This module is a resource for lecturers

Privacy and Security

Control and choice over disclosure of information is linked to an individuals' freedom to identify themselves and their actions at their own discretion and choosing and of their own volition (Maras, 2012). The right to privacy is, therefore, linked to freedom from identification. Anonymity enables users to engage in activities without revealing themselves and/or their actions to others (Maras, 2016). Online, anonymity "provide[s] individuals and groups with a zone of privacy online to hold opinions and exercise freedom of expression without arbitrary and unlawful interference or attacks" ( A/HRC/29/32, para. 16). In view of that, privacy affords users of information and communication technology with a space free from intimidation, retaliation, and other forms of coercion or sanction for the expression of thoughts, opinions, views, and ideas, without being forced to identify themselves. Accordingly, "technical solutions to secure and protect the confidentiality of digital communications, including [anonymity] measures…, can be important to ensure the enjoyment of human rights, in particular the rights to privacy, to freedom of expression and to freedom of peaceful assembly and association" ( A/HRC/RES/38/7). In light of this, "States [should] not to interfere with the use of such technical solutions, with any restrictions thereon complying with States' obligations under international human rights law" ( A/RES/72/175, para. 14; see also A/HRC/RES/39/6, para. 14).

This freedom from identification is believed to embolden some individuals to communicate cruel, discriminatory, racist, hateful, and/or other forms of harmful speech to others, which they would not otherwise have done if their identities were known (these types of behaviours are further explored in Cybercrime Module 12 on Interpersonal Cybercrime). While this is true for some individuals, there are others who are emboldened by revealing their identities when making these comments. This identification occurs in order to be recognized by like-minded individuals and mobilize supporters to act (Haines et al., 2014; Douglas and McGarty, 2001; Rost, Stahel, and Frey, 2016). Milos Yiannopoulos, a former writer for a far-right sensationalist news source (Breitbart), is known for making racist, misogynist, anti-immigrant, and anti-Muslim remarks, as well as communicating other forms of hate speech, to gain popularity among those with similar views in the alt-right and far-right movements and/or supporters of these movements, and to mobilize others to engage in similar acts by targeting those who were the subject of his hate speech (Fleishman, 2018; Maras, 2016).

World Map of Encryption Laws and Policies

Global Partners Digital published an interactive map online with worldwide encryption laws and policies, which can be found here.

The identity of the individual and their location can be difficult to ascertain due to anonymity and the use of privacy-enhancing technologies, such as Tor (discussed in Module 5 on Cybercrime Investigation). Another example of a privacy-enhancing technology is encryption. Encryption blocks third party access to users' information and communications. Governments around the world have argued for the need to access encrypted communications and information in order to fight serious crimes, such as terrorism, organized crime, and child sexual exploitation (Markoff, 1996; MacFarquhar, 2018; Meyer, 2018; Hawkins, 2018; for more information on terrorism, organized crime, and child sexual exploitation, see the Teaching Module Series on Counter-Terrorism, on Organized Crime, as well as Module 12 on Interpersonal Cybercrime). For these reasons, encrypted messaging services are considered illegal in certain countries (MacFarquhar, 2018; Meyer, 2018).

Telegram, an encrypted messaging app that has over 200 million users, has been blocked by judicial order in certain countries because the company refused to give these Governments decryption keys to monitor users' communications via the app (MacFarquhar, 2018; Meyer, 2018). Some countries have mandated the creation of backdoors and provision of decryption keys, while others, have requested the creation of backdoors and provision of decryption keys to fight serious crime, such as terrorism (Global Partners Digital, 2017; see for example, Apple-FBI debate over encryption). However, these backdoors and the provision of decryption keys could result in the abuse of access to data (e.g., data could be used by governments in unanticipated ways - above and beyond initial authorization in a specific case), and their use by criminals to gain access to this information for the purpose of viewing, copying, deleting, and/or altering it.

Did you know?

Encrypted information and communications can be accessed if cloud storage is enabled on digital devices. The US investigation of Paul Manafort, the former campaign manager of Donald Trump, on charges of bank fraud and money-laundering, revealed that prosecutors could access his encrypted messages via Telegram and WhatsApp, which were stored on his iCloud account.

Learn more about this case

Even though encryption makes it difficult to hold cybercriminals responsible and can be leveraged by them to commit cybercrime, its banning and restriction is unwarranted and legally unjustified. An outright ban of encryption limits the privacy of an individual in an arbitrary manner and thus is contrary to international human rights law (see A/HRC/29/32). The Inter-American Court of Human Rights has described privacy as "being exempt from and immune to abusive and arbitrary invasion or attack by third parties or the public authorities" ( Ituango Massacres v. Colombia, 2006, para. 192)and held thatstates have "an obligation to guarantee the right to privacy through positive actions, which may involve, in some cases, the adoption of measures to ensure that private life is protected against interference by public authorities as well as by individuals or private institutions, including the media" ( Fontevecchia and D'Amico v. Argentina, 2011).

Unanticipated Security Risks

Strava enables users of this fitness-tracking app to share their running routes with other users of these devices (Berlinger and Vazquez, 2018). In 2018, Strava published a world heat map online with the running routes of users. Even though the information posted could not be traced back to individual users, the heat map revealed movements on and around remote US military bases in foreign countries (Hern, 2018; Berlinger and Vazquez, 2018). The use of this app and similar apps on smartphones, as well as the use of IoT fitness wearable devices, can thus be particularly problematic for those who work on military bases and/or work in positions and areas where the tracking of their movements could place them, their organization, and others in danger.

Measures implemented in response to security threats that have significant adverse consequences for the exercise of human rights create insecurity. It is important to note that security and privacy are mutually dependent: security provides individuals with the freedom to live their lives with dignity and personal autonomy, and make life choices free from fear and coercion, and privacy enables individuals "to achieve self-determination and develop their personalit[ies] free from coercion" (Maras, 2009, p. 79). Privacy is thus a means to achieve security. In fact, protecting the privacy of individuals is integral to protecting data, and securing systems that contain this data and networks through which this data traverses. These protections and safeguards minimize vulnerabilities to security threats and mitigate the harm caused by unauthorized access, collection, deletion, modification, and disclosure of data.

Next: Cybercrime that compromises privacy
Back to top