Today is Data Privacy Day! This raises the question: why does privacy have its own holiday? This blog will explore key historical milestones that helped shape privacy’s primacy in our everyday lives.
We have always liked to talk about privacy
The concept of privacy has been central to the human experience for as long, at least, as storytelling. Take the Bible’s book of Genesis, where Adam and Eve develop a conscious desire to conceal their nakedness after consuming the forbidden fruit.
Or, consider Harpocrates, the Greek god of silence, secrets, and confidentiality. His symbol of the rose outlasted both the Greek and Roman empires that worshiped him. Painted on the ceilings of Roman banquet halls, the flower suggested that anything discussed under the influence of wine should be kept secret. It was also customary to hang a rose on the door of councils during the Middle Ages as a token of secrecy. Even today, we still use the expression ‘sub rosa’ to mean confidentiality.
Indeed, the Greek philosopher Aristotle first defined the difference between the public space (Polis) and the private (Oikos), setting the tone for our modern understanding and discussion of personal privacy. Eventually, many other great thinkers throughout history, such as Hannah Arendt, singled out privacy as a right, arguing that it is a fundamental source of security and space that enables us to develop and grow our true sense of self.
George Orwell famously explored this concept to its extreme in “1984”, a meditation on constant government surveillance and its impact on individualism. Interestingly, despite a long-standing, emphatic attachment to privacy, we still encounter trouble locking down a satisfactory definition for it.
So, what is privacy?
Privacy is curiously difficult to define. According to the Oxford English Dictionary, “privacy” is “the state or condition of being free from being observed or disturbed by other people” or “the state of being free from public attention.” This definition is heavily inspired by Aristotle’s own binary definition. However, the term has been loaded with many more connotations as we have developed new means and contexts for privacy violations.
For example, what we consider necessary privacy has changed dramatically over time. Going back to ancient Rome, we would find public latrines that served as lively meeting spots shared by men and women. In the Middle Ages, royal wedding nights were considered matters of the utmost public interest that required public witnesses, as were births.
Subject to cultural change, these instances of what we would consider highly private acts stress the physical context of privacy. Nonetheless, our need for personal space can also extend well beyond our own bodies. Hiding spots and locks have existed for nearly as long as we have had the tools to make them. In sum, we have always felt a need to keep certain things to ourselves, even if the nature of those things changes or evolves.
Moreover, technology has created new means of capturing, communicating, distributing, and infiltrating information, generating new questions about the meaning of privacy and driving its evolution. Information, in particular, is a favorite area of privacy discourse. From sharing oral secrets to the development of espionage as a formal domain of expertise, details about ourselves can feel just as private as any physical part of ourselves.
This can include anything from our name to personal interests, aspirations, and future plans. Secret family recipes have remained private for centuries. Journals and letters have almost always been locked away in the name of privacy, too. However, the full extent and scale to which such information can be accessed and shared have shifted dramatically over the last few decades, necessitating an expansion of privacy discourse.
Privacy in modern times
By the 20th century, the height of newspaper publication coincided with the emergence of the first mass-market compact camera, accelerating our societal understanding and approach to privacy. With over 150,000 cameras sold in the first year, the Kodak Brownie democratized photography and led to important questions of when it was appropriate to photograph other people and what type of images should be barred from distribution. These questions weighed heavily enough on Samuel D. Warren and Louis D. Brandeis that they penned one of the most influential essays in American legal history.
Published in the Harvard Law Review in 1890, “The Right to Privacy” paved the way for “being let alone” to become the legal right as we know it in Western society. As a Supreme Court justice, Brandeis dedicated himself to enshrining privacy as a right. Over time, several high-profile cases dictated the right to privacy within the context of civil matters, business, state intelligence, and more.
As cybersecurity experts, we most readily connect to the 21st-century take on privacy, as keeping information technology safe is the core objective of our work. If our ancestors thought newspapers and a portable camera were privacy threats, few (aside from perhaps Orwell) could have properly foreseen what the digital revolution would bring. In fact, quite a number of contemporary thinkers argue that today’s technology has or will inevitably lead to privacy’s demise.
Today, we can create, store and disseminate assets at an unprecedented scale and pace. This has exponentially increased their exposure to threats. From email histories to personal photos stored on SaaS servers or our own personal cloud, there are more routes of access to our secrets than ever for bad actors to explore. Legally, governments and businesses are entitled to free access to many of those routes. In truth, it only takes a small degree of technological literacy for the properly motivated to access our data.
Public policy has attempted to keep up with privacy’s technological evolution. For example, we have expanded our privacy vocabulary to include terms like PII (Personally Identifiable Information). The term was coined in a 2007 memorandum from the Executive Office of the U.S. President and is defined as follows:
“The term ‘personally identifiable information’ refers to information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.”
In 2009, the International Assembly of Privacy Commissioners developed “The Privacy by Design Framework” under the leadership of Ann Cavoukian. It:
“provides readers with additional information, clarification, and guidance on applying the seven foundational principles of privacy by design. This guidance is intended to serve as a reference framework and may be used for developing more detailed criteria for application and audit/verification purposes.”
In 2013, the case of Edward Snowden necessarily led us to explore the matter of privacy against national security interests. The former NSA employee and subcontractor had leaked highly classified information revealing numerous global surveillance programs. And in 2018, the case of social media giant Facebook and political consulting firm Cambridge Analytica turned the spotlight on the vacuum of regulation around consumer data protection. That same year, the General Data Protection Regulation (GDPR) became enforceable and set the gold standard for future privacy regulations.
The privacy revolution
GDPR’s enactment was a watershed moment for privacy and once again calibrated privacy’s position as a human right in a rapidly digitizing world. To date, 128 countries have enacted legislation to secure the protection of data and privacy. In the U.S., three states have legislated comprehensive consumer privacy laws: California (CCPA and its amendment, CPRA), Virginia (VCDPA), and Colorado (ColoPA). Four other states, Massachusetts, New York, North Carolina, and Pennsylvania, have serious, comprehensive consumer data privacy proposals in committee right now.
65% of the world’s population can expect personal data protection under modern privacy regulations by 2023, according to Gartner. Even the People’s Republic of China, a famous surveillance state, passed data protection laws of its own: The Data Security Law (DSL) and the Personal Information Protection Law (PIPL).
It’s worth noting that these regulations have serious teeth. GDPR has led to fines upwards of tens of millions of euros. Indeed, fines over €1.3bn, or almost $1.5bn, have been issued to major tech powerhouses, including Amazon’s $877M fine for how it collects and shares personal data via cookies and WhatsApp’s $225M fine after failing to properly explain its data processing practices in its privacy notice in 2021. By comparison, Google’s $56.5M fine in 2019 and H&M’s $41M fine in 2020 seem like peanuts.
Privacy down the line
Though often taken for granted, we immediately feel a major sense of loss when our privacy is violated. Research tells us that information hacking victims can suffer similar trauma responses to physically violent attacks. Many of us, however, have been desensitized to its passive violation daily by organizations and governments and are willing to offer it in exchange for digital products and services.
Nonetheless, the Snowden and Cambridge Analytica cases have put pressure on public policymakers to address privacy’s place in a world where our information has become fundamentally vulnerable (by this, we mean that no information technology is safe from breach). Meanwhile, as companies work hard to prove themselves trustworthy in holding and sharing our data, bad actors are also increasing our anxieties around their capacity to keep that information safe. Not a day goes by without a major breach exposing consumer data.
Unprecedented innovation and new technologies will likely reshape the future of privacy again. The prominence of AI and the growing emergence of blockchain applications and cryptocurrency are already the next triggers of unprecedented change. New concepts, such as Web 3.0 and the Metaverse, will also challenge our current understanding of privacy.
We can learn from history to avoid being caught off-guard again. Knowing what we know now, we are responsible for building resilience into our processes and tools in the face of a potential coming storm. The next chapter of privacy history is already being written, and today’s privacy and security teams are a critical part of that story.
This is something we’re exceptionally passionate about. It’s why we developed Piiano and intend to shape this next chapter today. We are changing how organizations store and manage data both culturally and technologically. We are achieving this from the ground up by building infrastructure for developers that transforms privacy and security workflows. Our dedicated sensitive information vault enables developers to easily build privacy and security within their own cloud environments, encouraging a privacy-forward approach to compliance. Meanwhile, our Code Scanner helps privacy leaders get their affairs in order by detecting PII across their code and where it flows.
We sincerely believe that the next transformation must start with culture and privacy infrastructure, starting with how products and services are developed. Piiano enables this shift left, ensuring that organizations and individuals gain and stay in control of sensitive personal data. We’ll also keep our eyes on the horizon to ensure we can start solving future threats to privacy before they manifest.