Privacy: the great forgotten issue of today’s digital landscape
Tracked, profiled, monetized: this sums up the current state of our Internet activity. The ‘free’ model has been the norm on the Internet for a few years now. Large companies such as Google and Facebook may be known for offering seemingly free services, but their business model is extremely profitable.
There are several reasons for this:
- The free nature of these services allows a significant amount of data to be accumulated and analyzed, in order to draw correlations that are valuable for advertising purposes.
- There is a very strong belief in the value of users’ personal data. Collection capacity has therefore become an index of company growth, which drives investors to invest. Personal data is a new safe-haven asset, or a new bubble.
Monitoring and predicting, in defiance of user privacy: the situation is not going to improve. Google and DoubleClick, Alphabet’s advertising agency, are now cross-referencing their data to target users more accurately.
Regulating practices: the role of states
In response to this growing intrusiveness, attempts at regulation are cropping up all over the place. At the European level, it is the G29, the body gathering all the European DPAs (Data Protection Authorities), that is most concerned with limiting the collection of personal data. Until now, their role has essentially been to require companies to comply with the law. But in the meantime, the question of personal data has grown both in size and importance: when someone is punished, it is because the harm has already been done, the data have already been collected, and user privacy has already been violated. As a result, the DPAs have become both legislative and legal regulators: the results are clear, notably with the implementation of the GDPR as of April 2018, which puts in place numerous preventive measures and focuses on an increasingly important concept: Privacy by Design.
What is Privacy by Design?
The idea of Privacy by Design is simple: instead of risking punishment, a company is better off integrating respect for privacy at the design stage of its product. For this, it must follow seven simple rules:
- Act before there is a problem
- Process the minimum amount of data possible and keep it only for as long as is strictly necessary
- Design projects with a view to privacy right from the start
- Consider everybody’s interests (security, economic impact)
- Secure data from start to finish
- Ensure the transparency and visibility of processed data
- Respect user privacy
In theory, Privacy by Design is therefore an interesting piece of regulation: it sets standards to respect and lets companies easily protect themselves against privacy and personal-data problems.
In practice… it’s a little more complicated than that. The idea of privacy by design poses several problems:
- imposing criteria that define privacy and telling companies to get on with it is very top-down
- today, most Internet services run on the personal data they have collected: do all Internet users define privacy in the same way?
- most importantly: suggesting that adhering to the seven rules of privacy by design is enough to ensure users’ privacy gives them a false sense of security, which could be far more damaging than telling them nothing at all.
A false sense of security
Let’s give an example: you want to communicate something very important and very confidential to someone. Without a computer, it’s quite simple: if you meet the person in a desert, far from any microphones or connected devices, you can normally deliver the message in complete confidentiality.
If you want to communicate the same information digitally, good luck! Even using a “privacy by design” application, you will have to rely on a long, far too long, chain of trust…
You are sure about your email application. Great. Are you sure about your correspondent’s, too? Sure your browser is not saving what you type? Sure your computer is not passing on what you type on your keyboard? And the BIOS, have we thought about the BIOS?
Speaking of privacy by design is all very well, but if you are not sure of the foundations, it only creates a false sense of security. Respecting privacy is not only about ensuring that no data will be disclosed: above all, it is about allowing our data to circulate within a framework of trust, according to our needs and wishes, with confidence in the third parties we share it with. Only one option remains: choosing our own solution. We can never audit everything. Absolutely perfect security does not exist. On the other hand, by encouraging competition and by making it easy to move data from one provider to another, users can boycott software, or a chain of trust, that they do not like. For this, portability is an essential issue. We’ll tell you more about this in the next post!