what do we know and what should we do about…? internet privacy

My new book, what do we know and what should we do about internet privacy has just been published, by Sage. It is part of a series of books covering a wide range of current topics – the first ones have been on immigration, inequality, the future of work and housing. 

This is a very different kind of book from my first two books – Internet Privacy Rights, and The Internet, Warts and All, both of which are large, relatively serious academic books, published by Cambridge University Press, and sufficiently expensive and academic as to be purchasable only by other academics – or more likely university libraries. The new book is meant for a much more general audience – it is short, written intentionally accessibly, and for sale at less than £10. It’s not a law book – the series is primarily social science, and in many ways I would call the book more sociology than anything else. I was asked to write the book by the excellent Chris Grey – whose Brexit blogs have been vital reading over the last few years – and I was delighted to be asked, because making this subject in particular more accessible has been something I’ve been wanting to do for a long time. Internet privacy has been a subject for geeks and nerds for years – but as this new book tries to show, it’s something that matters more and more for everyone these days.

It may be a short book (well, it is a short book, well under 100 pages) but it covers a wide range. It starts by setting the context – a brief history of privacy, a brief history of the internet, and then showing how we got from what were optimistic, liberal and free beginnings to the current situation – all-pervading surveillance, government involvement at every level, domination by a few, huge corporations with their own interests at heart. It looks at the key developments along the way – the world-wide-web, search, social networks – and their privacy implications. It then focusses on the biggest ‘new’ issues: location data, health data, facial recognition and other biometrics, the internet of things, and political data and political manipulation. It sketches out how each of these matters significantly – but how the combination of them matters even more, and what it means in terms of our privacy, our autonomy and our future.

The final part of the book – the ‘what should we do about…’ section – is by its nature rather shorter. There is not as much that we can do as many of us would like – as the book outlines, we have reached a position from which it is very difficult to escape. We have built dependencies that are hard to find alternatives to – but not impossible. The book outlines some of the key strategies – from doing our best to extricate ourselves from the disaster that is Facebook to persuading our governments not to follow the current ultimately destructive paths that it seems determined to pursue. Two policies get particular attention: Real Names, which though superficially attractive are ultimately destructive and authoritarian, fail to deal with the issues they claim to and put vulnerable people in more danger, and the current and fundamentally misguided attempts to undermine the effectiveness of encryption.

Can we change? I have to admit this is not a very optimistic book, despite the cheery pink colour of its cover, but it is not completely negative. I hope that the starting point is raising awareness, which is what this book is intended to do.

The book can be purchased directly from Sage here, or via Amazon here, though if you buy it through Amazon, after you’ve read the book you might feel you should have bought it another way!

 

Paul Bernal

February 2020

A better debate on surveillance?

Back in 2015, Andrew Parker, the head of MI5, called for a ‘mature debate’ on surveillance – in advance of the Investigatory Powers Bill, the surveillance law which has now almost finished making its way through parliament, and will almost certainly become law in a few months time. Though there has been, at least in some ways, a better debate over this bill than over previous attempts to update the UK’s surveillance law, it still seems as though the debate in both politics and the media remains distinctly superficial and indeed often deeply misleading.

It is in this context that I have a new academic paper out: “Data gathering, surveillance and human rights: recasting the debate”, in a new journal, the Journal of Cyber Policy. It is an academic piece, and access, sadly, is relatively restricted, so I wanted to say a little about the piece here, in a blog which is freely accessible to all – at least in places where censorship of the internet has not yet taken full hold.

The essence of the argument in the paper is relatively straightforward. The debate over surveillance is simplified and miscast in a number of ways, and those ways in general tend to make surveillance seem more positive and effective that it is, and with less broad and significant an impact on ordinary people than it might have. The rights that it impinges are underplayed, and the side-effects of the surveillance are barely mentioned, making surveillance seem much more attractive than should be – and hence decisions are made that might not have been made if the debate had been better informed. If the debate is improved, then the decisions will be improved – and we might have both better law and better surveillance practices.

Perhaps the most important way in which the debate needs to be improved is to understand that surveillance does not just impact upon what is portrayed as a kind of selfish, individual privacy – privacy that it is implied does not matter for those who ‘have nothing to hide’ – but upon a wide range of what are generally described as ‘civil liberties’. It has a big impact on freedom of speech – an impact that been empirically evidenced in the last year – and upon freedom of association and assembly, both online and in the ‘real’ world. One of the main reasons for this – a reason largely missed by those who advocate for more surveillance – is that we use the internet for so many more things than we ever used telephones and letters, or even email. We work, play, romance and research our health. We organise our social lives, find entertainment, shop, discuss politics, do our finances and much, much more. There is pretty much no element of our lives that does not have a very significant online element – and that means that surveillance touches all aspects of our lives, and any chilling effect doesn’t just chill speech or invade selfish privacy, but almost everything.

This, and much more, is discussed in my paper – which I hope will contribute to the debate, and indeed stimulate debate. Some of it is contentious – the role of commercial surveillance the interaction between it and state surveillance – but that too is intentional. Contentious issues need to be discussed.

There is one particular point that often gets missed – the question of when surveillance occurs. Is it when data is gathered, when it is algorithmically analysed, or when human eyes finally look at it. In the end, this may be a semantic point – what technically counts as ‘surveillance’ is less important than what actually has an impact on people, which begins at the data gathering stage. In my conclusion, I bring out that point by quoting our new Prime Minister, from her time as Home Secretary and chief instigator of our current manifestation of surveillance law. This is how I put it in the paper:

“Statements such as Theresa May’s that ‘the UK does not engage in mass surveillance’ though semantically arguable, are in effect deeply unhelpful. A more accurate statement would be that:

‘the UK engages in bulk data gathering that interferes not only with privacy but with freedom of expression, association and assembly, the right to a free trial and the prohibition of discrimination, and which puts people at a wide variety of unacknowledged and unquantified risks.’”

It is only when we can have clearer debate, acknowledging the real risks, that we can come to appropriate conclusions. We are probably too late for that to happen in relation to the Investigatory Powers Bill, but given that the bill includes measures such as the contentious Internet Connection Records that seem likely to fail, in expensive and probably farcical ways, the debate will be returned to again and again. Next time, perhaps it might be a better debate.

Will the government ‘get’ digital policy?

I had an interesting time at the ‘Seventh Annual Parliament and Internet Conference’ yesterday – and came away slightly less depressed than I expected to be. It seemed to me that there were chinks of light emerging amidst the usually stygian darkness that is UK government digital policy and practice – and signs that at least some of the parliamentarians are starting to ‘get it’. There were also some excellent people there from other areas – from industry, from civil society, from academia – and I learned as much from private conversations as I did in the main sessions.

The highlight of the conference, without a doubt, was Andy Smith, the PSTSA Security Manager at the Cabinet Office, recommending to everyone that they should use fake names on the internet everywhere except when dealing with the government – the faces of the delegation from Facebook, whose ‘real names’ policy I’ve blogged about before were a sight to behold. Andy Smith’s suggestion was noted and reported on by Brian Wheeler of the BBC within minutes, and made Slashdot shortly after.

It was a moment of high comedy – Facebook’s Simon Milner, on a panel in the afternoon, said he had had a ‘chat’ with Andy Smith afterwards, a chat which I think a lot of us would have liked to listen in on. The comedic side, though, reveals exactly why this is such a thorny issue. Smith, to a great extent, is right that we should be deeply concerned by the extent to which our real information is being gathered, held and used by commercial providers for their own purposes – but he’s quite wrong that we should be able and willing to trust the government to hold our data any more securely or use it any more responsibly. The data disasters when HMRC lost the Child Benefit details of 25 million families or the numerous times the MoD has lost unencrypted laptops with all the details of both serving and retired members of the armed forces – and potential recruits – are not exceptions but symptoms of a much deeper problem. Trusting the government to look after our data is almost as dangerous as trusting the likes of Facebook and Google.

The worst aspect of the conference for me was that there seemed to still be a large number of people who believed that ‘complete’ security was not just possible but practical and just a few tweaks away. It’s a dangerous delusion – and means that bad decisions are being made, and likely to continue. A few other key points of the conference:

• Chloe Smith, giving the morning keynote, demonstrated that she’d learned a little from her Newsnight mauling – she was better at evading questions, even if she was no better at actually answering them.
• In Chi Onwurah, Labour have a real star – I hope she gets a key position in a future Labour government (should one come to pass)
• We’ve got a long way to go with the Defamation Bill – without seeing the regulations that will accompany the bill, which apparently haven’t even been drafted yet, it’s all but impossible to know whether it will have any real effect (at least insofar as the internet is concerned)
• In a private conversation, someone who really would know told me that one of the problems with sorting out the Defamation Bill has been an apparent obsession that Westminster insiders have with the ‘threat’ from anonymous bloggers – I suspect Guido Fawkes would be delighted by the amount of fear and loathing he seems to have generated in MPs, and how much it seems to have distracted them from doing what they should on defamation and libel reform.
• After a few conversations, I’m quietly optimistic that we’ll be able to defeat the Communications Data Bill – it wasn’t on the agenda at the conference, but it was on many people’s minds and the whispers were generally more positive than I had feared they might be. Time will tell, of course.
• Ed Vaizey is funny and interesting – but potentially deeply dangerous. His enthusiasm for the ‘iron fist’ side of copyright enforcement built into the Digital Economy Act was palpable and depressing. The way he spoke, it seemed as though the copyright lobby have him in the palm of their hand – and that neither they nor he have learned anything about the failure of the whole approach.
• Vaizey’s words on porn-blocking – he seemed to suggest that we’ll go for an ‘opt-out’ blocking systems, where child-free households would effectively have to ‘register’ for access to porn, something which has HUGE risks (see my blog here) – were worrying, but again, another insider assured me that this wasn’t what he meant to say, nor the proposal currently on the table. This will need very careful watching!!
• The savaging of Vaizey by a questioner from the floor revealing how much better and cheaper broadband internet access was in Bucharest than in Westminster was enjoyed by most – but not Vaizey, nor the industry representatives who remained conspicuously quiet.
• Julian Huppert – my MP, amongst other things – was again impressive, and seems to have understood the importance of privacy in all areas: the fact that Nick Pickles of Big Brother Watch was invited to the panel on the internet of things that Huppert chaired made that point.
• On that subject – mentions of either privacy or free speech were conspicuous by their absence in the early sessions on cybersecurity, but they grew both in presence and importance during the day. I asked a couple of questions, and they were both taken seriously and answered reasonably well. There’s a huge way to go, of course, but I did feel that the issue is taken a touch more seriously than it used to be. Mind you, none of the government representatives mentioned either in their speeches at all – it was all ‘economy’ and ‘security’, without much space for human rights….
• The revelation from the excellent Tom Scott that though the rest of us are blocked from accessing the Pirate Bay, it IS accessible from Parliament was particularly good – and when my neighbour accessed the site and saw the picture of Richard O’Dwyer on the front page, it was poignant…

I came away from the conference with distinctly mixed feelings – there are some very good signs and some very bad ones. The biggest problem is that the really good people are still not in the positions of power, or seemingly being listened to – and those at the top don’t seem to be changing as fast as the rest. If we could replace Ed Vaizey with Julian Huppert and Chloe Smith with Chi Onwurah, government digital policy would be vastly improved….

The beginning or the end of cyberlaw?

From time to time I have described myself as a ‘cyberlawyer’. When I’ve done so, I’ve had three kinds of reaction: the positive, the negative and the dumbfounded. Some people find the idea of cyberlaw almost exciting – looking to the future in a kind of William Gibson-esque way. Others look at it with derision – Easterbrook’s comparison of it with the non-existent law of the horse back in 1996 is one that echoes still. Some simply don’t understand what cyberlaw is, or what it might be.

For a long time I’ve taken the side of the first – indeed, my enjoyment of science fiction was certainly part of what led me down the path of cyberlaw – but I’m beginning to think that the other two reactions are perhaps more appropriate – though not necessarily for the reasons that proponents of either argument might have made. It’s not, as Easterbrook suggested, that cyberlaw is too much of a niche subject, nor that ‘cyberspace’ is something only of interest to geeks and nerds. The opposite. Increasingly it seems that almost all lawyers will have to learn cyberlaw – and that almost all people are becoming citizens of cyberspace.

The significance of cyberlaw within the legal community seems to be growing. The first time I went to the cyberlaw section of the Society of Legal Scholars conference, at the LSE in 2008, I sat through sessions with just a handful of other scholars – making even a small seminar room feel empty. This year, at Downing College Cambridge, it was standing room only as pretty much every session was packed beyond the capacity of the room. We had to borrow chairs from other far less popular sessions, and even thought of moving to one of the bigger venues. In other ways, too, cyberlaw seems to be becoming more mainstream. Over the last month or so I’ve been lucky enough to make contributions to two high-quality blogs well outside the realms of cyberspace – most recently writing about web-blocking for the UK Constitutional Law Group blog, and before that writing about the ‘right to be forgotten’ for the excellent INFORRM media law blog. Whilst I would like to pretend that I’ve been asked to make these contributions because of my individual brilliance, I have a feeling it’s much more of a reflection of the way that cyberlaw now impacts upon almost every aspect of law – and not just media and constitutional law.

Media lawyers need to understand the ‘new media’. Constitutional lawyers need to think about the impact of the cross-border nature of the internet on sovereignty, and the way that rights function online. Employment lawyers need to consider how social media impacts upon things like hiring and firing. Commercial lawyers need to understand electronic contracting. Intellectual property lawyers may well spend more time dealing with digital IP than anything else.  Tax lawyers have to grapple with the complex issues of jurisdiction and so forth. Criminal lawyers have to look at how the rules of evidence apply to digital records, and think carefully about the legality of electronic investigatory methods. Human rights lawyers – and I consider my field to be as much human rights as cyberlaw – need to understand both the opportunities for and threats to human rights that arise as a result of the internet. And for each branch of law these are just some of the more obvious and superficial ways in which the digital world has to be taken into account – there are few areas of law where the internet doesn’t have a significant impact.

So what does this mean? Does the increasing importance of cyberlaw mean that we all have to become cyberlawyers – and hence that the whole idea of cyberlaw disappears? Will every lawyer be a cyberlawyer? Ultimately that may be so – but there’s a long way to go before that happens. The law is still finding it hard to come to terms with the internet, for all the efforts of the pioneering cyberlawyers – and the politicians are even further behind, with a few honourable exceptions. There’s also a significant rump of the legal ‘establishment’ that may have to be dragged kicking and screaming into the brave new world where ‘reality’ and ‘cyberspace’ are increasingly integrated. It’s coming, though, and faster, I suspect, than even people like me imagine.