The latest revelation from the Snowden leaks has caused a good deal of amusement: the NSA has been ‘piggybacking’ on apps like Angry Birds. The images that come to mind are indeed funny – I like the idea of a Man in Black riding on the back of an Angry Bird – but there’s a serious point and a serious risk underneath it, one that’s particularly pertinent on European Data Protection Day.
The point is very simple: the NSA can only get information from ‘leaky’ apps like Angry Birds if those apps collect the information in the first place. If we want to stop the NSA gathering data about us, then, ultimately, the key is to have less data out there, less data gathered – less data gathering, and by commercial entities, not just by governments. Why, you might (and should) ask, does Angry Birds need to gather so much information about you in the first place? And, more importantly, should it be able to?
This hits at the fundamental problem that underlies the whole NSA/GCHQ mass surveillance farrago. As Bruce Schneier put it, quoted here:
“The NSA didn’t wake up and say, ‘Let’s just spy on everybody.’ They looked up and said, ‘Wow, corporations are spying on everybody. Let’s get ourselves a copy.’”
If we want to stop the NSA spying, the first and most important step is to cut down on commercial surveillance. If we want the NSA to have less access to our private and personal data, we need to stop the commercial entities from have so much of our private and personal data. If the commercial entities gather and hold the data, you can be pretty sure that, one way or another, the authorities – and others – will find a way to get access to that data.
That’s where data protection should come in. One of the underlying principles of data protection is ‘data minimisation’: only the minimum of data should be held, and for the minimum length of time, for a specific purpose, one that has been explained to the people about whom the data has been gathered. Sadly, data minimisation is mostly ignored, or at best paid lip service to. It shouldn’t be – and we should be getting angry about it. Yes, we should be angry that Angry Birds is ‘leaky’ – but we should be equally angry that Angry Birds is gathering so much data about us in the first place.
Whatever happens with the reform of data protection – and the reform process has been tortuous over the last two years – we shouldn’t let it be weakened. We shouldn’t let principles like data minimisation be watered down. We should strengthen them, and fight for them. Data Protection has a lot of problems, but it’s still a crucial tool to protect us, and not just from corporate intrusions but from the excesses of the intelligence agencies on others. On European Data Protection Day we should remember that, and do our best to support it.