale infrastructure services without those systems becoming infrastructures of mass surveillance. Implementing such PETs requires active collaboration, and potentially significant investment, from data controllers. With respect to this category of PETs, we examine whether organizations should be mandated to include PETs in system design, and how the legal framework might incentivize the adoption of such PETs for a broader range of services.
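To make concrete what “returning a record without learning which one was requested” means, here is a small added example of two-server private information retrieval (PIR), written for this post; it is not code from the article or from any deployed system. It assumes a toy database of equal-length records, constructed inline, and two servers that hold identical copies and do not collude. The client splits its request into two bit-vectors, each of which is uniformly random on its own, so neither server learns the requested index; the last function shows what happens when that non-collusion assumption fails.

```python
import secrets

# Constructed sample database (not from the page): four fixed-width records.
# Both PIR servers are assumed to hold an identical copy.
DB = [b"alice:0001", b"bob__:0002", b"carol:0003", b"dave_:0004"]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def server_answer(db: list, query_bits: list) -> bytes:
    """Server side: XOR together every record whose query bit is 1.

    The server sees only a bit-vector; it never sees which record the
    client actually wants, because the vector it receives is uniformly
    random regardless of the target index.
    """
    if len(query_bits) != len(db):
        raise ValueError("query length must match database size")
    acc = bytes(len(db[0]))
    for rec, bit in zip(db, query_bits):
        if bit:
            acc = xor_bytes(acc, rec)
    return acc


def client_queries(n: int, index: int) -> tuple:
    """Client side: derive the two queries for record `index` out of `n`.

    q1 is a uniformly random bit-vector; q2 is q1 with the target bit
    flipped. Each query alone carries no information about `index`.
    """
    if not 0 <= index < n:
        raise IndexError("index out of range")
    q1 = [secrets.randbelow(2) for _ in range(n)]
    q2 = list(q1)
    q2[index] ^= 1
    return q1, q2


def retrieve(db_server1: list, db_server2: list, index: int) -> bytes:
    """Run the full protocol: query both servers, XOR their answers.

    The XOR of the two answers is the XOR of the records in the symmetric
    difference of the two subsets, which is exactly record `index`.
    """
    q1, q2 = client_queries(len(db_server1), index)
    a1 = server_answer(db_server1, q1)
    a2 = server_answer(db_server2, q2)
    return xor_bytes(a1, a2)


def colluding_servers_recover_index(q1: list, q2: list) -> int:
    """The caveat: if the two servers share their queries, privacy is gone.

    The bit-vectors differ in exactly one position, which is the index the
    client asked for. This is why two-server PIR requires non-collusion.
    """
    diff = [i for i, (a, b) in enumerate(zip(q1, q2)) if a != b]
    return diff[0]


if __name__ == "__main__":
    for i in range(len(DB)):
        assert retrieve(DB, DB, i) == DB[i]
    q1, q2 = client_queries(len(DB), 2)
    print("record 2 retrieved:", retrieve(DB, DB, 2))
    print("colluding servers learn index:", colluding_servers_recover_index(q1, q2))
```

The cost that makes this a “data controller must collaborate” PET is visible in `server_answer`: each server touches every record on every query, and the service has to be re-engineered around that access pattern rather than around a plain lookup.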
An additional category of PETs can be deployed unilaterally by users within a service offered by a data controller. These include, for example, encryption tools that maintain the confidentiality of the contents of emails or social networking posts, including vis-à-vis the data controller. PETs in this category require neither active intervention on the part of the data controller nor modification of its service. Yet the data controller retains the power to disable or block the use of such PETs, and doing so may be in its business interest. With respect to this category of PETs, we ask whether organizations should be prohibited from blocking the use of PETs or denying service when a PET is detected; whether contractual terms of service that restrict PET use should be considered unfair; and how organizations could be incentivized to facilitate the use of such PETs.
A third category of PETs includes stand-alone systems, typically operated by individuals who work together to collectively achieve privacy protection. These PETs may be used to access an external service run by a data controller. The most prominent examples are anonymous communication networks such as Tor. Here too, active participation by the data controller is not necessary to implement the PET; yet data controllers can disrupt a PET’s operation, for example by rejecting connections coming from the Tor network.
A fourth category consists of PETs operated collaboratively as peer-to-peer services, where all participants concurrently act as both users and service providers. The objective of these PETs is to enable the collaborative provision of a service without a centralized party that is in a position to conduct surveillance. For example, the distributed social network Safebook is based on a peer-to-peer architecture to avoid the creation of, or engagement with, a central all-knowing entity. For the third and fourth categories of PETs, which are implemented collaboratively to operate as general-purpose private communication channels or as stand-alone peer-to-peer services, we ask whether such PETs should be protected – or at least not delegitimized – by law.
We conclude by arguing that the current information privacy framework fails to adequately address surveillance concerns. In particular, despite embracing the concept of privacy by design, policymakers have given short shrift to PETs that protect individuals from government or private sector surveillance. We claim that the information privacy framework should guarantee that the principles underlying constitutional privacy are not discarded with ease.