Digital Privacy: Protecting Human Rights in Cyberspace

As more of us conduct an increasing portion of our daily lives online, we create a growing and permanent digital footprint with every Google search, Facebook “like” and eBay purchase. Yet few of us give much thought to the consequences of all this e-disclosure or its cumulative effects over time. We express concern over our digital privacy rights in the immediacy of news reports regarding lost or stolen client data and appear to disapprove of organizations tracking our online behavior. However, even the most vigilant and digitally aware among us is oblivious to most privacy violations because they occur unheard and unseen.

Privacy as a human right may be a novel concept to some; however, it is actually enshrined in the United Nations Universal Declaration of Human Rights. Moreover, digital privacy is emerging as an important human right particularly because it may be subjugated so easily. The Global Network Initiative states “Privacy is a human right and guarantor of human dignity…. important to maintaining personal security, protecting identity and promoting freedom of expression in the digital age.” Unfortunately, legislative priorities largely appear to exclude digital privacy. According to the Electronic Frontier Foundation, “… the law has yet to catch up to our evolving expectations of and need for privacy.” We see this in the U.S. where legislators have yet to update the Electronic Communications Privacy Act of 1986. At the same time, some question the motives of government action (or inaction) and express concern over what they perceive as an overstepping of authority, particularly regarding the collection, retention and analysis of personal data. In Germany, for instance, the Supreme Court ruled that country’s data retention law unconstitutional last year.

While the future state of regulation regarding digital privacy may be uncertain, many global companies are seeking to assure alignment between their human rights policies and practices and the United Nations Guiding Principles on Business and Human Rights: the “Protect, Respect and Remedy” Framework launched formally in April 2011. While the framework recognizes the State obligation to protect human rights, it also recognizes a “corporate responsibility to respect human rights, act with due diligence, and address adverse impacts.” Leadership companies, such as those in high tech, have been notably proactive in their efforts to address human rights. This is particularly true of Symantec, which is intimately familiar with the intersection of digital privacy and security through its core business:

“The protection of individual privacy afforded by our products is critical to the protection of human rights. Indeed, many of our products, including encryption, endpoint protection, online backup, and antivirus software support the first three UNGC principles by enabling individuals to protect the secrecy of their communications and work products, to store their information with a trusted vendor, and to monitor and track attempts of intrusion into their information from other individuals and/or governments.”

With the increasing amount of information being stored in the cloud, companies such as Symantec find themselves hosting significant amounts of third-party personal and commercial data that may be of legitimate – or less than legitimate – interest to governments and law enforcement agencies. While Symantec may have little choice but to respond to a “subpoena, warrant or other process issued by a court of competent jurisdiction” as stated in the company’s privacy policy, the company will have to give careful consideration both to the nature of the request and to its source. We need look no further than Yahoo!, criticized for its role six years ago in providing a journalist’s personal data to Chinese state security officials that led to his conviction, for an example of a company that experienced unintended impacts on human rights simply by trying to comply with local law. (Last year Google reversed a long-standing practice of self-censorship.) It is difficult to estimate the number of data requests made by governments to cloud computing companies. Going forward, however, it is imperative for a leadership company such as Symantec to be transparent regarding the number and nature of any such requests. Here companies such as Symantec can also turn to the Global Network Initiative for guidance.

Meanwhile, companies such as Symantec are developing more and more sophisticated software in response to criminal and terrorist threats to the safety of information stored, shared or transmitted online. However, their efforts to secure online commerce and protect privacy may actually put them in direct conflict with governments that are concerned over the ability of criminals and terrorists to use encryption technology and that see a need for a sort of “master” key to unlock encrypted data. Earlier this year, for instance, India threatened to suspend Research In Motion’s BlackBerry Messenger services, arguing that it needed access to the company’s encryption data, after a similar threat from Bahrain. In July, a mortgage fraud case in Colorado turned into a Fifth Amendment test as the Electronic Frontier Foundation supported arguments that the U.S. Department of Justice could not compel an individual to disclose an encryption pass phrase on a personal computer. Again, going forward, companies such as Symantec that play an integral role in the security of the Internet would have to weigh the potential human rights impacts of sharing encryption keys with governments where there is not an immediate and compelling criminal or terrorist threat.

Facebook CEO Mark Zuckerberg suggested in a recent interview that Google, Microsoft, and Yahoo collect far more information about users than Facebook does, saying “It’s just that they’re collecting (it) about you behind your back.” We hope that companies see this more as a rallying cry than criticism: As digital privacy continues to become a more critical aspect of human rights, transparency will also become increasingly important to the ability of Symantec and other leadership companies in the high tech sector to earn the trust and confidence of Internet users, governments and other stakeholders.

Doug Bannerman is former secretariat to the United Nations Voluntary Principles on Security and Human Rights.

http://www.symantec.com/connect/blogs/digital-privacy-protecting-human-rights-cyberspace
