Some governments don't want to discuss mass surveillance

Joe Cannataci was appointed by the United Nations in July 2015 as the organization’s first ever Special Rapporteur for Right to Privacy. His appointment came amid growing global concerns about threats to privacy in an age where corporations and governments collect mass data.

Cannataci talked to #mediadev on the sidelines of the Internet Governance Forum in Brazil, where leading experts had gathered to discuss the future of the Internet and Internet policy.

#mediadev: Many people criticize social media such as Twitter and Facebook because of their privacy policies. On the other hand, everybody is using social media to connect. As the UN Special Rapporteur, what is your take on this kind of schizophrenic situation?

Joe Cannataci: This is something we don't find only with reference to Twitter and Facebook. In a lot of the research we have carried out over the past five years, we have been trying to evaluate the perception of citizens compared to their behavior. There is clearly something very strange happening. People tell you that they value privacy. They tell you there should be a law about privacy and that they are unhappy if their data is shared. But then they behave in a different way. Whether it is schizophrenic or not, I don't know but it is certainly an interesting phenomenon.

But I am not convinced that so many complain about Facebook or Twitter's privacy policies because the evidence we have is that they don't read them. When we ask, “do you read the privacy policy?” in many cases it would appear that 80-85 percent don't read them. And out of the tiny minority who do read them, only 11 percent claim to understand them. So reliance on consent to process personal data in such cases is not advisable since the consent may be explicit but it is not informed. We are looking at an Internet era where most people don't read privacy policies and lots of people are not aware of the exact extent to which their data – and especially their transactional data and meta-data – are being used. That is something we need to fix – the awareness of the exact way data is being used and their implications for privacy. Once people understand better how their personal data is being used then it is likely that they will become more sensitive about its use.

Everybody is talking of privacy but what exactly are we talking about? What would be your notion of privacy?

As J.B. Young said in 1978, “privacy, like an elephant is perhaps far more readily recognized than described.” I would like to make it clear that I am not attempting any new definition here, but I would say that, in its modern context, privacy needs to be taken as a fundamental human right, together with two other rights which are freedom of expression and freedom of access to publicly held information. These three rights together are the tripod on which rests an over-arching fundamental right recognized by some countries as the right to free, unhindered development of personality.

Today corporations have monetized privacy, or rather monetized personal data. Corporations make personal data part of their data-driven business model and they put this in very fine print in their privacy policies. Governments have also taken personal data as part of their business model – in security. And this snooping on citizens makes us say, “wait a minute, when exactly did governments and corporations have an open structured debate with citizens in order to ask if this the kind of society we want to live in.” Because this didn't happen.

Instead we have had an organic development of business models both in terms of corporate business models using personal data and government surveillance business models. And then all of a sudden, we have what Peter Squires calls “the golden age of surveillance” and it is a bit difficult to reclaim privacy. It is difficult to go and tell companies, “hey, you are making hundred of billions every year with my personal data. I think we should change the business model.”

Are you suggesting the business model of these companies is not really compatible with privacy.

I am suggesting it needs to be revisited, possibly even from a perspective where companies compete with each other in terms of how much privacy they provide to their customers. Some companies already actively promote themselves as champions of privacy – they advertise themselves as using encryption as a means of securing data, saying, “your data is secure with us.” They are doing this to gain competitive advantage and that is a very interesting development to where we were two or three years ago.

But when we look at governments, they are not saying the same thing. Governments in Europe are increasingly bringing in laws that legitimize the state of affairs when it comes to surveillance. That is not necessarily a healthy thing. One of the key questions that need to be asked is: is that surveillance proportionate? Is it indeed cost effective? Is this the right way to achieve security?

Nobody would want to complain about living in a secure society. We want to have a secure society and we want to have a secure Internet but that does not mean that the gathering of too much personal data on the Internet is the right way to go. Gathering too much data could be an unacceptable risk for the individual. Therefore each proposal to use personal data must be examined very closely with a privacy impact assessment.

What would you consider then the major threat to privacy at the moment?

At the moment, we live in a strange kind of society where if I buy a mobile phone on the Internet: If I live in Europe, I have consumer rights and I have a two-year warranty and I have European law that assures me of my rights. I have this thanks to a European directive which guarantees the consumer shopping on the Internet the same conditions and the same safeguards anywhere in the European Union. The same types of guarantees and remedies without borders that apply to consumer goods in Europe do not apply to privacy on the internet.

If we are living in an Internet without borders, citizens could reasonably expect to have safeguards without borders and remedies across borders. Whereas currently, one of the biggest problems we have is that the safeguards are local and if there is a remedy, it remains very much a local remedy.
In addition, one of the things we have discovered in our research is that very often when people speak about privacy, they are also concerned about an abuse of their privacy leading to a diminishment or a loss of reputation. People want to protect their reputation. And can they do that in a cost effective manner online? The answer is no. So the notion of having a mechanism to protect your privacy, having a mechanism to obtain a remedy for the infringement of privacy or for the diminishment of your reputation across borders does not yet properly exist. We are still stuck in the days of territorial boundaries and that certainly needs to be changed.

You were assigned in July 2015 as the UN Special Rapporteur. What do you plan to make of this opportunity?

The first thing I would like to do is to listen very carefully – for the length of my mandate but especially for the first year – to what all the different stakeholders think. It should be clear that stakeholders are not only civil society but also security and intelligence services and law enforcement agencies, who have a very legitimate function in society. They help, or should help, protect us from a number of problems and we should do our best to ensure that they can also function. But functioning properly is one thing and gathering data which is disproportionate to the risk is another. So I want to listen very carefully to all the stakeholders.

I also think that we need to invest a fair amount of work in expanding, improving and deepening the international understanding of what privacy is because many people in different countries have different concepts of what privacy might be. And so as a point of action on our to-do list, I think we should look at Article 12 of the Universal Declaration of Human Rights and Article 17 of the ICCPR (International Covenant on Civil & Political Rights) and develop it further in order to understand and improve the definition of privacy. Because neither the Declaration nor the Covenant have a definition of what privacy actually is.

I think we should also look at existing legislation and legal instruments and the possibility of developing new legal instruments. Let us, in some instances, look at the European model to inspire ourselves for possible developments across the world globally. Europe has a Convention of Human Rights, which contains principles fairly similar to those of the Universal Declaration of Human Rights but the Europeans did not stop there. In 1981, they launched the European personal data convention because they realized that the European citizens, governments, and corporations needed more detailed guidance so that privacy could be better protected in the computer age. What is happening is this. We have very rapid development of technology and this rapid development changes the context. So it is no longer enough to say you have the right to privacy. Now you need to say, you have the right to privacy and in this context this is the best way to protect it and when context changes, the principles remain the same but the detailed guidance must keep up to date. Thus when the police are using your personal data for one purpose, these are the rules. When you have hospitals which are going to use your data for another purpose, these are the rules. And when you are on the Internet, these are the rules. And this is also part of the discussion that needs to take place within the Internet Governance Forum.

And are you optimistic about achieving this?

Yes, I am very optimistic. I am optimistic because after so many years in this business, I have seen us achieve things which people thought we would never achieve. One of the things that needs to be done next is that in the same way that we have seen framework conventions about, for example, climate change, we can tackle Internet governance. But a framework convention on Internet governance should not only protect privacy. Freedom of expression and reputation need to be protected, too. Writing a new international treaty will be even more difficult because of the issues of surveillance, espionage and cyberwar. Currently, we are in a situation where some governments don't want to discuss mass surveillance because they are doing it. But many more governments want to discuss mass surveillance. So what is going to make a difference?

I am confident that a reliance not only on law but also on technical measures may help people find a sensible compromise. In this, I refer also to encryption. The more people use encryption, the less valuable mass surveillance will become and that should make governments realize that is much better to act together in cyberspace for security and in the interest of citizens. This also would help improve the chances of peace in the world. Cyberspace risks being ruined by Cyberwar and Cybersurveillance but Governments and other stakeholders should work towards Cyberpeace. Privacy protection is also part of the Cyberpeace movement. That is another dimension of the on-line privacy debate. It will be a long process but if you don't start it, you won't finish it.

So my message to the Internet Governance Forum is, let's start it. Because it seems as if there is no other way in international law. How did we handle a law of the sea? By having a treaty of the law of the sea. How did we handle the space we call outer space? We have a law about space. How did we handle climate change? We continue to develop an international treaty on climate change.

What is holding us back from properly and adequately regulating the space we call cyberspace? We have problems of jurisdiction there, we have problems of territoriality there, how are we going to provide safeguards and how are we going to provide remedies for the citizen in cyberspace?
Part of the sensible way forward to resolve these problems is to have an international framework convention that helps us. It is not the only way forward and I am not saying it is a silver bullet. But it is one of a package measures which, together with technical safeguards, a better definition of privacy, and the use of existing laws and improving existing laws could make a better package for the citizen.

You really sound optimistic...

Yes, I am optimistic because there has never so much interest in privacy as there is in 2015. The case of the Internet is a bit like the invention of the motor car. First we invented the car and then we made it go faster. Then we saw a lot of people being killed so then we thought it was time to make it safer and we added safety belts and air bags and crumple zones and took out the sharp interiors and added padding. The Internet to a certain extent is the same thing. We have now invented the Internet and now we have to improve safety on the Internet. Let's find the equivalent of airbags and safety belts and crumple zones. Let's find everything we can do to make the Internet safer for everyone.

As well as being the UN's first Special Rapporteur on Right to Privacy, Joseph Cannataci is full Professor holding the Chair of European Information Policy and Technology Law at the University of Groningen in The Netherlands. He is also Head of Department of Information Policy & Governance at the University of Malta and an adjunct Full Professor at the Security Research Institute at Edith Cowan University in Australia. He has served as an expert on privacy, data protection, the Internet and cybercrime for the Council of Europe, the European Commission and UNESCO.