What Is Internet Privacy, and Why Is It Important?

Internet privacy has become a defining topic of the internet age. Scarcely a week goes by without a new story detailing how our privacy has been undermined online — from huge data breaches to government surveillance programs.

Thanks to the internet’s ability to generate, transfer and handle near-endless amounts of data, our traditional expectations of privacy have been completely transformed. And although it can feel like our right to privacy has been completely lost, there’s still a lot up for grabs.

In recent years, there’s been legal and technological advances designed to protect our privacy online. From the EU’s General Data Protection Regulation to advancements in VPN technology, there are more tools at our disposal to protect our privacy than ever before.

However, in many countries, robust privacy protections are still lacking. And as surveillance technologies become increasingly sophisticated, the potential for misuse expands even further.

This guide will introduce you to the main components of internet privacy, the factors that put it at risk, and show you why you should care about internet privacy — even if you think you have nothing to hide.

Internet privacy, often referred to as online privacy or digital privacy, refers to the protection of personal information while using the internet. It includes the right to control what information we share, who we share it with, and how that information is used.

We all instinctively have some idea of what privacy means to us. But defining such a broad topic can still be challenging.

In his book, Why Privacy Matters, Neil Richards defines privacy as “the degree to which human information is neither known nor used.”^[1] Meanwhile, Carissa Veliz writes that “privacy is the quality of having one’s personal information […] unaccessed.”^[2]

To better understand the full scope of the term, it’s worth highlighting three separate categories of internet privacy: information privacy, communication privacy, and individual privacy.

Combined, these cover the control of personal data collection, secure digital communication, and the freedom to exist online without unwanted interruptions.

The Privacy of Data & Digital Information

Information privacy refers to the idea that individuals should be able to determine how their personal information is accessed and used. This includes, but is not limited to, informing people when their information is being collected online, explaining how long it will be stored for, and what it will be used for.

Many of these principles can be found in digital privacy legislation, like the EU’s General Data Protection Regulation (GDPR) and The California Consumer Privacy Act.

The type of information we want to keep private varies from person to person. However, there are some types of personal information that we almost all want to keep private, such as our banking information.

Everyday, we all choose to keep certain information about ourselves private from others. And that’s no different just because we’re online, though the risk of that information being obtained against our will is considerably higher.

Information privacy is an overarching principle that also covers the other two sub-categories of internet privacy.

The Privacy of Online Communications

Communication privacy is a subset of online information privacy that relates directly to our communication data, whether that’s generated when using social media platforms or messaging apps.

Communication data is some of the most sensitive information we generate. If compromised, it poses a significant risk to our privacy and could facilitate unwarranted surveillance or identify theft. In certain countries, communication data could also be used to persecute people based on their political views, sexuality or relationships.

For that reason, there have been several technological developments aimed at protecting our communication data. End-to-end encryption, for example, is now common among many messaging apps.

End-to-end encryption (E2EE) scrambles your message and only the person you’re messaging has the ability to decipher it, ensuring that nobody else – including the app provider – can read your conversation.

However, messaging apps are still at risk from suffering data breaches. For example in 2023, the video chat app, Tigo, leaked 100 million user chats.^[3]

The Individual Right to Privacy

Individual privacy means that people should have the autonomy to freely navigate the internet. They should be able to decide what they access without being unduly obstructed, observed or interrupted.

In extreme cases, this could relate to being bombarded with spam or ransomware viruses that prevent you from accessing your files. Additionally, targeted advertising, which relies on acquiring as much information as possible about you, could also be considered to interfere with this right.

Finally, the right to be forgotten is also an example of an individual’s right to privacy. It’s enshrined in the GDPR and means people can request that their information is removed by companies online.

Since the internet’s inception, there have been concerns about its potential impact on our privacy. However in the early years of the internet age, security was a more pressing issue.

In the 1990s, the EU and US both passed legislation aimed at protecting privacy online for the first time with the EU Data Protection Directive and COPPA Children’s Online Privacy.

The proliferation of social media platforms in the 2000s, coupled with widespread adoption of browser cookies and rise of digital commerce further amplified concerns.

A number of scandals in the 2010s, particularly from Edward Snowden, sparked outrage at the way our digital activity was secretly being monitored by governments.

Since then, smartphones and cloud computing have introduced even more significant privacy challenges, with location tracking, app-based data collection, and the storage of personal data on remote servers raising serious questions about surveillance and data security.

A Short History of Internet Privacy Scandals

Yahoo Data Breach (2013)

The Yahoo data breach in 2013 was one of the largest in history. It compromised all 3 billion user accounts and led to theft of personal information on a massive scale. It was later attributed to a state-sponsored actor.

The disclosure led to significant repercussions for Yahoo, including a $350 million reduction in its sale price to Verizon.

Edward Snowden Revelations (2013)

In 2013, a former NSA contractor, Edward Snowden, leaked classified documents that revealed extensive global surveillance programs conducted by the NSA and its international partners. It included the mass collection and monitoring of our phone and internet communications around the world.

Snowden’s revelations sparked a global debate about privacy, surveillance, and the balance between national security and individual rights. Since then, however, many of the calls for policy reforms and greater transparency have gone unanswered.

Equifax Data Breach (2017)

Equifax, one of the largest credit reporting agencies, experienced a data breach affecting 147 million consumers in 2017. The breach exposed sensitive information including Social Security numbers, birth dates, and addresses.

The breach was due to exploited software vulnerabilities and led to widespread criticism of Equifax’s cybersecurity practices and demands for stricter data protection regulations.

Cambridge Analytica Scandal (2018)

In 2018, it was revealed that Cambridge Analytica, a political consulting firm, had improperly accessed the personal data of millions of Facebook users without their consent, using it to influence voter behavior in the 2016 U.S. presidential election and other electoral processes.

The scandal raised serious concerns about data privacy on social media, leading to global scrutiny of Facebook’s data sharing practices and sparking debates on the ethics of data mining and political manipulation.

Alibaba Data Breach (2022)

In 2022, Alibaba experienced a significant data breach where a hacker claimed to have obtained data on 1 billion Chinese citizens from a Shanghai police database hosted on Alibaba’s cloud platform, involving 23 terabytes of personal information, including names, addresses, national IDs, and phone numbers.

The breach, attributed to a configuration error on the part of a client, underscored the vulnerabilities in data storage and security practices, highlighting the critical need for robust cybersecurity measures in cloud services.

23andMe Data Breach (2023)

In 2023, the genetic testing and analysis company 23andMe reported a data breach affecting 2.1 million customers, where an unauthorized third party accessed sensitive personal information including genetic data, though financial information remained uncompromised.

The incident raised significant concerns about the security of highly sensitive genetic information and the potential implications for privacy and personal security.

Every time we use a device connected to the internet, there’s a chance our data will be harvested and our privacy will be undermined.

That said, there are certain technologies and trends that have consistently been shown to threaten our right to internet privacy more than others.

Online Tracking & Targeting

Monitoring of our online activity has become so ubiquitous that many of us rarely even notice it.

Cookies, browser fingerprinting, locating tracking, IP-logging and many other strategies can be used to monitor which websites we access, when we access them, and what we do on them.

These tools build up an extensive profile about our interests, our personality and relationships. This information can then be sold on to advertisers for profit via the unregulated world of data brokers.

Your internet service provider, browser, social media platforms and apps are all likely to be collecting and analyzing information about you every day.

While legislation has been implemented in a number of countries that forces companies to tell you when you’re being tracked online, a lot of this still goes unnoticed.

Government Surveillance

Companies are far from the only actors involved in monitoring us online. Governments also have vast surveillance networks that are capable of documenting almost everything we do online.

Governments can access our browsing history from ISPs, social media companies regularly provide account information to governments, and law enforcement can download data directly from your devices via digital forensics.

An increasing number of governments now also have the capability of deploying targeted spyware technology which can covertly take complete control of a target’s device.

Meanwhile, many of the bulk data acquisition programs that Snowden first revealed are likely to continue, although they remain shrouded in secrecy.

Data Breaches & CyberCrime

Data breaches and cybercrime can expose our personal information and leave it vulnerable to exploitation. They can lead to financial harm, fraud and reputational damage.

While internet security standards have improved in recent years, data breaches are still common.

You can easily check whether your email address and/or password has been implicated in a data breach by checking online databases like haveibeenpwned.com

Not only are data breaches costly to individuals, they also negatively impact businesses. According to a report by ExpressVPN, cyber attacks cost the global economy $8 trillion in 2023, with that figure expected to rise to $10.5 trillion in 2025.

IoT & Smart Devices

The rapid proliferation of smart devices and the Internet of Things (IoT) is creating new ways to monitor us.

Smart home devices like thermostats and doorbell cameras collect data on our daily routines and even movements within our homes, potentially revealing sensitive information about our habits and preferences.

Voice assistants in our homes and cars can record our interactions, potentially capturing sensitive information like personal details, financial information, or even private conversations. As more devices become connected to the internet, so do the risks that this new data will be misused.

Our right to internet privacy faces an uncertain future. While many emerging technologies may pose significant threats to our privacy, they also have the potential to increase our control over our data in new ways.

Artificial intelligence

The rise of artificial intelligence (AI) and large language models, like ChatGPT, pose a significant risk to our internet privacy.

Firstly, they are trained on huge amounts of data, some of which is almost certainly personally identifiable information (PII). This massive data collection regularly occurs without informing the potential impacted and may be held forever.

Secondly, people often provide personal information to the program expecting that it will be held securely and privately. However, this is far from the truth.

As Google’s Gemini makes clear: “Your conversations are processed by human reviewers to improve the technologies […] Don’t enter anything you wouldn’t want reviewed or used.”^[5]

Storing this much data also inevitably generates data security risks and provides yet another opportunity for our data to be accessed by cyber criminals.

Finally, AI capabilities are increasingly being integrated with other internet surveillance technologies, such as Deep Packet Inspection (DPI). This middleware technology is used by ISPs and can inspect internet packets to determine what people are accessing online.

However, AI could also be used in ways that bolster our internet privacy via the likes of automatic phishing filters, federated learning and homomorphic encryption. Each of these could increase the security of our data and enhance our internet privacy.

Biometrics

Biometrics are set to become a hotly debated area of internet privacy. On the one hand, biometric verification can improve security by improving multi-factor authentication processes and creating data that is harder to falsify.

On the other hand, this highly sensitive data is also at risk of data breaches. Securely holding our biometric data is vital to prevent the data from being misused. If misused, the risk of identity fraud is severe.

As a statement from the UK’s Information Commissioner’s Office makes clear: “Biometric data is wholly unique to a person so the risks of harm in the event of inaccuracies or a security breach are much greater – you can’t reset someone’s face or fingerprint like you can reset a password.”^[6]

There are also risks of acquiring biometric data as it can be used for discriminatory purposes and profiling, as seen in Xinjiang in China.

Quantum Computing

Although not yet fully developed, there is a risk quantum computing could break encryption methods, such as AES 256-bit encryption, in the future.

This could potentially undermine our security and privacy online on an unprecedented scale, impacting our financial information, personal messages and medical data.

However, privacy professionals have been working to subdue the threat.

In 2024, Apple announced a new “post-quantum cryptographic protocol” for iMessage,^{[7] while Signal announced support for the Post-Quantum Extended Diffie-Hellman (PQXDH) protocol.[8]}

Although quantum computing attacks remain a distant threat, “Harvest Now, Decrypt Later” (HNDL) attacks make them useful even now.

HNDL attacks involve someone accessing encrypted data now with the hope of being able to decrypt it in the future using quantum computers, potentially compromising sensitive information years after it was first accessed.

To combat the multitude of threats facing our internet privacy, various regulations have been introduced around the world. These laws aim to provide people with more control over their data, limit how companies can use your information, and set standards that ensure improved data security practices.

Although these regulations and laws aren’t perfect, they’ve undoubtedly improved our ability to hold companies accountable and lodge complaints when our internet privacy is wrongfully violated.

The following section will cover some of the most important global internet privacy laws and regulations.

The United Nations

In 2019, the UN adopted a resolution that reaffirmed the right to privacy in the digital age and urged governments to ensure its protection.

It described privacy as “one of the foundations of a democratic society” and noted how the rapid pace of technological development […] enhances the capacity of Governments, business enterprises and individuals to undertake surveillance, interception, hacking and data collection, which may violate or abuse human rights.”^[9]

Additionally, the UN established the Special Rapporteur on the right to privacy to monitor and report on related issues, promoting dialogue and accountability among member states. To date, the Special Rapporteur has published reports on the use of spyware, artificial intelligence, and the processing of personal data.^[10]

While the UN doesn’t have direct regulatory power, it plays a crucial role in setting international standards and encouraging member states to adopt frameworks that safeguard online privacy.

The General Data Protection Regulation

The General Data Protection Regulation (GDPR) was implemented in 2018 by the European Union. It remains a landmark regulation that has significantly strengthened individuals’ control over their personal data.

It grants individuals various rights, including accessing, rectifying, erasing, and restricting the processing of their data.

Meanwhile, companies subject to the regulation, whether operating within the EU or handling data of EU residents, must now:

• Obtain a lawful basis for collecting personal data: This ensures responsible data collection practices.
• Be transparent: Companies must clearly inform individuals about the data they collect, how it will be used, and who has access to it. This fosters trust and allows informed consent.
• Implement robust data breach notification procedures: This ensures timely communication with individuals in case of security incidents, minimizing potential harm.

This regulation has been crucial for internet privacy as it empowers individuals and sets a high bar for data privacy practices, impacting not just the EU but also organizations worldwide that handle EU resident data.

The California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) of 2018 aims to enhance online privacy rights for California residents. It incorporates many of the same principles as The GDPR and includes

• Right to know: Individuals can request information about what personal data is being collected about them, its source, and how it’s used.
• Right to deletion: Individuals can request their personal data to be erased, with some exceptions.
• Right to opt-out of sale: Individuals can prevent their personal data from being sold to third parties.

Although there is no federal internet privacy regulation in the US, CCPA remains significant as the first comprehensive data privacy law in the US, setting a precedent for other states to follow.

However, many US States still don’t have specific privacy legislation yet.

Source: IAPP US State Privacy Legislation Tracker.

This guide has introduced some of the core concepts of internet privacy, its importance and its threats. While the constant erosion of privacy can feel often overwhelming, the fight for a secure and private internet is far from over.

Despite the numerous threats we face, there is a growing global movement advocating for stronger privacy regulations, privacy preserving technology development, and empowering individuals with tools and knowledge to protect their data.

The future of our online privacy may remain uncertain, but by embracing innovation responsibly, demanding transparency from corporations and governments, and taking an active role in safeguarding our information, we can all contribute to building a more balanced and secure digital future.

^{[1] Neil Richards, Why Privacy Matters (OUP: USA, 2022) https://www.law.ox.ac.uk/content/event/why-privacy-matters ↩}

^{[2] Carissa Veliz, Privacy is Power (Penguin: London, 2020) https://www.penguin.co.uk/books/442343/privacy-is-power-by-carissa-veliz/9780552177719 ↩}

^{[3] https://www.bitdefender.co.uk/blog/hotforsecurity/video-chat-app-leaks-100-million-user-messages/ ↩}

^{[4] https://www.bbc.co.uk/news/technology-65686989 ↩}

^{[5] https://gemini.google.com/app ↩}

^{[6] https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2024/02/ico-orders-serco-leisure-to-stop-using-facial-recognition-technology/ ↩}

^{[7] https://www.securityweek.com/apple-adds-post-quantum-encryption-to-imessage/ ↩}

^{[8] https://signal.org/docs/specifications/pqxdh/ ↩}

^{[9] https://digitallibrary.un.org/record/3837297?ln=en ↩}

^{[10] https://www.ohchr.org/en/special-procedures/sr-privacy ↩}