This is the abstract of a published dissertation: Enacting Privacy in Internet Standards.
The functionality of the Internet and the Web are determined in large part by the design of technical standards that allow for interoperable implementations. Those design decisions are important both in terms of functionality and in maintaining basic public policy values including accessibility, freedom of expression, privacy and security. This is one instance of a phenomenon variously referred to as values-in-design or from another angle technological delegation: fundamental matters of public policy importance can be determined or regulated by software architecture, in much the way that urban architecture has.
Technical standard-setting bodies, like the Internet Engineering Task Force (IETF) and the World Wide Web Consortium (W3C), are multistakeholder organizations that host groups that define Internet standards. In contrast to multilateral bodies (like the United Nations) or state bureaucracies or firms, participants are drawn from competing companies across different industry sectors, as well as governments and civil society groups, and make decisions based on rough consensus and working implementations. This represents a distinct form of new governance where collaborative development of technical and policy solutions can be enacted outside traditional legislative or administrative bodies.
Standard-setting participants are most often engineers; their discussions are technical and wide-ranging, distributed between in-person meetings, email lists, online chat and version-controlled text and software. Web standards include HTML, the foundational markup language that defines Web pages, and Do Not Track, a syntax and system for communicating user privacy preferences about online behavioral tracking. Some standards, like HTML, have been widely adopted and support some of the world’s most used software, while others, like DNT, have seen limited adoption and little direct effect.
This work seeks to understand how privacy and other values get enacted in the technical standards and running software that make up the Internet we use. At the highest level, it considers these two related research questions:
To start to answer these questions, I have explored the community of standard-setting participants and their beliefs about privacy and security in their lives and work. And I have investigated the unusual consensus decision-making process used in technical standard-setting and perspectives, from newcomers and long-time participants, on its fairness and efficacy and how it applies to values such as privacy.
Private interviews with participants working on Do Not Track and other standards provided candid and diverse perspectives on the concept of privacy, multistakeholder processes and the role of technical standards for interoperability and for public policy. And the extensive documentation and technologically-mediated communication methods of these Internet standard-setting venues enabled some supplementary quantitative analysis of the patterns of participation.
Multistakeholder standard-setting processes bring together diverse participants from a wide variety of organizations with a wide variety of backgrounds and goals. Individuals navigate a tricky balance of being both experts collaborating and representatives negotiating. While this novel cross-boundary process provides real opportunity, it also provides real difficulties of bad faith behavior, entrenchment and conflict. And while access and transparency of processes may improve upon some alternatives, technical standard-setting continues to be Western-oriented, male-dominated and intensely time-consuming.
Participants hold competing views of privacy and recognize that the priorities and concerns of Internet users may vary widely. While privileged community members may not have as much to risk when it comes to their own online privacy, the distinct wants and needs of their own children provide a compelling touchstone. Sometimes the work of privacy has been reduced to compliance with laws or best practices, but it remains an area where professionals actively pursue debate and development of policy.
The social, legal and technical architecture of the Internet and the Web determine so much about the lives of people around the world and deserve the attention of research on their impacts. Using consensus-based multistakeholder processes focused on interoperability for the Internet presents real, new opportunities to enact privacy by intentionally taking advantage of handoffs between social, technical and organizational factors. At the same time, this work highlights some of the challenges to convening for, equitably designing, agreeing on and implementing these techno-policy standards. Training people in intersecting disciplines, developing systematic processes and building technical and decisional tools can all contribute to better support for privacy, security and the other fundamental but still contested values we want to see in the Internet.