Monday, May 19, 2014

Spheres of Contextual Integrity

Upon finishing Helen Nissenbaum's book, Privacy in Context, I was compelled to dwell on a disturbing nuance to her argument: that her concept of contextual integrity in privacy online could be warped by various actors, producing heterogeneous spheres of contextual integrity, which might impinge on others from a perceived legitimate perspective.

Nissenbaum pushes our conceptualization of privacy beyond mere binary definitions; her view is that privacy online relates to one's ability to appropriate the flow of his/her information online, while her definition leaves room for sharing bits of your life online, as that is merely an extension of a 'real world' relationship with friends and the like. Contextual integrity is a framework and benchmark for privacy, one that considers several factors: the moral and political factors of sharing information that might threaten the autonomy or freedom of the source, the system or practices that impinge on 'real world' values and norms, the prevailing context of the information flow, the transmission principles, and the actors involved.

Her definitions, arguments, and supporting evidence for these two concepts are quite sound, and are thoroughly examined in her other papers, A Contextual Approach to Privacy and Privacy and Contextual Integrity: Framework and Applications. However, when we incorporate her view on norms into the mix, we arrive at a worrying conclusion. Nissenbaum adopts the prescriptive interpretation of norms, which is essentially an objective stance on what people ought to do. I take issue with this, as I believe that each individual contains a myriad of opinions, producing populations with massive variance in world views. Even with some of the world's most durable democracies subscribing to this interpretation of norms, the subjective streak in humanity is still articulated in perpetuity.

 If we understand that there might be several actors, each imbued with a separate objective viewpoint, thus entrenched with the concept of prescriptive norms, we might find that spheres of contextual integrity emerge at various levels, rather than with the uniformity Nissenbaum hopes to see.

On a prima facie basis, there might be three major spheres: government agents and institutions, corporate and commercial interests, and societal and individual actors. Each group will perhaps internalize this notion of contextual integrity in privacy online, yet will enunciate its understanding in wildly different ways.

Consider the USA-based National Security Agency and its PRISM program. Within its informational norms, transmission principles, and indeed its modus operandi, the widespread surveillance of citizens and foreign aliens is accepted and encouraged. Its sphere of contextual integrity gives it the self-professed legitimacy to do so. Being a government actor, and thus on the side of the legal system, it cannot be challenged by other spheres without some cost in legal fees, time, and effort.

Consider Apple Inc and the integrated fingerprint scanners in its mobile devices. Its sphere of contextual integrity allows it to capture the biometric data of its customers and then store that data on the device's processor. As a commercial interest, its primary motivation is profit, and the question of whether the privacy of the end user is compromised does not appear to be the main consideration. Another example is ChoicePoint, a USA-based company which was fined $15 million due to the non-consensual transfer of customer data to identity thieves. ChoicePoint is an information company aimed at providing marketers with valuable consumer data. However, prior to their legal slap they were happily operating within a sphere of contextual integrity that allowed for the conversion of private data into profits.

Consider the individual, perhaps even yourself, who has been the victim of the Heartbleed bug. Our sphere of contextual integrity calls for notice and consent and an appropriation of our information flow, yet our sphere was penetrated by a malignant flaw in the technical code of the Internet. Our sphere of contextual integrity is not motivated by control of the masses (as is the case of the government), or the pursuit of profits (as in the case of commercial interests), but is propelled by a longing to own ourselves, and maintain autonomy and the right to be hidden.

The brief examples sketched up should illustrate that there are several ways in which contextual integrity can manifest, which can either be divergent or convergent with other spheres.
While I appreciate Nissenbaum's arguments and the color of her writing, I am upset by the notion that prescriptive norms might produce such disparity between various spheres of contextual integrity, ultimately producing winners and losers on the web.

Sunday, April 27, 2014

Privacy Online

Privacy has become a dirty word; it stands for a paradox, a poor joke, and an aspect of life that has undergone a significant paradigm shift since the impingement of the Internet on our lives.
 The paradox here is that we seem to volunteer up our personal data quite freely, imprinting our tiny slice of cyberspace with our thoughts, feelings, likes and dislikes, yet we maintain a proclivity towards conjuring up grand sentiments of anger and fear when our perceived rights to privacy online are violated.
 The poor joke is that we are constrained by the irrelevance of choice; the compounding losses associated with opting out of social media, media sharing platforms, and whatever other online niches we might be intrigued by.
 The significant shift alludes to the way in which the handling of our personal data has undergone a transformation from when we used to selectively divulge personal information at the behest of government agencies, or private corporations, to be stored in a physical medium, to the way in which we can now transform those bland forms and contracts into pieces of digital information, to be stored, copied, downloaded, uploaded, manipulated, and transferred, in an instant.

Privacy is messy, complex, and fluid; we can examine the individual's right to seclusion, or the right to decide when, how, and to whom, your personal information is communicated, or we could consider the legalistic slant, of defining privacy as a right with the individual at the crux of the data, enabled with the choice to volunteer access and control to others. Ought we to consider privacy as a moral obligation, or as a societal norm? Should we apply existing laws to protect privacy online or should we simply leave it in the hands of the end-user?
Regardless of which approach we choose to begin the process of conceptualizing privacy, we can agree on a few basic values of privacy.

I would argue that privacy is a 'democratic' good, similar to the way in which the ancient Romans held wine to be a 'democratic' good; that is to say that every individual, regardless of socio-economic status, origin and environment, ought to enjoy the same benefits and pitfalls of the good. Just as a lowly born pleb might find himself inebriated after his third amphora of wine, the noble patrician would too feel the pangs of a hangover post alcoholic revelry. All users online ought to be afforded the same level of privacy online; that is to say that they ought to be able to decide when to volunteer up personal information, be safe in the knowledge that that information will not be sold or revealed to unseen forces, be afforded security via the ability to change and update that information, and not have an altered Internet browsing experience because of that information's presence on the server.

I would also argue that privacy is linked to autonomy, so that each individual user should be able to upload personal information, choose a pool of people to share that information with, and then restrict all undesirable forces from viewing and colonizing that information. If we allowed others to manipulate the information we've volunteered, we lose our ability to operate as self-interested autonomous actors, thus stripping away what decades of development in liberal-democratic nations have hoped to achieve in terms of liberty and freedom of thought, speech and expression.

Privacy online ought to be viewed as an intimate relationship between the user and the user's chosen set of entities to view that information. Just as we are constrained from installing wiretaps on our neighbors' phone lines, we must see the same type of decency afforded to individuals online; rather than having loopholes on social media sites exploited, or being the victim of an uninformed sale of personal information to ad agencies, it would be beneficial to allow only the user him/herself to decide when to press ahead with sharing information with the world at large.



Sunday, April 20, 2014

Inherent Tensions on the Internet

When Mr. Bungle first initiated his despicable sexual violation of female avatars on LambdaMoo, little did he know that he would be the catalyst to discourse regarding the boundary between cyber life and real life; at the outset of his cyber rape was the creation of the @boot function (to kick lowlifes off of the server) and a voting system, centered around the implementation of what users specifically wanted to see on LambdaMoo.

The LambdaMoo cyber rape, the first 'rape' in cyber space, has become a hallmark of Internet and new media studies, as it was something wildly offensive and never-before-seen on the world wide web. A decade or so later, and cyber rape and cyber-bullying are now mainstream issues to be dealt with by students of Internet governance; with one of the most recent and tragic events being the suicide of Amanda Todd, compelled by relentless cyber-bullying.

What compels a human being to act in such an anti-social manner? The fault lies with both the tool and the user; the Internet affords us the ability to act as anonymous actors, and the latent, or repressed, fantasies of mankind are allowed space to breathe, develop, and experiment. Academic Martha C Nussbaum states that "the internet is a self-enclosed, self-nourishing world that is remarkably resistant to the reality outside." However, there is a spill-over effect when media posted online has a real-world consequence (as seen in the suicide of Amanda Todd).

Levmore argues that the Internet is a far less regulated place than any other institution, and that whilst we can physically remove denigrating media in the real world, such items can be hosted online indefinitely. Levmore also argues for the reformation of section 230 of the United States Code, where such reformation would allow content hosts to take down any material deemed inappropriate. However, this then is in tension with the free speech argument of the Internet, that the Internet has been, and should always be, a forum for unfettered expression.

This leads us to the inherent tension on the Internet; the struggle between what it represents and what it allows. If we are to use the Internet as a forum for free speech, ought not all speech be permitted? Who is to judge what is permissible or not, and by what stick would they measure suitability? Who has jurisdiction to prosecute offenders and ought we to create more fora of non-anonymous communication?

The spillover effect of media posted online (this can be real life details such as home addresses, phone numbers, education details) must not be left out of consideration when lawmakers get around to amending legislation, but the degree to which the offender is penalized might stir up a storm of debate on the very nature and purpose of the internet (as seen when the DMCA is debated).



Sunday, April 13, 2014

Heartbleed

For 2 years Heartbleed, aka CVE-2014-0160, has been affecting the way websites protect information, allowing access to secret, or proprietary data (such as login and credit card information, as well as metadata). When news of its existence hit the mainstream consciousness, a mad scramble toward understanding and subverting the bug was underway, with mass media coverage, online bug-check tools, and an attempt to patch up the exploit.

But what is Heartbleed and what does it attack? How does a coding error allow access to personal information and even enable the NSA to do their work with even more devious ease?

It is important to understand that Heartbleed is not a malicious line of code, floating around the Internet; it is an exploit made possible by coding errors in the OpenSSL design. OpenSSL is a protocol that allows for the basic cryptographic functions of the transport layer security (TLS) protocol. Basically, it allows the transport layer of the Internet, the code that allows us to connect to websites, servers, each other over VOIP applications, chat to one another, even write and post blogs, to function.
Coders are currently working to produce version 1.02 of the OpenSSL protocol that cleans up the issue, but as of now, the bug allows for hackers to send a 'heartbeat', a small packet of data, that prompts the recipient computer to respond with a line of data. This line of data could be any type of personal information, and thus the Heartbleed bug became a silent backdoor exploit for nefarious hackers and surveillance agencies.
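The heartbeat behaviour described above comes down to a missing length check, which the following C example simulates inside a fixed 256-byte buffer; it is an illustration added here, not OpenSSL's code and not part of the original post. The `sim_server` layout, the function names and the secret string are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_HEADER   3    /* 1-byte type + 2-byte payload_length */
#define HB_PADDING 16    /* minimum padding required by RFC 6520 */
#define SIM_MEM   256
#define CLAIMED(s) (((size_t)(s)->mem[1] << 8) | (s)->mem[2])

/* Constructed stand-in for server memory: the received heartbeat record sits
 * at offset 0 and unrelated data (a made-up secret) lies right after it. */
typedef struct {
    uint8_t mem[SIM_MEM];
    size_t  record_len;      /* bytes that really arrived on the wire */
} sim_server;

/* Store a request that claims `claimed` payload bytes but carries `actual`. */
static int sim_receive(sim_server *s, uint16_t claimed, const char *payload,
                       size_t actual, const char *secret)
{
    size_t slen = strlen(secret);
    if (HB_HEADER + actual + HB_PADDING + slen > SIM_MEM) return -1;
    memset(s->mem, 0, sizeof s->mem);
    s->mem[0] = 1;                            /* heartbeat_request */
    s->mem[1] = (uint8_t)(claimed >> 8);      /* length as sent by the peer */
    s->mem[2] = (uint8_t)(claimed & 0xff);
    memcpy(s->mem + HB_HEADER, payload, actual);
    s->record_len = HB_HEADER + actual + HB_PADDING;
    memcpy(s->mem + s->record_len, secret, slen);
    return 0;
}

/* Flawed pattern: echo as many bytes as the peer claims to have sent. */
static size_t hb_echo_unchecked(const sim_server *s, uint8_t *out, size_t cap)
{
    size_t n = CLAIMED(s);
    /* Clamped to the simulated memory so the demo itself stays well-defined. */
    if (n > SIM_MEM - HB_HEADER) n = SIM_MEM - HB_HEADER;
    if (n > cap) n = cap;
    memcpy(out, s->mem + HB_HEADER, n);
    return n;
}

/* Corrected pattern: discard any record whose claimed payload cannot fit. */
static size_t hb_echo_checked(const sim_server *s, uint8_t *out, size_t cap)
{
    if (s->record_len < HB_HEADER + HB_PADDING) return 0;
    size_t n = CLAIMED(s);
    if (HB_HEADER + n + HB_PADDING > s->record_len) return 0; /* drop silently */
    if (n > cap) return 0;
    memcpy(out, s->mem + HB_HEADER, n);
    return n;
}

static int contains(const uint8_t *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; m && i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* Returns 1 if the reply to a 4-byte "ping" that claims `claimed` bytes
 * contains the secret; *echoed receives the number of bytes sent back. */
static int run_case(uint16_t claimed, int use_check, size_t *echoed)
{
    sim_server s;
    uint8_t out[SIM_MEM];
    const char *secret = "CONSTRUCTED-SECRET";
    if (sim_receive(&s, claimed, "ping", 4, secret) != 0) return -1;
    *echoed = use_check ? hb_echo_checked(&s, out, sizeof out)
                        : hb_echo_unchecked(&s, out, sizeof out);
    return contains(out, *echoed, secret);
}

int main(void)
{
    size_t n = 0;
    int leak = run_case(64, 0, &n);
    printf("unchecked: leak=%d echoed=%zu\n", leak, n);
    leak = run_case(64, 1, &n);
    printf("checked:   leak=%d echoed=%zu\n", leak, n);
    return 0;
}
```

The checked handler still answers an honest request (a 4-byte payload that claims 4 bytes), so the comparison isolates the length check as the only difference.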

While most users will be unable to do anything about the bug, the only afforded safeguard is to change all passwords and check back with your most frequented websites for news of a fix. The real uphill battle is for website owners, who must now wait on a fix in the OpenSSL protocol.


Monday, March 3, 2014

Free Wifi: A New-Age Human Right?

Introduction
In a post-modern, hyper-connected and increasingly globalized world, will access to the Internet become a human right? That is to say, will the governments of the world recognize the provision of Internet access to be on par with, for instance, access to education, clean water, electricity, healthcare, housing, food, and shelter? Perhaps the notion of "free wifi for all" has all the trappings of a Utopian work of fiction, but the consideration of this question might prove to be an interesting thought experiment. We shall briefly explore the concept of free Internet access for all in this blog post.

Niue
Located north-east of New Zealand is the tiny island nation of Niue. Populated by only 1300 people and known for its unique indigenous red banana crop, its government passed legislation in 2003 that provided free Internet services to all citizens. It refers to itself as the first "Wifi nation", where citizens need not sign up with a service provider; all they need to do is log on to the island's wifi network. This allows citizens to be perpetually connected, even when on the seas!

However, this rather rosy picture is somewhat marred, as further research shows that the maintenance cost of keeping the system running is shouldered by the citizens themselves (either in their tax stipulations or by personally paying for upkeep). It is interesting to note that the island nation is currently embroiled in a dispute over the .nu domain, claiming that it belongs to them and not the corporation that has appropriated it.

iTaiwan
Taiwan has done a better job than Niue has, and being richer and more technologically savvy doesn't hurt! The iTaiwan system allows citizens and tourists to surf the net for free from a variety of wifi hotspots located around the city. To get on the network, users must register using their local cellular phone number; login details are then texted to the user, and access is granted. Launched in 2011, the service offers a 1MB connection to all users, sans a pricetag!

The Outernet
The Outernet is an ambitious startup aiming to use small short wave satellites, known as 'cubesats', to beam the Internet to people around the world, for free. The system would bypass the censorship imposed by state governments, and provide unfettered access to the Internet without discrimination. If anything, this is the most utopia-worthy startup I've ever heard of, and a quick Google search reveals that this system might come into use by mid-2015. Government reaction to this uncensorable internet might be decidedly anti-Outernet, though this remains to be seen.

Internet Rights
The UN Universal Declaration of Human Rights is a resolution of 30 operative clauses that seek to define the inalienable and inviolable rights afforded to all humans sans discrimination and disparity. Even though nations have refused to ratify this resolution, such as Saudi Arabia (citing reasons of inconsistency with Sharia law), the declaration has gone on to become one of the most memorable and instantly recognizable successes of the UN. What would happen if, for instance, Taiwan sought to amend the document with operative clause #31, making the right of unfettered access to the Internet a basic human right?

When considering this notion, we must weigh the cost incurred by each government in the provision of sufficient physical and digital infrastructure, against the benefit of access granted to each citizen. Debate would be polarized in several dimensions; the question of local or UN jurisdiction in enforcing access to all, the question of UN or regional privacy and decency laws, the issue of incompatibility with regional customary or religious law, and also a somewhat distracting philosophical debate on the nature of access to information as an inviolable and inalienable right.

If, by some miraculous sense of foresight, the UN were to incorporate this as a human right, what would our world look like? Would we see a global shift toward political and societal liberalization, the adoption of western norms in conservative societies perhaps? Or will the digital divide be only more pronounced, as millions of new users are unable to assimilate the technology with haste?
As I mention in the introduction, this is a valuable thought experiment for any student of Internet Governance, yet may be beyond the scope of the discipline alone in answering.  

Privacy Laws on the Internet: Differences Across the Pond

Intro
When it comes to regulating the Internet, it stands to reason that the maxim, "one size does not fit all", ought to apply; the existence of conflict, socio-economic resistance to adoption, and disparity in Internet usage should convey the need for various Internet laws, enforced in distinct and separate jurisdictions. Up to now, working models of Internet governance have embraced the existence of these separate and independent legal systems working simultaneously, yet these systems have remained unchanged since the NSA-spying revelations of 2013.
The fallout of the NSA revelations was clear on the European side, with the German chancellor calling for stricter EU online privacy laws and the EU parliament passing resolutions calling for inquiries into the extent of US digital spying. However, the US response to these near-damning revelations was tepid at best, with the efforts of Congress culminating in a series of purely symbolic and superficial hearings, where NSA officials glossed over certain salient details of the NSA programs, even hinting at the possibility of spying on members of Congress.
Clearly, there is great disparity in terms of how the US and EU prioritize privacy online, and whilst no government will ever be anti-surveillance, the degree to which the public is protected from surveillance is disparate between the two entities.

Disparate Laws
The major difference between EU and US privacy policy revolves around the drafting and implementation of a cohesive and wide-scoped privacy policy.

The EU has two such privacy policies in place. The first is the EU Data Protection Directive (DPD), which defines the guidelines to be followed in the event of digital surveillance being necessary (a great article details the specifications of this policy), and the second is the E-Privacy Directive (EPD), which compels private companies to seek consent in the use of cookies, customer information, and internet usage monitoring. The DPD establishes principles and procedures to be followed by the surveillance team when homing in on a subject. It provides a sense of security to the user, as he/she must be informed of the surveillance, and must be assured of some compelling reason to justify the initiation of the surveillance. The EPD establishes and clarifies the type of information to be surveilled, how the surveillance is carried out, and what happens to the data post-surveillance. Together, these laws protect the safety and security of the personal data of the end user against the covert abuse of surveillance technology by government authorities and private corporate interests. Given that the EU is currently working on refining these laws, by imposing fines and fees on errant governmental and corporate institutions, we can only expect more stringent safeguards and constraints on those who surveil.

The US does have privacy laws, but they approach the topic from the top down; that is to say that they draft the laws from the perspective of institutions, not end users. As a result, the privacy laws at a Federal level are constrained to only specific sectors of the political community, and at the State level, there is a variance of law from state to state. The Fair and Accurate Credit Transfer Act, for example, deals with the protection of citizens from identity theft, either online or in real life. However, this law does not explicitly address online identity theft, and instead delegates the responsibility of dealing with any, and all, identity theft to newly created regulatory and banking institutions. The Digital Millennium Copyright Act is another example of how a Federal law approaches the protection of online rights from a top-down perspective, in this case looking out for the rights of corporate interests over those of the end user.

Conclusion
Given Europe's historical experience with fascist and totalitarian states, it is clear that the championing of privacy laws and civil liberty as an ethos has proven successful in the EU legal tradition; it is easier to provide addenda and amendments to already wide-reaching privacy laws to empower the end user instead of the service provider and government agency. This attitude is lacking in US socio-legal culture, which opts instead for the protection and safeguarding of interests from a top-down perspective.

Sunday, January 19, 2014

Democratic Decentralization and the Internet

Participatory democracy embodies the notion that an individual can go beyond the purely symbolic act of voting to have a degree of autonomy in decision-making and the ability to colonize, and put to use, government resources. We might liken this concept to the ways in which online communities self-regulate; the acts of governing their cyberspace are conceived and implemented by users, either high-level senior members or administrators. The instruments of governance are held by the people, a rather vox populi imbued paradigm.

In political science, we learn that one of the enabling conditions, or pre-requisites, of participatory democracy is the process of democratic decentralization: an increase in the scope and depth of subordinate group participation in authoritative resource allocation (to paraphrase Patrick Heller in his 2001 paper, Moving the State: The Politics of Democratic Decentralization in Kerala, South Africa, and Porto Alegre). What this implies is that the state does not recede, but delegates a wider sphere of powers to the lowest echelons of the political community, imbuing them with the resources required to improve their lives. The state retains oversight and an advisory role, acting as an enabler of the entire process, rather than an active participant in the entire scheme. We see this sort of governance in the Panchayati Raj Institutions of India, which essentially create venues of village governance with state resources at the disposal of the villagers, and the Orçamento Participativo (Participatory Budgeting Forum) of Porto Alegre.

What would our understanding of democratic decentralization mean when we consider Internet governance? How might these two fields intersect? Whilst I briefly examine these questions, it might be better left to a PhD candidate to thoroughly examine this topic (hopefully I might be able to assume such a role in the coming years!) and it does go well beyond the scope of this blog post to both clarify and list out all the assumptions, critiques, and evidence of success here. I will instead attempt to provide a vision of what the Internet might look like if democratically decentralized.


With the recent US Federal Court decision to strike down some of the FCC's open Internet rules, we see that Internet service providers, such as Verizon, are now able to capitalize on user trends and open up new revenue streams on the Internet by bundling up access to certain sites in a cable-tv-esque system. This signals a recession of the state, but not in a way that is consistent with the ideals of democratic decentralization. To be consistent, the US Federal Court would have to place the interests of end-users above those of commercial private interests, ISPs included. The role of the ISP would be clarified as one which provides a service as a public good instead of a luxury good, where it is alright to reap a profit off the provision of services, but the generation of profits is not placed as the first goal of the organization. The idea of net neutrality would place end-users above private commercial interests and enable equal access to all netizens.

Participatory democracy institutions that operate under a democratically decentralized state apparatus form a part of an empowered population, able to voice societal demands for development, and most importantly, able to receive the improvements they decide are most important. If this was the case, the US Congress would pay keen attention to the general consensus regarding the preservation of Network Neutrality, and we would not have seen a Federal Court of Appeal strike down the previous FCC rules. Ideas of what the Internet should look like, or how it should operate, ought to be decided upon by those who hold the end-user interest at heart, rather than the commercialization of the Internet. 

If democratically decentralized, states would no longer be able to impose censorship over content and expression on the internet, making it a truly "free" space. However, the state would still be able to engage in surveillance and the prosecution of criminals (pirates, pedophiles and the like), as it would assume the role of an enabler of a safe and clean public space. This dispels the naysayers' notion of democratic decentralization leading to a truly anarchic and "moral-free" operationalization of the Internet. Just as the Indian government provides oversight over its PRI, the various governments of the world would actively engage in policing the code of the Internet for worms, trojans, and other malign pieces of software that regularly wreak havoc on the end-user. Pause for a moment and envision a world in which the NSA, instead of spying on hundreds of thousands of people, put its computing power to cleaning up the Internet; we would possibly be able to operate on quite a different, and definitely safer, Internet wavelength.


To conclude, the notion of democratic decentralization on the Internet seems almost utopian at this point; the current trajectory of government involvement on the Internet is tending towards the glorification of private commercial interests at the expense of the interests of the end-user. Though this might be a premature concept right now, I'm sure that as I progress in my independent study, I will be able to conceive of ways in which we might promote this idea of a nexus between political science and Internet governance, in a way that might produce incentives for states to place more importance on netizens rather than ISPs.