Enacting Privacy in Internet Standards

Doctoral Dissertation

Nick Doty

UC Berkeley, School of Information

December 18, 2020

Abstract

The functionality of the Internet and the Web are determined in large part by the standards that allow for interoperable implementations; as a result, the privacy and security of our online interactions are greatly impacted by the work done within standard-setting organizations, like the Internet Engineering Task Force (IETF) and the World Wide Web Consortium (W3C). This is one instance of a phenomenon variously referred to as values-in-design or from another angle technological delegation: basic matters of public policy importance can be determined or regulated by software architecture, in much the way that urban architecture has. We must understand and improve these multistakeholder processes and how they enact privacy and other values to achieve the potential of the Internet.

Status of This Document

This dissertation was filed in December 2020 in partial satisfaction of the requirements for the degree of Doctor of Philosophy in Information Management & Systems from the UC Berkeley School of Information.

The full dissertation document, as filed, is available:

You can read on the Web by following the links below. Each chapter also has a standalone PDF version.

To cite this document, you can use this BibTeX file or this suggested citation:

Nick Doty. Enacting Privacy in Internet Standards. Ph.D. dissertation. Advisor: Deirdre K. Mulligan. University of California, Berkeley. 2020. https://npdoty.name/enacting-privacy/.


0 Introduction

Thanks

1 Internet Standard-setting and Multistakeholder Governance

Why is technical standard-setting important as a model of governance and design and why am I studying it to understand the Internet values of privacy and security.

2 The Ethics of Engineering

How are ethical implications considered in (software) engineering; how have approaches to ethics in engineering changed and what role do individuals, organizations and communities play in that development.

3 Privacy and Security: Values for the Internet

Why privacy and security are values of particular importance in the design of the Internet and the Web; how those values are defined and related; and, an introduction to the illustrative cases used in this work.

Encrypting the Web, a “handoff”

Whether your online communications are secured from prying eyes and tampering depends both on the architecture of the Internet and the World Wide Web and on legal and normative protections of privacy and security.

Do Not Track, a “handoff”

Do Not Track is distinctive in being a proposal for a technical mechanism to support user privacy that is expressive rather than self-enforcing and a system that relies on broad, multi-party cooperation.

4 A Mixed-Methods Study of Internet Standard-Setting

Technical standard-setting for the Internet and the Web involves distributed, mediated sites not easily constrained by geography or organizational affiliation. It can be a challenging, engrossing, atypical set of spaces at different scales and requires a distinctive methodology.

5 Findings

How standard-setting accomodates, succeeds and fails

Success and factors for success can be examined in each of several stages of a multistakeholder standard-setting process: in incentivizing; in convening, communicating and learning; in agreeing; in implementing; and, in using.

Competition and standard-setting

In the case of an anti-trust concern arising over a DNT compromise in the spring of 2013, we can get particular insight into the different roles that transparency may play in the effectiveness and legitimacy of governance processes and how policymakers contribute.

Individuals vs organizations

The Internet standard-setting process attempts to accommodate both the stakeholder-balancing and the technocratic view of process and both the representational and collaborative views of participation.

Who participates and why it matters

In order to evaluate multistakeholder processes for developing techno-policy standards, we must consider access and meaningful participation – essential criteria for both the legitimacy and the long-term success of these governance efforts.

How participants see privacy

How standard-setting participants considered privacy as part of their work, in their lives personally and for users of the Internet.

Towards integration

Key to the answers to both research questions is integration: of values into engineering, of different kinds of expertise, of technocratic and democratic process.

6 Directions

What this leaves for the future is the question, or rather, the challenge, of what practices we could use in technical standard-setting to more effectively enact privacy and security for the Internet and the Web.

References

Appendices

Appendix: Interview Guide

Appendix: Privacy-as-x


Questions, comments, corrections and links to related or responding work are all welcome. Contact me at npdoty@ischool.berkeley.edu.