Surveillance: Needles in Haystacks…

I watched and listened to the ‘open’ evidence session of the Intelligence and Security Committee (‘ISC’) yesterday with a sense of sadness more than anything else. It was of course entirely predictable that the session would primarily be about putting as positive as possible a spin on the surveillance activities of the intelligence services but even so I found myself disappointed. The ISC is as close as we currently get to something that scrutinises the activities of the intelligence services – but on the basis of what we saw yesterday they are neither capable of such scrutiny nor do they have the desire to provide it. ‘Supine’ was the word that sprang immediately to mind.

Malcolm Rifkind, chairing the committee, seemed determined that the only result of the session would be vindication of the intelligence services – and demonstrated only that he does not understand why people are concerned, and why they are right to be concerned. The rest of the committee, all of whom have effectively been personally selected by the Prime Minister, were little better – and some were even worse. The way that Hazel Blears in particular practically purred her appreciation of the wonderful job being done by the heads of GCHQ, MI5 and MI6 was deeply depressing to anyone who hoped that this would be the beginning of a new era of openness by the intelligence community. Instead, it seemed that they were determined to continue to misinform and mislead the public.

It’s the metadata, stupid…

A couple of things stood out. One was that, yet again, that old chestnut ‘we’re not reading your emails or listening to your phone calls’ was wheeled out by the spy chiefs – and no-one on the committee picked them up on it. No-one who understands anything about internet surveillance has an image of old-style spies sitting in darkened rooms with headphones on listening to our every word. It’s not the ‘content’ of the phone calls or the emails that matters so much – it’s the metadata, the information that surrounds the calls, the emails, the web-browsing that really counts. That metadata gives different information about the subject than the contents – but in many ways much better information, more analysable information, more nuanced information. It is much more useful for profiling, for predicting activities, for tracking and so forth. The intelligence chiefs know that very well – and yet they continue to bring out the ‘not listening to your phone calls or reading your emails’ line again and again. The committee ought to know this too – and ought to have called the intelligence chiefs out on it. They didn’t – whether because they don’t understand or because they don’t want to rock the boat it’s hard to tell. Perhaps both.

Surveillance happens at the data gathering stage

The other key aspect of the surveillance that wasn’t touched upon is when the surveillance happens – at the gathering stage, or at the accessing stage. Again, I’m not sure that the committee understood the importance of this distinction, but it’s an absolutely crucial one. The current system assumes that gathering data on all of us is absolutely fine – indeed, that’s the basic premise of the surveillance systems they appear to use, and was the essence of the Communications Data Bill that was defeated last year. Hoover up as much data as possible, then put the checks and balances, the controls, at the access stage. That, however, is a wholly flawed approach if privacy is to be taken at all seriously. It leaves the systems and the data open to abuse, to function creep, to hacking, to human error – and indeed to leaks like the one performed by Edward Snowden that the spy chiefs deplored so vehemently.

The European Court of Human Rights recognised this – in the notable case S and Marper v. the United Kingdom, they concluded that “the mere retention and storing of personal data by public authorities, however obtained, are to be regarded as having direct impact on the private-life interest of an individual concerned, irrespective of whether subsequent use is made of the data.” They are right – and if neither the ISC nor the spy chiefs know or understand this, that is deeply disappointing. If they know it, and don’t see how it applies to their surveillance activities, that is even more disappointing. If they do see how it applies, and fail to mention it, that’s still worse.

Needles in Haystacks

The ‘needles in haystacks’ analogy was made a number of times during the session, and it is indeed apposite – but to me it has very different implications to those drawn by the spy chiefs. They don’t seem to understand some key aspects of the old proverb. For a start, needles aren’t generally found in haystacks – and the point of the proverb is that trying to find a needle in a haystack is a thankless task, and one doomed to failure. More importantly, however, they don’t seem to understand that their approach is what builds the haystack in the first place! It’s the universal rather than targeted surveillance model that generates that huge haystack.

For me, that’s the real point of the proverb – and it applies directly here. If you set yourself a thankless, impossible task, the question you should be asking is whether there might be another way, a better way, to solve the problem. Perhaps you can get another needle from somewhere else. Perhaps you can use another tool instead of the needle. Perhaps the task isn’t worth doing anyway. Perhaps counter-terrorism can be done in cleverer, subtler, less privacy invasive ways.

That question – whether there is an alternative – didn’t seem to enter the minds of any of the members of the ISC yesterday. Whether it has entered the minds of the spy chiefs is another matter – if it has, they certainly didn’t want to mention it. Indeed, finding any kind of suggestion of an alternative to the current approach in yesterday’s open session was as hard as finding a needle in a haystack….

If privacy is dead, we need to resurrect it!

Back in 1999, Scott McNealy, then CEO of Sun Microsystems, told journalists that privacy was dead.

“You have zero privacy anyway,” he said, “Get over it.”

In internet terms, 1999 was a very long time ago. It was before Facebook even existed. Before the iPhone was even a glint in Steve Jobs’ eye. Google was barely a year old. And yet even then, serious people in the computer industry had already given up on privacy.

The reactions of many politicians around the world – and particularly in the US – to the revelations of the activities of the NSA, GCHQ and others have echoed this sentiment. Privacy was already dead, many of them seem to be assuming, the only problem here is transparency. ‘We should have told you what we were doing’ seems to be one of the most common lines, ‘and we’ll find a way to be more open about it in the future’. The big companies echo that line, wanting to be allowed to say more about when they’ve given over information, about how many requests for data there have been and so forth – rather than calling for anything stronger, rather than saying that they in any way resisted the authorities’ desire for surveillance. Indeed, the suspicion of many observers from outside the industry is that rather than resisting government agencies’ surveillance plans, some of these companies were actively cooperative or even complicit.

It’s not just about transparency

For me, that’s not enough. This shouldn’t be an issue of transparency – because it’s not just transparency over surveillance and privacy that matters, it’s the surveillance itself. At the Society of Legal Scholars conference in Edinburgh yesterday, I listened to Neil Richards talk about the dangers of surveillance (his written paper can be found here) and found myself in total agreement. Surveillance in itself is harmful to people, in a number of ways – it can chill action and even thought, it creates and exacerbates power imbalances, it allows for sorting and discrimination, and it can be, and often is, misused for personal or inappropriate reasons.

There are benefits to surveillance too – and reasons that surveillance is sometimes necessary – but the kind of total and generally secret surveillance that seems to be being performed by both government agencies (and the NSA in particular) and corporations seems to be totally out of balance – and it seems to be based, to some degree, on the assumption that privacy is dead anyway. For many, the only question seems to be how they can convince people to ‘get over it’. That is not enough. Yes, privacy may be dead – but if it is, we need to resurrect it. It may take a miracle – but it still needs to be done.

Can privacy be resurrected?

In an excellent article in the Guardian, Bruce Schneier talks about the role of engineers in the process. As he puts it:

“By subverting the internet at every level to make it a vast, multi-layered and robust surveillance platform, the NSA has undermined a fundamental social contract. The companies that build and manage our internet infrastructure, the companies that create and sell us our hardware and software, or the companies that host our data: we can no longer trust them to be ethical internet stewards.

This is not the internet the world needs, or the internet its creators envisioned. We need to take it back.

And by we, I mean the engineering community.”

Schneier knows what he is talking about – he is one of the real experts in the subject – and his piece is both compelling and surprisingly hopeful. Effectively he suggests – and I think he’s right – that there could be a way to re-engineer the internet, to take out the back doors, to rebuild the infrastructure of the internet so that surveillance is no longer the paradigm.

Schneier’s piece outlines what might be a technical route to the resurrection of privacy – but that resurrection needs more than just the technical possibility. It needs action from more than just the engineering community – it needs a political will, and that means that it needs action from a whole lot of us. It needs lawyers, advocates and academics to continue to challenge the legal justification for this kind of surveillance – the defeat last year of the Communications Data Bill (the UK’s ‘Snoopers’ Charter’) demonstrates that this kind of thing is possible. It needs journalists and bloggers to keep on writing about the subject – to make sure that surveillance and privacy isn’t just of passing interest, forgotten after a few weeks.

It needs ordinary people to keep taking an interest – because ordinary people can and do make a difference. They make a difference to the companies who operate on the internet – Microsoft’s recent advertising campaign’s strap-line was ‘your privacy is our priority’, demonstrating that they at least thought that the idea of privacy could be a selling point, even if their complicity in the PRISM programme has made the words seem pretty hollow. Ordinary people matter to politicians, at least when election time comes around – and it’s worth noting that in the presidential debate in the German elections happening right now, the candidates were asked specifically about NSA surveillance. There IS public and political interest in this subject. The more there is, the more chance there is of action.

Ultimately, we need to challenge the very assumptions that underlie the surveillance. We need to challenge the idea that the threat of ‘International Terrorism’ is so great that almost anything that can be done to fight it should be done without question or fetter. That’s necessary for more than just privacy, of course, as a vast array of our civil liberties have been curtailed in the name of counter-terrorism – but it is still necessary.

Is it all doomed to failure?

It might be that privacy really is dead. It might be that resurrecting it is effectively impossible – and it will certainly be incredibly difficult. The strength of the security lobby, the power of those in whose interests the surveillance is carried out, from the commercial to the governmental, is more than intimidating. The whole thing may be doomed to failure – but even if it is, it’s a fight worth fighting. There’s a huge amount at stake. And miracles do happen.

The name’s Snowden. Edward Snowden

I was asked today whether I thought that Edward Snowden was a one-off, or whether there were more whistleblowers waiting in the wings, and he was the first of many. ‘Of course,’ I said, without even thinking, ‘many, many more.’

It was only afterwards that I thought about why I believe that – because I do believe it. There are many factors, all of which contribute to the likelihood of further whistleblowers, leakers, ‘spies’, or whatever you want to call them.

You need secrets

Whistleblowers need something to blow the whistle about – and, to be frank, there’s plenty more where PRISM came from. If anyone thinks that Snowden has leaked everything that can be leaked in relation to the activities of the NSA, GCHQ and so forth, they’re being very naive. There are lots more secrets where they came from. Indeed, since the first revelations a whole lot more have emerged, and not just from the US. An equivalent French programme, ‘le Big Brother français’ was leaked to Le Monde and allegations of collaboration between the security services in the Netherlands and the US were just two examples: both leaked by people other than Snowden, but apparently inspired by him.

You need ‘bad guys’

The NSA fits the bill here – an almost nameless (‘No Such Agency’) group of faceless spooks, spying on everyone, accountable to no-one. They’re classical villains in spy movies: they’re the ‘State’ in ‘Enemy of the State’, the CIA cell hunting down Jason Bourne and so on. What’s more, their villainous nature has broadened to encompass pretty much the whole of the US government – Obama’s personal involvement has ensured that.

You need inspirations

Polls in the US have suggested there’s a deep split in opinion about Snowden – but to be an inspiration he doesn’t have to be considered a hero by the majority of Americans. He doesn’t even have to be considered a hero by a significant minority of Americans – he has to be considered a hero by enough of the right kind of people. I think he is. In the hacker community his status seems pretty assured – and that’s probably enough.

What’s more, the treatment of Snowden by the US authorities has cemented that status. The way they treated him has made him look like the hero of a spy movie – chasing him from one exotic location to another, causing diplomatic rows by seemingly forcing a diplomatic plane to be diverted and grounded and so on. Perhaps he’s not James Bond, but there are certainly echoes of Jason Bourne in his story.

Of course there are arguments that can be made in support of the severity of the response – but would it really put off further whistleblowers? Will they be deterred by the way that Snowden is being hounded? It doesn’t seem likely – the sort of people to make the kind of carefully calculated rational decisions needed to be deterred are not likely whistleblowers anyway. It’s more likely that they will be inspired. Did the abysmal treatment of Bradley Manning by the US authorities deter Snowden? The opposite – it inspired him, made him feel that what he was doing was worthwhile. He quoted the treatment of Manning as one of the reasons that he felt he had to blow the whistle.

In most ways, to me it looks as though the US has done pretty much exactly the wrong thing in relation to Snowden. They’ve made him a cult figure, someone whose name will be remembered in hacker circles for a generation – and is likely to inspire further whistleblowers and hackers.

You need potential whistleblowers

…and that’s the real rub. There are plenty of them. The NSA and their equivalents will be employing nerds, hackers, programmers, whatever you choose to call them, and they’ll be employing a lot of them. What’s more, given the nature of the field, they’ll probably be using third parties to do a lot of the work for them – just as they did with Booz Allen Hamilton in the case of Snowden. That means they can’t possibly be sure that they’re not employing another potential whistleblower. The people doing the work won’t be ‘career spooks’, deeply loyal to their nation and their agency, ready to give their all, regardless of anything else – those kinds of people are far more the myths of movies than heroes like Bond or Bourne. The people doing the real work will be much more ‘normal’ than that.

So all the pieces of the jigsaw are in place. Snowden wasn’t the first such whistleblower – and he certainly won’t be the last. The authorities need to understand that. Just as we need to adjust ourselves to the fact that we’re being watched all the time, they need to adjust themselves to the reality that their secret plans will almost certainly be leaked.

As I’ve said before, there’s only one sure way to stop your evil plans from being exposed – and that’s not to have evil plans in the first place. Sadly it’s pretty certain that won’t be the solution that the NSA and others find….

Privacy, me, and the NSA?

I wrote a piece back in 2011 about how I had first become interested in internet privacy – I reproduce it below (and the original online version is here). The essence of the post is simple. I became interested in internet privacy after I had a chilling experience: writing an email (to a friend) in the immediate aftermath of the invasion of Afghanistan that was critical of US foreign policy – and having my email account almost immediately cancelled. As I wrote back in 2011, I never discovered the real reason for the cancellation – but it started me becoming interested in internet privacy, an interest that changed my whole career.

The PRISM revelations have given me a moment’s pause: perhaps I wasn’t such a conspiracy theorist at all in thinking that my critical email was responsible for the cancellation of my email account. Perhaps I was one of the early victims of the NSA’s full scale email trawling. The email account I had was a Hotmail account, run by Microsoft, one of those companies directly implicated in the PRISM affair, if Snowden’s revelations are to be taken seriously. Of course this is still very much tin-foil hat territory, but the possibilities seem just a touch more likely than they did before.

Anyway, this is what I wrote back in October 2011: privacy is personal!

————————————————

My real interest in privacy – and specifically internet privacy – arose a little over ten years ago. Something happened to me that changed the way I thought about the whole issue – something personal, something direct. Up until that point I hadn’t really thought much about privacy, though I’d been involved with the online world from a very early stage, setting up projects to provide rural communities with access to information, and trying to provide online education to housebound children in the mid 1990s – not exactly cutting edge stuff, but not too far from it. I’d also been involved in human rights work – most directly children’s rights – but I’d never thought much about privacy. To me, then, just as to many people now, it just didn’t feel important, particularly compared to the problems happening all over the world. 9/11 had just happened, and war was in the air.

I was living in New Zealand when the US invaded Afghanistan – and I was deeply concerned about the consequences of that action. I wrote about my concern in an email to a friend, also in New Zealand, and in that email I was at least partially critical of US foreign policy. I even mentioned Israel at one point. Some time over the next three hours, my email account became inaccessible.

At the time I was using a free email account – one of the big ones – that I had set up whilst in the US a few years earlier. A ‘.com’ email account. As I was living in a very isolated part of New Zealand, this email account was one of my few links to the outside world. It had all my contacts’ details, and all the messages I had sent and received for a long time – and I had been foolish enough not to keep written records elsewhere of a lot of the details. At first I thought it was just a blip, an accident – and I set up another email account and wrote to the service provider asking what had happened to my account, whether the password had been accidentally reset or something else. I was met with terse replies saying that the account had been terminated for a breach of contract terms. Friends told me to give up, and go with the new account – but I’m not that kind of person. I kept on badgering them, trying to find out what was going on. I hadn’t yet thought that it might be connected with the email that I’d sent. Eventually I got a message saying that I had been using the email for commercial purposes, which is why it had been cancelled – which was absurd, as anyone who knew my financial position at the time would know. Then, about six months later, they reinstated the account, minus all the content, contacts and so forth.

Now of course I have no evidence to prove that the account was cancelled because of that particular email – it may indeed just have been a mistake, the account may even have been hacked into (though such things were much rarer in those days), but even the suspicion was enough to disturb me enormously, and set me on the path that I’m still on today. I started asking how it could have happened, what happens to emails, how easily they can be read, how my privacy might have been invaded. The more I investigated, the more I uncovered, the more interested I became – and it ended up changing my whole life. The perceived invasion of privacy – in a sense it doesn’t even matter if it was real – was so personal that it cut me to the quick.

Back then I had had very little to do with the law – my degree was in mathematics, I qualified as an accountant and worked with technology, not the law. Now, as a result of following this path, I’m a lecturer in a law school at a good university, have published research and submitted a PhD on the subject of data privacy – and it seems even more relevant than it did ten years ago, as the online world has expanded and become more and more intrinsically linked with everything we do. Invasions of privacy do matter – whatever the likes of Mark Zuckerberg might think – and they matter because they’re deeply personal, and touch the parts of us that we really care about.

—————————————————————————

Privacy: the more we know, the more we care….

To some people, the PRISM revelations have been deeply shocking. The idea that the authorities could be spying on pretty much all our activities on the internet was something that they had never really believed – indeed, they had thought that those of us who had been going on about this kind of thing were, to be blunt, paranoid geeks. Now that Edward Snowden has brought it out into the open, that’s not something so easy to maintain.

The initial response of the authorities was to deny it all. The next was to say it was all being misinterpreted, and wasn’t what Snowden was saying at all. Both of those approaches seem to have been largely abandoned – the denials seem hollow, and instead they’re falling back on the old chestnuts ‘we’re doing it for your own good’, and ‘if you’ve got nothing to hide, you’ve got nothing to fear’. Their problem is, it looks as though a great many people simply don’t believe them on either count. Why? Because, I would suggest, the more people know about what’s really going on, the more they care. Now that people know what kind of activities the NSA, the CIA and GCHQ are up to, they don’t like it. They don’t like it at all.

This shouldn’t really be surprising, as it follows a pattern that people who study privacy should recognise. It happens again and again. The more people realise the extent to which our privacy is being invaded, and the ways in which those invasions of privacy can have an effect, the more they want to have their privacy protected. It happens in relation to internet surveillance by the authorities – but it also happens in relation to the way that businesses invade our privacy. It happens with behavioural advertising – the more people know about what advertisers are doing to track us, the more they want it to be stopped, or at the very least limited. That’s why advertisers are so keen to have Do Not Track as an ‘opt-out’ rather than ‘opt-in’: they realise that if they have to actually explain to people what they’re doing in order to get them to opt in to tracking, people probably won’t. The key study in the field, by Turow, King, Hoofnagle, Bleakley and Hennessy (which can be found here) found the following:

“Contrary to what many marketers claim, most adult Americans (66%) do not want marketers to tailor advertisements to their interests. Moreover, when Americans are informed of three common ways that marketers gather data about people in order to tailor ads, even higher percentages – between 73% and 86% – say they would not want such advertising.”

This last point is particularly important. The more people knew what was really going on, the more they cared, and the more they rejected the privacy-invasive practices. The converse also seems to be true: the more ignorant people are about how things really work, the less they care. It should be no surprise that the strongest advocates for the Communications Data Bill (the Snoopers’ Charter) have been amongst those who understand the internet the least. Theresa May and William Hague, in particular, from the pronouncements they make, seem to have almost no grasp of how the internet works – let alone what the impact of the programmes they actually promote would be. Those few MPs who do understand the internet are pretty much without exception strongly opposed to the Snoopers’ Charter, regardless of their political affiliation: David Davis for the Tories, Julian Huppert for the Lib Dems and Tom Watson for Labour.

Perhaps the best thing to come out of the PRISM farrago is a raising of awareness of the issues around internet privacy. The more this awareness is raised, the more chance we have of getting positive, privacy-friendly results – and the more chance we have to fight off the oppressive, privacy-invasive stuff. Tom Watson and David Davis have now suggested that the Snoopers’ Charter has ‘practically zero chance of becoming law’, primarily as a result of the impact of the PRISM saga. I hope they’re right. If so, it could be a pivotal moment for internet privacy. I hope so.

Communications Surveillance, Protest and Control…

Protest against the badger cull in Bristol

What is the real reason that certain of the authorities are so keen on universal surveillance of communications data? Is it the fight against terrorism? It doesn’t seem very likely. It’s a supremely ineffective method of dealing with terrorism at best – even the examples quoted by the security services as ‘proof’ that it works have pretty much all been swiftly debunked (see for example here). In practice, it seems, targeted, intelligence-driven, almost ‘traditional’ methods do the job far better. So why do the authorities all around the globe seem to be so enthusiastic about communications surveillance? One word: control.

Control is the key

Despotic regimes have always wanted to have as complete a level of surveillance as possible – they want to know what is going on, who is meeting who, what they’re talking about, what they’re planning. That way, they can get control over their people. They can find subversives and dissidents, they can infiltrate those who resist or plot against them, they can snuff out the plans of their enemies before they gather sufficient momentum to have a real effect. That’s been fundamental to pretty much every oppressive regime throughout history – and the capabilities of the internet, and in particular of internet surveillance, offer possibilities beyond the dreams of the despots of yesteryear. However, it’s not just despots who like surveillance – or rather, it’s not just those that we usually label as ‘despots’ who like it. It’s anyone who wants more control – or who thinks that things are going out of control. It’s those concerned with ‘public order’. It’s those concerned with ‘protest’. That, sadly, means it’s all of our governments today – even that in the UK.

Snooping on the badger-cull protestors

News came out this week that ‘Whitehall chiefs scan Twitter to head off badger protests’. As reported to the BBC, ‘[t]he Department for Rural Affairs uses “horizon scanning” software to gain an “early warning” of public protests.’ Relatively speaking, this is a primitive form of snooping – and a legal one, since it scans public messages on social media services such as Twitter. This isn’t a secret plan like PRISM, but an official and key part of the government’s communication plan – but it reveals a good deal about how the government (and other authorities) see the potential of communications surveillance. If they can find out what people are thinking and planning, they can nip protests in the bud.

Pretty much all of this, of course, is legal, and much of it is justifiable in ‘public order’ terms – but as anyone who saw the recent and deeply shocking revelations that the McLibel leaflet was co-written by an undercover police officer who had infiltrated an environmental campaign group would know, the tactics and techniques used by ‘law enforcement’ to deal with protestors and related groups can often stretch not just the law but our imaginations. Ideas presented and proposed for good or at least defensible reasons can easily morph into something much more sinister. Give the authorities leeway, and they use it…

The real use of communications surveillance…

…which is what, it seems likely, is one of the keys behind the enthusiasm for all kinds of communications surveillance, from the Snoopers’ Charter in the UK to PRISM and so forth in the US, to the massive new programme in India etc. They know that if they have full surveillance capabilities their ability to control what is happening will be magnified enormously. Not only can they effectively unmask protestors, they can find out who their friends are, what websites they visit, where they’re planning to meet and so on. If they take it a few steps further, they can block them from communicating with each other, shut down their blogs – or warn them off with anonymous threatening emails, or leak their details to their enemies.

Does this sound far-fetched? Perhaps, but not nearly as far-fetched as the McLibel story, let alone the other horrendous details surrounding police infiltration of environmental and anti-racist groups. What’s more, most of the surveillance systems planned are designed for precisely this kind of surveillance – linking into Facebook, Google etc is far better at this than it is at fighting terrorism, paedophilia etc. Terrorists and paedophiles don’t do their planning on Facebook etc – but those organising legal, peaceful protests like that against the badger cull DO. Terrorists and paedophiles do everything they can to keep ‘dark’ – and they learn how to do so, what technology to use to bypass the authorities. Peaceful protesters don’t – they don’t often feel that they need to, and they don’t have the capabilities. They’re the obvious targets of this kind of thing: universal internet surveillance isn’t so much about fighting the big things as it is about keeping ‘public order’.

Whether that is an acceptable thing is another story. Public order IS important – but so is the right to protest, and not just in countries like Turkey. Protest is fundamental to our democracy, to our freedom of expression, to our ability to hold our governments to account. It’s important everywhere, and letting the authorities design and operate systems to stifle and control it is something about which we should be very wary.

PRISM: Share with the CIA – and Facebook!

Going out for a pizza? Who wants to know?

There’s been a joke going around the net over the last couple of weeks, inspired by the PRISM revelations. The picture above is just one of the examples – variants include replacing the CIA with the NSA, or adding the two together so that it says, effectively ‘Share with Friends, the CIA and the NSA’ and so on. It’s a pretty good joke – and spot on about the nature of the PRISM programme (and indeed the equivalents elsewhere in the world, such as the UK’s Communications Data Bill, the ‘Snoopers’ Charter’), but ultimately it misses one key element from the equation. It should also include ‘share with Facebook’…

Share with only me, the CIA, the NSA and Facebook!

Something that seems to be forgotten pretty much every time is that whenever you put something on Facebook, no matter how tightly and precisely you select your ‘privacy’ settings, Facebook themselves always get to see your stuff. It’s never ‘just you’, or ‘just you and your close friends’: Facebook themselves are always there. That means a lot of different things – at the very least that they will use that information to build up your profile and to choose who is going to target advertising at you. It might be used directly for Facebook themselves to target products and services at you. It might mean that they put you on various lists of people of a certain kind to receive mailings – lists that could then be used for other purposes, potentially sold (perhaps not now, but in the future?) or even could be hacked…

Data is vulnerable

…and that is a point that shouldn’t be forgotten. If you put something on Facebook, or if Facebook infers something from the information that you put up, that information is potentially vulnerable. Now it’s easy to worry about spies and spooks – and then to dismiss that worry because you’re not really the kind of person that spies and spooks would care about – but there are others to whom the kind of information you put on Facebook could be valuable. Criminals intent on identity theft. Other criminals looking for targets in other ways (if you’re going out for a pizza, that means you’re not at home… burglary opportunity?). Insurers wanting to know whether they should put up your premiums (aha, they often go out for pizzas – doesn’t sound like a healthy diet to me! Up with the premiums!), potential employers checking you out (if you’re going out for a pizza at an unsuitable time of day, you might be an unsuitable employee) and so on.

Don’t imagine your ‘privacy’ settings really imply privacy…

This doesn’t mean that we shouldn’t ‘share’ anything on Facebook (or Google, or any other system online, because what happens with Facebook happens just as much with others), but that we should be a touch more aware of the situation. The PRISM saga has highlighted that what we share can be seen by the authorities – and has triggered off quite a lot of concern. That concern is, in my opinion, only a small part of the story. What the authorities do is only one aspect – and for most people a far less important one than the rest of the story. Having your insurance premiums raised, having credit refused, becoming a victim of identity-related crimes, being socially embarrassed or humiliated, becoming a victim of cyber-bullying etc are much more common for most of us. What we do online can contribute to all of these – and we should be a bit more aware of it.

PRISM: lessons for the future?

The news surrounding PRISM, from the stories surrounding whistle-blower Edward Snowden to the technical analyses of what (if anything) PRISM might actually be, seems to be multiplying every day. This is likely to continue – and in the short term, though more and more information seems to be coming out, it does not look as though we’ll really know what went on for some time – if ever. What is more interesting to me at this stage is how the reaction is playing out – in the media, with politicians, with the ‘geeks’, in the social media and so on. Even without knowing the technical details – let alone the ‘truth’ of what’s happening – there are some things that we can see.

People DO care – and that matters

This point is perhaps the most important – when people are told that their phone calls, their internet activity and so forth are being monitored, particularly without their knowledge and without proper checks and balances, they care about that. The scale of this particular furore has been bigger, in most ways, than any before – which goes pretty much directly against the often-repeated claims that people don’t care about privacy. What’s more, it appears from a number of surveys that young people care more about it than older people – again, going pretty much directly against the suggestion that privacy is somehow an outdated thing only the concern of old fogeys and geeks (like me). There are many possible reasons for this – it may be that young people understand the internet more, so have a clearer understanding of the implications of monitoring internet behaviour, it may be that young people have even less trust in the authorities than older people, it may be that young people are less convinced by the ‘war on terror’ than older people. It’s hard to be sure – but it is interesting.

The Snoopers’ Charter is substantially similar to PRISM

In effect, what is envisaged in the Snoopers’ Charter (the Communications Data Bill) is almost identical to the ‘worst case scenario’ for PRISM: it allows for ‘black boxes’ to be installed in ISPs, and potentially at the servers of the likes of Facebook, Google etc, it allows for ‘direct access’ to those servers and so forth. If PRISM sounds like a nightmare – then so is the Snoopers’ Charter. I was in the US when the news of PRISM broke – at a privacy conference – and the reaction of many Americans was very interesting. Europeans often see Americans as less concerned by privacy than they should be – things like free speech and free enterprise always seem to take priority – and yet here was outrage and anger, and frustration at overreach by the authorities. If the Americans are worried about PRISM, then we should be doubly worried about the Snoopers’ Charter – and I hope we will use this mess as a bit of a wake-up call.

There are plenty of lessons to learn along these lines, particularly in relation to laws such as the Snoopers’ Charter. One is that whether something is technically legal is not necessarily the key – because the laws themselves may not be what we think they are. On both sides of the Atlantic lawmakers pass laws that they may not understand (something that has been painfully evident during the debate on the Snoopers’ Charter) and when reality bites they find themselves surprised and upset. They need, as many of us have said before, to listen far more carefully to the right people – in the case of the Snoopers’ Charter, they need to really read and understand the submissions to the committee. Another is that when a law is written in an open-ended way (as in the US the PATRIOT Act seems to have been) then authorities will be likely to take advantage, and end up going beyond the apparent intentions of the law. The primary implication is that we need to be much more careful about how these laws are written – and leave less scope for ‘interpretation’. It’s just not enough to ask us to ‘trust’ the authorities, and assume that they will stay within the spirit as well as the letter of the law. That will not do.

We fought off the Snoopers’ Charter once – and we must make sure that it is not revived in anything like its original form.

Arguments and old chestnuts…

Another thing that’s clear is that all the old chestnuts will be brought out in the arguments. Two particular ones get brought out pretty much every time: the idea that ‘if you’ve got nothing to hide’ then you’re OK, and that ‘we’re not listening to your phone calls’. Neither holds water in any way. The ‘nothing to hide’ argument has been debunked at huge length by a vast array of scholars and journalists over the years, from Daniel Solove’s classic piece here to danah boyd’s piece yesterday. The ‘we’re not listening’ argument focusses on traditional wiretapping – and makes far less sense today. The ‘meta-data’ or ‘traffic data’ that surrounds calls, and more particularly internet activity may well be more useful, especially for analytical purposes. It doesn’t just say when you call whom – but things like where you are when you call, the kind of technology you’re using (which device, which software, which provider etc) – and that data can be used for profiling and predictions far more than the content. We shouldn’t be reassured when William Hague or Barack Obama tell us they’re not listening to our calls – it’s pretty much irrelevant. They’re doing things that are far more intrusive.

If we care about governments – we should care about business!

It is interesting to me how much people are now worried about governments getting access to their private ‘stuff’ – when they were (and to an extent still are) far less concerned about businesses having similar access. People seem to trust Facebook, Apple, Google etc with their most intimate details but be deeply upset if the NSA or GCHQ might see it – and yet, for most people, the potential for harm is in many ways greater from businesses than from the authorities. Not only would businesses share their information with the authorities anyway – but they’ll also share it with advertisers, with credit agencies, with insurance companies and others who can have a very direct impact on our lives. They’ll also build up behavioural profiles of us that can be used by the authorities and all of those other groups – profiles that might well end up being sold or even given to those groups.

What does this mean? That we shouldn’t worry about PRISM etc? Precisely the opposite – that we should also worry much more about business gathering and use of data, about businesses tracking us and so forth. We need protection from both governments and business.

Strong data protection is crucial

This should be one of the key lessons from all this – particularly for those of us in Europe. Right now, the Data Protection reform package is being negotiated, and there is strong pressure from some groups – notably business lobby groups and the UK government – to weaken it. We should resist that pressure at all costs – and indeed we should look at ways to strengthen our data protection regime, make it tougher for businesses to hand over data or allow authorities access, bring in more checks and balances. Better, more transparent and more ‘privacy friendly’ business models are needed – amongst other things to increase our trust. That trust is currently quite precarious.

A privacy-friendly future is needed!

People seem to like privacy – and they should. I’ve written about this before, but I think both the desire and the need for a ‘privacy-friendly future’ are getting more intense. The technical side of things is developing apace – cryptography, systems for anonymity and so forth exist and are becoming a bit more than just the preserve of the ‘geek’ community. That has to continue – and should be embraced by mainstream providers. If people like Apple, Google, and Microsoft start to find ways to incorporate the better, stronger and more robust privacy-friendly systems into their own, that could be a selling point as well as helping users. If those developing ‘Do Not Track’ make it stronger, more effective, more clearly ‘do not track’ and less ‘do not target’, and most importantly ON by default, that would help even more. Just as for the business models, we need to have a sense that the technology can be trusted.

Trust in me…..

…because, in the end, trust is important. Trust, however, has to be earned, and has to be deserved. Right now, governments and businesses are losing that trust – and don’t seem to be able to find a way to win it back. It will take more than words – and hearing William Hague tell us that we should trust him, if anything, makes me trust him less. He has to do a great deal more to earn it – as do Apple, Google, Microsoft and so on.
