Surveillance: ten ways to fight back!

Today, 11th February 2014, is ‘The Day We Fight Back” – a day of campaigning against mass surveillance. It’s a day where campaigners are trying to raise awareness of the issue – and begin fighting against it. The big question is how can we fight back – what can we actually do. It often seems as though privacy is dead, and that there’s nothing we can do about it. I don’t think so – there are lots of things we can do, lots of things we must do. Here are just ten….

1 Support The Day We Fight Back

One of the most important things in the whole fight is to raise awareness – and to take advantage of opportunities to spread the message that surveillance is a big issue. Days like The Day We Fight Back help to do that. Check out the website here. Tweet about it. Blog about it. Talk about it with your friends and colleagues. Make it something that people notice.

2 Lobby your politicians – or unseat them!

Let the politicians know that you care about this – because, ultimately, they are supposed to be your representatives. It may not feel as though they listen to you much – but if enough people tell them the same thing, if enough people bother them, then they may finally get up off their backsides and do something. And if they don’t, use your vote against them. Politicians make a difference here – or rather they could, if they could be bothered. Most of them don’t understand what’s going on – try to educate them! Help them to understand, and don’t let them get away with bland, meaningless reassurances.

3 Don’t let the corporations off the hook!

The Snowden revelations were shocking, revealing a degree of governmental surveillance that surprised many people, and made a lot of people angry with their governments – but we shouldn’t be fooled into thinking this is just about governments, or just about specific agencies like the NSA and GCHQ. The malaise is far deeper than that – and corporations are in it right up to their necks. In many ways corporate surveillance is worse than governmental surveillance – it can have real impact on people, messing with their credit ratings and insurance premiums, affecting their job prospects, the prices they pay for things and more.

The NSA and GCHQ to a great extent piggyback on the surveillance that the corporates do, utilise the tools that the corporates create, mine the data that the corporates hold – if the corporates weren’t doing it, the agencies couldn’t tap into it. What’s more, corporations actively lobby to undermine privacy law, obfuscate over their privacy policies and do a lot more to undermine the whole concept of privacy. We shouldn’t accept that – let alone allow themselves to portray themselves as the good guys in this story. They’re not. Right now, they’re the henchmen and sidekicks of the NSA and GCHQ – if they want our support, they need to start supporting us.

4 Don’t just demand transparency – demand less surveillance!

There’s a lot of talk of transparency, particularly in relation to governmental requests for data from the likes go Google, Facebook, Twitter etc. Transparency is great – but it’s not nearly enough. We shouldn’t let ourselves be fobbed off with talk of transparency – we need less surveillance. We need to demand that surveillance is cut back – not just that there is better accountability and transparency. Accountability often ends up in farces like the UK’s Intelligence and Security Committee’s hearing with the heads of MI5, MI6 and GCHQ – no real scrutiny at all, just a bit of lip service and a lot of back-slapping. It’s not enough. Not nearly enough.

5 Join or support civil society

Civil society groups all over the world are key players in this – and they need your support. Here in the UK, the Open Rights Group, Privacy International and Big Brother Watch have been in the forefront of the campaigns against surveillance. In the US the Electronic Frontier Foundation have been crucial. In the Netherlands Bits of Freedom have done wonders. These, however, are not groups with the scale or resources of the governments and corporations that are behind the surveillance – so they need every bit of support they can get.

6 Challenge the media!

The mainstream media, for the most part, have not played the part that they could in the fight against mass surveillance. The Guardian has been an honourable exception – and their role in making sure that the Snowden story has seen the light of day has been, for me, one of the most important pieces of journalism for many years – but generally the whole issue has been the subject of far less attention than it should have had. That’s sadly common – because reporting of almost all technology matters is pretty disappointing. We need to challenge that – and shame the media into doing a better job. When they misreport stories about surveillance they should be challenged – using the social media, for example. And, perhaps even more importantly, when they report on technology without seeing the privacy aspects we should challenge that too. One key example right now is the subject of ‘Smart Meters’ – they have deep problems in relation to privacy, but when you see a report in much of the media it only talks of the advantages, not the risks. That’s not good enough.

7 Educate yourself

Part of the reason that surveillance has grown, almost without our noticing, is that far too many of us – and I’m certainly one of them – have not kept ourselves up to date. This year is supposed to be the ‘Year of Code’ – and though that campaign is pretty farcical it does highlight the fact that most of us don’t really know how the tech we use works. If we don’t know how it works, it’ll be much harder for us to protect ourselves. I’m making a commitment right now that I’m going to learn cryptography – and that I’m going to use it.

8 Use and support privacy friendly tech

That brings the next point. There are a lot of privacy-friendly tools out there and we should use them. Search with duckduckgo or startpage rather than Google. Use Ghostery or Abine’s DoNotTrackMe to monitor or block those who are tracking you – remembering that commercial trackers can be hijacked by the authorities. These are just a few of the tools available – and there are more coming all the time – but they need to be used in order to succeed. They need support if they are to grow.

9 Keep your eye on the news

There are more stories about surveillance and other invasions of privacy appearing all the time – keep your eye on the news for them, and let other people know about them. It’s hard to keep up, but don’t give up. Don’t expect to know everything, but if we don’t keep up with the news we aren’t going to be in a position to fight. Information is power – which is a great deal of what surveillance is about. We need to be informed in order to fight back

10 Make sure the fightback isn’t just for a day

This is the most important thing of all. Campaigns for one day are pretty meaningless – and the authorities will generally let them ride, possibly with a few little comments but almost no action. Political pronouncement and political action needs long-term campaigning. Shifts in attitudes don’t happen in a day – so we need to keep this campaign going…. and expect it to be a long, attritional fight. It won’t be easy – but it’s worth it.

Snoopers’ Charter RIP?

This morning, live on air, Nick Clegg effectively said that the Communications Data Bill, the Snoopers’ Charter, was dead. I hope he’s right – and if he is, those campaigning against the bill, including pressure groups Big Brother Watch, the Open Rights Group and Privacy International, and MPs such as Julian Huppert and David Davis, deserve a great deal of credit. Those of us who’ve been campaigning will be holding our breath to see whether it’s really true – because promises like this have been made before, and come to nothing. So what should we do next?

Well, first of all, we should keep up the pressure – and scrutinise the Queen’s Speech with great care, to see what is actually said. There’s still likely to be something in there – we should make sure that it’s the kind of thing that Clegg has promised.

Secondly, we should remember that the existing powers, under the Regulation of Investigatory Powers Act (RIPA) are already excessive and have been subject to significant function creep. We should be pushing for a tightening of those powers – and more clarity about how and when they should be used. Ideally, the ‘small bill’ in the Queen’s Speech should do that – but I won’t be holding my breath.

Thirdly, we should be lobbying all the main political parties to make sure that a ‘reborn’ Snoopers’ Charter isn’t part of their plans – indeed, to get commitments in manifestos (for what they’re worth) that they won’t be planning these.

Fourthly, we should be supporting campaigns in other parts of the world against similarly invasive and damaging laws and plans – from CISPA in the US to the National Security Review plans in Australia onwards. The movement towards universal internet surveillance is a pervasive one, and one that needs fighting at an international level.

Fifthly, we should be looking to have the European Data Retention Directive reviewed – and ideally repealed. This directive, described by Peter Hustinx, the European Data Protection Supervisor as ‘the EU’s most privacy invasive tool’ follows the same kind of logic as the Snoopers’ Charter, though with a slightly different scope. It was passed in the aftermath of the 7/7 bombings, and was based on fear – just as the Snoopers’ Charter is based on fear. We need a new approach, a new angle.

The big point for me is to understand why Nick Clegg might be wanting to kill the Snoopers’ Charter. To me, it’s indicative of a gradual changing in people’s attitudes. As I’ve written and talked about before (for example in my ‘privacy-friendly future’ blogs and talks), I think people are waking up to privacy, and starting to understand how much our privacy matters, and how it is being undermined. If privacy is now a politically significant issue – enough to make Nick Clegg stand firm on this – then that bodes well for the future.

All this, however, should be taken with a huge pinch of salt. The battle isn’t over yet – we need to watch Clegg like a hawk, and follow developments very, very closely. I’m cautiously optimistic, however. Let’s hope the rumours of the death of the Snoopers’ Charter have not been exaggerated….

Internet Surveillance: a despot’s dream…

Imagine you’ve just been appointed the head of the online secret police for an oppressive dictatorship. Your leader comes to you with a worried expression. The internet bothers him, he tells you. People get to say whatever they want, to talk to whoever they want, and it’s spreading dissent and destabilising the government. ‘It’s a disaster,’ he says. ‘What are you going to do about it? We need to keep this under control.’

You think about it a bit and then come up with a plan. Our main problem, you tell him, is that we don’t know enough about what is going on. We need to monitor everything. ‘If we know who is talking to who, what sites they’re visiting on the internet, which social networking systems they’re using, and for what, then we can start to take back control.’

A smile starts to appear on the leader’s face. ‘What next?’ he asks.

‘Next we need to set up a system to be able to search through all that information – some kind of filtering system to find what we want to find.’

‘You mean like a kind of Google for private communications and internet activities?’

‘Exactly. We can search for whatever we want – and whoever we want. But there’s more: we can use that information to do much more. They think the internet’s a tool for their free speech – we can turn it into a way to find them, to arrest them, to block them, to find out who likes what they say. We can access their activities in real time and respond to them before they know what’s happening. We can turn the tables on them.’

Your leader smiles and rubs his hands together. ‘Go for it,’ he says.

——————————————-

A dystopian vision?

This may seem like a dystopian vision – but it is, in essence, exactly what the Communications Data Bill is designed to do. It is set up to allow full access to all internet activities, both in a stored form for later access and analysis and a ‘real-time’ feed, allowing monitoring of what people are doing while they’re doing it. It then legislates for a filtering system to be created, a system by which those in authority can search through all the data gathered to find what they want, using whatever terms they want. No warrants are required so long as the person mandating the search is sufficiently senior – and currently, precisely what level of seniority is required in each relevant authority is not specified in the bill, leaving it to the discretion of the authorities concerned.

There are similar initiatives around the world: two prime examples are those proposed in the current review of Australia’s National Security laws and, to a certain extent, the existing Swedish FRA-Law. The United States does it a bit differently: it seems that the National Security Agency (NSA) is just doing all the surveillance, if a key whistleblower is to be believed, without an official legal basis. It’s something that ‘authorities’ seem to have decided is well worthwhile – primarily, it seems, for reasons described above.

One of the characteristics of these laws and systems is that the politicians who put them forward and vote for them appear to be ignorant of both what they do and what they imply. Indeed, politicians often appear not to understand the digital world much, which is one of the reasons we end up with messes such as the Digital Economy Act – but their secret policemen are not in the dark. That’s why it is the ‘intelligence services’ that seem to be the driving force behind the Communications Data Bill, more so even than the police, and why the NSA in the US, as noted above, appears to do pretty much exactly the same, without even a pretence of a legal basis.

Panicking about the Internet

In many ways, the authorities are panicked about the internet. It seems to be too much out of control – and too much beyond their understanding. They used to be able to tap phones and intercept mail, to watch people on the street and to interrogate their friends and connections – now that seems to be much harder. When they sort out systems to tap into one form of communication, the internet develops another – so laws like the Data Retention laws cover email and phones, but they don’t cover social networking sites or instant messaging, because those weren’t sufficiently understood or developed when the laws were drafted. They’ve learned a lesson from that: don’t try to specify too carefully. Instead, gather everything.

There is a logic to it – new forms of communication are being developed all the time and people will find new ways to use existing forms. Conversations can develop in the comments on a blog or even a newspaper article – so all that would need to be monitored. Even reviews of products on Amazon are being used for creative conversations – so that needs to be monitored too. In the end, if you follow this path, the only conclusion is to monitor everything.

One particular red herring in the bill is that it won’t monitor the ‘content’ of communications. That’s fine if you’re looking at conventional forms of communication – emails and phone calls etc – but when you start looking at websites, even a site’s URL can indicate its contents. More to the point, by monitoring people’s behaviour you can profile them – and tap into already highly-developed behavioural-targeting systems. These have been created for advertising, but can be used just as effectively for political, racial and religious profiling.

This kind of universal data gathering, from the perspective of the secret policeman, is both logical and necessary – but it has huge implications, and not just for the obvious issue of privacy. The first and most important effect is a real and direct one: people can be located and prevented from exercising their freedom of expression. Two immediate examples spring to mind. The first is the Nightjack blogger, whose blog provided rare insight into the real life of the police, as well as being fascinating and well enough written to win the Orwell Prize for blogging. His blog was shut down because he was ‘outed’ by The Times – nefariously – and he was unable to operate without the anonymity that his blog provided. If there is universal surveillance, and if we know there is universal surveillance, it will be much easier to break people’s anonymity and pseudonymity. That alone will have a chilling effect, deterring people from blogging if they feel they’re likely to be easy to locate. For some, of course, it’s more than a chilling of speech – it can be deadly. Bloggers in Mexico regularly face very real danger and anonymity is crucial to their safety. Many have been hunted down and executed by drugs cartels. Systems like the one being proposed would make it far easier for them to be found, and given the likelihood of collusion between the cartels and certain elements of the police, the consequences could be hideous.

Function creep – and other risks…

The legal implications may just be the tip of the iceberg. The idea that the police and others authorised to take action under this kind of legislation will only use it for the purpose originally specified is naïve to say the least. Have we learned nothing from the phone-hacking saga, particularly about the way the police can potentially be subverted by other ‘interests’? Function creep is real, both in terms of legislation and in the use of the technology itself.

It is also important to understand that this kind of profiling could be extended to other areas of the internet. People could be ‘steered away’ from particular sites without knowing it. If a large number of ‘suspicious’ people visit a particular website, the site could end up being blocked – or worse, those who create and support that site could be located and arrested. Other forms of data can make the whole thing even worse – from facial profiling of photos on the net to geo-location data that can be used not just to locate people in real time but to analyse their movements over a period in order to predict where they might be. When you combine that with the kind of social networking and related data that might also be gathered, the opportunity to control and even shut down protests or other gatherings becomes more extreme – again, the effect on free expression, on political discourse both offline and online, could be significant.

Experts doubt whether systems like this will even work. The real ‘villains’ – the terrorists and paedophiles that are generally used to justify such proposals – are likely to know how to evade the surveillance. They often have a great deal of practice in covering their tracks and generally take more precautions to avoid being caught.

Stimulating a trade in surveillance technology?

There is another key potential impact of the Communications Data Bill: the law supports the development of technology for surveillance and control. The bill currently estimates that it will cost £1.8bn (US$2.9bn) to implement: that’s £1.8bn on research, development and production of surveillance technologies. Companies will be queuing up for a share of that money – and when they use it, what will they do with it? The products developed – both hardware and software – won’t only be used by our ‘good’ government. Companies will want to sell them elsewhere – or at the very least use the expertise that they’ve developed while building them in further contracts. Who will those contracts be with? There will be a ready market for this kind of surveillance system in any regime with even the smallest degree of an authoritarian streak. Not only will free speech be chilled in our own country, but elsewhere around the world. The concept of universal surveillance will be given the green light.

Universal internet surveillance not only impacts upon privacy, it impacts upon our whole lives – particularly as more aspects of our lives either take place online or have an online element. It chills speech. It can block free association and free assembly. It allows each and every one of us to be pro- filed in great detail. It puts tools of immense power into the hands of exactly those people who can be least trusted to use it – and it should be stopped. The question we must ask is what kind of a society do we want – one with freedom, or one where all the power is in the hands of the authorities?

———————-

(This story first appeared in Index on Censorship – Digital Frontiers – which you can buy here)

Privacy is not the enemy – rebooted…

Today, Saturday February 23rd 2013, is International Privacy Day. To mark it, I’ve done a re-boot of an old blog post: ‘Privacy is not the enemy’. The original post (which you can find here) came back in December 2011, after I attended an ‘open data’ event organised by the Oxford Internet Institute – but it’s worth repeating, because those of us who advocate for privacy often find themselves having to defend themselves against attack, as though ‘privacy’ was somehow the enemy of so much that is good.

Privacy is not the enemy

Privacy advocates are often used to being in a defensive position – trying to ‘shout out’ about privacy to a room full of avid data-sharers or supporters of business innovation above all things. There is a lot of antagonism. Those we speak to can sometimes feel that they are being ‘threatened’ – some of the recent debate over the proposed reform of the Data Protection regime has had very much that character. And yet I believe that many of those threatened are missing the point about privacy. Just as Guido Fawkes is wrong to characterise privacy just as a ‘euphemism for censorship’ (as I’ve written about before) and Paul McMullan was wrong to suggest to the Leveson Inquiry that ‘privacy is for paedos’, the idea that privacy is the ‘enemy’ of so many things is fundamentally misconceived. To a great extent the opposite is true.

Privacy is not the enemy of free expression – indeed, as Jo Glanville of Index on Censorship has argued, privacy is essential for free expression. Without the protection provided by privacy, people are shackled by the risk that their enemies, those that would censor them, arrest them or worse, can uncover their identities, find them and do their worst. Without privacy, there is no free expression. The two go hand-in-hand, particularly where those without ‘power’ are concerned – and just as privacy shouldn’t just be something available for the rich and powerful, free speech shouldn’t only be available to those robust enough to cope with exposure.

Privacy is not the enemy of ‘publicness’ – in a similar way, to be truly ‘public’, people need to be able to protect what is private. They need to be able to have at least some control over what they share, what they put into the public. If they have no privacy, no control at all, how can they know what to share?

Privacy is not the enemy of law enforcement – privacy is sometimes suggested to be a tool for criminals, something behind which they can hide behind. The old argument that ‘if you’ve got nothing to hide, you’ve got nothing to fear’ has been exposed as a fallacy many times – perhaps most notably by Daniel Solove (e.g. here), but there is another side to the argument. Criminals will use whatever tools you present them with. If you provide an internet with privacy and anonymity they’ll use that privacy and anonymity – but if you provide an internet without privacy, they’ll exploit that lack of privacy. Many scams related to identity theft are based around taking advantage of that lack of privacy. It would perhaps be stretching a point to suggest that privacy is a friend to law enforcement – but it is as much of an enemy to criminals as it is to law enforcement agencies. Properly implemented privacy can protect us from crime.

Privacy is not the enemy of security – in a similar way, terrorists and those behind what’s loosely described as cyberwarfare will exploit whatever environment they are provided with. If Western Law enforcement agencies demand that social networks install ‘back doors’ to allow them to pursue terrorists and criminals, you can be sure that those back doors will be used by their enemies – terrorists, criminals, agents of enemy states and so forth. Privacy International’s ‘Big Brother Inc’ campaign has revealed the extent to which surveillance products developed in the West are being sold to despotic and oppressive regimes – in an industry worth an estimated $5 billion a year. It’s systematic, and understandable. Surveillance is a double-edged sword – and privacy is a shield which faces many ways (to stretch a metaphor beyond its limits!). Proper privacy protection works against the ‘bad guys’ as well as the ‘good’. It’s a supporter of security, not an enemy.

Privacy is not the enemy of business – though it is the enemy of certain particular business models, just as ‘health’ is the enemy of the tobacco industry. Ultimately, privacy is a supporter of business, because better privacy increases trust, and trust helps business. Governments need to start to be clear that this is the case – and that by undermining privacy (for example though the oppressive and disproportionate attempts to control copyright infringement) they undermine trust, both in businesses and in themselves as governments. Privacy is certainly a challenge to business – but that’s merely reflective of the challenges that all businesses face (and should face) in developing businesses that people want to use and are willing to pay money for.

Privacy is not the enemy of open data – indeed, precisely the opposite. First of all, privacy should make it clear which data should be shared, and how. ‘Public’ data doesn’t infringe privacy – from bus timetables to meteorological records, from public accounts to parliamentary voting records. Personal data is just that – personal – and sharing it should happen with real consent. When is that consent likely to be given? When people trust that their data will be used appropriately. When will they trust? When privacy is generally in place. Better privacy means better data sharing.

All this is without addressing the question of whether (and to what extent) privacy is a fundamental right. I won’t get into that here – it’s a philosophical question and one of great interest to me, but the arguments in favour of privacy are highly practical as well as philosophical. Privacy shouldn’t be the enemy – it should be seen as something positive, something that can assist and support. Privacy builds trust, and trust helps everyone.

———————————-

Over the time since I first wrote this post, privacy has if anything become bigger news that it was. If Facebook launches a new product (e.g. Graph Search, about which I wrote here and here), it makes privacy a centre-piece of the launch, regardless of the true privacy impact of the product. Apple has now put privacy settings into iOS for its iPhone and iPad. Privacy is big news! Let’s mark International Privacy Day by reminding ourselves that privacy is not an enemy – the opposite….

Big Brother is watching you…. and so are his corporate partners

Privacy advocates are spoilt for choice these days about what to complain about – privacy invasions by business, or privacy invasions by the authorities? Over the last year or so, I’ve written regularly about both – whether it be my seemingly endless posts in recent weeks about Facebook, or the many times I wrote last year about the wonderful Snoopers’ Charter – our Communications Data Bill (which is due to re-emerge after its humiliation fairly shortly).

It’s a hard one to answer – and I tend to oscillate between the two in terms of which I think is more worrying, more of a threat. And then a new story comes along to remind me that it isn’t either on its own that we should be really worried about – it’s when the two work together. Another such story has just come to light, this time in The Guardian

“Raytheon’s Riot program mines social network data like a ‘Google for spies’, drawing ire from civil rights groups”

The essence of the story is simple. Raytheon is reported to have developed software “capable of tracking people’s movements and predicting future behaviour by mining data from social networking websites”. Whether the details of the story are correct, and whether Raytheon’s software is particularly good at doing what it is supposed to do isn’t really the main point: the emergence of software like this was always pretty close to inevitable. And it will get more effective – profiling will get sharper, targeting more precise, predictions more accurate.

Inevitable and automatic

What’s more, this isn’t just some ‘friendly’ policemen or intelligence operatives looking over our Facebook posts or trawling through our tweets – this is software, software that will operate automatically and invisibly, and can look at everything. What’s more, it’s commercially produced software. Raytheon says that ‘it has not sold the software – named Riot, or Rapid Information Overlay Technology – to any clients’ but it will. It’s commercially motivated – and investigations by groups such as Privacy International have shown that surveillance technology is sold to authoritarian regimes and others around the world in an alarming way.

If you build it, they will come

The real implication is that when software like this is developed, the uses will follow. Perhaps it will be used at first for genuinely helpful purposes – tracking real terrorists, finding paedophiles etc (and you can bet that the fights against terrorism and child abuse will be amongst the first reasons wheeled out for allowing this kind of thing) – but those uses will multiply. Fighting terrorist will become fighting crime, which will become fighting disorder, which will become fighting potential disorder, which will become locating those who might have ‘unhelpful’ views. Planning a protest against the latest iniquitous taxation or benefits change? Trying to stop your local hospital being shut or your local school being privatised? Supporting the ‘wrong’ football team?

Just a quick change in the search parameters and this kind of software, labelled by the Guardian a ‘google for spies’, will track you down and predict your next moves. Big Brother would absolutely love it.

A perfect storm for surveillance

This is why, in the end, we should worry about both corporate and government surveillance. The more that private businesses gather data, the better they get at profiling, even for the most innocuous of purposes, or for that all too common one, making money, the more that this kind of data, these kinds of techniques, can be used by others.

We should worry about all of this – and fight it on all fronts. We should encourage people to be less blasé about what they post on Facebook. I may be a bit extreme in regularly recommending that people leave Facebook (see my 10 reasons to leave Facebook post) because I know many people rely on it at the moment, but we should seriously advise people to rely on it less, to use it more carefully – and to avoid things like geo-location etc (see my what to do if you can’t leave Facebook post). We should oppose any and all government universal internet surveillance programmes – like the Snoopers’ Charter – and we should support campaigns like that of Privacy International against the international trade in surveillance technology.

Facebook and others create a platform. We put in all our data. Technology firms like Raytheon write the software. It all comes together like a perfect storm for surveillance.

Google, privacy and a new kind of lawsuit

Today is Data Privacy Day – and new lawsuit has been launched against Google in the UK – one which highlights a number of key issues. It could be very important – a ‘landmark case’ according to a report on Reuters. The most notable thing about the case, for me, is that it is consumer-led: UK consumers are no longer relying on the authorities, and the Information Commissioner’s Office in particular, to safeguard their privacy. They’re taking it into their own hands.

The case concerns the way that Google exploited a bug in Apple’s Safari browser to enable it to bypass customers’ privacy settings. As reported on Reuters:

“Through its DoubleClick adverts, Google designed a code to circumvent privacy settings in order to deposit the cookies on computers in order to provide user-targeted advertising. The claimants thought that cookies were being blocked on their devices because of Safari’s strict default privacy settings and separate assurances being given by Google at the time. This was not the case.”

The group of consumers have engaged noted media and telecomms lawyers Olswang for the case. Dan Tench, the partner at Olswang responsible for the case, told Reuters:

“Google has a responsibility to consumers and should be accountable for the trust placed in them. We hope that they will take this opportunity to give Safari users a proper explanation about what happened, to apologise and, where appropriate, compensate the victims of their intrusion.”

For further information – and if you want to join the action – Tench can be contacted by email at daniel.tench@olswang.com

There’s also a Facebook page for the suit: https://www.facebook.com/SafariUsersAgainstGooglesSecretTracking

What’s important here?

The case highlights several crucial aspects of privacy on the net. The first is the extent to which we can – or should be able to – rely on the settings we make on our browsers. What was happening here is that those settings were being overridden. Now it’s a moot point quite how many people use their privacy settings – or indeed even know that they exist – but if those settings are being overridden by anyone, let alone a company as big and respected as Google, it’s something that we need to know about and to fight. Browser settings – and privacy settings in general – are the key control, perhaps the only control, that individuals have over their online privacy, so we need to know that they work if we are to have any trust. A lack of trust is something that damages everyone.

The second is that the case highlights that users aren’t going to take things lying down – and neither are they going to rely on what often seem to be supine regulators, regulators unwilling to take on the ‘big boys’ of the internet, regulators who seem to take their role as supporters of business much more seriously than their role as protectors of the public. Alexander Hanff, a privacy advocate who is assisting Olswang on this case, said that:

“This group action is not about getting rich by suing Google, this lawsuit is about sending a very clear message to corporations that circumventing privacy controls will result in significant consequences. The lawsuit has the potential of costing Google £10s of millions, perhaps even breaking £100m in damages given the potential number of claimants – making it the biggest group action ever launched in the UK. It should also be seen as a message to the Information Commissioner’s Office that they are in contempt of the British public and are not doing their job.”

This last point is crucial – and it may suggest not that the Information Commissioner’s Office are not doing their job but that their job is one that needs redefining. The ICO sometimes appears to be caught between two stools – their role is more complex than just as protectors of the public. They’re not a Privacy Commissioner’s Office – and perhaps that is what we need. An office with teeth whose prime task is to protect individuals’ privacy.

What happens next?

This lawsuit will be watched very carefully by everyone in the field of online privacy. The number of people who join the case is one question – there are plenty who could, as Safari, though somewhat a niche browser on computers, is the default browser on iPhones, so is used by many millions in the UK. How it progresses has yet to be seen – there are many different possibilities. If nothing else, I hope it acts as a wake-up-call for all involved: Google, the ICO, and the public.

Turning the tables…

————————————————————————–

A smile starts to appear on the leader’s face. ‘What next?’ he asks.

‘Next we need to set up a system to be able to search through all that information – some kind of filtering system to find what we want to find.’

‘You mean like a kind of Google for private communications and internet activities?’

Your leader smiles and rubs his hands together. ‘Go for it,’ he says.

————————————————————————–

This is the opening section of an article I’ve just had published in Digital Frontiers, the new volume of the excellent Index on Censorship. It’s a fascinating magazine – and this edition includes pieces by such luminaries as Rebecca MacKinnon, Ethan Zuckerman, Gabriella Coleman, Jennifer Granick, Privacy International’s Eric King amongst others. It covers many different aspects of the issues surrounding the internet – from free speech and surveillance to child protection and the power of microblogs.

I feel privileged to have been able to contribute – my piece, as the opening might suggest, is about the dangers of the UK’s Communications Data Bill, the ‘snoopers’ charter’ in terms of free speech, and how it could contribute to a worldwide ‘chilling effect’. I’d seriously recommend buying the magazine – it’s currently available only in print form – not for my piece, but for all the rest, and to support the excellent work of Index on Censorship.

You can find details of how to buy it – and to subscribe to Index on censorship, by clicking here…

The politics of privacy…

The news that the Lib Dems are apparently ready to ‘ditch’ the Communications Data Bill – the Snoopers Charter – will come as welcome news to privacy advocates and other supporters of civil liberties. As with too many things ‘Lib Dem’, it’s still very much a maybe… but even if the Lib Dems do come out as firmly against the bill, that may not be enough to defeat it, even with the committee report, due out shortly, likely to be highly critical of the bill. The problem is a deep one, connected with the party politics of the UK. All three major political parties are deeply conflicted over the issues – and that conflict may well allow the proposal to be pushed through regardless of the apparent opposition of the people, of civil society, of the main players of the internet industry and many more. The situation is far from clear cut, however, and there are threads within each party that work both for and against the idea.

Tories…

The Tories, as very much the senior party in the Coalition, are to a great extent right behind the programme: after all, they’re the ones proposing it. In some ways the programme fits directly into some traditional Tory agendas: ‘Law and Order’ has long been central to Conservative politics, from the more extreme ‘hang ‘em and flog ‘em’ sections of the party to the slightly more rational ‘prison works’ mantra of Michael Howard et al. Moreover, a certain kind of old-fashioned patriotism could be said to fit in with the anti-terrorist agenda – and it’s easy to see the ‘if you’ve got nothing to hide, you’ve got nothing to fear’ argument used by those who essentially see criminals and terrorists as basically ‘evil’, distinct from and a threat to good, ordinary people.

On the other hand, there is another strong, traditional thread in Conservatism that goes directly against the idea of surveillance on this kind of scale and in this kind of way – and it should be no surprise that one of the most eloquent and consistent speakers against the programme has been David Davis. Civil liberties should be central to Conservative philosophy – and in particular the kind of civil liberties that protect against intrusion into privacy. An Englishman’s home is his castle, after all! What’s more, the kind of programme envisaged smacks of ‘big government’, and the ‘nanny state’, things that a Tory should instinctively reject. David Davis expresses this view very well – and I’m sure what he says resonates with a lot of Tory MPs and Tory supporters.

Labour…

Labour may well be even more conflicted over the issue than the Tories. On the one hand Labour is supposed to stand up for the little people against oppression and control, and there is a strong association between the left wing and the ideas of freedom that this kind of a programme deeply undermines.Anyone who remembers the Thatcher years knows all too well how the forces of the police and even military intelligence were used against the unions (and not just during the miners’ strike) and against ‘left wing’ groups such as CND – the recent scandal of long term police infiltration into environmental groups (including long term relationships between undercover officers and and activists) fits into this pattern.

…and yet there are three strong factors that make Labour far from certain to oppose the programme. Firstly, there’s an authoritarian streak on the left – it would be unfair to suggest it might be a touch ‘Stalinist’, but there’s a certain degree of a ‘command and control’ attitude from some, and a sense that government needs to take a grip of things in this kind of a way. Secondly, there’s the long term need of the Labour Party to counter the Tory argument that Labour are ‘soft’ on crime – this attitude verged on paranoia during the last Labour administration, and is still clear in the current Labour party. Thirdly, there’s the deep problem surrounding the ‘War on Terror’ and the Labour Party’s role in it: Tony Blair and Gordon Brown were more than complicit in the ‘War on Terror’, they drove it forward. These three factors produced a series of desperately authoritarian Home Secretaries, each bringing in more draconian and anti-civil libertarian measures than the last. David Blunkett, Charles Clarke and John Reid presided over some of the most appalling pieces of policy in living memory, from the push towards ID cards to the data retention measures that ultimately lie behind the current programme.

For Labour, the challenge is to break with the past – to admit (or at least recognise) that mistakes were made by the last administration, and to be brave enough to say that Blair and Brown got this wrong. That last part it really hard to do for politicians at the best of times – and the signs are not good. Yvette Cooper’s stance against the idea of giving prisoners the vote show that the authoritarian streak in Labour is still present and strong.

The Lib Dems

In one way, the Lib Dems should be the least conflicted – which is, perhaps, why they’re the party that seems readiest to come out against the proposal. These measures are pretty fundamentally ‘illiberal’, and the Liberal Democrats as a party should be simply and directly against them. A few short weeks before the last general election I heard Nick Clegg speak excellently at the Privacy International 25th Birthday Party, talking directly about the rise of the ‘database state’ under Labour and how directly opposed to such things he was both personally and politically. For the Lib Dems, there really shouldn’t be an issue – and if they were currently in opposition, against a majority Tory government, I’d be willing to bet a lot of money that as a party they’d oppose the measure.

…but they’re not in opposition. They’re part of the coalition, and that brings with it several pieces of baggage. First of all, they have to work with the Tories – and in particular, Nick Clegg has to work with David Cameron. Secondly, they have to appear ‘governmental’ – and Nick Clegg wants to look ‘statesmanlike’, which many politicians seem to think means doing the wrong, illiberal and unpopular thing, to appear more ‘responsible’. Thirdly, if they come out against this, many of their supporters may ask why they didn’t come out against other policies – student fees, privatising the NHS, welfare, legal aid etc – which were just as much against ‘liberal’ principles. To an extent they’re hoist with their own petard. They’re part of this government now, and may feel they have to ‘see it through’. There have already been so many ‘betrayals’, one more hardly makes any difference….

Three parties, alike in turmoil

So all three parties have their internal conflicts – which makes them ripe for the ‘security lobby’ to exploit. It does, also, give an opportunity for opposition to the bill to be generated. The excellent Privacy International, the Open Rights Group, Big Brother Watch and others have worked very hard to oppose the current measures. The numerous written submissions to the parliamentary committee (which can be found here) were excellent – and substantially all highly critical of the proposal from a wide range of perspectives. If the committee’s report reflects the evidence submitted, their report should be devastating – and yet it may not be enough, if the political forces in favour of the ‘hard-line’ surveillance approach are too strong.

I’d like to think that these forces are not overwhelming – and that the ‘good’ side of each of the parties is able to resist, and to stop us being railroaded into something that, ultimately, I don’t think that many people, whatever their political persuasion, either want or believe that we really need. The politics of privacy are complex – one of the things that I have found particularly refreshing since I started working in the field is that is can unite people with otherwise very different political perspectives. Let’s hope that this unity is enough.

Note: this blog post is a reworking of my original posting in April, when the Bill first emerged… that can be found here

Taking a lead on privacy??

Two related stories about privacy and tracking are doing the rounds at the moment: both show the problems that companies are having in taking any sort of lead on privacy.

The first is about Apple, and the much discussed recent upgrade to their iOS, the operating system for the iPhone and iPad. There’s been a huge amount said about the problems with the mapping system (and geo-location is of course a huge privacy issue – as I’ve discussed before) but now there’s an increasing buzz about their newly introduced tracking controls. Apple, for the first time, have provided users with the option to ‘limit ad tracking’ – though as noted in a number of stories, including this one from Business Insider, that option is hidden away, not in the vaunted ‘Privacy’ tab, but under a convoluted set of menus (first ‘General’ settings, then ‘About’, then scroll down to the bottom to find ‘Advertising’, then click ‘Limit Ad Tracking’). Not easy to find, as even the techie and privacy geeks that I converse with on twitter have found.

This of course raises a lot of issues – it’s great to have the feature, but the opposite to have it hidden away where only the geeks and the paranoid will find it. It looks as though the people at Apple have been thinking hard about this, and working hard at this, and have come up with an interesting (and perhaps effective – but more on that below) solution, but then been told by someone, somewhere, that they should hide it for fear of upsetting the advertisers. I’d love to know the inside story on this – but Apple are rarely quite as open about their internal discussions as they could be.

There’s a conflict of motivations, of course. On the one hand, Apple wants to make customers happy, and there is increasing evidence that customers don’t want to be tracked – most recently this excellent paper from Hoofnagle, Urban and Li, appropriately entitled “Privacy and Modern Advertising: Most US Internet Users Want ‘Do Not Track’ to Stop Collection of Data about their Online Activities”. On the other hand, Apple don’t want to annoy the advertisers – particularly when the market for mobile is getting increasingly competitive. And the advertisers seem to be on a knife edge at the moment, very touchy indeed, as the latest spats over the ‘Do Not Track’ initiative have shown.

That’s the second story doing the rounds at the moment: the increasing acrimony and seemingly bitter conflict over Do Not Track. It’s a multi-dimensional spat, but seems to have been triggered by Microsoft’s plan to make do not track ‘on’ by default – something that the advertising industry are up in arms about. The ‘Digital Advertising Alliance’ issued a statement effectively saying they would simply ignore Microsoft’s system and track anyway – which led to privacy advocates suggesting that the advertisers wanted to kill the whole Do Not Track initiative. This is Jeff Chester of the Center for Digital Democracy:

“The DAA is trying to kill off Do Not Track. Its announcement today to punish Microsoft for putting consumers first is an extreme measure designed to strong-arm companies that care about privacy.”

Chester and others saying similar things may be right – and it makes people like me wonder if the whole problem is that the ‘Do Not Track’ initiative was never really intended to work, but was just supposed to make people think that their privacy was protected. If it actually got some teeth – and setting it to a default ‘on’ position would be the first way to give it teeth – then the industry wouldn’t want it to exist. There are other huge issues with Do Not Track anyway. As the title of the Hoofnagle, Urban and Li report suggested, people think ‘Do not track’ means they won’t be tracked – that their data won’t be collected at all – while the industry seems to think what really matters to people is that they aren’t targeted – i.e. their data is still collected, and they’re still tracked and profiled, but that tracking isn’t used to send advertisements to them. For me, that at least is completely clear. Do Not Track should mean no tracking. Blocking data collection is more important than stopping targetting – because once the data is collected, once the profiles are made, they’re available for misuse later down the line.

That, far deeper point, is still not being discussed sufficiently. The battle is at a more superficial level – but it’s still an important battle. Who matters more, the consumers or the advertisers? Advertisers would have us believe that by stopping behavioural targetting we will break the whole economic basis of the internet – but that is based on all kinds of assumptions and presumptions, as Sarah A Downey pointed out in this piece for TechCrunch “The Free Internet Will Be Just Fine With Do Not Track. Here’s Why.” At the recent Amsterdam Privacy Conference, Simon Davies, one of the founders of Privacy International, made the bold suggestion that the behavioural targetting industry should simply be banned – and there is something behind his argument. Right now, the industry is not doing much to improve its image: seeming to undermine the whole nature of Do Not Track does not make them look good.

There’s another spectre that the industry might have to face: the European Union is getting ready to act, and when they act, they tend to do things without a great deal of subtlety, as the fuss around the Cookie Directive has shown. If the advertisers want to avoid heavy-handed legislation, they should beware: ‘Steelie’ Neelie Kroes is getting impatient. As reported in The Register, if they don’t stop their squabbling tactics over Do Not Track, she’s going to call in the politicians….

Someone, somewhere, has to take a lead on privacy. Apple had the chance, and to a great extent blew it, by hiding their tracking controls where the sun doesn’t shine. Microsoft seems to be making an attempt too, but will they hold their nerve in the face of huge pressure from the advertising industry – and even if they do, will their lead be undermined by the tactics of the advertising industry? If no-one takes that lead, no-one takes that initiative, the EU will take their kid gloves off… and then we’re all likely to be losers, consumers and advertisers alike….

Scrambling for safety?

This afternoon I was at ‘Scrambling for Safety’ – a fascinating conference, focussing on the proposed ‘Communications Capabilities Development Programme’, aptly if not entirely accurately dubbed the ‘snoopers’ charter’ by the media. The conference was organised by Privacy International, the Open Rights Group, the Foundation for Information Policy Research and Big Brother Watch – and had a truly stellar line-up, from Ross Anderson and Shami Chakrabati to MPs David Davis, Julian Huppert and Tom Brake, David Smith from the ICO, Professor Douwe Korff, former Chief Police Officer Sir Chris Fox QPM, noted cryptographer Whit Diffie and industry expert and rep Trefor Davies. Some of the best and most expert people from many different areas in the field.

Overall, it was a remarkable conference – I’m not going to try to summarise what people said, just to pick out some of the key things I took away from the event. Some lessons, some observations, so confirmations of what we already knew – and, sadly, some huge barriers that will need to be overcome if we are to be successful in beating this hugely misguided and highly dangerous project.

There are a LOT of people from all fields who are deeply concerned with this. The number of people – and the kind of people – who took their time to attend, at short notice, was very impressive.
This problem really does matter – I know I go on about privacy and related subjects a lot, but when I attend an event like this, and listen to these kinds of people talk, it reminds me how much is at stake.
The work of Privacy International, the Open Rights Group and Big Brother Watch needs to be applauded and supported! Getting this kind of an event to work in such a way was brilliant work – and Gus Hosein (PI), Eric King (PI), Jim Killock (ORG), Nick Pickles (BBW) and their colleagues did an excellent job.
David Davis is a really impressive – and I say that as someone generally diametrically opposed to his political views. On this subject, he really does get it, and in a way that almost no other politician in this country gets it.
As David Davis said, it really isn’t a party political issue – I’ve blogged before about this (here) but what happened at Scrambling for Safety made it even clearer than before. All the parties have their problems…
…and one of them was made crystal clear, by the very, very disappointing performance of Tom Brake MP, a Lib Dem MP and spokesperson on the issue. He seemed to offer nothing but a repeat of exactly the kind of propaganda spouted by apologists for the security lobby ad nauseam over the last decade or more. In fact, he said pretty much everything that Gus Hosein, in his opening to the conference, said that official spokespeople would say by way of misdirection and obfuscation. If Tom Brake is a representative of the ‘better-informed’ of MPs, we really are in trouble. It wasn’t just that his performance seemed that of a ‘yes-man’ or ‘career politician’, but that he simply didn’t seem to understand the issues, concerns, or even the technology involved.
Julian Huppert, also from the Lib Dems, was far more impressive – but of course he has no ‘official’ position. That seems to be the problem: anyone who understands this kind of thing is not ‘allowed’ to be involved in the decision-making process: or perhaps once they do get involved in any ‘official’ capacity, they lose (or have stripped away from them) the capacity for independent thought…
The police are NOT the enemy here – in fact, former Chief Constable Sir Chris Fox was one of the most impressive speakers, putting a strong case against this kind of thing from the perspective of the police. In the end, the police don’t really want this kind of thing any more than privacy advocates do. This kind of universal surveillance, he said, could overwhelm the police with data and detract from the kind of real police work that can actually help combat terrorism. Sir Chris was supported by another police officer, one of the audience, a former Special Branch officer, who confirmed all Sir Chris’s comments.
Sir Chris Fox also made what I thought was probably the most important observation about the whole counter-terrorism issue: that we have to accept there WILL be more terrorist incidents – but that this is balanced by the benefits we have from living in a free society.
The problem of ignorance matters on all levels – and in many different directions: technological, legal, practical, political. That’s the real problem here. People are pushing policies that they don’t understand, to deal with problems with which they have no real experience or knowledge…. politicians, civil servants, etc, etc, etc
I was very interested that Ross Anderson (who was excellent, as always) expects us to be able to defeat the CCDP – because once people understand what is at stake, they won’t accept it. He did, however, suggest that once we’ve defeated this, the next stage will be harder to defeat – that the security lobby will try to work through the providers directly, asking (for example) Google, Facebook etc to install ‘black boxes’ on their own systems, rather than through ISPs… and some of these providers will just do it… that’s harder to know about, and harder to combat.
Last, but far from least, David Davis made the point that though people who know and understand these issues are few and far between (though very well represented at the conference!), they can punch above their weight – the very fact that ‘we’ know how to use social media etc means that we can have more of an impact than our numbers might suggest.

This last point is the one that I came away with the most. We really NEED to punch above our weight – there’s a huge job to do. There was a great deal of energy, enthusiasm and expertise evident at Scrambling for Safety, but even by the end of the afternoon it was losing a bit of focus. We need to be focussed, coordinated and ‘clever’ in how we do this. Surveillance must be kept in the headlines – and we mustn’t let the kind of misdirection and distraction that politicians and their spin-doctors use far too often distract us from fighting against this.

What’s more, again as David Davis said, we don’t just need to stop this CCDP, we need to reverse the trend. The powers in RIPA, the data retention already done under the Data Retention Directive, are already too much – they need to be cut back, not extended or ‘modernised’. It will be a huge task – but one worth doing.