Networked Privacy

The individual agency that privacy laws offer were designed for a time before networked privacy. As a result we cannot just rely on laws and regulations to protect our data but need to do considerable additional work to secure it.

This article was first published in The Mint. You can read the original at this link. If you would like to receive these articles in your inbox every week please consider subscribing by clicking on this link.


I remember an audience member once asked Justice B.N. Srikrishna a pointed question about privacy in the context of social media at one of the public consultations held in relation to his report on data protection. 

“What happens," she asked, “when a group of friends takes a selfie and one of them uploads it onto social media? While we all may have agreed to pose for the picture, I did not consent to having it posted online. Is she obliged to obtain my consent before posting it? And how can social media companies make an image like this public if I haven’t agreed to allow them to do so? They certainly don’t have my consent and there are no other legitimate grounds they can avail off to process my personal information."

That was the only time I’ve seen Justice Srikrishna at a loss for words. Even though he had, by then, spent countless hours deliberating all sorts of provisions that should and shouldn’t go into India’s draft privacy law, that question forced him to confront the complexity of networked privacy.

Individual Rights

We have be trained to think of privacy as an individual right. Our laws have been designed to give individuals agency over their personal data—so that they get to decide who can process their personal data and for what. This is also why tech companies design privacy settings to be configurable at an individual level—so that users can determine what can and cannot be done with personal data. But individuals have very little actual control over their privacy.

In her book The Private is Political, Alice E. Marwick argues that given the deeply networked world we live in, individual agency is futile. When our social networks were offline, it was easy to exercise agency over how our personal information would be shared in a given context. The internet does not respect these social contexts. It was designed to connect nodes of information with each other and does so with such ruthless efficiency that it has rendered our traditional privacy instruments utterly ineffective. Marwick calls this as the problem of “networked privacy"—the inability of existing data protection laws to adequately safeguard personal privacy on digital networks.

Even if you’ve never heard the term ‘networked privacy’ before, you most certainly have suffered its consequences. We’ve all shared some personal news with a family member only to find, a few hours later, that its been proudly posted on some WhatsApp group or the other and a bunch of ‘uncles’ are gleefully discussing it. We’ve all posted comments on a social network only to have it resurface elsewhere— more often than not quoted entirely out of context. Since there is no way to anticipate any of these consequences, what is the use of trying to exercise our agency in guarding against them?

Privacy Work

Anyone who has been burnt by the problem of ‘networked privacy’ intuitively knows that our privacy laws don’t go far enough. If we want to protect our privacy, we will need to put in some effort. This is what Marwick calls “privacy work," referring to the additional measures we must all take to ensure that our personal data isn’t used to cause us harm.

Privacy work takes many forms. For the more technically savvy among us, this means using VPNs, proxy servers, end-to-end encryption and a host of other tools to mask our digital footprints, so that no one knows where we are or can make inferences about us from the online trails we leave. Others practice social segmentation, consciously choosing which audiences they share what information with—so that, for instance, their parents are not privy to conversations with friends and colleagues. Among young people, this has taken the form of ‘Finstas’ or fake Instagram accounts that they create to conduct private conversations with a small group of friends who are the only people who know of the existence of that account.

There are some who choose to secure their privacy through obscurity, purposely maintaining a low profile so that they never, even by accident, allow any light to shine on any part of their life. They choose handles that are purposely neutral, masking any hint of their real name, age or location, so that nobody can infer who they are from their online persona. Others practice steganography. This involves communicating through coded language embedded within public posts that nobody other than those for whom these messages are intended can decode, or even recognize that such posts contain any deeper meaning than what’s apparent.

Share Less

But, by far, the most common form of privacy work we practice is simply sharing less. Anyone who has been online long enough knows that everything you post can and will become public, no matter how well you trust the chat group to which you have sent it or the diversity of measures you’ve put in place to make sure it doesn’t leak. In my own social circle, I’ve noticed more and more people starting to take this so seriously that they are now only reachable via SMS and email, having chosen to disengage from all social media platforms.

I am not sure if everyone needs to go that far. Not all of us need to suffer the trade-offs that this level of online de-escalation demands. What we must do is adjust the filters in our brains, so that we make sure we aren’t sharing anything we’d rather keep to ourselves.

Speaking for myself, I have decided that I am not going to post anything unless I don’t mind seeing it against my name on the front page of The New York Times.