Privacy, Transparency and Trust in a digtial World

Privacy, Transparency and Trustin a Digital World

A report into attitudes in the civil societies of five countries

Enabled by:

betterplace labgut.org gAGSchlesische Str. 2610997 BerlinGermany

www.betterplace-lab.org

This report is published under a Creative Commons Attribution-ShareAlike 4.0 International License.

creativecommons.org/licenses/by-sa/4.0/

There is much to gain and benefit from this massive analysis of personal information or 'big data'. But there are also complex trade-offs.

– Alessandro Acquisti TED Global Edinburgh, June 2013

4

Ben Mason studied Philosophy and German at Oxford and joined the betterplace lab in 2013. He managed the project, analysed the interviews and survey, and authored the final report text. Contact: [email protected]

Our sincere thanks go to our partners at Mozilla, whose support made this research possible. The betterplace lab then conducted the research and compiled the following report with complete editorial independence.

ResearchersBen was ably assisted by Jella Fink, who worked as a Researcher in the lab after finishing her Masters in Anthropology and before setting off to Myanmar to begin researching her PhD. She conducted a number of the interviews by Skype and in person, transcribed many more, and contributed much of the background research.

Brazil Anja Adler is an Associate Researcher for the betterplace lab and is currently completing her PhD in Political Science.

China Joana Breidenbach is an anthropologist and author of numerous books and articles. She co-founded the betterplace lab in 2011.

Pál Nyíri is a Professor of Global History from an Anthropological Perspective at Vrije University in Amsterdam and has co-authored several publications with Joana. Helpfully, he also happens to be fluent in Mandarin.

Germany Kathleen Ziemann holds a Masters in Cultural Studies, and in 2012 – the same year as joining the betterplace lab – she also trained as a Design Thinker at HPI Potsdam.

India Medje Prahm has an MA in Philosophy and Economics from Bayreuth. As an undergraduate she also studied Indology and speaks good Hindi.

Indonesia Dennis Buchmann has a background initially in biology, then in journalism, followed some years later by a Masters in Public Policy. Dennis co-founded the betterplace lab with Joana.

Author

5

Contents6 Foreword

7 Summary of Key Findings

Part I: Introduction

8 Data deluge

9 The aim of this report

10 A moving target

Part II: Country Profiles 11 Brazil

14 China

17 Germany

20 India

23 Indonesia

Part III: Comparative Analysis

26 How do people think about privacy? How do they define privacy?

How much do they care?

What do they want to be protected from?

Which data do they want to protect and why?

Are their opinions changing?

30 How do people think about transparency?

31 How do people behave online? What measures do they take?

Is your name really washingtonirving2000?

Does concern actually translate into action?

34 Who do people trust? Which services do they trust?

On what grounds?

How trusted are NGOs, the government and others?

So who do people think should act?

37 Conclusion

38 Appendix & Notes

6

Foreword

The Web is here to stay – yet it still divides opinion. There are optimists, like the Mozilla community and like

the betterplace lab team, that believe the Internet can be a powerful force for good in our society – by making information and services available to all, by letting citizens speak, be heard, and hold the powerful to account.

But this is not the full picture. Through-out the Internet’s relatively short history, we have had to contend with a series of men-aces threatening to shackle or undermine this public resource. At one time we were suffocating under an avalanche of spam emails and pop-ups. Today we’re asking how we can protect individuals’ privacy when every click may be monitored by data mining corporations and state surveillance agents.

Seeing the challenges arising from the new abundance of digital data in this his-torical context is enlightening. It shows that keeping the Web in the hands of its users is possible, but it requires ongoing work, determination and vigilance. Mozilla has played its part in this, for instance with the “Do Not Track” and “Lightbeam” projects.

However, issues of data privacy are much less straightforward and riddled with di-lemmas than virus protection, for example. Maintaining my private sphere might have to be balanced against access to good software, or personal or national security.

The social sector, which this report focus-es on, throws up some particularly interest-ing dilemmas to do with data. Increasingly NGOs, foundations and governments are realizing the potential benefit to their work

not just of using a range of digital tools, which might act inappropriately with their data, but also collecting, storing, analyz-ing and disseminating data for themselves. Data-centered approaches let social sector organizations better understand the prob-lems they seek to solve, work more effec-tively, and demonstrate that effectiveness to the outside world. But these opportuni-ties come with risks attached.

What’s needed is global public discussion about when and which kinds of privacy are important for us to protect online, and how we can do this. This is an important issue for everybody and should not be left to a small number of “experts”, so we also need education so that people understand the issues, risks and dilemmas involved.

This report is both a contributions to this nascent discussion, and it shows the current state of knowledge of, and current opinions of, groups which will be absolutely key participants.

Dr. Joana BreidenbachFounder, betterplace lab

7

Summary of Key Findings

• Everybody, when asked, will tell you privacy is important. A significant result, but not a very enlightening one. Only by approaching the issue more obliquely do you reach a differentiated understanding.

• German and Indian philosophers, Chinese and Indonesian pragmatists. Everybody we spoke to in Germany (p.17), and almost everybody in India (p.20), felt what we might call a “philosophical” attachment to privacy, as something inherently worth protecting. To our surprise, this seemed less universally felt in Brazil (p.11). And at the other end of the spectrum, the attitude in China (p.14) and Indonesia (p.23) seems to be more pragmatic: people are concerned about protecting information when the consequences of not doing so are tangible and direct, such as fraud or defamation.

• Some action … and a sense of guilt. Most people take just simple steps to guard their privacy online. It’s rare for people to make a principled shift to software that is more secure but less usable. And we encountered a lot of self-criticism, people felt guilty about not doing more.

• Transparency is more opaque. Or at least, much more so than privacy, the term means different things to different people. In China, data transparency isn’t much bothered about. In Indonesia they demand it from their government more than from their software. In Germany and Brazil they want data policies that are not just public but clear and accessible. In India they also want to know about motives: not just ‘what’ and ‘how’ but also ‘why’.

• Trust is personal. The main criterion everywhere for trust was a personal connection or recommendation. In China and Indonesia this runs deeper, with an underlying mistrust of automated processes generally.

• Blurred concerns. In the minds of many people these issues are strongly associated – perhaps even conflated – with more familiar strands of cybersecurity: protection from viruses, hacking, and fraudsters of various types. In China and India especially, these remain more pressing concerns than data mining.

8

Data has become ubiquitous. As our lives become ever more digitized, more and more of what we do is

leaving a digital trail. Perhaps this was once a coincidental by-product of the way we built our software. But companies, govern-ments, and others soon realized the many uses and the formidable power of “Big Data”. Now, whether we welcome it or not, how we want our data to be treated has become a pressing question of our time.

It is a little over one year, at the time of writ-ing, since the actions of Edward Snowden caused global tumult by making the world aware of mass government surveillance of online activity. In the intervening months is-sues of privacy, transparency and trust in digital communications have gone from to an esoteric concern of specialists to con-tentious topics many people care about. But levels of knowledge and concern are not evenly distributed – they vary between places and different groups.

This report aims to understand and com-pare attitudes towards data privacy and related issues among people working in the social sector in Brazil, China, Germany, In-dia and Indonesia.

BACKGROUNDSince 2009, the betterplace lab has been

investigating the intersection of the digital and the social. The dawning of the “digital age” has caused huge changes for organ-izations in every sector – the social sector included. Many of these are positive, and much of our work is involved with show-ing the potential for digital tools to make the social sector more effective. But this

change also requires new skills and raises unfamiliar problems. We try to understand these too, and help where we can.

LAB AROUND THE WORLD 2014This year we abandoned our desks in

Berlin Kreuzberg and set off on our first major research expedition. “Lab Around the World 2014” saw our team of ten re-searchers setting off to 14 countries across five continents. We wanted to uncover pio-neering new projects using digital technol-ogy to address social problems. And we wanted to talk to the people behind such projects about their experiences, and get a better understanding of which factors are important in provoking and sustaining innovation.

OUTLINE METHODOLOGYOur research brought us into contact with

people from a range of organizations in the social sector, from more “traditional” NGOs in civil society to digitally focused social entrepreneurs, from academics to activist bloggers. In the five countries selected for this report, we conducted qualitative inter-views with a broad range of these to try to understand their attitudes and assumptions around these issues. In addition we pro-duced an online survey in four languages and collected responses from others in the sector to more concrete questions about online behaviour. Our analysis in what fol-lows is drawn from these two data sourc-es, combined with desk research about background context and conditions in each country. (See appendix for more detailed metho dology.)

Data deluge


9

WHY CIVIL SOCIETY?Our target group as described above,

which we will refer to collectively as the “civil society”, is broad. But in their diversity, its constituents share one central characteris-tic: they belong to organizations committed to addressing social problems. One way or another, they aim to help people.

To those who are interested in data policy and internet governance, the opinions of this group matter. They are opinion leaders whom people listen to. What’s more, their values tend to be progressive, and their priorities are primarily social rather than commercial. You might ask who, if not this group, will be concerned and vocal about protecting individuals from those with ma-lign intent – online as offline.

And to those interested in helping the helpers, these are important issues. For organizations that routinely deal with sen-sitive information, questions about how to handle it appropriately will get more urgent, not less. Gauging will only get more urgent levels of understanding and engagement are a precondition for knowing how to edu-cate and support.

PICKING APART SEMANTICSDiscussions about personal data online

are awash with loosely defined terms such as “privacy” and “cybersecurity”, “transpa-rency” and “accountability”. Whilst in the mouths of technology or policy experts the-se words have a clearly defined meaning, to many non-experts they summon only a vague sense or feeling. Or mean different things to different people.

This can quickly lead to people talking past each other, and is a major obstacle for a con-structive public discussion of these issues.

A central aim of this report is to discover what members of particular groups mean and understand by key terms, what defini-tions and connotations come to mind. We focused on three words in particular – pri-vacy, transparency and trust – and sought to find points of consensus or divergence in the way people understand, think and talk about these concepts.

WHO CARES? WHAT ABOUT?Beyond scratching away at what peop-

le know or understand by certain terms, we sought to find out how seriously these groups take such questions. Are they felt to be important? Or an irritating distraction? Or not worth bothering with at all? Which aspects of these issues do people care about?

People say actions speak louder than words. We also tried to discover to what extent professed engagement translated into actual changes in behavior. How might people’s perceptions about these issues in-fluence their future choices?

Finally, we have tried, in both content and presentation, to make this report as acces-sible as possible – including to those with little prior expertise around matters of digi-tal data, or little prior knowledge about the countries studied. This includes presenting our findings within a broader context, by drawing on other sources to give a fuller picture. We hope the result is accessible and engaging to anybody who also feels these are issues worth thinking about.

The aim of this report

To maintain the anonymity of our interviewees, we refer to them only by initials in what follows; the online survey was anonymous.


10

A moving target

interviews when the European Court of Ju-stice upheld an individual’s “right to be for-gotten” (see p. 18); the list could go on. Even in the space of a few months, attitudes and perceptions continue to develop.

That we’re trying to take a reading whilst the ground is moving comes with the ter-ritory. It’s therefore impossible to present the objective and definitive situation in each country (our limited resources and sample size would also make such claims hubri-stic). What we can do is offer an insight, a snapshot of these influential groups’ per-spectives at a certain moment. For this group, these are valuable questions to ans-wer for the reasons outlined above and, to the best of our knowledge, this is the first research trying to do so in a systematic way.

T his subject matter is not standing still. For one thing, digital technology generally, and technologies for har-

vesting and analyzing data specifically, are progressing and changing constantly. Mo-reover, people’s perceptions of and attitudes towards these topics – that is to say, the ob-ject of study here – are arguably changing even more rapidly, as public discourse tries to catch up with the technology.

News stories play a significant role in sha-ping these attitudes (exactly how significant is among the questions we try to answer), and fresh stories continue to emerge. Our interviews in Brazil were already completed, for example, by the time the NETmundial conference took place in São Paulo (see p. 12); as were almost all of our German


11

Brazil

Part II: Country Profiles

At the same time, though, Brazil is be-coming a beacon in data privacy policy, both internationally and domestically. In September 2013, President Dilma Rousseff gave a speech to the UN attacking spying by US agencies 5, and Brazil co-sponsored a UN resolution on the “Right to Privacy in the Internet Age”.6

In April 2014, São Paulo hosted NET-mundia, a “global multi-stakeholder meet-ing” on the future of internet governance. This was the most concerted effort seen so far to push the issue internationally. Ad-mittedly, commentators such as Privacy In-ternational and Index on Censorship were disappointed with the results, which they found to be watered-down and conserv-ative.7 At the opening of the conference, President Dilma signed into law Marco Civil da Internet, the first national “Bill of Rights for the Internet” anywhere in the world.

Our field research took place before the conference, and whilst the details of the Marco Civil were still being debated. In fact, rather than its various measures on data protection, it was the bill’s enshrining of the principle of net neutrality that sparked the most discussion and attention, because this was opposed by telecommunication companies.

These then-current political events were rarely raised in our interviews. In fact, inter-viewees were also in unanimous agreement that they remained “elite topics”, and not generally considered important beyond a clique of political and civil society activists.

BRAZIL IN 2014Brazil is digitizing rapidly. The number of

broadband subscriptions has more than doubled since 2009.1 It is also a startlingly young country: of over 200m inhabitants, more than half are aged 30 or below.2 A combination of these two factors means that a large portion of the population will to some degree have grown up with the inter-net – and specifically with web 2.0 services. They are avid users of social media: only the USA has more Facebook users than Brazil.3 And on the whole, the users view these products with enthusiasm and with-out much (critical) media literacy.

PRIVACYBrazilians have an established and

far-reaching culture of sharing. For instance, in a time when many Brazilians lacked ac-cess to basic services such as electricity and water, improvised (and often illegal) sharing of these between neighbors be-came common. The name for this, “Gam-biarra”, has come to denote such sharing of services at the base of pyramid.4 And there are reasons to suppose this mentality of openness has flowed into people’ s atti-tudes to privacy online.

Interviewees agreed that most don’t have a problem with sharing personal informa-tion such as their location and search data. To put it differently, people when asked would offer a fairly “conventional” definition of privacy – along the lines of an individu-al’s right to determine what information is kept about them and how it is used. But the way Brazilians use the internet does not suggest it is a dominant priority.

12


TRUST AND TRANSPARENCYTransparency was generally understood

to mean that a website or piece of software makes it clear which data is being used and how. Three interviewees went beyond this, stipulating in addition that this information

must be presented in an accessible way. P.M. suggests flowcharts which visualize for the user what is happening to their data. O.F. says: “Normally the important informa-tion is there, but it is hidden behind a whole load of less important information and so it deliberately gets lost. The companies know this and so do we. They should be more open and direct.”

In practice, all interviewees agreed that the public trusted companies much more than they trust NGOs or the government. Facebook and Google are not generally seen as sinister or untrustworthy but rath-er as innovative and inspirational brands. (There are some exceptions: O.F. says: “I don’t trust any company any more, and it will take a lot of time to win that trust back.”) More or less everybody we spoke to uses at least some Google products.

This mistrust on NGOs and the govern-ment is largely down to the fact that for many decades the two have been work-ing far too closely together and there have been numerous scandals of corruption and inefficiency. 8 In response, the government seems to be cleaning up its act with regards to transparency with a couple of pioneering e-government projects. 9

CIVIL SOCIETY ORGANIZATIONSUnfortunately, no such movement to-

wards transparency and encouraging par-ticipation has been evident amongst the bulk of Brazilian NGOs. Most local NGOs are not particularly professionalized. They lack expertise when it comes to privacy protection and related issues. Even bigger and more established organizations who are more conscientious about such mat-ters seem to lack a codified data handling policy. The exceptions seem largely to be the local branches of global organizations;

a large, predominantly internet-focused campaigning organization we spoke to, for instance, has its own national manager of privacy and data protection issues.

There seems to be a growing awareness amongst many in the social sector that the nature of their work in civil society requires an increasing level of transparency in their digital activities. N.V. says: “Professional-ly, everything I do is public. I work with so many stakeholders and they need all the information to do their work.” Similarly, O.F. says: “We need to be open and collabora-tive. Our work is based on building trust.”

Since 2011, all NGOs that receive gov-ernment funding are required to actively provide information about their finances, organizational structure and the like. We weren’t able to establish how well this system is working, and to what extent it is prompting organizations to be more ac-countable. As noted, it does not yet seem to have improved the general reputation of NGOs.

Companies like Google are much more trusted than NGOs or the government.

“We need to be open. Our work is based on building trust.”– O.F.

13


WHAT’S CHANGED?There was certainly a peak of public

and media attention last summer as the Snowden revelations were unfolding (not least when it was alleged that President Dil-ma had had her personal phone tapped). To look at the newspapers, it would seem this interest has persisted: O Globo, Bra-zil’s foremost paper, still contains fairly fre-quent mentions of the terms “NSA” and “Snowden”, and an exclusive interview with Edward Snowden on the Fantastico current affairs program in May generated consider-able media excitement. 10 However, our in-terviewees tell a different story, and describe interest as short-lived, at least on the level of the general public.

Within the social sector on the other hand, there is some evidence, albeit anecdotal, of increased awareness, specifically around data security. We spoke to the founders of a “School of Activism” who said they have seen increasing concern on this issue. Among the various courses they offer to NGOs and activists, the workshops on data security have been the most requested – so much so that they had to organize five ad-ditional courses last year to meet demand.

The interviewees typically did not adopt new tools or change the software and services they used due to privacy con-siderations. Only two of them mentioned encryption, for instance, and both were in some way active in the area of digital priva-cy. (Similarly in the online survey, only one Brazilian respondent said they used email encryption, the lowest rate of any country – see p 32). Instead, people were more likely to claim they had adapted their behavior so as to use the same services as before but in a more careful way. Several mentioned habits such as not logging in when not nec-essary, not using a Facebook-login to ac-cess other sites, or being more reluctant to upload photos and other data.

SUMMARYWhilst Brazilian politicians are leading the

world in terms of data privacy legislation, the same engagement does not seem to be reflected in other parts of the popula-tion. In the social sector, and even more so in the population at large, there is some latent awareness of these issues, but it is not a central topic of discussion and seems to result in almost no practical action. The attitude, in the words of D.M., is rather “a mixture of resignation and not caring”. Possible reasons for this include a young population who are inclined to use online services eagerly and uncritically, as well as practices of sharing rooted in pre-internet traditions.

14

become extremely concerned about ac-cusations of taking bribes or embezzling funds. This is driven by the phenomenon of Renrou Sousuo (literally: “search for human flesh”), whereby an individual is publically exposed online for violating social, legal or moral norms, thanks to information ob-tained digitally. The practice sits in a gray area, both legally and morally, but has be-come widespread. Hence this kind of per-sonal information – for instance what kind of watches or cars an individual owns – has become socially explosive.

For ordinary members of the public and people in civil society, protecting their pri-vacy online simply isn’t an issue. On the strength of our interviews, people mainly seem to think in terms of protection from vi-

ruses, and perhaps to a much lesser extent about data theft. When we asked about special measures or software for safe-guarding privacy, interviewees immediately assumed we were talking about climbing the wall (see box below).

There is unanimous acceptance in China that the government will record and monitor internet activity, to the point of resignation. P.N. says: “Whatever the government wants to know about you, they will find out [...] The general attitude is that there’s nothing you can do about data security, so let’s not be

China

“Everyone in China knows their data will be seen by the government.” – L.F.

CHINA IN 2014China’s status as an emerging super

-power, not only in the economic and polit-ical but also the digital domain, is unques-tionable. It has by far the highest number of internet users of any country – an esti-mated 621 million.11 The population’s re-lationship with the internet is complex and deeply rooted in socio-political tensions and transformations.

China presents a real challenge to the idea of the internet as a global, and globalizing phenomenon. Firstly, because the internet that most people have access to is strict-ly policed by means of a state-imposed firewall (see box below). And secondly, because the way the internet is used – in terms of the most popular sites and soft-ware, and in terms of culture and behavioral norms developing around it – are so far re-moved from other parts of the world.

PRIVACYThe very concept of personal privacy in

China is different from the model found in Western liberal democracies. Traditional ascriptions of identity at a collective level, such as the family, are evolving into a more “individualized” understanding, according to some scholars.12 However, individual privacy as a value deserving of protection remains a fairly new concept. The concept has nevertheless become widely used and refers to a person’s intimate sphere: family information, address, where children go to school, and financial information.

The latter has become an extremely sen-sitive topic amongst economic and social elites. Public officials in particular have


15


formulas to financial scams and corrupt of-ficials, is ubiquitous, trust in organizations such as businesses, hotels, restaurants etc, is very low. In response to this, mul-tiple systems of government certification, including brass plates put up outside the establishment, provide some indication of trustworthiness (despite some skepticism about the process).

NGOs are widely mistrusted – see below.General opinion of foreign companies

such as Google is not clear, although they are generally more trusted than their do-mestic counterparts. Google specifically has gained a lot of fans within a niche user group, where it has been seen as a hero since refusing the government’s demands to filter search results.

Immediacy in communication is extremely important to users, and real-time commu-nication is much more widely used than in the West, both in personal and professional settings. This is in large part a question of trust: people are less trusting of automated processes and services, believing that di-rect personal contact is the best way to get things done. People use email much less, and trust its effectiveness much less – rightly so because many people never respond.

CIVIL SOCIETY ORGANIZATIONSCivil society organziations are widely

viewed with suspicion, after numerous high-profile scandals.14 Many NGOs today are attempting to (re)establish trust by pro-viding highly detailed proof of their work and how funds are being used. For example, all donors to the charity Free Lunch receive a daily text message detailing precisely how many meals were provided and what was served.

Most social enterprises, NGOs and foundations seem to have formalized a data handling policy. Larger organizations and companies have very detailed and

too worried about it”. G.Y. says: “There is no way to avoid the government looking in. I will just say the same thing within private and public.” Even in the hacker community, although there might be more of a fighting spirit, very few think they can really protect themselves against surveillance or that it’s worth the effort.

The question of personal data protec-tion did arise in a spat between two of the country’s digital giants in 2010. Qihu 360 accused QQ, one of the most popular in-stant messaging platforms in China, of collecting users’ private data and moni-toring their computers. Qihu developed a free patch which let users disable some of QQ’s features, and QQ retaliated by mak-ing their software incompatible with that of Qihu 360, forcing users to choose between them. Following government pressure, the two companies stepped down from their battle, but the flickering debate around pri-vacy was left unresolved.13

TRUST AND TRANSPARENCYWhen asked about transparency, our

interviewees talked exclusively about fi-nancial transparency and not about a data transparency policy. Why? There is simply no public discourse about this topic.

As such, trust in a website is couched not in terms of data transparency but rather whether or not the site is real, in the sense of offering real services and information rather than a fake or scam. This is judged partly by advice and recommendations from friends, and partly by the level of usage. W.J., who works for a donation platform says: “the main criteria for trust is whether there are a lot of people using it. That’s why it’s so important that our site looks so full. Trust is established not only by people donating, but by people watching their friends do so.”

Since fear of being cheated in all sorts of ways, from fake foods and poisonous baby

16


strictly guarded policies (so they say). But all agreed that giving or selling data to third parties isn’t good practice. We spoke to a large crowdsourcing platform which sends all users a statement about their data, con-firming it will not be used by third parties.

WHAT’S CHANGED?The Snowden/NSA stories were reported

in the Chinese media, but they fit in as just a part of a much broader narrative of internet politics. In the state media, the revelations were treated as evidence of US hypocrisy on cyber-theft and hacking (the general tenor being that the US likes to complain about Chinese hackers, but in reality every-body is at it).

Since then, the government has used arguments of this kind to ratchet up a dis-course of cyber-protection and vigilance – with volume peaking when hackers linked to the Chinese military were indicted by a US court in May 2014.15 Many interpret this as a ploy by the state to justify and extend their practices of surveillance; others have claimed it has more to do with protecting Chinese business interests. In April 2014 the government held a “Cybersecurity Day”

WALL-CLIMBINGIn 2003 the Chinese government first implemented the Golden Shield Project (金盾工程), a censorship and surveillance project which restricts the internet sites accessible from within the country. A primary purpose is to restrict access to information the government deems threatening or inflammatory, such as about human rights activ-ism and political dissidents. Perhaps unsurprisingly, it has become more commonly known as “The Great Firewall of China”, or simply “the wall”.

It is public knowledge that the wall exists, and that strategies exist that let one “climb the wall” and access the (truly) World Wide Web beyond, often involving the use of proxy servers. Climbing the wall is fairly common amongst educated Chinese in-ternet users, and in some circles is a kind of badge of honor. Admittedly, it seems people may be climbing the wall less than they used to as more and more information becomes available in Chinese. But certainly amongst university students and digital professionals, wall-climbing is normal.

in Beijing, but this seems to have been more a gesture than a genuine campaign for awareness.

SUMMARYThe framing of issues of online privacy

and transparency – and indeed of the in-ternet more broadly – is fundamentally dif-ferent in China than in other countries. In in civil society as we encountered it, and the wider population, it seems that issues of government surveillance and commercial data mining are not much thought about or discussed. Instead, concern focuses on protection either from viruses that cause direct harm or activities that cause direct financial loss such as theft of banking in-formation, fake sites or scams. A notable exception is personal information about senior officials and people in positions of power, which may be used against them in online “human flesh searches” – on ei-ther side, people have become passionate about respectively unearthing or suppress-ing such data. Government surveillance of the internet is universally accepted as inevitable.

17


GERMANY IN 2014As a highly developed and prosperous

European economy, uptake of digital tech-nology is more established and widespread than in the other countries in this study. A large majority of the population – 84 percent – uses the internet.16 But since the popula-tion is older (meaning proportionally fewer Digital Natives), we might expect them to approach technology more cautiously or critically.

PRIVACYOur interviewees were clearly concerned

not only with the amount of information about them that has been digitized, but also feel vulnerable about its potential to be used by others with questionable motives. Half said they felt transparent or “glassy” (“gläsern”) – an idiomatic German phrase expressing that one can be seen through by anybody who wants to know anything about you.

It is clear that the majority feel they cur-rently have unsatisfactory levels of privacy online and that they would prefer to use the internet anonymously or, as G.S. says, “be left alone”.

Germans are comparatively sensitive on matters of individual liberty and priva-cy. This may be in part traceable to their twentieth-century experience of oppressive regimes. Until the 1990s, state surveillance of citizens in what was then East Germany was extensive, leaving greater awareness of the dangers posed in the collective con-sciousness even today.17

Certainly in the aftermath of the NSA revelations in 2013, outrage was fiercer in

Germany than most other countries. This sentiment was only exacerbated when it was alleged that the phone of Chancellor Merkel, a popular figure, had been tapped by American security services.18 Even many months after the first revelations, it contin-ues to be a frequent topic in the German press, and proves an ongoing point of ten-sion in German-US relations. Prominent journalist Holger Stark criticised the Ger-man government for reacting to the crisis so diplomatically, calling it a threat to the foundations of democracy. 19

The Pirate Party (Piratenpartei), an inter-national political movement campaigning for individual privacy and rights online, has had its greatest success in Germany, winning seats in several regional elections, though its popularity has declined and its future is unclear. 20

The legal situation is in flux. Germany has a Federal Data Protection Act, which is drawn from clauses in the constitution securing personal rights. But Germany is also subject to regulation on a European level, such as the European Commission’s planned General Data Protection Regula-tion (GDPR) 21 and the European Court of Justice’s “right to be forgotten” ruling in May 2014. 22

Germany

The majority of interviewees feel they currently have unsatisfactory levels of privacy online.

18


Several interviewees said they had to ac-cept a trade-off of paying for services with their data rather than money. However a re-cent study showed that Germans, relative to other nationalities, are unwilling to make such a trade (see p. 21–22).

Most were critical of their own behavior to some degree, saying that they could and should do more to safeguard their own pri-vacy. If this suggests people believe these matters are the responsibility of the indi-vidual, other statements point in the other direction. J.P. sees data security as “a po-litical-structural problem and not necessar-ily based on the user’s responsibility”. F.R. also feels that the government is not doing enough on the issue.

Two interviewees say they have a feeling of relative protection in Germany, and oth-ers say they prefer German email providers to American ones, believing them to be more secure.

TRUST AND TRANSPARENCYTrust and transparency are often men-

tioned in the same instance; S.P. says “transparency is one component of trust”. Transparency is also clearly related to per-sonal data, S.P.’s contention that “transpar-ency stands for being able to review things that are related to me” reflects the general view.

Nearly all interviewees felt that compa-nies did not offer high enough levels of

transparency. S.S. accuses them of “trying to maintain an image of trustworthiness whilst not acting trustworthily”. A.I. sug-gests that to be trustworthy, a company would have to go beyond what is legally required in terms of transparency.

The NSA scandal did considerable dam-age to the trustworthiness of government in the eyes of the interviewees (note the interviews took place before further claims of German cooperation with American security services). 23 J.P. talks explicitly of protection not just by but also from the government.

Only a minority (two interviewees) were less critical when it came to government surveillance, saying that its purpose is to prevent terrorism and they personally had nothing to hide.

All of this leaves interviewees uncertain which of the two – governments or corpo-ration – they can trust more, seeing both as unsatisfactory.

As a source of information about soft-ware, interviewees clearly trust friends and colleagues above all. Some mentioned oth-er sources, such as the specialist magazine Gründerszene.

CIVIL SOCIETY ORGANIZATIONSAll interviewees were aware that their or-

ganization had a data handling policy in place. Requests or questions by users or beneficiaries regarding data handling were not common, but all interviewees said they would be willing to meet with such requests.

Interviewees generally agreed that it was important for civil society organizations to appear transparent, which M.S. and G.S. both said “simply means being transparent.”

One of the organizations we spoke to provides a service where users write their own profile, meaning the user is in control of what data is collected and what is made public. Another organization uses data for

Interviewees were unsure of who they can trust more between government and corporations – seeing both as unsatisfactory.

19


research and analysis, but with a policy of not saving IP-addresses to ensure that data remains anonymous.

WHAT’S CHANGED?All interviewees were well aware of the

NSA revelations and surrounding contro-versies, although some said the revela-tions had only confirmed what they already suspected. All interviewees now assume that their online communication is, or can be made visible and adapt their behavior accordingly.

J.P. uses TOR, Bitcoin, PGP, TextSecure, Threema and DuckDuckGo, in an attempt to leave as few traces as possible online. Two other interviewees said they had un-installed the Facebook app because it de-manded too much data.

However, more common than switching to different software, is a strategy of with-holding personal information, providing only the minimum amount. Every person we interviewed claimed to do this.

At a certain point, such action runs up against the convenience of these tools. The sale of WhatsApp to Facebook was a much-cited example in the interviews, and many said that although they felt they should stop using it, they had not done so because their contacts had stayed with the service.

SUMMARYOn the whole the interviewees had a high

level of privacy awareness online. In terms of how they acted on this knowledge, the group divided roughly in half, with one set of advanced users employing various tools to protect their privacy as much as possi-ble, and the other half either unsure what action they should take or sticking with the same tools and practices for the sake of sheer convenience – albeit often with a bad conscience. Many said they wished for more protection from the government or other institutions, but there was also a clear sense that the individual bears some responsibility for protecting him- or herself.

20


enshrines various kinds of freedom, but there is no legislation specifically protecting citizens’ privacy when it comes to digital data. 25 This means the government was able to introduce a Central Monitoring

System in 2013 which tracks all domestic internet traffic and well as email content and mobile phone activity. 26 It’s not yet clear what this data will be used for, and although some activists made vocal their opposition, it received little attention in the mass media and none of our interviewees brought up the subject.

A.S. echoes several other interviewees when she says “for me privacy is intrinsi-cally tied to security”, implying that they see more risk from external appropriation by hackers for instance, than misuse by those that collected the data. R.S. took a different perspective, arguing that unjust appropria-tion and selling of data was more a prob-lem of corruption than security. R.J. cited as an important requirement for trusting a piece of software that it could not easily be hacked.

Possible abuse of banking information was the greatest cause for concern, not only due to risks of fraud and theft but also because of the sensitivity of the information.

A 2013 survey found people in India most prepared of the 15 countries examined to “trade privacy for convenience” (Germans

India

“Privacy is intrinsically linked to security.”– A.S.

INDIA IN 2014Economically, and specifically in terms

of digital technology, India is much tout-ed as a rising giant. The country’s “digital elite” comfortably keeps pace with Western counterparts, with the latest smartphones and laptops, as well as world-class exper-tise. However, this elite is increasingly re-moved from the majority of the 1.2 billion population, of which only 16 percent use the internet. 24 In the coming years, this gap may narrow as mass availability and uptake of cheap smartphones drive up usage.

PRIVACYConceptions of privacy varied between

respondents. Most framed their answers in terms of access to personal data, but some felt it important to actively restrict who had access to which data, while others adopted the more passive stance of simply wanting to know and have their permission asked. R.J. defined privacy as follows: “that [data] is not used in that sense for a commercial gain, without the permission of the people who are going to be involved.”

Our interviewees were essentially unani-mous in claiming they held privacy to be very important – only one said he was not con-cerned about the privacy of his online data.

However, this abstract awareness of the issue seems in large part not to translate into users becoming better informed and acting accordingly. Three interviewees de-scribe themselves as “digitally illiterate” and several say they should make more effort to secure their data.

This ambivalence also plays out on a legal level. In principle, the national constitution

21


were the least prepared to do so). 27 From our interviews there was some reason to believe that the same mindset is shared by our sample group. Two interviewees gave responses couched explicitly in terms of a “trade-off” between privacy (in terms of handing over data) and value.

TRUST AND TRANSPARENCYAlthough Indian interviewees were cer-

tainly aware that their personal information was frequently being passed on, most stated that they do not understand the pro-cesses or motives involved. Their under-standing of transparency seems to come down largely to this point: not only which data is used and when, but also why.

This is most concretely shown in regard to advertisements. Interviewees sensed that the targeted advertising they received stood in some relation to personal data, but the opaque process leading from one to the other was identified as a case of intranspar-ency by nearly all interviewees. Google is viewed particularly negatively in this regard.

Whether or not interviewees trust a par-ticular piece of software often seems to have a large intuitive element. Many of them recounted personal anecdotes of experi-ences that caused them to lose trust. When G.G. connected with somebody named Sarah on LinkedIn and was suggested other people with the same forename, his first reaction was bemusement, finding it “stupid”, but said the experience had also diminished his trust in LinkedIn.

Interviewees above all said they trusted their social network – friends, families and colleagues – as sources of information on the data credentials of different software programs, with only two mentioning online ratings services or forums: A.S. says “For me, it depends on the trust in people who recommended it [the software]”.

CIVIL SOCIETY ORGANIZATIONSInterviewees generally took more care

with data protection when using other people‘s data in their line of work than their own – highlighting email addresses and bank details as especially important to protect.

All of them said their organizations had a data handling policy and several cited spe-cific technical measures such as software that manages the bank details of donors whilst preventing employees of the organ-ization from accessing them. Nearly all of them knew the location of the servers they used for data storage.

Disclosure of the religious affiliation of an organization’s beneficiaries was a major worry amongst several interviewees. This seems to be an extremely charged topic in India with various forces (we weren’t able to establish very clearly who) agitating for or against preferential support for different religious groups. Some went so far as to say disclosure of this information would be “dangerous”.

Regarding transparency, several inter-viewees talked about the legal and moral obligations of social organizations working with public money to be more open and transparent. R.J. said: “In the private sector a lot of expenditure is incurred in trying to ensure the privacy of the data remained, and that it does not go into the public do-main. That is not applicable when it comes to organizations which use public money.“

Disclosing the religious affiliation of an organization’s beneficiaries would be “dangerous”.

22


WHAT’S CHANGED?When asked about changes in their atti-

tude over the past two years, nearly all in-terviewees agreed that they have become more aware of potential dangers online, but only four out of ten referred specifically to media coverage of the NSA and Edward Snowden.

Certainly these stories have been exten-sively covered by the major Indian newspa-pers. However, in general the media seems to treat the subject of technology with a certain tone of optimism.

The extent to which this increased awareness has translated into changes in behavior varies. Two interviewees use the email encryption software TextSecure and one uses SnapChat specifically to prevent tracking. But adopting alternative software does not seem to be a common strategy. Although Google applications were most frequently cited as services people were cautious of, only one said they had adopt-ed an alternative service (DuckDuckGo). This might have to do not only with being uninformed but also a kind of widespread cynicism. K.J. recalls: “WhatsApp was acquired by Facebook and a lot of people said: ‘let’s move to Telegram’, and it turns out Telegram’s promises were not true either.” Two interviewees stopped using Facebook, but in the absence of adequate alternatives sooner or later started using it again.

More common is choosing to withhold certain information – particularly bank de-tails – in digital activity, and refusing to in-stall software which appears to demand too much data intrusion.

SUMMARYData privacy and transparency are re-

garded as important topics by almost all of our Indian interviewees, and are taken all the more seriously in the context of their professional work. There is a moderate awareness of data mining practices, which tend to be viewed critically. But these rel-atively new concerns are outweighed (and perhaps to some degree mixed up with) cybersecurity fears more broadly: hackers, fraudsters, and parties who would seek to use information about an organization to discredit it on political grounds. Only a cou-ple of interviewees with prior expertise on these issues had developed a clear strate-gy to protect their data; the majority might behave slightly more discreetly online, but seem more prepared to accept a “trade-off” of privacy against receiving quality ser-vices free of charge.

23


INDONESIA IN 2014Since the fall of the authoritarian “New Or-

der Regime” under Suharto in 1998, Indone-sia has been on a trajectory of rapid change. On a political level, there has been a con-certed shift towards democracy and greater transparency. Economically there has been strong growth. 28 This change has also in-cluded society enthusiastically embracing digital technology, smartphones, the internet and – above all – social media. Indonesians, at least in the major cities, tweet fanatically and use WhatsApp incessantly.

INDONESIA’S ATYPICAL CIVIL SOCIETY

Because the country was closed off until so recently, a social sector and civil society as such are now emerging for the first time, and with a very different composition to the model that has developed in other coun-tries. Few Indonesian NGOs fit the mould familiar in Western countries. More prevalent are loose-knit and more or less informal net-works of activists and individuals engaging and campaigning around a particular issue.29

This structural variation, or at least the extent of it, was a surprising finding of our research. In the context of the current study it poses some challenges for our analysis, since not only is the group being examined different from the other countries, it also stands in a somewhat different relationship to society at large. Just over half of our in-terview partners belong to this new breed of informal network organization, which tend to be tech-savvy, with generally high levels of awareness around the topics of this report. (Although anonymous, the bulk

of survey responses appear to have come from this group.) The interviewees were at pains to point out that their views were not the norm amongst the general population, or indeed other parts of the social sector.

In what follows we try to counteract this inadvertent selection bias and present a more general picture of the sector and pop-ulation as we perceive it to be.

PRIVACYThe enormous propensity in Indonesia to

share, noted above, doubtless has some cultural roots. As in other Asian societies, identity has traditionally been conferred more strongly by family and ethnicity than in more individualistic Western cultures. And in part it’s the exuberance of being able to spe ak so freely; D.B. says: “since the end of the dictatorship, people just love to talk – a lot!”

When it comes to the importance of pri-vacy in online activities, our interviewees gave the impression that Indonesians were

neither especially informed nor concerned. “Yes, it’s important to us,” said D.S., “but we don’t think about it a lot.” A.S. says: “ [Data] security is not a big issue for us now”. Those that were themselves engaged with the topic were clear that this put them in a minority; in the words of one: “Indonesians are simply not interested in a private sphere online.”

Indonesia

“Data security is not a big issue for us now.” – A.S.

24


When using services such as Google and Facebook, people seem to have very few qualms about entering personal data, in-stead enthusing about getting so many qual-ity services free of charge. “I heard that some people take this [privacy] quite seriously,” says D.S., “but up until now me and a lot of my friends just think that it’s useful for Google to increase and improve their own services.”

Although government transparency is an important issue in civil society (see below), government surveillance was barely men-tioned by interviewees as a potential danger. Instead, M.R. mentioned a concern with keeping their data private from journalists. He said that as a public figure, he didn’t want people talking about his private life.

We were assured by two of the activists who are more familiar with these topics that the great majority of Indonesians would be unwill-ing to pay for a service on the grounds that it offered greater privacy protection, not if there were a free (but less private) version available.

Security, rather than personal privacy, is an issue gradually gaining in importance, particularly in online banking and com-merce. B.R., who has worked advising banks on this topic, says: “The demand for more data security is growing, but not as quickly as we were anticipating.”

TRUST AND TRANSPARENCYGoogle in particular seems to enjoy a high

level of trust – people either believe or assume that it must be taking care of data privacy in a satisfactory way. P.S. says: “I use Gmail, which handles all the privacy issues automat-ically. We assume that popular services like Drive and Dropbox handle privacy quite well.”

D.S. said he trusts Google because it sends you a notification telling you whether there is any unusual activity with the account. How-ever, the most frequently cited criterion for trustworthiness is how widely used a service is: “If many people use it, then I trust it,” says

P.S.. Several interviewees also mentioned as a criteria of both transparency and trust that a service has a clear disclaimer about data use.

Trust is also strongly connected with hav-ing direct contact with a human, rather than solely with automated processes. Many In-donesians refuse to engage in (purely) online shopping for fear that it is a scam, but will instead browse goods online and then estab-lish contact with a salesperson by telephone or instant messaging to carry out the transac-tion. Similarly, people place great importance on personal recommendations and advice from friends and colleagues when deciding which software and services to use.

When it comes to the government, things are different. Government accountability and transparency is the single most dominant topic of civil society. H.T. says: “The topic which almost everybody engages with is the fight against corruption”.

NGOs seem not to be very widely trusted – to the extent that conventional NGOs exist (see below).

CIVIL SOCIETY ORGANIZATIONSIn terms of a data privacy policy, the few

large international NGOs – WWF, Greenpeace and the like – bring one with them, drawn up in the headquarters overseas.

Smaller groups do not have them. In many cases, developing an official data privacy policy had clearly not registered as a con-cern – indeed the very concept seemed to be an unfamiliar one. When asked why, interviewees either said they had too little time for such things, or simply stated it was not an active concern, V.M. says: “We don’t think about that [...] the concern is rather producing the data.”

The networked campaigning organiza-tions with, as discussed, a greater aware-ness of potential dangers of data gave different answers. Their work is, they said, outward-facing: their aim is to connect and

25


mobilize. Their activities, combined with their structures of decentralized networks often operating through social media, means that at no stage do they end up ac-cumulating data which might be sensitive – so the question of safe internal processes doesn’t arise in the same way.

One notable example we spoke to was a group campaigning for minority rights, who collected sensitive data, for instance about the identities of activists, and went to some lengths to protect it. This is consistent with a very pragmatic interpretation of people’s attitudes: they are not engaged because they cannot see the relevance for them in issues of data privacy; in the cases that the relevance becomes more acute, people’s reaction is to inform themselves and modify their behavior.

WHAT’S CHANGED?A search through online archives of na-

tional English-language newspapers turns up no shortage of articles reporting on the NSA/Snowden story. However, although most people are vaguely aware of the story, the majority seems indifferent. D.S. says: “I didn’t really read about it, but I heard peo-ple talking about Microsoft working with the CIA and things like that…but it doesn’t impact us now.”

B.R. said that in recent months Indo-nesians have been more aware and con-cerned about issues of privacy, but cited more apprehension of aggressive adver-tising rather than data’s influence on news

stories or public discourse. One such inter-viewee said this had caused him to “sig-nificantly reduce” the amount that he used Facebook.

SUMMARYThere is a divide, unique to Indonesia,

within our working definition of civil soci-ety. On the one side there are NGOs and “conventional” civil society organizations, and these are much less established than elsewhere. On the other side is this phe-nomenon of networked, decentralized groups campaigning and mobilizing around particular issues. The latter group is often considerably better informed and more engaged with data privacy and transparen-cy, but universally report that these remain niche topics, in which the vast majority of the population has little or no interest. They share this with the former group of conven-tional CSOs. These seem to know little and care little about questions of data privacy, showing concern only when perceived threats are immediate and direct, such as a personal criticism from journalists. Trans-parency tends to be understood in terms of political accountability, and in this sense it is something most people care passionate-ly about. By contrast, transparency seems not to be talked about in terms of the in-ternet or digital data. When using the inter-net, people have no problem with handing over data to service providers (to the extent that they really considered that this was taking place): indeed in the case of Google in particular, users welcomed the fact that the company was trying to optimize their services and offer them free of charge. Big-name brands such as Google, Facebook and Twitter enjoy a very positive reputation, both in general and on questions of data specifically, where majority opinion seems to be that they take these issues seriously and (presumably) act appropriately.

“I didn’t really read about it, but I heard people talking about Microsoft working with the CIA and things like that… but it doesn’t impact us now.” – D.S.

26

HOW DO THEY DEFINE PRIVACY?Our interviews began by posing a simple

question: “How do you understand privacy in an online context?” It was clear that the majority of people did not have a concise understanding to hand – it wasn’t a question they had really asked themselves. Answers were given broadly along similar lines, with little variation between countries. Almost everybody answered that it was a question of who had access to their personal infor-mation (a few immediately began to speak in terms of “data”) or could see their online ac-tivity. The most commonly given criterion for achieving or securing privacy was restricting (forcibly if necessary) who had such access, but several people formulated it more mildly, instead talking about the user being made aware at all times who had access to what.

Taken as a whole, our interviews support the conclusion that a basic understanding of privacy is shared across different groups and nationalities. As noted above, this indi-vidualized conception of privacy has taken hold much more recently in China and Indo-nesia than, say, Germany; and the fact that a fundamental understanding exists in the different cultures of course doesn’t mean everyone attaches the same importance to the concept.

HOW MUCH DO THEY CARE?Asked how important they felt privacy on-

line to be, not a single survey responded with “Not at all important”. Two thirds said it was very important, and one third some-what important.

Whilst this clear result is worth noting, we gained a more nuanced understanding

from our interviews. In China and Indone-sia, for example, our research suggests that with the exception of a small engaged minority, the social sector and the popula-tion at large is not actively concerned with protecting their privacy online. Germany, and to a lesser extent India, represent the opposite: the desire to protect personal privacy and awareness of possible threats to it are fairly high among those we spoke to. Finally, Brazil seems to fall somewhere between these two camps, with privacy campaigning still considered a minority or “elite” concern. This came as a surprise, given that on an international political level, Brazil is a leading light for tighter internet governance. 30

WHAT DO THEY WANT TO BE PROTECTED FROM?

In our questions we asked about protect-ing data and privacy, purposely leaving open the question of protection from whom.

Resisting data mining by big companies and large-scale government surveillance seems to be a broadly held concern in Ger-many, with nearly all answers couched in such terms. In India concern is also broad but perhaps slightly less keenly felt. How-ever, in Indonesia and Brazil, such concern seems to be limited to niche interest groups. Targeted advertising was the most com-monly named factor making people aware that their data was being used (and most seemed to find it objectionable with some perceiving it as “aggressive”). A non-negligi-ble minority, though, were unconcerned and thought it good that Google et al improve their services through data analysis.

How do people think about privacy?


27

But perceived threats do not stop at data miners and state spies. Often people re-sponded in terms of protection from vari-ous malicious hackers and fraudsters. This was the main thrust in China, where sur-veillance is accepted as a given, but these themes cropped up in India and Indonesia too. Indeed, interviewees fairly regularly started talking about anti-virus software and malware, suggesting that all issues which might fall under the umbrella “cyber-security” – data privacy alongside hacking and viruses – are closely connected or even conflated in people’s minds.

WHICH DATA DO THEY WANT TO PROTECT AND WHY?

In addition to general concerns outlined above, in some circumstances, people feel vulnerable to particular threats and certain kinds of data become extremely sensitive. A striking example is the Chinese officials at risk of “human flesh searches” (see p. 14), who closely guard information about their wealth or indicators of it, such as where their children go to school, the cars and watches they own, and so on.

Some people we spoke to felt a duty to

protect sensitive data collected by their or-ganization in the context of their work. In some cases the sensitivity is obvious, such as the Indonesian group campaigning for minority rights. Other instances came as surprises, such as the fact that in India the religious affiliation of the beneficiaries of a program can become highly politically charged and can be used to criticize or dis-credit the organization’s work.

Where the objection was not so directly pragmatic and more principled – that is, based on a general sense that one’s per-sonal data should not be monitored and stored – the conclusion was unsurprising: the more personal and more detailed the information, the more people cared about protecting it.

For example, protection of banking data was mentioned repeatedly in all countries, not only for the obvious reason of prevent-ing fraud but also because how a person spends their money is felt to be highly per-sonal information.

Survey respondents were asked how much they cared about different kinds of information being visible only to them. Their responses are shown in chart 1.


20

%

40

60

80

100

Chart 1: How important is it that this data is available only to you?

Browsing history

Your location Searches you perform

Content of your e-mail

Content of your chat

e Not at all

e Somewhat

e Very

See note on charts below

28

Privacy in email content is most cherished with 94 percent calling it very important, fol-lowed by chat content, ranked very import-ant by 82 percent. Respondents were less concerned about the other three categories, with just under half marking them very im-portant.

There was minimal variation between countries in the responses, with the coun-try averages very close together. The small number of relatively blasé individuals – that is, people who said they were less con-cerned – were scattered evenly between countries. The converse – that is, individu-als who answered “very important” to every question, about one fifth of all respondents

– were also present in all countries, but most concentrated in China. (This came as a sur-prise, given that we concluded from our in-terviews people in China accept surveillance as inevitable – see p. 16.)

When asked a corresponding question about data from mobile phones, the ans-wers followed the same pattern: the content of the calls was the most important, data such as location less so (although by no means unimportant).

ARE THEIR OPINIONS CHANGING?By a margin of two to one, people said

that there had been a change in their attitu-de over the past two years.

%

20

40

60

80

100

Chart 2: Has there been a change in your attitude in the past two years?

Brazil China Germany India Indonesia Total

e No Change

e Change



29

People who gave an affirmative answer were asked what had caused this chan-ge – see chart 3. Personal experience was the most commonly cited reason for this (and from our interviews we interpret this to be primarily awareness of targeted adver-tising). In close second place were media reports.

Interestingly, Germans were much more swayed than all other nationalities by media reports – these were cited as a reason by every German respondent.

Chart 3: What caused the change in attitude?

e Personal experience

e Media reports

e Friends and Family

e Company



30

Unlike “privacy”, asking people about “transparency” highlighted differenc-es even on the level of initial and fun-

damental understanding. In China for ex-ample, interviewees tended to start talk ing about financial transparency: it seems that the concept of data transparency is simply absent from the popular discourse in that country.

Brazil and Germany shared a broad un-derstanding of what it meant to be trans-parent: disclosing to the user of a service which information about them will be used for what. Interviewees in those countries generally felt the topic to be important. In both countries an additional caveat was raised several times: it is not enough, many people insisted, to merely disclose a pol-icy in an incomprehensible or inaccessible way, e.g. tucked away in a long “Conditions of Use” agreement; genuine transparency also entails presenting this information in an legible way and making it accessible to users. German interviewees felt most

strongly that many service providers today offered inadequate transparency, which for them was an important factor in mistrusting these providers.

In India the emphasis was slightly differ-ent. Several interviewees expressed puz-zlement about the motives of those collect-ing and using their data. For these people, transparency involves disclosing not just the “who” and “which” questions of data collection and use, but also the “how” and “why”.

In Indonesia, attitudes among those in-terviewed are rather bipolar. In terms of government accountability and exposing corruption, transparency is a massive issue which everyone seems to feel passionate about. However, this zealous demand for transparency seems not to extend to on-line service providers. Instead, most peo-ple seem content to accept or assume that companies such as Google take these is-sues seriously and do the right thing.

How do people think about transparency?


31

F rom our interviews we drew a detailed impression of how much the people we spoke to cared about privacy and

transparency, and what issues were of parti-cular concern. But actions are supposed to speak louder than words. So were people’s concerns reflected in their online behavior?

WHAT MEASURES DO THEY TAKE?Our interviews produced plenty of an-

ecdotal evidence about measures people take to protect their privacy. The survey also asked about specific measures.

Starting with the most basic measures, more than 85 percent of respondents across all countries delete cookies from their brows-er. Use of the “private mode” in the browser is also fairly widespread in all countries; nearly half of respondents claim to do this.

On email encryption, a more varied pic-ture emerges. Indonesian respondents were way ahead with half saying they en-

crypt their communication, 31 compared to around a quarter in other countries. Ho-wever, there is more appetite: many peo-ple selected the option “no, but I would if encryption services were easily available”. Overall two-thirds of respondents either do encrypt or would like to. This is hig-hest in Germany and Indonesia, at over 80 percent; Indians were more indifferent with more than half uninterested.

With anonymous browsing a similar pic-ture: 69 percent of Indonesian respon-dents said they had used a proxy server

or Tor, compared with only 16 percent of Indians; the other countries polled around 30 percent.

It’s worth reiterating a recurring lesson from our interviews, namely that some be-havioral change – quite possibly most of it – is of a more subtle kind and not picked up by this sort of question. Many interviewees described how they had started using a ser-

How do people behave online?

%

20

40

60

80

100

Chart 4: Measures individuals take to protect their privacy online.

e Delete Cookies

e Encrypt emails, or would if easy

e Browse anonymously

Brazil China Germany India Indonesia



32

vice like Facebook more discreetly, by being more sparing with the data they uploaded, or refusing to use Google or Facebook to log in to other sites. A handful of respon-dents even said that for truly sensitive infor-mation they would now prefer communica-ting face-to-face or over the phone.

IS YOUR NAME REALLY WASHINGTONIRVING2000?

Using a fake name when posting com-ments online may not be a very sophisti-cated strategy, but is effective at protecting some (not all) kinds of privacy, and, mo-reover, demonstrates a personal attitude towards whether an individual wants to be anonymous when they are online.

The majority of survey respondents do not use a pseudonym, and most post under their own name (and of those who do use a pseudonym, many do not always do so).

However, our survey showed a wide vari-ance between the countries, which does not correspond with our other conclusions about general attitudes in those countries. This sug-gests that pseudonym use may not in fact be

a strong indicator of engagement, and more dependent on extraneous cultural factors.

DOES CONCERN ACTUALLY TRANSLATE INTO ACTION?

During our interviews we sometimes had the feeling that, to varying degrees, people’s professed concerns often did not translate into changes in their behavior. Our survey data gives us a chance to test whether this was actually the case.

By combining answers to several questions about attitude, we gave each respondent what we will call an “Engagement Score”, re-flecting how much they claim to care about personal privacy. Similarly, we awarded an “Action Score” based on a points system no-ting which active measures respondents took to protect their privacy: anonymous brows-ing, email encryption, deleting cookies, etc.

Such ratings are unavoidably imprecise, but serve our purposes by letting us com-pare different respondents. (See appendix 2 for detailed methodology.) Chart 6 shows all respondents plotted by Engagement Score and Action Score.

Chart 5: Do you post comments online under your own name or a fake name?

e Real name only

e Pseudonym only

e Neither

e Both



33

There is essentially no correlation. Even when countries are taken individually or plot-ted against each other, no coherent picture emerges. Professed opinion seems to have little or no observable effect on behavior – at least within our sample.

In our interviews we found a number of possible reasons for this pessimistic conclu-sion: pragmatic convenience outweighing abstract worries, lack of knowledge about what countermeasures are available, or else merely resignation.

OPEN SOURCEThe open source movement has strong links with campaigners for online privacy and

transparency. The extent to which people know about, and support, the open source movement, is thus one indicator of their engagement with these issues.

Our findings were mixed. Certainly both awareness and use is fairly widespread – but this use tends to be more pragmatically than ideologically motivated.

When we asked our interviewees about open source, the terms which came up time and again in their answers were piracy (apparently widespread in all countries researched except for Germany) and cost. The biggest attraction of open source software certainly seems to be that it is free to use. For a small minority this dimension comprises their entire understanding of what open source means; however most are aware as well of the openly accessible code dimension. The conclusion which emerged clearly from all four of these countries was, in the words of Chinese interviewee C.M.: “Most people only use open source when they don’t want to spend money and don’t want to use pirated versions.” A smaller number also said they thought, in the words of G.G. in India, “that these are the good guys.”

So much for motives, what about usage? Just under half of our survey respondents said that they used some sort of open source software: 41 who did versus 45 who did not. Usage was somewhat higher in Indonesia and lower in China. When invited to name which software they used, OpenOffice and Libre Office were mentioned repeatedly (sup-porting the idea that not having to buy licences is a strong motivating factor), as were Firefox and WordPress.

0 5 10 15 20 25 30

0

1

2

3

4

5

6

Chart 6: Plotting “Engagement” (0= totally indifferent, 25+ = care very deeply) against “Action” (0 = do nothing, 6 = take a wide range of measures)

Act

ion

Sco

re

Engagement Score



34

The question of trust came up in our find ings in different respects: firstly the more simple question of which

online tools people trust or distrust and on what grounds, and secondly who is trus-ted, in their conduct or as sources of in-formation. This latter question is important for putting the former into a societal cont-ext, and is a question not just for, but also about, social sector organizations.

WHICH SERVICES DO THEY TRUST? We asked our survey respondents to rank

different programs on a scale from 1 to 8 based on their privacy protection (exclu-ding China – see below). On Chart 7 the light green represents a rating of 1 or 2, i.e. the highest protection; the dark green re-presents the lowest ratings of 7 or 8.

The first thing to note is that there are not extreme differences, with some programs unanimously seen as far better than others.

Who do people trust?

Chart 7: Ranking various programs for the privacy protection they offer.

Twitter Facebook Instagram Google + WhatsApp Skype

20

%

40

60

80

100

e High protection e Medium protection e Low protection



35

Indeed, when average scores were cal-culated, there was a gap of just 1.3 bet-ween highest and lowest. Facebook and Google+ scoring lowest. WhatsApp polari-zed opinion with lots of very positive and very negative ratings. Twitter did consider-ably better than the other social media gi-ants. And way out ahead was Skype, the only one to have more positive than nega-tive feedback.

When subjected to the same ranking, va-rious web browsers fared much better than these programs. Not a single respondent gave a score of 7 or 8 (very low protecti-on) to any browser. Firefox scored the best for protection, followed by Google Chrome, with Internet Explorer faring worst.

Chinese respondents were asked cor-responding questions reflecting the most commonly used programs and browsers, mostly native Chinese ones. Nevertheless, the same answers emerged: Skype scored more highly than all other messaging plat-forms, followed by 人人. Firefox was the best-rated browser and Internet Explorer the worst, with all Chinese browsers ran-king somewhere between the two.

ON WHAT GROUNDS?In all countries, recommendations and

advice from family and friends seem to be not only the most trusted (hardly surpri-sing), but also the most common source of information about which software to use. This finding was confirmed both by the in-terviews and the survey.

In China and Indonesia we found a strong strain of “following the crowd”, whereby a service is assumed to be trustworthy if and because it is widely used. It’s important to note that in those countries, arguably peo-ple’s primary worry is fake sites and scams, and against this threat, corroboration by following the crowd may well be an effec-tive strategy.

HOW TRUSTED ARE NGOS, THE GOVERNMENT AND OTHERS?

This question is very important for any-body with an interest in campaigning or alliance-building on these issues.

NGOs in Brazil and in China are viewed with deep-rooted suspicion due to past corruption scandals, inefficiency, and mal-practice – real or perceived – which persists today.

In the relatively new democracy of Indo-nesia, citizens keep a very close eye on government activities and guard fastidious-ly against corruption – this suggests a low level of latent trust in government. It is clear that in Germany, the NSA inflicted serious damage on citizens’ trust in government ac-tivity, particularly on the issue of online sur-veillance. There is reason to believe many people are skeptical of the government in Brazil and India too, but our research nei-ther confirmed nor refuted this. In the case of China, the relationship between citizens and state is deeply complex and far beyond the current scope of this report; it’s interest-ing for present purposes just to point out the growing phenomenon of holding public officials to account through “human flesh searches” (see p. 11).

As for the big technology companies themselves – Google, Facebook and oth-ers – they seem to enjoy a high level of trust in Brazil and Indonesia, with the exception of a small activist minority. In China the sit-uation is reversed, with a small minority be-longing to the Google fan club, applauding the company’s resistance to filtering search results. In Germany and India people seem on the whole to be more skeptical of such corporations.


36

SO WHO DO PEOPLE THINK SHOULD ACT?

In all countries we found people vocal in the opinion that current levels of transpar-eny and privacy available to internet users are inadequate (the proportions of course varied by country from large majority to slim minority). But what do the critics think should be done? And by whom?

Few of these concerned people seemed to believe companies would cease what they felt were objectionable practices of their own accord – driven, as it were, by a principled stance or perhaps market pressure. Certainly, some were in favor of stricter internet governance, either by the state or, as suggested by some Indian and German interviewees, an independent reg-ulatory body.

An opinion widely shared amongst peo-ple with an interest in these topics was that the individual carries a lot of the responsibil-ity for protecting him- or herself, rather than expecting the government or others to find solutions. We were surprised at the level of self-criticism amongst the people we spoke to; very many said they knew it was impor-tant and felt that they should do more – and that they felt guilty about compromising principles for convenience.


NOTE ON CHARTSThese charts have been produced using data from an online survey with 94 responses.

This allows us an insight into broad trends, but the sample size is too small to give a sta-tistically sound representation of precise ratios and relations. Anybody reproducing this data elsewhere should take care to make this clear.

37

W hen it comes to privacy and ac-countability,” writes scientist and author David Brin, “people always

demand the former for themselves and the latter for everyone else.” There’s undoubted-ly some truth in this rather glib assessment, but in this report we hope to have contribu-ted to a subtler understanding.

Yes, people might “always” desire privacy, but probe a little further and you found out that for Indian NGOs the most sensitive in-formation is the religious affiliation of those they help, and the Chinese public official is passionate that the model of car he drives does not become public knowledge. And how people understand and value accoun-tability is more splintered still: many Indone-sians for instance will hold their government to the most stringent standards, whilst un-questioningly handing over a wealth of data to software manufacturers.

Appreciating distinctions like this is crucial for anybody who believes the increasing di-gitization of our everyday lives, and the ope-rations of the social sector, raise questions about data privacy and transparency that we should be seriously discussing.

It bears emphasizing that we are clear-si-ghted about the scope of our research so far. This report draws its conclusions from 58 qualitative interviews and 94 online survey responses (a per country average of 11.6 and 18.8 respectively). This gives a solid basis for an insight into our target group(s), but we do not overstate our claim to defini-tive objective answers – if such a thing were possible.

We hope that this report will be just the first stage of more extensive research into what the new abundance of digital data me-ans for civil society organizations worldwide.

Conclusion

38

SELECTING INTERVIEW PARTNERSWe wanted as far as possible to talk to a

broad cross-section of civil society. To do this, we developed five categories, each with defining criteria, of different kinds of actor within the sector: social entrepreneur, activist, expert perspective (this included, for example, academics whose research focused on the sector), and also employ-ees of NGOs and multipliers (including, for example, networking organisations in the sector and grant-awarding foundations).

Armed with these categories as a guide, who we interviewed was dictated in part who our research for Lab Around the World brought us into contact with – a combina-tion of the make-up of the sectors in each country, and an unavoidable degree of happenstance. Below the breakdown of interviewees:

The majority of the interviews took place during “Lab Around the World” (see p5) in the countries in January-March 2014, how-ever in the time available we weren’t able to complete our desired quota of 10-15 per country and so conducted further inter-views by Skype in March-April 2014.

ONLINE SURVEYWe produced an online survey in English,

Brazilian Portuguese and Mandarin, and spread it through our networks and connec-tions in the various countries, promoted it in blog posts, and through some cold acquisi-tion. We collected a total of 94 responses, with at least 15 from each country.

“ENGAGEMENT” AND “ACTION” SCORES (PP. 32–33) Survey respondents were asked: (1) How important they considered privacy

protection(2) How much they worry about their per-

sonal information being accessible online

(3) For different kinds of information, how much they cared about it being kept private

All question were answered on a 3-point scale (very/somewhat/not at all). These rat-ings were translated into numerical values, with 3 denoting most concern. For the third point – that is, (3) – an average was taken of the answers; so each respondent had three numbers between 1 and 3, and the “En-gagement Score” was calculated by mul-tiplying these together, for no reason other than to achieve a visible and manageable spread of data points – hence scores range from 1 to 27.

The “Action Score” was a simple points system based on the responses to a num-ber of questions: email encryption, pseu-donym use, open source use, deleting cookies, anonymous browsing, with uses of such strategies tallied up to give a score between 1 and 6.

Appendix

Brazil China Germany India Indonesia

NGO 3 2 2 2 2

Social Entrepreneur 2 2 2 4 2

Activist 2 3 2 1 5

Expert Perspective 1 5 1 1 2

Multiplier 2 3 3 3 1

Total 10 15 10 11 12

39

1 http://www.itu.int/en/ITU-D/Statistics/Pages/stat/default.aspx

2 https://www.cia.gov/library/publications/the-world-factbook/geos/br.html

3 https://www.quintly.com/blog/2013/02/facebook-country-stats-february-2013-top-10-countries-lose-users/

4 http://pt.wikipedia.org/wiki/Gambiarra

5 http://www.democracynow.org/blog/2013/9/24/video_at_un_brazilian_president_dilma

6 http://www.un.org/en/ga/search/view_doc.asp?symbol=A/RES/68/167

7 https://www.privacyinternational.org/blog/netmundial-a-long-way-to-go-to-combat-mass-surveillance

http://www.indexoncensorship.org/2014/04/netmundial-disappointed-expectations-delayed-decisions

8 http://socs.civicus.org/?p=3748

9 http://link.springer.com/chapter/10.1007%2F978-3-642-29958-2_26

10 http://g1.globo.com/fantastico/noticia/2014/06/se-o-brasil-me-oferecer-asilo-aceito-diz-edward-snowden.html

11 Rate of internet use (source: http://www.itu.int/en/ITU-D/Statistics/Pages/stat/default.aspx?) by estimated population (source:

https://www.cia.gov/library/publications/the-world-factbook/geos/ch.html)

12 Yuan et al. 2013

13 https://www.privacyinternational.org/reports/china/i-legal-framework

14 The Chinese Red Cross in particular has been dogged by a series of scandals of cronyism, embezzlement and inefficiency, (source:

http://blogs.wsj.com/chinarealtime/2013/04/30/chinas-red-cross-tries-to-rebuild-after-self-inflicted-disaster/)

15 http://www.bbc.com/news/world-us-canada-27475324

16 http://www.itu.int/en/ITU-D/Statistics/Pages/stat/default.aspx?

17 This is a speculative thesis, and one which some of my colleagues disagree on. I stand by the thesis, despite the fact that they are

German and I am from England (but have lived in Germany for some time and studied German culture at university level). By its

nature, it’s difficult to corroborate, let alone prove. What is beyond doubt is that the Stasi has given Germans a common referen-

ce point, and this is cited frequently in current discussions about the NSA, even if it is not made into a central point. To give two

examples: http://www.faz.net/aktuell/feuilleton/debatten/mathias-doepfner-s-open-letter-to-eric-schmidt-12900860.html?printPage-

dArticle=true#pageIndex_2 || http://www.theguardian.com/world/2013/dec/17/merkel-compares-nsa-stasi-obama

18 http://www.bbc.com/news/world-europe-27695634

19 http://www.spiegel.de/kultur/gesellschaft/journalistenpreis-fuer-spiegel-redakteure-stark-und-rosenbach-a-940297.html

20 http://www.guernicamag.com/daily/ben-mason-pirates-of-the-parliament/

21 http://www.zeit.de/digital/datenschutz/2014-01/datenschutzreform-nicht-mehr-vor-europawahl

22 http://www.handelsblatt.com/unternehmen/it-medien/nach-eugh-urteil-google-wird-mit-loeschantraegen-ueberhaeuft-/9896598.html

23 http://www.spiegel.de/international/germany/the-german-bnd-and-american-nsa-cooperate-more-closely-than-thought-a-975445.html

24 http://www.itu.int/en/ITU-D/Statistics/Pages/stat/default.aspx?

25 https://www.privacyinternational.org/reports/india/iv-privacy-issues.

26 http://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system

27 http://www.emc.com/campaign/privacy-index/global.htm

28 http://data.worldbank.org/indicator/NY.GDP.MKTP.KD.ZG

29 For more detailed analysis see Nugroho, Y. “Citizens in @ction: Mapping contemporary civic activism and the use of new social

media in Indonesia” (2011)

30 The survey data did not correspond to this relative appraisal, in terms of ratio of responses given “very important” vs, “somewhat

important”. We’re inclined to give precedence to our interview findings, which are of richer quality.

31 Recall that we have reason to suspect selection bias here, and that these respondents are disproportionately likely to take such

measures relative to their countrymen.

Notes

In the case of URLs: accessed between May and July 2014.

Privacy, Transparency and Trust in a digtial World

Documents

Transcript of Privacy, Transparency and Trust in a digtial World