what do we know and what should we do about…? internet privacy

My new book, what do we know and what should we do about internet privacy has just been published, by Sage. It is part of a series of books covering a wide range of current topics – the first ones have been on immigration, inequality, the future of work and housing. 

This is a very different kind of book from my first two books – Internet Privacy Rights, and The Internet, Warts and All, both of which are large, relatively serious academic books, published by Cambridge University Press, and sufficiently expensive and academic as to be purchasable only by other academics – or more likely university libraries. The new book is meant for a much more general audience – it is short, written intentionally accessibly, and for sale at less than £10. It’s not a law book – the series is primarily social science, and in many ways I would call the book more sociology than anything else. I was asked to write the book by the excellent Chris Grey – whose Brexit blogs have been vital reading over the last few years – and I was delighted to be asked, because making this subject in particular more accessible has been something I’ve been wanting to do for a long time. Internet privacy has been a subject for geeks and nerds for years – but as this new book tries to show, it’s something that matters more and more for everyone these days.

It may be a short book (well, it is a short book, well under 100 pages) but it covers a wide range. It starts by setting the context – a brief history of privacy, a brief history of the internet, and then showing how we got from what were optimistic, liberal and free beginnings to the current situation – all-pervading surveillance, government involvement at every level, domination by a few, huge corporations with their own interests at heart. It looks at the key developments along the way – the world-wide-web, search, social networks – and their privacy implications. It then focusses on the biggest ‘new’ issues: location data, health data, facial recognition and other biometrics, the internet of things, and political data and political manipulation. It sketches out how each of these matters significantly – but how the combination of them matters even more, and what it means in terms of our privacy, our autonomy and our future.

The final part of the book – the ‘what should we do about…’ section – is by its nature rather shorter. There is not as much that we can do as many of us would like – as the book outlines, we have reached a position from which it is very difficult to escape. We have built dependencies that are hard to find alternatives to – but not impossible. The book outlines some of the key strategies – from doing our best to extricate ourselves from the disaster that is Facebook to persuading our governments not to follow the current ultimately destructive paths that it seems determined to pursue. Two policies get particular attention: Real Names, which though superficially attractive are ultimately destructive and authoritarian, fail to deal with the issues they claim to and put vulnerable people in more danger, and the current and fundamentally misguided attempts to undermine the effectiveness of encryption.

Can we change? I have to admit this is not a very optimistic book, despite the cheery pink colour of its cover, but it is not completely negative. I hope that the starting point is raising awareness, which is what this book is intended to do.

The book can be purchased directly from Sage here, or via Amazon here, though if you buy it through Amazon, after you’ve read the book you might feel you should have bought it another way!

 

Paul Bernal

February 2020

Why is Apple fighting the FBI?

The conflict between Apple and the FBI over the San Bernardino shooter’s iPhone has already had a huge amount of coverage, and that’s likely to continue for a while. The legal details and the technical details have already been written about at great length, but what is perhaps more interesting is why Apple is making such a point here. It isn’t, as some seem to be suggesting, because Apple doesn’t take terrorism seriously, and cares more about the privacy rights of a dead terrorist than it does its responsibilities to past and future victims of terrorism. Neither is it because Apple are the great guardians of our civil liberties and privacy, taking a stand for freedom. Apple aren’t champions of privacy any more than Google are champions of freedom of speech or Facebook are liberators of the poor people of India.  Apple, Google and Facebook are businesses. Their bottom line is their bottom line. Individuals within all of those companies may well have particular political, ethical or moral stances in all these areas, but that isn’t the key. The key is business.

So why, in those circumstances, is Apple taking such a contentious stance? Why now? Why in this case? It is Apple, on the surface at least, that is making this into such a big deal – Tim Cook’s open letter didn’t just talk about the specifics of the case or indeed of iPhones, but in much broader terms:

“While we believe the FBI’s intentions are good, it would be wrong for the government to force us to build a backdoor into our products. And ultimately, we fear that this demand would undermine the very freedoms and liberty our government is meant to protect.”

It’s wonderful stuff – and from the perspective of this privacy advocate at least it should be thoroughly applauded. It should, however, also be examined more carefully, with several pinches of salt, a healthy degree of scepticism and a closer look at the motivations. Ultimately, Apple is taking this stance because Apple believes it’s in Apple’s interests to take this stance. There may be a number of reasons for this. In a broad sense, Apple knows that security – and this is very much a security as well as a privacy issue – is critical for the success of the internet and of the technology sector in general. Security and privacy are critical under-pinners of trust, and trust is crucial for business success. People currently do trust Apple (in general terms) and that really matters to Apple’s business. The critical importance, again in a broad sense, of security and trust is why the other tech giants – Google, Facebook, Twitter et al – have also lined up behind Apple, though their own brands and businesses rely far less on privacy than Apple’s does. Indeed, for Google and Facebook privacy is very much a double-edged sword: their business models depend on their being able to invade our privacy for their own purposes. Trust and security, however, are crucial.

In a narrower sense, Apple has positioned itself as ‘privacy-friendly’ in recent years – partly in contrast to Google, but also in relation to the apparent overreach of governmental authorities. Apple has the position to be able to do this – it’s business model is based on shifting widgets, not harvesting data – but Apple has also taken the view that people now really care about privacy, enough to make decisions at least influenced by their sense of privacy. This is where things get interesting. In the last section of my book, Internet Privacy Rights, where I speculate about the possibility of a more privacy-friendly future, this is one of the key messages: business is the key. If businesses take privacy seriously, they’ll create a technological future where privacy is protected – but they won’t take it seriously out of high-minded principle. They’ll only take it seriously because there’s money in it for them, and there will only be money in it for them if we, their customer, take privacy seriously.

That, for me, could be the most positive thing to come from this story so far. Not just Apple but pretty much all the tech companies (in the US at least) have taken stances which suggest that they think people do take privacy seriously. A few years ago that would have been much less likely – and it is a good sign, from my perspective at least. Ultimately, as I’ve argued many times before, a privacy-friendly internet is something that we will all benefit from – even law enforcement. It is often very hard to see it that way, but in the long term the gains in security, in trust and much more will help us all.

That’s why in the UK, the Intelligence and Security Committee’s report criticised the new Investigatory Powers Bill for not making protection of privacy more prominent. As they put it:

“One might have expected an overarching statement at the forefront of the legislation, or to find universal privacy protections applied consistently throughout the draft Bill”

It is also why the FBI is playing a very dangerous game by taking on Apple in this way. Whilst it is risky for Apple to be seen as ‘on the side of the terrorists’ it may be even more risky for the FBI (and by implication the whole government of the US) to be seen as wanting to ride roughshod over everyone’s privacy. This is a battle for hearts and minds as much as a battle over the data in one phone, data that it is entirely possible is pretty much useless. Right now, it is hard to tell exactly who is winning that battle – but right now my money would be on the tech companies. I hope I’m right, because in the end that would be to the benefit of us all.

 

So who’s breaking the internet this time?

I’m not sure how many times I’ve been told that the internet is under dire threat over the last few years. It sometimes seems as though there’s an apocalypse just around the corner pretty much all the time. Something’s going to ‘break’ the internet unless we do something about it right away. These last few weeks there seem to have been a particularly rich crop of apocalyptic warnings – Obama’s proposal about net neutrality yesterday being the most recent. The internet as we know it seems as though it’s always about to end.

Net neutrality will destroy us all…

If we are to believe the US cable companies, Obama’s proposals will pretty much break the internet, putting development back 20 years. How many of us remember what the internet was like in 1994? Conversely, many have been saying that if we don’t have net neutrality – and Obama’s proposals are pretty close to what most people I know would understand by net neutrality – then the cable companies will break the internet. It’s apocalypse one way, and apocalypse the other: no half measures here.

The cable companies are raising the spectre of government control of the net, something that has been a terror of internet freedom activists for a very long time – in our internet law courses we start by looking at John Perry Barlow’s 1996 ‘Declaration of the Independence of Cyberspace’, with its memorable opening:

“Governments of the Industrial World, you weary giants of flesh and steel, I come from Cyberspace, the new home of Mind. On behalf of the future, I ask you of the past to leave us alone. You are not welcome among us. You have no sovereignty where we gather.” 

Another recent incarnation of this terror has been the formerly much hyped fear that the UN, through the International Telecommunication Union (ITU) was about to take over the internet, crushing our freedom and ending the Internet as we know it. Anyone with real experience of the way that UN bodies work would have realised this particular apocalypse had next-to-no chance of every coming into fruition, and last week that must have become clear to most of even the more paranoid of internet freedom fighters, as the ITU effectively resolved not to even try… Not that apocalypse, at least not now.

More dire warnings and apocalyptic worries have been circling about the notorious ‘right to be forgotten’ – either in its data protection reform version or in the Google Spain ruling back in May. The right to be forgotten, we were told, is the biggest threat to freedom of speech in the coming decade, and will change the internet as we know it. Another thing that’s going to break the internet. And yet, even though it’s now effectively in force in one particular way, there’s not much sign that the internet is broken yet…

The deep, dark, disturbing web…

At times we’re also told that a lack of privacy will break the net – or that privacy itself will break the net. Online behavioural advertisers have said that if they’re not allowed to track us, we’ll break the economic model that sustains the net, so the net itself will break. We need to let ourselves be tracked, profiled and targeted or the net itself will collapse.  The authorities seem to have a similar view – recent pronouncements by Metropolitan Police Commissioner Bernard Hogan-Howe and new head of GCHQ Robert Hannigan are decidedly apocalyptic, trying to terrify us with the nightmares of what they seemingly interchangeably call the ‘dark’ web or the ‘deep’ web. Dark or deep, it’s designed to disturb and frighten us – and warn us that if we keep on using encryption, claiming anonymity or pseudonymity or, in practice, any kind of privacy, we’ll turn the internet into a paradise only for paedophiles, murderers, terrorists and criminals. It’s the end of the internet as we know it, once more.

And of course there’s the converse view – that mass surveillance and intrusion by the NSA, GCHQ etc, as revealed by Edward Snowden – is itself destroying the internet as we know it.

Money, money, money

Mind you, there are also dire threats from other directions. Internet freedom fighters have fought against things like SOPA, PIPA and ACTA – ways in which the ‘copyright lobby’ sought to gain even more control over the internet. Again, the arguments go both ways. The content industry suggest that uncontrolled piracy is breaking the net – while those who fought against SOPA etc think that the iron fist of copyright enforcement is doing the same. And for those that have read Zittrain’s ‘The Future of the Internet and How to Stop It’, it’s something else that’s breaking the net – ‘appliancization’ and ‘tethering’. To outrageously oversimplify, it’s the iPhone that’s breaking the net, turning it from a place of freedom and creativity into a place for consumerist sheep.

It’s the end of the internet as we know it…..

…or as we think we know it. We all have different visions of the internet, some historical, some pretty much entirely imaginary, most with elements of history and elements of wishful thinking. It’s easy to become nostalgic about what we imagine was some golden age, and fearful about the future, without taking a step back and wondering whether we’re really right. The internet was never a ‘wild west’ – and even the ‘wild west’ itself was mostly mythical – and ‘freedom of speech’ has never been as absolute as its most ardent advocates seem to believe. We’ve always had some control and some freedom – but the thing about the internet is that, in reality, it’s pretty robust. We, as an internet community, are stronger and more wilful than some of those who wish to control it might think. Attempts to rein it in often fail – either they’re opposed or they’re side-stepped, or they’re just absorbed into the new shape of the internet, because the internet is always changing, and we need to understand that. The internet as we know it is always ending – and the internet as we don’t know it is always beginning.

That doesn’t mean that we shouldn’t fight for what we want – precisely the opposite. We should always do so. What it does mean is that we have to understand is that sometimes we will win, and sometimes we will lose. Sometimes it will be good that we win, sometimes it will be good when we lose. Whatever happens, we have to find a way – and we probably will.

Samaritans Radar – underestimating people…

Yesterday, after a huge struggle, Samaritans finally decided to suspend its new app, Samaritans Radar. It took them a long time to do it, and there was a lot of pain on the way. The Samaritans have lost trust, and a fair number of people respect them less than they did before the saga began – not least because, even now, the Samaritans don’t seem to have grasped what has gone on. They still seem to think the app has had to be pulled because of the way that privacy concerns were raised – the implication being that a bunch of activists on the internet derailed a valid and important project. Very much the opposite is the case: Samaritans Radar had to be pulled because the app, and those behind it, misunderstood the nature of the very people they should have been helping.

In a wide range of ways they underestimated those people. They underestimated how much people care about their autonomy (and related to that, their privacy). They underestimated people’s ability to work out what was going on, to analyse and understand not just how the app worked but what the impact of the app might be. They underestimated people’s ability to organise, to bring in experts to support them, to work with the media – and to support each other. They underestimated people’s ability to achieve something.

The campaign that eventually led to the suspension of Samaritans Radar was led by what is an active and very positive ‘mental health community’ on Twitter. This isn’t a bunch of out-of-touch ‘keyboard warriors’ as some people seem to have suggested. It’s remarkably varied: people who have or have had mental health issues, people working in the field of mental health, privacy advocates, social media professionals, academics, media people – and many people who have a complex mixture of all of these. Many of those now working as mental health professionals have also had mental health issues themselves. It’s not an ‘official’ campaign of any kind – it’s a bunch of people who connect with each other on an ad hoc basis (one of the best things about Twitter) and who coalesced around this issue. I was brought into it by someone I know only through Twitter – but someone who I respect very much for his views, his perspective and his understanding. That’s the thing – respect. And that’s where Samaritans let themselves down so badly. It looked as though they didn’t respect exactly the people they should have respected.

People who have suicidal thoughts, people with mental health issues and so forth don’t have any less desire for autonomy than other people. They don’t have any less need for autonomy than other people. They don’t have any less ability than other people – because they’re people! They come from every walk of life, and have every range of skills. Of course there are people here who care about this kind of thing who also have huge amounts of ability to express themselves, to campaign, to investigate and respond – and Samaritans as much as anyone should know that. They should have understood that before they developed the app – and should have been able to anticipate the issues, and avoid them.

“Privacy, particularly in its aspect as a protector of autonomy, is something that people want and expect. When it is invaded, when people’s autonomy is overly restricted, people react and dislike it. One common thread of the case studies throughout this book is that it appears that the more people know about how, when and where their privacy has been invaded, the more they want to protect that privacy. In the end, businesses need to understand this if they are to meet consumer desires.”

That’s a quote from my book, Internet Privacy Rights: Rights to Protect Autonomy – from the first chapter (p21). It’s referring to businesses – the case studies in the book are mostly business-related – but it applies equally directly to charities like the Samaritans. The issue of autonomy is the key – people want autonomy, they think they have a right to autonomy, and they will fight to protect that autonomy. In the case of Samaritans Radar, they did fight to protect that autonomy.

So what can Samaritans do now? They’ve taken the first step by suspending the app. Next, they need to think a bit harder about why that had to happen – and not try to pretend it was a fine app brought down by unnecessary complaints. Then, most importantly, they need to consult much more widely – and in particular, they need to talk to the very people who brought down the app: the campaigners, the Twitter activists and so on. They need to face up to the concerns that people have – and understand why people care about their autonomy and their privacy. It’s hard to see a future for the app – but if they are going to try to resurrect it, they need to understand why the people on Twitter fought so hard against it. They didn’t do it out of perversity, out of some theoretical and misplaced belief in privacy: they did it because it threatened their autonomy, their agency, something that everyone holds very dear.

If the Samaritans don’t understand this, and try another relaunch along the same lines as before, it will be fought again. And it will lose.