Avastians embed fundamental privacy values into their work by developing a “privacy rule of THUMB”
There are a number of important principles and values to keep in mind when discussing privacy and data protection. One of the clearest statements of privacy principles can be found in Article 5 of the EU’s General Data Protection Regulation (GDPR), namely: Lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. These are fundamental to the European approach to privacy and data protection.
In fact, whenever I need to give someone a ‘crash course’ in the GDPR, and they’re really short on time, I tell them that if they align their processing with those principles, in most cases, they’ll be on the right side of GDPR compliance. That’s because these fundamental principles permeate the rest of the GDPR and form the basis for the various rights and obligations found within.
These principles and others (such as proportionality and “data-protection-by-design-and-by-default”) play a big part in how any company should treat personal data. Without going into a detailed discussion on each of these principles, but keeping them in mind, I’d like to briefly discuss just three important values and how they apply to Avast’s approach to privacy.
Avast looks at privacy from a European perspective: It’s a fundamental human right. Online interactions which involve people’s personal data aren’t just economic transactions, but instead are inextricably linked to digital identity or personality.
Informationelle Selbstbestimmung (“informational self-determination”) is a term that comes from German constitutional law, which covers rights like privacy and data protection, and I think does a good job at explaining where these rights come from conceptually. Privacy and data protection aren’t just about what companies, states, or other people can or can’t do with your information, but instead they emerge from the very idea of human dignity and personality, and the freedom of the individual to have control (self-determination) over their own (digital) life and identity.
This is a key component of Avast’s approach to privacy, and one of the many reasons why the user is at the center of Avast’s whole business philosophy. Avast works both to respect these rights in our own work and to give users the tools to vindicate their rights in practice in the online world. These are rights, not privileges.
One of the key ingredients to respecting users’ fundamental rights and ensuring that they remain aware and in control of how their personal data are used is to ensure that the processing of that data is done in a lawful, fair, and transparent manner.
This transparent approach should permeate everything that’s done with personal data. It’s particularly important for ensuring we take a data-protection-by-design-and-by-default approach. Before anything is done with a user’s personal data the questions “Would this surprise the user, would they expect it?” and “Can I explain, and how do I explain this in a way that’s actually accessible and clear to the user?” need to be addressed.
Any use of personal data should be fair towards the users and avoid being unexpected, misleading, or deceptive. Avast will review and redesign, on an ongoing basis, any policies, information, or resources that are aimed at providing users with this transparency, to ensure they remain up to date, clear, and honest, and in a format that is concise, easily accessible, easy to understand, and presented in clear and plain language.
One of the most important functions of transparency is that it supports users’ control over their own personal data, in particular their right to further information on any processing, to access their personal data, and to be informed of how to exercise other data protection or privacy rights. Rights aren’t much good if you’re not aware of them.
Avast approaches privacy as empowering users to be active participants in their online interactions, rather than just the passive subjects of unwanted or uncontrolled surveillance, tracking, or analysis. Users are partners in the digital economy, not passive economic units to be marketed to.
So, Avast’s focus is on how to give users clarity on what is or might be done with their personal data, and choices as to how to approach interactions that may involve their personal data. This is also why Avast builds tools aimed at the vindication of users’ fundamental privacy rights - tools which put control back in the hands of users. Supporting users in exercising their rights is a key piece of the privacy puzzle: policymaking and regulation can’t cover everything, and this is where companies like Avast can do their part.
What does it look like in practice to apply these values to our work at Avast? Well, one way in which we have approached embedding fundamental privacy values into the work that all Avastians do is by developing our “privacy rule of THUMB,” which is a handy checklist for applying some of these values in practice. Following the rule of THUMB, in everything we do, we take the following goals into consideration:
You can see how, by focusing on each of those questions when we design a new product, or evaluate a new internal procedure, we can ensure that our privacy values are reflected in our work. Asking these questions regularly and making choices based on how they might impact user privacy is a key way we can demonstrate what a belief in privacy as a fundamental right or the importance of user control looks like in practice.