At the behest of my friend and colleague at the Open University,
Mike Richards, I penned a piece towards the end of last year in connection with our
introduction to cyber security mooc. I realise it is now
up on OpenLearn. Copy below.
In the 1600s the founders of New England meticulously laid
out their towns so that the relationship of buildings to each other and the
town square allowed the Puritan inhabitants to keep a close eye on each other.
For practising Puritans, at that time, allowing friends, family and the rest of
the community to pry into their private lives was routine. Good behaviour in
private was considered to be essential for societal wellbeing. However, that good
behaviour would only be forthcoming if people watched each other closely.
This practice was brought into the internet age by a company
called NetAccountability in 2002. They enabled people to sign up to have a
morally upstanding friend or family member monitor their web surfing habits.
The monitor then received regular comprehensive reports of the websites that
person visited. There are a multitude
of such services today.
In 1791, English philosopher Jeremy Bentham came up with the
idea of an “ideal prison” built with a central tower from which watchers could
see into every cell but the cell-bound could not see into the tower. Prisoners
could never know exactly when they were being watched, would have to assume
they were under constant surveillance and moderate their behaviour to avoid
severe punishment. Bentham called his design a panopticon.
After the Berlin wall came down, the Stasi were found to
have more than 6 million files on East German citizens, more than a third of
the population. The German Democratic Republic panopticon, could not, however,
when it comes to surveillance, hold a candle to modern practices of the
governments of the US and the UK.
The internet, lauded in the 1990s as the force that
would free humanity, has been turned into the world’s panopticon, an
apparatus of mass surveillance the like of which the world has never known. Thanks
to NSA whistleblower, Edward Snowden, we know that the UK and US governments sweep
up communications data on an unimaginable scale, not on just a third of their
citizens, but their whole populations – and the rest of the connected world.
Now I don’t know about you but I find the thought of permanently
being watched oppressive, intrusive and disturbing. 1600s New England,
Bentham’s panopticon, the GDR or communities that require me to sign up to
constant close monitoring to protect my soul are not places that appeal to me
in the slightest. However, as a result of the evolution of technologies and the
war on terrorism, the Internet has become a world of incomprehensible
surveillance.
Snowden has disclosed that the US National Security Agency (NSA)
specifically targets the communications of everyone,
ingesting, collecting, filtering, measuring and storing everything by default. The
NSA’s counterpart in the UK, the Government Communications Headquarters (GCHQ)
has developed a programme called Tempora;
a hard wired intercept of the international communications cables entering and
leaving the UK. Tempora is capable of collecting all communications content and
“metadata” that pass across the UK. The metadata is the details of who is in
contact with whom, what devices they are using, when and from where they are
communicating, for how long, what websites are visited, searched, clicked etc.
Documents leaked by Snowden indicate data that several years
ago GCHQ had the capability to collect 21 petabytes of data every 24 hours.
That is equivalent to about 200 times the contents of the entire British Library,
every single day. The technology
(better) and economics (cheaper) of digital storage mean that their capacity is
undoubtedly far greater today.
Yet the thing about the internet is we don’t notice we’re
being watched. Sure we know about things called “cookies” tracking us – because
of those irritating EU-mandated warnings that pop up on websites – even if we
don’t know exactly what cookies are; and to a degree we know our browsing
habits allow advertisers to specifically identify each and every one of us for
targeted advertising.
But we don’t think about it too much… and when we do we
console ourselves with thoughts such as “the
government are only interested in terrorists and drug dealers and child abusers
and organised criminal gangs – the four horsemen of the infocalypse – not us…
and they know what they are doing… and they are the good guys… and most of us
most of the time are not conscious of any intrusion… and we’ve got nothing to
hide anyway….”
The trouble with the seductive “the innocent have nothing to hide” meme, wielded so freely by
politicians and the press so intent on stripping away our privacy, is that is
dangerous and wrong.
It is underpinned by two hidden and completely false
assumptions.
1.
Privacy
is only about bad people hiding bad things, so only bad people want privacy.
Wrong. The need for privacy is a fundamental part of the human condition.
2.
Sacrificing
privacy will solve complex problems like terrorism.
But here’s a news flash from a former senior executive of the NSA, decorated US
Air Force and Navy veteran, and whistleblower, Thomas Drake – mass
surveillance doesn’t work.
We know it doesn’t work because
in 13 years of mass surveillance following the 9/11 attacks neither the US nor
the UK governments have been able to produce a single example of where it has
worked that can withstand robust independent scrutiny. The US has claimed 54
attacks have been thwarted. All these have been rebutted by experts. The UK
claims at least two major terrorist attacks every year since 9/11 have been
stopped by mass surveillance. No specifics - we just have to trust them on
that. Any plots that have come to light in the media have, when examined, been
uncovered through conventional targeted intelligence and policing.
You see, finding the four horsemen is a needle in a haystack
problem. There may (or indeed may not) be a crime-related communication in
today’s 21 petabytes of data, but it is in amongst a colossal amount of
completely innocent information. It doesn’t become easier to find the needle by
throwing infinitely more needle-free hay on your stack and/or creating multiple
giant and exponentially growing data haystacks.
Mass data collectors can dig deeply into the digital persona
of anyone but don’t have the
resources to do so with everyone. The
resultant pursuit of false positive leads mean the real bad guys often get lost
in the noise, as happened with the perpetrators of the 9/11 attacks who were
known to US authorities but not considered sufficiently important to intercept.
Even then, in a time of significantly more limited and targeted surveillance,
the intelligence and security services were so inundated with data that the
attackers evaded their grasp.
Despite of all of this the Snowden revelations have raised
little more than a collective “meh”,
in the parlance of my teenagers, amongst the majority of people in the UK. Even
when it was revealed that GCHQ were running a system called Optic Nerve, secretly collecting private
images from nearly 2 million Yahoo! webcam accounts, - including those of
children - general public apathy prevailed.
Security and privacy professionals used to joke about the
government wanting to put a camera in everyone’s bedroom – it couldn’t possibly
happen – now they’ve done it and we apparently don’t care.
Why is that?
Well I suspect part of the answer is related to Stanley
Cohen’s theory that when we as individuals, groups, communities, societies,
governments, learn about monumentally appalling things, we go into a state of
denial about it. It is too complex/difficult/terrible to comprehend or cope
with, so we put it to one side and don’t think about it. In that state we can
readily take on board assurances of the powerful to trust them and they will
protect us.
And we have the additional bonus that the internet and our
gadgets connecting us to it are so attractive, gratifying, responsive,
entertaining, accessible, convenient, and educational even – our very own
Huxleian soma, the drug that makes us feel better.
More importantly why should we care?
We should care because invasion of privacy is an ecological
problem. When I give up a little bit of my privacy I’m polluting the lives of
everyone I’m connected to and everyone they are connected to. The NSA deputy
director testified to Congress that they look at anyone ‘3 hops’ removed from
their targets. You don’t have to have
done anything wrong, just be connected to someone connected to someone
connected to someone that falls under suspicion. Then, according to Snowden,
the NSA or GCHQ uses their giant personal data haystacks to time travel through
a comprehensive record of your digital history and scrutinize everything with a
view to deriving suspicion from an innocent life.
And in a way it is not even that concerns me the most.
A lot of this mass surveillance activity is done by good
people with the best of intentions but when you build the infrastructure of a
surveillance state you cannot guarantee that it is – given the revelations of
Edward Snowden and Thomas Drake – or will permanently remain under the control
of the good guys. Nor can you guarantee it won’t be exploited by the very
horsemen of the infocalypse it was nominally constructed to counteract. Mass
valuable personal data databases are irresistible targets for the horsemen. Security
backdoors built into standard computer architecture for intelligence purposes quickly
become available to nefarious actors too.
The thing that worries me the most, though, is the legacy we
are leaving for future generations and the question my kids and possibly their
kids will be asking me in 20 years.
“Dad/granddad, what the
hell did you think you were you doing when they were building the surveillance
society?”
Mass surveillance is incredibly socially destructive and yet we don't seem to care enough to do anything about it.