Tuesday, October 20, 2020

DCMS Review of Representative Action Provisions, Data Protection Act 2018

Upon a prompt from Jim Killock at the Open Rights Group, I've submitted the following response to the Department for Digital, Culture, Media & Sport Review of Representative Action Provisions, Section 189 Data Protection Act 2018 consultation. (Apologies for the repetition in the paragraph about some of the worst breaches of data protection law being attached to sensitive areas of our private lives, like tracking individuals’ use of mental health websites.)

[This is the first time I've used the new Blogger interface and I'm not keen. The html interface is particularly dense tiny font and challenging to read/interpret/use]

I didn't have a lot of time, so drew heavily from Jim's own and Dr Johnny Ryan's work on challenging the legality of the adtech industry's architecture and operational practices.

Department for Digital, Culture, Media & Sport Review of Representative Action Provisions, Section 189 Data Protection Act 2018

My name is Ray Corrigan. I am a senior lecturer in the Science, Technology, Engineering and Mathematics Faculty at The Open University but I am responding to this consultation in a personal capacity.

I write, in particular, in relation to the department’s examination of whether to introduce new provisions to permit organisations to act on behalf of individuals who have not given their express authorisation.

I am in favour of such provisions.

Chapter VIII Article 80(2) of the General Data Protection Regulation, provides that EU Member States may provide that any not-for-profit body, organisation or association which has been properly constituted in accordance with the law, independently of a data subject’s mandate, has the right to lodge, in that Member State, a complaint with the supervisory authority which is competent pursuant to GDPR Article 77 and to exercise the rights referred to in GDPR Articles 78 (right to an effective judicial remedy against a supervisory body) and 79 (right to an effective judicial remedy against a data controller or processor), if it considers that the rights of a data subject under this Regulation have been infringed as a result of the processing.

The UK government chose not to incorporate this provision into the Data Protection Act 2018, and I would suggest it is important that this now be rectified.

The big technology and associated “ad tech” companies have been running rings round governments and regulators for too long. As Johnny Ryan of Brave points out, in this formal complaint concerning massive, web-wide data breach by Google and other “ad tech” companies under the GDPR,

“Every time a person visits a website and is shown a “behavioural” ad on a website, intimate personal data that describes each visitor, and what they are watching online, is broadcast to tens or hundreds of companies. Advertising technology companies broadcast these data widely in order to solicit potential advertisers’ bids for the attention of the specific individual visiting the website.

A data breach occurs because this broadcast, known as a “bid request” in the online industry, fails to protect these intimate data against unauthorized access. Under the GDPR this is unlawful...

Bid request data can include the following personal data:

• What you are reading or watching

• Your location

• Description of your device

• Unique tracking IDs or a “cookie match”. This allows advertising technology companies to try to identify you the next time you are seen, so that a long-term profile can be built or consolidated with offline data about you

• Your IP address (depending on the version of “real time bidding” system)

• Data broker segment ID, if available. This could denote things like your income bracket, age and gender, habits, social media influence, ethnicity, sexual orientation, religion, political leaning, etc. (depending on the version of bidding system)

Dr Ryan said “There is a massive and systematic data breach at the heart of the behavioral advertising industry. Despite the two year lead-in period before the GDPR, adtech companies have failed to comply. Our complaint should trigger a EU-wide investigation into the ad tech industry’s practices, using Article 62 of the GDPR. The industry can fix this. Ads can be useful and relevant without broadcasting intimate personal data”.”

https://brave.com/adtech-data-breach-complaint/

For all their flaws, getting the GDPR and the Data Protection Act 2018 in place as legal infrastructure for regulating the collection & processing was not a bad start. Unfortunately, with few exceptions such as the recent Belgian data protection authority declaration that the behavioural advertising industry has been engaged in routine, systematic, industrial scale, blanket data collection and management practices, in serious breach of multiple provisions of the GDPR from the day it was passed, enforcement efforts have been underwhelming, at best, so far.

Ordinary internet users are almost completely oblivious to the mechanics of the hidden personal data processing adtech architecture behind most websites; and as the Belgian data protection authority have just pointed out, the deployment and operation of that invasive technology is systemically and systematically unlawful. It is almost astonishing that we, commerce, industry & governments enabled it, but we did and it is time to do something about that.

Mass data collection, processing, onward dissemination and storage has become incredibly complex. Relying on individuals to spot misbehaviour and malfeasance in this area and initiate complaints or legal proceedings to rein in an industry out of control, is unrealistic. The woman on the Clapham omnibus simply does not have the expertise, time or resources. Not-for-profit bodies, human rights organisations or other related associations, however, which have been properly constituted in accordance with the law, do have the expertise and understanding, even if, in these difficult times, many are experiencing a shortage of resources. It is more important than ever that such organisations are given the authority in law to raise complaints, independently, about nefarious data collection and management practices. NGOs should be empowered to complain, in the public interest and to protect individual rights, to the Information Commissioner’s Office and complain to the court about controllers, processors or ICO failure.

This power must include the capacity to challenge the Information Commissioner’s Office. In September 2018, Jim Killock of the Open Rights Group and Dr Michael Veale of University College London submitted a formal GDPR complaint to the UK Information Commissioner about “real time bidding”, the core of the industry’s invasive adtech architecture. In June 2019, the ICO gave the adtech industry six months to clean up its act. In January 2020, after six months of substantive inaction on the part of the industry, the ICO threw in the towel and said they would be taking no enforcement action to remedy industry breaches. https://brave.com/ico-faces-action/

Some of the worst breaches of data protection law are attached to sensitive areas of our private lives, like tracking individuals’ use of mental health websites. The ad tech described in the extract from Dr Ryan above engages in some invisible and deeply invasive profiling. Some of the worst breaches of data protection law are attached to sensitive areas of our private lives, like tracking individuals’ use of mental health websites. These areas need to be challenged but often are not because of their sensitivity.

When you visit a website which delivers ads, your personal data is broadcast to tens or hundreds of companies. What you read, watch or listen to is categorised and you are profiled into categories. Some of these are bland e.g. “football” or “jazz”. Some are hugely and outrageously sensitive. The rule making representative body for the adtech industry, the Interactive Advertising Industry (IAB) has, for example, got an “IAB7-28 Incest/Abuse Support” category. Other categories are related to sensitive or embarrassing health conditions, sexual orientation, religious affiliation etc. Google categories include “eating disorders”, political leanings etc.

These tags and profiles and trackers can stick with internet users for a long time and people have no idea of the digital baggage they are carrying round as a result. Such tags are not necessary for ad targeting. They are more a convenience for the industry to make it easier to track and profile and re-identify people. And the obscurity of the whole process, systems and mechanisms make it almost impossible for individuals to exercise their rights under the law, in the UK, the Data Protection Act 2018. We cannot find, identify, verify, correct or delete these digital shadows and profiles. The power differential and lack of transparency make it extremely difficult for individuals to take effective action to rectify unlawful and unethical activities on the part of the requisite industries.

Industry pretend they deal in anonymous or non-sensitive data which is a flat-out falsehood. Detailed, invasive personal profiles are constantly and casually created and traded as people innocently surf the internet unaware of these machinations. Industry treats this as routine business practice. It does not have to be this way and should stop. That mass privacy invasion is routine business practice on the internet does not make it right and it is time to stop it.

There is no great functional difference between adtech and the techniques Cambridge Analytica used in an attempt to influence voters but the Cambridge Analytica story, for a time, entered the realm of the short attention span news cycle. The adtech data management platforms are just a longer running, invisible scandal.

It is particularly important, in the case of sensitive personal information, therefore, that qualified NGOs be given the power to bring complaints, independently, to protect individual and societal privacy. Privacy is not just an individual value but the fundamental basis of a healthy society.

A couple of final points before I close – firstly to note the necessary parallels with consumer law and secondly on Brexit.

Consumer law allows consumer organisations to initiate complaints in the public interest on the part of consumers. There is no reason, in principle, why NGOs should be prevented from engaging in an equivalent form of action in relation to consumer privacy.

On the Brexit front the UK in January 2021 will be facing the prospect of getting an approved data adequacy decision from the EU in relation to cross border flows of data. Elements of the Investigatory Powers Act 2016, the Digital Economy Act 2017 and recent government moves to pass the Internal Market Bill mean this could prove difficult. (See e.g. Brown, I. & Korff, D. The inadequacy of UK data protection law Part One: General inadequacy https://www.ianbrown.tech/wp-content/uploads/2020/10/Korff-and-Brown-UK-adequacy.pdf) A move to incorporate Article 80(2) of the GDPR into UK domestic law, enabling NGOs and other lawfully constituted public interest organisations to challenge unlawful data collection and management practices, could only help the process of demonstrating the UK, post Brexit, should be held to provide “adequate” protection to personal data.

Tuesday, March 31, 2020

Tired

I have spent the past umpteen years, in the day job, juggling and reacting to chaos and crises, crises that seem completely insignificant in the context of the prevailing pandemic. Three of those years have been at home, in the corner of the small bedroom where my desk is, since The Open University closed our regional infrastructure.

Isolated, 10 to 16 hours a day, mainly in front of a screen, engaged in micro-administrative, bureaucratic trivia and attempting to shield my staff and students from the worst excesses of what has been, at times, a difficult and destructive environment at The Open University.

Last week, although our operations are continuing, most staff in HQ and the remaining satellite offices were despatched to work from home. The focus, in the Covid-19 crisis, of the internal communications has shifted to concern for staff and student welfare, whilst we all try to keep frontline operations rolling, as smoothly, flexibly and sensitively as possible.

This afternoon, shortly after 3pm, my daily chaos slowed to something of a trickle. 30 minutes on, the trickle is still just that and I find myself somewhat flummoxed. We have been engaged in a vast amount of energetic activity making sure students can continue their studies as seamlessly as possible and we are fortunate enough to have the organisational infrastructure to do that.

If the demands flowing to my microscopic corner of the OU universe remain manageable through to this evening, I might have some time and space to do something constructive.

But I'm tired and I expect the chaos to resume later this afternoon or evening.

Tired and discombobulated and unproductive, sure enough I've wasted the window of opportunity in the day, as the communications begin to ping in again and the temporary lull in increasing entropy appears over.

It is disappointing to note the muscle memory of my little grey cells seems conditioned these days only to juggle the chaos.

I'm tired and irritated at wasting an opportunity but the chaos and the opportunity are trivial... my thoughts are with the family of a friend, infected with Covid-19, in an induced coma, on a ventilator in an intensive care unit.

This thing is real and dangerous.

Keep safe, stay well.

Friday, March 06, 2020

Carl Malamud at the Open University

On Tuesday, 3 March, 2020, Carl Malamud visited The Open University and shared his thoughts on text and data mining in scientific journals. He opened with the story of Mahatma Gandhi's writing of the book Hind Swaraj (India self rule) on a boat trip between the UK and South Africa in 1909.

The book is relevant to the open access movement in two key particulars. The first edition of the book was published with "No rights reserved", Gandhi being the first author to explicitly eschew copyright. Secondly Malamud has been inspired by Gandhi's resistance to colonialism. Scientific knowledge has been colonised and, as James Boyle has argued for a generation, we are in the midst of a second enclosure movement, an enclosure of the commons of the mind.

Malamud has written a book, Code Swaraj, about this, with Sam Pitroda, a former Indian cabinet minister and telecommunications businessman. Gandhi preached you had to rule yourself, not let others colonise. But nowadays if you want to do research you have to ask permission and that permission is often not forthcoming because of the immoral and probably illegal assertion of ownership of human knowledge by vested economic gatekeepers such as the scientific publishers.

Christopher Booker read hundreds of books over more than thirty years before writing The Seven Basic Plots: Why We Tell Stories, first published in 2004. His three decade long analysis was an exercise in text and data mining. Text and data mining is now something we can automate with computers. A study of gender in literature showed that the number of female characters has declined rather than increased, matching a proportionate decline in female authors.

Gitanjali Yadav, a plant genome researcher at Delhi’s National Institute of Plant Genome Research (NIPGR) and at Cambridge University is working on the mechanics and chemistry of plant communication channels, using a plant chemicals database.

Elisabeth Bik is a scientist working on fraudulent re-use of images in academic papers and exposing paper mills. In China, part of the pre-requisites for becoming a doctor is the publication of peer-reviewed papers. The incentive to buy them from paper mills is high.

Scientific literature has been locked up and it is unclear what the potential for research could be as a result.

Max Häussler is a researcher at the University of California, Santa Cruz (UCSC) and he has created a genome browser. The browser links human genome DNA sequences to sections of published articles that deal with the same sequences. He wrote to 43 publishers and explained he would like to do text and data mining on their articles. Many publishers did not want to cooperate, refused permission or did not engage at all. So he didn't get access to as much literature as he would have liked. Malamud considers there is an argument to be made that text and data mining of research is permitted in law, even if the publishers do not grant explicit permission. Häussler is unsure and doesn't mine articles for which permission is not forthcoming. It would seem clear that the power of his genome browser would be significantly greater if he had that broader access to data.

Without asking publishers' permission, Malamud has put a lot of stuff online via a project at Jawaharlal Nehru University (JNU) in India - 125 million journal articles from many sources, from the mid 19th century up to the present.

The storage facility is air-gapped and not connected to the internet. Researchers who want access can bring their computers to the facility and text & data mine the materials there. Without having to read or download the articles which is not permitted, they can, nevertheless, draw scientific insights, thereby circumventing any potential copyright problems. The terms and conditions are modeled on those of the HathiTrust and the store specialises in bioinformatics. The access model is 3-tiered:

Tier 0 is air-gapped and pdfs of the articles

Tier 1 is extracted texts and is also air-gapped

Tier 2 is facts. As there is no copyright on facts, this can be made available openly to everyone.

The HathiTrust were involved in providing Google with books for scanning for the Google Book project. Google in return gave the trust digital copies of the scanned books where out of copyright works are now made freely available online. Publishers sued Google in the US for breach of copyright and the case took many years to make its way through the courts. The appeal court concluded, Authors Guild v Google in 2014, that Google's use of the books was "transformative" and therefore permissible under US copyright law:
"1) Google’s unauthorized digitizing of copyright-protected works, creation of a search functionality, and display of snippets from those works are non-infringing fair uses. The purpose of the copying is highly transformative, the public display of text is limited, and the revelations do not provide a significant market substitute for the protected aspects of the originals. Google’s commercial nature and profit motivation do not justify denial of fair use. 
2) Google’s provision of digitized copies to the libraries that supplied the books, on the understanding that the libraries will use the copies in a manner consistent with the copyright law, also does not constitute infringement. Nor, on this record, is Google a contributory infringer. Accordingly, the court affirmed the judgment."
In 2016 the US Supreme Court rejected the Authors Guild's request to further appeal the decision, ending the more than a decade long litigation. The Authors Guild also tried suing the HathiTrust but were unsuccessful in that case too. The technicalities of the case were different.  One interesting angle was that the court made a point of noting the value of the HathiTrust approach to making the books available to print disabled and visually impaired.

The bottom line was that Google Books and the HathiTrust were given the ok by the US courts.

In the UK text and data mining is permitted only for non-commercial use. The text and data mining copyright exception was introduced in the UK in 2014. A format shifting exception, partly based on a report I co-wrote with two Oxford economists, Mark Rogers and Josh Tomalin, 'The economic impact of consumer copyright exceptions', was introduced at the same time. This latter exception was subject to a legal challenge by the music industry and a high court judge quashed the exception in the summer of 2015. In British Academy of Songwriters, Composers And Authors & Ors, R (On the Application Of) v Secretary of State for Business, Innovation And Skills [2015] EWHC 1723 (Admin) (19 June 2015), Mr Justice Green also based his decision to negate the format shifting exception, partly, on that same report I wrote with Mark and Josh. We had simply advocated evidence based policy making on intellectual property.

Getting back to the text and data mining, Malamud suggests the UK situation makes the invalid assumption that we have an access subscription to everything and that publishers cooperate with researchers which they don't.

In 2012, Delhi University got into a legal scrap with Oxford and Cambridge University presses and Taylor & Francis. The case revolved around a copy shop on the campus which lecturers used to make copies of course packs for students. Under Indian law, section 52 of the Copyright Act of 1957, copyright does not apply to materials issued by a teacher to a student. Copying is also permitted for research purposes. The cost of the textbooks that extracts were copied from was way beyond the means of most of the students. The publishers, nevertheless, demanded that the university pay them a licence fee to cover the copying. The High Court in Delhi ruled in favour of the university.

It seems to have been at the time Malamud read about the case that he began to think India might be a fertile territory for his campaign to provide access to knowledge. Those early inklings, backed up with expert legal opinions he has since solicited noting that it is permitted under Indian law since text & data mining does not involve copying or reading the articles, have bloomed into the repository at Jawaharlal Nehru University (JNU) with his store of 125 million articles. Gitanjali Yadav's plant database is up and running and linked with another university research group.

The Indian government's chief scientific adviser has a plan to make all scientific abstracts of published papers openly available. Malamud is also beginning to work with a wikipedian at the University of Virginia who is keen to integrate correct scientific references into Wikipedia.

In the US federal employee authored work done in the course of their employment is not copyrightable. So Malamud decided it might be a fruitful activity to attempt to find journal articles written by federal employees. He sampled ten thousand articles and discovered many were done as part of official duties but they were still locked behind publishers' paywalls. When Barack Obama was president he wrote an article for the Harvard Law Review. Though the small print connected with the article says it is not copyrighted, the manner in which the Harvard Law Review presents the article makes it appear that it is subject to copyright. Malamud, when he finds works written by federal employees, can only guess whether they were produced as part of the authors' public service duties. But he might get it wrong, so chooses not to make them openly available. His principal goal is to challenge and push back against official and commercial copyright overreach but not break any law.

On the law, he has been sued by the state of Georgia for publishing the state code. Just in case you are doing a double take with that, I did really say that Carl Malamud is being sued by the state of Georgia for making the laws of Georgia freely available to the public.  The state sued and won at the court of first instance. Malamud appealed and won in the appeal court. This was appealed to the US Supreme Court which heard the case in December of last year. He is expecting a decision by the summer. Edicts of government are not subject to copyright protection, yet this case is in the US Supreme Court. You do sometimes have to wonder at the state of copyright law (excuse the pun).

Malamud cut his teeth on campaigning and access to knowledge activism with public codes that have the force of law. Building codes and electrical and plumbing and fire safety etc codes are edicts of government. Malamud bought copies from official standards bodies and put a lot of them freely online. Lots of standards get updated and we are obliged to work to them but they do not get released. Malamud has been sued by standards organisations in litigation that has been ongoing for 6 years. His annual legal costs are $1.6 million but he has the good fortune to be represented by lawyers who work pro bono. He can walk into a pub anywhere and strike up a conversation and it is easy for people to understand the work he does. He'll often get a plumber or builder etc offering to buy him a drink, explaining they had to fork out thousands of their hard earned cash for standards codes they are obliged to work to.

India has a very strong right to information law. Malamud put nineteen thousand Indian standards online, reformatted for usability. He bought the standards from the Bureau of Indian Standards. When he got renewal notices from them asking for the next due licence fee he wrote back saying he had put the standards online. He got an angry, "unhinged" response, accusing him of breaking the law, being no longer welcome as a customer and a variety of legal threats.

In the EU, member states must transpose standards into national laws within six months of being issued. Malamud got sued by the German standards organisation for posting the EU standard for baby soothers. The standard is just full of common sense - the mouth guard must be big enough so it doesn't present a swallowing/choking threat etc. The German court sided with the standards body. Malamud is now subject to a German court injunction punishable by a fine of up to €250k and a jail term of up to two years, should he decide to re-publish the standard online. He has, however, posted four EU toy standards focusing on environmental implications and petitioned the UK government on the matter. He got turned down by the standards bodies for access to these standards and is bringing a case to the Court of Justice of the European Union.

Malamud's friends, critics and acquaintances regularly ask him why he expends such energy on what he does, when there are so many bigger problems in the world like the climate crisis, conflict and disease. His answer is a simple and irrefutable one: without access to knowledge you cannot solve any of these problems and you cannot educate the citizenry to enable them to formulate their own solutions. Access to knowledge is the pre-condition for solving the world's fundamental problems.

Update: On 27 April 2020, the US Supreme Court ruled in favour of Malamud in a tight 5-4 split decision. Justice Ginsburg, interestingly, sided with the minority.

Wednesday, January 22, 2020

Snowden book

I read Edward Snowden's book, Permanent Record, over the Christmas break. It's an accessible, engaging account of how he got to where he is.

His early education was shaped by the anarchic, liberal, open, collegiate internet of the late 20th century, before it began to be reshaped by commerce and states as the mass surveillance machine it is today. His family were supportive or possibly indulgent of his obsession with the computers and networks of the 1990s.

In school, Snowden hacked the system to avoid homework. Quizzes were worth 25%, tests 35%, term papers 15%, homework 15% and class participation 10%. He figured he could skip both the homework and the term papers and still comfortably pass by acing everything else. Then one of his teachers confronted him, asking why he had not handed in any of the previous six homework assignments. Innocently Snowden explained his reasoning to the laughter of his classmates. The teacher complimented the young Snowden on his cleverness and, within 24 hours, changed the system to make homework compulsory. He also took Snowden aside and encouraged him to put his fine brain to more constructive use than avoiding work and to be aware of how records follow us around and the impact on his permanent record.

Snowden's parents broke up. He learned to be independent, went to community college and got a job as tech support for a small business, working out of the business owner's home on the south west edge of Fort Meade. Yes that Fort Meade - home to the NSA. Snowden was at work when the 9/11 attacks happened and everything changed.

He bought hook, line and sinker into the Bush/Cheney 'war on terror':
"It was as if whatever individual politics I'd developed had crashed – the anti-institutional hacker ethos instilled in me online and the apolitical patriotism I'd inherited from my parents, both wiped from my system – and I'd been rebooted as a willing vehicle of vengeance. The sharpest part of the humiliation comes from acknowledging how easy this transformation was, and how readily I welcomed it."
And joined the army.

Coming from a family, generations of which had served in the Coast Guard, Snowden wanted to serve his country through the branch of the armed services considered by that family to be the "crazy uncles of the military". He aced the entrance exam, went into training for special forces, got injured on exercises and was eased out on administrative separation.

So back went Snowden to community college and decided he could best serve his country through his technical prowess. But to do that he'd need to join the CIA, NSA or other intelligence agency. And to do that he would need security clearance - top secret (TS) and top secret with a Sensitive Compartmented Information (SCI) qualifier. This involved filling out some forms and "sitting around with your feet up and trying not to commit too many crimes while the federal government renders its verdict." As a military veteran of sorts and the product of a multi generational service family, most of whom had the equivalent clearances, he was a good prospect and in due course succeeded. By this time Lindsay Mills had also become part of his life and so closes part 1 of the book.

Part 2 opens with 'The System.' Snowden describes a system as "a bunch of parts that function together as a whole". At the Open University we have a slightly longer definition of a system:
  1. A system is an assembly of components connected together in an organised way.
  2. The components are affected by being in the system and the behaviour of the system is changed if they leave it.
  3. This organised assembly of components does something.
  4. This assembly as a whole has been identified by someone who is interested in it.
Given the systems Snowden was thinking about - the professional civil service his family were steeped in and the computer systems he was obsessed by - his working definition satisfices. When it came to computers he was most intrigued by their total functioning, not as individual components but as overarching systems. So the natural inclination was to get into systems administration or systems engineering which is what he did. Sysadmins and systems engineers naturally incline to a craft of understanding how computer systems work and fail and develop the diagnostic processes that go into keeping them running and getting them fixed and retrofitted and improved and renewed. It is not unnatural, then, when working within government (albeit for contractors) for techies to apply the same systems analyst skills to the system of government. Which is also what Snowden did.

We know about the five eyes mass surveillance systems and activities from Snowden's disclosures in 2013, from PRISM to TEMPORA, XKEYSCORE to QUANTUM, TURBULENCE and beyond. Yet, in some ways, the most chilling chapter in the book is "Homo contractus". It essentially outlines the private sector infiltration of the US intelligence services.
"I had hoped to serve my country, but instead I went to work for it. This is not a trivial distinction... government had treated a citizen's service like a compact: it would provide for you and your family, in return for your integrity and the prime years of your life.
But I came into the IC during a different age.
...the sincerity of public service had given way to the greed of the private sector, and the sacred compact of the soldier, officer, and career civil servant was being replaced by the unholy bargain of Homo contractus, the primary species of US Government 2.0. This creature was not a sworn servant but a transient worker, whose patriotism was incentivized by a better paycheck and for whom the federal government was less the ultimate authority than the ultimate client.
...for third-millennium hyperpower America to rely on privatized forces for the national defense struck me as strange and vaguely sinister."
Snowden goes on to explain the use of contractors is a con to let the agencies circumvent statutory federal caps on hiring. As contractors are not included in the limits, the agencies can hire as many as they have the budget to pay for. Post 9/11 was a time when no congresscritter was going to go on the record as opposing any resources the intelligence and security agencies declared necessary for the 'war on terror'.

Huge resources got poured into the intelligence agencies for technical surveillance infrastructure and the people to create, develop, deploy and operate it. A large proportion of the people working on this mass surveillance were, like Snowden, technically employed by contractors and sub contractors but working directly for and within the agencies, the CIA and NSA in Snowden's case. Many of those nominally employed by the private sector started out as government employees, as the private companies didn't want to pay someone to wait around for a year or more for their TS/SCI security clearance to come through. Once the clearance was secured they could swap a government job for a better paid private sector job, sometimes doing the same work. Snowden's first job was with the state of Maryland partnered with the NSA opening a new institution called CASL, the Center for Advanced Study of Language.

As the building in which CASL was to be resident was still under construction, he essentially did the work of a night shift security guard. Whilst there and considering his long term career as a federal employee, he was amazed to find few opportunities to work directly for the government. Most of the sysadmin and systems engineering jobs available in government were through "working for a subcontractor for a private company that contracted with another private company that served my country for profit." Given these positions provide "almost universal access to the employer's digital existence", it's surprising to find these circumstances prevailing in the context of security and intelligence.
"In the context of the US government, however, restructuring your intelligence agencies so that your most sensitive systems were being run by somebody who didn't really work for you was what passed for innovation.
The agencies were hiring tech companies to hire kids and then giving them the keys to the kingdom."
Snowden's first contracting gig was for a company called COMSO, subcontracted to hire him by BAE Systems. He worked at CIA headquarters in McLean, Virginia. He had been earning $30k at CASL and asked COMSO for $50k. His nominal "manager" at COMSO talked him up to $62k. Middlemen contractors charged the government the employee's salary plus 3-5%. The higher the salary, the higher the cut.

The actual job at the CIA was both depressing and enlightening. Depressing on the extent of the cynical restructuring of the agency by the Bush administration and the move to a dependency, particularly in relation to modern technical information systems, on external contractors. Enlightening on the extent of the access Snowden got to highly classified material and the insight that gave him into the reach of the CIA and the importance of intelligence operations. It also gave him a hankering to really serve his country by applying for a role in a CIA field office overseas, preferably in a conflict zone. That meant swapping his contractor badge for a government employee badge, swearing an oath to defend and uphold the US Constitution and going back to school.

The techie in the CIA field office or embassy is responsible for every piece of kit in the building, from computers to heaters, encryption devices to locks. For security reasons no embassy will employ local contractors on even routine maintenance. The tech guy, and there are not usually that many of them, does everything. That's what the 6 months schooling before deployment was for.

Conditions at the CIA Warrenton Training Center ("the Hill") were less than ideal and whilst there, Snowden got his first taste of what reporting problems up the chain of command led to i.e. no addressing of the problem and a marking of the card of the whistleblower. Instead of getting his preferred deployment to a war zone to actively live out his heart on a sleeve patriotism, he was sent to Geneva for his first overseas tour of duty.

In Geneva, Snowden got a front seat view of the changing intelligence world and the pivot of the CIA from human intelligence (HUMINT) to cyberintelligence (SIGINT & COMSEC); not that the former was abandoned, but it became proportionately less prevalent.
"In Geneva... America was busy creating a network that would eventually take on a life and mission of its own and wreak havoc on the lives of its creators – mine very much included.
The CIA station in the American embassy in Geneva was one of the prime laboratories of this decades long experiment. This city... lay at the intersection of EU and international fibre-optic networks, and happened to fall just within the shadow of key communications satellites"
Following Geneva, he moved to Tokyo to work in his "dream job" for the NSA but again, technically, as a better paid contractor in the private sector, an employee of Perot Systems which was then taken over by Dell.

In Tokyo, communications interception was the primary mission. In Tokyo, Snowden's early work was to link the NSA and CIA systems. In Tokyo, he discovered the NSA were vastly technologically superior to the CIA and vastly more laissez faire about security. In Tokyo, he created a much more effective storage system for the NSA, called EPICSHELTER. In Tokyo, his mind boggled at the scale and reach of China's mass surveillance and censorship systems. In Tokyo, he first realised "the power of being the only one in the room with a sense not just of how one system functioned internally, but of how it functioned together with multiple systems—or didn't." In Tokyo, he began to become disturbed at US mass surveillance, even as he was creating, developing and operating elements of the systems involved. In Tokyo, he initially sated his concerns by assuring himself he was working for the good guys.

In Tokyo, he became aware senior intelligence and security community insiders had serious concerns over the Bush administration's unchecked expansion of warrantless mass surveillance. In Tokyo, he accidentally got access to the classified version of the Report on the President's Surveillance Program (PSP), filed in an 'Exceptionally Controlled Information' (ECI) compartment. Full classification TOP SECRET//STLW//HCS/COMINT//ORCON/NOFORN. Through the PSP report he learned of STELLARWIND, the NSA's general and indiscriminate, bulk collection of electronic communications. In Tokyo, he began to understand the political sophistry underpinning mass surveillance, such as the now ubiquitous claim that collected communications could only be considered to be legally "obtained" or "acquired" if a member of the agencies searched for or found them. Collected communications would not be legally acquired but would, nevertheless, be available for search and retrieval, in post hoc fishing expeditions, in perpetuity. In Tokyo, it dawned on him that the Obama administration had no intention of seeking reparations for systemic illegalities or undoing any of the deployment of mass surveillance infrastructure undertaken by their predecessors.

By 2011, Snowden was back in the US, still employed by Dell, building cloud systems for the CIA. He was also getting stressed and depressed at the mass surveillance of the state, and at the not just willing but enthusiastic compliance and buy-in of friends and the general public into commercial systems of mass surveillance. The stress led to illness, including epilepsy, and he eventually took sick leave to recuperate. His next move, in 2012, was to Hawaii, still with Dell, a step down in terms of responsibilities, to facilitate his ongoing recuperation but now working for the NSA again. He was now the NSA's Microsoft SharePoint administrator in Hawaii. Lowly in the organisational food chain but, as a manager of document management and "reader in chief", this provided the access privileges to gather comprehensive evidence on his nascent concerns from Tokyo, about US mass surveillance.

Having automated much of his formal work responsibilities he set about his task of surveying the extent of the NSA's surveillance capabilities, running into the standard security services secrecy, obfuscation, compartmentalisation, misdirection, bureaucratic code and all the other institutional processes available for keeping information from the light. He decided to automate this process too, with the approval of his boss, setting up a kind of RSS reader system on steroids. This not only scanned for or linked to documents but copied them. Snowden called it Heartbeat and gave intelligence services staff access to a personalised reader that collected classified intelligence documents (from NSA, CIA, FBI and Department of Defense) according to each individual's security clearance.

The volume of documents Heartbeat collected was enormous and, although Snowden could see it all, it was beyond the capacity of a single human being to review. Nevertheless, it was through Heartbeat that he learned about Upstream (direct collection of bulk data live from private sector communications infrastructure) and PRISM (bulk data handed over by private sector actors like Google, Apple, Microsoft, Facebook and Amazon etc. and overseen, theoretically, by the Foreign Intelligence Surveillance Court, FISC). He learned of TURBULENCE, a collection of black servers hard wired into telecommunications companies' infrastructure, running internet traffic through filtering tools like TURMOIL to flag suspicious communications; and TURBINE, which routes communications to the NSA, where other algorithms decide which malware to deposit (via QUANTUM) on the source computer, in order that the potential threat can be monitored.

Snowden began to become indignant at the intelligence community's blatant flouting of the US Bill of Rights, particularly the fourth amendment protections against search and seizure, and also at the White House's, the courts' and Congress's complicity in this. He was particularly incensed when the US Supreme Court decided to wash their hands of the issues in February 2013, when the Court decided, 5-4, that the American Civil Liberties Union (ACLU) and their client, Amnesty International, did not have standing to challenge the constitutionality of the warrantless wiretapping program. (Substantively, the ACLU and Amnesty were challenging the Foreign Intelligence Surveillance Act Amendments Act 2008 (FISAA). FISAA is the law that makes the act of being a foreigner a sufficient reason to be a target of US law enforcement and intelligence services.)

He had, by then, decided to blow the whistle on the whole shebang. The ACLU case and embryonic mass surveillance enabling laws in the UK (the snoopers' charter which eventually got passed as the Investigatory Powers Act 2016) and Australia (multiple bills) only hardened that resolve.

Chapters 21 and 22 extol the virtues of whistleblowing and Snowden's perspective on the fourth estate but I'll leave the reader to peruse those for themselves.

Before he blew the whistle, however, he wanted one last job, not just administering or reading about mass surveillance tools but actually using them, particularly XKEYSCORE, the NSA's incredibly powerful intelligence search engine. A position opened up at the National Threat Operations Center (NTOC), one "of the few offices in Hawaii with truly unfettered access to XKEYSCORE", through Booz Allen Hamilton. Snowden secured it and so began his education in the coal face abuses of US intelligence systems. The shock was palpable.
"Seeing them made me realize how insulated my position at the systems level had been from the ground zero of immediate damage. I could only imagine the level of insulation of the agency's directorship or, for that matter, the US president."
Snowden had already smuggled the documents he intended to pass to journalists out of the NSA on SD and micro SD cards. The flight to Hong Kong and handing over of those documents to Laura Poitras, Glenn Greenwald and Ewen MacAskill, his escape, aided by Wikileaks's Sarah Harrison, to and entrapment in Russia when the US revoked his passport, has been well documented in the Guardian, the Washington Post and Poitras's documentary, CitizenFour.

The chapter on Moscow in the book is thin on detail and only outlines the discussions Snowden and Harrison had with an intelligence official on the day they arrived, noting also thereafter they spent 40 days and nights at the airport. During that time he applied, unsuccessfully, to 27 countries for political asylum. He concludes the chapter suggesting the Russians gave him asylum because they were fed up with the media scrum at the airport.

The penultimate chapter of the book details extracts from the diary of Snowden's partner, Lindsay Mills, in the aftermath of his disappearance to Hong Kong. She is a powerful presence and positive force in his life and it would have been nice to hear more from her. Mills and Snowden were married in Russia in 2017.

The final chapter is largely a whistlestop tour of the legacy of Snowden's revelations from his perspective - global awareness of mass surveillance, some positive legal developments like ACLU v Clapper in the US and the GDPR in the EU, some important developments in encryption like HTTPS, Secure Drop, Signal and generally more end to end encryption. But if we were concerned to avoid living in a surveillance society, it's too late, we're already there. State and commercial surveillance systems are more powerful and pervasive than ever and getting worse. They will require structural solutions - legal, technical, economic, environmental, individual & societal - pressures brought to bear to bring them under democratic control.

Wednesday, December 04, 2019

Tactics of persuasion

In 2007, I wrote some notes on tactics of persuasion. Given the amount of disinformation at large today, it could do with another airing, though some of the examples are dated. (Note: The 'DDM' acronym refers to digital decision making - not artificial intelligence but decision making in sociotechnical systems).

As well as being aware of the agenda of the various stakeholders and their relative power base, it is important to be familiar with the kind of tactics people and organisations use to persuade us of the legitimacy of their point of view.  The following is a list of some of the common tactics to look out for.[27]

Extrapolating opposition argument to the absurd and then refuting the absurd 
This is also known as the ‘straw man’ approach – create a straw man, something which you can pretend represents your opponents’ position, and knock that down. President Bush’s declaration that anyone who opposed his actions in the wake of the attacks of 11th September 2001 was a supporter of terrorism is a classic example:
“Either you are for us or for the terrorists.” 
This has been one of the most important oratorical tricks in the president’s armoury in his time in office. It has enabled him to take a range of actions including invading Iraq, legalising torture[28] and domestic surveillance that would arguably have been more difficult without the aid of painting his opponents as ‘soft on terrorism.’

Appealing to emotion and prejudice 
If someone tells us a story we want to hear, we are more likely to believe it. There are a huge number of ways of using this tactic. One example is appealing to nationalism, as in the following example from Jack Valenti, the President of the Motion Picture Association of America, in his testimony to a congressional sub-committee, on the ‘Home recording of copyrighted works’ (i.e. the use of video cassette recorders) in 1982.
“The US film and television production industry is a huge and valuable American asset. In 1981, it returned to this country almost $1 billion in surplus balance of trade. And I might add, Mr Chairman, it is the single one American-made product that the Japanese, skilled beyond all comparison in their conquest of world trade, are unable to duplicate or to displace or to compete with or to clone. And I might add that this important asset today is in jeopardy. Why?... Now, I have here the profits of Japanese companies, if you want to talk about greed. Here, Hitachi, Matsushita, Sanyo, Sony, TDK, Toshiba, Victor, all of whom make these VCRs. Do you know what their net profits were last year? $2.8 billion net profit.”

Labeling or ghettoisation of interested groups
Group all opponents under one general heading. Once there, they can be labelled, on a spectrum from ‘lunatics’ to ‘nice people who just do not understand.’ Then conclude that their arguments are not worth taking into consideration because they are at best ill-informed. There is a whole range of ways of using this tactic. If scientists agree on an inconvenient truth like global warming or evolution they are intellectual snobs who think they know better than the rest of us. Conservative Christian advocates of the teaching of ‘intelligent design’ in science lessons in the US are very good at this.[29] One of the central themes of this book is the value to be gained from experts and ordinary people working together. The intelligent design debate is a good example of ordinary people making what I believe is a bad judgement call, in defiance of contrary scientific evidence and advice. Their values and beliefs lead them to reject the scientific theory of evolution in an attempt to promote their own model, intelligent design, of how life came into existence.[30]

Balancing act
Modern journalistic practice of reporting that there are two sides to every story,[31] in an apparent effort to appear balanced, can result in all kinds of quacks getting a media platform.  [Yes, I plead guilty here to using a denigrating label]. If someone says the moon is made of cheese on a slow news day, the headlines will say ‘opinion divided on the composition of the moon.’
Deborah Lipstadt [32] provides an especially stark example in the media tendency to legitimise the views of people who deny the holocaust took place, in spite of the overwhelming mass of incontrovertible documented and eye witness evidence of the Nazis’ atrocities. Lipstadt refused all media offers to ‘debate’ the reality of the holocaust with holocaust deniers, since it would just present these people with a public platform in which their point of view would be considered to be of equal value.
Unfortunately an expert backed by solid evidence but with poor communication skills can fail to influence a DDM situation, when faced with someone who has a poor understanding of the evidence but a strong agenda and good communications skills.

Using jargon to confuse
With DDM being such a complex subject, any debate about the design, deployment or regulation of information systems is open to this tactic. For example: ‘You will, of course, understand that the DRM or TPM anti-circumvention measures in the UK implementation of EU directive 2001/29/EC on copyrights and related rights in the information society, the EUCD, were a direct result of our international obligations, rather than something we would have chosen to write into UK law of our own volition.’

Making appeals to 'experts' 
I refer to Bruce Schneier, James Boyle, Kim Cameron and others throughout this book as experts. A reader, who is unfamiliar with these individuals or their areas of expertise, may just be taking my word that they are indeed experts.  Very often media reports quote named and un-named ‘experts’ in support of their assertions, though, and it can be well worth checking the credentials of these people.

Using sarcasm, innuendo, denigration and other forms of humour to belittle opponents
It is easier to get a low opinion of the opposing advocate if you are funny – the humour makes it easy for the audience to like you and diverts attention from the substance of your argument.

The dominant metaphor 
George Lakoff [33] teaches that metaphors are the mental structures that shape the way we see the world.  If someone tells us a story through appealing metaphors and language we are more likely to accept their point of view. By the same token, when Richard Nixon went on TV and said “I’m not a crook,” immediately everyone believed he was a crook.  It is also like telling someone not to think of an elephant. No matter how hard you try after someone has said this, the image of the elephant will come into your mind.

Using rhetorical questions 
If you get your audience to subconsciously supply the answer invited by the question, they become more receptive to the views that follow as a consequence of the answer. To appreciate this, test the effect of taking the opposite answer to the one implied. The wonderful BBC comedy series Yes Prime Minister gave a classic illustration of this when Sir Humphrey Appleby [34] explained to Bernard Woolley [35] how to fix a survey:
Sir Humphrey: “Well Bernard you know what happens. Nice young lady comes up to you. Obviously you want to create a good impression. You don’t want to look a fool, do you?”
Bernard: “No.”
Sir Humphrey: “No. So she starts asking you some questions. Mr. Woolley, are you worried about the number of young people without jobs?”
Bernard: “Yes”
Sir Humphrey: “Are you worried about the rise in crime among teenagers?”
Bernard: “Yes”
Sir Humphrey: “Do you think there is a lack of discipline in our comprehensive schools?”
Bernard: “Yes”
Sir Humphrey: “Do you think young people welcome some authority and leadership in their lives?”
Bernard: “Yes.”
Sir Humphrey: “Do you think they respond to a challenge?”
Bernard: “Yes.”
Sir Humphrey: “Would you be in favour of re-introducing national service?”
Bernard: “Y… oh, well I suppose I might be.”
Sir Humphrey: “Yes or no?”
Bernard: “Yes”
Sir Humphrey: “Of course you would, Bernard. After all you’ve told her you can’t say no to that. So they don’t mention the first five questions and they publish the last one.”[36]
A variation on the rhetorical question is the use of words and phrases which suggest that the audience should accept without question, e.g. ‘Obviously...’ or ‘It is clear that we all agree...’ 

The sound bite 
It is very hard to find simple responses to counter established rhetoric. “If you’ve got nothing to hide, you’ve got nothing to fear” for example.*  You could try “how much do you earn” or “have you got curtains or a lock on your bathroom door” but they do not have the same effect.  Likewise “If I am not doing anything wrong, then you should not be watching me”; “Everyone has something to hide because everyone is entitled to privacy”; “Those engaged in the surveillance get to decide what's ‘wrong,’ and they keep changing the definition”; “You might misuse my information”; “I don't have anything to hide. But I don't have anything I want you to see, either”; “The government is sticking its nose into my business without a reasonable excuse”; and so on. It is an uneven playing field, rhetorically speaking – the rhetoric is stacked against the nuanced but more complete argument or explanation.  In a world of short attention spans, if you have to explain, you are losing the argument.

Presenting evidence or apparent evidence to make it appear to point to a particular conclusion
This includes using carefully selected evidence, while omitting contrary evidence.  In the UK government consultation on the proposed ‘entitlement card’ in 2003, about 6000 people indicated opposition to the idea and about 2000 were in favour.  The government at that time presented the results by saying that most people were in favour of the scheme by a ratio of 2 to 1. They later justified this by saying they had counted the 5000 or so who had expressed their opposition to the scheme via the Internet as a single vote against the scheme. David Blunkett, Home Secretary at the time, dismissed the people who used the Net to object as a vocal minority of civil liberties activists.  The government then commissioned a survey, the results of which suggested 80% of the population were in favour of ID cards. They have been quoting this survey ever since, in spite of a lot of evidence showing a huge drop off in support for the system.

Taking what someone says out of context
People regularly take quotes from religious texts like the Koran or the Bible out of context to justify their behaviour.  George Bush was vilified by critics for describing ten months of violence following the 2005 elections in Iraq as “just a comma” in history.[37]

Avoiding giving evidence whilst suggesting that evidence is being given
Put out a vague policy statement, saying the details will come later, then when asked about the details at a later date claim all the details were clearly included in the original policy statement and there is nothing further to add.

Non sequitur – ‘It does not follow’
This involves drawing an illogical conclusion from sound data. Since the data are credible the conclusion which follows closely is also accepted. The subtle exponent of the art will embed the illogical conclusion between two logical ones. An example is the government’s stance on the UK national identity system. It will be compulsory for everyone to have an ID card. Yet it is claimed that the card cannot be considered compulsory, since it will not be compulsory to carry it around all the time. 

Repetition 
Repetition of a claim, periodically and frequently, over a long period of time can often lead to general acceptance of the claim as fact, even though it may have been discredited on numerous occasions. This is a tactic used extensively by ‘historical revisionists’ like those who deny the existence of the holocaust. [38] In chapter 8, I look briefly at the repeated efforts to introduce a software patent directive in the European Union.  Those in favour of such a policy merely need to keep re-introducing it periodically over a sustained period.  Those who oppose such a policy need to be alert and mobilise effective opposition to every attempt to implement such a policy. Those with the most stamina get their way in the end.

Corporate, civil society or politically funded think tanks 
These institutions present an alternative to traditional academic and scientific peer review.  Researchers publish the required results.  Ordinary people find it hard to tell the difference between real research and advocacy research and the media rarely make the effort to distinguish or understand the difference between these when reporting on particular findings.  Increasingly, research in universities is commercially sponsored.[39] A simple question which is always worth asking is: who paid for the research?

Astroturfing 
This is the public relations trick of creating illusory grass roots campaigns.  Public relations companies acting, for example, on behalf of the energy, tobacco and pharmaceutical industries and political parties have been doing this for decades.[40] The idea is to send lots of letters or emails purporting to come from ordinary people to politicians or newspapers in order to make it appear that there is significant feeling about a particular issue.  There is a huge industry engaged in buying and selling personal data for commercial and political exploitation of this sort.  At the simplest level these details can be obtained from the voting register or the register of births and deaths.

*I would just note that the "nothing to hide" sound bite is particularly poisonous and should be refuted at every conceivable opportunity. It is based on two gigantic false assumptions -  
1. that privacy is exclusively sought or needed by evil people wanting to hide nefarious deeds and intentions. It is not. 
2. that destroying privacy will solve the complex socio-technical-economic-environmental-justice-immigration-terrorism-[choose your issue] problem/mess of the day. It has not and will not.
Never, ever accept "nothing to hide..." as the basis for framing a debate.

Notes
These tactics of persuasion are an extract from Chapter 6 of my book Digital Decision Making: Back to the Future, Springer Verlag [2007].

27 This list is adapted, with the kind permission of the Open University, from my Open University course, T182 Law the Internet and Society: technology and the future of ideas, which is fairly heavily focused on intellectual property and digital technologies.  The course is based on Larry Lessig’s book The Future of Ideas (Random House, 2001).  Both Jessica Litman in chapter 5 of Digital Copyright and Peter Drahos and John Braithwaite in chapter 3 of Information Feudalism: Who Owns the Knowledge Economy do a terrific job of outlining the long term process of changing public perception of what intellectual property is about.

28 See The Torture Debate in America Edited by Karen Greenberg (Cambridge University Press, 2005) and the Balkanization blog at http://balkin.blogspot.com/2005/09/anti-torture-memos-balkinization-posts.html
29 For a particularly good collection of essays dissecting their position see Intelligent Thought : Science versus the Intelligent Design Movement Edited by John Brockman (Vintage, 2006)
30 Incidentally, whether or not you believe in God, is it seriously beyond the bounds of possibility that He might understand enough science to work with evolutionary processes?
31 And usually only two sides.
32 See Denying the Holocaust: The Growing Assault on Truth and Memory by Deborah Lipstadt for an especially stark example of the media tendency to legitimise the views of people who deny the holocaust took place, in spite of the overwhelming mass of incontrovertible documented and eye witness evidence of the atrocity. Lipstadt refused all media offers to ‘debate’ the reality of the holocaust with holocaust deniers since it would just present these people with a public platform in which their ‘point of view’ would be considered to be of equal value.
33 Don't Think of an Elephant: Progressive Values and the Framing Wars a Progressive Guide to Action by George Lakoff (Chelsea Green Publishing Company, 2004); Metaphors We Live By by George Lakoff & Mark Johnson (University of Chicago Press, 1989)
34 Played by Nigel Hawthorne.
35 Played by Derek Fowlds.
36 The episode in question was The Grand Design, which first aired on the BBC on the 9th of January 1986.
37 ‘Just a Comma’ Becomes Part of the Iraq Debate by Peter Baker Washington Post 5 October, 2006 at http://www.washingtonpost.com/wp-dyn/content/article/2006/10/04/AR2006100401707.html
38 David Irving, for example, went to prison in Austria for this. 
39 See, for example, Deterring Democracy by Noam Chomsky (Vintage, 1992) p.303. Chomsky says: “One fundamental goal of any well-crafted indoctrination program is to direct attention elsewhere, away from effective power, its roots, and the disguises it assumes.”
40 Toxic Sludge is Good For You: Lies, Damn Lies and the Public Relations Industry by John Stauber, Sheldon Rampton (Common Courage Press, September 1995) has some excellent examples.