The IP Bill: opaqueness on encryption?

One thing that all three of the Parliamentary committees that reviewed the Draft Investigatory Powers Bill agreed upon was that the bill needed more clarity over encryption.

This is the Intelligence and Security Committee report:

[Screenshot: extract from the Intelligence and Security Committee report]

This is the Science and Technology Committee report:

[Screenshot: extract from the Science and Technology Committee report]

This is the Joint Parliamentary Committee on the Investigatory Powers Bill:

[Screenshot: extract from the Joint Parliamentary Committee report]

In the new draft Bill, however, this clarity does not appear to have been provided – at least as far as most of the people who have been reading through it have been able to determine. There are three main possible interpretations of this:

  1. That the Home Office is deliberately trying to avoid providing clarity;
  2. That the Home Office has not really considered the requests for clarity seriously; or
  3. That the Home Office believes it has provided clarity.

The first would be the most disturbing – particularly as one of the key elements of the Technical Capability Notices as set out both in the original draft bill and the new version is that the person upon whom the notice is served “may not disclose the existence or contents of the notice to any other person without the permission of the Secretary of State” (S218(8)). The combination of an unclear power and the requirement to keep it secret is very dangerous.

The second possibility is almost as bad – because, as noted above, all three committees were crystal clear about how important this issue is. Indeed, their reports could be seen as models for the Home Office as to how to make language clear. Legal drafting is never quite as easy as it might be, but it can be clear and should be clear.

The third possibility – that they believe they have provided clarity – is also pretty disastrous in the circumstances, particularly as the amount of time that appears to be being made available to scrutinise and amend the Bill appears likely to be limited. This is the interpretation that the Home Office ‘response to consultations’ suggests – but people who have examined the Bill so far have not, in general, found it to be clear at all. That includes both technological experts and legal experts. Interpretation of law is of course at times difficult – but that is precisely why effort must be put in to make it as clear as possible. At the moment whether a backdoor or equivalent could be demanded depends on whether it is ‘technically feasible’ or ‘practicable’ – terms open to interpretation – and on interdependent and somewhat impenetrable definitions of ‘telecommunications operator’, ‘telecommunications service’ and ‘telecommunications system’, which may or may not cover messaging apps, hardware such as iPhones and so forth. Is it clear? It doesn’t seem clear to me – but I am often wrong, and would love to be corrected on this.

This issue is critical for the technology industry. It needs to be sorted out quickly and simply. It should have been done already – which is why the first possibility, that the lack of clarity is deliberate, looms larger than it ordinarily would. If it is true, then why have the Home Office not followed the advice of all three committees on this issue?

If on the other hand this is simply misinterpretation, then some simple, direct redrafting could solve the problems. Time will tell.

The Surveillance Elephant in the Room…

Yesterday’s decision in the Court of Justice of the European Union (CJEU) in what has been dubbed the ‘Europe vs Facebook’ case was, as the Open Rights Group puts it, a ‘landmark victory for privacy rights’. Much has already been written about it. I do not propose to cover the same territory in any depth – the Open Rights Group blog post linked to above gives much of the background – but instead to examine the response of the European Commission, and the elephant in the Commission’s room: surveillance.

The judgment was published yesterday morning, and its essence was very simple. The ‘safe harbor’ agreement, which effectively allows personal data to be transferred from the EU to the US by some 4,000 or so companies, was declared invalid, because though under the agreement the relevant US companies promise to provide protection for that data in many ways – security, promising not to repurpose it, misuse it, hold it longer than necessary and so forth, essentially along the lines of European Data Protection law – there was one thing that it could not provide protection from: surveillance by the US authorities.

As the CJEU put it (paragraph 94 of the ruling):

“…legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life…”

This is where the European Commission comes in. It was the Commission that made the ‘safe harbor’ decision, setting up the safe harbor system, which should, in accordance with data protection law, have ensured that data was adequately protected in the US. The Commission did not ensure that – and did not even state that it did – primarily because the state of US surveillance law (and, as far as we know, US surveillance practice) could not allow it. US surveillance law means that ‘national security, public interest, or law enforcement requirements’ override privacy and other rights where non-US citizens are concerned, and EU citizens have no form of protection against this, or legal remedies available.

The Elephant in the Room

This, it must be clear, is a fundamental issue. If the US can do this, without control or redress, then whatever systems are in place, whatever systems are brought in to replace the now invalidated ‘Safe Harbor’, will similarly breach fundamental privacy rights. No new ‘safe harbor’, no individual arrangements for particular companies, no other sidestepping plans would seem to be possible. Unless US surveillance law – and US surveillance practice – is changed, no safe harbor would seem to be possible.

The Commission, however, does not seem willing – or perhaps ready – to confront this issue. Their brief statement in response to the ruling, published yesterday afternoon, does not mention surveillance even once. That in itself is quite remarkable. The closest it gets to accepting what is, in fact, the essence of the ruling, is a tangential reference to ‘the Snowden revelations in 2013’ without mentioning anything about what those revelations related to. There is no mention of US surveillance law, of the NSA, of national security or of anything else relating to it. The surveillance elephant in the room looms over everything but the Commission seems to be pretending that it does not even exist.

The US authorities, however, are quite aware of the elephant – in a somewhat panicky press release last week, between the opinion of the Attorney General that presaged the CJEU ruling, the ‘US Mission to the European Union’ said that the ‘United States does not and has not engaged in indiscriminate surveillance of anyone, including ordinary European citizens’. They do not, however, seem to have convinced the CJEU of this. Far from it.

Heads in the sand

In a way it should not be a surprise that the Commission seems to have their heads in the sand about this issue. It is not at all easy to see a way out of this. Will the US stop or change its surveillance practices and law? It is hard to imagine that they would, particularly in response to a ruling in a European court. Can they provide convincing evidence that they are not engaging in mass, indiscriminate surveillance? Again it seems unlikely, primarily because the evidence points increasingly precisely the opposite way.

There are big questions about what actually constitutes ‘surveillance’ – does surveillance occur when data is ‘collected’, when it is accessed automatically or analysed algorithmically, or when human eyes are involved? The US (and UK) authorities suggest the latter, but the European Courts (both the CJEU and the European Court of Human Rights) have found that privacy rights are engaged when data is gathered or held – and rightly so, in the view of most privacy scholars. There are many reasons for this. There is a chilling effect of the existence of the surveillance apparatus itself and the ‘panopticon’ issue: we alter our behaviour when we believe we might be being watched, not just when we are watched. There is the question of data vulnerability – if data has been gathered, then it might be hacked, lost or leaked even before it is analysed. The very existence of the Snowden leaks makes it clear that even the NSA isn’t able to guarantee its data security. Fundamentally, where data exists, it is vulnerable. There are other arguments – the strength of algorithmic analysis, for example, may well mean that there is more effective intrusion without human involvement in the process, the importance of meta-data and so forth – but they all point in the same direction. Data gathering, despite what the US and UK authorities might wish to say, does interfere with our privacy. That means, in the end, that fundamental rights are engaged.

What happens next?

That is the big question. The invalidation of safe harbor has huge repercussions and there will be some manic lobbying taking place behind the scenes. The Commission will have to consider the surveillance elephant in the room soon. It isn’t going away on its own.

And behind that elephant there are other elephants: if US surveillance and surveillance law is a problem, then what about UK surveillance? Is GCHQ any less intrusive than the NSA? It does not seem so – and this puts even more pressure on the current reviews of UK surveillance law taking place. If, as many predict, the forthcoming Investigatory Powers Bill will be even more intrusive and extensive than current UK surveillance laws this will put the UK in a position that could rapidly become untenable. If the UK decides to leave the EU, will that mean that the UK is not considered a safe place for European data? Right now that seems the only logical conclusion – but the ramifications for UK businesses could be huge.

More huge elephants are also looming – the various world-wide trade agreements currently being semi-secretly negotiated, from the TPP (Trans-Pacific Partnership – between the various Pacific Rim countries including the US, Australia, NZ, Japan) to the TISA (the Trade In Services Agreement), TTIP (Transatlantic Trade and Investment Partnership – between the EU and the US) and CETA (Comprehensive Economic and Trade Agreement – between Canada and the EU)  seem to involve data flows (and freedom from government interference with those data flows) that would seem to fly directly in the face of the CJEU ruling. If data needs to be safe from surveillance, it cannot be allowed to flow freely into places where surveillance is too indiscriminate and uncontrolled. That means the US.  These agreements would also seem likely to allow (or even require) various forms of surveillance to let copyright holders ensure their rights are upheld – and if surveillance for national security and public safety is an infringement of fundamental rights, so would surveillance to enforce copyright.

What happens next, therefore, is hard to foresee. What cannot be done, however, is to ignore the elephant in the room. The issue of surveillance has to be taken on. The conflict between that surveillance and fundamental human rights is not a merely semantic one, or one for lawyers and academics, it’s a real one. In the words of historian and philosopher Quentin Skinner “the current situation seems to me untenable in a democratic society.” The conflict over Safe Harbor is in many ways just a symptom of that far bigger problem. The biggest elephant of all.

GCHQ: I’m not charmed yet….

A little over a week ago, GCHQ gave us a show. A giant poppy, part of the 2014 Armistice Day appeal. It was spectacular – and, for me at least, more than a little creepy.

[Image: GCHQ poppy]

The poppy display seems to have been part of something bigger: the term that immediately sprang to mind was ‘charm offensive’. GCHQ has, over the last year or so, been trying to charm us into seeing them as purely positive, despite the revelations of Edward Snowden. They’re trying to appear less secretive, more something to be admired and supported than something to be concerned about and made accountable. The poppy was an open symbol of that. Look at us, GCHQ seemed to be saying, we’re patriotic, positive, part of what makes this country great. Support us, don’t be worried about it. Love us.

I assume that the speech by Robert Hannigan, the new Director of GCHQ, was intended to be part of that charm offensive. For me, however, it had precisely the opposite effect. The full speech was published in the FT here – but I wanted to pick out a few points.

Privacy an absolute right?

The first, which made the headlines in the Guardian and elsewhere, is Hannigan’s statement that ‘privacy is not an absolute right’. He’s right – but we all know that, even the staunchest of privacy advocates. Privacy is a right held in balance with other rights and needs – with freedom of expression, for example, when looking at press intrusions, with the duty of governments to provide security and so forth. That’s explicitly recognised in all the relevant human rights documents – in Article 8 of the European Convention of Human Rights, for example, it says of the right to a private life that:

“There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others”

So we already know that privacy is not an absolute right – so why is Hannigan making the point? It’s hard to see this as anything but disingenuous – almost as though he wants to imply that foolish privacy advocates want to help terrorists by demanding absolute privacy. We don’t. Absolutely we don’t. What we want is to have an appropriate balance, for the interference in our privacy to be lawful, proportionate and accountable. At the moment, it’s not at all clear that any of that is true – there are legal challenges to the surveillance, deep doubts as to its proportionality and little evidence that those undertaking the surveillance are properly accountable. On the accountability front, it’s interesting that he should make such a speech at a time when the Intelligence and Security Committee of Parliament are undertaking a consultation – it made me wonder whether he’s trying to steer the committee in a particular direction.

Facebook – a tool for terrorists?

The other headline from the speech is the way Hannigan seems to be attacking Facebook and others for being too helpful to terrorists – which is an interesting reverse from the more commonly held view that they’re too helpful to the authorities. The argument seems to go that the ‘old’ forms of terrorists, exemplified by Al Qaeda, use the ‘dark web’, while the ‘new’ forms of terrorists, exemplified by IS, are using the social media – Facebook, Twitter and so forth. It’s an interesting point – and I’m sure there’s something in it. There’s no doubt that ‘bad guys’ do use what’s loosely called the dark web – and the social media activities of ‘bad guys’ all around the world are out there for all to see. Indeed, that’s the point – their visibility is the point. However, on the face of it, neither of those ‘facts’ support the need for the authorities to have better, more direct access to Facebook and so forth. Neither, on the face of it, is any justification for the kinds of mass data gathering and surveillance that seem to be going on – and that GCHQ and others seem to be asking us to approve.

By its very nature, the ‘dark web’ is not susceptible to mass surveillance and data gathering – so requires a more intelligent, targeted approach, something which privacy advocates would and do have no objection to. Social media – and Facebook in particular – don’t need mass surveillance either. To a great extent Facebook is mass surveillance. All that information is out there – that’s the point. It’s available for analysis, for aggregation, for pretty much whatever the authorities want it. And if Hannigan imagines that the secret activities of IS and others are undertaken on Facebook he’s more naive than I could imagine anyone in the intelligence services could be – they can’t have chosen to use Facebook and Twitter instead of using the dark web, but in addition to it. The secret stuff is still secret. The stuff on Facebook and Twitter is out there for all to see.

What’s more, there are already legal ways to access those bits of Facebook and Twitter that are not public – which is why the authorities already request that data on a massive scale.

Charming – or disarming?

Hannigan must know all of this – so why is he saying it? Does he think that the charm offensive has already worked, and that the giant GCHQ poppy has convinced us all that they’re wonderful, patriotic and entirely trustworthy? They may well be – I’m no conspiracy theorist, and suspect that they’re acting in good faith. That, however, is not the point. Trust isn’t enough here. We need accountability, we need transparency, we need honesty. Checks and balances. Not just charm.

Politics, surveillance and trust….

Themistocles grinned; it made me like him. “There you see it – that’s how we do it here. Among you Medes, I’m told, there are many men so honorable that everyone trusts them. We’re not like that at all – we never trust one another. So what we do instead is make sure that each side’s represented, so that every rascal’s got two worse looking over his shoulder.”

Gene Wolfe, Soldier of Arete.

I’ve always liked those words, put into the mouth of Themistocles by Gene Wolfe. Soldier of Arete is one of my favourite books – giving a very different perspective on the Ancient Greeks. Wolfe tries (and for me succeeds) to give a sense of what life might really have been like – not a place of divine nobility or unattainable grace, but a place inhabited by real people. Themistocles was one of the most successful of Athenian generals and politicians – someone around at the early days of what we these days call democracy. Wolfe’s version of Themistocles is a very much a likeable character, and a very grounded one. His view of democracy, of honour and of trust is one that seems both very real and very appropriate even for these days. Honour and trust are all very well, but for things to work well, we always need someone looking over people’s shoulders.

That’s particularly relevant to surveillance. ‘Quis custodiet ipsos custodes?’, to borrow another classical source. Who watches the watchmen? At the Intelligence and Security Committee ‘round table’ sessions on Tuesday (about which I wrote here) it was one of the key issues – as were the issues of honour and trust. The first question that Sir Malcolm Rifkind asked at our table was whether we thought the intelligence services acted with ‘good faith’. I understood him to mean, essentially, whether we trusted them. Whether we thought they were honourable people. My answer was that I did think they were acting in good faith – but that that is not enough. I’m not like the Mede with whom Themistocles was talking in Soldier of Arete, who thought some people are so honourable that they can be trusted completely. Good faith is a good start, but it’s not nearly enough. Limits on surveillance, controls, balances and strong oversight are still needed, no matter whether the intelligence services are acting in ‘good faith’, and regardless of whether they are honourable, trustworthy people. Even the most able and honourable people need to be overseen. They make mistakes. They can be misled. They can be confused. They can be given poor information and make inappropriate decisions. And are we sure they are honourable and acting in good faith? It doesn’t matter if almost all of them are – even a single person who isn’t and is given free rein is capable of creating a disaster.

That’s not to say, of course, that trust isn’t important. At a certain level, we have to trust people – human life would be impossible if we didn’t. In things like surveillance, that trust, however, needs to be earned. It needs to be demonstrated that people are worthy of what trust we give them – and right now, after the Snowden revelations, trust in the intelligence services is in a great deal of doubt. It needs to be rebuilt – and that means much more transparency is needed to start with, but also much more understanding. It needs to be made clear that those in authority understand why people are bothered by this. It means that they need to take our worries and concerns seriously.

Right now, too, it means that they can’t expect us to take what they tell us on trust. It means there should be a little more humility, a little more of what might be called ‘grace’. The way that the Data Retention and Investigatory Powers Act (DRIP) was steamrollered through parliament this summer showed none of this. The reverse: it showed contempt for people, and a huge amount of disrespect. The whole process, rather than helping to rebuild the trust, to demonstrate the good faith, to show that they are honourable people, reduced that trust, demonstrated bad faith, and suggested that they are far from honourable. And that goes for the ‘honourable members’ of parliament and for the intelligence services who presumably suggested the bill. I say ‘presumably’, because we really don’t know, and never got the chance to find out. Sir Malcolm Rifkind admitted on Tuesday that he didn’t understand RIPA: how many of the MPs who passed DRIP understood what they were passing? My guess is that they ‘trusted’ the people telling them it was needed, and decided that was enough.

Well, for me it wasn’t. Not nearly enough. We need much more – and I’m waiting.

Knights of the ISC Round Table….

Yesterday I took part in the ‘round table sessions’ of the Intelligence and Security Committee of Parliament’s ‘Privacy and Security Inquiry’. It was an interesting event – and an enjoyable one, though I hope that doesn’t mean that I’ve already begun the process of being ‘captured’ by the intelligence community. The round table sessions are part of the bigger inquiry – accompanied by public evidence sessions which are continuing through the week.

The whole thing was very informal – I found myself sitting next to Sir Malcolm Rifkind and opposite Lord Lothian around a small, round table, one of three such tables in the room. Yes, the round table sessions really involved round tables. Essentially, we had an hour to chat about whatever issues we felt mattered to the inquiry – we had been invited on the basis of the written evidence we had submitted to the inquiry, back in February this year (mine can be found here). Around the table were an academic computer scientist, what I would call a ‘real’ programmer, a human rights activist, myself, a former lawyer for MI5 and MI6, and the two members of the committee, Sir Malcolm Rifkind and Lord Lothian.

There were some very positive things about the discussion – both Rifkind and Lothian appeared to agree, after some resistance, on the first major point that we tried to argue (primarily myself and Izza Leghtas from Human Rights Watch): that the privacy invasion, and hence the first set of proper controls, need to be at the gathering stage, not the accessing stage for data. That, in practice, less data should be gathered and held, and for shorter periods. Moreover, that there should be judicial involvement at the gathering stage – indeed, David Bickford, former Legal Director for MI5 and MI6, thought judges should be involved far more in the whole process, from beginning to end, following the French model.

As part of that discussion, they really did appear to take on board that there are serious risks involved in just gathering and holding data – and seemed to be listening as we listed them!

Other points of agreement were that RIPA is, basically, an awful mess. Rifkind readily admitted that he really didn’t understand it. What that says for his (and the committee’s) ability to oversee the intelligence services is another matter. The feeling from all concerned was that whatever else happens, the law needs review and it needs to be clearer what it actually does – whether directly in the law or in accompanying guidance. It would be nice to see – but I am not holding my breath.

Three particularly interesting things came out of our brief discussion – and it was brief, because the hour we had went very fast. The first was that Sir Malcolm Rifkind made a very clear differentiation between the intelligence services and the other groups who can use RIPA. He made the argument that the intelligence services really can’t do you any harm unless you’re one of the ‘bad guys’ – and though this was perilously close to saying ‘if you’ve got nothing to hide’ he did acknowledge that it was not an argument that worked in relation to the police, to local authorities or to the other various bodies that utilise surveillance or gathered data. He seemed to suggest that all of those bodies – including the police – need much tighter controls. In the light of the current issues regarding police access to journalists’ communications data, this makes sense, but again it will be interesting to see whether it really amounts to anything.

The second was that David Bickford made the specific comment that if corporations do all the data gathering, analysis and so forth, then surely the intelligence services should be able to do the same. Why should we place more restrictions on the intelligence services than we do on Google and Facebook? When I suggested that perhaps this means that we should put more restrictions on Google and Facebook rather than less on the intelligence services, he laughed a bit, but did seem to get the point.

The third was that both Lord Lothian and Sir Malcolm Rifkind noted that the Human Rights Act provided protection – and when I teased him about the planned impending doom of the Human Rights Act, Rifkind almost winced, and said that there’s always the ECHR. I got the distinct feeling that Rifkind is not enamoured of Grayling’s plan for human rights, though he was far too diplomatic to say so.

Much more was said, and overall it was a good and fairly robust discussion – we all seemed to be able to say what we wanted, and the two committee members seemed genuinely to be listening. They are, however, politicians – and they were also very aware of the limitations of their own powers, and how hard it is to change things in this field with any speed. They were keenest of all on increasing transparency, and moving to a position where the default position is that information is disclosed, and is made public, rather than the opposite. I hope this happens….

….but I remain cynical about it all. The question of whether what the committee does actually has any impact on what the security and intelligence services do remains unanswered. Is this all just a PR exercise, or is there some more profound change going on? It will take a lot more than a few round table sessions, even with Knights like Sir Malcolm Rifkind, to convince me. However, I found myself just a smidgen less cynical than I was before the session started. Perhaps I’ve been captured after all.

Surveillance: ten ways to fight back!

Today, 11th February 2014, is ‘The Day We Fight Back’ – a day of campaigning against mass surveillance. It’s a day where campaigners are trying to raise awareness of the issue – and begin fighting against it. The big question is how can we fight back – what can we actually do. It often seems as though privacy is dead, and that there’s nothing we can do about it. I don’t think so – there are lots of things we can do, lots of things we must do. Here are just ten….

1     Support The Day We Fight Back

One of the most important things in the whole fight is to raise awareness – and to take advantage of opportunities to spread the message that surveillance is a big issue. Days like The Day We Fight Back help to do that. Check out the website here. Tweet about it. Blog about it. Talk about it with your friends and colleagues. Make it something that people notice.

2     Lobby your politicians – or unseat them!

Let the politicians know that you care about this – because, ultimately, they are supposed to be your representatives. It may not feel as though they listen to you much – but if enough people tell them the same thing, if enough people bother them, then they may finally get up off their backsides and do something. And if they don’t, use your vote against them. Politicians make a difference here – or rather they could, if they could be bothered. Most of them don’t understand what’s going on – try to educate them! Help them to understand, and don’t let them get away with bland, meaningless reassurances.

3     Don’t let the corporations off the hook!

The Snowden revelations were shocking, revealing a degree of governmental surveillance that surprised many people, and made a lot of people angry with their governments – but we shouldn’t be fooled into thinking this is just about governments, or just about specific agencies like the NSA and GCHQ. The malaise is far deeper than that – and corporations are in it right up to their necks. In many ways corporate surveillance is worse than governmental surveillance – it can have real impact on people, messing with their credit ratings and insurance premiums, affecting their job prospects, the prices they pay for things and more.

The NSA and GCHQ to a great extent piggyback on the surveillance that the corporates do, utilise the tools that the corporates create, mine the data that the corporates hold – if the corporates weren’t doing it, the agencies couldn’t tap into it. What’s more, corporations actively lobby to undermine privacy law, obfuscate over their privacy policies and do a lot more to undermine the whole concept of privacy. We shouldn’t accept that – let alone allow them to portray themselves as the good guys in this story. They’re not. Right now, they’re the henchmen and sidekicks of the NSA and GCHQ – if they want our support, they need to start supporting us.

4     Don’t just demand transparency – demand less surveillance!

There’s a lot of talk of transparency, particularly in relation to governmental requests for data from the likes of Google, Facebook, Twitter etc. Transparency is great – but it’s not nearly enough. We shouldn’t let ourselves be fobbed off with talk of transparency – we need less surveillance. We need to demand that surveillance is cut back – not just that there is better accountability and transparency. Accountability often ends up in farces like the UK’s Intelligence and Security Committee’s hearing with the heads of MI5, MI6 and GCHQ – no real scrutiny at all, just a bit of lip service and a lot of back-slapping. It’s not enough. Not nearly enough.

5     Join or support civil society

Civil society groups all over the world are key players in this – and they need your support. Here in the UK, the Open Rights Group, Privacy International and Big Brother Watch have been in the forefront of the campaigns against surveillance. In the US the Electronic Frontier Foundation have been crucial. In the Netherlands Bits of Freedom have done wonders. These, however, are not groups with the scale or resources of the governments and corporations that are behind the surveillance – so they need every bit of support they can get.

6     Challenge the media!

The mainstream media, for the most part, have not played the part that they could in the fight against mass surveillance. The Guardian has been an honourable exception – and their role in making sure that the Snowden story has seen the light of day has been, for me, one of the most important pieces of journalism for many years – but generally the whole issue has been the subject of far less attention than it should have had. That’s sadly common – because reporting of almost all technology matters is pretty disappointing. We need to challenge that – and shame the media into doing a better job. When they misreport stories about surveillance they should be challenged – using the social media, for example. And, perhaps even more importantly, when they report on technology without seeing the privacy aspects we should challenge that too. One key example right now is the subject of ‘Smart Meters’ – they have deep problems in relation to privacy, but when you see a report in much of the media it only talks of the advantages, not the risks. That’s not good enough.

7     Educate yourself

Part of the reason that surveillance has grown, almost without our noticing, is that far too many of us – and I’m certainly one of them – have not kept ourselves up to date. This year is supposed to be the ‘Year of Code’ – and though that campaign is pretty farcical it does highlight the fact that most of us don’t really know how the tech we use works. If we don’t know how it works, it’ll be much harder for us to protect ourselves. I’m making a commitment right now that I’m going to learn cryptography – and that I’m going to use it.

8     Use and support privacy friendly tech

That brings the next point. There are a lot of privacy-friendly tools out there and we should use them. Search with duckduckgo or startpage rather than Google. Use Ghostery or Abine’s DoNotTrackMe to monitor or block those who are tracking you – remembering that commercial trackers can be hijacked by the authorities. These are just a few of the tools available – and there are more coming all the time – but they need to be used in order to succeed. They need support if they are to grow.

9     Keep your eye on the news

There are more stories about surveillance and other invasions of privacy appearing all the time – keep your eye on the news for them, and let other people know about them. It’s hard to keep up, but don’t give up. Don’t expect to know everything, but if we don’t keep up with the news we aren’t going to be in a position to fight. Information is power – which is a great deal of what surveillance is about. We need to be informed in order to fight back.

10     Make sure the fightback isn’t just for a day

This is the most important thing of all. Campaigns for one day are pretty meaningless – and the authorities will generally let them ride, possibly with a few little comments but almost no action. Political pronouncement and political action need long-term campaigning. Shifts in attitudes don’t happen in a day – so we need to keep this campaign going…. and expect it to be a long, attritional fight. It won’t be easy – but it’s worth it.