The online privacy debate: Understanding the basics

The current debate being waged around online privacy isn’t always straightforward and can often be filled with  legislative and technical jargon that confuses people. We frequently get questions on very fundamental aspects to understanding online privacy, such as the difference between privacy at the IP level and at the browser level, understanding what data retention is, or questions around the myriad of surveillance bills that seem to pop-up every month or so. Therefore, we thought it might be useful to provide a run-down of online privacy basics; a cheat sheet, if you will, for the important task of understanding and participating in the current debate.

Online privacy basics

Cookies and IP addresses

If you zoom out of the privacy debate, you’ll see two separate conversations taking place. One concerns advertising and data mining from ad companies and major online platforms such as Facebook and Google. The other concerns government surveillance of citizens’ online activities.

Advertising and cookies

When it comes to data mining and advertising, your privacy is potentially being compromised via ‘cookies’ in your web browser. A cookie is simply a piece of data that websites can store on your computer. Cookies deployed for various reasons, but they’re particularly useful to advertisers, because they can tell them what websites you’ve visited and what advertisements you have clicked.  This lets advertisers build a profile of you in the hope you’ll be more susceptible to marketing messages. Cookies have therefore become essential to the online ad industry. Not only do they allow advertisers to target ads to your individual tastes, they also track whether or not an advertisement is effective. It’s important to note that none of this data is necessarily stored with advertisers, it’s stored on your computer. However, this hasn’t stopped privacy campaigners raising concerns about how web users are being profiled and tracked.

Surveillance and IP addresses

Your IP address is numerical identifier assigned to the device you’re using to connect to the internet. Essentially, this identifier is used to determine where you’re located and who your ISP is, and is therefore a pretty good indicator of who you are. When it comes to surveillance, data can be gleaned based on activity linked to your IP address. Typically such surveillance will occur with the cooperation of your ISP, which brings us to the next key element to the online privacy debate.

What is data retention?

When we talk about data retention in the realm of online privacy, we’re usually discussing the issue of ISP data retention policies. Different countries and different ISPs have different laws and policies in terms of the data they store on individual customers’ web activity. This data usually contains web logs, which reveal what websites you’ve visited, email logs, which revealed who you’ve emailed (but not necessarily the contents of the emails), and billing info, so the data can be linked to your identity.

European Union member states currently must abide by the EU Data Retention Directive. This directive mandates all ISPs retain customer data for between 1 and 2 years after they leave the ISP’s service. In the US, there is currently no data retention law. However, ISPs are free to set their own policies. A Justice Department document from 2011 revealed that Verizon retained IP session information for one year. Time Warner on the other hand retained data for 6 months, while AT&T’s logging practices are not made public.

Given the EU’s mandatory data retention policy, other countries such as Australia and the US, are exploring the possibility of introducing similar policies.

How can the government spy on me?

There are numerous ways law enforcement would be able to obtain your private data. But the main channel would be to obtain a warrant to get data from your ISP, or to request the ISP start logging data on you if it isn’t already. But of course, as we saw with the NSA surveillance debacle in the US and with the RIPA in the UK, law enforcement doesn’t always play by the rules and obtain a warrant, which means they can get your data without judicial oversight and without any evidence you’ve engaged in wrong doing.  Drafted surveillance bills such as CISPA and the CCDP sought to make it easier for law enforcement to obtain private data.

The surveillance debate

As you probably already know, government around the world are trying to introduce new legislation to enhance their ability to conduct online surveillance. Governments are not incorrect when they say current surveillance legislation is out of date and needs to be updated for the internet age. But law enforcement agencies are clearly using this opportunity to increase their powers of surveillance to unprecedented levels. The debate also spills into the copyright and online piracy realm, as legislation such as SOPA and the TPP would appear to require privacy compromises in order to make it easier for copyright holders to prosecute copyright infringers.

Hopefully, the above helps clear-up some common misconceptions around online privacy for those of you new to the debate. If you have any questions, comments or suggestions on how we can improve this mini-guide please let us know in the comments below.

Comments icon
We invite you to discuss this post in our Reddit community or on Twitter. You can also send your feedback to
Tags: Privacy

Most people don't need a commercial VPN to work from home securely

Posted on April 7, 2020 by Nick Pestell

Many small businesses and their employees are concerned about the security of their data whilst working from home during the coronavirus pandemic. We see a lot of confusion surrounding this topic, even from fairly technical folk and there is unfortunately a lot of misinformation being spread by commercial VPN providers themselves.

You can't always get what you want: the eternal conflict between lawful access and privacy

Posted on April 19, 2018 by mirimir

In late March, the US Clarifying Lawful Overseas Use of Data Act (CLOUD Act) took effect. And predictably, the US Supreme Court just dismissed United States v. Microsoft Corp. In that case, Microsoft was fighting a subpoena for data stored in an Irish data center.

Protect yourself today and get peace of mind

Shut out hackers, identity thieves and the global government surveillance apparatus — every time you go online.