A Growing Need to Protect Privacy in an Era of Growing Willingness to Give it Up

The Advent of Privacy Challenges

The Modern Issues

Earlier this month, former Facebook employee France Haugen released files revealing the results of the company’s internal research results regarding the impact of Instagram on teenage girls. A key statistic that has been highlighted in the media is that “32 perfect of teen girls said that when they felt bad about their bodies, Instagram made them feel worse” (2). One solution addresses that children under thirteen aren’t even supposed to be making accounts, because data collection on children under that age goes against our country’s privacy laws. Yet, I know many of my classmates signed up for Facebook before they were thirteen with fake birthdays. Facebook also mentioned a potential to create “Instagram Kids.”

Similarly, humans invariably offer up their data. Sometimes due simply to being unaware of what they’re revealing by doing so (as with the military base that was revealed when soldiers decided to compete with each other, uploading their fitness tracker data in the process and creating a map of their exercise route). In other ways, we do so for convenience, as with the FreeStyle? Libre sensors that have been using AI to recommend personalized diets based on individual’s glucose levels (4).

Attempts at Solving The Issue

Apple created a lot of buzz (and some very creative advertising campaigns) when they released a pop-up window that notifies users that an app is tracking their data, allowing users to prevent the app from doing so. (3) Many small businesses and apps were upset by the change, arguing that this was how they allowed users to access their services for free. Facebook responded saying that it was attempting to create a method of advertising that doesn’t rely on user data (3). But is it really that easy to dismantle a $350 billion digital industry? These companies have different views of how much they should roll back such advertising.

While BigTech? attempts to revamp their own privacy systems, can and should users do more to take privacy into their own hands? I’m positive that many people would rather use an app for free than pay to remove advertising (as evidences by the numerous app-store complaints when apps roll out pay-for-no-ads versions of their products). There has been a growing industry of products that market themselves as shirking ads (for example Brave, the private web browser), but how many people choose to use this service?

Furthermore, what is the state of media literacy in our country? One of the first ways we can protect young children who will undeniably sign up for these enticing social media services is to inform them about what they give up in exchange for access to endless streams of videos, 150-word posts, and their friends’ photos.

In the long run, I would argue that this education is a must if we’re to convince people to pay for subscription fees in lieu of paying for such services with their data.

(1) https://safecomputing.umich.edu/privacy/history-of-privacy-timeline

(2) https://www.nytimes.com/2021/10/13/parenting/instagram-teen-girls-body-image.html

(3) https://www.nytimes.com/2021/09/16/technology/digital-privacy.html

(4) https://www.theguardian.com/lifeandstyle/2021/oct/05/intimate-data-can-a-person-who-tracks-their-steps-sleep-and-food-ever-truly-be-free

:

What

Does the GDPR adequately protect individuals' privacy?

General Data Protection Regulation:

The GDPR addresses the power imbalance between data controllers, who derive significant commercial benefit from the use of data, and users who bear significant harms associated with the usage of their own data. The legislation does this by placing explicit consent and anonymization techniques at the core of data processing. However, by focusing on these two specific aspects, the European legislators construct “structural regulatory spaces that fail to understand the ongoing challenges in delivering acceptable and effective regulation”. By exclusively concentrating on consent and anonymization techniques as a way to ensure data privacy and security, the GDPR fails to address not only the issues these concepts create but also how these should be implemented by app developers.

There are two issues created by the GDPR regulation, and that consequently significantly affect individual users’ privacy and data. Firstly, by using individuals’ consent as the gatekeeper to the legal processing of data, the GDPR places heavy emphasis on internet platforms themselves to fulfill the necessary GDPR standards. While simply obtaining users’ consent to the processing of their personal data does not make the processing of such data lawful, the fact that it is up to internet organizations themselves to implement adequate privacy standards says very little in terms of the protection that such standards afford in reality. Secondly, the GDPR stipulates that when data is anonymized, the need for explicit consent of the processing of the collected data is no longer required. At its core, by placing emphasis on anonymization techniques, the GDPR aims to reduce harmful forms of identification by preventing the singling out of natural persons and their personal information. However, as Narayanan and Shmitikov’s Paper on De-anonymization of Large Datasets and Oberhauses’s article on anonymous browsing data underline, de-anonymization of large data sets is standard industry practice for a majority of internet platforms.

Is the GDPR the right standard for privacy protection?

As outlined above, there are several issues associated with using the GDPR as the standard for privacy protection, the two biggest ones being treating consent as the standard for privacy, and the ability to de-anonymize data. Despite these issues, there are a number of benefits associated with using GDPR as the standard for data protection, namely that it functions in what Profesor Moglen as part of his “The Union, May it Be Preserved” speech in a transactional sphere. While Professor Moglen sees this as a problematic quality of the GDPR, the fact that the GDPR functions as a transaction where users consent to collection and usage of their data as a “transaction” for which they receive the benefit of accessing internet platforms means that the regulation can easily be implemented by any type of corporation. The issue with the GDPR is that the standards of implementation are too lax, and upon drafting the GDPR in 2018 the impact of de-anonymization technologies was not sufficiently considered. One could argue that if amendments were implemented into the GDPR that would tackle the issues of de-anonymization technologies the current privacy issues would be adequately addressed. However, such an argument fails to address the fundamental power imbalance created by internet platforms such as Google, Yahoo, and Facebook, where individual users are not given a choice as to how their data is processed.

Instead of working within the confines of the GDPR as it exists currently, Professor Moglen argues that we need to challenge our basic assumption that privacy and our data is part of the “transaction”. To some extent this idea has merit, in that why should our own personal data be a transactional token by which our privacy is achieved? In this sense, Professor Moglen’s definition of privacy as “ecological” and “relational among people” rather than an issue of individual consent is one that seems to provide a stricter standard of privacy protection. While an ecological conception of privacy could provide a much stricter standard of individuals’ data protection, the means of achieving such protection are less concrete. Namely, what standard of privacy is going to be the baseline to which all protection is measured (if an ecological protection of privacy is adopted akin to environmental protection)?