Privacy, Transparency and Trust in a Digital World A report into attitudes in the civil societies of five countries
Enabled by:
betterplace lab gut.org gAG Schlesische Str. 26 10997 Berlin Germany www.betterplace-lab.org
This report is published under a Creative Commons Attribution-ShareAlike 4.0 International License. creativecommons.org/licenses/by-sa/4.0/
There is much to gain and benefit from this massive analysis of personal information or 'big data'. But there are also complex trade-offs. – Alessandro Acquisti TED Global Edinburgh, June 2013
Author Ben Mason studied Philosophy and German at Oxford and joined the betterplace lab in 2013. He managed the project, analysed the interviews and survey, and authored the final report text. Contact: ben.mason@betterplace.org
Researchers Ben was ably assisted by Jella Fink, who worked as a Researcher in the lab after finishing her Masters in Anthropology and before setting off to Myanmar to begin researching her PhD. She conducted a number of the interviews by Skype and in person, transcribed many more, and contributed much of the background research.
Brazil
Anja Adler is an Associate Researcher for the betterplace lab and is currently completing her PhD in Political Science.
China
Joana Breidenbach is an anthropologist and author of numerous books and articles. She co-founded the betterplace lab in 2011. Pál Nyíri is a Professor of Global History from an Anthropological Perspective at Vrije University in Amsterdam and has co-authored several publications with Joana. Helpfully, he also happens to be fluent in Mandarin.
Germany
Kathleen Ziemann holds a Masters in Cultural Studies, and in 2012 – the same year as joining the betterplace lab – she also trained as a Design Thinker at HPI Potsdam.
India
Medje Prahm has an MA in Philosophy and Economics from Bayreuth. As an undergraduate she also studied Indology and speaks good Hindi.
Indonesia
Dennis Buchmann has a background initially in biology, then in journalism, followed some years later by a Masters in Public Policy. Dennis co-founded the betterplace lab with Joana.
Our sincere thanks go to our partners at Mozilla, whose support made this research possible. The betterplace lab then conducted the research and compiled the following report with complete editorial independence.
4
Contents 6
Foreword
7
Summary of Key Findings Part I: Introduction
8
Data deluge
9
The aim of this report
10
A moving target Part II: Country Profiles
11
Brazil
14
China
17
Germany
20
India
23
Indonesia Part III: Comparative Analysis
26
How do people think about privacy? How do they define privacy? How much do they care? What do they want to be protected from? Which data do they want to protect and why? Are their opinions changing?
30
How do people think about transparency?
31
How do people behave online? What measures do they take? Is your name really washingtonirving2000? Does concern actually translate into action?
34
Who do people trust? Which services do they trust? On what grounds? How trusted are NGOs, the government and others? So who do people think should act?
37
Conclusion
38
Appendix & Notes
5
Foreword
T
he Web is here to stay – yet it still divides opinion. There are optimists, like the Mozilla community and like the betterplace lab team, that believe the Internet can be a powerful force for good in our society – by making information and services available to all, by letting citizens speak, be heard, and hold the powerful to account. But this is not the full picture. Throughout the Internet’s relatively short history, we have had to contend with a series of menaces threatening to shackle or undermine this public resource. At one time we were suffocating under an avalanche of spam emails and pop-ups. Today we’re asking how we can protect individuals’ privacy when every click may be monitored by data mining corporations and state surveillance agents. Seeing the challenges arising from the new abundance of digital data in this historical context is enlightening. It shows that keeping the Web in the hands of its users is possible, but it requires ongoing work, determination and vigilance. Mozilla has played its part in this, for instance with the “Do Not Track” and “Lightbeam” projects. However, issues of data privacy are much less straightforward and riddled with dilemmas than virus protection, for example. Maintaining my private sphere might have to be balanced against access to good software, or personal or national security. The social sector, which this report focuses on, throws up some particularly interesting dilemmas to do with data. Increasingly NGOs, foundations and governments are realizing the potential benefit to their work
6
not just of using a range of digital tools, which might act inappropriately with their data, but also collecting, storing, analyzing and disseminating data for themselves. Data-centered approaches let social sector organizations better understand the problems they seek to solve, work more effectively, and demonstrate that effectiveness to the outside world. But these opportunities come with risks attached. What’s needed is global public discussion about when and which kinds of privacy are important for us to protect online, and how we can do this. This is an important issue for everybody and should not be left to a small number of “experts”, so we also need education so that people understand the issues, risks and dilemmas involved. This report is both a contributions to this nascent discussion, and it shows the current state of knowledge of, and current opinions of, groups which will be absolutely key participants.
Dr. Joana Breidenbach Founder, betterplace lab
Summary of Key Findings • Everybody, when asked, will tell you privacy is important. A significant result, but not a very enlightening one. Only by approaching the issue more obliquely do you reach a differentiated understanding. • German and Indian philosophers, Chinese and Indonesian pragmatists. Everybody we spoke to in Germany (p.17), and almost everybody in India (p.20), felt what we might call a “philosophical” attachment to privacy, as something inherently worth protecting. To our surprise, this seemed less universally felt in Brazil (p.11). And at the other end of the spectrum, the attitude in China (p.14) and Indonesia (p.23) seems to be more pragmatic: people are concerned about protecting information when the consequences of not doing so are tangible and direct, such as fraud or defamation. • Some action … and a sense of guilt. Most people take just simple steps to guard their privacy online. It’s rare for people to make a principled shift to software that is more secure but less usable. And we encountered a lot of self-criticism, people felt guilty about not doing more. • Transparency is more opaque. Or at least, much more so than privacy, the term means different things to different people. In China, data transparency isn’t much bothered about. In Indonesia they demand it from their government more than from their software. In Germany and Brazil they want data policies that are not just public but clear and accessible. In India they also want to know about motives: not just ‘what’ and ‘how’ but also ‘why’. • Trust is personal. The main criterion everywhere for trust was a personal connection or recommendation. In China and Indonesia this runs deeper, with an underlying mistrust of automated processes generally. • Blurred concerns. In the minds of many people these issues are strongly associated – perhaps even conflated – with more familiar strands of cybersecurity: protection from viruses, hacking, and fraudsters of various types. In China and India especially, these remain more pressing concerns than data mining.
7
Part I: Introduction
Data deluge
D
ata has become ubiquitous. As our lives become ever more digitized, more and more of what we do is leaving a digital trail. Perhaps this was once a coincidental by-product of the way we built our software. But companies, governments, and others soon realized the many uses and the formidable power of “Big Data”. Now, whether we welcome it or not, how we want our data to be treated has become a pressing question of our time. It is a little over one year, at the time of writing, since the actions of Edward Snowden caused global tumult by making the world aware of mass government surveillance of online activity. In the intervening months issues of privacy, transparency and trust in digital communications have gone from to an esoteric concern of specialists to contentious topics many people care about. But levels of knowledge and concern are not evenly distributed – they vary between places and different groups. This report aims to understand and compare attitudes towards data privacy and related issues among people working in the social sector in Brazil, China, Germany, India and Indonesia. BACKGROUND Since 2009, the betterplace lab has been investigating the intersection of the digital and the social. The dawning of the “digital age” has caused huge changes for organizations in every sector – the social sector included. Many of these are positive, and much of our work is involved with showing the potential for digital tools to make the social sector more effective. But this
8
change also requires new skills and raises unfamiliar problems. We try to understand these too, and help where we can. LAB AROUND THE WORLD 2014 This year we abandoned our desks in Berlin Kreuzberg and set off on our first major research expedition. “Lab Around the World 2014” saw our team of ten researchers setting off to 14 countries across five continents. We wanted to uncover pioneering new projects using digital technology to address social problems. And we wanted to talk to the people behind such projects about their experiences, and get a better understanding of which factors are important in provoking and sustaining innovation. OUTLINE METHODOLOGY Our research brought us into contact with people from a range of organizations in the social sector, from more “traditional” NGOs in civil society to digitally focused social entrepreneurs, from academics to activist bloggers. In the five countries selected for this report, we conducted qualitative interviews with a broad range of these to try to understand their attitudes and assumptions around these issues. In addition we produced an online survey in four languages and collected responses from others in the sector to more concrete questions about online behaviour. Our analysis in what follows is drawn from these two data sources, combined with desk research about background context and conditions in each country. (See appendix for more detailed methodology.)
Part I: Introduction
The aim of this report WHY CIVIL SOCIETY? Our target group as described above, which we will refer to collectively as the “civil society”, is broad. But in their diversity, its constituents share one central characteristic: they belong to organizations committed to addressing social problems. One way or another, they aim to help people. To those who are interested in data policy and internet governance, the opinions of this group matter. They are opinion leaders whom people listen to. What’s more, their values tend to be progressive, and their priorities are primarily social rather than commercial. You might ask who, if not this group, will be concerned and vocal about protecting individuals from those with malign intent – online as offline. And to those interested in helping the helpers, these are important issues. For organizations that routinely deal with sensitive information, questions about how to handle it appropriately will get more urgent, not less. Gauging will only get more urgent levels of understanding and engagement are a precondition for knowing how to educate and support. PICKING APART SEMANTICS Discussions about personal data online are awash with loosely defined terms such as “privacy” and “cybersecurity”, “transparency” and “accountability”. Whilst in the mouths of technology or policy experts these words have a clearly defined meaning, to many non-experts they summon only a vague sense or feeling. Or mean different things to different people.
This can quickly lead to people talking past each other, and is a major obstacle for a constructive public discussion of these issues. A central aim of this report is to discover what members of particular groups mean and understand by key terms, what definitions and connotations come to mind. We focused on three words in particular – privacy, transparency and trust – and sought to find points of consensus or divergence in the way people understand, think and talk about these concepts. WHO CARES? WHAT ABOUT? Beyond scratching away at what people know or understand by certain terms, we sought to find out how seriously these groups take such questions. Are they felt to be important? Or an irritating distraction? Or not worth bothering with at all? Which aspects of these issues do people care about? People say actions speak louder than words. We also tried to discover to what extent professed engagement translated into actual changes in behavior. How might people’s perceptions about these issues influence their future choices? Finally, we have tried, in both content and presentation, to make this report as accessible as possible – including to those with little prior expertise around matters of digital data, or little prior knowledge about the countries studied. This includes presenting our findings within a broader context, by drawing on other sources to give a fuller picture. We hope the result is accessible and engaging to anybody who also feels these are issues worth thinking about.
9
To maintain the anonymity of our interviewees, we refer to them only by initials in what follows; the online survey was anonymous.
Part I: Introduction
A moving target
T
his subject matter is not standing still. For one thing, digital technology generally, and technologies for harvesting and analyzing data specifically, are progressing and changing constantly. Moreover, people’s perceptions of and attitudes towards these topics – that is to say, the object of study here – are arguably changing even more rapidly, as public discourse tries to catch up with the technology. News stories play a significant role in shaping these attitudes (exactly how significant is among the questions we try to answer), and fresh stories continue to emerge. Our interviews in Brazil were already completed, for example, by the time the NETmundial conference took place in São Paulo (see p. 12); as were almost all of our German
10
interviews when the European Court of Justice upheld an individual’s “right to be forgotten” (see p. 18); the list could go on. Even in the space of a few months, attitudes and perceptions continue to develop. That we’re trying to take a reading whilst the ground is moving comes with the territory. It’s therefore impossible to present the objective and definitive situation in each country (our limited resources and sample size would also make such claims hubristic). What we can do is offer an insight, a snapshot of these influential groups’ perspectives at a certain moment. For this group, these are valuable questions to answer for the reasons outlined above and, to the best of our knowledge, this is the first research trying to do so in a systematic way.
Part II: Country Profiles
Brazil BRAZIL IN 2014 Brazil is digitizing rapidly. The number of broadband subscriptions has more than doubled since 2009.1 It is also a startlingly young country: of over 200m inhabitants, more than half are aged 30 or below.2 A combination of these two factors means that a large portion of the population will to some degree have grown up with the internet – and specifically with web 2.0 services. They are avid users of social media: only the USA has more Facebook users than Brazil.3 And on the whole, the users view these products with enthusiasm and without much (critical) media literacy. PRIVACY Brazilians have an established and far-reaching culture of sharing. For instance, in a time when many Brazilians lacked access to basic services such as electricity and water, improvised (and often illegal) sharing of these between neighbors became common. The name for this, “Gambiarra”, has come to denote such sharing of services at the base of pyramid.4 And there are reasons to suppose this mentality of openness has flowed into people’ s attitudes to privacy online. Interviewees agreed that most don’t have a problem with sharing personal information such as their location and search data. To put it differently, people when asked would offer a fairly “conventional” definition of privacy – along the lines of an individual’s right to determine what information is kept about them and how it is used. But the way Brazilians use the internet does not suggest it is a dominant priority.
At the same time, though, Brazil is becoming a beacon in data privacy policy, both internationally and domestically. In September 2013, President Dilma Rousseff gave a speech to the UN attacking spying by US agencies 5, and Brazil co-sponsored a UN resolution on the “Right to Privacy in the Internet Age”.6 In April 2014, São Paulo hosted NETmundia, a “global multi-stakeholder meeting” on the future of internet governance. This was the most concerted effort seen so far to push the issue internationally. Admittedly, commentators such as Privacy International and Index on Censorship were disappointed with the results, which they found to be watered-down and conservative.7 At the opening of the conference, President Dilma signed into law Marco Civil da Internet, the first national “Bill of Rights for the Internet” anywhere in the world. Our field research took place before the conference, and whilst the details of the Marco Civil were still being debated. In fact, rather than its various measures on data protection, it was the bill’s enshrining of the principle of net neutrality that sparked the most discussion and attention, because this was opposed by telecommunication companies. These then-current political events were rarely raised in our interviews. In fact, interviewees were also in unanimous agreement that they remained “elite topics”, and not generally considered important beyond a clique of political and civil society activists.
11
Part II: Country Profiles
TRUST AND TRANSPARENCY Transparency was generally understood to mean that a website or piece of software makes it clear which data is being used and how. Three interviewees went beyond this, stipulating in addition that this information
Companies like Google are much more trusted than NGOs or the government. must be presented in an accessible way. P.M. suggests flowcharts which visualize for the user what is happening to their data. O.F. says: “Normally the important information is there, but it is hidden behind a whole load of less important information and so it deliberately gets lost. The companies know this and so do we. They should be more open and direct.” In practice, all interviewees agreed that the public trusted companies much more than they trust NGOs or the government. Facebook and Google are not generally seen as sinister or untrustworthy but rather as innovative and inspirational brands. (There are some exceptions: O.F. says: “I don’t trust any company any more, and it will take a lot of time to win that trust back.”) More or less everybody we spoke to uses at least some Google products. This mistrust on NGOs and the government is largely down to the fact that for many decades the two have been working far too closely together and there have been numerous scandals of corruption and inefficiency. 8 In response, the government seems to be cleaning up its act with regards to transparency with a couple of pioneering e-government projects. 9
12
CIVIL SOCIETY ORGANIZATIONS Unfortunately, no such movement towards transparency and encouraging participation has been evident amongst the bulk of Brazilian NGOs. Most local NGOs are not particularly professionalized. They lack expertise when it comes to privacy protection and related issues. Even bigger and more established organizations who are more conscientious about such matters seem to lack a codified data handling policy. The exceptions seem largely to be the local branches of global organizations;
“We need to be open. Our work is based on building trust.” – O.F. a large, predominantly internet-focused campaigning organization we spoke to, for instance, has its own national manager of privacy and data protection issues. There seems to be a growing awareness amongst many in the social sector that the nature of their work in civil society requires an increasing level of transparency in their digital activities. N.V. says: “Professionally, everything I do is public. I work with so many stakeholders and they need all the information to do their work.” Similarly, O.F. says: “We need to be open and collaborative. Our work is based on building trust.” Since 2011, all NGOs that receive government funding are required to actively provide information about their finances, organizational structure and the like. We weren’t able to establish how well this system is working, and to what extent it is prompting organizations to be more accountable. As noted, it does not yet seem to have improved the general reputation of NGOs.
Part II: Country Profiles
WHAT’S CHANGED? There was certainly a peak of public and media attention last summer as the Snowden revelations were unfolding (not least when it was alleged that President Dilma had had her personal phone tapped). To look at the newspapers, it would seem this interest has persisted: O Globo, Brazil’s foremost paper, still contains fairly frequent mentions of the terms “NSA” and “Snowden”, and an exclusive interview with Edward Snowden on the Fantastico current affairs program in May generated considerable media excitement. 10 However, our interviewees tell a different story, and describe interest as short-lived, at least on the level of the general public. Within the social sector on the other hand, there is some evidence, albeit anecdotal, of increased awareness, specifically around data security. We spoke to the founders of a “School of Activism” who said they have seen increasing concern on this issue. Among the various courses they offer to NGOs and activists, the workshops on data security have been the most requested – so much so that they had to organize five additional courses last year to meet demand. The interviewees typically did not adopt new tools or change the software and services they used due to privacy considerations. Only two of them mentioned encryption, for instance, and both were in some way active in the area of digital privacy. (Similarly in the online survey, only one Brazilian respondent said they used email encryption, the lowest rate of any country – see p 32). Instead, people were more likely to claim they had adapted their behavior so as to use the same services as before but in a more careful way. Several mentioned habits such as not logging in when not necessary, not using a Facebook-login to access other sites, or being more reluctant to upload photos and other data.
SUMMARY Whilst Brazilian politicians are leading the world in terms of data privacy legislation, the same engagement does not seem to be reflected in other parts of the population. In the social sector, and even more so in the population at large, there is some latent awareness of these issues, but it is not a central topic of discussion and seems to result in almost no practical action. The attitude, in the words of D.M., is rather “a mixture of resignation and not caring”. Possible reasons for this include a young population who are inclined to use online services eagerly and uncritically, as well as practices of sharing rooted in pre-internet traditions.
13
Part II: Country Profiles
China CHINA IN 2014 China’s status as an emerging super -power, not only in the economic and political but also the digital domain, is unquestionable. It has by far the highest number of internet users of any country – an estimated 621 million.11 The population’s relationship with the internet is complex and deeply rooted in socio-political tensions and transformations. China presents a real challenge to the idea of the internet as a global, and globalizing phenomenon. Firstly, because the internet that most people have access to is strictly policed by means of a state-imposed firewall (see box below). And secondly, because the way the internet is used – in terms of the most popular sites and software, and in terms of culture and behavioral norms developing around it – are so far removed from other parts of the world. PRIVACY The very concept of personal privacy in China is different from the model found in Western liberal democracies. Traditional ascriptions of identity at a collective level, such as the family, are evolving into a more “individualized” understanding, according to some scholars.12 However, individual privacy as a value deserving of protection remains a fairly new concept. The concept has nevertheless become widely used and refers to a person’s intimate sphere: family information, address, where children go to school, and financial information. The latter has become an extremely sensitive topic amongst economic and social elites. Public officials in particular have
14
become extremely concerned about accusations of taking bribes or embezzling funds. This is driven by the phenomenon of Renrou Sousuo (literally: “search for human flesh”), whereby an individual is publically exposed online for violating social, legal or moral norms, thanks to information obtained digitally. The practice sits in a gray area, both legally and morally, but has become widespread. Hence this kind of personal information – for instance what kind of watches or cars an individual owns – has become socially explosive. For ordinary members of the public and people in civil society, protecting their privacy online simply isn’t an issue. On the strength of our interviews, people mainly seem to think in terms of protection from vi-
“Everyone in China knows their data will be seen by the government.” – L.F. ruses, and perhaps to a much lesser extent about data theft. When we asked about special measures or software for safeguarding privacy, interviewees immediately assumed we were talking about climbing the wall (see box below). There is unanimous acceptance in China that the government will record and monitor internet activity, to the point of resignation. P.N. says: “Whatever the government wants to know about you, they will find out [...] The general attitude is that there’s nothing you can do about data security, so let’s not be
Part II: Country Profiles
too worried about it”. G.Y. says: “There is no way to avoid the government looking in. I will just say the same thing within private and public.” Even in the hacker community, although there might be more of a fighting spirit, very few think they can really protect themselves against surveillance or that it’s worth the effort. The question of personal data protection did arise in a spat between two of the country’s digital giants in 2010. Qihu 360 accused QQ, one of the most popular instant messaging platforms in China, of collecting users’ private data and monitoring their computers. Qihu developed a free patch which let users disable some of QQ’s features, and QQ retaliated by making their software incompatible with that of Qihu 360, forcing users to choose between them. Following government pressure, the two companies stepped down from their battle, but the flickering debate around privacy was left unresolved.13 TRUST AND TRANSPARENCY When asked about transparency, our interviewees talked exclusively about financial transparency and not about a data transparency policy. Why? There is simply no public discourse about this topic. As such, trust in a website is couched not in terms of data transparency but rather whether or not the site is real, in the sense of offering real services and information rather than a fake or scam. This is judged partly by advice and recommendations from friends, and partly by the level of usage. W.J., who works for a donation platform says: “the main criteria for trust is whether there are a lot of people using it. That’s why it’s so important that our site looks so full. Trust is established not only by people donating, but by people watching their friends do so.” Since fear of being cheated in all sorts of ways, from fake foods and poisonous baby
formulas to financial scams and corrupt officials, is ubiquitous, trust in organizations such as businesses, hotels, restaurants etc, is very low. In response to this, multiple systems of government certification, including brass plates put up outside the establishment, provide some indication of trustworthiness (despite some skepticism about the process). NGOs are widely mistrusted – see below. General opinion of foreign companies such as Google is not clear, although they are generally more trusted than their domestic counterparts. Google specifically has gained a lot of fans within a niche user group, where it has been seen as a hero since refusing the government’s demands to filter search results. Immediacy in communication is extremely important to users, and real-time communication is much more widely used than in the West, both in personal and professional settings. This is in large part a question of trust: people are less trusting of automated processes and services, believing that direct personal contact is the best way to get things done. People use email much less, and trust its effectiveness much less – rightly so because many people never respond. CIVIL SOCIETY ORGANIZATIONS Civil society organziations are widely viewed with suspicion, after numerous high-profile scandals.14 Many NGOs today are attempting to (re)establish trust by providing highly detailed proof of their work and how funds are being used. For example, all donors to the charity Free Lunch receive a daily text message detailing precisely how many meals were provided and what was served. Most social enterprises, NGOs and foundations seem to have formalized a data handling policy. Larger organizations and companies have very detailed and
15
Part II: Country Profiles
WALL-CLIMBING In 2003 the Chinese government first implemented the Golden Shield Project (金盾工 程), a censorship and surveillance project which restricts the internet sites accessible from within the country. A primary purpose is to restrict access to information the government deems threatening or inflammatory, such as about human rights activism and political dissidents. Perhaps unsurprisingly, it has become more commonly known as “The Great Firewall of China”, or simply “the wall”. It is public knowledge that the wall exists, and that strategies exist that let one “climb the wall” and access the (truly) World Wide Web beyond, often involving the use of proxy servers. Climbing the wall is fairly common amongst educated Chinese internet users, and in some circles is a kind of badge of honor. Admittedly, it seems people may be climbing the wall less than they used to as more and more information becomes available in Chinese. But certainly amongst university students and digital professionals, wall-climbing is normal.
strictly guarded policies (so they say). But all agreed that giving or selling data to third parties isn’t good practice. We spoke to a large crowdsourcing platform which sends all users a statement about their data, confirming it will not be used by third parties. WHAT’S CHANGED? The Snowden/NSA stories were reported in the Chinese media, but they fit in as just a part of a much broader narrative of internet politics. In the state media, the revelations were treated as evidence of US hypocrisy on cyber-theft and hacking (the general tenor being that the US likes to complain about Chinese hackers, but in reality everybody is at it). Since then, the government has used arguments of this kind to ratchet up a discourse of cyber-protection and vigilance – with volume peaking when hackers linked to the Chinese military were indicted by a US court in May 2014.15 Many interpret this as a ploy by the state to justify and extend their practices of surveillance; others have claimed it has more to do with protecting Chinese business interests. In April 2014 the government held a “Cybersecurity Day”
16
in Beijing, but this seems to have been more a gesture than a genuine campaign for awareness. SUMMARY The framing of issues of online privacy and transparency – and indeed of the internet more broadly – is fundamentally different in China than in other countries. In in civil society as we encountered it, and the wider population, it seems that issues of government surveillance and commercial data mining are not much thought about or discussed. Instead, concern focuses on protection either from viruses that cause direct harm or activities that cause direct financial loss such as theft of banking information, fake sites or scams. A notable exception is personal information about senior officials and people in positions of power, which may be used against them in online “human flesh searches” – on either side, people have become passionate about respectively unearthing or suppressing such data. Government surveillance of the internet is universally accepted as inevitable.
Part II: Country Profiles
Germany GERMANY IN 2014 As a highly developed and prosperous European economy, uptake of digital technology is more established and widespread than in the other countries in this study. A large majority of the population – 84 percent – uses the internet.16 But since the population is older (meaning proportionally fewer Digital Natives), we might expect them to approach technology more cautiously or critically. PRIVACY Our interviewees were clearly concerned not only with the amount of information about them that has been digitized, but also feel vulnerable about its potential to be used by others with questionable motives. Half said they felt transparent or “glassy” (“gläsern”) – an idiomatic German phrase expressing that one can be seen through by anybody who wants to know anything about you. It is clear that the majority feel they currently have unsatisfactory levels of privacy online and that they would prefer to use the internet anonymously or, as G.S. says, “be left alone”. Germans are comparatively sensitive on matters of individual liberty and privacy. This may be in part traceable to their twentieth-century experience of oppressive regimes. Until the 1990s, state surveillance of citizens in what was then East Germany was extensive, leaving greater awareness of the dangers posed in the collective consciousness even today.17 Certainly in the aftermath of the NSA revelations in 2013, outrage was fiercer in
Germany than most other countries. This sentiment was only exacerbated when it was alleged that the phone of Chancellor Merkel, a popular figure, had been tapped by American security services.18 Even many months after the first revelations, it continues to be a frequent topic in the German press, and proves an ongoing point of tension in German-US relations. Prominent journalist Holger Stark criticised the German government for reacting to the crisis so diplomatically, calling it a threat to the foundations of democracy. 19
The majority of interviewees feel they currently have unsatisfactory levels of privacy online. The Pirate Party (Piratenpartei), an international political movement campaigning for individual privacy and rights online, has had its greatest success in Germany, winning seats in several regional elections, though its popularity has declined and its future is unclear. 20 The legal situation is in flux. Germany has a Federal Data Protection Act, which is drawn from clauses in the constitution securing personal rights. But Germany is also subject to regulation on a European level, such as the European Commission’s planned General Data Protection Regulation (GDPR) 21 and the European Court of Justice’s “right to be forgotten” ruling in May 2014. 22
17
Part II: Country Profiles
Several interviewees said they had to accept a trade-off of paying for services with their data rather than money. However a recent study showed that Germans, relative to other nationalities, are unwilling to make such a trade (see p. 21–22). Most were critical of their own behavior to some degree, saying that they could and should do more to safeguard their own privacy. If this suggests people believe these matters are the responsibility of the individual, other statements point in the other direction. J.P. sees data security as “a political-structural problem and not necessarily based on the user’s responsibility”. F.R. also feels that the government is not doing enough on the issue. Two interviewees say they have a feeling of relative protection in Germany, and others say they prefer German email providers to American ones, believing them to be more secure. TRUST AND TRANSPARENCY Trust and transparency are often mentioned in the same instance; S.P. says “transparency is one component of trust”. Transparency is also clearly related to personal data, S.P.’s contention that “transparency stands for being able to review things that are related to me” reflects the general view. Nearly all interviewees felt that companies did not offer high enough levels of
Interviewees were unsure of who they can trust more between government and corporations – seeing both as unsatisfactory.
18
transparency. S.S. accuses them of “trying to maintain an image of trustworthiness whilst not acting trustworthily”. A.I. suggests that to be trustworthy, a company would have to go beyond what is legally required in terms of transparency. The NSA scandal did considerable damage to the trustworthiness of government in the eyes of the interviewees (note the interviews took place before further claims of German cooperation with American security services). 23 J.P. talks explicitly of protection not just by but also from the government. Only a minority (two interviewees) were less critical when it came to government surveillance, saying that its purpose is to prevent terrorism and they personally had nothing to hide. All of this leaves interviewees uncertain which of the two – governments or corporation – they can trust more, seeing both as unsatisfactory. As a source of information about software, interviewees clearly trust friends and colleagues above all. Some mentioned other sources, such as the specialist magazine Gründerszene. CIVIL SOCIETY ORGANIZATIONS All interviewees were aware that their organization had a data handling policy in place. Requests or questions by users or beneficiaries regarding data handling were not common, but all interviewees said they would be willing to meet with such requests. Interviewees generally agreed that it was important for civil society organizations to appear transparent, which M.S. and G.S. both said “simply means being transparent.” One of the organizations we spoke to provides a service where users write their own profile, meaning the user is in control of what data is collected and what is made public. Another organization uses data for
Part II: Country Profiles
research and analysis, but with a policy of not saving IP-addresses to ensure that data remains anonymous. WHAT’S CHANGED? All interviewees were well aware of the NSA revelations and surrounding controversies, although some said the revelations had only confirmed what they already suspected. All interviewees now assume that their online communication is, or can be made visible and adapt their behavior accordingly. J.P. uses TOR, Bitcoin, PGP, TextSecure, Threema and DuckDuckGo, in an attempt to leave as few traces as possible online. Two other interviewees said they had uninstalled the Facebook app because it demanded too much data. However, more common than switching to different software, is a strategy of withholding personal information, providing only the minimum amount. Every person we interviewed claimed to do this. At a certain point, such action runs up against the convenience of these tools. The sale of WhatsApp to Facebook was a much-cited example in the interviews, and many said that although they felt they should stop using it, they had not done so because their contacts had stayed with the service.
SUMMARY On the whole the interviewees had a high level of privacy awareness online. In terms of how they acted on this knowledge, the group divided roughly in half, with one set of advanced users employing various tools to protect their privacy as much as possible, and the other half either unsure what action they should take or sticking with the same tools and practices for the sake of sheer convenience – albeit often with a bad conscience. Many said they wished for more protection from the government or other institutions, but there was also a clear sense that the individual bears some responsibility for protecting him- or herself.
19
Part II: Country Profiles
India INDIA IN 2014 Economically, and specifically in terms of digital technology, India is much touted as a rising giant. The country’s “digital elite” comfortably keeps pace with Western counterparts, with the latest smartphones and laptops, as well as world-class expertise. However, this elite is increasingly removed from the majority of the 1.2 billion population, of which only 16 percent use the internet. 24 In the coming years, this gap may narrow as mass availability and uptake of cheap smartphones drive up usage. PRIVACY Conceptions of privacy varied between respondents. Most framed their answers in terms of access to personal data, but some felt it important to actively restrict who had access to which data, while others adopted the more passive stance of simply wanting to know and have their permission asked. R.J. defined privacy as follows: “that [data] is not used in that sense for a commercial gain, without the permission of the people who are going to be involved.” Our interviewees were essentially unanimous in claiming they held privacy to be very important – only one said he was not concerned about the privacy of his online data. However, this abstract awareness of the issue seems in large part not to translate into users becoming better informed and acting accordingly. Three interviewees describe themselves as “digitally illiterate” and several say they should make more effort to secure their data. This ambivalence also plays out on a legal level. In principle, the national constitution
20
enshrines various kinds of freedom, but there is no legislation specifically protecting citizens’ privacy when it comes to digital data. 25 This means the government was able to introduce a Central Monitoring
“Privacy is intrinsically linked to security.” – A.S. System in 2013 which tracks all domestic internet traffic and well as email content and mobile phone activity. 26 It’s not yet clear what this data will be used for, and although some activists made vocal their opposition, it received little attention in the mass media and none of our interviewees brought up the subject. A.S. echoes several other interviewees when she says “for me privacy is intrinsically tied to security”, implying that they see more risk from external appropriation by hackers for instance, than misuse by those that collected the data. R.S. took a different perspective, arguing that unjust appropriation and selling of data was more a problem of corruption than security. R.J. cited as an important requirement for trusting a piece of software that it could not easily be hacked. Possible abuse of banking information was the greatest cause for concern, not only due to risks of fraud and theft but also because of the sensitivity of the information. A 2013 survey found people in India most prepared of the 15 countries examined to “trade privacy for convenience” (Germans
Part II: Country Profiles
were the least prepared to do so). 27 From our interviews there was some reason to believe that the same mindset is shared by our sample group. Two interviewees gave responses couched explicitly in terms of a “trade-off” between privacy (in terms of handing over data) and value. TRUST AND TRANSPARENCY Although Indian interviewees were certainly aware that their personal information was frequently being passed on, most stated that they do not understand the processes or motives involved. Their understanding of transparency seems to come down largely to this point: not only which data is used and when, but also why. This is most concretely shown in regard to advertisements. Interviewees sensed that the targeted advertising they received stood in some relation to personal data, but the opaque process leading from one to the other was identified as a case of intransparency by nearly all interviewees. Google is viewed particularly negatively in this regard. Whether or not interviewees trust a particular piece of software often seems to have a large intuitive element. Many of them recounted personal anecdotes of experiences that caused them to lose trust. When G.G. connected with somebody named Sarah on LinkedIn and was suggested other people with the same forename, his first reaction was bemusement, finding it “stupid”, but said the experience had also diminished his trust in LinkedIn. Interviewees above all said they trusted their social network – friends, families and colleagues – as sources of information on the data credentials of different software programs, with only two mentioning online ratings services or forums: A.S. says “For me, it depends on the trust in people who recommended it [the software]”.
CIVIL SOCIETY ORGANIZATIONS Interviewees generally took more care with data protection when using other people‘s data in their line of work than their own – highlighting email addresses and bank details as especially important to protect. All of them said their organizations had a data handling policy and several cited specific technical measures such as software that manages the bank details of donors whilst preventing employees of the organization from accessing them. Nearly all of them knew the location of the servers they used for data storage. Disclosure of the religious affiliation of an organization’s beneficiaries was a major worry amongst several interviewees. This seems to be an extremely charged topic in India with various forces (we weren’t able to establish very clearly who) agitating for or against preferential support for different religious groups. Some went so far as to say disclosure of this information would be “dangerous”.
Disclosing the religious affiliation of an organization’s beneficiaries would be “dangerous”. Regarding transparency, several interviewees talked about the legal and moral obligations of social organizations working with public money to be more open and transparent. R.J. said: “In the private sector a lot of expenditure is incurred in trying to ensure the privacy of the data remained, and that it does not go into the public domain. That is not applicable when it comes to organizations which use public money.“
21
Part II: Country Profiles
WHAT’S CHANGED? When asked about changes in their attitude over the past two years, nearly all interviewees agreed that they have become more aware of potential dangers online, but only four out of ten referred specifically to media coverage of the NSA and Edward Snowden. Certainly these stories have been extensively covered by the major Indian newspapers. However, in general the media seems to treat the subject of technology with a certain tone of optimism. The extent to which this increased awareness has translated into changes in behavior varies. Two interviewees use the email encryption software TextSecure and one uses SnapChat specifically to prevent tracking. But adopting alternative software does not seem to be a common strategy. Although Google applications were most frequently cited as services people were cautious of, only one said they had adopted an alternative service (DuckDuckGo). This might have to do not only with being uninformed but also a kind of widespread cynicism. K.J. recalls: “WhatsApp was acquired by Facebook and a lot of people said: ‘let’s move to Telegram’, and it turns out Telegram’s promises were not true either.” Two interviewees stopped using Facebook, but in the absence of adequate alternatives sooner or later started using it again. More common is choosing to withhold certain information – particularly bank details – in digital activity, and refusing to install software which appears to demand too much data intrusion.
22
SUMMARY Data privacy and transparency are regarded as important topics by almost all of our Indian interviewees, and are taken all the more seriously in the context of their professional work. There is a moderate awareness of data mining practices, which tend to be viewed critically. But these relatively new concerns are outweighed (and perhaps to some degree mixed up with) cybersecurity fears more broadly: hackers, fraudsters, and parties who would seek to use information about an organization to discredit it on political grounds. Only a couple of interviewees with prior expertise on these issues had developed a clear strategy to protect their data; the majority might behave slightly more discreetly online, but seem more prepared to accept a “tradeoff” of privacy against receiving quality services free of charge.
Part II: Country Profiles
Indonesia INDONESIA IN 2014 Since the fall of the authoritarian “New Order Regime” under Suharto in 1998, Indonesia has been on a trajectory of rapid change. On a political level, there has been a concerted shift towards democracy and greater transparency. Economically there has been strong growth. 28 This change has also included society enthusiastically embracing digital technology, smartphones, the internet and – above all – social media. Indonesians, at least in the major cities, tweet fanatically and use WhatsApp incessantly. INDONESIA’S ATYPICAL CIVIL SOCIETY Because the country was closed off until so recently, a social sector and civil society as such are now emerging for the first time, and with a very different composition to the model that has developed in other countries. Few Indonesian NGOs fit the mould familiar in Western countries. More prevalent are loose-knit and more or less informal networks of activists and individuals engaging and campaigning around a particular issue.29 This structural variation, or at least the extent of it, was a surprising finding of our research. In the context of the current study it poses some challenges for our analysis, since not only is the group being examined different from the other countries, it also stands in a somewhat different relationship to society at large. Just over half of our interview partners belong to this new breed of informal network organization, which tend to be tech-savvy, with generally high levels of awareness around the topics of this report. (Although anonymous, the bulk
of survey responses appear to have come from this group.) The interviewees were at pains to point out that their views were not the norm amongst the general population, or indeed other parts of the social sector. In what follows we try to counteract this inadvertent selection bias and present a more general picture of the sector and population as we perceive it to be. PRIVACY The enormous propensity in Indonesia to share, noted above, doubtless has some cultural roots. As in other Asian societies, identity has traditionally been conferred more strongly by family and ethnicity than in more individualistic Western cultures. And in part it’s the exuberance of being able to speak so freely; D.B. says: “since the end of the dictatorship, people just love to talk – a lot!” When it comes to the importance of privacy in online activities, our interviewees gave the impression that Indonesians were
“Data security is not a big issue for us now.” – A.S. neither especially informed nor concerned. “Yes, it’s important to us,” said D.S., “but we don’t think about it a lot.” A.S. says: “ [Data] security is not a big issue for us now”. Those that were themselves engaged with the topic were clear that this put them in a minority; in the words of one: “Indonesians are simply not interested in a private sphere online.”
23
Part II: Country Profiles
When using services such as Google and Facebook, people seem to have very few qualms about entering personal data, instead enthusing about getting so many quality services free of charge. “I heard that some people take this [privacy] quite seriously,” says D.S., “but up until now me and a lot of my friends just think that it’s useful for Google to increase and improve their own services.” Although government transparency is an important issue in civil society (see below), government surveillance was barely mentioned by interviewees as a potential danger. Instead, M.R. mentioned a concern with keeping their data private from journalists. He said that as a public figure, he didn’t want people talking about his private life. We were assured by two of the activists who are more familiar with these topics that the great majority of Indonesians would be unwilling to pay for a service on the grounds that it offered greater privacy protection, not if there were a free (but less private) version available. Security, rather than personal privacy, is an issue gradually gaining in importance, particularly in online banking and commerce. B.R., who has worked advising banks on this topic, says: “The demand for more data security is growing, but not as quickly as we were anticipating.” TRUST AND TRANSPARENCY Google in particular seems to enjoy a high level of trust – people either believe or assume that it must be taking care of data privacy in a satisfactory way. P.S. says: “I use Gmail, which handles all the privacy issues automatically. We assume that popular services like Drive and Dropbox handle privacy quite well.” D.S. said he trusts Google because it sends you a notification telling you whether there is any unusual activity with the account. However, the most frequently cited criterion for trustworthiness is how widely used a service is: “If many people use it, then I trust it,” says
24
P.S.. Several interviewees also mentioned as a criteria of both transparency and trust that a service has a clear disclaimer about data use. Trust is also strongly connected with having direct contact with a human, rather than solely with automated processes. Many Indonesians refuse to engage in (purely) online shopping for fear that it is a scam, but will instead browse goods online and then establish contact with a salesperson by telephone or instant messaging to carry out the transaction. Similarly, people place great importance on personal recommendations and advice from friends and colleagues when deciding which software and services to use. When it comes to the government, things are different. Government accountability and transparency is the single most dominant topic of civil society. H.T. says: “The topic which almost everybody engages with is the fight against corruption”. NGOs seem not to be very widely trusted – to the extent that conventional NGOs exist (see below). CIVIL SOCIETY ORGANIZATIONS In terms of a data privacy policy, the few large international NGOs – WWF, Greenpeace and the like – bring one with them, drawn up in the headquarters overseas. Smaller groups do not have them. In many cases, developing an official data privacy policy had clearly not registered as a concern – indeed the very concept seemed to be an unfamiliar one. When asked why, interviewees either said they had too little time for such things, or simply stated it was not an active concern, V.M. says: “We don’t think about that [...] the concern is rather producing the data.” The networked campaigning organizations with, as discussed, a greater awareness of potential dangers of data gave different answers. Their work is, they said, outward-facing: their aim is to connect and
Part II: Country Profiles
mobilize. Their activities, combined with their structures of decentralized networks often operating through social media, means that at no stage do they end up accumulating data which might be sensitive – so the question of safe internal processes doesn’t arise in the same way. One notable example we spoke to was a group campaigning for minority rights, who collected sensitive data, for instance about the identities of activists, and went to some lengths to protect it. This is consistent with a very pragmatic interpretation of people’s attitudes: they are not engaged because they cannot see the relevance for them in issues of data privacy; in the cases that the relevance becomes more acute, people’s reaction is to inform themselves and modify their behavior. WHAT’S CHANGED? A search through online archives of national English-language newspapers turns up no shortage of articles reporting on the NSA/Snowden story. However, although most people are vaguely aware of the story, the majority seems indifferent. D.S. says: “I didn’t really read about it, but I heard people talking about Microsoft working with the CIA and things like that…but it doesn’t impact us now.” B.R. said that in recent months Indonesians have been more aware and concerned about issues of privacy, but cited more apprehension of aggressive advertising rather than data’s influence on news
“I didn’t really read about it, but I heard people talking about Microsoft working with the CIA and things like that… but it doesn’t impact us now.” – D.S.
stories or public discourse. One such interviewee said this had caused him to “significantly reduce” the amount that he used Facebook. SUMMARY There is a divide, unique to Indonesia, within our working definition of civil society. On the one side there are NGOs and “conventional” civil society organizations, and these are much less established than elsewhere. On the other side is this phenomenon of networked, decentralized groups campaigning and mobilizing around particular issues. The latter group is often considerably better informed and more engaged with data privacy and transparency, but universally report that these remain niche topics, in which the vast majority of the population has little or no interest. They share this with the former group of conventional CSOs. These seem to know little and care little about questions of data privacy, showing concern only when perceived threats are immediate and direct, such as a personal criticism from journalists. Transparency tends to be understood in terms of political accountability, and in this sense it is something most people care passionately about. By contrast, transparency seems not to be talked about in terms of the internet or digital data. When using the internet, people have no problem with handing over data to service providers (to the extent that they really considered that this was taking place): indeed in the case of Google in particular, users welcomed the fact that the company was trying to optimize their services and offer them free of charge. Bigname brands such as Google, Facebook and Twitter enjoy a very positive reputation, both in general and on questions of data specifically, where majority opinion seems to be that they take these issues seriously and (presumably) act appropriately.
25
Part III: Comparative Analysis
How do people think about privacy? HOW DO THEY DEFINE PRIVACY? Our interviews began by posing a simple question: “How do you understand privacy in an online context?” It was clear that the majority of people did not have a concise understanding to hand – it wasn’t a question they had really asked themselves. Answers were given broadly along similar lines, with little variation between countries. Almost everybody answered that it was a question of who had access to their personal information (a few immediately began to speak in terms of “data”) or could see their online activity. The most commonly given criterion for achieving or securing privacy was restricting (forcibly if necessary) who had such access, but several people formulated it more mildly, instead talking about the user being made aware at all times who had access to what. Taken as a whole, our interviews support the conclusion that a basic understanding of privacy is shared across different groups and nationalities. As noted above, this individualized conception of privacy has taken hold much more recently in China and Indonesia than, say, Germany; and the fact that a fundamental understanding exists in the different cultures of course doesn’t mean everyone attaches the same importance to the concept. HOW MUCH DO THEY CARE? Asked how important they felt privacy online to be, not a single survey responded with “Not at all important”. Two thirds said it was very important, and one third somewhat important. Whilst this clear result is worth noting, we gained a more nuanced understanding
26
from our interviews. In China and Indonesia, for example, our research suggests that with the exception of a small engaged minority, the social sector and the population at large is not actively concerned with protecting their privacy online. Germany, and to a lesser extent India, represent the opposite: the desire to protect personal privacy and awareness of possible threats to it are fairly high among those we spoke to. Finally, Brazil seems to fall somewhere between these two camps, with privacy campaigning still considered a minority or “elite” concern. This came as a surprise, given that on an international political level, Brazil is a leading light for tighter internet governance. 30 WHAT DO THEY WANT TO BE PROTECTED FROM? In our questions we asked about protecting data and privacy, purposely leaving open the question of protection from whom. Resisting data mining by big companies and large-scale government surveillance seems to be a broadly held concern in Germany, with nearly all answers couched in such terms. In India concern is also broad but perhaps slightly less keenly felt. However, in Indonesia and Brazil, such concern seems to be limited to niche interest groups. Targeted advertising was the most commonly named factor making people aware that their data was being used (and most seemed to find it objectionable with some perceiving it as “aggressive”). A non-negligible minority, though, were unconcerned and thought it good that Google et al improve their services through data analysis.
Part III: Comparative Analysis
But perceived threats do not stop at data miners and state spies. Often people responded in terms of protection from various malicious hackers and fraudsters. This was the main thrust in China, where surveillance is accepted as a given, but these themes cropped up in India and Indonesia too. Indeed, interviewees fairly regularly started talking about anti-virus software and malware, suggesting that all issues which might fall under the umbrella “cybersecurity” – data privacy alongside hacking and viruses – are closely connected or even conflated in people’s minds. WHICH DATA DO THEY WANT TO PROTECT AND WHY? In addition to general concerns outlined above, in some circumstances, people feel vulnerable to particular threats and certain kinds of data become extremely sensitive. A striking example is the Chinese officials at risk of “human flesh searches” (see p. 14), who closely guard information about their wealth or indicators of it, such as where their children go to school, the cars and watches they own, and so on. Some people we spoke to felt a duty to
protect sensitive data collected by their organization in the context of their work. In some cases the sensitivity is obvious, such as the Indonesian group campaigning for minority rights. Other instances came as surprises, such as the fact that in India the religious affiliation of the beneficiaries of a program can become highly politically charged and can be used to criticize or discredit the organization’s work. Where the objection was not so directly pragmatic and more principled – that is, based on a general sense that one’s personal data should not be monitored and stored – the conclusion was unsurprising: the more personal and more detailed the information, the more people cared about protecting it. For example, protection of banking data was mentioned repeatedly in all countries, not only for the obvious reason of preventing fraud but also because how a person spends their money is felt to be highly personal information. Survey respondents were asked how much they cared about different kinds of information being visible only to them. Their responses are shown in chart 1.
Chart 1: How important is it that this data is available only to you? 100 80 Not at all
60
Somewhat Very
40 20 % Browsing history
Your location
Searches you perform
Content of your e-mail
Content of your chat See note on charts below
27
Part III: Comparative Analysis
Privacy in email content is most cherished with 94 percent calling it very important, followed by chat content, ranked very important by 82 percent. Respondents were less concerned about the other three categories, with just under half marking them very important. There was minimal variation between countries in the responses, with the country averages very close together. The small number of relatively blasé individuals – that is, people who said they were less concerned – were scattered evenly between countries. The converse – that is, individuals who answered “very important” to every question, about one fifth of all respondents
– were also present in all countries, but most concentrated in China. (This came as a surprise, given that we concluded from our interviews people in China accept surveillance as inevitable – see p. 16.) When asked a corresponding question about data from mobile phones, the answers followed the same pattern: the content of the calls was the most important, data such as location less so (although by no means unimportant).
ARE THEIR OPINIONS CHANGING? By a margin of two to one, people said that there had been a change in their attitude over the past two years.
Chart 2: Has there been a change in your attitude in the past two years? 100
80
60
No Change Change
40
20 %
Brazil
China
Germany
India
Indonesia
Total See note on charts below
28
Part III: Comparative Analysis
People who gave an affirmative answer were asked what had caused this change – see chart 3. Personal experience was the most commonly cited reason for this (and from our interviews we interpret this to be primarily awareness of targeted advertising). In close second place were media reports.
Interestingly, Germans were much more swayed than all other nationalities by media reports – these were cited as a reason by every German respondent.
Chart 3: What caused the change in attitude?
Personal experience Media reports Friends and Family Company
See note on charts below
29
Part III: Comparative Analysis
How do people think about transparency?
U
nlike “privacy”, asking people about “transparency” highlighted differences even on the level of initial and fundamental understanding. In China for example, interviewees tended to start talking about financial transparency: it seems that the concept of data transparency is simply absent from the popular discourse in that country. Brazil and Germany shared a broad understanding of what it meant to be transparent: disclosing to the user of a service which information about them will be used for what. Interviewees in those countries generally felt the topic to be important. In both countries an additional caveat was raised several times: it is not enough, many people insisted, to merely disclose a policy in an incomprehensible or inaccessible way, e.g. tucked away in a long “Conditions of Use” agreement; genuine transparency also entails presenting this information in an legible way and making it accessible to users. German interviewees felt most
30
strongly that many service providers today offered inadequate transparency, which for them was an important factor in mistrusting these providers. In India the emphasis was slightly different. Several interviewees expressed puzzlement about the motives of those collecting and using their data. For these people, transparency involves disclosing not just the “who” and “which” questions of data collection and use, but also the “how” and “why”. In Indonesia, attitudes among those interviewed are rather bipolar. In terms of government accountability and exposing corruption, transparency is a massive issue which everyone seems to feel passionate about. However, this zealous demand for transparency seems not to extend to online service providers. Instead, most people seem content to accept or assume that companies such as Google take these issues seriously and do the right thing.
Part III: Comparative Analysis
How do people behave online?
F
rom our interviews we drew a detailed impression of how much the people we spoke to cared about privacy and transparency, and what issues were of particular concern. But actions are supposed to speak louder than words. So were people’s concerns reflected in their online behavior?
WHAT MEASURES DO THEY TAKE? Our interviews produced plenty of anecdotal evidence about measures people take to protect their privacy. The survey also asked about specific measures.
crypt their communication, 31 compared to around a quarter in other countries. However, there is more appetite: many people selected the option “no, but I would if encryption services were easily available”. Overall two-thirds of respondents either do encrypt or would like to. This is highest in Germany and Indonesia, at over 80 percent; Indians were more indifferent with more than half uninterested. With anonymous browsing a similar picture: 69 percent of Indonesian respondents said they had used a proxy server
Chart 4: Measures individuals take to protect their privacy online. 100 80 60
Delete Cookies
40
Encrypt emails, or would if easy Browse anonymously
20 % Brazil
China
Germany
India
Indonesia See note on charts below
Starting with the most basic measures, more than 85 percent of respondents across all countries delete cookies from their browser. Use of the “private mode” in the browser is also fairly widespread in all countries; nearly half of respondents claim to do this. On email encryption, a more varied picture emerges. Indonesian respondents were way ahead with half saying they en-
or Tor, compared with only 16 percent of Indians; the other countries polled around 30 percent. It’s worth reiterating a recurring lesson from our interviews, namely that some behavioral change – quite possibly most of it – is of a more subtle kind and not picked up by this sort of question. Many interviewees described how they had started using a ser-
31
Part III: Comparative Analysis
vice like Facebook more discreetly, by being more sparing with the data they uploaded, or refusing to use Google or Facebook to log in to other sites. A handful of respondents even said that for truly sensitive information they would now prefer communicating face-to-face or over the phone.
IS YOUR NAME REALLY WASHINGTONIRVING2000? Using a fake name when posting comments online may not be a very sophisticated strategy, but is effective at protecting some (not all) kinds of privacy, and, moreover, demonstrates a personal attitude towards whether an individual wants to be anonymous when they are online. The majority of survey respondents do not use a pseudonym, and most post under their own name (and of those who do use a pseudonym, many do not always do so). However, our survey showed a wide variance between the countries, which does not correspond with our other conclusions about general attitudes in those countries. This suggests that pseudonym use may not in fact be
a strong indicator of engagement, and more dependent on extraneous cultural factors.
DOES CONCERN ACTUALLY TRANSLATE INTO ACTION? During our interviews we sometimes had the feeling that, to varying degrees, people’s professed concerns often did not translate into changes in their behavior. Our survey data gives us a chance to test whether this was actually the case. By combining answers to several questions about attitude, we gave each respondent what we will call an “Engagement Score”, reflecting how much they claim to care about personal privacy. Similarly, we awarded an “Action Score” based on a points system noting which active measures respondents took to protect their privacy: anonymous browsing, email encryption, deleting cookies, etc. Such ratings are unavoidably imprecise, but serve our purposes by letting us compare different respondents. (See appendix 2 for detailed methodology.) Chart 6 shows all respondents plotted by Engagement Score and Action Score.
Chart 5: Do you post comments online under your own name or a fake name?
Real name only Pseudonym only Neither Both
See note on charts below
32
Part III: Comparative Analysis
Chart 6: Plotting “Engagement” (0= totally indifferent, 25+ = care very deeply) against “Action” (0 = do nothing, 6 = take a wide range of measures) 6 5
Action Score
4 3 2 1 0 0
5
10
15
20
25
30
Engagement Score See note on charts below
There is essentially no correlation. Even when countries are taken individually or plotted against each other, no coherent picture emerges. Professed opinion seems to have little or no observable effect on behavior – at least within our sample.
In our interviews we found a number of possible reasons for this pessimistic conclusion: pragmatic convenience outweighing abstract worries, lack of knowledge about what countermeasures are available, or else merely resignation.
OPEN SOURCE The open source movement has strong links with campaigners for online privacy and transparency. The extent to which people know about, and support, the open source movement, is thus one indicator of their engagement with these issues. Our findings were mixed. Certainly both awareness and use is fairly widespread – but this use tends to be more pragmatically than ideologically motivated. When we asked our interviewees about open source, the terms which came up time and again in their answers were piracy (apparently widespread in all countries researched except for Germany) and cost. The biggest attraction of open source software certainly seems to be that it is free to use. For a small minority this dimension comprises their entire understanding of what open source means; however most are aware as well of the openly accessible code dimension. The conclusion which emerged clearly from all four of these countries was, in the words of Chinese interviewee C.M.: “Most people only use open source when they don’t want to spend money and don’t want to use pirated versions.” A smaller number also said they thought, in the words of G.G. in India, “that these are the good guys.” So much for motives, what about usage? Just under half of our survey respondents said that they used some sort of open source software: 41 who did versus 45 who did not. Usage was somewhat higher in Indonesia and lower in China. When invited to name which software they used, OpenOffice and Libre Office were mentioned repeatedly (supporting the idea that not having to buy licences is a strong motivating factor), as were Firefox and WordPress.
33
Part III: Comparative Analysis
Who do people trust?
T
he question of trust came up in our findings in different respects: firstly the more simple question of which online tools people trust or distrust and on what grounds, and secondly who is trusted, in their conduct or as sources of information. This latter question is important for putting the former into a societal context, and is a question not just for, but also about, social sector organizations.
WHICH SERVICES DO THEY TRUST? We asked our survey respondents to rank different programs on a scale from 1 to 8 based on their privacy protection (excluding China – see below). On Chart 7 the light green represents a rating of 1 or 2, i.e. the highest protection; the dark green represents the lowest ratings of 7 or 8. The first thing to note is that there are not extreme differences, with some programs unanimously seen as far better than others.
Chart 7: Ranking various programs for the privacy protection they offer. 100
80
60
40
20 % Twitter
High protection
Medium protection
Google +
Skype
Low protection See note on charts below
34
Part III: Comparative Analysis
Indeed, when average scores were calculated, there was a gap of just 1.3 between highest and lowest. Facebook and Google+ scoring lowest. WhatsApp polarized opinion with lots of very positive and very negative ratings. Twitter did considerably better than the other social media giants. And way out ahead was Skype, the only one to have more positive than negative feedback. When subjected to the same ranking, various web browsers fared much better than these programs. Not a single respondent gave a score of 7 or 8 (very low protection) to any browser. Firefox scored the best for protection, followed by Google Chrome, with Internet Explorer faring worst. Chinese respondents were asked corresponding questions reflecting the most commonly used programs and browsers, mostly native Chinese ones. Nevertheless, the same answers emerged: Skype scored more highly than all other messaging platforms, followed by 人人. Firefox was the best-rated browser and Internet Explorer the worst, with all Chinese browsers ranking somewhere between the two. ON WHAT GROUNDS? In all countries, recommendations and advice from family and friends seem to be not only the most trusted (hardly surprising), but also the most common source of information about which software to use. This finding was confirmed both by the interviews and the survey. In China and Indonesia we found a strong strain of “following the crowd”, whereby a service is assumed to be trustworthy if and because it is widely used. It’s important to note that in those countries, arguably people’s primary worry is fake sites and scams, and against this threat, corroboration by following the crowd may well be an effective strategy.
HOW TRUSTED ARE NGOS, THE GOVERNMENT AND OTHERS? This question is very important for anybody with an interest in campaigning or alliance-building on these issues. NGOs in Brazil and in China are viewed with deep-rooted suspicion due to past corruption scandals, inefficiency, and malpractice – real or perceived – which persists today. In the relatively new democracy of Indonesia, citizens keep a very close eye on government activities and guard fastidiously against corruption – this suggests a low level of latent trust in government. It is clear that in Germany, the NSA inflicted serious damage on citizens’ trust in government activity, particularly on the issue of online surveillance. There is reason to believe many people are skeptical of the government in Brazil and India too, but our research neither confirmed nor refuted this. In the case of China, the relationship between citizens and state is deeply complex and far beyond the current scope of this report; it’s interesting for present purposes just to point out the growing phenomenon of holding public officials to account through “human flesh searches” (see p. 11). As for the big technology companies themselves – Google, Facebook and others – they seem to enjoy a high level of trust in Brazil and Indonesia, with the exception of a small activist minority. In China the situation is reversed, with a small minority belonging to the Google fan club, applauding the company’s resistance to filtering search results. In Germany and India people seem on the whole to be more skeptical of such corporations.
35
Part III: Comparative Analysis
SO WHO DO PEOPLE THINK SHOULD ACT? In all countries we found people vocal in the opinion that current levels of transpareny and privacy available to internet users are inadequate (the proportions of course varied by country from large majority to slim minority). But what do the critics think should be done? And by whom? Few of these concerned people seemed to believe companies would cease what they felt were objectionable practices of their own accord – driven, as it were, by a principled stance or perhaps market pressure. Certainly, some were in favor of stricter internet governance, either by the state or, as suggested by some Indian and German interviewees, an independent regulatory body.
An opinion widely shared amongst people with an interest in these topics was that the individual carries a lot of the responsibility for protecting him- or herself, rather than expecting the government or others to find solutions. We were surprised at the level of self-criticism amongst the people we spoke to; very many said they knew it was important and felt that they should do more – and that they felt guilty about compromising principles for convenience.
NOTE ON CHARTS These charts have been produced using data from an online survey with 94 responses. This allows us an insight into broad trends, but the sample size is too small to give a statistically sound representation of precise ratios and relations. Anybody reproducing this data elsewhere should take care to make this clear.
36
Conclusion
W
hen it comes to privacy and accountability,” writes scientist and author David Brin, “people always demand the former for themselves and the latter for everyone else.” There’s undoubtedly some truth in this rather glib assessment, but in this report we hope to have contributed to a subtler understanding. Yes, people might “always” desire privacy, but probe a little further and you found out that for Indian NGOs the most sensitive information is the religious affiliation of those they help, and the Chinese public official is passionate that the model of car he drives does not become public knowledge. And how people understand and value accountability is more splintered still: many Indonesians for instance will hold their government to the most stringent standards, whilst unquestioningly handing over a wealth of data to software manufacturers.
Appreciating distinctions like this is crucial for anybody who believes the increasing digitization of our everyday lives, and the operations of the social sector, raise questions about data privacy and transparency that we should be seriously discussing. It bears emphasizing that we are clear-sighted about the scope of our research so far. This report draws its conclusions from 58 qualitative interviews and 94 online survey responses (a per country average of 11.6 and 18.8 respectively). This gives a solid basis for an insight into our target group(s), but we do not overstate our claim to definitive objective answers – if such a thing were possible. We hope that this report will be just the first stage of more extensive research into what the new abundance of digital data means for civil society organizations worldwide.
37
Appendix SELECTING INTERVIEW PARTNERS We wanted as far as possible to talk to a broad cross-section of civil society. To do this, we developed five categories, each with defining criteria, of different kinds of actor within the sector: social entrepreneur, activist, expert perspective (this included, for example, academics whose research focused on the sector), and also employees of NGOs and multipliers (including, for example, networking organisations in the sector and grant-awarding foundations). Armed with these categories as a guide, who we interviewed was dictated in part who our research for Lab Around the World brought us into contact with – a combination of the make-up of the sectors in each country, and an unavoidable degree of happenstance. Below the breakdown of interviewees: Brazil China Germany India Indonesia NGO
3
2
2
2
2
Social Entrepreneur
2
2
2
4
2
Activist
2
3
2
1
5
Expert Perspective
1
5
1
1
2
Multiplier
2
3
3
3
1
10
15
10
11
12
Total
The majority of the interviews took place during “Lab Around the World” (see p5) in the countries in January-March 2014, however in the time available we weren’t able to complete our desired quota of 10-15 per country and so conducted further interviews by Skype in March-April 2014.
38
ONLINE SURVEY We produced an online survey in English, Brazilian Portuguese and Mandarin, and spread it through our networks and connections in the various countries, promoted it in blog posts, and through some cold acquisition. We collected a total of 94 responses, with at least 15 from each country. “ENGAGEMENT” AND “ACTION” SCORES (PP. 32–33) Survey respondents were asked: (1) How important they considered privacy protection (2) How much they worry about their personal information being accessible online (3) For different kinds of information, how much they cared about it being kept private All question were answered on a 3-point scale (very/somewhat/not at all). These ratings were translated into numerical values, with 3 denoting most concern. For the third point – that is, (3) – an average was taken of the answers; so each respondent had three numbers between 1 and 3, and the “Engagement Score” was calculated by multiplying these together, for no reason other than to achieve a visible and manageable spread of data points – hence scores range from 1 to 27. The “Action Score” was a simple points system based on the responses to a number of questions: email encryption, pseudonym use, open source use, deleting cookies, anonymous browsing, with uses of such strategies tallied up to give a score between 1 and 6.
Notes In the case of URLs: accessed between May and July 2014. 1
http://www.itu.int/en/ITU-D/Statistics/Pages/stat/default.aspx
2
https://www.cia.gov/library/publications/the-world-factbook/geos/br.html
3
https://www.quintly.com/blog/2013/02/facebook-country-stats-february-2013-top-10-countries-lose-users/
4
http://pt.wikipedia.org/wiki/Gambiarra
5
http://www.democracynow.org/blog/2013/9/24/video_at_un_brazilian_president_dilma
6
http://www.un.org/en/ga/search/view_doc.asp?symbol=A/RES/68/167
7
https://www.privacyinternational.org/blog/netmundial-a-long-way-to-go-to-combat-mass-surveillance
8
http://socs.civicus.org/?p=3748
9
http://link.springer.com/chapter/10.1007%2F978-3-642-29958-2_26
http://www.indexoncensorship.org/2014/04/netmundial-disappointed-expectations-delayed-decisions
10
http://g1.globo.com/fantastico/noticia/2014/06/se-o-brasil-me-oferecer-asilo-aceito-diz-edward-snowden.html
11
Rate of internet use (source: http://www.itu.int/en/ITU-D/Statistics/Pages/stat/default.aspx?) by estimated population (source: https://www.cia.gov/library/publications/the-world-factbook/geos/ch.html)
12
Yuan et al. 2013
13
https://www.privacyinternational.org/reports/china/i-legal-framework
14
The Chinese Red Cross in particular has been dogged by a series of scandals of cronyism, embezzlement and inefficiency, (source: http://blogs.wsj.com/chinarealtime/2013/04/30/chinas-red-cross-tries-to-rebuild-after-self-inflicted-disaster/)
15
http://www.bbc.com/news/world-us-canada-27475324
16
http://www.itu.int/en/ITU-D/Statistics/Pages/stat/default.aspx?
17
This is a speculative thesis, and one which some of my colleagues disagree on. I stand by the thesis, despite the fact that they are German and I am from England (but have lived in Germany for some time and studied German culture at university level). By its nature, it’s difficult to corroborate, let alone prove. What is beyond doubt is that the Stasi has given Germans a common reference point, and this is cited frequently in current discussions about the NSA, even if it is not made into a central point. To give two examples: http://www.faz.net/aktuell/feuilleton/debatten/mathias-doepfner-s-open-letter-to-eric-schmidt-12900860.html?printPagedArticle=true#pageIndex_2 || http://www.theguardian.com/world/2013/dec/17/merkel-compares-nsa-stasi-obama
18
http://www.bbc.com/news/world-europe-27695634
19
http://www.spiegel.de/kultur/gesellschaft/journalistenpreis-fuer-spiegel-redakteure-stark-und-rosenbach-a-940297.html
20
http://www.guernicamag.com/daily/ben-mason-pirates-of-the-parliament/
21
http://www.zeit.de/digital/datenschutz/2014-01/datenschutzreform-nicht-mehr-vor-europawahl
22
http://www.handelsblatt.com/unternehmen/it-medien/nach-eugh-urteil-google-wird-mit-loeschantraegen-ueberhaeuft-/9896598.html
23
http://www.spiegel.de/international/germany/the-german-bnd-and-american-nsa-cooperate-more-closely-than-thought-a-975445.html
24
http://www.itu.int/en/ITU-D/Statistics/Pages/stat/default.aspx?
25
https://www.privacyinternational.org/reports/india/iv-privacy-issues.
26
http://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system
27
http://www.emc.com/campaign/privacy-index/global.htm
28
http://data.worldbank.org/indicator/NY.GDP.MKTP.KD.ZG
29
For more detailed analysis see Nugroho, Y. “Citizens in @ction: Mapping contemporary civic activism and the use of new social media in Indonesia” (2011)
30
The survey data did not correspond to this relative appraisal, in terms of ratio of responses given “very important” vs, “somewhat important”. We’re inclined to give precedence to our interview findings, which are of richer quality.
31
Recall that we have reason to suspect selection bias here, and that these respondents are disproportionately likely to take such measures relative to their countrymen.
39