Updated 16 October, 2013: See below for a note on the Electronic Frontier Foundation

 

I’m certainly not the only one to be blogging about digital privacy in the last few days. Thus far, most of the anger over the US National Security Agency’s PRISM program has been directed at the government. But they’re not the only ones involved. It’s been alleged that major online services providers, including AOL, Facebook, Google, Apple, Skype, Microsoft and others have given the government ‘back door’ access to their users’ data, though this has been disputed by the companies in question.

Some of the language used is very grand, and rightly so. To think that millions of people are the subject of everyday surveillance is out of keeping with everything we’ve come to believe about modern freedoms. Edward Snowden, the former intelligence specialist who has outed himself as the story’s leak, has been quoted justifying his actions by saying: “It is not that I do not value intelligence, but that I oppose . . . omniscient, automatic, mass surveillance. . . . That seems to me a greater threat to the institutions of free society than missed intelligence reports, and unworthy of the costs.”

A few years ago, a friend of mine in a knowledge-economy company told me she thought privacy was about to burst through as the defining sustainability issue for the sector. I have to confess I didn’t fully grasp it at the time, since ‘privacy’ has been on the internet agenda for as long as any of us can remember, and because it encompasses such a huge range of possible impacts. Privacy covers everything from protection of children’s identities online to political protest in countries of concern. Meanwhile, we users of web services have been warned time and time again about how to protect our interests, and a new round of reminders comes around every time Facebook updates their privacy policy.

This is no longer news. We know to a degree that our online lives leave our control when we click the mouse. We know that wiretapping laws allow access to our clicks these days as much to our phone calls.

We also know we’ve made a grand bargain with the purveyors of internet services we love and use every day – we know they’re not giving us this for ‘free’. They are mining our likes and dislikes, our interests, worries, prejudices, relationships, buying habits, desires – and they’re looking for ways to satisfy our needs and ambitions, principally through parting with our money.

But now we hear that government agencies – the most secretive and unaccountable such agencies, to boot – are using the very same data to monitor us routinely. Why does this change our analysis? Commercial interests mine our data all the time, and they have no duty to protect us.

Your privacy is extremely valuable to us

The difference may be that in the case of routine intelligence surveillance, this is just something we didn’t think democratic governments in free societies did. On the other hand, we’ve known for a long time that commercial surveillance (and they wouldn’t use this term; they’d call it data mining) is the price of free on the internet. (In a somewhat different, but related light, the newly introduced European social media privacy laws introduce a ‘right to be forgotten’, in response to the damage online information can do to individuals; critics contend the very name creates an unrealistic expectation of what control individuals can expect to have.)

It’s said that the expression ‘I have read and accept the Terms of Service’ is the biggest lie on the internet. But at least when we click the ‘Accept’ box on a commercial site, we accept the fact that such terms of service exist. We’ve not been given the option to click that box with respect to government surveillance. The service providers are required to assist in law enforcement; we just didn’t think we were legitimate targets.

Then again, what are they getting? Perhaps the term ‘target’ is part of the problem, in that nobody is actually ‘targeted’ by this program; we’re all just swept up in the giant trawling nets. The mining of this data isn’t done by real people; just as it is in the commercial world, no person is sitting down and looking at my Google searches. That’s left to algorithms, which look for patterns.

http://imgs.xkcd.com/comics/dwarf_fortress.png

The fact that the surveillance is done by computer rather than by sentient beings is no excuse. One reason why online privacy is such a thorny issue is that the computer code that enables big data applications doesn’t have anything against you or me, and doesn’t have any values or morals or sense of accountability governing its application or results.

One particularly interesting twist in this story is the fact that some of the biggest and best-known of the companies fingered in the snooping scandal are members of the Global Network Initiative, a program designed to instil respect for and protection of human rights on the internet. GNI members, including Facebook, Google, Microsoft and Yahoo! sign up to a set of principles, including the following, from GNI’s website:

Privacy

Privacy is a human right and guarantor of human dignity. Privacy is important to maintaining personal security, protecting identity and promoting freedom of expression in the digital age.

Everyone should be free from illegal or arbitrary interference with the right to privacy and should have the right to the protection of the law against such interference or attacks.

The right to privacy should not be restricted by governments, except in narrowly defined circumstances based on internationally recognized laws and standards. These restrictions should be consistent with international human rights laws and standards, the rule of law and be necessary and proportionate for the relevant purpose.

Participating companies will employ protections with respect to personal information in all countries where they operate in order to protect the privacy rights of users.

Participating companies will respect and protect the privacy rights of users when confronted with government demands, laws or regulations that compromise privacy in a manner inconsistent with internationally recognized laws and standards.

 

The recent revelations put this principle in jeopardy. How will online service providers give assurance that it has not been compromised? (Indeed, how can they reassure us that they even can implement the commitment they’ve made?) It also raises big questions about who’s responsible, and how:

Responsible Company Decision Making

The implementation of these Principles by participating companies requires their integration into company decision making and culture through responsible policies, procedures and processes.

Participating companies will ensure that the company Board, senior officers and others responsible for key decisions that impact freedom of expression and privacy are fully informed of these Principles and how they may be best advanced.

Participating companies will identify circumstances where freedom of expression and privacy may be jeopardized or advanced and integrate these Principles into their decision making in these circumstances.

Participating companies will implement these Principles wherever they have operational control. When they do not have operational control, participating companies will use best efforts to ensure that business partners, investments, suppliers, distributors and other relevant related parties follow these Principles.

We will no doubt hear more from the companies in question as events unfold. But the damage to their reputations and trustworthiness may be significant. They will be at pains to demonstrate their independence, good governance, and technical nous – all of which were never in any doubt in the past. They may find themselves battling the perception that, as David Kirkpatrick, writing in a LinkedIn blog, put it: “To be an American service is now to be a tool for U.S. surveillance.”

 

–> Update 16 October, 2013: On 10th October, the Electronic Frontier Foundation (EFF), a well-known online privacy and freedom of expression advocacy organization, announced the end of its association with the Global Network Initiative (GNI), citing the ‘serious compromises GNI members may be forced to make’ in relation to their ability to speak freely regarding their internal security and privacy systems. This decision followed the revelations of PRISM and similar activities by US authorities that called into question how free companies operating under US authority may actually be to secure their customers’ privacy and security concerns. For EFF’s full statement, see https://www.eff.org/press/releases/eff-resigns-global-network-initiative. To the best of my knowledge, GNI has not (yet) issued any statement in response.

Advertisements