Tuesday, February 24, 2015

What were you doing when they were building the surveillance society?

At the behest of my friend and colleague at the Open University, Mike Richards, I penned a piece towards the end of last year in connection with our Introduction to Cyber Security MOOC. I realise it is now up on OpenLearn. Copy below.
In the 1600s the founders of New England meticulously laid out their towns so that the relationship of buildings to each other and the town square allowed the Puritan inhabitants to keep a close eye on each other. For practising Puritans, at that time, allowing friends, family and the rest of the community to pry into their private lives was routine. Good behaviour in private was considered to be essential for societal wellbeing. However, that good behaviour would only be forthcoming if people watched each other closely.
This practice was brought into the internet age by a company called NetAccountability in 2002. They enabled people to sign up to have a morally upstanding friend or family member monitor their web surfing habits. The monitor then received regular comprehensive reports of the websites that person visited. There are a multitude of such services today.
In 1791, English philosopher Jeremy Bentham came up with the idea of an “ideal prison” built with a central tower from which watchers could see into every cell but the cell-bound could not see into the tower. Prisoners could never know exactly when they were being watched, would have to assume they were under constant surveillance and moderate their behaviour to avoid severe punishment. Bentham called his design a panopticon.
After the Berlin Wall came down, the Stasi were found to have more than 6 million files on East German citizens, more than a third of the population. When it comes to surveillance, however, the German Democratic Republic panopticon could not hold a candle to the modern practices of the governments of the US and the UK.
The internet, lauded in the 1990s as the force that would free humanity, has been turned into the world’s panopticon, an apparatus of mass surveillance the like of which the world has never known. Thanks to NSA whistleblower, Edward Snowden, we know that the UK and US governments sweep up communications data on an unimaginable scale, not on just a third of their citizens, but their whole populations – and the rest of the connected world.
Now I don’t know about you but I find the thought of permanently being watched oppressive, intrusive and disturbing. 1600s New England, Bentham’s panopticon, the GDR or communities that require me to sign up to constant close monitoring to protect my soul are not places that appeal to me in the slightest. However, as a result of the evolution of technologies and the war on terrorism, the Internet has become a world of incomprehensible surveillance.
Snowden has disclosed that the US National Security Agency (NSA) specifically targets the communications of everyone, ingesting, collecting, filtering, measuring and storing everything by default. The NSA’s counterpart in the UK, the Government Communications Headquarters (GCHQ), has developed a programme called Tempora: a hard-wired intercept of the international communications cables entering and leaving the UK. Tempora is capable of collecting all communications content and “metadata” that pass across the UK. The metadata is the details of who is in contact with whom, what devices they are using, when and from where they are communicating, for how long, what websites are visited, searched, clicked etc.
Documents leaked by Snowden indicate that several years ago GCHQ had the capability to collect 21 petabytes of data every 24 hours. That is equivalent to about 200 times the contents of the entire British Library, every single day. The technology (better) and economics (cheaper) of digital storage mean that their capacity is undoubtedly far greater today.
Yet the thing about the internet is we don’t notice we’re being watched. Sure we know about things called “cookies” tracking us – because of those irritating EU-mandated warnings that pop up on websites – even if we don’t know exactly what cookies are; and to a degree we know our browsing habits allow advertisers to specifically identify each and every one of us for targeted advertising.
But we don’t think about it too much… and when we do we console ourselves with thoughts such as “the government are only interested in terrorists and drug dealers and child abusers and organised criminal gangs – the four horsemen of the infocalypse – not us… and they know what they are doing… and they are the good guys… and most of us most of the time are not conscious of any intrusion… and we’ve got nothing to hide anyway….”
The trouble with the seductive “the innocent have nothing to hide” meme, wielded so freely by politicians and the press so intent on stripping away our privacy, is that it is dangerous and wrong.
It is underpinned by two hidden and completely false assumptions.
1. Privacy is only about bad people hiding bad things, so only bad people want privacy.
Wrong. The need for privacy is a fundamental part of the human condition.
2. Sacrificing privacy will solve complex problems like terrorism.
But here’s a news flash from a former senior executive of the NSA, decorated US Air Force and Navy veteran, and whistleblower, Thomas Drake: mass surveillance doesn’t work.
We know it doesn’t work because in 13 years of mass surveillance following the 9/11 attacks neither the US nor the UK governments have been able to produce a single example of where it has worked that can withstand robust independent scrutiny. The US has claimed 54 attacks have been thwarted. All these have been rebutted by experts. The UK claims at least two major terrorist attacks every year since 9/11 have been stopped by mass surveillance. No specifics - we just have to trust them on that. Any plots that have come to light in the media have, when examined, been uncovered through conventional targeted intelligence and policing.
You see, finding the four horsemen is a needle in a haystack problem. There may (or indeed may not) be a crime-related communication in today’s 21 petabytes of data, but it is in amongst a colossal amount of completely innocent information. It doesn’t become easier to find the needle by throwing infinitely more needle-free hay on your stack and/or creating multiple giant and exponentially growing data haystacks.
Mass data collectors can dig deeply into the digital persona of anyone but don’t have the resources to do so with everyone. The resultant pursuit of false positive leads means the real bad guys often get lost in the noise, as happened with the perpetrators of the 9/11 attacks who were known to US authorities but not considered sufficiently important to intercept. Even then, in a time of significantly more limited and targeted surveillance, the intelligence and security services were so inundated with data that the attackers evaded their grasp.
Despite all of this, the Snowden revelations have raised little more than a collective “meh”, in the parlance of my teenagers, amongst the majority of people in the UK. Even when it was revealed that GCHQ were running a system called Optic Nerve, secretly collecting private images from nearly 2 million Yahoo! webcam accounts – including those of children – general public apathy prevailed.
Security and privacy professionals used to joke about the government wanting to put a camera in everyone’s bedroom – it couldn’t possibly happen – now they’ve done it and we apparently don’t care.
Why is that?
Well I suspect part of the answer is related to Stanley Cohen’s theory that when we as individuals, groups, communities, societies, governments, learn about monumentally appalling things, we go into a state of denial about it. It is too complex/difficult/terrible to comprehend or cope with, so we put it to one side and don’t think about it. In that state we can readily take on board assurances of the powerful to trust them and they will protect us.
And we have the additional bonus that the internet and our gadgets connecting us to it are so attractive, gratifying, responsive, entertaining, accessible, convenient, and educational even – our very own Huxleian soma, the drug that makes us feel better.

More importantly why should we care?
We should care because invasion of privacy is an ecological problem. When I give up a little bit of my privacy I’m polluting the lives of everyone I’m connected to and everyone they are connected to. The NSA deputy director testified to Congress that they look at anyone ‘3 hops’ removed from their targets. You don’t have to have done anything wrong, just be connected to someone connected to someone connected to someone that falls under suspicion. Then, according to Snowden, the NSA or GCHQ uses their giant personal data haystacks to time travel through a comprehensive record of your digital history and scrutinize everything with a view to deriving suspicion from an innocent life.

And in a way it is not even that which concerns me the most.
A lot of this mass surveillance activity is done by good people with the best of intentions but when you build the infrastructure of a surveillance state you cannot guarantee that it is – given the revelations of Edward Snowden and Thomas Drake – or will permanently remain under the control of the good guys. Nor can you guarantee it won’t be exploited by the very horsemen of the infocalypse it was nominally constructed to counteract. Mass valuable personal data databases are irresistible targets for the horsemen. Security backdoors built into standard computer architecture for intelligence purposes quickly become available to nefarious actors too.
The thing that worries me the most, though, is the legacy we are leaving for future generations and the question my kids and possibly their kids will be asking me in 20 years.
“Dad/granddad, what the hell did you think you were doing when they were building the surveillance society?”
Mass surveillance is incredibly socially destructive and yet we don't seem to care enough to do anything about it.