Month: May 2012

Who goes where???

Somewhat hidden behind all the headlines about Facebook’s farcical IPO, another Facebook story grabbed my attention last week.

“Facebook Camera app really, really wants to know your location” ran the headline in CNET’s story about the latest in a long line of geo-location data stories. The essence of the story is pretty simple: the new camera app for Facebook only works properly if your location services are turned on. There are ‘work-arounds’, but for the vast majority of users it seems pretty certain that the result will be that they will simply leave location services on.

It feels like part of a trend: many of the big players in the internet world want to have location services turned on all the time – and they’re building their services and systems accordingly. It may be something that’s inevitable, and (like so many other privacy invasive technologies) we just need to accept it and move on – as Scott McNealy said, so long ago, ‘you have zero privacy, get over it’. I hope not – because there’s something qualitatively different about geo-location data from most of what we regularly give up.

It’s pretty cool stuff a lot of the time . I love the little ‘next train home’ button on the app I use for my travel – all I do is click and it finds the nearest station, checks the timetable and tells me everything I need to know. Almost everyone with a smartphone must use the mapping system pretty regularly too – it’s been a godsend for me more than once. Even so, there’s a lot more to it than there might seem – and useful to a lot of people other than you. Potential advertisers love the idea of being able to grab customers in real time, customers who might be in the neighbourhood of their restaurants and bars and so forth.

Sounds good so far? Well, yes…. but there is a lot more to it than that. There are some key factors that make it very different from the rest of the data we give up.

1)  It is qualitatively different from almost everything else in that it provides a direct link with the ‘real’ world in real time. The link between your online and offline activities, identity and so forth can be directly made using location data. For most people, most of the time, this may not make any difference – but sometimes it can be devastating. I’ve blogged before about the problems related to this in Mexico – where bloggers have been tracked down and killed by the drugs cartels. I’m not suggesting that they necessarily used geo-location data to find those bloggers – but geolocation could provide exactly the kind of tools to help them to do so.

2) Geolocation data not only tells people where you are, but where you aren’t… anyone who works in internet privacy will know about the pleaserobme.com story, where a Dutch website gathered publicly available data about people and published information saying ‘this person is on holiday right now, and this is their address – you can rob them now’… but that’s just the start. You can find out when people aren’t at work, or at school, or at the meeting they said they were at. Now you might argue that’s fine – it’s a good way to catch ‘cheats’ of all kinds – but is that really true? The opportunities for misuse are huge – particularly the use of information out of context – and in the hands of the wrong people, it could be a stalker’s paradise…

3) It’s not just about the individual data at a particular moment – indeed, that’s only a small part of the story. Geolocation data, particularly when made a default, is about building up data – building up patterns of behaviour. If you know that someone always goes to location A at a particular time, or always goes to location C after they’ve visited location B, you have an even better way to track and follow them. What’s more, if you know that 85% of people who visit location D between 10 and 11 am then go on to visit location E, you can make all kinds of predictions. The possibilities are more or less endless… particularly when you aggregate the geolocation data with other information: credit card use, transport card use etc – or profiles of any kind. Different patterns for different ages, social classes etc… and, of course, the more people that use geolocation, particularly by default, the more accurate this pattern analysis becomes.

4) It’s not just the ‘good’ people who can use geo-location data – as I’ve banged on many times before, if you build something for the ‘good guys’ to use, the ‘bad guys’ will use it too. And if the ‘neutral guys’ like commercial services, like Facebook and Google themselves’ have the data then governments can subpoena it, criminals can hack it, commercial rivals/collaborators can buy it or blag it etc etc…

5) Geolocation data is crucial for some of our most important liberties – free association and assembly most directly. Any government or other authority wanting to ‘control’ a protest movement would just love to have this kind of information – and are doubtless rubbing their hands with glee at the rapid take up of location-based services.

This is just the start – and as the technology develops there will doubtless be more. The next generations of geolocation technologies will be far more accurate – some with an accuracy measured in centimetres have already been tested. They’re already in smartphones and tablets – and we can expect it to be built into more and more technology. I’d be surprised if the majority of cameras didn’t have some kind of geolocation system build in over the next few years, for example.

So what should we do about it? Well, the first thing is to start thinking about it a bit more. I see far too many people on my timeline on twitter posting something or other from FourSquare about being in Costa in Edinburgh – why? Who wants to know? Did you think before you post? A lot of internet data gathering is built around the assumption that people want to ‘boast’ – they use people’s ‘natural’ inclinations in order to get them to give away data. This is just the new style….

We need to be more careful with our technology – let’s fight against the assumptions lie behind all of this. Let’s not let location become the default – and let’s not build technology that allows ANYONE to override our decisions not to reveal our location. If I turn the location system on my phone off, I want it to stay off! I don’t want the authorities to be able to override that ‘off’ switch – and we shouldn’t be persuaded by those who would like to let parents override their kids’ settings, employers override their employees’ settings etc etc etc. Designing technology that way is just asking for abuse. And geolocation data, perhaps more than any other data, is ripe for abuse.

I do not like this CCDP

That Nick’n’Dave, that Dave’n’Nick

I do not like that Dave’n’Nick

I do not like their strange ideas

They play on people’s deepest fears

They bother me, they make me sick

I do not like that Dave’n’Nick

“Will you try some CCDP?

You’ll find you like it, you will see!”

I do not like it, Dave’n’Nick

That CCDP makes me sick

I do not like it, not at all

You cannot make me take that fall

“But what if it will stop the bombers?”

It cannot, will not stop the bombers

It gathers up far too much data

We’ll only find them six weeks later

Even policemen tell us so!

Listen to them, they must know!

“But what if it will catch the paedos?”

It cannot, will not catch the paedos

They’ll find a way to not get caught

They’re good at that, they’re just that sort

To catch them we must be more clever

This blunderbuss will get them?  Never!

“We’ll find a way to keep it safe”

It cannot, will not be kept safe

That’s not its nature – listen here!

Just build it and the danger’s there

This thing can never be called tame

To claim so – well that’s really lame

“We’ll only let the good guys look”

Who are the good guys in your book?

Will they always stay so good?

I’m not sure that you’ve understood

Once it’s built it’s there for all

The worse of guys will use it well

“We’ll use it just to catch the bad guys!”

Who can say who ARE the bad guys?

Planning bombings – that’s quite easy

Planning protests? I feel queasy

This CCDP catches all

Bad guys, good guys, we all fall.

“Trust us, we know what we’re doing!”

Trust YOU? I see where you’re going!

Taking us to Orwell’s vision

That’s your clever spooks’ ambition

I do not like the road you’re making

I do not like the path you’re taking

This time, I say, Dave’n’Nick

I say NO: I’ll make it stick

You MUST not do this, you must NOT

I’ll shout with all the shout I’ve got

I’ll shout it loud until you hear

And so does everyone who’s near

I do not like this, Nick’n’Dave

I do not want to be a slave

I do not like this CCDP

This CCDP’s super creepy

Listen to us, listen now

Listen when we tell you NO!

P.S. The CCDP is the government’s proposed internet snooping package, the “Communications Capabilities Development Programme” For details, the ORG’s excellent analysis here

P.P.S. Apologies to Dr Seuss!

A wake up call?

A couple of years ago I was teaching a class in IT law, and the subject of surveillance came up. I tried not to let my own opinions colour the debate, and listened while one student after another talked quite happily about the benefits of things like CCTV, and how the needs of security and the fight against terror and crime meant that surveillance was a generally good thing, beneficial to society. The students were mostly from affluent Western countries – the UK and Western Europe for the most part – and they all seemed generally content with the situation. Eventually, however, one of the students stood up, and told the rest of them, to all intents and purposes, that they were all mad. He didn’t want the government watching him. He didn’t trust the police to use surveillance just for the ‘right’ purposes.

He wasn’t generally one of the most loquacious of my students – indeed, most of the time he was very quiet. He did, however, have one distinct advantage over the others when looking at this kind of thing: he came from one of the former Soviet republics in Central Asia, a place where the current government is in many ways even worse than before the fall of the Soviet Union. He knew, from first hand experience, the way that this kind of thing can be – and is – used in ways that control and oppress. He said, very directly, that you can’t trust a government.

The others said very little in response, except a weak attempt to say ‘well, our governments aren’t like yours’, to which he laughed, wryly. ‘They may not be now, but what about the future?’.

A wake up call?

That’s where the wake-up call comes. In yesterday’s election in Greece, the far right Golden Dawn party gained a disturbing 7% in the elections, and held rallies that had distinct echoes of Nazi Germany.

“No one should fear me if they are a good Greek citizen. If they are traitors – I don’t know,” their leader Nikolaos Michaloliakos told the media. The words, the images – and indeed the election results – have sent shivers down a lot of spines, not just in Greece but around the world.

Human Rights lawyer and blogger Adam Wagner (@AdamWagner1) tweeted about it (and later blogged – here):

“Anyone else think rise of European far right makes UK’s continued support of European human rights system seem quite sensible?”

He’s right. It does. It should remind us of the origins of a lot of the human rights conventions, declarations and so forth in the second half of the 20th Century: as a reaction to the atrocities of Second World War. We recognised the needs of people for protection from their own governments – because governments can’t be trusted to protect people at all times. Watching and listening to the spokespeople of the Golden Dawn should remind us very directly of that – as should, on a smaller scale, the calls from some of the Tory backbenches and some of the media for the government in the UK to move ‘to the right’.

Part of the ‘standard’ lurching to the right includes crackdowns on crime – and that, in turn, can often be used to justify more surveillance. It’s not hard to imagine the kinds of words that might be used to support this kind of thing – most directly, in this case, the proposed Communications Capabilities Development Programme (see the ORG summary here).

Moves like these should be resisted at all costs. Whatever systems we put into place will be hard to reverse – and won’t just be used by the ‘good guys’ to get the ‘bad guys’. Even if you do trust this current government (something which a lot of us find very hard to do), whatever we do will be available for others later. Whoever those others might be.

As Bruce Schneier put it, in one of my favourite quotes:

“It’s bad civic hygiene to build technologies that could someday be used to facilitate a police state”

He’s right. We shouldn’t. Those election results from Greece should remind at that most forcefully. Wake up. Smell the coffee.

Safe…. or Savvy?

What kind of an internet do we want for our kids? And, perhaps more importantly, what kind of kids do we want to bring up?

These questions have been coming up a lot for me over the last week or so. The primary trigger has been the reemergence of the idea, seemingly backed by David Cameron (perhaps to distract us from the local elections!), of comprehensive, ‘opt-out’ porn blocking. The idea, apparently, is that ISPs would block porn by default, and that adults would have to ‘opt-out’ of the porn blocking in order to access pornographic websites. I’ve blogged on the subject before – there are lost of issues connected with it, from slippery slopes of censorship to the creation of databases of those who ‘opt-out’, akin to ‘potential sex-offender’ databases. That, though is not the subject of this blog – what I’m interested in is the whole philosophy behind it, a philosophy that I believe is fundamentally flawed.

That philosophy, it seems to me, is based on two fallacies:

  1. That it’s possible to make a place – even virtual ‘places’ like areas of the internet – ‘safe’; and
  2. That the best way to help kids is to ‘protect’ them

For me, neither of these are true – ultimately, both are actually harmful. The first idea promotes complacency – because if you believe an environment is ‘safe’, you don’t have to take care, you don’t have to equip kids with the tools that they need, you can just leave them to it and forget about it. The second idea magnifies this problem, by encouraging a form of dependency – kids will ‘expect’ everything to be safe for them, and they won’t be as creative, as critical, as analytical as they should be, first of all because their sanitised and controlled environment won’t allow it, and secondly because they’ll just get used to being wrapped in cotton wool.

Related to this is the idea, which I’ve seen discussed a number of times recently, of electronic IDs for kids, to ‘prove’ that they’re young enough to enter into these ‘safe’ areas where the kids are ‘protected’ – another laudable idea, but one fraught with problems. There’s already anecdotal evidence of the sale of ‘youth IDs’ on the black market in Belgium, to allow paedophiles access to children’s areas on the net – a kind of reverse of the more familiar sale of ‘adult’ IDs to kids wanting to buy alcohol or visit nightclubs. With the growth of databases in schools (about which I’ve also blogged) the idea that a kids electronic ID would actually guarantee that a ‘kid’ is a kid is deeply flawed. ‘Safe’ areas may easily become stalking grounds…

There’s also the question of who would run these ‘safe’ areas, and for what purpose? A lovely Disney-run ‘safe’ area that is designed to get children to buy into the idea of Disney’s movies – and to buy (or persuade their parents to buy) Disney products? Politically or religiously run ‘safe’ areas which promote, directly or indirectly, particular political or ethical standpoints? Who decides what constitutes ‘unacceptable’ material for kids?

So what do we need to do?

First of all, to disabuse ourselves of these illusions. The internet isn’t ‘safe’ – any more than anywhere in the real world is ‘safe’. Kids can have accidents, meet ‘bad’ people and so on – just as they do in the real world. Remember, too, that the whole idea of ‘stranger danger’ is fundamentally misleading – most abuse that kids receive comes from people they know, people in their family or closely connected to it.

That doesn’t mean that kids should be kept away from the internet – the opposite. The internet offers massive opportunities to kids – and they should be encouraged to use it from a young age, but to use it with intelligence, with a critical and analytical outlook. Kids are far better at this than most people seem to give them credit for – they’re much more ‘savvy’ instinctively than we often think. That ‘savvy’ approach should be encouraged and supported.

What’s more, we have to understand our roles as parents, as teachers, as adults in relation to kids – we’re there to help, and to support, and to encourage. My daughter’s just coming up to six years old, and when she wants to know things, I tell her. If she’s doing something I think is too dangerous, I tell her – and sometimes I stop her. BUT, much of the time – most of the time – I know I need to help her rather than tell her what to do. She learns things best in her own way, in her own time, through her own experience. I watch her and help her – but not all the time. I encourage her to be independent, not to take what people say as guaranteed to be true, but to criticise and judge it for herself.

I don’t always get it right – indeed, I very often get it wrong – but I do at least know that this is how it is, and I try to learn. I know she’s learning – and I know she’ll make mistakes too. She’ll also encounter some bad stuff when she starts exploring the internet for real – I don’t want to stop her encountering it – I want to equip her with the skills she needs to deal with it, and to help her through problems that arise as a result.

I want a savvy kid – not the illusion of a safe internet. Isn’t that a better way?