Once upon a time in Mexico…

A new and disturbing law has almost made its way through the system in Mexico, awaiting only Presidential assent. Under this law, the police would be able to use a mobile phone’s geolocation system immediately, and without a warrant, in order to find that phone (see http://humanrightsgeek.blogspot.co.uk/2012/02/la-inconstitucionalidad-de-la.html – in Spanish, but translatable, and the excellent EFF’s blog https://www.eff.org/deeplinks/2012/03/mexico-adopts-surveillance-legislation ).

The law has been brought in, as I understand, to combat kidnappings, primarily of the children of prominent and influential people – and in many ways it is a classical response to a threat, echoing the various laws that justify intrusion and surveillance to combat the threat of terrorism, from the USA PATRIOT Act downwards.  The law, so far, seems to have passed through the parliamentary system without much resistance, and with huge majorities in votes. In that sense, in the eyes of the powerful at least, it seems to be very popular. And yet it sends shivers down my spine, for a number of reasons.

The first is a theoretical concern: any additional surveillance, any additional privacy-intrusive technology or law should be considered very carefully before bring brought in. When I first heard this story, it brought to mind the words of cybersecurity expert Bruce Schneier, writing in 2010: “It’s bad civic hygiene to build technologies that could someday be used to facilitate a police state. No matter what the eavesdroppers say, these systems cost too much and put us all at greater risk.”

What Scheier said about technology (which is excellent advice, though it seems to be consistently ignored) is equally – and perhaps even more perniciously – true about laws. It is very, very bad civic hygiene to enact laws that could be used to facilitate a police state. In the case of this Mexican law, the ‘police state’ analogy is much closer than in many situations. This doesn’t just make a police state a possibility – on the surface at least it provides the police with an exceptionally powerful tool, with almost no checks and balances.

The second is much more immediately and practically dangerous. As someone who works in the field of privacy and the net, I am all too aware of another story that has been coming out of Mexico over the last year or two: the way that at least four Mexican bloggers have been brutally murdered – decapitated – apparently by the drugs cartels. The bloggers try to work anonymously, but somehow the cartels locate them and kill them. Geolocation might have been used – it is hard to know – but providing another tool to the cartels would seem to put the crucial blogging community at even more risk. By putting a tool in the hands of the police, there is a more than theoretical risk that this tool will be able to be used by the cartels.

These two thoughts – one more theoretical, the other highly practical – are intrinsically linked. The practical risk is a prime example of why the theoretical consideration is important. If we build these systems, and set in place these laws, we need to consider the implications no just insofar as the technologies and laws are ‘intended’ to be used, by the ‘good guys’, but look at what might happen, how they might be used by the ‘bad guys’. Those ‘bad guys’ might be as obviously ‘bad’ as the drugs cartels in Mexico, but they might equally be governments wishing to suppress what they think of as ‘disorder’ but the participants think of as their right to free assembly, to free expression. In the UK, for example, a protest against the government plans for our health service is being planned and the police are concerned about potential disorder, wouldn’t it be nice for the police to be able to track the key organisers? The possibilities and implications are huge…

This is a key moment. If they do this in Mexico, where will it happen next? Law-makers and police forces worldwide may be watching events in Mexico with a great deal of interest.

Dogs will be dogs…

The growing furore over the gathering and retention of location data by smartphones reminds me very strongly of a joke that I heard first in the school playground many years ago. ‘Why does a dog lick his balls? Because he can.’
The same is true about smartphone operators. Why do they gather location data? Because they can. Technically, they can, because of the very nature of smartphones. Legally they can, because our laws over this kind of thing are obtuse and opaque – and because they understand the way they can get ‘consent’ through the small print of terms and conditions that no-one ever reads, let alone understands.
A lot of the discussion about the current furore has centred around the individual companies concerned, and brought out all the usual views of the merits or otherwise of Apple, Google and Microsoft – but whether you consider each of them to be fancified show-bred French poodles, friendly and loveable Labradors or ageing but far from toothless Rottweilers, they’re all dogs, and dogs will be dogs. Even the best behaved and most presentable show dog will lick his balls if he’s allowed to.
Three questions arise for me. Firstly, why are people surprised? Many people seem to be genuinely shocked by what has been revealed – even people who know a great deal about the subject. Is it really such a surprise? We’ve known about the capabilities of smartphones since they first emerged, and about the behaviour of all the companies involved for even longer. Dogs will be dogs.
The second question is whether any of it matters – and for me the answer is clear. Of course it matters, and matters a lot. That doesn’t mean that we need to panic, or need to throw our iPhones, Blackberries and HTCs in the nearest river – just that we need to aware of what is going on, and do what we can to ameliorate or manage the situation.
That brings me to the last question – what, if anything, can be done about it? Well, if we were talking about dogs, the answer would be simple: make sure they’re well trained, and well managed. If badly looked after, dogs behave badly. If they’re well trained, they can be very useful, helpful and excellent pets. They can help us in our personal lives, in our work and in many social situations – but you still need to train them and manage them. We need to do the same for the likes of Apple, Google and Microsoft. Show them who’s boss – using all the tools we can to do so. That means putting the right laws in place, but also using our powers as consumers, as advocates, and lobbyists.
If dogs know what they can do and what they can’t, they’ll behave much better. It’s very hard to train a dog not to lick his balls – and probably just as hard to train companies like Apple, Google and Microsoft not to push the limits of privacy – but it can be done. We need to tell them that this kind of thing is not acceptable – and back up what we say with the law and with our money. If we don’t want our location data gathered, we need to be clear about it.
My personal view is that we have the right not to have this kind of thing happen to us – and that we need to proclaim that right (and other rights) loud and clear.