There is already evidence that ‘governmental mass surveillance emerges as a dangerous habit’. Despite the serious interests at stake, we are far from fully comprehending the ramifications of the systematic and pervasive violation of privacy online. This article underscores the reasons that policy-makers and lawyers must comprehend and value privacy not only as a human rights issue, but also as a fundamental technical property for the well-functioning of the Internet. The analysis makes two main arguments. Firstly, it argues that the effective protection of online privacy cannot be thought of only in terms of compliance with legal frameworks but that—in practice—it also needs to be secured through technological means, such as privacy enhancing technologies and, most importantly, Privacy by Design. Recent developments in the standardization work of the Internet Advisory Board and the Internet Engineering Task Force suggest a paradigm shift with respect to integrating Privacy by Design into the core Internet protocols. The consideration of privacy as a requirement in the design of the Internet will have a significant impact on reducing states’ capability to conduct mass surveillance and on protecting the privacy of global end-users. Secondly, the article argues that Internet standards should not be seen as ‘living a parallel life’ to, or as displacing or merely complementing, international human rights law. Technical standards and international law can actively inform one another. The analysis and findings demonstrate how the technical perspective on privacy can inform and enrich policy-making and legal reasoning.
Recent revelations that states conduct mass and indiscriminate surveillance and eavesdrop on digital communications demonstrate that ‘governmental mass surveillance emerges as a dangerous habit rather than an exceptional measure’.1 The right to privacy is seriously and extensively threatened online without users being aware of. The consequences of pervasive monitoring2 cannot be duly appreciated unless one underlines that the exercise of the right to privacy is also a prerequisite for realizing other human rights—online and offline.3 Furthermore, serious and systematic attacks on online privacy undermine relations among states, confidence of the citizens in the rule of law and trust in the digital economy.4 Despite the serious interests at stake, we are far from fully comprehending the ramifications of the violation and abuse of privacy by means of pervasive monitoring. Affirming that human rights apply equally offline and online is an invaluable and timely pronouncement,5 but international lawyers and courts as well as policy makers, have just started to explore the implications of the Internet’s technical features to policy-making and legal reasoning.6 The article underscores the reasons that policy-makers and lawyers must value privacy not only as a human rights issue, but also as a fundamental technical property for the well-functioning of the Internet.
The article makes two main arguments. First, it argues that the effective protection of online privacy cannot be thought of only in terms of compliance with legal frameworks but that—in practice—it also needs to be secured through technological means, such as privacy enhancing technologies and, most importantly, Privacy by Design.7 The article addresses how privacy is hardwired into the core Internet protocols that form the Internet’s basic architecture,8 by introducing the privacy-related work of the Internet’s technical bodies. The Internet Architecture Board (IAB) and the Internet Engineering Task Force (IETF) are the most prominent and influential standardization bodies in this area. The design of the network9 and Internet protocols (as engineered via technical standards) by default encapsulate regulation and, therefore, prescribe a certain level of privacy protection for Internet users. The analysis looks at recent developments in the standardization work of the IETF and IAB and provides evidence of a paradigm shift with respect to integrating ‘privacy by design’ requirements in the Internet protocols. The consideration of privacy as a requirement in the design of the Internet will have a significant impact on reducing states’ capability to conduct mass surveillance and on protecting the privacy of global end-users. Secondly, the article argues that Internet standards and the technical point of view on privacy should not be seen as ‘living a parallel life’ to, or as displacing or merely complementing, international human rights law. Technical standards and international law can actively inform one another and converge in their application with respect to protecting privacy online. In fact, the technical perspective reinforces human rights arguments concerning the protection of privacy. The analysis and findings come to reinforce the point of the UN Special Rapporteur on privacy with regard to fully exploring the potential of international law including binding and non-binding instruments.10
The discussion is structured into four parts. The second part briefly explains the role of the IAB and IETF and it shows that protecting privacy online falls within the remit of the IETF’s standardisation work. However, the IETF does not value privacy as a human right per se, or as a legal consideration, but rather as an instrumental value that must be understood as a necessary condition for restoring and maintaining users’ trust in the Internet. The work in progress of these bodies with regard to integrating Privacy by Design into the core Internet protocols11 qualifies as a technical ‘solution’/response to mass surveillance. This solution includes the creation of a privacy threat vocabulary, the introduction of encryption in the Internet traffic and implementation of privacy into all the layers of the network. The analysis demonstrates how Internet standards are being informed by, and in turn shape and nurture, legal standards and business practices. At the same time, however, the overall impact of Privacy by Design incorporated into the Internet’s architecture is subject to Privacy by Design policies by service providers and states’ practices. The third part proceeds to explore how the technical perspective on privacy can inform the manner in which the legal advisor argues about privacy, the legislator articulates the interests at stake and the academic and practitioner interpret international human rights law. Pressing questions, such as the relevance of the location and nationality of individuals in the digital environment or the interrelation of privacy, freedom of expression and security, require us to revisit our take on interpreting and applying international human rights law. The fourth part concludes.
DEVELOPING INTERNET STANDARDS TO SECURE PRIVACY ONLINE
Internet governance is highly fragmented in terms of the distribution of authority, reflecting the decentralized nature of the network itself. The creation and evolution of the Internet are shaped by standards, principles, norms, rules and business practices, which are developed in a multi-stakeholder ecosystem. States, the technical community, industry, civil society, academia and global users participate to varying degrees to formal and informal governance arrangements.12 Despite this fragmentation and lack of formal authority, a limited de facto hierarchy exists in the day-to-day management of the Internet.13 The Internet’s engineers and, in particular, the IETF and the IAB are responsible for making the Internet work better and managing the technical aspects of the Internet by creating Internet Protocols.14
Internet standards and standard-setting process
Internet protocols are engineered on the basis of technical standards, known as Internet standards, set by the IETF and the IAB.15 Internet protocols constitute the backbone of the Internet upon which all the layers of the network are created.16 As such, they define—to a significant extent—how the Internet functions and they frame the context of its legal regulation.17 The core architecture of the Internet is a strong mode of regulation itself: technological capabilities and design choices impose rules/constraints on the online user regarding access and use of information.18 The default settings—from the design of the Internet protocols to a particular application or a browser—shape the user’s choices Consequently, Internet protocols are a ‘hidden’ yet powerful regulatory force complementing the law, the market and social norms developed online.19 Although Internet standards are not legally binding, industry, organizations, Internet users and states adhere to and implement them.20
The Internet standard-setting does not observe formalities traditionally associated with the production of domestic or international law in terms of the processes followed, the actors involved and the final output.21 This informality, however, does not necessarily mean that these bodies and the respective standardization process lack legitimacy. On the contrary, there is strong evidence to suggest that the IETF meets high standards of transparency and inclusiveness.22 Much has been written about the legitimacy of the IETF’s standardization work. Froomkin, in his seminal study, found that the IETF standard process ‘harbors an environment capable of providing the “practical discourse” that Habermas suggests is a prerequisite to the creation of morally acceptable norms’.23
The establishment of the Internet’s standardization bodies is informal. The IETF is organized as an activity of the Internet Society (ISOC)—a US non-profit entity—and the IAB is chartered both as a committee of the IETF and an advisory body of ISOC.24 Informality extends to the internal structure of the two bodies. The IETF does not have an elected board and it enjoys financial independence.25 Participation is free and open to all interested individuals and on an equal footing for all stakeholders (including States).26
Turning to the outputs of the informal law-making process, Internet standards and other deliverables, such as guidelines, or best current practices,27 are adopted by consensus-making mechanisms. Each new proposal for a specification undergoes a period of review and revision and is initially published as a ‘Request for Comment’ (RFC) until (if) it reaches a certain level of maturity and turns into an Internet standard.28 There are no formal voting rules and new standards are approved by ‘rough consensus and running code’, which means that the value of the ideas is assessed by the empirical proof of their feasibility and the combined engineering judgment of the participants.29 For an Internet standard to be adopted the specifications needs to be of the highest technical quality and it needs to be supported by widespread community consensus. Of particular interest is the fact that a third requirement needs to be met, namely that the IETF must assess the interests of all affected parties as well as the specification’s contribution to the Internet.30 Consequently, the standard-setting process is porous to external concerns. The IETF can value and accommodate in its assessment specific societal interests and considerations, including arguably the impact of Internet protocols on the users’ privacy.
States and other stakeholders underlined in the Tunis Agenda the immense contribution of the technical community to the shaping and evolution of the Internet, hence, acknowledging the legitimacy of the IETF and IAB to regulate the Internet.31 Moreover, the positive and widespread reception of the standards by their addresses is a significant indicator of the bodies’ legitimacy.32 The industry sector and Internet users think ‘the courts and politicians are so naïve [and] the only way to retain the ability to communicate privately is to come up with a long-term technical solution’.33 Even though the perception of the technical solution as replacing or displacing the law could lead to a technocratic government of experts,34 standardization, in the present context, does not necessarily have a negative connotation. ‘The geeks will save the Internet and privacy’ is a prevalent narrative among the Internet users.35 The Internet’s technical community is, or at least is perceived as being, the legitimate guardian of the network and the respective values it carries within it.
The mandate of the internet standardization bodies to protect online privacy against mass surveillance
Even though privacy has always been a peripheral issue in the work of the IETF and IAB, the recent disclosures on mass surveillance by states36 have forced the engineering community to face one of their major concerns, namely, the need to avoid exceeding their technical mandates or getting involved in politics. This section argues that the protection of online privacy falls within the remit of the standardization bodies’ work. The IETF and IAB have, in fact, decided to defend the network against (mass) surveillance. The IETF, however, does not value privacy as a human right per se or as a legal consideration; privacy is an instrumental value and it is viewed as a necessary condition for restoring and maintaining users’ trust in the Internet.37
It should be clarified that the work of the IETF, although technical, is not neutral or value-free.38 Since Internet protocols are a form of regulation by default, standardization bodies also make choices by default.39 Furthermore, the IETF’s mission statement clearly states that ‘the Internet isn’t value-free and neither is the IETF’.40 The IETF chooses to create certain technology by embracing specific technical concepts and ideas (decentralized control, edge-user empowerment and sharing resources).41 The IAB, for its part, is entrusted with protecting the reliable operation of the Internet and the free flow of information, which is a broadly defined responsibility.42
The mandate of these bodies is not static: as the function and scope of the Internet evolves, so too will the role of the expert bodies entrusted with a public policy role in Internet governance. Protocol designers are more than familiar with the evolutionary nature of the Internet. In their view, the only principle of the Internet that will survive indefinitely is the principle of constant change: the architectural structure of the Internet is aimed at providing a set of rules (protocols) that generates a continuously evolving space of technology.43 This is clear both in how the Internet is envisioned and how Internet standards develop.44 Therefore, although these bodies are bound by their technical mandates, these mandates have to be read in the light of the needs of the users in whose name they act.45 The protection of users’ privacy is a serious and legitimate concern when designing and updating protocols. As discussed earlier, the affected parties’ interests46 and the specification’s contribution to the Internet’s evolution are requirements to be addressed in the standardization process. Even though the engineers’ ability to anticipate threats to privacy is limited,47 the choices made in designing Internet protocols have profound implications for identifying and mitigating these threats.48
The IETF and IAB have accepted that their mandates encompass privacy issues by their recent acknowledgment that serious and systematic violations of users’ privacy pose significant risks to the reliable operation of the Internet. The IETF Chair proclaimed that pervasive monitoring is a threat against which the Internet’s engineers should defend.49 Many strong voices from within the technical community took the position that engineers should reconsider the impact of protocol and system design choices in light of the serious issues involved in the protection of privacy.50 In 2014, the IETF asserted its strong consensus that ‘[pervasive monitoring] is an attack on the privacy of Internet users and organizations’.51 The pervasive nature of monitoring by specific states in collaboration with non-state actors is considered to constitute a breakdown in trust: the capabilities and activities of the attackers are greater; monitoring is highly indiscriminate and on a very large scale; and the surveillance is pervasive in terms of content.52 In response to this attack on the network the technical bodies decided to expand their work by integrating privacy as a design requirement for the Internet standards (Privacy by Design).
Nonetheless, one should not lose sight of the fact that the IETF does not regard privacy as a human rights issue, but rather as a technical matter related to the functioning of the network.53 Due to the unique features of the Internet’s architecture, any threats to users’ privacy equally qualify as threats to the fundamental value of the network: trust among its users. The core architecture of the network is its end-to-end design; this design, however, is based upon the presumption of trust.54 Threats and risks to privacy, and especially pervasive monitoring, directly impact the level of trust placed by users in the network: compromising users’ privacy undermines the network because the network is its end users. According to the engineering community’s mindset, pervasive monitoring is an attack because users’ participation in the network is adversely affected, the free flow of information is inhibited and the integrity and confidentiality of information are endangered. Threats to users’ privacy undermine the reliable operation and the responsible use of the network as a whole.
Engineering privacy by design into the internet protocols
This section discusses how the IETF and IAB embed Privacy by Design requirements into the Internet protocols with the aim to protect end users from surveillance and serious threats to their privacy. Three specific threads of the ongoing standardization work have been selected: the introduction of a privacy vocabulary, encryption and the implementation of Privacy by Design in all layers of the network. It is argued that the development of Internet standards takes into consideration and, in turn, informs legal aspects of, the right to privacy as well as business practices.
It needs to be stressed from the outset that Privacy by Design affects the way the Internet is designed as well as the IETF’s philosophy. The foundational end-to-end design principle encapsulates the choice made in the early development of the Internet to leave security and privacy issues to be addressed by the end users. This choice served the purpose of keeping the core communication Internet protocols as simple as possible.55 It is for this reason that the Internet’s engineers did not deem privacy to be a requirement when designing the Internet but rather something to be addressed by the end users.56 This essential design principle, however, rests upon the fact that the Internet was originally built by a community of like-minded professionals who trusted each other.57 In light of the unprecedented expansion of the Internet, and the recent revelations about state surveillance, the IETF re-examined its decision to leave privacy and security issues to the end users. In this sense, the integration of privacy requirements into the Internet standards signifies a rearrangement of the IETF’s standardization philosophy and it indicates that privacy will be considered prior to designing new protocols or updating existing ones.58 The consequence of shifting from the approach of leaving privacy to the end user to introducing Privacy by Design into the Internet protocols is that the core architecture of the Internet will encapsulate a higher level of privacy-protection features on a global level. This level of protection ensures stronger privacy protection than the (additional) measures taken by the individual user. The global interoperability of the network also ensures that privacy protection is ensured regardless of national borders, thereby mitigating threats to privacy and weakening the technical feasibility of conducting mass surveillance. The protection embedded in the technology of the Internet standards is, however, subject to any restrictions imposed by states. Similarly, the extent to which Privacy by Design features in the Internet protocols will impact end users depends on whether other stakeholders in the Internet’s ecosystem, such as service providers, implement these protocols in all layers of the network, as it will be discussed below.
Developing a privacy vocabulary
In 2012 the IAB issued a report proposing, for the first time, a privacy-threat model with a specific focus on pervasive monitoring.59 The model addresses the question of how surveillance can be countered on a technical level.60 A notable contribution of this model is the creation of a privacy vocabulary, which defines privacy threats and establishes relevant terminology.61 The main aim of this vocabulary is to introduce privacy-related concepts to the engineering community. Protocol designers need to be aware of specific engineering choices that can impact on privacy when crafting standards.62 Just as the legal community is struggling to comprehend the technical aspects of privacy, the technical community is also in the process of realizing the value of privacy as a consideration in its work.63
What is particularly interesting about the development of a privacy vocabulary is its interrelation with privacy from a legal point of view. On the one hand, the technical community uses legal standards to inform its guidelines. The IETF not only documents the technical means employed to conduct mass surveillance, but also draws upon existing legal and policy privacy frameworks, such as texts by the Council of Europe, the Fair Information Practices, the Organization for Economic Co-operation and Development (OECD) guidelines concerning the collection and use of personal data and the Privacy by Design concept.64 On the other hand, the technical community’s work makes a relevant contribution to the legal community regarding the conceptualization of privacy in cases of (mass) surveillance.65 A user-centric approach to privacy risks focuses on the ways in which end users feel threatened or suffer harm. The different types of privacy harm, including harm to financial standing, reputation, autonomy and safety, are discussed at length.66 The IETF notes that ‘when individuals or their activities are monitored, exposed, or at risk of exposure, those individuals may be stifled from expressing themselves, associating with others, and generally conducting their lives freely. They may also feel a general sense of unease’.67 ‘[T]he effects of surveillance on the individual can range from anxiety and discomfort to behavioral changes such as inhibition and self-censorship… The possibility of surveillance may be enough to harm individual autonomy.’68 The impact of surveillance, or the possibility of surveillance, on the autonomy and behaviour of Internet users is crucial from a technical point of view in assessing the erosion of trust placed in the network. From a legal standpoint, the Court of Justice of the European Union (ECJ) aligns with this perspective as far as the meaning of interference with the right to privacy is concerned. The ECJ found that mass and indiscriminate surveillance is inherently disproportionate and constitutes an unwarranted interference with the rights guaranteed by Articles 7 and 8 of the EU Charter on the right to privacy and data protection, respectively.69 More specifically, the ECJ held that the retention of traffic and location data without users being informed is likely to generate in the minds of the persons concerned the sense that their private lives are the subject of constant surveillance.70 The collection of such data constitutes an interference with the right to privacy and it ‘does not matter whether the information on the private lives concerned is sensitive or whether the persons concerned have been inconvenienced in any way’.71 An interference with the right to privacy takes place regardless of whether the data has been subsequently processed, used or accessed by state authorities; these acts qualify as separate interferences.72 There is already empirical evidence supporting the chilling effects of mass surveillance on the trust placed in the network and the exercise of freedom of expression online.73
Moreover, according to the IETF the possibility of covert surveillance suffices to threaten and adversely impact one’s privacy. A similar nexus between the possibility of secret (mass) surveillance and the rights of personal autonomy and privacy is reflected in the approach of the European Court of Human Rights (ECtHR). In the recent Zakharov case the applicant claimed that there had been an interference with his privacy as a result of the mere existence of legislation permitting covert interception of mobile telephone communications and the risk of having been subjected to interception measures. The applicant was not in a position to furnish evidence that specific interception measures had been ordered against him. The ECtHR, by taking a rather flexible approach to the applicant’s victim status and standing, accepted his arguments: when it comes to cases in which the secrecy of measures renders them effectively unchallengeable at the domestic level, the individual does not have to demonstrate the existence of a risk that surveillance measures were actually taken against him.74 This position was reaffirmed in the Szabó and Vissy case.75 It remains to be seen whether the ECtHR will reinstate this approach in the high-profile pending case brought by Big Brother Watch, Open Right Group, English Pen and Constanze Kurz against the UK Government Communications Headquarters (GCHQ). In a similar vein, the applicants argue that GCHQ conducted generic surveillance and that it is likely that they have been subjected to such interference. The applicants also contend that the generic interception of communications is an inherently disproportionate interference with the right to privacy of thousands, perhaps millions, of people.76 If the ECtHR leans towards the Zakharov line of reasoning, it will be at variance with the Clapper judgment of the US Supreme Court. The Supreme Court dismissed by a slim 5–4 majority the applicants’ claims as highly speculative fears and found that they had no standing.77 In an unpersuasive judgment the Supreme Court held that there was no real likelihood that the government will at some point intercept some of the applicants’ communications, and consequently that there was no actual or imminent injury (no injury-in-fact).78
Creating an encrypted web
The IETF is currently focusing on security and encryption as one of the means to mitigate privacy threats.79 The Internet’s engineers classify online surveillance as a combined security and privacy threat, underpinning the fact that security and privacy are interrelated.80 In November 2014, the IAB issued a Statement on Internet Confidentiality in which it reaffirmed that the growth of the Internet depends on users having confidence that their private information is protected in the network.81 The IAB underscored the importance that protocol designers, developers and operators should make encryption the norm for Internet traffic. The ongoing standardization work on ‘opportunistic security’ is aimed at ensuring some security, even when full end-to-end security is not possible.82 A few new working groups have been set up, focusing on areas within the Internet protocols that have been neglected from a privacy point of view, such as Internet traffic and metadata. The working group on using transport layer security (TLS) in applications was established to increase the security of transmissions over the Internet, including email communications.83 The Group has identified best practices in using TLS and unauthenticated encryption in future application definitions.84 Furthermore, the working group on domain name system privacy considerations is developing a private exchange mechanism so that Domain Name System (DNS) transactions and queries become more private.85
The Article 29 Data Protection Working Party, in its Opinion 8/2014, and the European Data Protection Supervisor also acknowledge the interconnection between security concerns and privacy risks and violations.86 In general, however, policy-makers and lawyers have not digested the complex interrelation between network/national/individual security and privacy online: privacy and security are in many cases in a symbiotic rather than an antithetical relationship, and privacy can be a prerequisite for ensuring security.87 Moreover, the emphasis placed by the IETF on increasing security and anonymity regarding Internet traffic and metadata mirrors the serious concerns over the (illusive) distinction between the content of communications and metadata (other non-content information). The UN High Commissioner on Human Rights has stressed that the distinction between content and metadata of communications is not persuasive, since metadata effectively reveal an individual’s behaviour, social relationships, private preferences and identity.88 The ECJ in the Digital Rights case has held that traffic and location data, taken as a whole, may allow very precise conclusions to be drawn concerning private lives.89 Nonetheless, US courts have not (yet, at least) extended the Fourth Amendment protections on privacy to metadata used to route internet communications, including sender and recipient addresses on an email, or IP addresses.90 In November 2015 the US Supreme Court rejected an appeal to the USA v Davis case to determine whether it is necessary to obtain a search warrant when law enforcement requests access to cell phone location data.91 Although the introduction of encryption as the norm on the Internet is a necessary condition for ensuring secure and private online communications, it is not sufficient notwithstanding that the impact of Internet Protocols is subject to their implementation by other stakeholders in Internet governance, as the next section will discuss.
Implementing and mainstreaming privacy by design
An innovative feature of the IETF’s ongoing work is that it encourages the implementation of Privacy by Design into all layers of the Internet—and not only in the core (low-layer) Internet protocols.92 The IETF has thus far focused mostly on the design and update of Internet protocols since it is difficult for protocol designers to foresee all pertinent privacy risks when browsers and web services implement standards. Privacy by Design, entrenched in the Internet’s architecture, should ideally be implemented by Privacy by Design policies set by service providers and Privacy by Design legal/regulatory obligations prescribed by states. In this sense, Internet standards can nurture and shape privacy-protection practices in business practices,93 and they have the potential to guide future regulation.94 At the same time, the precise impact of the IETF’s work on the end user is dependent on Privacy by Design policies and Privacy by Design legal regulation.
Many states have taken certain steps towards Privacy by Design policies. Privacy by Design is now prescribed as a legal standard in the EU General Data Protection Regulation which replaced the EU Data Protection Directive.95 More specifically, Privacy by Design is a requirement that must be implemented by any person or organization controlling the collection, processing, holding or use of personal information.96 It is the first document to define Privacy by Design as a legal obligation. Article 25 provides that ‘the controller shall […] implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing […]’. Despite the high hopes invested in this provision, its concrete implementation remains unclear due to the vague caveats to the scope of the obligations of the data controller.97 In addition, the Asia-Pacific Economic Cooperation (APEC) Privacy Framework provides for the principle of preventing harm. The principle recognises that all means of regulating privacy—including technology, self-regulation and the law—must be designed to prevent privacy harm to individuals.98 In a similar vein to the new EU Regulation, the principle affords no specific rights to individuals and no concrete obligations are imposed on data controllers.99 It remains, therefore, to be seen how these principles will be formulated and implemented in the national context of EU and APEC member states. The APEC Privacy Framework retains its importance, if one bears in mind that APEC member states’ economies are located on four continents and account for one-third of the world’s population and almost half of world trade.
Privacy by Design policies cannot be effectively implemented and mainstreamed unless they are supported by appropriate technological security measures. Despite the business sector’s chronic reluctance to increase privacy-protection features,100 the post-Snowden arena provided a greater incentive, by transforming privacy into a business advantage. Silicon Valley’s leading companies (eg Apple, Google, Twitter, Facebook and Snapchat) concentrate their efforts on introducing device encryption and incorporating end-to-end encryption into online services.101 Google now tracks the encryption efforts—both at Google and on other popular websites by monitoring the progress made towards implementing HTTPS by default.102 Interesting synergies between human rights organizations, such as the Electronic Frontier Foundation (EFF), companies and other stakeholders in Internet governance are also forged with respect to transport encryption in the form of HTTPS: ‘Let’s Encrypt’ is an initiative that aims at setting up an HTTPS server and running a certificate management agent on the web server. Hewlett Packard, Facebook, the Internet Society, Cisco, Mozilla and Gelmato are some of the stakeholders involved.103
These initiatives have been received by states in an ambiguous fashion and one could say that state practice is in flux. On the one hand, data protection and other national authorities align with the need for security measures in order to ensure users’ privacy. For instance, Article 29 of the Data Protection Working Party strongly recommends the application of Privacy by Design and Security by Design, including cryptography, when designing and manufacturing technology.104 Moreover, states impose specific obligations on data controllers to ensure data security in order to avoid privacy breaches. The US Federal Trade Commission has sanctioned companies for having insufficient data security.105 The French Data Protection Authority has imposed fines on companies for violations of the security and confidentiality of their customers’ personal data, on the basis that they did not provide secure access to the Internet or had not implemented HTTPS (encrypted) or other security protocols.106 Recently, the UK Information Commissioner Office has released updated guidance on the use of encryption stressing that encryption software should be used and that if data breaches occur where encryption was not used regulatory action may be pursued.107
On the other hand, and in contradiction to the aforementioned, states are divided as to whether they should regulate encryption and anonymity tools. The current, highly politicized debate in the US nencrypted iPhones or the issue of accessing WhatsApp encrypted instant messaging in Brazil108 are the tip of the iceberg. States, including Russia, Morocco, Pakistan and Iran, have banned the use of encrypted communications altogether.109 Against this backdrop, Germany and the Netherlands are two of the few states strongly supporting end-to-end encryption.110 Interestingly, Germany has released the ‘Charta for Strengthening Confidential Communication’ stressing that encryption should become a standard for the masses in their private communication.111 It seems that for the majority of states adopting a position is work-in-progress, which could be a positive indicator of subjecting possible changes to debate. The US after many back and forths decided (for now) that it will not regulate encryption; the Indian government withdrew a draft encryption policy after public uproar over the proposed measures;112 and France seems to have abandoned its plans on banning Tor and other anonymity mechanisms.113 Encryption in communications is unlikely to be banned. Similarly, suggestions to build ‘backdoors’ into systems or purposeful weaknesses that can be exploited to gain access have been officially dropped, although informal discussions with the private sector are on the table regarding granting access to unencrypted data or undermining data security and privacy. Most states, including China, France, the UK and the USA, opt out for the ‘moderate’ position of introducing targeted decryption orders.114
From a human rights law point of view, restrictions to encryption and anonymity as enablers of the right to privacy and freedom of expression must meet the well-known human rights three-part test: any limitations need to be provided by law, serve a legitimate aim and conform to the necessity and proportionality requirements.115 Moreover, when states request disclosure of encrypted information procedural and judicial safeguards should be in place, including a judicial warrant. There is also merit in the argument that states have the positive obligation under the right to freedom of expression and the right to privacy to actively promote and facilitate security of online communications.116 If such an obligation is read into the scope of these rights, the scrutiny of states’ regulation of encryption and anonymity could be raised to a higher standard. Overall, the relevance of the international human rights law framework is noteworthy so that a clear point of reference is provided for policy-makers and judges on a universal level. Relying solely upon domestic law guarantees ignores the existing international safeguards and hinders their progressive development. Threats to privacy online are not anymore a matter to be framed and discussed in terms of (western) democratic and non-democratic states, as it is being presented.117 Such distinctions are informative but they do not accurately reflect state practice and, therefore, they are meaningful to a certain extent.
To sum up, from a technical point of view, privacy protection is no longer a mere concern, but is now a guiding, structural principle of protocol design embedded into the DNA of the Internet and further disseminated to the deployment of Internet protocols. Privacy protection has become a thread running through the fundamental fabric of the Internet tapestry.118 Following IETF’s emphatic 2014 statement describing pervasive monitoring as an attack, and having demonstrated in this article the rigorous and systematic technical work in progress, it is reasonable to expect that the efforts to support Privacy by Design in the Internet standards will be further intensified.119 Internet standardization is not, however, watertight and compartmentalized from legal and regulatory developments. The development of Internet standards towards protecting privacy online and enhancing security of communications is in a symbiotic relationship with international human rights law and business practices.120 This also involves that Privacy by Design entrenched into the Internet’s technology and its impact to the Internet user is conditioned to how states will regulate Privacy by Design in law and how they will receive encryption and anonymity online.121
INTERNATIONAL HUMAN RIGHTS LAW 2.0: HOW THE TECHNICAL PERSPECTIVE ON PRIVACY INFORMS INTERNATIONAL HUMAN RIGHTS LAW
One of the main aspects of the international law discussion on privacy (vis-à-vis either the domestic protection of privacy or other international angles on privacy) is privacy’s status as an international human right. The added value that the international human rights paradigm brings is that it ‘provides the universal framework against which any interference in individual privacy rights must be assessed’.122 Online privacy as a human right concerns first the applicability and second the application of international human rights law to the digital environment. A series of recent developments in the United Nations has formally acknowledged that human rights apply online. The UN General Assembly, in its 2014 Resolution, affirmed for the first time that the right to privacy applies in digital communications and called upon states to respect their associated obligations.123 Similarly, the UN Human Rights Council has confirmed that the same rights that people enjoy offline must also be protected online, and has stressed that all states must address security concerns on the Internet in accordance with their human rights obligations.124 The Human Rights Council also established the mandate for the UN Special Rapporteur on Privacy.125 Turning to the application of the right to privacy online, the United Nations Office of the High Commissioner on Human Rights (OHCHR), the UN Special Rapporteur on the Freedom of Expression and the UN Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism have made important contributions in setting out the human rights law framework applicable to recent practices of states and other actors.126 They have underlined, in this respect, that mass or indiscriminate surveillance may be deemed arbitrary127 or even an inherently disproportionate interference with the right to privacy.128
Yet the discussion is flux. It is not clear whether the international framework needs to be updated in order to accommodate technological advancements or whether a dynamic interpretation of the existing body of law will suffice. Suggestions at the UN level include the adoption of a new Optional Protocol to the International Covenant on Civil and Political Rights (ICCPR) with regard to protecting privacy in the digital sphere,129 or that the Human Rights Committee revisit General Comments 16 and 31.130 Despite the possible usefulness of all the aforementioned ideas, one cannot fail to note that international law struggles to grasp and accommodate the concept and function of privacy in the online environment. This part argues that not only does the standardization work of the IETF operationalize privacy by design and enrich our perception of privacy; it also provides an opportunity to inform the mindset of the international lawyer. Few international and/or human rights bodies and international lawyers have substantially engaged with the legal implications of the Internet’s design principles and special features.131 The technical perspective on privacy, and the technical solutions to threats to privacy, should expand our legal imagination in terms of how the legal advisor argues on privacy, how the legislator articulates the interests at stake and how the academic and practitioner interpret existing law. The discussion that follows builds upon three examples which demonstrate the ways in which we could rethink our take on interpreting and applying international human rights law to privacy online. The first concerns the interrelation between privacy on the one hand and freedom of information and freedom of expression on the other, and how courts and legislators alike could take this interrelation into consideration. The second example addresses how the technical perspective could inform the policy-maker’s mindset with regard to certain values invoked as limitations to privacy. Finally, the third case study attempts to revisit the relevance of the location and nationality of individuals and/or data in the digital environment.
The Triptych of privacy, freedom of expression and security
Recent developments demonstrate that many states are openly subjecting the free flow of information and the Internet’s global reach to their national jurisdictions.132 These policies frequently take the form of introducing restrictions regarding data location and data export. The motivations driving such policies vary, but privacy is the primary justification put forward. States—ranging from Russia and Saudi Arabia to Brazil, Germany and France—argue for their right to ‘digital sovereignty’, invoking their citizens’/residents’ right to privacy, national security or even the development of the local economy.133
Addressing privacy as an intrinsic value for the integrity of the network provides informative insights on the human rights analysis. Protecting users’ privacy, and their trust in the network, is tightly interconnected to freedom of information and the interoperability of the Internet at a global level. In other words, within the context of ‘privacy as a technical issue’, freedom of information and privacy are interlinked, and states are not able to easily invoke privacy as a possible limitation to freedom of information and transborder data flows. In addition, a rigorous understanding of the value of privacy and trust from the technical point of view updates our comprehension of the complex relationship between privacy, security and freedom of expression. In the online environment, these interests are interconnected in a distinctive fashion when compared to the offline environment. In many instances, the effective protection of privacy is a precondition for ensuring network, national and international security as well as safeguarding freedom of expression.134 The UN Rapporteur on Privacy has already underlined the critical role of privacy online both as complementary to security and as an enabling right to other human rights.135
International and domestic bodies and courts should explore how this perspective informs legal reasoning in two respects. Firstly, the strong interconnection between privacy and freedom of expression can be taken into account when freedom of expression is assessed as a proportionate and necessary restriction to the right to privacy, and vice versa. This is all the more the case since certain international courts—for instance, the ECtHR—seem to be predisposed towards protecting the right to privacy to the expense of acknowledging modern pronouncements of freedom of expression online (eg re-use of or turning data and databases to readable and searchable formats).136 It would be also interesting to see how the ECtHR, in the Bureau of Investigative Journalism and the 10 Human Rights Organisations cases, will discuss the allegation that the generic surveillance conducted by GCHQ violated both the right to privacy and freedom of expression and whether it will read the interests in accordance with international legal and technological developments.137 Secondly, the symbiotic relationship between security on the one hand and privacy and freedom of expression on the other hand needs to be articulated in legal and human rights law terms. The fact that privacy and security can be mutually supportive goals entails that courts need to appreciate their interrelation in a non-conflictual fashion.138 Security measures that aim to strengthen the protection of privacy, including encryption, ought to be carefully assessed. Weakening encryption will have serious ramifications not only to the right to privacy and freedom of expression,139 but also to national and international security.140 In this regard, the role of national and international courts will be instrumental in articulating and, if necessary, balancing the respective interests in ad hoc cases as well as pronouncing on the compatibility of recently introduced pieces of legislation regulating or banning encryption and/or anonymity (discussed earlier) or implementing domestic surveillance programmes.141 The views of data protection authorities will also weight as Hamburg’s data protection watchdog proved with respect to the right to use pseudonyms online and preserve anonymity.142
Privacy and bringing values and cultural considerations into play
Furthermore, the human rights perspective brings debates on values and cultural diversity to the surface. Certain states contended, in a draft resolution to the General Assembly, that respect for human rights online, including privacy, should be balanced against the cultural considerations and social systems of all countries.143 Despite the fact that the HRC adopted the 2014 resolution on the right to privacy in the digital age without a vote, China, supported by South Africa, brought an oral amendment to the discussion of the draft resolution. The amendment concerned the inclusion of a paragraph in the resolution warning of the dangers that the Internet poses in terms of terrorism, extremism, racism and religious intolerance. Although the oral amendment was voted down,144 15 states supported the amendment, which makes it clear that there is no global consensus on Internet-related or privacy-related issues.145 Therefore, even though the human rights angle puts pressure on states regarding the protection of online privacy, it also brings considerations which are invoked to place limitations on the effective exercise of privacy rights and which are usually construed very broadly. In this way, legal regulation undermines the interoperability of the Internet.146
At the other end of the spectrum, the technical approach to privacy lays the basis for a less heated cultural debate and promotes a language that certain states would perhaps be more willing to accept. The technical perspective highlights the significance of users’ privacy to the development of the digital economy. The growth of the Internet depends on users having confidence that their private information is secure and, consequently, privacy online is not only a human right, but also an enabler of public trust in the network.147 Such a strategy can be persuasive when addressing policy-makers from specific regions of the world as well as when motivating law-makers in general to enhance legal and technical privacy safeguards.148 The International Conference of Data Protection, Privacy Commissioners and the European Data Protection Authorities as well as the APEC leaders have acknowledged the importance of safeguarding the integrity of the network as a value in itself.149 There is, however, merit in arguing that the technical approach to privacy deprives the discussion of its socio-political dimensions.150 It cannot go unnoticed that the human rights approach to cyberspace does not only refer to strictly speaking the applicability and application of human rights online but also introduces a ‘humanisation’ narrative of the Internet. This narrative brings in the mediation of power between State and individual and sets the parameters for defining the issues at stake or even prioritizing dissonant interests. Many state and non-state stakeholders endorse a rights-based approach to cyberspace. The NETmundial Multi-stakeholder Statement on the Future of Internet Governance devoted a section to ‘Human Rights and Shared Values’ and proceeded to proclaim that the Internet standards must be consistent with human rights.151 The Council of Europe’s Committee of Ministers has underlined (in the 2011 Declaration on Internet Governance Principles) the need for a ‘rights-based approach to the Internet’.152 ISOC also employed human rights language and discourse by welcoming the ‘formal endorsement of a rights-based approach for the Internet’. 153 To conclude, understanding and arguing for privacy could and should include different narratives and strategies highlighting different aspects of the discussion depending on the geographical/political context and the stakeholders involved.
The requirements of nationality and location of individuals (or data)
Safeguarding privacy as a sine qua non for the network’s proper functioning casts a new light on the discussion of the nationality and location of individuals as requirements under international human rights law. These questions do not seem to be entirely settled in human rights law and practice, despite the recent strong pronouncements by the UN High Commissioner for Human Rights and the UN Special Rapporteur on Torture.154 According to the technical viewpoint, neither the nationality nor the location of the individuals under surveillance is a critical—or even relevant—variable, since the Internet transcends national boundaries. A threat to users’ privacy, and consequently to the network, exists regardless of nationality or the geographical particularities in question. It is of particular interest that claims that have been regarded until recently as policy considerations at best are now raised as legal arguments before courts and other bodies, and are given great weight by judges and policy-makers, respectively. The work of Article 19, an international NGO dedicated to the protection of freedom of expression, is noteworthy. Article 19, in its oral statement to the Human Rights Council Panel Discussion on Privacy, argued for the human right to online privacy by adopting the technical community’s own mindset; it states that:
‘[w]here privacy online is threatened, trust in the Internet evaporates. Pervasive, untargeted and unchecked surveillance, including the interception, collection or retention of communications or meta-data, is a systemic and structural attack on the Internet, regardless of the nationality or location of the “target”’.155
Access Now and the Center for Democracy & Technology (CDT), in their amicus curiae briefs to US District Court of California regarding the matter of the search of an Apple iPhone seized during the execution of a search warrant, have devoted large sections of their arguments to the unintended detriment to end users, public trust in technology and digital security around the world, should the US Court decide to grant the Federal Bureau of Investigation’s request.156 These arguments have become legally relevant because we are now exploring and conceptualizing the legal implications of the nature of the Internet. The arguments underline the global implications of acts of state authorities even if these acts take place within a state’s territory. Clearly, although this does not entail that the nationality and location requirements under international human rights law became somewhat obsolete, such considerations and arguments inform a judge’s approach.
Conversely, a state cannot extend its jurisdiction outside its national borders by way of circumventing privacy protection. The US Supreme Court has recently approved a rule change that could allow law enforcement to remotely search computers around the world.157 Under the proposed change the government would be able to obtain a single warrant to access and search—essentially hack—any number of computers simultaneously regardless of their location or whether the users are a threat to national security or suspected of any crime.158 Such a practice not only subverts legal safeguards of privacy both in the US and in third states but also compromises the functioning of the network. It is difficult to anticipate how the unpredictable nature of government malware to infiltrate user devices will perform in the real world. Government hacking also broadly undermines the security of the global Internet.159 Similar suggestions for government hacking are being debated in the UK160 and the Netherlands.161 The execution of a US warrant to hand over a customer’s email stored in a data centre in Ireland is also an attempt to evade human rights law safeguards in the territory of another state by putting pressure on a corporation (Microsoft).162 It is true that data does not follow the predictable paths of the physical world and that the law and law enforcement need to keep up with the evolution of technology. The legal means to do so, however, need to serve transparency and respect international and national standards of online privacy. The use of means of transnational cooperation, such as Mutual Legal Assistance Treaties, is a preferable way of thinking the way forward in such instances.
Internet standards, set by the IETF and IAB, are not legally binding nor do they have the potential to evolve into something binding. Nonetheless, Internet standards, constitute a powerful regulatory force by framing, and to a great extent shaping, the user’s choices online. The discussion examined the computer engineers’ approach to privacy online. The IETF has declared in the most emphatic terms that mass surveillance and serious threats to users’ privacy are an attack on the reliable operation of the network. In this context, privacy online has an instrumental value as a necessary condition for retaining trust in the network. The IETF decided to integrate Privacy by Design into the core Internet architecture as a requirement when creating and updating standards. In this way, the level of privacy protection entrenched into technology is reinforced.
Three significant threads of the IETF’s ongoing work are the development of a privacy vocabulary, the creation of an encrypted web and the renewed focus on implementing Privacy by Design in all layers of the network. It was argued that the technical discussion of many aspects of privacy interacts in manifold ways with the legal and human rights approaches to privacy: they enhance each other’s understanding of the specificities of the online environment and they converge in their understanding of the meaning of interference in cases of surveillance or the protection of metadata to name a few examples. At the same time, the precise impact of Privacy by Design incorporated into protocols for the benefit of the end user is dependent on the practices of service providers on the application layer of the network and on state legislation. Currently, state practice is in flux regarding Privacy by Design as a legal obligation as well as the regulation (or the lack thereof) of encryption and anonymity tools that are indispensable to support privacy online.
Furthermore, the technical community’s approach to privacy issues is an opportunity for international lawyers to rethink how we articulate, and argue for, privacy online from the point of view of international human rights law. This is a pressing need given the fact that national and international courts and bodies are expected to play a significant role in scrutinizing interferences with and restrictions to the right to privacy. The distinctive interconnection between privacy and freedom of information/expression online; the symbiotic relationship of privacy and security in many instances; or the relevance of the users’ location and nationality, are issues that we need to consider seriously in legal reasoning and when conceptualizing and balancing the relevant interests.