On Twitter: @JamesFirth and @s_r_o_c (post feed)

Got a tip? tip@sroc.eu

Tuesday, 25 June 2013

Don't even bother asking governments not to spy on us

Electronic privacy is dead, now let's deal with the aftermath

Unlike most other technological innovations - particularly advancements in communication and mass media - for a relatively brief period the internet gave individual citizens an unprecedented edge over the state.

Previously everything media and comms was regulated by the state: from printing, broadcast radio and television to ownership of radio transceivers;  any UK citizen who feels oppressed by the state today should be reminded that until 1968 we had formal state censorship of theatres and stage plays.

Four factors made the internet impossible to regulate - at least in its early years:
  1. It happened by accident; governments around the world simply weren't anticipating the speed of growth, nor the impact the internet would have across many areas of life
  2. Even after (1) was appreciated, regulation during a period of intense growth would almost certainly have stifled development because growth relied mainly on private initiative
  3. The international nature of the network made many local laws irrelevant, e.g. in the UK, the Obscene Publications Act effectively banned hardcore pornography, but could not be applied against foreign websites 
  4. The nature of the network - a coalescence of many inter-connected autonomous networks - provided no centralised control point; and [early] limitations in technology, in particular latency and bandwidth, severely limited any government's ambition to impose content filtering and monitoring obligations on each of the autonomous networks
But what the internet giveth, the state can regulate away - it just takes time for the legislative machine to catch up.

And, now that technology has advanced to render point (4) obsolete, the legislative march is unstoppable.

It's unstoppable because it's impossible to change a mindset overnight.

The Government, its members and its security services all share one primary role: to defend the state; and currently defend is synonymous with control.

Until the collective thinking of law-makers advances to accept that a highly autonomous public does not itself threaten an established democracy - in fact it might well make us stronger - defending the state will necessarily involve maintaining a reserve of power and control over its people, just in case.

And the state now has these powers in respect to digital communications.

They have mastered the internet, in that it is now pretty much impossible to do anything of any significance online without running the risk of being tracked.1

I'm not saying you will be identified, but there's certainly now a non-negligible risk.

And I'm not saying that the internet does not still bring significant power to the people - it does, despite the tracking and monitoring.

But there are now two new realities.

One: everything online is monitored and traceable - if not [yet] by the state, by private companies be it Google, Facebook, your operating system vendor or ISP.

Two: there is nothing you can do, in calling for legislation or in your use of technology, that will be effective in stopping governments and corporations spying on you that doesn't severely impact what you want to achieve.

Any new laws will be symbolic because everyone, from states to corporations to private individuals - has become addicted to snooping.  (Yes, you, cruising Facebook to find out what your ex is up to...)

Only a step-change in technology can save us from ourselves, but don't sit on your hands waiting for any advancement that guarantees electronic privacy.  Encryption is creaking at the edges and passwords are becoming practically useless.

It's time to give up trying to prevent snooping and admit defeat.

Let them spy, for if we try and stop them they'll just do it anyway.

Instead, focus on building a wall around the spying that makes it hard for the state to wield its power against individuals.

We need to ensure robust laws are in place to mitigate the risks and dangers of a surveillance culture.

We need democratic transparency and oversight of the watchers.

We need to lift the veil of secrecy from the watchers and make them fully accountable.

And for that we need an end to ambiguous and unenforceable boundaries defining 'acceptable' and 'unacceptable' monitoring2. We need the intelligence services to run within a framework of detectable and enforceable offences - ie governing how the state acts on data in its possession to guard against persecution.

Those who feel unfairly targeted by surveillance deserve to have their cases heard in public, open to media scrutiny, not by a "judge" sitting twenty metres under ground in the Home Office bunker.



1. TOR, VPNs and other encryption and anonymity systems help to some degree, but once the state has its claws in the heart of the network, as it seems to have today, the risk of being tracked increases significantly.

E.g. post to a public bulletin board using TOR.  The size and timestamp for that post can be correlated against all active TOR sessions.  Successive posts will, over time, identify the poster.  "Hidden" services on the so-called "darknet" can all be traced with relative ease now that network surveillance is widespread.

Use an internet cafe: risk CCTV either in the cafe or en route. Use an unregistered mobile and give away your location, which can be correlated with road monitoring (ANPR), street CCTV, etc.

2. e.g. there is no real distinction between so-called metadata - aka communications data - and content.  Part of the Content at one level can become metadata at a lower level.  At the IP level the metadata shows my internet connection talking to Facebook.  Within IP packets other metadata can be carried, e.g. showing I'm writing a message on Facebook to Bob.  Some data stacks have metadata nested 3 or 4 levels deep.

1 comment:

  1. We back to paper and pencil? Methinks so, if we want privacy. Internet for stuff we don't care about, more primitive communications for stuff we do.


Comments will be accepted so long as they're on-topic, do not include gratuitous language and do not include personal attacks or libellous assertions.

Comments are the views of the commentator and not necessarily the view of the blog owner.

Comments on newer posts are not normally pre-moderated and the blog owner cannot be held responsible for comments made by 3rd parties.

Requests for comment removal will be considered via the Contact section (above) or email to editorial@slightlyrightofcentre.com.