January 2021
This was a short paper I had written for a course called "Ethical and Legal Aspects of Computer Science". The prompt was this: Your smartphone is one of the most important threats to your privacy. Do you agree with this statement? Why? Is there anything that the GDPR can do to help you mitigate that threat?
Within the last 20 years, the way we interact with the world around us, and by extension the people around us, has changed drastically. Where we used to have to write something down or send a letter in the mail, we can now take a video or send a text message that can be read instantaneously. Instead of interacting physically, we now interact with the world using our data. Further proving that point is the fact that we all create massive amounts of data. Every time we order something on Amazon, or do a fact check on Google, or send an email, we create data about ourselves that can show the right eyes our basest desires. While this data used to be constrained to a non-portable desktop or even a semi-portable laptop (restricted to Wi-Fi zones unless you have an LTE modem), we can now create and move data with a device that fits in our pocket and can access the internet from almost anywhere on the planet. The smartphone has changed the way we create and use data, and it could’ve led to the quiet destruction of personal privacy for individuals everywhere, had it not been for the pushback of the GDPR.
When a user visits a website, the website will want the browser to remember certain facts about the user. This makes things easier for the website – it can quickly determine whether a user has been to the website before, whether the user has a shopping cart open on the website (as well as a way back to that shopping cart), or even whether the user is authorized (i.e., has a valid login) to be on the user account portion of the website. So, the website will leave a bit of data (usually stored in a text file) in the browser. This is known as an HTTP cookie, or just cookie for short. As previously mentioned, cookies can be good for businesses. Other uses not yet mentioned include analyzing (and therefore improving) the usability of a website and remembering preferences (dark mode vs. light mode, etc.). However, cookies (specifically persistent cookies) can also be used to track users across the internet, allowing big companies and data vendors to gain valuable data from users for free. Almost every website uses some form of cookies, and pre-GDPR, persistent cookies were everywhere. GDPR dealt with cookies in Recital 30, which considers them personal data. This means that websites (or whoever the issuer of the cookie or holder of the data is) can only process the data gained from cookies with the explicit and express permission of the user (or with legitimate interest). This puts the decision making, in terms of personal browsing data on the internet, back into the hands of the user, where it should be.
Downloadable apps (apps for short) form a cornerstone of the smartphone experience. They allow users to bring specific experiences and tools directly onto their devices. However, from the moment you open these apps for the first time, they are taking and transmitting your data. Those buttons to onboard a user to a service by using Facebook or Google aren’t just there for convenience. They allow those companies to further track your actions and habits, even outside of the traditional web. The issues don’t stop there. Because apps are downloaded to your smartphone rather than accessed through the web, they have much more access to your device and can send companies very sensitive data, such as a user’s location. GDPR puts a halt to this. First of all, in Article 25, GDPR forces app developers to use the best, or at least industry-standard, data security. This also means that from onboarding forward your personal data must be kept safe, and processing and using it again requires the user’s explicit permission. Beyond that, GDPR also puts the onus on app developers to show and tell exactly what data they are collecting as well as why. This prevents app developers from taking a “shotgun approach” and collecting as much data as they can while hoping that some of it will end up useful to them or have value on the data market. These changes from the GDPR again put the decision on what amounts of personal data can go where in the hands of the user.
In conclusion, our data is currently like a toll on a road. In order to meaningfully interact with the internet and the world around us, we have to pay with our data. However, it doesn’t need to be this way. Paying the toll - in the various ways a user can - should be a fair and free option, not an unfair obligation. Some companies are already catching on to this idea. There are more niche outfits like Librem 5, which is a pairing of a low-cost smartphone and OS that are almost completely open-source, community-driven, and most importantly, privacy-focused. There are also major corporations taking note. Apple’s "Sign In With Apple" feature creates placeholder email accounts that sign a user up for a service and forward them the emails they would normally get with the service, but create a level of abstraction between the data collected about the user and their actual identity. In short, GDPR, while not the be-all-end-all of privacy legislation, helps users keep their data where it belongs – with them.