Privacy: the more we know, the more we care….

To some people, the PRISM revelations have been deeply shocking. The idea that the authorities could be spying on pretty much all our activities on the internet was something that they had never really believed – indeed, they had thought that those of us who had been going on about this kind of thing were, to be blunt, paranoid geeks. Now that Edward Snowden has brought it out into the open, that’s not something so easy to maintain.

The initial response of the authorities was to deny it all. The next was to say it was all being misinterpreted, and wasn’t what Snowden was saying at all. Both of those approaches seem to have been largely abandoned – the denials seem hollow, and instead they’re falling back on the old chestnuts ‘we’re doing it for your own good’, and ‘if you’ve got nothing to hide, you’ve got nothing to fear’. Their problem is, it looks as though a great many people simply don’t believe them on either count. Why? Because, I would suggest, the more people know about what’s really going on, the more they care. Now that people know what kind of activities the NSA, the CIA and GCHQ are up to, they don’t like it. They don’t like it at all.

This shouldn’t really be surprising, as it follows a pattern that people who study privacy should recognise. It happens again and again. The more people realise the extent to which our privacy is being invaded, and the ways in which those invasions of privacy can have an effect, the more they want to have their privacy protected. It happens in relation to internet surveillance by the authorities – but it also happens in relation to the way that businesses invade our privacy. It happens with behavioural advertising – the more people know about what advertisers are doing to track us, the more they want it to be stopped, or at the very least limited. That’s why advertisers are so keen to have Do Not Track as an ‘opt-out’ rather than ‘opt-in’: they realise that if they have to actually explain to people what they’re doing in order to get them to opt in to tracking, people probably won’t. The key study in the field, by Turow, King, Hoofnagle, Bleakley and Hennessy (which can be found here) found the following:

“Contrary to what many marketers claim, most adult Americans (66%) do not want marketers to tailor advertisements to their interests. Moreover, when Americans are informed of three common ways that marketers gather data about people in order to tailor ads, even higher percentages – between 73% and 86% – say they would not want such advertising.”

This last point is particularly important. The more people knew what was really going on, the more they cared, and the more they rejected the privacy-invasive practices. The converse also seems to be true: the more ignorant people are about how things really work, the less they care. It should be no surprise that the strongest advocates for the Communications Data Bill (the Snoopers’ Charter) have been amongst those who understand the internet the least. Theresa May and William Hague, in particular, from the pronouncements they make, seem to have almost no grasp of how the internet works – let alone what the impact of the programmes they actually promote would be. Those few MPs who do understand the internet are pretty much without exception strongly opposed to the Snoopers’ Charter, regardless of their political affiliation: David Davis for the Tories, Julian Huppert for the Lib Dems and Tom Watson for Labour.

Perhaps the best thing to come out of the PRISM farrago is a raising of awareness of the issues around internet privacy. The more this awareness is raised, the more chance we have of getting positive, privacy-friendly results – and the more chance we have to fight off the oppressive, privacy-invasive stuff. Tom Watson and David Davis have now suggested that the Snoopers’ Charter has ‘practically zero chance of becoming law’ primarily as a result of the impact of the PRISM saga. I hope they’re right. If so, it could be a pivotal moment for internet privacy. I hope so.

Communications Surveillance, Protest and Control…

Protest against the badger cull in Bristol

What is the real reason that certain of the authorities are so keen on universal surveillance of communications data? Is it the fight against terrorism? It doesn’t seem very likely. It’s a supremely ineffective method of dealing with terrorism at best – even the examples quoted by the security services as ‘proof’ that it works have pretty much all been swiftly debunked (see for example here). In practice, it seems, targeted, intelligence-driven, almost ‘traditional’ methods do the job far better. So why do the authorities all around the globe seem to be so enthusiastic about communications surveillance? One word: control.

Control is the key

Despotic regimes have always wanted to have as complete a level of surveillance as possible – they want to know what is going on, who is meeting who, what they’re talking about, what they’re planning. That way, they can get control over their people. They can find subversives and dissidents, they can infiltrate those who resist or plot against them, they can snuff out the plans of their enemies before they gather sufficient momentum to have a real effect. That’s been fundamental to pretty much every oppressive regime throughout history – and the capabilities of the internet, and in particular of internet surveillance, offer possibilities beyond the dreams of the despots of yesteryear. However, it’s not just despots who like surveillance – or rather, it’s not just those that we usually label as ‘despots’ who like it. It’s anyone who wants more control – or who thinks that things are going out of control. It’s those concerned with ‘public order’. It’s those concerned with ‘protest’. That, sadly, means it’s all of our governments today – even that in the UK.

Snooping on the badger-cull protestors

News came out this week that ‘Whitehall chiefs scan Twitter to head off badger protests’. As reported to the BBC, ‘[t]he Department for Rural Affairs uses “horizon scanning” software to gain an “early warning” of public protests.’ Relatively speaking, this is a primitive form of snooping – and a legal one, since it scans public messages on social media services such as Twitter. This isn’t a secret plan like PRISM, but an official and key part of the government’s communication plan – but it reveals a good deal about how the government (and other authorities) see the potential of communications surveillance. If they can find out what people are thinking and planning, they can nip protests in the bud.

Pretty much all of this, of course, is legal, and much of it is justifiable in ‘public order’ terms – but as anyone who saw the recent and deeply shocking revelations that the McLibel leaflet was co-written by an undercover police officer who had infiltrated an environmental campaign group would know, the tactics and techniques used by ‘law enforcement’ to deal with protestors and related groups can often stretch not just the law but our imaginations. Ideas presented and proposed for good or at least defensible reasons can easily morph into something much more sinister. Give the authorities leeway, and they use it…

The real use of communications surveillance…

…which is what, it seems likely, is one of the keys behind the enthusiasm for all kinds of communications surveillance, from the Snoopers’ Charter in the UK to PRISM and so forth in the US, to the massive new programme in India etc. They know that if they have full surveillance capabilities their ability to control what is happening will be magnified enormously. Not only can they effectively unmask protestors, they can find out who their friends are, what websites they visit, where they’re planning to meet and so on. If they take it a few steps further, they can block them from communicating with each other, shut down their blogs – or warn them off with anonymous threatening emails, or leak their details to their enemies.

Does this sound far-fetched? Perhaps, but not nearly as far-fetched as the McLibel story, let alone the other horrendous details surrounding police infiltration of environmental and anti-racist groups. What’s more, most of the surveillance systems planned are designed for precisely this kind of surveillance – linking into Facebook, Google etc is far better at this than it is at fighting terrorism, paedophilia etc. Terrorists and paedophiles don’t do their planning on Facebook etc – but those organising legal, peaceful protests like that against the badger cull DO. Terrorists and paedophiles do everything they can to keep ‘dark’ – and they learn how to do so, what technology to use to bypass the authorities. Peaceful protesters don’t – they don’t often feel that they need to, and they don’t have the capabilities. They’re the obvious targets of this kind of thing: universal internet surveillance isn’t so much about fighting the big things as it is about keeping ‘public order’.

Whether that is an acceptable thing is another story. Public order IS important – but so is the right to protest, and not just in countries like Turkey. Protest is fundamental to our democracy, to our freedom of expression, to our ability to hold our governments to account. It’s important everywhere, and letting the authorities design and operate systems to stifle and control it is something about which we should be very wary.

Guest post: Identity Crisis?

Guest post by @Super__Cyan

Who said it only happened to super heroes?

Though not quite as enthralling as its DC counterpart, this post takes a look at the very recent High Court decision and argues that Article 8 of the European Convention on Human Rights could have helped too.

The decision of the High Court in Mengesha v Commissioner of Police of the Metropolis is a welcome reminder that public authorities (such as the police) aren’t allowed to do what they aren’t legally prescribed to do (hence it being unlawful). Basically, the claimant, as a legal observer, attended a public sector trade union march. There was some trouble which prompted the Chief Superintendent to authorise police containment because of an apprehended further breach of the peace; the legal basis for containment was not the issue at hand.

The crux of the legal dispute arose because the Chief Superintendent decided that those who were being released from the containment would be filmed and asked for their details. The claimant enquired about what authority the police acted upon in requesting such information, but this was not answered until after filming and details were disclosed. So the important question was whether disclosure of details was a voluntary condition for being released from containment; the Commissioner accepted that such an instance would be unlawful. But the Commissioner argued that the information disclosed was done on a voluntary basis, thus the identity crisis continued.

After looking at all the relevant evidence, Moses LJ, using a staff instead of his gavel, concluded to ‘let my people go’ – ok, not quite, but that would have been awesome had the judgment been on the containment itself. What Moses LJ actually believed was that the evidence was ‘overwhelming’ as those leaving the containment were required to give their details and to be filmed before they were allowed to be released, which was also conceded by the Chief Superintendent. Moses LJ maintained that ‘[i]t was not lawful for the police to maintain the containment for the purposes of obtaining identification, whether by questioning or by filming.’ Importantly, Moses LJ, in finding against the defendant, uttered that the absence of any statutory power to obtain identification in the circumstances in this case establishes conclusively the unlawfulness of the police action in requiring the claimant to be filmed and give her name and address and date of birth before she was released from containment. This therefore seemed to be a case of simple ultra vires (acting beyond one’s powers) (see Attorney General v Fulham Corporation [1921] 1 Ch 440). So to sum that up, the law does not allow police officers to contain and then only release those contained on the basis that they will give out details.

Here is where Article 8 of the European Convention on Human Rights (ECHR) comes into play. The wording of Article 8 is as follows:

1. Everyone has the right to respect for his private and family life, his home and his correspondence.

2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

So everyone has a right to privacy, you know, mind your own business and all? This can be compromised in certain circumstances, which is why it is regarded as a qualified right. It is accepted that Article 8 arguments were not used for this particular issue but instead used for the filming and retention of said information. The interesting question is, would an Article 8 argument also have succeeded in regard to the involuntary disclosure of information? For any violation of Article 8, first it has to be engaged or interfered with. Private life, which is not susceptible to exhaustive definition, includes an individual’s name and other means of personal identification (the claimant’s address and date of birth), which therefore fall within the ambit of private and family life for the purposes of Article 8 (see S and Marper v United Kingdom 30562/04 [2008] ECHR 1581).

The Grand Chamber in S and Marper noted that in determining whether the personal information retained by the authorities involves any of the private-life aspects mentioned above, the Court will have due regard to the specific context in which the information at issue has been recorded. This therefore would suggest importance is attached to the way in which information pertaining to private life has been obtained. This is precisely so as the European Court of Human Rights (ECtHR) in Friedl v Austria (1996) 21 E.H.R.R. 83, at para 52 noted that:

“The questioning of the applicant on 19 February 1988 in order to establish his identity, and the recording of these personal data, though taking place in the course of the above public incident, was closely related to his private affairs and constituted, therefore, an interference with the right guaranteed by Article 8(1) of the Convention.”

As said earlier, Article 8 is qualified and therefore interference with that right can be justified if it meets the requirements of Article 8(2), the qualified limb. This is determined by going through a series of (let us call them) legal tests; the first is whether interference is in accordance with the law. This requires there to be some basis in domestic law for the power exercised. The High Court already accepted that personal details were unlawfully obtained; this would be sufficient to not satisfy the in accordance with the law requirement and would ultimately lead to a violation. What this seems to suggest is that had the claimant relied upon Article 8 in this context, it would have been violated.

But it does at least in the circumstances of this case show that the common law can be just as useful as the Convention, because pursuing the argument either way would have resulted in the conduct being unlawful.

PRISM: Share with the CIA – and Facebook!

new-facebook-privacy-options

Going out for a pizza? Who wants to know?

There’s been a joke going around the net over the last couple of weeks, inspired by the PRISM revelations. The picture above is just one of the examples – variants include replacing the CIA with the NSA, or adding the two together so that it says, effectively ‘Share with Friends, the CIA and the NSA’ and so on. It’s a pretty good joke – and spot on about the nature of the PRISM programme (and indeed the equivalents elsewhere in the world, such as the UK’s Communications Data Bill, the ‘Snoopers’ Charter’), but ultimately it misses one key element from the equation. It should also include ‘share with Facebook’…

Share with only me, the CIA, the NSA and FaceBook!

Something that seems to be forgotten pretty much every time is that whenever you put something on Facebook, no matter how tightly and precisely you select your ‘privacy’ settings, Facebook themselves always get to see your stuff. It’s never ‘just you’, or ‘just you and your close friends’: Facebook themselves are always there. That means a lot of different things – at the very least that they will use that information to build up your profile and to choose who is going to target advertising at you. It might be used directly for Facebook themselves to target products and services at you. It might mean that they put you on various lists of people of a certain kind to receive mailings – lists that could then be used for other purposes, potentially sold (perhaps not now, but in the future?) or even could be hacked…

Data is vulnerable

…and that is a point that shouldn’t be forgotten. If you put something on Facebook, or if Facebook infers something from the information that you put up, that information is potentially vulnerable. Now it’s easy to worry about spies and spooks – and then to dismiss that worry because you’re not really the kind of person that spies and spooks would care about – but there are others to whom the kind of information you put on Facebook could be valuable. Criminals intent on identity theft. Other criminals looking for targets in other ways (if you’re going out for a pizza, that means you’re not at home… burglary opportunity?). Insurers wanting to know whether they should put up your premiums (aha, they often go out for pizzas – doesn’t sound like a healthy diet to me! Up with the premiums!), potential employers checking you out (if you’re going out for a pizza at an unsuitable time of day, you might be an unsuitable employee) and so on.

Don’t imagine your ‘privacy’ settings really imply privacy…

This doesn’t mean that we shouldn’t ‘share’ anything on Facebook (or Google, or any other system online, because what happens with Facebook happens just as much with others), but that we should be a touch more aware of the situation. The PRISM saga has highlighted that what we share can be seen by the authorities – and has triggered off quite a lot of concern. That concern is, in my opinion, only a small part of the story. What the authorities do is only one aspect – and for most people a far less important one than the rest of the story. Having your insurance premiums raised, having credit refused, becoming a victim of identity-related crimes, being socially embarrassed or humiliated, becoming a victim of cyber-bullying etc are much more common for most of us. What we do online can contribute to all of these – and we should be a bit more aware of it.

Martin Bernal

Martin Bernal, academic, author – of amongst other things Black Athena – husband, father, grandfather, linguist, lover and singer of folk music, political activist and so many other things, died on 9th June 2013. He will be very greatly missed. My dad.

—————————————————

There is an obituary for him in the Ithaca Journal – here. I hope there will be more in the next few weeks, to which I will link. I may also write more myself when the time comes.

PRISM: lessons for the future?

The news surrounding PRISM, from the stories surrounding whistle-blower Edward Snowden to the technical analyses of what (if anything) PRISM might actually be, seems to be multiplying every day. This is likely to continue – and in the short term, though more and more information seems to be coming out, it does not look as though we’ll really know what went on for some time – if ever. What is more interesting to me at this stage is how the reaction is playing out – in the media, with politicians, with the ‘geeks’, in the social media and so on. Even without knowing the technical details – let alone the ‘truth’ of what’s happening – there are some things that we can see.

People DO care – and that matters

This point is perhaps the most important – when people are told that their phone calls, their internet activity and so forth are being monitored, particularly without their knowledge and without proper checks and balances, they care about that. The scale of this particular furore has been bigger, in most ways, than any before – which goes pretty much directly against the often-repeated claims that people don’t care about privacy. What’s more, it appears from a number of surveys that young people care more about it than older people – again, going pretty much directly against the suggestion that privacy is somehow an outdated thing only the concern of old fogeys and geeks (like me). There are many possible reasons for this – it may be that young people understand the internet more, so have a clearer understanding of the implications of monitoring internet behaviour, it may be that young people have even less trust in the authorities than older people, it may be that young people are less convinced by the ‘war on terror’ than older people. It’s hard to be sure – but it is interesting.

The Snoopers’ Charter is substantially similar to PRISM

In effect, what is envisaged in the Snoopers’ Charter (the Communications Data Bill) is almost identical to the ‘worst case scenario’ for PRISM: it allows for ‘black boxes’ to be installed in ISPs, and potentially at the servers of the likes of Facebook, Google etc, it allows for ‘direct access’ to those servers and so forth. If PRISM sounds like a nightmare – then so is the Snoopers’ Charter. I was in the US when the news of PRISM broke – at a privacy conference – and the reaction of many Americans was very interesting. Europeans often see Americans as less concerned by privacy than they should be – things like free speech and free enterprise always seem to take priority – and yet here was outrage and anger, and frustration at overreach by the authorities. If the Americans are worried about PRISM, then we should be doubly worried about the Snoopers’ Charter – and I hope we will use this mess as a bit of a wake-up call.

There are plenty of lessons to learn along these lines, particularly in relation to laws such as the Snoopers’ Charter. One is that whether something is technically legal is not necessarily the key – because the laws themselves may not be what we think they are. On both sides of the Atlantic lawmakers pass laws that they may not understand (something that has been painfully evident during the debate on the Snoopers’ Charter) and when reality bites they find themselves surprised and upset. They need, as many of us have said before, to listen far more carefully to the right people – in the case of the Snoopers’ Charter, they need to really read and understand the submissions to the committee. Another is that when a law is written in an open-ended way (as in the US the PATRIOT Act seems to have been) then authorities will be likely to take advantage, and end up going beyond the apparent intentions of the law. The primary implication is that we need to be much more careful about how these laws are written – and leave less scope for ‘interpretation’. It’s just not enough to ask us to ‘trust’ the authorities, and assume that they will stay within the spirit as well as the letter of the law. That will not do.

We fought off the Snoopers’ Charter once – and we must make sure that it is not revived in anything like its original form.

Arguments and old chestnuts…

Another thing that’s clear is that all the old chestnuts will be brought out in the arguments. Two particular ones get brought out pretty much every time: the idea that ‘if you’ve got nothing to hide’ then you’re OK, and that ‘we’re not listening to your phone calls’. Neither holds water in any way. The ‘nothing to hide’ argument has been debunked at huge length by a vast array of scholars and journalists over the years, from Daniel Solove’s classic piece here to danah boyd’s piece yesterday. The ‘we’re not listening’ argument focusses on traditional wiretapping – and makes far less sense today. The ‘meta-data’ or ‘traffic data’ that surrounds calls, and more particularly internet activity may well be more useful, especially for analytical purposes. It doesn’t just say when you call whom – but things like where you are when you call, the kind of technology you’re using (which device, which software, which provider etc) – and that data can be used for profiling and predictions far more than the content. We shouldn’t be reassured when William Hague or Barack Obama tell us they’re not listening to our calls – it’s pretty much irrelevant. They’re doing things that are far more intrusive.

If we care about governments – we should care about business!

It is interesting to me how much people are now worried about governments getting access to their private ‘stuff’ – when they were (and to an extent still are) far less concerned about businesses having similar access. People seem to trust Facebook, Apple, Google etc with their most intimate details but be deeply upset if the NSA or GCHQ might see it – and yet, for most people, the potential for harm is in many ways greater from businesses than from the authorities. Not only would businesses share their information with the authorities anyway – but they’ll also share it with advertisers, with credit agencies, with insurance companies and others who can have a very direct impact on our lives. They’ll also build up behavioural profiles of us that can be used by the authorities and all of those other groups – profiles that might well end up being sold or even given to those groups.

What does this mean? That we shouldn’t worry about PRISM etc? Precisely the opposite – that we should also worry much more about business gathering and use of data, about businesses tracking us and so forth. We need protection from both governments and business.

Strong data protection is crucial

This should be one of the key lessons from all this – particularly for those of us in Europe. Right now, the Data Protection reform package is being negotiated, and there is strong pressure from some groups – notably business lobby groups and the UK government – to weaken it. We should resist that pressure at all costs – and indeed we should look at ways to strengthen our data protection regime, make it tougher for businesses to hand over data or allow authorities access, bring in more checks and balances. Better, more transparent and more ‘privacy friendly’ business models are needed – amongst other things to increase our trust. That trust is currently quite precarious.

A privacy-friendly future is needed!

People seem to like privacy – and they should. I’ve written about this before, but I think both the desire and the need for a ‘privacy-friendly future’ is getting more intense. The technical side of things is developing apace – cryptography, systems for anonymity and so forth exist and are becoming a bit more than just the preserve of the ‘geek’ community. That has to continue – and should be embraced by mainstream providers. If people like Apple, Google, and Microsoft start to find ways to incorporate the better, stronger and more robust privacy-friendly systems into their own, that could be a selling point as well as helping users. If those developing ‘Do Not Track’ make it stronger, more effective, more clearly ‘do not track’ and less ‘do not target’, and most importantly ON by default, that would help even more. Just as for the business models, we need to have a sense that the technology can be trusted.

Trust in me…..

…because, in the end, trust is important. Trust, however, has to be earned, and has to be deserved. Right now, governments and businesses are losing that trust – and don’t seem to be able to find a way to win it back. It will take more than words – and hearing William Hague tell us that we should trust him, if anything, makes me trust him less. He has to do a great deal more to earn it – as do Apple, Google, Microsoft and so on.

Dear Larry and Mark….

Larry Page, Google

Mark Zuckerberg, Facebook

8th June, 2013

Dear Larry and Mark

The PRISM project

I know that you’ve been as deeply distressed as I have by the revelations and accusations released to the world about the PRISM project – and I am delighted by the vehemence and clarity with which you have denied the substance of the reports insofar as they relate to your services. The zeal with which you wish to protect your users’ privacy is highly commendable – and I’m looking forward to seeing how that zeal produces results in the future. To find that the two of you, the leaders of two of the biggest providers of services on the internet, are so clearly in favour of individual privacy on the internet is a wonderful thing for privacy advocates such as myself. There are, however, a few ways that you could make a slightly more direct contribution to that individual privacy – and seeing the depth of feeling in your proclamations over PRISM I feel sure that you will be happy to do them.

Do Not Track

As I’m sure you’re aware, people are concerned not just about governments tracking their activities on the net, but others tracking them – not least since it appears clear from the PRISM project that if commercial organisations track people, governments might try to get access to that tracking, and perhaps even succeed. As you know, the Do Not Track initiative was designed with commercial tracking in mind – but it has become a little bogged down since it began, and looks as though it might be far less effective than it could be. You could change that – put your considerable power into making it strong and robust, very clearly do not track rather than do not target, and most importantly ensure that do not track is on by default. As you clearly care about the surveillance of your users, I know that you’ll want them not to be tracked unless they actively choose to let advertisers track them. That’s the privacy-friendly way – and as supporters of privacy, I’m sure you’ll want to support that. Larry, in particular, I know this is something you’ll want to do, as perhaps the world leader in advertising – and now also in privacy – your support of this will be both welcome and immensely valuable.

Anonymity – no more ‘real names’ policies

As UN Special Rapporteur on Freedom of Expression and Opinion, Frank La Rue, recently reported, privacy, and in particular anonymity, is a crucial underpinning of freedom of expression on the internet. I’m sure you will have read his report – and will have realised that your insistence on people using real names when they use your services is a mistake. I imagine, indeed, that you’re already preparing to reverse those policies, and come out strongly for people’s right to use pseudonyms – particularly you, Mark, as Facebook is so noted for its ‘real names’ policy. As supporters of privacy, there can’t be any other way – and now that you’re both so clearly in the privacy-supporting camp, I feel confident that you’ll make that choice. I’m looking forward to the press releases already.

Data Protection Reform

As supporters of privacy, I know you’ll be aware of the current reform programme going on with the European Data Protection regime – data protection law is strongly supportive of individual privacy, and may indeed be the most important legal protection for privacy in the world. You might be shocked to discover that there are people from both of your companies lobbying to weaken and undermine that reform – so I’m sure you’ll tell them at once to stop that lobbying, and instead to get solidly behind those looking for better protection for individual privacy and stronger rights to protect themselves from tracking and misuse of their data. As you are now the champions of individual privacy, I’m sure you’ll be delighted to do so – and I suspect memos have already been issued from your desks to those lobbying teams ordering them to change your stance and support rather than undermine individuals’ rights over their data. I know that those pushing for this reform will be delighted by your new-found support.

That support, I’m sure, will build on Eric Schmidt’s recent revelation that he thinks the internet needs a ‘delete’ button – so you’ll be backing Viviane Reding’s ‘right to be forgotten’ and doing everything you can to build in easy ways for people to delete their accounts with you, to remove all traces of their profiling and related data and so on.

Geo-location, Facial Recognition and Google Glass

Your new found zeal for privacy will doubtless also be reflected in the way that you deal with geo-location and facial recognition – and in Larry’s case, with Google Glass. Of course you’ve probably had privacy very much in the forefront of your thoughts in all of these areas, but just haven’t yet chosen to talk about it. Moving away from products that gather location data by default, and cutting back on facial recognition except where people really need it and have given clear and properly informed consent will doubtless be built in to your new programs – and, Larry, I’m sure you’ll find some radical way to cut down on the vast array of privacy issues associated with Google Glass. I can’t quite see how you can at the moment, but I’m sure you’ll find a way, and that you’re devoting huge resources to do so.

Supporting privacy

We in the privacy advocacy field are delighted to have you on our side now – and look forward greatly to seeing that support reflected in your actions, and not just in relation to government surveillance. I’ve outlined some of the ways that this might be manifested in reality – I am waiting with bated breath to see it all come to fruition.

Kind regards

Paul Bernal

P.S. Tongue very firmly in cheek

PRISM: Internet surveillance IS a big deal!

It’s been a remarkable week to be at the Privacy Law Scholars Conference – a week when there have been some of the most interesting and potentially most important revelations relating to privacy for a long while.

Dramatic revelations – first on Verizon

Yesterday was particularly dramatic. First there was the revelation that the NSA has had access to the records of Verizon, one of the US’s biggest phone providers. This access covered what has been described in some places as ‘meta-data’ and in others as ‘traffic data’ – the key being that it didn’t include the content of the calls, so the NSA could claim not to have been ‘listening in’. As with the debate over the Snoopers’ Charter in the UK, this is a classic bit of misinformation – the meta-data can in many ways be even more revealing than the content, particularly in the light of modern profiling techniques, but this is a bit of a side issue really.

This first revelation was later extended to suggest that it was highly likely that the same was true of other phone companies, but that the information had not (yet) been leaked – and I have to say that sounds eminently likely. Why would the NSA choose just one provider? If they believed the information was likely to be helpful, and had a legal mechanism that would enable them to get it (via the ‘secret’ FISA courts – see here for the court order in relation to Verizon), why would they restrict themselves to just one provider, however large?

Then PRISM…

The second, potentially even more interesting (and damaging) piece of news was the suggestion, in both the Guardian and the Washington Post, that the NSA has direct access to the files/servers of many of the biggest players in the internet – Facebook, Google, Apple, Microsoft, Yahoo, Skype, YouTube, AOL, PalTalk – through a programme called ‘PRISM’. The suggestion, effectively, was that the NSA had a kind of ‘backdoor’ into these systems, giving both real-time access to communications and full access to files and records. Quite what this really means, quite how true it is, whether the companies knew about it (most have flatly denied the latter) has yet to be verified, but will doubtless be the subject of huge scrutiny. I’m not going to write about it here – I’m neither qualified nor knowledgeable enough to do so, and the jury is still out in any case – but the reaction from the authorities has been very interesting and revealing.

There are a number of aspects to it that bear thought. The first is the question of legality – essentially, if the whole thing is ‘legal’ does that make it ‘OK’? The second is the question of targeting. One of the immediate responses by the authorities was to say that it was ‘aimed at only non-US people’, as though that would mean that it wasn’t a problem. The third is that it was ‘No Big Deal’ in any case (see this report in Forbes).

Legality

My suspicion from the first few reports of the story is that this is very likely to have been legal – indeed, to still be legal. The US authorities have extensive powers along these lines – the particular suggestion is that it is Section 702 of the Foreign Intelligence Surveillance Act (see here for example). Would ‘legality’ mean that this kind of thing is ‘OK’? Actually, for me, quite the opposite – it would make the whole thing even more worrying. It would demonstrate quite how extensive and intrusive – and oppressive – the legal powers available to the authorities are. It would be a reminder for people in the UK how dangerous it is to grant any government loose, open-ended powers of surveillance, and then to ‘trust’ them to use them responsibly and in a limited way. They won’t. They’ll take the powers they’re granted and see how far they can stretch them. That, amongst other things, is why the Communications Data Bill (the Snoopers’ Charter), with its very much open-ended powers, was (and remains) such a bad idea.

Focus on ‘Foreigners’

This second question – whether it’s ‘OK’ so long as it’s only non-US citizens that are targeted – is one that many non-Americans might be surprised by, but is fairly common in the US. In general, the US tends to support ‘civil liberties’ rather than ‘human rights’ – and that means that the protection it gives to its citizens is generally far, far stronger than that it gives to foreigners. It is understandable – any government’s primary consideration should be its own people – but the implications are deeply worrying. For those of us from outside the US, it means we’re ‘fair game’. For those within the US, it means that effectively the US is giving carte blanche to other countries to spy on them: if the US feels it’s OK to spy on the citizens of China, for example, then aren’t they saying that it would be OK for China to spy on the citizens of the US? And won’t China take advantage of the moral authority they’re given to do that?

It should be noted, too, that the words used are ‘targeted’ or ‘aimed’ – the suggestion is that they’re ‘aiming’ the surveillance only at non-US people, but US people may get caught as part of the collateral damage. That, I suspect, will be worrying for many Americans, even if they don’t think we foreigners are worthy of protection – or that protection for our privacy, protection against being spied on, is something to do with our humanity rather than the nations of which we’re citizens.

What’s more, the latest suggestion in the Guardian is that the US authorities have allowed UK authorities access to the PRISM system – and it is more than likely that there are similar deals for other ‘friendly powers’.

It IS a big deal!

This is the last part – and the one that most bothers me. Much of the reaction suggests that the whole thing is a bit of a storm in a teacup, that we should all be willing to accept this kind of thing so long as it keeps us ‘safe’. That much I categorically deny. Having our internet traffic monitored, having our files scrutinised and data about us gathered is something that we should all be concerned about. It matters. It’s a human rights issue. The effects are potentially very significant, and not just for privacy.

The timing of this whole thing is remarkable – it comes just days after Frank La Rue, the UN Special Rapporteur on Freedom of Expression and Opinion, presented his report to the UN, a report whose key conclusion was that:

“The right to privacy is often understood as an essential requirement for the realization of the right to freedom of expression. Undue interference with individuals’ privacy can both directly and indirectly limit the free development and exchange of ideas.”

It’s a conclusion that for those of us in the field is not surprising – but it is worth repeating. Internet surveillance chills free expression. It limits free speech. It stifles freedom of thought. It IS a big deal. A very big deal indeed. If this report about PRISM is even partially true – and there are signs that the US authorities are admitting to much of it – then it is a huge deal. We need to take it very seriously indeed.

Governments, the internet and freedom….

Current events in Turkey have raised a lot of questions – questions that strike at the very roots of government legitimacy. One of those questions is about how governments deal with the internet. Turkish PM Erdogan has ‘blasted’ Twitter and social media for ‘spreading lies during weekend protests’ (see for example here).

It isn’t an uncommon response: when a government fears it’s losing control, it worries about the role played by social media in that loss of control. The extent to which Twitter and Facebook really contributed to the uprisings in the ‘Arab Spring’ is still a matter of debate – but the governments certainly thought they might, and sought to either suppress them or shut them down as part of their attempts to control the people. In the UK, in the aftermath of the rioting in London in 2011, Prime Minister David Cameron suggested:

“Free flow of information can be used for good. But it can also be used for ill. So we are working with the police, the intelligence services and industry to look at whether it would be right to stop people communicating via these websites and services when we know they are plotting violence, disorder and criminality.”

Even at the time, Cameron seemed unaware that he was suggesting exactly the same thing for the UK as he was deploring in places like Egypt and Libya – and even now, with suggestions that some within the government want to bring back the Snoopers’ Charter (see my blog posts here and here), and with regular calls to take control over various forms of ‘extreme speech’ – one man in the UK was arrested for a Facebook post of a burning poppy – it’s very clear that governments of many flavours consider the internet, and social media in particular, to be something to be feared.

And yet, when we watch what is happening in Turkey, many of us find ourselves naturally siding with those protesting. We need the right to protest – and the right to communicate, to organise, to assemble, to associate – and to do so with as much freedom as possible. That’s why those kinds of freedoms are built into most of the key human rights documents and declarations. The Universal Declaration of Human Rights, the European Convention on Human Rights and others have these as core values – and quite rightfully so.

When we see those rights restricted, controlled or threatened, we should know that this is wrong – and people in Turkey do. I was particularly struck by one tweet, by tweeter Faruk Ateş (@KuraFire):

“A government that fears the free communication among its citizens is a government you can no longer trust to govern you. #Turkey”

He’s right. When governments seek to control our communication – whether by shutting down social media, or by monitoring all our communications (as the Snoopers’ Charter proposes), ultimately that means that they are governments that you can no longer trust to govern you. The Turkish government is looking increasingly like that kind of government – and so would ours in the UK if we tried to do the same.

Of course there are good ‘excuses’ for doing so – fighting terrorism, avoiding ‘disorder’, stopping radicalisation and so forth – but we should be aware that by doing so we are risking sacrificing a huge amount of what makes us ‘civilised’ in any real sense. We should not allow ourselves to be distracted or persuaded that there’s something else going on – that, for example, the Snoopers’ Charter is only about monitoring the communications of the ‘bad guys’ and will only be used to deal with terrorism. As David Cameron demonstrated back in 2011, it’s very, very easy for a government to slip into thinking that powers are needed to keep ‘control’ when things get difficult. Powers to monitor all will ultimately be used to monitor all, and for whatever purpose the government and other authorities deem appropriate at the time. It is a slope that is very slippery indeed….

We should all be watching what happens in Turkey very carefully – for many reasons. How the Turkish government ultimately deals with the protest will be very important – primarily for the Turkish people, but in many ways for all of us. I, for one, am hoping that freedom wins out, and that suppression and oppression are not the main victors. The same is true for all countries. We need to find solutions to our problems that don’t require that kind of suppression and oppression – solutions that support our human rights – and our humanity.