by nikcub 3373 days ago
There are a few schools of thought on where responsibility should lie in protecting user privacy. The first is that it is a role of government and policy - in the same way the government sets standards for automobile and road safety they can set and enforce policies for user privacy.

The second school of thought is individual responsibility. Users should take steps to protect their own privacy on a case-by-case basis, in the same way they look after their own home security or personal safety.

The third would be a hybrid approach - that there is a role for the government to play in setting up a universal minimum level of privacy protection while users also have a role to play in their own protection. This is most akin to how healthcare works - I'm guaranteed treatment in an emergency room but I also might choose to keep myself healthy with diet, exercise etc.

I personally believe in user responsibility for personal privacy and security, where you can't and shouldn't depend on policy to protect you and that all users should be aware of the issues and actively educated on how to protect themselves. For a few reasons:

1. Policy is not universal. Some countries may have extensive and rigorous user privacy protections but that doesn't apply to users everywhere. While user privacy protections are strong in Europe, and consumers have access to recourse if their privacy rights have been violated, that same advice doesn't apply to the majority of internet users, most of whom are residents of a nation or jurisdiction where there is no strong protection or user recourse.

2. Governments are a major party in privacy violations and are conflicted, so they can't be expected to behave in the interest of users. The most recent campaigns to roll out encrypted communications and connections in apps were prompted by the US government intercepting internal Google data. The government will almost always be incentivized to lower barriers to ease intelligence gathering and in most of the world government surveillance trumps individual rights.

3. Similarly, government can't be trusted. This is the point Ed Snowden made when he argued for individual and tech solutions to privacy over government policy[0]. Snowden cites the difference in Obama's campaign promises and what he delivered[1], and this isn't unique to Obama - the FCC ISP privacy rules being blocked this week is yet another example of how easily and quickly policy can be undone, while the mass surveillance Snowden disclosed is an example of how public policy and private actions can be different.

4. Tech solutions to privacy don't imply individual responsibility. We can, and do have, tech solutions that are universal - such as the campaign to roll out encrypted communications and connections with Whisper and LetsEncrypt.

5. Policing government policy is labour intensive and difficult. It relies on privacy researchers - usually individuals - to track what companies are doing with user data. With more data being shared between companies it is even more difficult to apply individual oversight to how policies are being enforced. See Natasha Singer's reporting in the NYTimes on data brokers[2].

6. There are usually very minor enforcement penalties for companies that violate user privacy policy. The FCC tracking opt-in rules were prompted by some ISPs adding tracking headers or cookies to user traffic. AT&T and Verizon were adding tracking cookies to user traffic and it took two years to notice, and there were zero implications for both companies[3] other than the new FCC rules which are now dead.

7. Even in the perfect world of good policy, good application of policy and good enforcement you still have more data than ever being stolen and leaked online. You only have to look yourself up on haveibeenpwned or a similar database to find that for a lot of people, all of their PII has already leaked[4].

It is very clear to me that technology solutions have the primary role in protecting user privacy. Policy isn't a waste of time but it can't be relied upon. The question is how user privacy protection is packaged for a mass-audience. User privacy requires an equivalent of what 'use WhatsApp, use Signal' is for user security, what 'install antivirus, don't click on attachments' used to be for user security and the growing popularity and awareness of ad blockers.

I'm not sure what that will be or what it will look like, but warning people away from VPNs probably isn't going to help. Chances are that some form of VPN connection will become part of the standard solution (along with HTTPS/encrypted comms everywhere) now that the reality of ISPs and users not sharing privacy interests is here and many are aware of it.

There's a great market opportunity here - perhaps not for VPNs as a product but VPN as a technology.

[0] https://www.wired.com/2016/11/despite-trump-fears-snowden-se...

[1] https://www.forbes.com/sites/thomasbrewster/2016/11/10/edwar...

[2] http://www.nytimes.com/2013/09/01/business/a-data-broker-off...

[3] https://www.techdirt.com/articles/20150115/07074929705/remem...

[4] https://haveibeenpwned.com/

9 comments

> The second school of thought is individual responsibility. Users should take steps to protect their own privacy on a case-by-case basis, in the same way they look after their own home security or personal safety.

I think this is a bullshit argument. Nobody looks after their home security or personal security the way we expect users to be careful of their privacy, nor do we accept the amount of intrusions into our house or personal space as we are told is reasonable in information.

Imagine you could get a free pizza every week, you just need to let the driver go through your house and correspondence. Imagine if you had to sign over the risk that your house might be burgled if you signed up for a bank account...And the police didn't act on it.

These examples seem ludicrous, but that is not because I'm making them like this, it's because the premise that we all do "personal responsibility" is a myth.

We have police, laws, community rules, all of these things to protect our houses and personal security. If you leave the door unlocked, robbing it is still a crime. Likewise, if you walk around on an unsafe neighbourhood and get robbed, it would be ludicrous to hear "well, the city warned you that part is unsafe, so the police isn't going to investigate"

> We have police, laws, community rules, all of these things to protect our houses and personal security. If you leave the door unlocked, robbing it is still a crime. Likewise, if you walk around on an unsafe neighbourhood and get robbed, it would be ludicrous to hear "well, the city warned you that part is unsafe, so the police isn't going to investigate"

The irony of this statement is that this actually happens quite often in certain east of the track neighborhoods, especially when the victim is a minority. It goes to show that this attitude, while I don't agree with it, isn't so far from the reality as you might think.

Coming from out west, this is one of the cultural reasons I am pro-gun. The police are just there to draw the chalk line around your body, it is your responsibility to defend yourself, your loved ones, and your home.

Always remember that the constitution was created to protect, not establish rights, rights that you have independent of the constitution itself, and of these rights, the right to self defense is one. The second amendment is simply about defense against tyranny. Even if you got rid of the second amendment I still have the right to bear arms.

Which makes me wonder, how well could the right to self defense argument be applied to encryption?

It's almost like everyone forgot about the 90's crypto wars, but it makes me think of something Eben Moglen said about the 90's crypto wars being just a temporary setback to TPTB;

https://youtu.be/sKOk4Y4inVY?t=580

This might be a very cultural thing (I'm from Europe). But unless you want to live in a society dominated by warlords and gangs, laws and society are the better way imo. Again my opinion, but for me the gun defense is a myth perpetuated in the US for ideological reasons. Keep your guns, but they won't keep you safe against a gang which will just shiv you at night, or simply outgun you. The reason all civilisations of a certain density have centralised law enforcement is it's simply inefficient for everyone to defend themselves (think narco states: sure, you can hire a guard, but your neighbour also has to hire one. If you try to start a neighbourhood guard cooperation then you are one step towards government and police)

And coming from Europe, we create new rights all the time

This is actually the topic of an old xkcd: https://xkcd.com/504/

Agreed. Parent's analogy only works in a world where breaking and entering was legal, and it was everyone's personal responsibility to defend their home.

We live in a world where breaking and entering is possible, and the police may only come after the fact, and might not come at all — it is everyone's personal responsibility to defend his home. Likewise, we live in a world where violating one's privacy is possible, which means it is probable, and thus it is everyone's personal responsibility to defend his privacy.

What do you think would have more of an impact on the security of your home: repealing the laws against breaking & entering, or removing the lock from your door?

It's naive to think of oneself as strong enough to self-protect. I know there's a certain appeal in the lone wolf myth that speaks to the (mostly male) psyche. But never in the history of mankind has it been the winning strategy to be strong and independent.

Since we were apes in trees, our security has relied entirely on a strong net of social bonds. Cooperation is the strongest force multiplier, and no matter how many guns you have, you wouldn't have a chance even against a small group. Laws are nothing but a formal manifestation of group behaviour.

Then, there's the attacker-defender asymmetry: defending yourself means defending yourself 100% of the time. There is no middle-class home in the US that I couldn't get into if I really wanted, nor are there any non-famous people that I couldn't kill with a bit of dedication.

It wouldn't be possible to protect against such threats without the rule of law. And even if it were, it would amount to a giant collective waste of resources. Personally, I also don't want to think of any stranger as a threat, but that's what it would require.

> What do you think would have more of an impact on the security of your home: repealing the laws against breaking & entering, or removing the lock from your door?

Honestly, the latter. I don't believe laws prevent thieves from breaking in, nor do they keep honest people honest. I don't really buy the deterrent theory of law in general, anyway: law exists to punish in a civil and orderly fashion, not to deter.

This is ridiculous nonsense (although living in the West of the US myself, I know a few people who have this mentality). We just don't live in a world where the fact that nobody is robbing you blind is entirely due to fear that you'll shoot them. That's pure fantasy. They're not robbing you blind due to things like: they have jobs and are gainfully employed doing something more profitable than robbing people; they'd (eventually) be caught and sent to jail; and so on.

> We have police, laws, community rules, all of these things to protect our houses and personal security. If you leave the door unlocked, robbing it is still a crime. Likewise, if you walk around on an unsafe neighbourhood and get robbed, it would be ludicrous to hear "well, the city warned you that part is unsafe, so the police isn't going to investigate"

Agreed, and it still amazes me how these advertisers and startups can simply hand-wave away any responsibility for any compromising data about you ending up in the wrong hands with a simple shrug.

I strongly disagree.

This policy fight isn't a fight to regulate the market (like the automobile regulations you mentioned). It's a fight for a fundamental right to privacy. Any technology improvement that can protect privacy can be made illegal, and enforced by a boot on the face (see China).

If the government makes encryption without government key escrow illegal (not at all outlandish, has been discussed in many countries), will you personally, nikcub, continue to use encryption without key escrow? If you are willing to risk imprisonment to do so, you are among the bravest people. It is a small group.

The policy fight is massively more important than the tech. A tech that takes 100 years to develop can be made illegal in a day.

If everyone starts using VPNs, ISPs will ban them. There might be some game of cat and mouse, but eventually the same lobbyists that lobbied to remove these privacy rules are going to lobby to take some of the tech options off the table.

Maybe nitpicking, but:

> a fight for a fundamental right to privacy

Many don't consider this to be a fundamental right.

> A tech that takes 100 years to develop can be made illegal in a day.

As the recorded history goes, I think it was always the other way around - a new technological development suddenly invalidating a set of laws, and lawmakers playing catch-up with its use.

I wish governments of the world got their collective shit together so we could have sane privacy laws, but as it is now, technology is an important leverage to push the policymakers in the right direction. Maybe you can't focus 100% on it, but it would be foolish to just ignore it. It's the single most powerful tool we have here.

I partially agree with your points, but I still insist the policy fight is more pressing, because the tech is only possible to use with the right policy.

If the US and Europe change to be like China, all that tech is worthless because the spooks can come knock down your door if they suspect you're "hiding something."

This really can't be overstated.

"Engineering around" the failures of democracy in the West won't work. We need to fix the issues with our democracies and change the policies.

> Many don't consider this to be a fundamental right.

Is that why everyone agrees that the constitution protects this right in the physical domain?

In the physical world we differentiate between public and private spaces, with different expectations of privacy in each of them. There's a debate to be had about appropriate demarcations on the Internet.

Where I walk and what I do on the street is private even though it's in a public space (exceptions apply). Similarly what I do and where I go on the internet is private even though it is a public space (exceptions apply).

If someone follows me in the street for hours (days, weeks, life) and notes everything that I do, I'd be right to call that a violation of my privacy?

And many do. The right is enshrined in several of the amendments to the U.S. Constitution, as well as the Universal Declaration of Human Rights:

No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks.

https://www.un.org/en/universal-declaration-human-rights/

There is Warren and Brandeis, "The Right to Privacy", 1890, which specifically addresses the publication of private aspects of citizens' (and residents') lives:

*Recent inventions and business methods call attention to the next step which must be taken for the protection of the person, and for securing to the individual what Judge Cooley calls the right "to be let alone" [10] Instantaneous photographs and newspaper enterprise have invaded the sacred precincts of private and domestic life; and numerous mechanical devices threaten to make good the prediction that "what is whispered in the closet shall be proclaimed from the house-tops." For years there has been a feeling that the law must afford some remedy for the unauthorized circulation of portraits of private persons;[11] and the evil of invasion of privacy by the newspapers, long keenly felt, has been but recently discussed by an able writer.[12] The alleged facts of a somewhat notorious case brought before an inferior tribunal in New York a few months ago,[13] directly involved the consideration of the right of circulating portraits; and the question whether our law will recognize and protect the right to privacy in this and in other respects must soon come before our courts for consideration.*

https://en.m.wikipedia.org/wiki/The_Right_to_Privacy_(articl...

https://groups.csail.mit.edu/mac/classes/6.805/articles/priv...

The only possible validity to your nit is that it might be applied to any subject of human discernment: some will differ.

Those differences are quite frequently exceedingly poorly founded.

> It's a fight for a fundamental right to privacy.

Where did this right come from? And since when is this a thing? Don't mean to be condescending but "the right to privacy" isn't really a thing in this particular domain (legally speaking).

Sticking to a Western context, this is a pretty fundamental distinction between the US and the EU in the understanding (and, crucially, in the implementation/enforcement) of human rights.

I can't pretend to do justice to the long history of the concept, but we can at least say that for the latter, privacy has been considered an important human right since at least the UN declaration of 1948. This has been carried over into European law, see all the iterations on EU data protection laws. The UN statement is Article 12: "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks."

For the US, this dimension of human rights did not deeply inform policy. Here discussion around a "right to privacy" really began in a different context with Brandeis and a right to be "left alone", largely meaning from the press. Many of the cases that inform privacy law in the US are oriented towards such scenarios and do not necessarily translate well to the context of data. See http://groups.csail.mit.edu/mac/classes/6.805/articles/priva.... There is rather a discussion on the accuracy of financial data about a person that stems from credit reporting.

The other area that would have to be discussed is of course wire-tapping laws, but leave that for another day... In sum, the question of a "right to privacy" has a long tangled history even just within the West, but is decidedly a thing in the EU.

Fair point. I certainly don't believe in natural law. I don't think we should fight for a right to privacy because it's inherently owed to us by the universe or some such.

I think we should fight for it because I think it makes life better and because I don't want to live under an oppressive government.

I really don't understand this line of logic on fundamental rights. If you're referring to the UDHR, it's a piece of paper put together by Eleanor Roosevelt a little over half a century ago. It's a human document of arbitrary concepts put together by people who believed enforcing those would improve the world in aggregate.

The idea of basing our sense of right on what is law, rather than basing the laws we write on our sense of right seems to be bafflingly common.

Re your final sentence, there's a possible third option (though your second has merits): coming up with both rules (law) and guidance (rights, ethics, morality) based on what improves the overall common weal.

Another archaic concept, I fear, most days.

I guess I was conflating the latter two...

In my mind:

ethics = definition of what improves the common weal

law (should) = enforcement of said ethics

Hrm. I'm wondering now if there's a possible ethical case for actions which don't improve the common weal. Or how to resolve conflicts between short-term present vs. long-term future outcomes, or other conflicts -- say, your classic Trolley Problem.

I also wanted to note that your dismissal of Fundamental Rights is a good point. I'm finding far more agreement with the Pragmatists (Dewey, James, etc.) than various Natural / Fundamental Rightists. If only because any idiot can jump up and claim "This is My Fundamental Right" and ... all rational discussion stops.

> The second school of thought is individual responsibility. Users should take steps to protect their own privacy on a case-by-case basis, in the same way they look after their own home security or personal safety.

> I personally believe in user responsibility for personal privacy and security, where you can't and shouldn't depend on policy to protect you and that all users should be aware of the issues and actively educated on how to protect themselves.

The problem is that while home security and personal security is something everyone understands on a basic level, the impact of personal information being public or being available to others is not.

Many people believe that whether other people, companies or government agencies or advertisers know some details about their private life doesn't matter much, but many don't understand the potential impact. Perhaps insurance policies go up inexplicably because you googled backache or headache remedies a few times. Perhaps certain political affiliation or opinions can be outlawed and put you on watch lists in the future (think of the McCarthy era in the US).

Many people also don't realize how much information can be derived from your network traffic, even if it is not explicitly present in the data itself.

Educating people on this kind of complexity and nuance is much more complicated than explaining what a fence does, or how curtains work. It would be expensive and hard, and many people won't understand the need for it anyway.

The other problem is that most people's home security is not effective against anything except casual intrusions (i.e. drunk people accidentally entering the wrong house).

'use WhatsApp, use Signal' ... warning people away from VPNs probably isn't going to help.

When you put it that way, I think we should warn people away from "VPN" just like we (now) warn people against "military-grade encryption" because that term is more likely to indicate snake oil than working privacy. So there needs to be a brand like Signal that delivers what VPNs promised.

What do you think "VPNs promised"?

Some VPNs do deliver what they say. They proxy your traffic, and they don't keep logs. Some, such as AirVPN and IVPN, have changed jurisdiction to protect user privacy. PIA has demonstrated in court that it doesn't keep logs.

While I disagree with you in many particulars, I'm grateful for the depth of this comment.

Regarding VPNs, one issue that I'm sure you're aware of but didn't discuss, is that VPNs aren't really a technical privacy solution. Rather, they're a technical solution for moving your privacy concerns from one policy jurisdiction to another that you see as more favorable. That can be private policy (your VPN provider has a better privacy policy than your ISP), or public policy (the Netherlands have better privacy policy than the US). But the policy issues still matter. If every government had a dystopian privacy policy, and enforced it on all of their ISPs and VPN providers, then a VPN would be useless.

VPNs aren't really a technical privacy solution. Rather, they're a technical solution for moving your privacy concerns from one policy jurisdiction to another that you see as more favorable.

Now that is a very insightful and illuminating observation.

> Users should take steps to protect their own privacy on a case-by-case basis, in the same way they look after their own home security or personal safety.

While I agree with your point, home and personal safety are completely broken analogies for this problem. They are regulated heavily by policy (criminal law) and violations enforced by the government (law enforcement).

This is an important difference. Home locks are trivial to pick for even novices, yet we continue using the same locks. Why? Why isn't there an arms race between lock manufacturers/homeowners and burglars? Because there is external enforcement: if your house is locked, even weakly, that is signaling your intent to prevent access and opens a burglar to legal ramifications if they pick it and enter, regardless of how easy it is.

"Everyone is responsible for their own security" is a wild-west fantasy land that we don't live in. And just because you take actions to increase your personal security farther than normal (e.g. guns, dogs, better locks, etc) doesn't mean you get to put fingers in your ears yelling "lalalala" and pretend externally provided security doesn't exist.

Perhaps I should clarify that I am not discouraging the use of VPNs, but I am encouraging more involvement in the policy process. Indirectly, I guess I am encouraging a better understanding about the intricacies of VPN services.

A hybrid approach as you suggest seems agreeable to me.

But does the individual have any chance of winning the battle without at least some policy on their side?

I love how we've been so effective in protecting the users' privacy and freedom in places with adversarial administrations such as China.

How else could we be so confident in our technical abilities, allowing us to just dismiss attempts to influence policy as useless?