Privacy rights and the standard of legal protection of these rights in the digital domain

This document was written as my submission for the computer science writing course I took in my third year of study at the University of York. It attempts to summarise the privacy issues associated with the development of new technologies in the information communications domain. Please don’t read with too much of a critical eye – it is old now and it was unfortunately a last minute effort, which I may one day improve.


Introduction

In order for one to consider the broad topic of ethics with regard to computer engineering, it is important to be sure that we understand precisely what “ethics” are. In her lecture notes, Susan Stepney defines ethics to be “right and wrong behaviour in a society” [1, p25], a definition expanded upon in Computer Ethics: “the code or set of principles by which people live” [2, p14]. These broad definitions suggest each of us have a good idea what is right and what is wrong, but a question central to the topic of this review is “can we judge the use of the Internet with existing ethical frameworks?” [1, p9].

Traditionally, ethical considerations help us make the right decision. [2, p10] suggests that “information technology transforms the context in which old ethical issues arise.” In what situations do these issues arise? When a musician, artist or author creates a new masterpiece, it makes sense that their rights to the work are protected by some kind of copyright and therefore a software developer should have similar rights to their work on a piece of software; it is their intellectual property. More and more people feel it is acceptable to download illegal copies of another’s intellectual property, particularly via peer-to-peer services, which are difficult to regulate. As another example, when companies take our personal details during an online purchase, who decides how the data we provide should be used? Artificial intelligence expert systems could replace thousands of humans in certain job roles. But given the number of people without employment, is it ethical to replace a human with a computer? If the computer were to make a mistake, who should be held responsible? As a last example, hackers and malicious virus writers have caused a lot of damage to companies and individuals, however they also point out significant flaws in security systems. “Is hacking merely harmless fun, or is it the computer equivalent of burglary, fraud, and theft?” [2, p12].

Having established that each of these areas of ethics in computing require careful consideration, the question begs to be asked: why not simply apply our previous ethical principles to the digital domain? A key reason is that traditional assumptions upon which our thoughts were based can no longer be made in cyberspace. The Internet spans continents with little regard for the oceanic barriers between them, and as data travels from country to country, whose laws apply to its use? We are effectively considering that our concepts of property, privacy, crime and rights may not be so clear cut where they cannot be defined as a physical phenomenon [4a, p16].

Particularly prevalent during the last decade has been the debate over the rights of the individual online. Widespread media coverage of landmark cases in countries all over the globe have enthused the public to enter the discussion over their basic rights to privacy, both on the Internet, and the use of their personal data stored on private commercial and government databases. Most recently, Google, the company behind the internet search engine, was reported to have denied the US government access to its database records regarding its users’ search patterns due to concerns that the information may identify users and violate privacy rights. [3]

The following review seeks to consider the issue of the right to privacy where computers are concerned, and to touch on the legal response to these issues over the past two decades. The review uses three primary sources for comparison, the first, Liberating Cyberspace [6], reviews the effects of communications interception. Information Technology Law [5] is an in-depth review of the law concerning all aspects of IT, and Privacy As Censorship [7] is a paper providing a unique perspective on the effects of imposing more stringent privacy laws.

Review

Ian Lloyd, author of Information Technology Law, defines the right to privacy as “the right to be left alone…the right not to be subject to surveillance” [5, p33, 3.3]. It turns out that these rights extend to a right to control the use of our personal data. However, can it be assumed that an individual has any right to privacy? [5, p42, 3.24] states that in the UK “there is no tradition of a legally enforceable right to privacy”. Tradition has given way to changing times, and it can be safely assumed that individuals have a right to privacy in general. In cyberspace however, the sudden development of new communications technology has left it unclear as to who has what rights. Two key abuses of traditional privacy rights which apply online are communication interception (or surveillance) and data abuse.

When considering surveillance in cyberspace, a major problem is that use of digital communications is seemingly so transparent to the user that we do not consider where our communications travel en route to the recipient. An e-mail will probably pass through at least one government server before reaching its destination, and therefore it would be easy for the government to read or store this data without one knowing. The question at this point is ‘should I worry that the government has access to my communications?’ This would depend on how the information is to be used. [6a] argues that surveillance techniques enabled by the Internet empower totalitarian governments to spy upon and suspect innocent citizens. The author refers to the example of Dr Prihadi Beny Wluyo of Indonesia, who was “reportedly accused of distributing e-mail messages” relating to a series of high profile political protests [6a, p72] and was subsequently arrested, apparently for expressing an opinion. This use of surveillance technology could be seen as justified if the subject is a true threat to society, however it could be seen as a violation of ones right to free speech, and could “adversely affect the delicate balance pursued by an emerging democracy” [6a, p73]. The decision as to whether a person is a true threat to society is very subjective, and the law should make it as clear as possible how this is decided, and by whom.

The second major violation of privacy rights is the abuse of our personal data. When making purchases, whether they are online or by mail, it is likely that a set of our personal data will end up on a computer somewhere. Retailers are likely to store a history of what we purchased and when, and much insight can be had into the people we are, based solely on the products and services we purchase. Should all of the separate sets of data come together by some form of data matching, an accurate profile of anybody could be in the hands of a stranger whose intentions for the data could be unknown and undesirable, even if not sinister. This form of database owned by a company or retailer is referred to as a private database. By contrast, data could be controlled by the government, gathered via government bodies including Inland Revenue, national census, identity card/passport applications etc.

A lot of the paper Privacy As Censorship [7] debates whether personal data could be used by both private and governmental bodies, and concludes that government databases pose a much greater threat than private databases. The foundation for this assertion is in the power which the government holds. Through the channels mentioned above, a government has a much more complete data collection system, and one which it is very difficult for a citizen to avoid. As for the potential for abuse, [7, p16] states that whilst private companies use their data to market goods and send out ‘nuisance’ leaflets, the government uses their data to enforce the law, where abuse of the data would have much more severe consequences than some unwanted mail.

Having asserted the rights we are entitled to in cyberspace and how they might be abused, it is necessary to ask what legal measures protect these rights. With regard to the issue of data protection there are two approaches. The first, an approach adopted by the US, involves placing restrictions on different types of information handling [5, p44, 4.1]. In the EU however, an umbrella approach has been adopted, where a single statute regulates “all (or almost all) instances where personal data is processed by a computer” [5, p44, 4.2].

In the UK, the Data Protection Act 1984 (later repealed by the DPA 198) was passed, laying down explicit obligations for data controllers (those in possession of others’ personal data) and rights for the data subjects, both documented within eight “data protection principles” [5, p108, 7.1]. This went some way to protecting the public from data abuse, but gaps in the Act allowed misuse of data. Private companies added terms stating they would use the data in ways other than those one might expect, and therefore bypassed some of their obligations. Filling these gaps in the law however means pushing a fine balance between privacy rights and rights to freedom of speech. This balance is debated in [7], where it is the author’s opinion that “cordoning off information behind a wall of new privacy rights violates principles of free speech, threatening to shrink the total domain of freely flowing information” [7, p5].

The debate over more strict data protection legislation revolves around the issue of intended use, especially in [7], where the author focuses upon the possible resolution of problems by use of an ‘opt-in’ mechanism. This would require data subjects to explicitly state that they want their data to be used in any way other than specified by the agreement terms upon which the personal data was initially given (e.g. for inclusion on a marketable address list). The author does not approve of this proposal, and comments upon the “similarity between the information collected in databases about consumers and the information we regularly exchange with one another informally” [7, p6]. He continues his comparison with everyday ‘gossip’ to draw conclusions regarding the potential effects of such an ‘opt-in’ law, and concludes that “The brunt of an opt-in law would thus be borne by small, new businesses or nonprofits struggling to establish a customer base” [7, p5], and that large, well-established companies would benefit from reduced competition and could operate comfortably with their existing databases. It seems that the author holds economic fairness dearer than properly enforced rights, but the continued development of the Data Protection Act and similar acts internationally would indicate that the public have a strong interest in maintaining their privacy.

Conclusion

It can be concluded above all else that privacy will remain a key issue, and legislation will no doubt define the extent to which technology can be used as it becomes more powerful. For example, as data matching technology improves, its use may well be restricted by the law.

In Privacy As Censorship [7], Sloveig Singleton concluded that restricting the sharing of data would in fact result in benefiting large companies, and putting smaller start-up independent companies at a disadvantage due to the larger volume of information controlled by established companies. Does this matter? Are economic effects a consideration when our right to privacy needs protecting? I am of the opinion that our rights according to intuition are more important than side effects of basic measures to protect them. The advent of the Internet and its associated technologies opened a lot of doors and many people, particularly technologists, hate the thought of the full potential being restricted by artificially imposed rights. However, without a firm ethical foundation, the Internet will no doubt eventually become so abused that regulating this abuse will be impossible. This is already plain to see in the case of intellectual property. Intellectual property published in the cyberspace, including music, software and texts, are subject to such levels of theft and piracy that it is beyond regulation in some cases. In the absence of a code of ethics suited to cyberspace, perpetrators have used existing ethically acceptable arguments to justify their actions, for example, peer-to-peer file sharing: ‘I’m simply sharing my property with my friend’.

In the case of surveillance, I think it ought to be obvious to those with even the most dubious ethical grounding that spying upon an individual with no cause or reason is unethical, in the same way as entering a persons house just because you can is wrong. Warrants should be required to snoop upon personal communications, and traditional law provides a basis for a judge to make the decision as to whether the warrant is necessary.

The authors of [6a] obviously believe that universal surveillance is not acceptable. I would agree, my belief being that the freedom of an individual to communicate opinions privately is an essential prop behind a secure democracy, ensuring individuals can make up their minds and discuss thoughts without fear of punishment. It is through these communications that the public can gather to fight back against oppressive government, which is also the reason totalitarian governments abuse the power of technology available so frequently.

In summary, privacy rights online enable technology users to communicate freely without fear of eavesdroppers, and the legal enforcement of high standards of data protection ensure users feel at ease with disclosing personal details online.

Bibliography

[1] S. Stepney, PD1 Notes on Ethics, http://www-course.cs.york.ac.uk/pd1/ethics.pdf, accessed 14 January 2006.

[2] Tom Forester and Perry Morrison, Computer Ethics, 2nd Edition, The MIT Press, 1994.

[3] BBC Technology News, http://news.bbc.co.uk/1/hi/technology/4630694.stm, last accessed 20 January 2006.

[4] Deborah G. Johnson and Helen Nissenbaum, Computers, Ethics & Social Values, Prentice Hall, 1995.

[a] John P. Barlow, Coming Into the Country

[5] Ian J. Lloyd, Information Technology Law, 3rd Edition, Butterworths, 2000.

[6] Liberty, Liberating Cyberspace: Civil Liberties, Human Rights & The Internet, Pluto Press, 1999.

[a] Ch. 3 – Simon Davies and Ian Hosein, Privacy I: Liberty on the Line

[7] Solveig Singleton, Privacy As Censorship: A Skeptical View of Proposals to Regulate Privacy in the Private Sector, Cato Institute Policy Analysis 295, January 1998.

Not Cited, but Influential

David R. Johnson and David G. Post, Law and Borders – The Rise of Law in Cyberspace, Stanford Law Review 1367, 1996.

Links of Interest :

Recent government plans to dissolve measures in place to prevent the union of separate government databases.

Liberty are concerned with how the state, the press and others strike the balance between privacy and other interests.

Leave a Reply