“Know the past, secure the future – ignorance in history is the gateway to cyber warfare”

Introduction

Privacy is a crucial concept in the modern world for a variety of reasons. It enables individuals to retain control over their personal information and how it is used and processed, which is essential for maintaining their autonomy, dignity, and security [1]. Moreover, privacy is frequently intertwined with concerns of power and inequality, and it can be a critical instrument for rebalancing power between major companies and individuals or for protecting individuals and marginalised communities [2]. Privacy can be defined differently depending on the context, but it generally refers to an individual’s capacity to determine who gets access to their personal information, thoughts, and actions [3].

This article provides a brief history of privacy, in addition to an examination of its contemporary concerns with regard to individuals, organisations, and states. It will conclude with a discussion of privacy regulations as they pertain to addressing these concerns, followed by a description of different alternatives to addressing these issues more effectively.

How has the concept of privacy changed over time?

The concept of privacy has evolved and changed throughout history, and it continues to evolve today. As society has become more industrialised and technology has progressed, the concept of privacy has grown in significance. A greater emphasis has been placed on protecting personal privacy and data, with many data regulations being approved and revisited constantly to further support the concept of privacy.

Aristotle’s Politics

Some believe Aristotle’s Politics to be one of the earliest references to the private domain and one of the earliest instances in which the concept of privacy is stated, circa 350 B.C.E. In his writing, he makes a clear distinction between the oikos (private family life) and the polis (in the public realm). Aristotle characterises the former as a mixture of three hierarchies: master and slave, husband and wife, and father and son. Equally, discussing polis, he contends that it is the result of coupling diverse private family units, and hence placing the public state before to the private individual [5].
Of course, nowadays, several notions have changed since then, such as the relationship between husband and wife, which has evolved towards a partnership and continues to do so, reinforcing the concepts of gender equality in terms of rights, responsibilities, and respect, all of which support personal privacy.

Early privacy definition changes

In December 1890, Harvard Law Review published The Right to Privacy (by Samuel D. Warren and Louis D. Brandeis), which pioneered in the Unites States a discussion around the concept of the right to be left alone, and entertained new points such as the law of defamation, where, even in absence of visible physical damages, compensation shall be allowed for injury for feelings as in the action of slander and libel [6]. However, the door is left open to where the limit of the state’s control on privacy should be drawn – Shall the courts thus close the front entrance to constituted authority, and open wide the back door to idle or prurient curiosity?

Shortly after, in 1967, Alan Westin’s Privacy and Freedom first founds the concept of the social value of privacy, which enables individuals and groups in society the preservation of autonomy, the release for role- playing, a time for self-evaluation and protected communications, a growing concern following its technology’s rapid evolution [7].

Complimentary to previous definitions of privacy, Ferdinand Schoeman in 1992 added the aspect of human dignity, autonomy, and freedom in his paper, where he defended the views of privacy divided into two categories: coherence thesis (there is something common to most of the privacy claims) and distinctiveness thesis (privacy claims are to be defended morally) [8].

Privacy’s role in early protection laws and vice-versa

Early protection laws put in place to defend the privacy of individuals and their houses date back as early as 1361 in the United Kingdom with The Justices of the Peace Act, where a Breach of the Peace happens when there is actual intentional damages to one’s property during their presence [9].
Later, in 1789, the U.S. Constitution, although not explicitly guaranteeing the right to privacy, mentions such a right in the First, Third, Fourth and Fifth amendments, against unreasonable searches and seizures [10]. Shortly after, in 1948, the United Nations’ Article 12 drafted the UDHU (U.N. Declaration of Human Rights), where: no one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks [11].

Since then, the concept of privacy, especially relative to the individual, has consolidated further as a human right, a pivotal building stone and an essential precedent to the advent of technology’s rapid growth.

Privacy in brave new worlds

As opposed to George Orwell’s dystopian novel set in 1984 and written in 1948 about the existence of a super-state whose inhabitants completely lacked their rights to privacy [12], the parallel proliferation and exponential growth of multiple technologies (computers, internet networks, mobile phones, etc.) awakened the need to better define online privacy and showcased the ever-evolving nature of these technologies. One of the first countries to support the right to online privacy through data protection laws was France, with Article 3 of the law of 6th January 1978, which triggered the digital rights movement that year, and states that every person has the right to know and to contest the information and the reasoning used in the automated treatments whose results are opposed to them [13].

Furthermore, the introduction of smart phones, next-generation computers, internet’s next evolution of infrastructure worldwide, IoT and smart wearables, together with their fast adoption, showcased that the existing legislative and regulatory system, instead of protecting the individual, organization, and state by default, it was rather playing catch-up with how these technologies were being used to exploit data and information.
As a reflection of such, one of the most impactful regulations that were drafted to support the concept of privacy was the European General Data Protection Regulation (GDPR) in 2016, which, outlines the breadth of personal data and provides a broad definition of data processing. Nowadays, the GDPR has inspired many other derivatives of the privacy law, such as UK’s own Data Protection Act, newer versions of EU’s ePrivacy Directive or Ukraine’s most recent Data Privacy Reform on June 2021 [11]. It proposes the creation of an independent government agency responsible for both policymaking and its enforcement, reinforcing data’s privacy.

To resume the above, the precise significance and meaning of privacy may vary from person to person and culture to culture, it remains a fundamental right that is essential to our personal and social well-being and encompasses both the boundary between the self and others, as well as the ability to control what to share [14]. It is important to highlight that, given the inherit differences between the physical realm and the ever- changing digital cyberspace, current and future definitions around the concept of privacy are going to be constantly challenged, as new technologies arise (virtual reality, cerebral implants, etc.), together with the directives and regulations required to further support online privacy.

What are the challenges of personal privacy in today’s online world?

Individuals, organisations, and states might have vastly different objectives and concerns regarding privacy. Privacy is frequently a key priority for individuals, as they wish to preserve their personal information. In contrast, organisations may emphasise the security of their systems and the protection of their intellectual property over the privacy of individuals. Parallelly, it is important to note that both organizations and states

might take into their advantage different techniques that strengthen the psychological notion of data security and privacy. In today’s modern and information driven world, there have been several examples that represent nicely the challenges between the costs, benefits, incentives, and trade-offs that individuals, organizations, and states constantly must balance, which will be explained in greater detail below. These include the Snowden Revelations, and the Web3 (public ledgers, DeFi, etc.) implications.

Snowden Revelations

Edward Snowden’s leaks have had a significant impact on the concept of privacy, especially how individuals, companies, and states perceive it. Prior to Snowden’s revelations, many individuals may have believed that their personal information and communications were mainly private. His leaks revealed that the NSA was collecting massive amounts of data on individuals, including their emails, phone calls, and online activity [15].

For individuals, the loss of privacy can have substantial personal and psychological repercussions. For firms, surveillance can incur economic costs, such as decreased production and creativity, as well as brand harm if their consumers and clients view them as untrustworthy or as violators of their privacy. The costs of surveillance for states and their potential international sanctions might include the expense of building and maintaining the requisite surveillance infrastructure [16].

However, there are potential advantages to surveillance, particularly for governments and organisations. For states, surveillance can give intelligence that can be utilised to safeguard national security and prevent crime and terrorism. For organisations, surveillance may give significant insights on customer behaviour and preferences, which can be leveraged to enhance goods and services and gain a competitive edge.

In the debate over monitoring and privacy, incentives and trade-offs are also crucial considerations. The motivation for individuals to safeguard their privacy may include a desire to keep control over their personal information and avoid illegal access to it. The need to preserve the confidence and loyalty of consumers and clients may motivate firms to safeguard personal information. The motivation for nations to engage in surveillance may stem from a desire to safeguard national security and prevent crime and terrorism. Nevertheless, these motivations must be weighed against the potential costs and trade-offs involved, such as the potential loss of privacy and the potential harm to reputations and relationships.

Overall, Edward Snowden’s revelations have had a significant influence on the idea of privacy and have increased awareness of the possible costs, benefits, incentives, and tradeoffs involved in surveillance and the protection of personal data, further challenging the shortcomings of personal online privacy in today’s world if combined with the perceived unlimited power of different states when it comes to online personal data privacy.

Web3

Web3 is the new, more secure, pseudonymous, and decentralised version of the internet. It is powered by blockchain technology, which is decentralised, immutable, permissionless and interoperable, with the goal of leveraging and implementing advancements in other technologies like AI or VR.
Regarding the individual, it is important to highlight that this technology is not anonymous, but rather pseudonymous, which plays an important distinction when it comes to privacy. On the other hand, in Web2, individuals are forced to give up their personal information and its processing control to the governing organizations, even though these organizations must comply with data protections laws and regulations, such as the European GDPR, which includes the right of data erasure. Contrary to the latter, in Web3, given the blockchain’s immutability property, it might prove impossible for the user to delete their data once it has been uploaded and validated by the network’s nodes.

Parallelly, regarding an organisation’s use of Web3, DAOs (Decentralised Autonomous Organisations) benefit from significantly faster and lower transaction fees, due to the innate ability to transfer money within the blockchain, as well as the lack of a potentially abusive and monopolistic central banking entity. However, the blockchain’s more complex and difficult technology may raise the total cost of development in an organization. Its self-governing control mechanism through smart contracts that are publicly available, together with its permissionless access, make it relatively easy to incentivise users and organisations to become early adopters and use this new technology. Finally, in terms of trade-offs, a bug in a smart contract might prove deadly, like YAM’s DAO, which killed the entire organization is less than 48 hours [17].

Furthermore, with the traditional internet, states have the power to obtain, store and process large amounts of personal information on their citizens, which can be used for surveillance and control. However, Web3 makes it harder for states to identify the individuals behind certain transactions, should they wish not to be identified, thanks to the pseudonymity attribute of the blockchain technology. Nevertheless, the states could theoretically be able to link every individual behind public addresses, by issuing blockchain-based passports and adopting cryptocurrencies as valid national currency [18].

Overall, Web3’s privacy advancements will provide individuals, organisations, and governments greater control over their online data.

How does modern privacy regulation address these challenges?

To briefly outline and pinpoint the key parameters that have proven to be challenging when it comes to online privacy, there are five concerns that must be addressed through regulations: extent of personal data, data controllers, data subjects, data processors and scope of the regulation in question. Three main regulations will be presented that support and tackle these five concerns, namely EU’s GDPR, California Consumer Privacy Act, and Canada’s PIPEDA. Equally, their shortcomings and how adequate they are at solving the issues at hand will be discussed, followed by a small conclusion with potential better approaches.

EU’s GDPR

The EU’s General Data Protection Regulation (GDPR) was first implemented in 2018 to safeguard the online privacy and data of any individual by regulating the scope of data processing capacity within European cyberspace. Ironically, the GDPR library has just one reference to privacy, which relates to another rule known as the ePrivacy. Regarding the scope of personal data and data processing, the GDPR takes a somewhat expansive stance. For the former, it includes any information pertaining to a recognised or identifiable natural person, as well as the collecting, recording, structuring, and storing of such information. This greatly enhances an individual’s possible defence against privacy abuses [19] by either states or organisations (data controllers). Moreover, a tangible illustration of how the GDPR handles these main areas can be found on all websites that process online data in Europe, with clear, brief, comprehensible, and easy-to-read pop-ups that are accessible to all users to read and approve or reject. This might be taken even further by requiring an equal number of clicks for affirmative and negative responses when accepting the terms and conditions. Unfortunately for the latter, there have been a considerable number of online businesses that make their forms appear compliant even when they do not follow these regulations. On the organization’s side, many businesses owners regard to this legislation as “high pain, no gain” due to the minimal, if any, benefits of using GDPR, particularly for marketing executives (working with massive amounts of data) and SME (small and medium-sized enterprises) demanding a GDPR-lite version.

In conclusion, although the EU’s GDPR is heavily focused on giving back control to the individual (regarding data collection, processing, storage, etc.), it has also strongly encouraged businesses to rethink their internal IT infrastructure and their true need to collect additional data for later use, both of which benefit the user. This is further reinforced by the heavy penalties neglecting corporations incur, up to twenty million Euros or four per cent of their annual revenue, whichever proves higher.

California’s Consumer Privacy Act

The California Consumer Privacy Act of 2018 (CCPA) is a California privacy law that became effective on January 1, 2020. It is intended to prevent organizations from collecting and selling the personal information of California residents without their consent.
The CCPA governs the collection of personal information by California-based businesses. It defines personal information as any information that directly or indirectly identifies, refers to, characterises, is capable of being associated with, or might reasonably be related to a specific consumer or household. This consists of information such as names, addresses, email addresses, phone numbers, and IP addresses.

Companies that gather personal information are deemed data controllers under the CCPA. Data subjects are the individuals whose personal information is being gathered by these businesses. Companies or persons that handle personal information on behalf of data controllers are known as data processors.

The CCPA grants Californians the right to know what personal information is gathered about them, the right to have their personal information destroyed, and the right to opt out of the sale of their personal information. It also requires data controllers to offer notice to consumers regarding the collecting of their personal information and to let consumers to opt out of the selling of their personal information.

Overall, the CCPA is an important step towards tackling privacy issues in the digital age. It gives California citizens more control over their personal information and more visibility into how their data is gathered and utilised.

Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian federal privacy legislation that regulates the collection, use, and disclosure of personal information in connection with commercial operations across the country. Individuals have the right to access, challenge, and update their personal information maintained by organisations.

Under PIPEDA, data collectors are entities that collect, utilise, or disclose personal information. Before collecting, processing, or disclosing the personal data of individuals (known as data subjects), these entities must seek their consent. This implies that data collectors must be honest about their purposes for collecting personal data, and that data subjects must be informed and allowed to make an educated decision regarding whether or not to provide consent.

PIPEDA also puts requirements on data processors, or businesses that process personal data on behalf of data collectors. Data processors are expected to adopt suitable technological, physical, and administrative protections to secure personal information, and they must only process personal data in line with the data collector’s instructions.

PIPEDA is intended to preserve the privacy of individuals’ personal information and make companies accountable for how they handle such information. It applies to data collectors, data subjects, and data processors, and it helps Canada solve several modern privacy concerns.

Are these adequate?

Modern privacy regulations aim to address the challenges of personal privacy in the current online environment by establishing clear rules and standards for the collection, processing, use, and disclosure of personal information and by granting individuals certain rights in relation to their personal information. This ensures that people’ privacy is maintained and that they have choice over how their personal information is used and shared. If online privacy is to remain a priority, it will be crucial for the next generations not to lose sight of these ideals and to ensure that the future does not ever resemble Orwell’s 1984, whether it is Web2, Web3 or beyond. Equally, these regulations might need to be even more restrictive on data collection, given the advancements in future mathematical and computational models, able to identify individuals from large collections of diverse datapoints.

Are there any other better approaches?

The General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the Personal Information Protection and Electronic Documents Act (PIPEDA) are all key privacy rules designed to safeguard the personal data and privacy of persons. Nevertheless, there may be more techniques that may be explored as alternatives to or enhancements to existing regulations.

A potential alternative to current restrictions may be a worldwide privacy legislation that applies consistently to all companies and individuals, regardless of their location. This will eliminate the need for varying privacy laws across countries and create a standard and predictable framework for data protection and privacy. The use of privacy-enhancing technologies, such as encryption, anonymization, and pseudonymization, might be an alternate strategy for protecting personal data and preventing illegal access, disclosure, and abuse. This would move the focus from regulatory compliance to technical solutions, which might increase the security and privacy of personally identifiable information, by using blockchain-technology or equivalent.

A third possible method may be to offer individuals greater control over their personal data via personal data stores, data trusts, and other mechanisms. Individuals would be able to manage and control their own personal data, rather than depending on corporations to do so.

Overall, despite the future’s unpredictability and as an attempt to make it rhyme with current modern successful regulations, placing the individual’s right and interests to online privacy before any other larger organism’s might be a good start towards building and ensuring a better future.

References

1. [1]  R. Mahieu, N. J. van Eck, D. van Putten, and J. van den Hoven, “From dignity to security protocols: a scientometric analysis of digital ethics,” Ethics Inf. Technol., vol. 20, no. 3, pp. 175–187, Sep. 2018, doi: 10.1007/S10676-018-9457-5/FIGURES/8.

2. [2]  “Privacy Technologies, Law and Policy.”

3. [3]  “What is Privacy.” https://iapp.org/about/what-is-privacy/ (accessed Dec. 05, 2022).

4. [4]  Dr. Michael Veale, “Privacy Technologies, Law and Policy,” 2022.

5. [5]  “Lessons from the Greeks: Privacy in Aristotelian Thought.”

   https://www.priviness.eu/blog/lessons-from-the-greeks-privacy-in-aristotelian-thought

   (accessed Dec. 06, 2022).

6. [6]  “Warren and Brandeis, ‘The Right to Privacy.’”

   https://groups.csail.mit.edu/mac/classes/6.805/articles/privacy/Privacy_brand_warr2.html

   (accessed Oct. 24, 2022).

7. [7]  A. F. Westin, “Privacy And Freedom,” Wash. Lee Law Rev., vol. 25, pp. 3–4, Accessed: Dec.

   06, 2022. [Online]. Available: https://scholarlycommons.law.wlu.edu/wlulr/vol25/iss1/20.

8. [8]  “Privacy and Social Freedom – Ferdinand David Schoeman – Google Livres.”

   https://books.google.co.uk/books?hl=fr&lr=&id=yEq5KRs-t- YC&oi=fnd&pg=PR9&dq=An+aspect+of+human+dignity,+autonomy,+and+freedom+%22sch oeman%22&ots=pJYtcNycCw&sig=2bj4nTrA34_ZnJJh8v-LYLrI__k#v=onepage&q&f=false (accessed Dec. 06, 2022).

9. [9]  “Justices of the Peace Act 1361.” https://www.legislation.gov.uk/aep/Edw3/34/1/contents (accessed Dec. 06, 2022).

10. [10]  “The Constitution of the United States: A Transcription | National Archives.”https://www.archives.gov/founding-docs/constitution-transcript (accessed Dec. 06, 2022).

11. [11]  “Data Privacy Reform in Ukraine: What’s New? – Connect On Tech.” https://www.connectontech.com/data-privacy-reform-in-ukraine-whats-new/ (accessed Dec. 06, 2022).

12. [12]  “Brave New World by Aldous Huxley | Goodreads.”https://www.goodreads.com/book/show/5129.Brave_New_World (accessed Dec. 06, 2022).

13. [13]  “Loi n° 78-17 du 6 janvier 1978 relative à l’informatique, aux fichiers et aux libertés – Légifrance.” https://www.legifrance.gouv.fr/loda/id/LEGISCTA000006095885 (accessed Dec. 06, 2022).

14. [14]  T. Caulfield and D. Pym, “Philosophy, Politics, and Economics of Security and Privacy Lecture 2,” 2022.

15. [15]  “Edward Snowden revelations have had limited effect on privacy – Open thread | Technology | The Guardian.” https://www.theguardian.com/technology/2014/nov/25/edward-snowden-privacy-open- thread (accessed Dec. 08, 2022).

16. [16]  “FACT SHEET: Imposing Costs for Harmful Foreign Activities by the Russian Government | The White House.” https://www.whitehouse.gov/briefing-room/statements- releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the- russian-government/ (accessed Dec. 08, 2022).

17. [17]  “What’s the Deal With Yam Finance?” https://cointelegraph.com/news/defi-be-warned- the-short-unhappy-life-of-yam-finance (accessed Dec. 08, 2022).

18. [18]  “Government sets out plan to make UK a global cryptoasset technology hub – GOV.UK.”https://www.gov.uk/government/news/government-sets-out-plan-to-make-uk-a-global- cryptoasset-technology-hub (accessed Dec. 09, 2022).

19. [19]  Dr. Michael Veale, “Privacy Technologies, Law and Policy.”