All watched, all watching?

The processing of data for domestic use is not directly covered by the GDPR: while « the regulation applies to controllers or processors who provide the means for processing personal data », it « does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity, and thus with no connection to a professional or commercial activity » (Recital 18). Yet today, everyone can have access to technological means to monitor or track those close to them, in a new « Big Other » society, which we already described in 2012 in the CNIL’s first IP Report, Privacy, Horizon 2020. While certain abuses are regulated in France by Article 9 of the code civil (infringement of individuals’ privacy) and by Article 226-1 of the code pénal (recording a person’s image without their knowledge in a private place), the diversity of forms and practices tends to expand.

An old issue, new forms

The issue was already addressed in 2012 from the perspective of surveillance enabled by self-exposure on social networks, and what was then still called Web 2.0, shaped by « the level of participation that determines the strength of participatory surveillance of everyone by everyone. […] While, in the case of institutional surveillance, the most appropriate form of regulation is certainly legal, in the case of mutual surveillance, regulation is more complex to organize because users voluntarily display their identity ». In the early 2000s, lateral surveillance mainly consisted of observing, sometimes even spying on, content publicly posted by individuals on their social media accounts, particularly in what Dominique Cardon described as the « light and shade zone » in his book La démocratie Internet : promesses et limites (Paris, Seuil, 2010). Already in the CNIL IP report, Dominique Cardon highlighted the specific nature of regulation in this context, which should « be more social and cultural, and rely on self-organisation ». Going against critical discourses targeting users of these networks, he suggested instead to « shift the critique from those who expose themselves to those who watch ».

The form has changed significantly over the past ten years, with the development of new offerings and new uses made possible by our smartphones and by the Internet of Things. Dedicated applications are available on online stores, as we will see below. We have thus witnessed a kind of weaponization of the means used to monitor those close to us, through diverted uses or through dedicated devices.

Surveillance by design?

The design choices implemented in social networks as part of the attention economy can, for example, result in a form of « social pressure » to use these services. An article as early as 2017 pointed to the case of delivery and read receipts on instant messaging services - WhatsApp and others - which produce unexpected effects for users. « Everyone finds themselves, without necessarily wanting to, in a position of spying on and entering into the intimacy of their interlocutors, simply because of a small presence signal (here, a read receipt) », creating a sense of discomfort for people who send and receive messages, and sometimes leading to the use of workarounds to avoid feeling guilty for not responding. In this example, « surveillance is not, a priori, the objective, but rather a side effect of attention-capturing strategies ». WhatsApp groups also generate their share of awkward situations, particularly when it comes to leaving them unnoticed, without each participant seeing the message « xxx has left the group ». As Solène L’Hénoret writes in Le Monde, « Whether on WhatsApp, Signal or Facebook Messenger, no one has learned how to leave an instant messaging group properly. And for good reason: it’s impossible ».

Hacker Surveillance

When they are not the result of unintended side effects, cases of peer-to-peer surveillance may arise from the « misuse » of connected devices, for example in the context of home automation. As early as 2018, Nelly Bowles, in an article for The New York Times, reported a « new pattern of behavior in cases of domestic violence linked to the rise of smart home technology. Internet-connected locks, speakers, thermostats, lights, and cameras that were marketed as the latest conveniences are now being used as tools for harassment, surveillance, revenge, and control ». The journalist explains how abusers remotely control everyday household devices in order to watch, listen, and sometimes frighten the person being harassed by activating features at a distance, thereby asserting a form of power. « Even after the partner has left the home, the devices often remain connected and are used to intimidate and confuse ». In its 2018 report on cyber domestic violence, the Centre Hubertine Auclert (French center for gender equality between women and men) makes the same observation, noting that among the tools « used to ensure cyber-surveillance without the victim’s knowledge » […] « the abuser can remotely control these household devices or personal assistance devices », such as voice assistants. This misuse in cases of intimate partner violence is documented in a paper presented at the IEEE Symposium on Security and Privacy, The Spyware Used in Intimate Partner Violence, which shows that while there are many spyware programs, most cases arise from the « dual use » of applications that may initially have a legitimate purpose such as child safety or theft prevention but can easily be used to spy on a partner. This is made even easier by the abundance of online tutorials. A device such as the AirTag, which allows objects to be tracked via Bluetooth for example, to find lost items has been widely misused. In one case, two women, a mother and daughter, received a notification on their smartphone indicating that an AirTag placed in the daughter’s bag had been used to track them throughout the four hours of their visit to Walt Disney World. To prevent this type of « unwanted tracking », AirTags alert nearby iPhones when they are separated from their owner. This feature, which has had some bugs, has been introduced and gradually refined for example, by reducing the delay before an alert is triggered following cases of misuse.

"Care Surveillance", or reduction of uncertainty?

«There has been a paradigm shift, from « the world is a safe place we can trust» to «if we don’t micromanage and control every moment, something terrible is going to happen». This quote from David Greenfield (The Center for Internet and Technology Addiction), taken from a Wired magazine article, Stop Tracking Your Loved Ones, sums up well the way we tend to perceive the world, and to equip ourselves with different services to prevent risks: «We have this kind of magical thinking that if we know where our loved ones are, we can somehow save them from a dangerous world…» 

With digital technology and the new tools available on the market, « helicopter parents » a term used in Canada to describe parents who « hover » over their child in order to steer them toward the «best» possible future, or who rush to their rescue as soon as a problem arises (Wikipedia) - are now equipped with surveillance drones fitted with sensors to monitor their children’s activities in real time. These drones no longer need to fly, since they are in their children’s pockets. Smartphone applications such as Life360, created as early as 2008, for example, make it possible to track family members’ routes, receive alerts when a child arrives at school, or know in real time where they are (Life360 was flagged by The Markup in 2021 for reselling users’ « precise location » data). Other services offer similar features, such as mSpy and FamiSafe.

Surveillance, the term itself is debated for this type of use, is not what concerns the people interviewed in the article, who are instead worried about the health of those deploying these devices, as illustrated by the article’s subheading: “Tracking apps hijack your psyche. Here’s how to regain control”.

Yet this type of practice raises questions for those being monitored that go beyond privacy protection, as danah boyd writes: «When parents choose to snoop, peek, track, they are implicitly trying to regulate teenagers’ behavior. Parents do this out of love, but fail to realize how surveillance is a form of oppression that limits adolescents’ ability to make autonomous choices». The CNIL also addressed this in 2021 in its recommendations on minors’ rights, regarding parental control tools, stressing that if they are too intrusive, they risk undermining trust between parents and minors and encouraging concealment strategies, as well as hindering the minor’s process of autonomy-building: « the feeling of being monitored can lead minors to self-censor, at the risk of limiting their freedom of expression, access to information, and the development of critical thinking». Xavier de la Porte, a member of the CNIL’s foresight committee, wrote in 2016 in Le Nouvel Obs: « All this illustrates our terrible ambivalence toward surveillance. What is the point of praising Edward Snowden if it is to behave like the NSA with our children? » In 2022, he added with this observation*: «by becoming surveillors, parents face the NSA’s problem: having too much data and being unable to process it. The multiplication of tools offered by all these platforms results in them actually monitoring poorly». The term surveillance is not appropriate for these domestic uses, according to Pierre Bellanger (founder and CEO of Skyrock, member of the CNIL foresight committee)*, because « it is associated with police control, whereas this is rather an attempt by parents to reduce uncertainty through information». These uses mainly reflect an evolution in our societies, according to Dominique Cardon: « we used to live with uncertainties, which we try to reduce: we demand security. […] Everything is being securitised, even our romantic encounters: we need to know in advance whether we have things in common. We should consider a right not to have access to all information».

BYOSD - "Bring Your Own Surveillance Device"

Lateral surveillance does not only concern people in one’s romantic or family circle, but also those in one’s immediate surroundings. The market for home surveillance devices is booming, driven in particular by domestic video surveillance systems, which do not fall directly under data protection law « if they are limited to the strictly private sphere » and do not film neighbours or domestic employees. For strictly private use, those who install them must ensure they « do not infringe on the privacy of the people being filmed, and respect the right to one’s image of family members, friends, and guests ». The CNIL is receiving an increasing number of complaints about these systems installed by private individuals.

In the United States, these systems are no longer purely domestic. The start-up Ring, owned by Amazon, has become the largest private video surveillance network in the country. «Launched in 2016, the company [had by 2019] signed more than 600 partnerships with local police forces. These agencies have access to the Law Enforcement Neighborhood Portal, which allows them to interact with camera owners and request access to their video recordings without any warrant». In a manner similar to new BYOD (Bring Your Own Devices) practices, private individuals are investing their own money to feed surveillance networks intended for public safety. This type of practice reveals a paradox, according to Lionel Maurel*: « while we seek to reduce uncertainty about our home environment, we create a new level of uncertainty by granting access to others, private companies and states, that can exploit the information».

***

These domestic uses reflect an evolution in the way we perceive risk, relying on tools that are as reassuring as they are unsettling, while also enhancing the potential for harm when misused by malicious actors. They invite us to question our relationships with others and are, as Philippe Lemoine notes, « a powerful lever for raising the issue of digital literacy (I can be monitored but I am also a monitor), as well as a lever for legal reflection ».

* during a foresight committee meeting