Opinion

GDPR is a good start, but it’s up to us to protect our online privacy

GDPR might have started prompting change, but the current practices of internet giants needs we need to take our privacy seriously.

GDPR is a good start, but it’s up to us to protect our online privacy

Even if you didn’t read Kapilan’s article in last week’s Felix, the new General Data Protection Regulation (GDPR) will not have escaped your attention thanks to the barrage of emails you will have received over the past few weeks.

GDPR could have a profound influence on the future of the World Wide Web. Just as the Kyoto Protocol showed nations can come together to take meaningful action for the future of the natural world, GDPR shows nations can come together for the future of the cybernetic world. For too long the World Wide Web, originally a decentralized means of freely sharing information, has become centralized and monopolized by a few key players. The risks are demonstrated by countless data breaches, the worst revealed this year being the Cambridge Analytica files and MyFitnessPal cases. We each need to realise what information is being collected about us, and to take action not just as a society, but as individuals. Legislation alone is not enough to ensure that our information is not used to do harm – We must break up monopolies, change business models from profit to non-profit, and redesign our technology so it is physically impossible for information to be disclosed.

From allegedly influencing the outcome of elections (as in the Cambridge Analytica case) to revealing the location of secret army bases in Afghanistan (Strava, November 2017) breaches of data or the plain incompetence of centralized services are having real impacts on our society, right now. In the former the personal conversations and information of 87 million Facebook users was breached by a rogue questionnaire app without consent. This only emerged in March, three years after the event. In the latter, Strava released a map of every single route uploaded to their system – more than 3 trillion points. The map was sufficiently detailed to show routes uploaded by US soldiers in Afghanistan giving away sensitive information about the layout of military bases. Furthermore, the monopolization of global services by corporations tied to the laws of individual nations is harming competition and is inherently undemocratic.

Now is the time to think about exactly why your data are so valuable and what privacy these companies really can afford you. In particular, consider what data are collected about you and where they are stored. What information is collected by your FitBit? Do you trust the government of a country in whose elections you cannot vote to have power over sensitive information about you – say, about your sexual orientation? This is where GDPR comes in. Under GDPR, you are granted several important rights. GDPR gives you the right to object to your personal data being processed for marketing purposes. Furthermore, it allows you to obtain access to these personal data and to have them erased when they are no longer needed. GDPR also gives some further rights and imposes heavy penalties on organizations for not complying or if their user’s data is breached.

Your Rights under GDPR

As stated on the EU commission’s website under GDPR you have the right to:

  1. information about the processing of your personal data;
  2. obtain access to the personal data held about you;
  3. ask for incorrect, inaccurate or incomplete personal data to be corrected;
  4. request that personal data be erased when it’s no longer needed or if processing it is unlawful;
  5. object to the processing of your personal data for marketing purposes or on grounds relating to your particular situation;
  6. request the restriction of the processing of your personal data in specific cases;
  7. receive your personal data in a machine-readable format and send it to another controller (‘data portability’);
  8. request that decisions based on automated processing concerning you or significantly affecting you and based on your personal data are made by natural persons, not only by computers. You also have the right in this case to express your point of view and to contest the decision.

Companies found to be in breach of GDPR are subject to a maximum fine of €20 million or 4% of global annual turn-over

§

Organizations are taking GDPR seriously. That barrage of emails and popups may be annoying, but it is a sign that companies are concerned about not complying.

However, GDPR cannot protect personal information from being collected or guarantee it will not be compromised. Most websites on the World Wide Web today rely on personalized advertising in order to provide a free service, and therefore people have no option but to accept the status quo to continue to use the Internet. How can we know when you toggle a button on a website your choice is taken into account? Do you know in what form information about you is stored?

Furthermore, many apps and websites continue to collect sensitive information even if the most stringent privacy settings are enabled. Many advertisers claim to offer the option to opt-out of personalized advertising, but they make it as difficult as possible to do this. There are exceptions. MakeUseOf, for instance has a very clear interface which lets you toggle off the collection of data. However, most users who are sufficiently concerned use an adblocker which denies revenue to the website. They do so because it physically prevents the transmission of sensitive information so it gives them peace of mind. As it stands today, the World Wide Web is designed so copious amounts of sensitive information are collected in a manner not possible two decades ago. We have not had time to get an intuition for what risks we are taking when we use the World Wide Web.

As long as personal information is collected and stored in form to which a single organization has physical access , there is always a risk that it will be abused, whether that be due to hacking, interference from the government of the country where the infrastructure is located, or for the sake of making a profit.

As Francis Bacon said, knowledge is power. Information is knowledge. Knowledge about how people behave gives power to influence future behaviour. Today the power of information collected by websites and apps is largely used to influence our shopping habits through advertising. However, this power could be used to engineer society to various political ends. Legislation such as GDPR is like a soft measure against someone with access to data and a lack of moral compass crossing the Rubicon and turning the data against the users’ best interests. We should consider whether we need to redesign the World Wide Web to make it physically impossible for the data to be compromised.

One solution is to treat services such as social media platforms as crucial infrastructure, and divide up their administration among independent organisations. This would come at the advantage of greater robustness as well as security, since there would no single point of attack. An example is the social media network Diaspora as a replacement for Facebook, in which you can establish your own “pod” which manages data.

The primary issue with this option is that of apathy amongst Internet users. Social media have an inherent tendency to monopolization, because their value is increased by each user who joins the network. This makes the GDPR’s requirement for data portability rather weak, since there is no equivalent service where you can pack up bags and go if you are unhappy.

Another option would be to make a change in business model so as not to rely on personalized advertising, which would resolve the conflict in interests between the user and data holder. Large-scale voluntary collaborations such as Mozilla, Wikimedia, and the open-source instant messaging app Telegram demonstrate these are scalable and sustainable solutions. Alternatively, users could pay a monthly subscription fee for access to services like apps or websites, which would then be divided among the websites based on their usage. This idea already has immense traction – it is precisely what Spotify does for music and Netflix does for film.

Finally, new decentralized systems are currently being developed by the likes of MaidSAFE and InterPlanetary File System (IPFS) in which users contribute computing resources to the network (like Bit Torrent) and are rewarded using a blockchain-based currency. Such systems would reward the content creators (i.e. the users) and those who contribute data storage or computing resources to the network. With the costs to companies which base their business on surveillance for inevitable data breaches justly imposed by GDPR, this seems increasingly the more viable option.

GDPR is a fine achievement of European politics. The combination of clear guidelines, robust implementation, and a genuine commitment is making already making a real change to the attitude people and organizations have about privacy. The centralization of the World Wide Web is an unnecessary risk to the health of our society, concentrating knowledge which could be used to influence peoples’ behaviour in the hands of a small number of organizations.

We need to take action, using our rights to make sure the World Wide Web does no further harm to society. As a society we need to rethink the business models behind the services we use , and redesign technology so as to ensure that our data cannot be breached in the first place by replacing our current centralized systems.

As an individual, take the opportunity now to find out what information services collect about you. With exams over, why not download your Facebook data and play around with it if you are so inclined? Furthermore you do not have to agree to the terms and conditions if you are uncomfortable! Why not support efforts to make the web more open and try an alternative service such as DuckDuckGo instead of Google, or Telegram instead of WhatsApp. For more ideas on what you can do see below.

What you can do?

  1. Take a moment to review your privacy options over the next few days in your apps. Get to know what information is collected about you and if you can disable it.
  2. You don’t have to agree to the terms and conditions. Instead of Google, OneDrive, and WhatsApp why not try DuckDuckGo Search, CryptPad, or Telegram, which offer equivalent services for free but do not collect unnecessary amounts of personalized information. The website “PRISM Break” has further suggestions.
  3. Take part in making a better web. Are you are interested in the effects of technology on society? Would like to be involved in raising awareness? Do you have an interest in building a better Internet? If so, please contact artur.donaldson15@imperial.ac.uk.