PRISM: lessons for the future?

The news surrounding PRISM, from the stories about whistle-blower Edward Snowden to the technical analyses of what (if anything) PRISM might actually be, seems to be multiplying every day. This is likely to continue – and in the short term, though more and more information seems to be coming out, it does not look as though we’ll really know what went on for some time – if ever. What is more interesting to me at this stage is how the reaction is playing out – in the media, with politicians, with the ‘geeks’, in the social media and so on. Even without knowing the technical details – let alone the ‘truth’ of what’s happening – there are some things that we can see.

People DO care – and that matters

This point is perhaps the most important – when people are told that their phone calls, their internet activity and so forth are being monitored, particularly without their knowledge and without proper checks and balances, they care about that. The scale of this particular furore has been bigger, in most ways, than any before – which goes pretty much directly against the often-repeated claims that people don’t care about privacy. What’s more, it appears from a number of surveys that young people care more about it than older people – again, going pretty much directly against the suggestion that privacy is somehow an outdated thing, only the concern of old fogeys and geeks (like me). There are many possible reasons for this: it may be that young people understand the internet more, so have a clearer understanding of the implications of monitoring internet behaviour; it may be that young people have even less trust in the authorities than older people; it may be that young people are less convinced by the ‘war on terror’ than older people. It’s hard to be sure – but it is interesting.

The Snoopers’ Charter is substantially similar to PRISM

In effect, what is envisaged in the Snoopers’ Charter (the Communications Data Bill) is almost identical to the ‘worst case scenario’ for PRISM: it allows for ‘black boxes’ to be installed in ISPs, and potentially at the servers of the likes of Facebook, Google etc, it allows for ‘direct access’ to those servers and so forth. If PRISM sounds like a nightmare – then so is the Snoopers’ Charter. I was in the US when the news of PRISM broke – at a privacy conference – and the reaction of many Americans was very interesting. Europeans often see Americans as less concerned by privacy than they should be – things like free speech and free enterprise always seem to take priority – and yet here was outrage and anger, and frustration at overreach by the authorities. If the Americans are worried about PRISM, then we should be doubly worried about the Snoopers’ Charter – and I hope we will use this mess as a bit of a wake-up call.

There are plenty of lessons to learn along these lines, particularly in relation to laws such as the Snoopers’ Charter. One is that whether something is technically legal is not necessarily the key – because the laws themselves may not be what we think they are. On both sides of the Atlantic lawmakers pass laws that they may not understand (something that has been painfully evident during the debate on the Snoopers’ Charter) and when reality bites they find themselves surprised and upset. They need, as many of us have said before, to listen far more carefully to the right people – in the case of the Snoopers’ Charter, they need to really read and understand the submissions to the committee. Another is that when a law is written in an open-ended way (as in the US the PATRIOT Act seems to have been) then authorities will be likely to take advantage, and end up going beyond the apparent intentions of the law. The primary implication is that we need to be much more careful about how these laws are written – and leave less scope for ‘interpretation’. It’s just not enough to ask us to ‘trust’ the authorities, and assume that they will stay within the spirit as well as the letter of the law. That will not do.

We fought off the Snoopers’ Charter once – and we must make sure that it is not revived in anything like its original form.

Arguments and old chestnuts…

Another thing that’s clear is that all the old chestnuts will be brought out in the arguments. Two particular ones get brought out pretty much every time: the idea that ‘if you’ve got nothing to hide’ then you’re OK, and that ‘we’re not listening to your phone calls’. Neither holds water in any way. The ‘nothing to hide’ argument has been debunked at huge length by a vast array of scholars and journalists over the years, from Daniel Solove’s classic piece here to danah boyd’s piece yesterday. The ‘we’re not listening’ argument focusses on traditional wiretapping – and makes far less sense today. The ‘meta-data’ or ‘traffic data’ that surrounds calls, and more particularly internet activity may well be more useful, especially for analytical purposes. It doesn’t just say when you call whom – but things like where you are when you call, the kind of technology you’re using (which device, which software, which provider etc) – and that data can be used for profiling and predictions far more than the content. We shouldn’t be reassured when William Hague or Barack Obama tell us they’re not listening to our calls – it’s pretty much irrelevant. They’re doing things that are far more intrusive.

If we care about governments – we should care about business!

It is interesting to me how much people are now worried about governments getting access to their private ‘stuff’ – when they were (and to an extent still are) far less concerned about businesses having similar access. People seem to trust Facebook, Apple, Google etc with their most intimate details but be deeply upset if the NSA or GCHQ might see it – and yet, for most people, the potential for harm is in many ways greater from businesses than from the authorities. Not only would businesses share their information with the authorities anyway – but they’ll also share it with advertisers, with credit agencies, with insurance companies and others who can have a very direct impact on our lives. They’ll also build up behavioural profiles of us that can be used by the authorities and all of those other groups – profiles that might well end up being sold or even given to those groups.

What does this mean? That we shouldn’t worry about PRISM etc? Precisely the opposite – that we should also worry much more about business gathering and use of data, about businesses tracking us and so forth. We need protection from both governments and business.

Strong data protection is crucial

This should be one of the key lessons from all this – particularly for those of us in Europe. Right now, the Data Protection reform package is being negotiated, and there is strong pressure from some groups – notably business lobby groups and the UK government – to weaken it. We should resist that pressure at all costs – and indeed we should look at ways to strengthen our data protection regime, make it tougher for businesses to hand over data or allow authorities access, bring in more checks and balances. Better, more transparent and more ‘privacy friendly’ business models are needed – amongst other things to increase our trust. That trust is currently quite precarious.

A privacy-friendly future is needed!

People seem to like privacy – and they should. I’ve written about this before, but I think both the desire and the need for a ‘privacy-friendly future’ is getting more intense. The technical side of things is developing apace – cryptography, systems for anonymity and so forth exist and are becoming a bit more than just the preserve of the ‘geek’ community. That has to continue – and should be embraced by mainstream providers. If people like Apple, Google, and Microsoft start to find ways to incorporate the better, stronger and more robust privacy-friendly systems into their own, that could be a selling point as well as helping users. If those developing ‘Do Not Track’ make it stronger, more effective, more clearly ‘do not track’ and less ‘do not target’, and most importantly ON by default, that would help even more. Just as for the business models, we need to have a sense that the technology can be trusted.

Trust in me…..

…because, in the end, trust is important. Trust, however, has to be earned, and has to be deserved. Right now, governments and businesses are losing that trust – and don’t seem to be able to find a way to win it back. It will take more than words – and hearing William Hague tell us that we should trust him, if anything, makes me trust him less. He has to do a great deal more to earn it – as do Apple, Google, Microsoft and so on.

5 thoughts on “PRISM: lessons for the future?”

  1. I think the important feature of this type of surveillance is that if all the data is recorded then people can retrospectively carry out a fishing exercise, sifting through historical data which they could not have got a warrant for in advance. In the case of wire tapping they have to ask for a warrant in advance of tapping your phone and can’t listen to things you said before the warrant. With this they have an opportunity to delve into your past interactions on the basis of a current suspicion, so your current interactions can be accessed at any time in the future.
    I disagree with you about business. Individuals can make their own judgements about what businesses use their data. I enjoy getting recommendations from Amazon for example and if I am going to receive marketing I would rather it was targeted to me. Anything that improves opportunities for trade and effective commerce ought to be a good thing in a recession.
    Also I get to choose my business relationships on a daily basis and as an individual. I only get to vote once every 5 years and if I don’t like the popular choice I have to lump it. So as far as I am concerned it is about keeping the Govt out of my personal life.

    • Thanks for that. Your first point is a good argument to allow the ‘right to be forgotten’: if we can delete data (at least to a degree) then it can’t be sifted through. On business, I think you’re missing one key point: a huge amount of the data gathered by businesses is gathered either without people’s knowledge (e.g. third party behavioural advertisers setting cookies) or without people’s understanding (e.g. a shopping website gathering behavioural data while you browse, rather than when you purchase). In particular, people are unaware of the ways that profiling and data aggregation work – and unaware how their gathered data may be sold to or used by third parties. E.g. buy some sugar-free chocolate from a website – and find your health insurance premiums going up because they think there’s a significant chance you’re a diabetic….
