Tuesday, November 10, 2020

UK-Japan trade deal data laundering threat

Upon prompting by the Open Rights Group, I've written to my MP, Layla Moran, about the data laundering provisions of the UK-Japan trade agreement.

Dear Layla,

You may or may not be aware that that new UK-Japan trade agreement includes expansive data transfer clauses posing a threat to our privacy. These provisions essentially create a surreptitious process for your data to be transferred to other jurisdictions with poor data protection records, including the US.

MPs seem to have been deliberately kept in the dark about these measures which amount to turning the UK into a data laundering haven for unaccountable multinational corporations and countries with weak data protection standards.

I would encourage you and your MP colleagues to call for the freezing of these sections of the treaty - as happened with the unconscionable intellectual property chapters of the Trans Pacific Partnership agreement.

The dangerous undermining of UK citizen and other residents' rights is likely to be an ongoing feature of the government's desperate rush to enter into trade deals they can promote as Brexit successes. In these challenging times, significant vigilance will be required on the part of all our parliamentary representatives to protect fundamental rights in the UK.

I this instance I would ask you to ask the government to “freeze data transfer clauses from the new UK-Japan trade agreement”. This will allow the agreement to go ahead but would freeze (stop) the harmful clauses endangering our privacy.

Thank you.

Yours sincerely,

Ray Corrigan

You can find the  UK-Japan Comprehensive Economic Partnership Agreement documents containing treaty information and a summary of the agreement online.

Jim Killock and Heather Burns at the Open Rights Group have prepared a succinct explanation of the issues. The agreement  contains brand new clauses which priotise the “free flow of data” between the UK and Japan, and from there on to other trade partners, over and above data protection rights.

"A “free flow of data” approach would be a radical departure from the current position. Today, UK companies must only transfer your personal data where they can guarantee that you continue to have similar rights over access, correction and deletion of that data. The UK Japan agreement would force the UK to accept lower data protection frameworks, including voluntary self-regulation, as compatible with the UK’s world leading privacy framework, in Article 8.80 and 8.84.

The UK-Japan agreement, together with the UK adequacy decision, would create a “gateway” for your data to flow to other countries that also have “free flow of data” trade arrangements with Japan. Worryingly, this will permit UK data to be transferred to the USA, without it being kept under GDPR-style protections.

Once data is exported from the UK to the USA via Japan under this agreement, your rights would vastly reduce. In the USA, there is no automatic right for you to know where the data is held, or by whom; you cannot prevent resale, reuse, or the data being put to new uses. There is no right to prevent your data from being used in ways that are discriminatory, or unfair. You cannot ask for your data to be deleted. If it is lost, then there is no legal barrier to a third party from obtaining it and using it. And there is no simple recourse to you if your data is breached or sold...

It is likely to prove impossible for the EU to conclude a data protection adequacy decision for the UK while these unrestricted data flows with Japan, and its trade partners are in place. The EU specifically excluded data flows from their trade agreement with Japan. Although Japan has an adequacy decision from the EU, it had to put specific arrangements in place for EU data to stay in Japan.

This stopped the data of people in the EU — including the UK — from being shifted to an overlapping legal regime and freely siphoned off to third countries. This trade deal bypasses both of those safeguards."

ORG also have a more comprehensive briefing on how the UK-Japan deal severs post Brexit data adequacy. (Pdf version available too).

There are also other serious concerns with the agreement, particularly in relation to general monitoring provisions - upload filters like the EU copyright directive's Article 17 - and bans on circumventing DRM/TPM even for the facilitation of interoperability or repair.

Given the Johnson government Svengali Cumming's obsession with eviscerating the controls on the collection and exploitation of big data, an intense and ongoing focus on resisting such dismantling of fundamental privacy and data protection rights is certainly in order.

Tuesday, October 20, 2020

DCMS Review of Representative Action Provisions, Data Protection Act 2018

Upon a prompt from Jim Killock at the Open Rights Group, I've submitted the following response to the Department for Digital, Culture, Media & Sport Review of Representative Action Provisions, Section 189 Data Protection Act 2018 consultation. (Apologies for the repetition in the paragraph about some of the worst breaches of data protection law being attached to sensitive areas of our private lives, like tracking individual’s use of mental health websites.)

[This is the first time I've used the new Blogger interface and I'm not keen. The html interface is particularly dense tiny font and challenging to read/interpret/use]

I didn't have a lot of time, so drew heavily from Jim's own and Dr Johnny Ryan's work on challenging the legality of the adtech industry's architecture and operational practices.

Department for Digital, Culture, Media & Sport Review of Representative Action Provisions, Section 189 Data Protection Act 2018

My name is Ray Corrigan. I am a senior lecturer in the Science, Technology Engineering and Mathematics Faculty at The Open University but I am responding to this consultation in a personal capacity.

I write, in particular, in relation to the department’s examination of whether to introduce new provisions to permit organisations to act on behalf of individuals who have not given their express authorisation.

I am in favour of such provisions.

Chapter VIII Article 80(2) of the General Data Protection Regulation, provides that EU Member States may provide that any not-for-profit body, organisation or association which has been properly constituted in accordance with the law, independently of a data subject’s mandate, has the right to lodge, in that Member State, a complaint with the supervisory authority which is competent pursuant to GDPR Article 77 and to exercise the rights referred to in GDPR Articles 78 (right to an effective judicial remedy against a supervisory body) and 79 (right to an effective judicial remedy against a data controller or processor), if it considers that the rights of a data subject under this Regulation have been infringed as a result of the processing.

The UK government chose not to incorporate this provision into the Data Protection Act 2018, and I would suggest it is important that this now be rectified.

The big technology and associated “ad tech” companies having been running rings round governments and regulators for too long. As Johnny Ryan of Brave points out, in this formal complaint concerning massive, web-wide data breach by Google and other “ad tech” companies under the GDPR,

“Every time a person visits a website and is shown a “behavioural” ad on a website, intimate personal data that describes each visitor, and what they are watching online, is broadcast to tens or hundreds of companies. Advertising technology companies broadcast these data widely in order to solicit potential advertisers’ bids for the attention of the specific individual visiting the website.

A data breach occurs because this broadcast, known as an “bid request” in the online industry, fails to protect these intimate data against unauthorized access. Under the GDPR this is unlawful...

Bid request data can include the following personal data:

• What you are reading or watching

• Your location

• Description of your device

• Unique tracking IDs or a “cookie match”.

• This allows advertising technology companies to try to identify you the next time you are seen, so that a long-term profile can be built or consolidated with offline data about you

• Your IP address (depending on the version of “real time bidding” system)

• Data broker segment ID, if available.

• This could denote things like your income bracket, age and gender, habits, social media influence, ethnicity, sexual orientation, religion, political leaning, etc. (depending on the version of bidding system)

Dr Ryan said “There is a massive and systematic data breach at the heart of the behavioral advertising industry. Despite the two year lead-in period before the GDPR, adtech companies have failed to comply. Our complaint should trigger a EU-wide investigation in to the ad tech industry’s practices, using Article 62 of the GDPR. The industry can fix this. Ads can be useful and relevant without broadcasting intimate personal data”.”

https://brave.com/adtech-data-breach-complaint/

For all their flaws, getting the GDPR and the Data Protection Act 2018 in place as legal infrastructure for regulating the collection & processing was not a bad start. Unfortunately, with few exceptions such as the recent Belgian data protection authority declaration that the behavioural advertising industry has been engaged in routine, systematic, industrial scale, blanket data collection and management practices, in serious breach of multiple provisions of the GDPR from the day it was passed, enforcement efforts have been underwhelming, at best, so far.

Ordinary internet users are almost completely oblivious to the mechanics of the hidden personal data processing adtech architecture behind most websites; and as the Belgian data protection authority have just pointed out, the deployment and operation of that invasive technology is systemically and systematically unlawful. It is almost astonishing that we, commerce, industry & governments enabled it, but we did and it is time to do something about that.

Mass data collection, processing, onward dissemination and storage has become incredibly complex. Relying on individuals to spot misbehaviour and malfeasance in this area and initiate complaints or legal proceedings to reign in an industry out of control, is unrealistic. The woman on the Clapham omnibus simply does not have the expertise, time or resources. Not-for-profit bodies, human rights organisations or other related associations, however, which have been properly constituted in accordance with the law, do have the expertise and understanding, even if, in these difficult times, many are experiencing a shortage of resources. It is more important than ever that such organisations are given the authority in law to raise complaints, independently, about nefarious data collection and management practices. NGOs should be empowered to complain, in the public interest and to protect individual rights, to the Information Commissioner’s Office and complain to the court about controllers, processors or ICO failure.

This power must include the capacity to challenge the Information Commissioner’s Office. In September 2018, Jim Killock of the Open Rights Group and Dr Michael Veale of University College London, submitted a formal GDPR complaint to the UK Information Commissioner about “real time bidding” the core of the industry’s invasive adtech architecture. In June 2019, the ICO gave the adtech industry six months to clean up its act. In January 2020, after six months of substantive inaction on the part of the industry, the ICO threw in the towel and said they would be taking no enforcement action to remedy industry breaches. https://brave.com/ico-faces-action/

Some of the worst breaches of data protection law are attached to sensitive areas of our private lives, like tracking individual’s use of mental health websites. The ad tech described in the extract from Dr Ryan above engages in some invisible and deeply invasive profiling. Some of the worst breaches of data protection law are attached to sensitive areas of our private lives, like tracking individual’s use of mental health websites. These areas need to be challenged but often are not because of their sensitivity.

When you visit a website, which delivers ads your personal data is broadcast to tens or hundreds of companies. What you read, watch or listen to is categorised and you are profiled into categories. Some of these are bland e.g. “football” or “jazz”. Some are hugely and outrageously sensitive. The rule making representative body for the adtech industry, the Interactive Advertising Industry (IAB) has, for example, got a “IAB7-28 Incest/Abuse Support” category. Other categories are related to sensitive or embarrassing health conditions, sexual orientation, religious affiliation etc. Google categories include “eating disorders”, political leanings etc.

These tags and profiles and trackers can stick with internet users for a long time and people have no idea of the digital baggage they are carrying round as a result. Such tags are not necessary for ad targeting. They are more a convenience for the industry to make it easier to track and profile and re-identify people. And the obscurity of the whole process, systems and mechanisms make it almost impossible for individuals to exercise their rights under the law, in the UK, the Data Protection Act 2018. We cannot find, identify, verify, correct or delete these digital shadows and profiles. The power differential and lack of transparency make it extremely difficult for individuals to take effective action to rectify unlawful and unethical activities on the part of the requisite industries.

Industry pretend they deal in anonymous or non-sensitive data which is a flat-out falsehood. Detailed, invasive personal profiles are constantly and casually created and traded as people innocently surf the internet unaware of these machinations. Industry treats this as routine business practice. It does not have to be this way and should stop. That mass privacy invasion is routine business practice on the internet does not make it right and it is time to stop it.

There is no great functional difference between adtech and techniques Cambridge Analytica used in an attempt to influence voters but, the Cambridge Analytica story, for a time, entered the realm of short attention span news cycle. The adtech data management platforms are just a longer running, invisible scandal.

It is particularly important, in the case of sensitive personal information, therefore, that qualified NGOs be given the power to bring complaints, independently, to protect individual and societal privacy. Privacy is not just an individual value but the fundamental basis of a healthy society.

A couple of final points before I close – firstly to note the necessary parallels with consumer law and secondly on Brexit.

Consumer law allows consumer organisations to initiate complaints in the public interest on the part of consumers. There is no reason, in principle, why NGOs should be prevented from engaging in an equivalent form of action in relation to consumer privacy.

On the Brexit front the UK in January 2021 will be facing the prospect of getting an approved data adequacy decision from the EU in relation to cross border flows of data. Elements of the Investigatory Powers Act 2016, the Digital Economy Act 2017 and recent government moves to pass the Internal Market Bill mean this could prove difficult. (See e.g. Brown, I. & Korff, D. The inadequacy of UK data protection law Part One: General inadequacy https://www.ianbrown.tech/wp-content/uploads/2020/10/Korff-and-Brown-UK-adequacy.pdf) A move to incorporate Article 80(2) of the GDPR into UK domestic law, enabling NGOs and other lawfully constituted public interest organisations to challenge unlawful data collection and management practices, could only help the process of demonstrating the UK, post Brexit, should be held to provide “adequate” protection to personal data.

Tuesday, March 31, 2020

Tired

I have spent the past umpteen years, in the day job, juggling and reacting to chaos and crises, crises that seem completely insignificant in the context of the prevailing pandemic. Three of those years have been at home, in the corner of the small bedroom where my desk is, since The Open University closed our regional infrastructure.

Isolated, 10 to 16 hours a day, mainly in front of a screen, engaged in micro-administrative, bureaucratic trivia and attempting to shield my staff and students from the worst excesses of what has been, at times, a difficult and destructive environment at The Open University.

Last week, although our operations are continuing, most staff in HQ and the remaining satellite offices were despatched to work from home. The focus, in the Covid-19 crisis, of the internal communications has shifted to concern for staff and student welfare, whilst we all try to keep frontline operations rolling, as smoothly, flexibly and sensitively as possible.

This afternoon, shortly after 3pm, my daily chaos slowed to something of a trickle. 30 minutes on, the trickle is still just that and I find myself somewhat flummoxed. We have been engaged in a vast amount of energetic activity making sure students can continue their studies as seamlessly as possible and we are fortunate enough to have the organisational infrastructure to do that.

If the demands flowing to my microscopic corner of the OU universe remain manageable through to this evening, I might have some time and space to do something constructive.

But I'm tired and I expect the chaos to resume later this afternoon or evening.

Tired and discombobulated and unproductive, sure enough I've wasted the window of opportunity in the day, as the communications begin to ping in again and the temporary lull in increasing entropy appears over.

It is disappointing to note the muscle memory of my little grey cells seems conditioned these days only to juggle the chaos.

I'm tired and irritated at wasting an opportunity but the chaos and the opportunity are trivial... my thoughts are with the family of a friend, infected with Covid-19, in an induced coma, on a ventilator in an intensive care unit.

This thing is real and dangerous.

Keep safe, stay well.

Friday, March 06, 2020

Carl Malamud at the Open University

On Tuesday, 3 March, 2020, Carl Malamud visited The Open University and shared his thoughts on text and data mining in scientific journals. He opened with the story of Mahatma Gandhi's writing of the book Hind Swaraj (India self rule) on a boat trip between the UK and South Africa in 1909.

The book is relevant to the open access movement in two key particulars. The first edition of the book was published with "No rights reserved", Gandi being the first author to explicitly eschew copyright. Secondly Malamud has been inspired by Gandhi's resistance to colonialism. Scientific knowledge has been colonised and, as James Boyle has argued for a generation, we are in the midst of a second enclosure movement, an enclosure of the commons of the mind.

Malmud has written a book, Code Swaraj, about this, with Sam Pitroda, a former Indian cabinet minister and telecommunications businessman. Gandi preached you had to rule yourself, not let others colonise. But nowadays if you want to do research you have to ask permission and that permission is often not forthcoming because of the immoral and probably illegal assertion of ownership of human knowledge by vested economic gatekeepers such as the scientific publishers.

Christopher Booker read hundreds of books over more than thirty years before writing The Seven Basic Plots: Why We Tell Stories, first published in 2004. His three decade long analysis was an exercise in text and data mining. Text and data mining is now something we can automate with computers. A study of gender in literature showed that the number of female characters has declined rather than increased, matching a proportionate decline in female authors.

Gitanjali Yadav, a plant genome researcher at Delhi’s National Institute of Plant Genome Research (NIPGR) and at Cambridge University is working on the mechanics and chemistry of plant communication channels, using a plant chemicals database.

Elisabeth Bik is a scientist working on fraudulent re use of images in academic papers and exposing paper mills. In China, part of the pre-requisites for becoming a doctor is the publication of peer review papers. The incentive to buy them from paper mills is high.

Scientific literature has been locked up and it is unclear what the potential for research could be as a result.

Max Häussler is researcher at the University of California, Santa Cruz (UCSC) and he has created a genome browser. The browser links human genome DNA sequences to sections of published articles that deal with the same sequences. He wrote to 43 publishers and explained he would like to do text and data mining on their articles. Many publishers did not want to cooperate, refused permission or did not engage at all. So he didn't get access to as much literature as he would have liked. Malamud considers there is an argument to be made that text and data mining of research is permitted in law, even if the publishers do not grant explicit permission. Häussler is unsure and doesn't mine articles for which permission is not forthcoming. It would seem clear that the power of his genome browser would be significantly greater if he had that broader access to data.

Without asking publishers' permission, Malamud has put a lot of stuff online via a project at Jawaharlal Nehru University (JNU) in India - 125 million journal articles from many sources, from the mid 19th century up to the present.

The storage facility is air-gapped and not connected to the internet. Researchers who want access can bring their computers to the facility and text & data mine the materials there. Without having to read or download the articles which is not permitted, they can, nevertheless, draw scientific insights, thereby circumventing any potential copyright problems. The terms and conditions are modeled on those of the HathiTrust and the store specialises in bioinformatics. The access model is 3-tiered:

Tier 0 is air-gapped and pdfs of the articles

Tier 1 is extracted texts and is also air-gapped

Tier 2 is facts. As there is no copyright on facts, this can be made available openly to everyone.

The HathiTrust were the involved in providing Google with books for scanning for the Google Book project. Google in return gave the trust digital copies of the scanned books where out of copyright works are now made freely available online. Publishers sued Google in the US for breach of copyright and the case took many years to make its way through the courts. The appeal court concluded, Authors Guild v Google in 2014, that Google's use of the books was "transformative" and therefore permissible under US copyright law:
"1) Google’s unauthorized digitizing of copyright-protected works, creation of a search functionality, and display of snippets from those works are non-infringing fair uses. The purpose of the copying is highly transformative, the public display of text is limited, and the revelations do not provide a significant market substitute for the protected aspects of the originals. Google’s commercial nature and profit motivation do not justify denial of fair use. 
2) Google’s provision of digitized copies to the libraries that supplied the books, on the understanding that the libraries will use the copies in a manner consistent with the copyright law, also does not constitute infringement. Nor, on this record, is Google a contributory infringer. Accordingly, the court affirmed the judgment."
In 2016 the US Supreme Court rejected the Authors Guild's request to further appeal the decision, ending the more than a decade long litigation. The Authors Guild also tried suing the HathiTrust but were unsuccessful in that case too. The technicalities of the case were different.  One interesting angle was that the court made a point of noting the value of the HathiTrust approach to making the books available to print disabled and visually impaired.

The bottom line was that Google Books and the HathiTrust were given the ok by the US courts.

In the UK text and data mining is permitted only for non-commercial use. The text and data mining copyright exception was introduced in the UK in 2014. A format shifting exception, partly based on a report I co-wrote with two Oxford economists, Mark Rogers and Josh Tomalin, 'The economic impact of consumer copyright exceptions', was introduced at the same time. This latter exception was subject to a legal challenge by the music industry and a high court judge quashed the exception in the summer of 2015. In British Academy of Songwriters, Composers And Authors & Ors, R (On the Application Of) v Secretary of State for Business, Innovation And Skills [2015] EWHC 1723 (Admin) (19 June 2015), Mr Justice Green also based his decision to negate the format shifting exception, partly, on that same report I wrote with Mark and Josh. We had simply advocated evidence based policy making on intellectual property.

Getting back to the text and data mining, Malamud suggests the UK situation makes the invalid assumption that we have an access subscription to everything and that publishers cooperate with researchers which they don't.

In 2012, Delhi University got into a legal scrap with Oxford and Cambridge University presses and Taylor & Frances. The case revolved around a copy shop on the campus which lecturers used to make copies of course packs for students. Under Indian law, section 52 of the Copyright Act of 1957, copyright does not apply to materials issued by a teacher to a student. Copying is also permitted for research purposes. The cost of the textbooks that extracts were copied from was way beyond the means of most of the students. The publishers, nevertheless, demanded that the university pay them a licence fee to cover the copying. The High Court in Delhi ruled in favour of the university.

It seems to have been at the time Malamud read about the case that he began to think India might be a fertile territory for his campaign to provide access to knowledge. Those early inklings, backed up with expert legal opinions he has since solicited noting that it is permitted under Indian law since text & data mining does not involve copying or reading the articles, have bloomed into the repository at Jawaharlal Nehru University (JNU) with his store of 125 million articles. Gitanjali Yadav's plant database is up and running and linked with another university research group.

The Indian government's chief scientific adviser has a plan to make all scientific abstracts of published papers openly available. Malamud is also beginning to work with a wikipedian at the University of Virginia who is keen to integrate correct scientific references into Wikipedia.

In the US federal employee authored work done in the course of their employment is not copyrightable. So Malamud decided it might be a fruitful activity to attempt to find journal articles written by federal employees. He sampled ten thousand articles and discovered many were done as part of official duties but they were still locked behind publishers' paywalls.  When Barack Obama was president he wrote an article for the Harvard Law Review. Though the small print connected with the article says it is not copyrighted, the manner in which the Harvard Law Review presents the article makes it appear that it is subject to copyright.  Malamud, when he finds works written by federal employees, can only guess whether they were produced as part of the authors' public service duties. But he might get it wrong, so chooses not to make them openly available. His principle goal is to challenge and push back against official and commercial copyright overreach but not break any law.

On the law, he has been sued by the state of Georgia for publishing the state code. Just in case you are doing a double take with that, I did really say that Carl Malamud is being sued by the state of Georgia for making the laws of Georgia freely available to the public.  The state sued and won at the court of first instance. Malamud appealed and won in the appeal court. This was appealed to the US Supreme Court which heard the case in December of last year. He is expecting a decision by the summer. Edicts of government are not subject to copyright protection, yet this case is in the US Supreme Court. You do sometimes have to wonder at the state of copyright law (excuse the pun).

Malamud cut his teeth on campaigning and access to knowledge activism with public codes that have the force of law. Building codes and electrical and plumbing and fire safety etc codes are edicts of government. Malamud bought copies from official standards bodies and put a lot of them freely online. Lots of standards get updated and we are obliged to work to them but they do not get released. Malamud has been sued by standards organisations in litigation that has been ongoing for 6 years. His annual legal costs are $1.6 million but he has the good fortune to be represented by lawyers who work pro bono. He can walk into a pub anywhere and strike up a conversation and it is easy for people to understand the work he does. He'll often get a plumber or builder etc offering to buy him a drink, explaining they had to fork out thousands of their hard earned cash for standards codes they are obliged to work to.

India has a very strong right to information law. Malamud put nineteen thousand Indian standards online, reformatted for usability. He bought the standards from the Bureau of Indian Standards. When he got renewal notices from them asking for the next due licence fee he wrote back saying he had put the standards online. He got an angry, "unhinged" response, accusing him of breaking the law, being no longer welcome as a customer and a variety of legal threats.

In the EU, member states must transpose standards into national laws within six months of being issued. Malamud got sued by the German standards organisation for posting the EU standard for baby soothers. The standard is just full of common sense - the mouth guard must be big enough so it doesn't present a swallowing/choking threat etc. The German court sided with the standards body. Malamud is now subject to a German court injunction punishable by a fine of up to €250k and a jail term of up to two years, should he decide to re-publish the standard online. He has, however, posted four EU toy standards focusing on environmental implications and petitioned the UK government on the matter. He got turned down by the standards bodies for access to these standards and is bringing a case to the Court of Justice of the European Union.

Malamud's friends, critics and acquaintances regularly ask him why he expends such energy on what he does, when there are so many bigger problems in the world like the climate crisis, conflict and disease. His answer is a simple and irrefutable one: without access to knowledge you cannot solve the any of these problems and you cannot educate the citizenry to enable them to formulate their own solutions. Access to knowledge is the pre-condition for solving the world's fundamental problems.

Update: On 27 April 2020, the US Supreme Court ruled in favour of Malamud in a tight 5-4 split decision. Justice Ginsburg, interestingly, sided with the minority.

Wednesday, January 22, 2020

Snowden book

I read Edward Snowden's book, Permanent Record, over the Christmas break. It's an accessible, engaging account of how he got to where he is.

His early education was shaped by the anarchic, liberal, open, collegiate internet of the late 20th century, before it began to be reshaped by commerce and states as the mass surveillance machine it is today. His family were supportive or possibly indulgent of his obsession with the computers and networks of the 1990s.

In school, Snowden hacked the system to avoid homework. Quizzes were worth 25%, tests 35%, term papers 15%, homework 15% and class participation 10%. He figured he could skip both the homework and the term papers and still comfortably pass by acing everything else. Then one of his teachers confronted him, asking why he had not handed in any of previous six homework assignments. Innocently Snowden explained his reasoning to the laughter of his classmates. The teacher complimented the young Snowden on his cleverness and, within 24 hours, changed the system to make homework compulsory. He also took Snowden aside and encouraged him to put his fine brain to more constructive use than avoiding work and to be aware of how records follow us around and the impact on his permanent record.

Snowden's parents broke up. He learned to be independent, went to community college and got a job as tech support for a small business, working out of the business owner's home on the south west edge of Fort Meade. Yes that Fort Meade - home to the NSA. Snowden was at work when the 9/11 attacks happened and everything changed.

He bought hook, line and sinker into the Bush/Cheney 'war on terror':
"It was as if whatever individual politics I'd developed had crashed – the anti-institutional hacker ethos instilled in me online and the apolitical patriotism I'd inherited from my parents, both wiped from my system – and I'd been rebooted as a willing vehicle of vengeance. The sharpest part of the humiliation comes from acknowledging how easy this transformation was, and how readily I welcomed it."
And joined the army.

Coming from family generations of which had served in the Coast Guard, Snowden wanted to serve his country through the branch of the armed services considered by that family to be the "crazy uncles of the military". He aced the entrance exam, went into training for special forces, got injured on exercises and was eased out on administrative separation.

So back went Snowden to community college and decided he could best serve his country through his technical prowess. But to do that he'd need to join the CIA, NSA or other intelligence agency. And to do that he would need security clearance - top secret (TS) and top secret with a Sensitive Compartmented Information (SCI) qualifier. This involved filling out some forms and "sitting around with your feet up and trying not to commit too many crimes while the federal government renders its verdict." As a military veteran of sorts and the product of a multi generational service family, most of whom had the equivalent clearances, he was a good prospect and in due course succeeded. By this time Lindsay Mills had also become part of his life and so closes part 1 of the book.

Part 2 opens with 'The System.' Snowden describes a system as "a bunch of parts that function together as a whole". At the Open University we have a slightly longer definition of a system:
  1. A system is an assembly of components connected together in an organised way.
  2. The components are affected by being in the system and the behaviour of the system is changed if they leave it.
  3. This organised assembly of components does something.
  4. This assembly as a whole has been identified by someone who is interested in it.
Given the systems Snowden was thinking about - the professional civil service his family were steeped in and the computer systems he was obsessed by - his working definition satifices. When it came to computers he was most intrigued by their total functioning, not as individual components but as overarching systems. So the natural inclination was to get into systems administration or systems engineering which is what he did. Sysadmins and systems engineers naturally incline to a craft of understanding how computer systems work and fail and develop the diagnostic processes that go into keeping them running and getting them fixed and retrofitted and improved and renewed. It is not unnatural, then, when working within government (albeit for contractors) for techies to apply to same systems analyst skills to the system of government. Which is also what Snowden did.

We know about the five eyes mass surveillance systems and activities from Snowden's disclosures in 2013, from PRISM to TEMPORA, XKEYSCORE to QUANTUM, TURBULENCE and beyond. Yet, in some ways, the most chilling chapter in the book is "Homo contractus". It essentially outlines the private sector infiltration of the US intelligence services.
"I had hoped to serve my country, but instead I went to work for it. This is not a trivial distinction... government had treated a citizen's service like a compact: it would provide for you and your family, in return for your integrity and the prime years of your life.
But I came into the IC during a different age.
...the sincerity of public service had given way to the greed of the private sector, and the scared compact of the soldier, officer, and career civil servant was being replaced by the unholy bargain of Homo contractus, the primary species of US Government 2.0. This creature was not a sworn servant but a transient worker, whose patriotism was incentivized by a better paycheck and for whom the federal government was less the ultimate authority than the ultimate client.
...for third-millennium hyperpower America to rely on privatized forces for the national defense struck me as strange and vaguely sinister."
Snowden goes on to explain the use of contractors is a con to let the agencies circumvent statutory federal caps on hiring. As contractors are not included in the limits, the agencies can hire as many as they have the budget to pay for. Post 9/11 was a time when no congresscritter was going to go on the record as opposing any resources the intelligence and security agencies declared necessary for the 'war on terror'.

Huge resources got poured into the intelligence agencies for technical surveillance infrastructure and the people to create, develop, deploy and operate it. A large proportion of the people working on this mass surveillance were, like Snowden, technically employed by contractors and sub contractors but working directly for and within the agencies, the CIA and NSA in Snowden's case. Many of those nominally employed by the private sector started out as government employees, as the private companies didn't want to pay someone to wait around for a year or more for their TS/SCI security clearance to come through. Once the clearance was secured they could swap a government job for a better paid private sector job, sometimes doing the same work. Snowden's first job was with the state of Maryland partnered with the NSA opening a new institution called CASL, the Center for Advanced Study of Language.

As the building in which CASL was to be resident was still under construction, he essentially did the work of a night shift security guard. Whilst there and considering his long term career as a federal employee, he was amazed to find few opportunities to work directly for the government. Most of the sysadmin and systems engineering jobs available in government were through "working for a subcontractor for a private company that contracted with another private company that served my country for profit." Given these positions provide "almost universal access to the employer's digital existence", it's surprising to find these circumstances prevailing in the context of security and intelligence.
"In the context of the US government, however, restructuring your intelligence agencies so that your most sensitive systems were being run by somebody who didn't really work for you was what passed for innovation.
The agencies were hiring tech companies to hire kids and then giving them the keys to the kingdom."
Snowden's first contracting gig was for a company called COMSO, subcontracted to hire him by BAE Systems. He worked at CIA headquarters in McLean, Virginia. He had been earning $30k at CASL and asked COMSO for $50k. His nominal "manager" at COMSO talked him up to $62k. Middlemen contractors charged the government the employee's salary plus 3-5%. The higher the salary, the higher the cut.

The actual job at the CIA was both depressing and enlightening. Depressing on the extent of the cynical restructuring of the agency by the Bush administration and the move to a dependency, particularly in relation to modern technical information systems, on external contractors. Enlightening on the extent of the access Snowden got to highly classified material and the insight that gave him into the reach of the CIA and the importance of intelligence operations. It also gave him a hankering to really serve his country by applying for a role in a CIA field office overseas, preferably in a conflict zone. That meant swapping his contractor badge for a government employee badge, swearing an oath to defend and uphold the US Constitution and going back to school.

The techie in the CIA field office or embassy is responsible for every piece of kit in the building, from computers to heaters, encryption devices to locks. For security reasons no embassy will employ local contractors on even routine maintenance. The tech guy and there are not usually that many of them does everything. That's what the 6 months schooling before deployment was for.

Conditions at the CIA Warrenton Training Center ("the Hill") were less than ideal and whilst there, Snowden got his first taste of what reporting problems up the chain of command led to i.e. no addressing of the problem and a marking of the card of the whistleblower. Instead of getting his preferred deployment to a war zone to actively live out his heart on a sleeve patriotism, he was sent to Geneva for his first overseas tour of duty.

In Geneva, Snowden got a front seat view of the changing intelligence world and the pivot of the CIA from human intelligence (HUMINT) to cyberintelligence (SIGNINT & COMSEC), not that the former was abandoned but became proportionately less prevalent.
" In Geneva... America was busy creating a network that would eventually take on a life and mission of its own and wreak havoc on the lives of its creators – mine very much included.
The CIA station in the American embassy in Geneva was one of the prime laboratories of this decades long experiment. This city... lay at the intersection of EU and international fibre-optic networks, and happened to fall just within the shadow of key communications satellites"
Following Geneva, he moved to Tokyo to work in his "dream job" for the NSA but again, technically, as a better paid contractor in the private sector, an employee of Perot Systems which was then taken over by Dell.

In Tokyo, communications interception was the primary mission. In Toykyo, Snowden's early work was to link the NSA and CIA systems. In Tokyo, he discovered the NSA were vastly technologically superior to the CIA and vastly more laissez faire about security. In Tokyo, he created a much more effective storage system for the NSA, called EPICSHELTER. In Tokyo, his mind boggled at the scale and reach of China's mass surveillance and censorship systems. In Tokyo, he first realised "the power of being the only one in the room with a sense not just of how one system functioned internally, but of how it functioned together with multiple systems—or didn't." In Tokyo, he began to become disturbed at US mass surveillance, even as he was creating, developing and operating elements of the systems involved. In Tokyo, he initially sated his concerns by assuring himself he was working for the good guys.

In Tokyo, he became aware senior intelligence and security community insiders had serious concerns over the Bush administration's unchecked expansion of warrantless mass surveillance. In Tokyo he accidentally got access to the classified version of the Report on the President's Surveillance Program, (PSP) filed in an 'Exceptionally Controlled Information' (ECI) compartment. Full classification TOP SECRET//STLW//HCS/COMINT//ORCON/NOFORN. Through the PSP report he learned of STELLARWIND, the NSA's general and indiscriminate, bulk collection of electronic communications. In Tokyo, he began to understand the political sophistry underpinning mass surveillance, such as the now ubiquitous claim that collected communications could only be considered to be legally "obtained" or "acquired" if a member of the agencies searched for or found them. Collected communications would not be legally acquired but would, nevertheless, be available for search and retrieval, in post hoc fishing expeditions, in perpetuity. In Tokyo, it dawned on him that the Obama administration had no intention seeking reparations for systemic illegalities or undoing any of the deployment of mass surveillance infrastructure undertaken by their predecessors.

By 2011, Snowden was back in the US, still employed by Dell, building cloud systems for the CIA. He was also getting stressed and depressed at the mass surveillance of the state; and not just willing but enthusiastic compliance and buy in of friends and the general public into commercial systems of mass surveillance. The stress led to illness, including epilepsy and he eventually took sick leave to recuperate. His next move, in 2012, was to Hawaii, still with Dell, a step down in terms of responsibilities, to facilitate his ongoing recuperation but now working for the NSA again. He was now the NSA's Microsoft Sharepoint administrator in Hawaii. Lowly in the organisational food chain but, as a manager of document management and "reader in chief", this provided the access privileges to gather comprehensive evidence on his nascent concerns from Tokyo, about US mass surveillance.

Having automated much of his formal work responsibilities he set about his task of surveying the extent of the NSA's surveillance capabilities, running into the standard security services secrecy, obfuscation, compartmentalisation, misdirection, bureaucratic code and all the other institutional processes available for keeping information from the light. He decided to automate this process too, with the approval of his boss, setting up a kind of RSS reader system on steroids. This not only scanned for or linked to documents but copied them. Snowden called it Heartbeat and gave intelligence services staff access to a personalised reader that collected classified intelligence documents (from NSA, CIA, FBI and Deparment of Defense) according to each individual's security clearance.

The volume of documents Heartbeat collected was enormous and although Snowden could see it all, beyond the capacity of a single human being to review. Nevertheless, it was through Heartbeat that he learned about Upstream (direct collection of bulk data live from private sector communications infrastructure) and PRISM (bulk data handed over by private sector actors like Google, Apple, Microsoft, Facebook and Amazon etc. and overseen, theoretically, by the Foreign Intelligence Surveillance Court, FISC). He learned of TURBULENCE, a collection of black servers hard wired into telecommunications companies' infrastructure, running internet traffic through filtering tools like TURMOIL to flag suspicious communications; and TURBINE which routs communications to the NSA, where other algorithms decide which malware to deposit (via QUANTUM) on the source computer, in order that the potential threat can be monitored.

Snowden began to become indignant at the intelligence community's blatant flouting of the US Bill of Rights, particularly the fourth amendment protections against search and seizure and also the White House, the courts' and congress's complicity in this. He was particularly incensed when the US Supreme Court decided to wash their hands of the issues in February 2013, when the Court decided, 5-4, that the American Civil Liberties Union (ACLU) and their client, Amnesty International, did not have standing to challenge the constitutionality of the warrantless wiretapping program. (Substantively, the ACLU and Amnesty were challenging the Foreign Intelligence Surveillance Act Amendments Act 2008 (FISAA). FISAA is the law that makes the act of being a foreigner a sufficient reason to be a target of US law enforcement and intelligence services.)

He had, by then, decided to blow the whistle on the whole shebang. The ACLU case and embryonic mass surveillance enabling laws in the UK (the snoopers' charter which eventually got passed as the Investigatory Powers Act 2016) and Australia (multiple bills) only hardened that resolve.

Chapters 21 and 22 extol the virtues of whistleblowing and Snowden's perspective on the fourth estate but I'll leave the reader to peruse those for themselves.

Before he blew the whistle, however, he wanted one last job, not just administering or reading about mass surveillance tools but actually using them, particularly XKEYSCORE, the NSA's incredibly powerful intelligence search engine. A position opened up at the National Threat Operations Center (NTOC), one "of the few offices in Hawaii with truly unfettered access to XKEYSCORE", through Booz Allen Hamilton. Snowden secured it and so began his education in the coal face abuses of US intelligence systems. The shock was palpable.
"Seeing them made me realize how insulated my position at the systems level had been from the ground zero of immediate damage. I could only imagine the level of insulation of the agency's directorship or, for that matter, the US president."
Snowden had already smuggled the documents he intended to pass to journalists out of the NSA on SD and micro SD cards. The flight to Hong Kong and handing over of those documents to Laura Poitras, Glenn Greenwald and Ewen MacAskill, his escape, aided by Wikileaks's Sarah Harrison, to and entrapment in Russia when the US revoked his passport, has been well documented in the Guardian, the Washington Post and Poitras's documentary, CitizenFour.

The chapter on Moscow in the book is thin on detail and only outlines the discussions Snowden and Harrison had with an intelligence official on the day they arrived, noting also thereafter they spent 40 days and nights at the airport. During that time he applied, unsuccessfully, to 27 countries for political asylum. He concludes the chapter suggesting the Russians gave him asylum because they were fed up with the media scrum at the airport.

The penultimate chapter of the book details extracts from the diary of Snowden's partner, Lindsay Mills, in the aftermath of his disappearance to Hong Kong. She is a powerful presence and positive force in his life and it would have been nice to hear more from her. Mills and Snowden were married in Russia in 2017.

The final chapter is largely a whistlestop tour of the legacy of Snowden's revelations from his perspective - global awareness of mass surveillance, some positive legal developments like ACLU v Clapper in the US and the GDPR in the EU, some important developments in encryption like HTTPS, Secure Drop, Signal and generally more end to end encryption. But if we were concerned to avoid living in a surveillance society, it's too late, we're already there. State and commercial surveillance systems are more powerful and pervasive than ever and getting worse. They will require structural solutions - legal, technical, economic, environmental, individual & societal - pressures brought to bear to bring them under democratic control.