I was fortunate enough to speak at the Internet and Human Rights Conference at the Human Rights Law Centre at the University of Nottingham on Wednesday. My talk was on the topic of internet surveillance – as performed both by governments and by commercial entities. This is approximately what I said – I very rarely have fully written texts when I talk or lecture, and this was no exception. As you can see, I had one ‘official’ title, but the talk had a number of alternative titles…
Surveillance and Consent
Or
Big Brother is watching you – and so are his commercial partners
Or
What Edward Snowden can teach us about the commercial Internet
Or
To what do we consent, when we enter the Internet?
In particular, do we consent to surveillance? If we do, by whom? When? And on what terms? There are three parts to this talk:
1) Government surveillance and consent
2) Commercial surveillance and consent
3) Forging a (more) privacy friendly future?
1: Government surveillance and consent.
Big Brother is Watching You. He really is. Some of us have always thought so – even if we’ve sometimes been called conspiracy theorists when we’ve articulated those thoughts. Since the revelations of Edward Snowden this summer, we’ve been taken a bit more seriously – and quite rightly so.
The first and perhaps most important question to ask is why the authorities perform surveillance? Counter-terrorism? That’s the one most commonly mentioned. Detection and enforcement of criminal law? Crime prevention? Prevention of disorder? Dealing with child abuse images and tracking down paedophiles? Monitoring of social trends? There are different degrees to all these areas – and potentially some very slippery slopes. Some of the surveillance is clearly beneficial – but some is highly debatable. When looking in the area of crime and disorder this is particularly true when one considers police tactics in the past, from dealing with the anti-nuclear movements in the sixties, seventies and eighties to the shocking revelation about the infiltration of environmental activists more recently. Even this summer, the government admitted that it monitored people’s social media activities in order to ‘head off’ the badger cull protests. Was that right? Are other forms of ‘social control’ through surveillance acceptable? They should at least raise questions.
When looking at government surveillance, we need to ask what is acceptable? Where do we draw the line? Who draws that line? How much of this do we consent to? There are a number of different ways to look at this.
Societal consent?
Do we, as a societies, consent to this kind of surveillance? It is not at all clear that we do, even in the UK, if the furore that lead to the defeat of the Snoopers Charter is anything to go by, or the reaction to Edward Snowden’s revelations in most of the world (though not so much in the UK) is any guide. Do we, as societies, understand the level of surveillance that our governments are performing? It doesn’t seem likely given the surprise shown as more and more of the reality of the situation is revealed. Can we, as societies, understand all of this? Perhaps not fully, but certainly a lot more than we currently do.
Parliamentary consent?
Do we effectively consent by delegating our decisions to our political representatives? By electing them, are we consenting to their decision-making, both in general and in the particular area of internet surveillance? This is a big political question in any situation – but anyone who has observed MPs, even supposedly expert MPs, knows that the level of knowledge and understanding of either the internet or surveillance is appalling. Labour’s Helen Goodman, the Tories’ Clare Perry, the Lib Dems’ Tom Brake, all of whom have been (and still are) in positions of power and responsibility within their own parties in relation to the internet have a level of understanding that would be disappointing in a secondary school pupil.
The Intelligence and Security Committee, who made their first public appearance in November, demonstrated that they were pretty much entirely incapable of providing the scrutiny necessary to represent us – and to hold Big Brother to account on our behalf. Most of the Home Affairs Committee – and the chair, Keith Vaz, in particular, demonstrated this even more dramatically this Tuesday, when questioning Guardian Editor Alan Rusbridger. Keith Vaz’s McCarthy-esque question to Rusbridger ‘do you love your country’ was sadly indicative of the general tone and level of much of the questioning.
There are some MPs who could understand this, but they are few and far between – Lib Dem Julian Huppert, Labour’s Tom Watson, the Tories’ David Davis are the best and perhaps only real examples, but they are mavericks. None are on the front benches, and none seem to have that much influence on their political bosses. Parliament, therefore, seems to offer little help. Whether it could ever offer that help – whether we could ever have politicians with enough understanding of the issues to act on our behalf in a meaningful way, is another question. I hope so – but I may well be pipe dreaming.
Automatic or assumed consent?
Perhaps none of this matters. Could it this kind of government surveillance something we automatically consent to when we use the Internet? Simply by using the net, do we automatically consent to being observed? Is this the price that we have to pay – and that we can be assumed to be willing to pay – in order to use the internet? Scott McNealy’s infamous quote – you have zero privacy anyway, get over it – may be old enough to represent common knowledge. Can we assume that everyone knows they have no privacy? Would that be reasonable, even if it were true? It isn’t true of the public telephone system – wholesale wiretapping isn’t acceptable or accepted, not even of the metadata.
I don’t think any of these – societal, parliamentary or ‘assumed’ really work, or would be sufficient even if they did – because amongst other things because we simply haven’t known what was going on. Our consent, such as it existed, could not have been informed consent, in either of the two ways that can be understood. We did not have the information. We were deliberately kept in the dark. And experience suggests that when we do know more, we tend to object more – as events like the defeat of the Snoopers’ Charter demonstrate.
Do we know what we are consenting to?
Do we understand what the implications of this surveillance actually are? This isn’t just about privacy, no matter how much people like Malcolm Rifkind tries to frame it that way. It isn’t just about individual either – sometimes through this kind of framing it can seem as though asking for privacy is an act of selfishness, and that we should be ashamed of ourselves, and sacrifice our privacy for the greater good – for security.
This is quite wrong – and in many ways framing it in this way is deliberately deceptive. There is a significant impact on many kinds of human rights, not just on privacy. Freedom of expression is chilled – both by overt surveillance through the panopticon effect and through covert surveillance through the imbalance of power that allows control to be exerted. Freedom of association and assembly are deeply affected – both online through the disruption and chilling of online communities, and offline through the disruption of the organisation of ‘real world’ protest and so forth. There’s more too – profiling can allow for discrimination. Indeed, as we shall see, discrimination of a different form is fundamental to commercial surveillance – so can be easily enabled in other ways. Ultimately, too, it can even impact upon freedom of thought – as profiling develops, it could allow the profiler to know what you want even before you do.
So even if we have given consent before, that consent is not really valid. The internet is not like old-fashioned communications. We do more online than we ever did through other forms of communication The nature of the surveillance itself has changed – and the impact of it. Any old consent that did exist should be revoked. If Big Brother wants to keep watching us, He needs to ask again.
2: Commercial surveillance and consent
This is an issue much closer to the common legal understanding of consent – and one that has been much debated. It’s one of the key subjects of the current discussions over the reform of the data protection regime. Edward Snowden, however, has thrown a bit of a spanner into that debate, and those discussions.
To understand what this means, we need to understand commercial surveillance better. Who does ‘commercial’ surveillance? What do I mean by commercial surveillance? Surveillance where money is the motivation – or, to be more precise, where commercial benefit is the motivation. This means things like behavioural tracking – for various purposes – but it also means profiling, it means analysis, all of which are done extensively by all the big players on the Internet, with little or no real idea of consent.
Does commercial surveillance matter?
Commercial surveillance does not often seem to be something people (other than a few privacy geeks like me) care about that much. It’s just about advertising, isn’t it? Doesn’t do anyone any harm? Opt-out’s OK, those paranoid privacy geeks can avoid it if they want, for the rest of us it’s what pays for the net, right? For people like me, there are big concerns – and in some ways it might matter more for most people than surveillance by the NSA and GCHQ. The idea – the one that’s being sold to us – is that it’s about ‘tailoring’ or ‘personalisation’ of your web experience. We can get more relevant content and and more appropriate advertising…
…but that also means that it can have a real impact on real people, from price and service discrimination to an influence on such things credit ratings, insurance premiums and job prospects. Real things that matter to almost all of us. There’s even the possibility of political manipulation – from personalised political advertising to detailed targeting of key ‘swing’ voters, putting even more political influence into the hands of those with the deepest pockets – for it is the deepest pockets that allow access to the ‘biggest’ data, and the most sophisticated profiling and targeting systems.
What Edward Snowden could teach us…
Some parts of the revelations from Edward Snowden should make us think again. PRISM, in particular, should change people’s attitudes to commercial surveillance. This is what Edward Snowden has to teach us. Look at the purported nature of the PRISM program. ‘Direct access’ to the servers of the big Internet companies – including Google and Facebook. Who does commercial surveillance more than Google and Facebook? What’s more, the interaction between governments and businesses is much closer than it might immediately seem. They share technology – and businesses have even let governments subvert their technology, building backdoors, undermining encryption systems and so forth. They share techniques – and even share data, whether willingly or otherwise.
Shared techniques…
Behavioural profiling is just what governments want to do. Behavioural analysis is just what governments want to do. Behavioural targeting is just what governments want to do Is identifying potential customers any different from identifying potential suspects? Is identifying potential markets any different from identifying potential protest groups (such as those involved in the aforementioned badger cull protest)? Or potential dissidents? Is predicting political trends and political risks any different from predicting market trends? Is ‘nudging’ a market that different from manipulating politics? The Internet companies have built engines to do all the authorities’ work for them (well, OK, most of the authorities’ work for them). They just need to tap into those engines. Tailor them a bit. It’s perfect surveillance, and we’ve helped build it. We’ve ‘consented’ to it.
Who is undermining privacy?
So who is undermining privacy? The spooks with their secret surveillance… ….or the business leaders telling us to share everything and that, as Mark Zuckerberg put it, ‘privacy is no longer a social norm’? This ‘de-normalisation’ of privacy – apologies for the word, which I suspect doesn’t really exist – amounts to an attempt to normalise surveillance. The extent to which this desired and pushed-for ‘de-normalisation’ has contributed to the increasing levels of surveillance is essentially a matter for conjecture, but it’s hard not to see a connection.
Paranoid privacy geeks like me have been warning about for a while – but just because we’re paranoid, it doesn’t mean we’re wrong. In this case, it’s looking increasingly as though we were right all along – and that the situation is even worse than we thought.
Is this what we consented to when we signed up for Facebook? Is this what we consent to each time we do a Google search? Is this what we expect when we watch a YouTube video or play a game of Words with Friends? I don’t think so. With new information there should come new understanding – and a reassessment of the situation. We need to decide.
3: A (more) privacy-friendly future?
A three-way consensus is needed. People, businesses and governments need to come to an agreement about what the parameters are, about what it acceptable. About what we consent to. All three groups have power – but at the moment only the authorities seem to be really wielding theirs.
Imagine what would happen if Facebook’s Mark Zuckerberg, Google’s Sergey Brin, Apple’s Tim Cook and their fellows from Microsoft, eBay, Twitter etc all came together and said to the US government ‘No’! Would they be locked up? Would their companies be viciously punished? It seems unlikely – they are much more powerful than they realise. We often talk about the power of the corporate lobbyists – this power could be wielded in a positive way, not just a negative way…
…but it only will if there’s a profit in it for the companies concerned. And that’s where we come in.
We have a key part to play. We need to keep making noises. We need to keep informing people, keep lobbying. Make sure that the companies know that we care about privacy – and not just in relation to governments. Then the companies might start to make a move that helps us.
There are some signs that this might be the case – from the noises from Zuckerberg and so on about how upset they are about the NSA to the current crop of ‘Outlook.com’ advertisements that proclaim loudly how they don’t scan your emails the way that Google do – though it is difficult to tell whether this is just lip service. They talk a lot about transparency, not so much about a reduction in actual surveillance by government – let alone by themselves. If they can wield this power in our favour it could help a lot – but it will only be wielded in this positive way if we make them. So we must be clear that we do not consent to the current situation. We do not consent to surveillance.
Paul Bernal's Blog 
I think Zuckerberg is right in terms of privacy no longer being so important to people. I remember years ago the author Robert Anton Wilson saying that privacy was a bad thing. He reasoned that if 10 people each had 10 bits of information which they kept private then they each had 10 bits of information. However, if they shared them then they would each have 100 bits of information. He was so anti-privacy that he thought people should be able to read each others mail. In many ways his wishes have come true. A someone who likes openness I feel that society has improved for the better.
I think the lack of concern about private surveillance is partly cultural. Geek culture is American driven and people there tend to be very mistrustful of Government and quite trustful of commerce. In Britain which has always been highly regulated and not very entrepreneurial the opposite is true.
I frequently express a view that I am unconcerned about private companies but concerned about Government surveillance. This is partly to annoy British middle class people who anti-capitalism and pro-authoritarian Government. However, it is also because I value the product choices that people like Amazon offer me as a result of profiling. .
Thanks – I remain unconvinced by Zuckerberg, particularly given his massive vested interest. For me, based on both my research and my discussions with students, it’s more that the kind of privacy people care about has changed. Kids really do care about privacy, but on their own terms.
I’ll see if I can reply more later… I’m not at my best today!
Paul A lot of good points, i would suggest that we return to the basics of political philosophy–consent and legitimacy. When do we consent to enter political society or the social contract? We have no choice to exist in physical space and the modern state system covers the globe so there is very little space for an individual to live beyond its reach. We have to consent to travel and be received by a state. The o,ly exception being the high seas, but even there one must sooner or later return to land.
The digital domain demands consent to enter as one has the choice to participate explicitly. We have an implicit participation, if the government has made our personal data available in the digital domain. Our choice, though, unlike the physical realm, is mediated by technology. We rely upon someone else either the state or a corporation to gain access. Therein we see a problem because we cann choose to remain private by not participating in the public digital domain.
The second issue is legitimacy. To date no one has shown or demonstrated that the surveillance or disproportionate to the threat. In the US the surveillance has not been shown to be illegal nor unconstitutional. In large part because it is national security which exists beyond the law by definition. The survival of the regime has to be beyond the law of the regime. To paraphrase, the constitution is not a suicide pact. The issue then is the nature of the threat in that it transcends the foreign domestic split. In that regard the threat does not allow us to keep a clear or neat distinction between domestic team, of law and constitutions, and the foreign, external, realm of force and fraud. Here sovereignty does not matter so it is important to rely on the role of legitimacy created by constitutional and regime based institutions and supported by consent. Legit.acy is supported by the rule of law and restrained balanced government that respects citizens rights, per the social contract, as it fulfills it by keeping the citizen safe.
Were the surveillance or the state’s power to be used for illegitimate purposes such as political goal of a political party rather than legitimate goal of national security, then legitimacy would be in jeopardy. In the same way if the government fails to protect it citizens it becomes illegitimate. We have not been shown that the governments are illegitimate and sk the social contract remains in force. Although the relationship with business is different, the principles remain. The key is that the state has to have the technological power to protect the individual from the businesses and enforce the rule of law. The deeper problem though is that our natural person does not correspond to ojr digital person and the business is able to take advantage k, large part because it is a legal person lacking physical presence which makes it suitable, almost ideal, for the digital do.ai,. Until the physical and digital are reconciled to the individuals advantage it will become the standing reserve of the digital economy with consequences worse than the chilling of free speech. I, many ways our speech is chilled more by our electronic neighbours than the state. The digital domain allows the worst excesses of the communitarian school. Conformity is enforced by digital vigilantes dishing our reeducation and ensuring conformity worse than any democratic government. I have never had a government call me a troll, but i h e had a social media potentate do that. The powerful can wield greater power to chill debate by whipping ip their followers into an unthinking mob intent on dispensing rough justice.
Good post. Thanks. Best
Lawrence
The converse to your question on proportionality is that no-one has convincingly demonstrated that the threat is sufficiently great to justify the intrusion either…
…but what I really want is the decisions, the consent, to be better informed…
Do we need bodies in the street to understand that the war in the shadows is waged to avoid that outcome. As my mentor Bill Rood wrote in his medal winning essay Distant Rampart 1967 if you are fighting on your own soil you have already lost. In 200
lost when it had to fight on its soil. The nature of war and the threats have changed. America now defends itself in depth starting with strengthening its ideals and its example to the world. A nation that can elect Barack Obama and fulfill the promise and potential of its founding sends a powerful message with its example. America’s enemies know America cannot be defeated through conventional weapons or nuclear weapons so they must choose an asymmetrical threats and means. The digital threat and terror attacks are the way to strike deep into the heart of America and deter her from bringing her example to the world. There are many groups who hate America and what it stands for with its commitment to equality.
I do not believe or accept that we need to remove representational government so the autonomous individual can satisfied their curiosity on a daily basis that the laws cater to their individual whims. We have killed God amd we want to destroy anything that even appears to constrains the autonomous individual’s appetites to the point of self destruction. When the Leviathan is blind who will protect the weak, vulnerable and the vanquished? Who will ensure our rights or will we return to a state of nature in which our blind faith in the autonomous individual’s appetites leaves us unable to defend ourselves from the beasts who live beyond the laws? Man remains wolf to man is the threat. Look around for the proof. Without the state we would be on the brink of Congo or Syria.