Human Rights Day: Network neutrality key to preserving online privacy

Access is celebrating International Human Rights Day by bringing you a series of blog posts about our work and its intersection with the right to privacy. Privacy is a fundamental human right codified in Article 12 of the Universal Declaration of Human Rights, which was signed 65 years ago today.

Human rights are universal, interrelated, interdependent, and indivisible: we must protect each one to enjoy them all. The right to privacy ensures the protection of our rights to freedom of expression, association, and conscience, and is the foundation of democratic governance. With privacy under attack all around the world, Access is taking today to recognize its importance.


Net neutrality gets at the heart of many of the rights enshrined in the Universal Declaration of Human Rights, whose 65th anniversary we celebrate today. While freedom of expression and access to information are often mentioned in the same breath as net neutrality, net neutrality also has an important privacy component. Recently proposed legislation in the EU offers the opportunity to enshrine net neutrality into law, potentially adding important protections for user communications.

Network neutrality – the guiding principle of the open and universal internet – means that all traffic is treated on an equal basis, no matter the origin, type of content, or means used to convey traffic (e.g. equipment or protocols). Any deviation from this rule — for traffic management purposes, for example — must be targeted, proportionate, necessary, temporary, transparent, and in line with data protection standards.


Net neutrality protects privacy

On a very practical level, when a network operator intentionally violates this principle, for example, by throttling peer-to-peer traffic or giving a certain platform faster access to users, the operator must inspect all of the traffic flowing over its network to do so. Indeed, even for more noble reasons, like stopping spam and malware, internet service providers (ISPs) must surveil all traffic. This is typically accomplished through a technology known as Deep Packet Inspection (DPI), which allows operators to see the full content of internet packets, whether virus source code or the contents of an email. Similarly, DPI can be used to see which websites a user visits and when they send and receive email.

While DPI is often used by ISPs to detect and mitigate attacks on their networks, this technology can also be deployed for reasons that fall far outside the scope of securing the network. Indeed, this highly intrusive tool can be used not only to implement discriminatory practices – such as blocking or prioritisation of certain types of traffic – but also to monitor and even copy all information that travels across a network. This is not hypothetical: it happens every day in countries like China, Iran, and Russia – whose governments frequently deploy this technology to censor political speech and suppress dissenting activity online. It is also implemented in democratic countries such as Germany and the United Kingdom.

Without rules laying down what constitutes “reasonable” traffic management, it is unclear just how much ISPs (or third parties) can interfere with the privacy of our communications.

In fact, it has long been the opinion of Europe’s privacy watchdog, the European Data Protection Supervisor (EDPS), that net neutrality rules are necessary to stop internet service providers (ISPs) from infringing individuals’ data protection and privacy rights.

By inspecting communications data, ISPs may breach the privacy of communications, which is a fundamental right guaranteed by Article 12 of the Universal Declaration of Human Rights, Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR), and Articles 7 and 8 of the Charter of Fundamental Rights of the European Union. Furthermore, the information revealed through these inspection techniques can be used by other parties for other purposes, raising further privacy concerns.

Net neutrality is thus not only a guiding principle for the open and free internet, but also — in conjunction with relevant data protection laws — a framework to reinforce the protection of privacy. Access’ position paper, Net neutrality: Ending Network Discrimination in Europe, describes in greater detail the importance of this guiding principle, including the relationship between traffic management (particularly through DPI) and the right to privacy and data protection.


Net neutrality around the world

Around the world there have been few but significant legislative initiatives to codify network neutrality. In 2010, Chile was the first country to adopt legislation explicitly laying out network neutrality principles, followed by the Netherlands which, in 2011, became the first European Union Member State to guarantee that “providers of public electronic communication networks which deliver internet access services and providers of internet access services do not hinder or slow down applications and services on the internet.” The Dutch law is notable for its inclusion of limitations on the use of DPI. In 2012, Slovenia also enshrined the fundamental principle of net neutrality in law, and other countries – such as Brazil, Belgium, France, Germany and Luxembourg – are currently moving in the same direction.

Notably, the European Commission has proposed net neutrality rules in its recently announced Regulation for a single market for electronic communications. While this legislation could enshrine net neutrality in all 28 member states, as currently written, the law contains several loopholes — particularly around what is considered “reasonable” traffic management — which must be closed in order to truly ensure the preservation of net neutrality, and by extension, the enjoyment of human rights.

For more information on this legislation, see our page on network discrimination in Europe, and stay tuned to take action soon to get net neutrality enshrined in law across the EU.