Friday 02 August 2019

Does the concept of ‘privacy’ still exist in the digital era?

On 25 May 2018, the General Data Protection Regulation (GDPR) entered into force in the European Union, unleashing a torrent of e-mails and making the protection of our privacy a key topic in the debate on digital technology. Since then, and following a series of scandals, such giants as Apple and more recently Google have made the protection of their consumers’ data a priority.

Despite the progress that has been made in terms of the protection of our privacy, the Internet is still very much like the Far West, where rules are not really important. Eighty percent of all websites still have third-party trackers that spy on our traffic and data brokers continue to quietly harvest our data to sell them for advertising purposes. While the situation is gradually improving, thanks to legislation and the tireless efforts of many activists, organisations and researchers, there is still plenty of work to be done to achieve a more responsible collection and use of digital data.

Like most issues related to the use of digital technology, this fight to protect our privacy is a new issue, both in terms of its scope and its importance. While numerous innovations were a cause for concern about our privacy in the past, the advent of digital technology, which is characterised by the increased capacity for data calculation and storage, has made it even easier to harvest our personal data, on an unprecedented scale even.

One consequence of the novelty of this situation is that we are not yet legally and technically capable of responding to the challenges it poses. The GDPR provides an example: by definition, the regulation does not apply to ‘anonymised’ data, i.e., all data that cannot be linked to an individual. This definition is very vague and several researchers have demonstrated that many ‘anonymous’ data sets were anything but. A study by MIT from 2012 showed that, in 95% of all cases, simply knowing where someone was at four different times during a year is sufficient to be able to distinguish this person’s movements among millions of others. This study, which used phone metadata, was replicated using several other types of data (credit card purchases, Netflix history…), but in all cases, it drew the same conclusion: our behaviour is very unique and you only need a tiny fraction of our data to re-identify us, with the equivalent of a behavioural digital fingerprint.

A second consequence for citizens is that they wonder whether the fight to maintain their privacy is worth it. One vital question, which I’m often confronted with as a researcher on this topic, is: “If you have nothing to hide, why worry about the collection of our data?”.

Activists and authors who publish on the subject often argue that we need to protect our privacy to protect minorities. Saying that “I have nothing to hide so surveillance does not bother me” is an egoistical approach. But one argument that I find particularly important is that the constant surveillance of what we do, how we behave, is subconsciously influencing us.

In 2014, a study by two American researchers demonstrated that the volume of searches in Google that were related to sensitive subjects, i.e., government-related or private information (e.g. medical problems) had dropped by 10% around the world, following the revelations by Edward Snowden. Surveillance, whether performed by a government agency or an invisible third-party tracker, inhibits our thoughts and limits our access to information. That is what one of the roles of privacy protection: to protect everyone’s ability to develop an opinion, to be able to share it and qualify it. In that sense, it is one of the cornerstones of our democracy, and we recently realised how fragile it is.

But there are reasons for hope. The GDPR only took effect very recently – just a year ago – and a sustained effort was made to enforce it. But while the GDPR is a victory, there are still many battles to be won before we will have recovered our right to privacy.

Florimond Houssiau
Civil engineer in Applied Maths
PhD student at the Computational Privacy Group, Imperial College Londen