Introduction
Privacy is a core element of democracies and a key issue in Information and Communication Technology for Development (ICT4D), as it relates closely to concepts of social development and governance (Heeks 2017). Due to extensive digitalization and datafication, privacy rights are often hampered in regions with more extensive privacy regulations, such as the European Union (EU). While there are a variety of privacy enhancing technologies (PETs), Virtual Private Networks (VPNs) have become popular, especially since the Covid-19 Pandemic, with VPN connections in the EU reaching 24% in 2020 and rising (Top10VPN 2020). An observer may wonder whether VPNs hinder or encourage data justice within the EU.
This paper will first examine the theoretical perspectives of development in a digital world, data justice and data activism. It will then provide some background on privacy rights in the EU followed by a description of VPN technology, its uses and the EU stance and reaction. It will conclude with a discussion about how VPN technology can be a tool for development in a digital world considering its application to data justice and data activism.
Development in a Digital World
An aspect of ICT4D may be more specifically referred to as Development in a Digital World. Due to the increased prevalence of information technology in people’s lives, such as websites, apps, smartphones, and digitals services, people’s social interactions, economic activity, and other personal information are datafied, with “profound consequences for international development” (Roberts 2019). Often this process is hidden and unclear to the general public, yet is carried out by a variety of both public and private institutions, making its avoidance difficult. Increased datafication has led to a surge in surveillance and invasions of privacy, as demonstrated by the behaviors of big-tech, data brokers and government agencies (Roberts 2019). Therefore, there is a warranted discussion about why and how individuals may avoid this process and what tools they can use to accomplish such.
Data Justice
The concept of data justice is necessary to navigate the ethical framework of the digital world (Taylor 2017). It can be split into three main categories, each of which has its own subdivisions. First, visibility deals with privacy and representation, expressing issues of data as a public good, privacy of marginalized groups, and collective profiling. Second, engagement with technology deals with the ability to share the benefits of technology and datafication, and the ability to independently decide for autonomous use of technologies, thus dealing with issues of ICT4D where groups struggle with state or corporate authorities who impede development of the subaltern while recognizing that such technologies also offer a path towards improvement of power imbalance. Third, non-discrimination deals with the ability to challenge bias and to avoid discrimination, which relates to the ability to recognize and contest various forms of data bias and discrimination due to the complex, purposeful, and accidental systems in place (Taylor 2017).
Data Activism
Data activism can be defined along two axes, Stake-Repertoire and Individual-Collective (Beraldo and Milan 2019). The former is that of the relationship of activism to data. Therefore, data activism may be identified as either a sociological and political struggle over data itself (Stake) or as the practice of activism through datafication (Repertoire). One may consider a hypothetical protest over data protection, which seeks to secure additional privacy securities for individual users, which would be considered a struggle over data rights. On the other hand, collecting and exposing information to demonstrate government abuses or wrongdoings would be using data for activism. The latter is whether such activism occurs on an individual or group level. Deleting an account on a website can be interpreted as a solitary act of protest (Individual), while it may also be part of a larger activist movement (Collective). The lines are often blurred, meaning that acts often share multiple characteristics (Beraldo and Milan 2019).
Privacy in the EU
Privacy is part of the European Convention on Human Rights which in Article 8 declares the “Right to respect for private and family life” (Council of Europe 1950, p. 11). The General Data Protection Regulation (GDPR) is a European law which protects citizens’ online data privacy. It covers EU companies, as well as non-EU companies which may be used or viewed within the EU. It regulates how and what data is collected, its use or processing, the right to its access by its user or deletion per their request, amongst others (Regulation EU 2016/679).
Privacy as a right is valuable to society and individuals for a variety of reasons which support development for society and governance. Privacy limits power from governments and corporations. It offers freedom of expression, belief, and idea consumption. When observed, behaviors change eliminating the ability to act freely. Expressing unpopular ideas, protest, or any form of socially discordant activity are stunted. Faith, culture, and other personal attributes are oppressed. Privacy is required to freely engage in political and social activities. The right to free association is limited by one’s lack of privacy. Privacy is also a respect for personhood, guaranteeing self-determination over personal information and guarantees over one’s life in terms of physical and mental autonomy. Privacy protects trust, intimacy and sexuality, and their abuse hinders mental health, bodily function, gender self-determination, and relationships. Fourth, privacy is a barrier between public and private spheres (Solove 2021). Finally, privacy has a very real monetary value, as expressed through the multibillion-dollar industry which has grown around the harvesting and processing of personal data. One must consider the lack of monetary compensation when private data is collected (Van Lieshout 2015).
Virtual Private Networks
“A VPN is [a] private network constructed within a public network infrastructure, such as the global Internet.” (Ferguson and Huston 1998, p. 3). While using a VPN to connect to the internet the signal is first wrapped in an extra layer of code which hides its presence from your Internet Service Provider (ISP). This signal is then sent to a third server owned by the VPN provider, which receives the signal and strips the extra layer of code. It is then sent to its destination (Ferguson and Huston 1998). A VPN connection offers additional security for the information communicated through it, without which it could be monitored. Today, most VPN providers function as private companies which offer this service as a subscription.
The reasons for using a VPN are diverse. Following is a brief discussion on common uses and purposes for VPN, including individual, corporate, and security privacy, and geoblocking.
First, individual Internet users choosing to protect their data and anonymity online can be considered an integral feature to a healthy democracy. Moreover, concerns over governments and corporations infringing on individual rights, and abusing data in order to persecute or disenfranchise groups of people, may justify the use of technologies which increase online data privacy. For example, it is estimated that nearly 50% of websites do not respect the EU directive on profiling cookies (Trevisan et al. 2019) and websites continue to obfuscate user interfaces, such as opting out of data processing selection which are purposefully confusing or difficult to find (Kretschmer et al. 2021). Moreover, the widespread use of commercial trackers on most government websites and applications often violate GDPR, some of which are considered malicious and invasive, while also being susceptible to data leaks (Samarasinghe et al. 2022). Therefore, it is not surprising that individual VPN users reported that the primary reasons for using a VPN included security and privacy (Top10VPN 2020).
Second is the issue of corporate privacy, which is invaluable to businesses with virtual offices in various locations (Ferguson and Huston 1998). It is estimated that more than 40% of enterprises in the EU use VPN (Brodny and Tutak 2022). Third, security includes the work of military and law enforcement which may be conducting espionage, surveillance, or intelligence gathering. As such, anonymity and data protection are paramount for the security of officers and their data (Makin and Ireland 2019).
Finally, geoblocking is a tool used to block website access from a specific geographic location. It can be used for a variety of purposes, such as commercial security, legal limitations, or censorship, which a VPN can circumvent. First, in terms of commercial geoblocking, companies may block access to websites to secure intellectual property rights according to geographic location. Therefore, if something is available on a platform or service in one country, it may not necessarily also be available elsewhere on the same platform. By using a VPN, users can simply switch their location on their device and circumvent geoblocking features (Roy and Marsoof 2017). Second, data laws may require that certain information be geoblocked. Through the EU’s right to be forgotten, companies which are asked to delete user’s data must do so. However, should this data be kept outside an EU server, the request to delete this data does not extend to such. Therefore, once certain information has been deleted, it will not appear in a query taking place inside the EU; using a VPN would easily bypass the geoblock, displaying the information (Sarkhel 2021). Third, geoblocking is extensively used to censor information. Authoritarian countries, such as China, Russia, and Iran, frequently employ this strategy to block information from their citizens. However, VPNs are commonly used by citizens seeking to bypass such censorship (Farnan et al. 2019). While the EU may not have any internet censorship in its strictest sense, it is argued that search engines and algorithms are constructed to show specific results, creating a censored environment, which often favors racism and stereotypical imagery (Ieracitano et al. 2023), and which only VPNs can break through, allowing users to view the internet from their neighbouring countries’ perspectives.
EU position
Legal cases sought against VPNs (Riekkinen 2021) have reached the European Court of Justice. Some of the issues deliberated include a variance in laws and interpretations thereof, especially between legal systems. Careful study must be made concerning definitions of public versus private data which could determine to what extent service providers may record user information. Further, it is unclear whether a VPN provider can be considered a telecommunications provider, in which case they should be liable for similar legislation and rulings. Moreover, using VPNs to circumvent geoblocked websites is often in direct conflict with rights holders and their parent companies, who wish to protect their intellectual property from being inappropriately accessed. However, due to the overwhelmingly positive and legal uses for VPNs, a European court is highly unlikely to implement a complete ban against VPNs or advertisements for their services (Roy and Marsoof 2017).
However, there are cases in which police action was directly taken against VPN providers due to their allowance of criminal activity through their servers, such as the DoubleVPN take-down in 2021 (European Union Agency for Criminal Justice Cooperation 2021). In such cases, it is observed that authorities have insight of cyber crime despite PETs. It is also evident that international law enforcement which was involved in the case have clear cut guidelines and authority to arrest and confiscate VPN servers should they engage in criminal activity. While using anonymizing services to carry out cyber crime must not be encouraged, this leads one to consider to what extent these services offer any anonymity at all. After all, it has been demonstrated that VPNs do not in fact provide perfect protection and privacy by leaving users open to vulnerabilities to their security and privacy, including data interception by the VPN providers themselves(Ikram et al. 2016).
It is argued that pursuing legal action against VPNs can undermine future criminal investigations by forcing criminals to seek grey-area services which are harder to track and are more dangerous for citizen rights, impede legitimate business interests, and infringe on the rights, safety, and security of VPN users who do not break the law (Riekkinen 2021).
Conclusion
VPNs can be considered within the framework of data justice through the two pillars of its ethical framework. As such, it deals with (in)visibility in its ability to create anonymity for users, encouraging individual freedom of representation and acting as a public good. As a form of engagement with technology, individuals may decide to use VPN technology to avoid discrimination from authorities or contest algorithmic discrimination and censorship. The use of VPNs falls within the purview of data activism for stake as the act of hiding one’s identity online from corporations and governments is interpreted as a form of protest highlighting privacy rights. It is also a solitary act, as users subscribe to this service individually, for their own reasons; however due to the nature of the technology, which is organized through centralized networks run by a company, it may also be considered a collective act. In its collectivity, one must also consider the EU administration which allows for its continued existence, albeit to a degree, despite the known abuses by streamers. The EU’s difficulties in reconciling public safety, corporate profits, and privacy rights, is a development issue in governance, which will continue to evolve as VPN technology becomes more popular. However, seeing its significance in providing anonymity and privacy online, and considering their importance to the EU’s legal framework, the use of VPNs should be considered a substantial tool to development in a digital world.
Personal Reflection
Upon beginning this blogging exercise, I imagined the most difficult aspect would be the technical learning curve: getting involved in building a website and all the tools this involves.
There were technical difficulties, but most were solved with tutorials and instructional videos. The difficulty not solved was the paywall. On the surface, many wordpress features look accessible and user friendly. However, much of what makes a good website look truly professional and a pleasure to use, requires some sort of subscription, at least on wordpress. Perhaps if I had real technical knowledge, or some code writing experience, I would be able to create and make adjustments with more ease.
Another challenge in the project was the group work. Generally, groups have two options, either to delegate jobs or share the workload. Delegation means that certain people will invariably do more than others or perhaps be stuck in undesirable positions. Sharing means that everyone needs to learn the same information individually which consumes a significant amount of collective time. It is a difficult choice for teams everywhere, one I will more carefully consider and discuss with future professional teams.
On an academic note, the research I was able to conduct during this exercise was invaluable to my position as an advisor to a local NGO which is devoted to professional education. I am now able to better understand issues of data (ab)use by corporations and government agencies. Thus, in my role I can more comprehensively advise for data protection policies, while also providing the reasons, ethical and legal, for its significance.
Overall, I feel the entire exercise has provided me with excellent technological and academic tools for my future endeavours.
Literature:
Beraldo, D., & Milan, S. (2019). From data politics to the contentious politics of data. Big Data & Society, 6(2), 2053951719885967.
Brodny, J., & Tutak, M. (2022). Analyzing the Level of Digitalization among the Enterprises of the European Union Member States and Their Impact on Economic Growth. Journal of Open Innovation: Technology, Market, and Complexity, 8(2), 70–99. https://doi.org/10.3390/joitmc8020070.
Council of Europe (1950). Convention for the Protection of Human Rights and Fundamental Freedoms. Treaty Series 005 https://www.echr.coe.int/documents/d/echr/Convention_ENG [19/10/2023].
European Union Agency for Criminal Justice Cooperation. (2021). Coordinated action cuts off access to VPN service used by ransomware groups. https://www.eurojust.europa.eu/news/coordinated-action-cuts-access-vpn-service-used-ransomware-groups [19/10/2023].
Farnan, O., Wright, J., & Darer, A. (2019). Analysing Censorship Circumvention with VPNs Via DNS Cache Snooping. 2019 IEEE Security and Privacy Workshops (SPW), 205–211. https://doi.org/10.1109/SPW.2019.00046.
Ferguson, P., & Huston, G. (1998). What is a VPN?.
Heeks, R. (2017). Information and Communication Technology for Development (ICT4D) (1st ed.). Routledge. https://doi.org/10.4324/9781315652603.
Ieracitano, F., Vigneri, F., & Comunello, F. (2023). ‘I’m not bad, I’m just… drawn that way’: media and algorithmic systems logics in the Italian Google Images construction of (cr) immigrants’ communities. Information, Communication & Society, 1-20.
Ikram, M., Vallina-Rodriguez, N., Seneviratne, S., Kaafar, M. A., & Paxson, V. (2016). An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps. Proceedings of the 2016 Internet Measurement Conference, 349–364. https://doi.org/10.1145/2987443.2987471.
Kretschmer, M., Pennekamp, J., & Wehrle, K. (2021). Cookie Banners and Privacy Policies: Measuring the Impact of the GDPR on the Web. ACM Transactions on the Web, 15(4), 1–42. https://doi.org/10.1145/3466722.
Makin, D. A., & Ireland, L. (2019). The secret life of PETs: A cross-sectional analysis of interest in privacy enhancing technologies. Policing: An International Journal, 43(1), 121–136. https://doi.org/10.1108/PIJPSM-07-2019-0124.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, OJ L 119 (2016).
Riekkinen, J. (2021). VPN Services Between a Rock And a Hard Place: The Freedome Case. 24th International Legal Informatics Symposium IRIS, 349–358. https://research.ulapland.fi/en/publications/vpn-services-between-a-rock-and-a-hard-place-the-freedome-case [19/10/2023].
Roberts, T. (2019). Digital Development: What’s in a name? http://www.appropriatingtechnology.org/?q=node/302 [19/10/2023].
Roy, A., & Marsoof, A. (2017). Geo-blocking, VPNs and injunctions. European Intellectual Property Review, 39(11), 672–680.
Samarasinghe, N., Adhikari, A., Mannan, M., & Youssef, A. (2022). Et tu, Brute? Privacy Analysis of Government Websites and Mobile Apps. Proceedings of the ACM Web Conference 2022, 564–575. https://doi.org/10.1145/3485447.3512223.
Sarkhel, J. (2021). Protection Of Privacy In A Digital World – Analysing The Right To Be Forgotten In The Context Of The EU. Journal of Law and Legal Studies, 1(1), 1–13. https://doi.org/10.17613/8p0v-6h84.
Solove, D. J. (2021). The Myth of the Privacy Paradox. The George Washington Law Review, 89(1), 1–51. https://doi.org/10.2139/ssrn.3536265.
Taylor, L. (2017). What is data justice? The case for connecting digital rights and freedoms globally. Big Data & Society, 4(2), 2053951717736335.
Top10VPN. (2020). Global VPN Usage Report 2020. https://www.top10vpn.com/assets/2020/03/Top10VPN-GWI-Global-VPN-Usage-Report-2020.pdf [19/10/2023].
Trevisan, M., Traverso, S., Bassi, E., & Mellia, M. (2019). 4 Years of EU Cookie Law: Results and Lessons Learned. Proceedings on Privacy Enhancing Technologies, 2019(2), 126–145. https://doi.org/10.2478/popets-2019-0023.
Van Lieshout, M. (2015). The Value of Personal Data. In J. Camenisch, S. Fischer-Hübner, & M. Hansen (Eds.), Privacy and Identity Management for the Future Internet in the Age of Globalisation (pp. 26–38). Springer International Publishing. https://doi.org/10.1007/978-3-319-18621-4_3.
