Nick Doty

UC Berkeley, School of Information

December 12, 2020

Also available as: pdf

Status of This Document

This is the introductory chapter of a published dissertation: Enacting Privacy in Internet Standards.

0 Introduction

What are technical standards and why look so closely at them? In Chapter 1: Internet Standard-Setting and Multistakeholder Governance, I provide background on the consensus standard-setting model and how standards are developed for the Internet and the Web. I then consider how Internet governance and multistakeholder standard-setting models compare to calls for new and collaborative governance approaches and set out the first high-level research question for this project: what are the impacts of multistakeholder techno-policy standards-setting processes on resolving public policy disputes for the Internet?

In Chapter 2: The Ethics of Engineering, I build a philosophical argument for engineering as an inherently ethically-laden practice and trace the competing impulses for separating out and more deeply integrating ethical considerations into technical design. Given the ethical importance of engineers and engineering, I introduce the second research question for this project: how do the designers of the Internet’s underlying protocols view privacy and how do their views ultimately affect the privacy of Internet and Web users?

Why look at privacy? In Chapter 3: Privacy and Security: Values for the Internet, I explain why privacy and the related but distinct property of security are and have been values of particular importance and ongoing contestation in the design of the Internet and the Web. To illustrate, I describe two cases where there has been a handoff of responsibility for some conception of privacy between technical, legal, organizational and individual actors. First, the movement to encrypt the Web, deploying security technology to maintain user privacy from network surveillance and intrusion; and second, Do Not Track, an effort to develop a cooperative mechanism to enable user choices about privacy from online behavioral tracking.

Having set out the theoretical lens, the key questions and the focus of my research, Chapter 4: A Mixed-Methods Study of Internet Standard-Setting describes the mix of methods I used to study the distributed, mediated, networked setting that is Internet standard-setting. Different methods can be most useful at different scales. This project involves interviews with standard-setting participants, with sampling across a distinctive set of dimensions, to elicit their individual and personal perceptions and feelings, as well as expertise, about privacy and about the working process of standardization. And at a macro scale, I use quantitative analysis of mailing list archives to measure the demographics of, and social connections between, participants. I have focused my empirical inquiry on Do Not Track and the related standardization process where I was most deeply involved.

Chapter 5: Findings lays out my findings from qualitative interviews and quantitative social network analysis that speak to those two research questions: how multistakeholder techno-policy standard-setting process affects public policy values and how participants’ views of privacy affect the privacy of Internet users.

For my first research question, I explore themes related to the process itself, the stakeholders involved, the roles of individuals and organizations and the patterns of participation. I review the standard-setting process itself at multiple stages and how the process either fails or succeeds at accommodating what participants saw as a mix of good faith and bad faith behavior and a range of diverse perspectives and backgrounds. Regarding a particular debate over anti-trust, I show the different purposes that transparency has in standard-setting processes and in governance generally that influence decision-making in the moment and how it’s understood and interpreted later. Transparency also influences the role of policymakers who participate in multistakeholder process, making it difficult to effectively apply a soft touch when discussions happen in private. I describe the tradition of individual participation in Internet standard-setting and the complicated interactions that arise from competing views of the individual’s role as an expert in a largely technocratic collaborative process or as a representative of a stakeholder group in a political process of balancing policy views. Because representation often affects how we see legitimacy, I provide some demographic metrics on who is participating, including initial results on gender disproportion, and detail the differing views of how many sides are involved, which may influence entrenchment and how to identify opportunities for cooperation. And in considering what makes standard-setting succeed, I document the importance of formal and informal leadership and the dense community structure of overlapping groups of repeat participants.

For my second research question, I look in detail at what participants in technical standard-setting processes related to privacy think about privacy itself: what their conceptions of privacy are and what privacy concerns they identify for themselves and in their work. Conceptions of privacy vary widely, from confidentiality to autonomy to freedom from intrusion, but most importantly participants explicitly anticipate and respond to the variety of views and priorities they expect from users. Interviewees identify some kinds of data as especially sensitive because of the potential for chilling effects, inferences about intimate areas of life or the risk of very direct intrusions. I also describe how they understand and are motivated by the privacy interests of others, from their own children to Internet users at large.

What this leaves for the future is the question, or rather, the challenge, of what practices we could use in technical standard-setting to more effectively enact privacy for the Internet and the Web. Having now characterized the process and the participants; having described the contestations over the concept of privacy and the purpose of standard-setting processes; and having identified some of the difficulties in using multistakeholder process to resolve these debates, in Chapter 6: Directions, I describe a triad of areas for intervention: people, processes and tools. Looking forward, we can recognize and analyze potential handoffs of responsibility between people, laws and technology and develop novel collaborative solutions to enact privacy, security and other human values.