Crypto Party…in a public library…in the UK

Newcastle Central Library (CC-BY).

Well, this is a turn up for the books. When I wrote my recent article on Snowden and the digital divide I made a few limited recommendations (in hindsight I could have been more extensive in this regard). Having worked in public libraries myself, I was somewhat hesitant to recommend that all public libraries install Tor Browser as the default – I knew (or at least had a very strong suspicion based on working in public libraries) it just simply wasn’t going to happen (in terms of my local library authority, I’ve pretty much had this confirmed). Instead, I kinda vaguely pushed that we as a profession should learn some of the skills and, however possible, share them with our communities (I’ve vaguely started on this road, but I’ve been less than great at doing so). There would be nothing wrong with hosting workshops, even if the tech cannot be the default on the council computers. It’s clear to me there’s an intellectual privacy divide – between those that are able to ensure digital privacy, and those that cannot due to lack of skills, knowledge etc. Libraries, for me, should play a role in bridging this gap. The protection of intellectual privacy is, after all, a core principle underpinning the profession.

I was, therefore, both pleased and surprised to see that Newcastle libraries are working with the Open Rights Group (North East) to run a Crypto Party later this month – the first public library service I am aware of to officially run and deliver one in the UK (if you know of an official library organised event that is comparable, please let me know!). According to the details on cryptoparty.in, they intend to cover:

  • Safe browsing
  • Tor Browser & TAILS
  • Signal
  • Full Disk Encryption
  • PGP

A cursory glance at the website looks promising…the Newcastle library service seem to be giving it a bit of a promotional push as well. It will be interesting to hear how this develops and whether other library services take Newcastle’s lead and teach privacy enhancing tools. It’s something I think we should be doing much more of, rather than leaving the teaching of digital skills to private companies with a vested interest in promoting certain tools and approaches to online engagement. Hopefully others will follow Newcastle’s lead….

GCHQ and American attitudes to surveillance…

(Image c/o Christian Payne on Flickr.)

From Wired:

GCHQ’s hacking operations are conducted with little to no oversight and risk “undermining the security of the internet”, leading online privacy experts have warned. Even when oversight is required, GCHQ has revealed that ministers don’t have the technical knowledge to understand what it is doing. Privacy campaigners today described the issue as “a major scandal”.

Details of GCHQ’s hacking operations and attempts to weaken encryption were revealed in a parliamentary committee report into the UK’s surveillance capabilities. The Intelligence and Security Committee (ISC) review, published last week, revealed GCHQ makes the majority of decisions about hacking, and its operations to weaken encryption, internally and without telling ministers exactly what it is doing.

In a passage quoted by the Open Rights Group, the ISC review found that:

No additional Ministerial Authorisation is required for these activities. There are internal procedures: ***. There is no legal requirement to inform Ministers: however, GCHQ have said that they would ask the Foreign Secretary to approve a specific operation of this kind “where the political or economic risks were sufficiently high” (although, in practice, they manage their operations to avoid this level of risk). GCHQ told the Committee that:

The FCO is aware of the activity and the possible political risk, but individual legal authorisations are not required for each operation. The FCO could assess the political risk of a compromise, it is not well‐placed to assess the complex technical risk. Whilst not formally overseen by a Commissioner, the Intelligence Services Commissioner has been briefed on this type of activity where it relates to individual approved operations.

A very disturbing admission about the state of digital surveillance in the UK. And the timing of the statement from ORG could not be more apposite. Whilst we are only just starting to come to terms with the consequences of this, a study in the US has been published that explores the fall-out from the Snowden revelations in terms of how it has affected behaviours as well as how it has impacted upon the relationship between the state and the individual.

The Pew Research Center’s report, Americans’ Privacy Strategies Post-Snowden, provides a comprehensive and fascinating exploration of how these revelations have affected US citizens. There is a lot to plough through, but a few things stand out on an initial reading (and, by the way, wouldn’t it be nice if someone in the UK produced the kind of reports that Pew produce on a regular basis, particularly with respect to the Snowden revelations). Top line stuff:

Overall, nearly nine-in-ten respondents say they have heard at least a bit about the government surveillance programs to monitor phone use and internet use. Some 31% say they have heard a lot about the government surveillance programs and another 56% say they had heard a little. Just 6% suggested that they have heard “nothing at all” about the programs. The 87% of those who had heard at least something about the programs were asked follow-up questions about their own behaviors and privacy strategies:

34% of those who are aware of the surveillance programs (30% of all adults) have taken at least one step to hide or shield their information from the government. For instance, 17% changed their privacy settings on social media; 15% use social media less often; 15% have avoided certain apps and 13% have uninstalled apps; 14% say they speak more in person instead of communicating online or on the phone; and 13% have avoided using certain terms in online communications. 

1 in 3 people changing their behaviours is quite significant, and would explain why there are increasing moves to shut down the methods by which people protect themselves. One might also ask how Cameron would deal with 14% of people speaking in person rather than communicating online (given he thinks no form of communication should be free from surveillance).


 

…the public generally believes it is acceptable for the government to monitor many others, including foreign citizens, foreign leaders, and American leaders:

82% say it is acceptable to monitor communications of suspected terrorists

60% believe it is acceptable to monitor the communications of American leaders.

60% think it is okay to monitor the communications of foreign leaders

54% say it is acceptable to monitor communications from foreign citizens

Yet, 57% say it is unacceptable for the government to monitor the communications of U.S. citizens.


In this survey, 17% of Americans said they are “very concerned” about government surveillance of Americans’ data and electronic communication; 35% say they are “somewhat concerned”; 33% say they are “not very concerned” and 13% say they are “not at all” concerned about the surveillance. Those who are more likely than others to say they are very concerned include those who say they have heard a lot about the surveillance efforts (34% express strong concern) and men (21% are very concerned).


 

Some quotes from those who argue that they are unconcerned about surveillance:

“Law-abiding citizens have nothing to hide and should not be concerned.”

“I am not doing anything wrong so they can monitor me all they want.”

“Small price to pay for maintaining our safe environment from terrorist activities.”

All of which, to my mind, underline a certain failure to grasp the nature of the state and its relationship with individuals. Of course, it is not individuals who determine whether what they are doing is wrong. The lie of “if you have done nothing wrong you have nothing to fear” seems to be one of the hardest to shift, despite its fairly obvious naivety about the state. It also underlines that state propaganda is very effective on large chunks of the populace (I’m not restricting that to the US by the way). So long as you keep talking about threats (which are minimal) and highlighting the importance of “protecting citizens” from “dangerous individuals”, some people will continue to believe that the state will protect them and that sacrifices to their rights must be made to ensure that protection. There’s nothing new in this, states have used that particular strategy for centuries: construct an external enemy, convince the populace that the state has the means to protect them, chip away at individual rights under the guise of protection etc etc.


 

Sophisticated tools and techniques are widely available and can help online Americans increase the privacy and security of their online activities and personal data sharing. However, thus far, fairly few have adopted these tools since learning about the programs. Among those who have heard about the government surveillance programs:

10% say they have used a search engine that doesn’t keep track of their search history.
5% have added privacy-enhancing browser plug-ins like DoNotTrackMe (now known as Blur) or Privacy Badger.
4% have adopted mobile encryption for calls and text messages.
3% have used proxy servers that can help them avoid surveillance.
2% have adopted email encryption programs such as Pretty Good Privacy (PGP).
2% have used anonymity software such as Tor.
1% have used locally-networked communications such as FireChat.

It’s interesting that despite the fears and clear concern about the surveillance programme, many people are not using the most effective tools to protect themselves (I would include myself in that category if there were a UK equivalent study). This suggests there is a lot of work to do to inform the general public about how they can protect themselves online. I would guess that Barclays’ Digital Eagles probably won’t offer much help here. It seems to me that, and I probably would say this, librarians are well placed to provide this kind of assistance (see Library Freedom Project). Certainly given our professional ethics, this is an area that should concern us and that we should seek to provide solutions to for the general public. There is clearly a need as, looking at the figures, there is concern and a need to seek protection. One would assume that this would also be the case in the UK but, again, there is no such study at present.

I’d definitely recommend going through the Pew stats if you get the chance. There is a PDF report you can download, but lots of interesting stats are summarised over 5 web pages. Will such a study be conducted in the UK? It seems unlikely at this stage, but with the revelations about the activities of GCHQ and how ministerial oversight appears to be virtually non-existent, a study equivalent to Pew’s would be very welcome.

Is the neutrality of the internet under threat in Europe?

It certainly seems that way following the vote yesterday by the European Parliament’s Industry Committee. Jim Killock of The Open Rights Group (ORG) argued that:

‘By allowing ISPs to charge more for “specialised services”, the Regulation would enable telecoms and other companies to buy their way to a faster internet at the expense of individuals, start-ups and small businesses. This threatens the openness and freedom of the internet.’

Effectively, a two-tier internet would ensue, where the big players dominate and control the flow of information online. As Marietje Schaake of the Netherlands (a country which enshrined net neutrality in law in 2012) explains:

“Without legal guarantees for net neutrality internet service providers were able to throttle competitors. And existing online services can make deals to offer faster services at a higher price. This could push players without deep pockets, such as start-ups, hospitals or universities, out of the market.”

Of course, the increased corporatisation of the internet was always likely. The internet is (still) too wild and free a place for corporates and they see greater influence over the way information is delivered as necessary to protect their interests and drive profits.

As is to be expected, the legislation proposed is also rather loose with its wording (what legislation related to technology isn’t?) which raises concerns about the potential for increased internet censorship:

Also of concern are proposals that would allow “reasonable traffic management measures” to “prevent or impede serious crime”. On these, Killock added:

‘It is unclear what “reasonable traffic management measures” are but potentially they could allow ISPs to block or remove content without any judicial oversight. Decisions about what the public can and can’t see online should not be made by commercial organisations and without any legal basis.’

The full European Parliament vote on this Regulation will take place on 3rd April. It’s still not too late to take action against the proposals. A good place to start is the Save the Internet campaign. And if you want to find out more about net neutrality and what it means, you could do worse than watch the short video below.

When it comes to the internet, it’s not just government snooping we should be worried about…

Corporations want your data as much as governments want to snoop.
(Image: El Alma Del Ebro in Zaragoza by Saucepolis on Flickr.)

Remember the early days of the internet? When start-up companies seemed to be, somehow, a different breed from the companies that we had grown accustomed to? “Don’t be evil” appeared not only to be Google’s mantra, but the mantra of a whole host of companies that emerged in tandem with the growth of the internet. Whereas we had grown accustomed to companies that were focused on shareholder profit rather than the interests of ‘consumers’ or society in general, these companies seemed to be benign, friendly, sensitive to their social responsibilities.

In contrast to the growth of these ‘benign forces’ of the internet, governments and politicians have become increasingly suspicious of the technology, predominantly because it is an area over which they do not feel they exercise sufficient control. In the UK, this has manifested itself most obviously and most recently in the Data Communications Bill (or Snoopers’ Charter). A particularly invasive piece of legislation that was seriously considered by the coalition, it proposed to grant powers to the Home Secretary (or another cabinet minister) to order any ‘communications data’ by ‘telecommunication operators’ to be gathered and retained, effectively collecting ostensibly private data on citizens for whatever purpose they deemed worthy. It appears, on the face of it, that these proposals have now been abandoned, although that is not to say they won’t come back in a slightly modified form. If one were a cynic, one might suggest the Liberal Democrats applied pressure to drop the legislation in advance of the local elections to ensure they were cast in a positive light? Unlikely perhaps, but my cynical mind can’t help but believe there is more to this than simply a matter of principle, after all Nick Clegg wasn’t always so opposed…

This suspicion, however, doesn’t begin and end at the Snoopers’ Charter. There was also, for example, the introduction of the Digital Economy Act, which enables the blocking of website access for anyone who is deemed to have infringed copyright laws but, consequently, also risks penalising those entirely innocent of any such activity. Then there is the Regulation of Investigatory Powers Act 2000 (Ripa) used to investigate Osita Mba, a whistleblower who uncovered a “sweetheart” deal with Goldman Sachs. Using Ripa:

…HMRC can see websites viewed by taxpayers, where a mobile phone call was made or received, and the date and time of emails, texts and phone calls. According to the revenue website, these powers “can only be used when investigating serious crime”.

And it doesn’t end with proposed or existing legislation; individual politicians have also made calls for illiberal and unhelpful restrictions on the internet. Back in 2011, following the riots, one politician called for Twitter and Facebook to be blacked out during any further disturbances.  Needless to say this was a particularly stupid and disturbing suggestion, not least because the very same social media helped people in the area affected by the riots to communicate with others and ensure their own safety.  There’s no doubt that the freedom provided by the internet frightens those who believe it threatens existing power structures, underlining that, from their point of view, freedom only goes so far…

The desire to highlight some of these illiberal measures isn’t solely restricted to organisations such as the Open Rights Group; many of the giants of the internet are quick to point the finger at the role of government as a threat to the freedom of the individual. Take, for example, the largest of all the companies to emerge in the internet era – Google.

Last week, in an article for The Guardian, Eric Schmidt (executive chairman) and Jared Cohen (Director, Google Ideas) warned that global governments are monitoring and censoring access to the web, which could lead to the internet becoming ever increasingly under state control. The usual examples are rolled out of authoritarian regimes seeking to restrict what their citizens can access online. Curiously, however, there is no mention of the United States or Europe (Russia appears eight times, China seven), it appears that we are not affected by the government monitoring or censoring access to the web – oh, apart from the Data Communications Bill, the Digital Economy Act, Ripa etc etc. This omission seems curious considering an admission by Schmidt in a separate interview with Alan Rusbridger, also in The Guardian.

During the interview, Rusbridger notes:

But [Schmidt’s] company collects and stores an extraordinary amount of data about all of us, albeit in an anonymised form. Which is all well and good, until government agencies come knocking on Schmidt’s door – as they did more than 20,000 times in the second half of last year. The company usually obliges with US officials. (It’s more complicated with others.) This will only get worse.

Clearly, as the legislative examples shown above demonstrate, attempts to monitor the web are not only restricted to authoritarian regimes but are also a problem in Western, (supposedly) liberal democracies as well.  When the US is making 20,000 requests in six months (around 100 requests a day on average), it is clear that the problem is not restricted to just China, Russia and other authoritarian regimes.  But there’s another side to this equation. A side that Schmidt and others in the business community seem to be reluctant to talk about, for very obvious reasons.

The extract from Rusbridger’s interview with Schmidt reveals two facts that everyone concerned with the internet and the free flow of information needs to be worried about. First are the actual requests from US officials for data from Google. The second is the data that Google collects and makes available to US officials. There are, I would argue, two concerns about the future of the internet: government control and corporate control. The former Schmidt is keen to talk about, the latter not so much.

Google’s business is data. They collect data from users to ‘enhance the user experience’ (a brilliant phrase used to suggest that the collection of your personal data is actually doing you a favour). The volume of data collected is vast and is collected for a specific purpose: to make money (to “enhance the user experience”). These services do not charge you to make money, they use a commodity you are giving away for free and then sell it on to advertisers. The transaction is different from the traditional service model (consumer purchases goods from service provider), but it is effective and relies on your data to ensure profitability for the service provider. For example, Google was making $14.70 per 1,000 searches in 2010. Some services do not even require you to visit the service itself to obtain your personal data. Facebook, for example, has been known to track light users of the service across 87% of the internet.

Google’s executive chairman, Eric Schmidt (image c/o Jolie O’Dell on Flickr).

The sheer volume of data handled by many of the largest internet companies should be a cause for concern. Indeed, not only is the data collection itself a concern, but also the willingness with which they give it up to government agencies (note in the aforementioned interview, Schmidt suggests that Google usually say yes to government requests for data).  Of course, many would argue that there is nothing to fear about the collection of personal data: if you have done nothing wrong etc. But you are not in control of the personal data and the rules that govern its use, corporations and governments are. Imagine for a moment a different type of government, a different set of rules, a different environment altogether, would you be so keen on US officials demanding your data and it being handed over as easily as Google do now? And what if Google engineered this change in government? Sounds far-fetched doesn’t it? Maybe it’s not as far-fetched as it might sound…

A recent study by United States-based psychologists, led by Dr. Robert Epstein of the American Institute for Behavioral Research and Technology, revealed the disturbing amount of power at the hands of companies like Google. Epstein’s study found that Google has the capability to influence the outcome of democratic elections by manipulating search rankings.  The study (available here – PDF) presented three groups of eligible American voters with actual web pages and search engine results from the 2010 Australian general election. Participants were randomly assigned to one of three groups, two groups were provided with search engine rankings favouring one of the candidates, the remaining group were provided with rankings that favoured neither:

Beforehand, individuals reported having little or no familiarity with the candidates at all. Based on short biographies, they were asked to rate each candidate and say how they would vote.

They then spent time gathering information using a mock search engine, after which they again rated the candidates in various ways and again said how they would vote.

Before their Internet search, there were no significant differences in how they rated the candidates. Afterwards, however, two thirds of the people in the first two groups said they would vote for the candidate that was favored in the search rankings – a dramatic shift that could easily “flip” the results of many elections, especially close ones, concludes the report.

Now, there is nothing to suggest that Google have actually weighted search results in the way suggested in the study nor that they ever have the intention of doing so, but they can. Not only can they do it, but they can do it without our awareness of such manipulation.

Governments may attempt to monitor us through the introduction of ever more illiberal regulatory measures applied to the internet, but it’s important to remember that the corporations profiting from the internet also benefit from our manipulation.  It strikes me that there are two crucial considerations that we need to remember when we reflect upon the role of the corporation (as opposed to that of the state) in the development of the internet:

1)      The relationship between the user and the service.  Unlike traditional relationships, we are not simply the consumers purchasing goods from a service provider.  They are taking data from us and selling it to advertisers to make money.  Our data is the product and we are the vendor.  The problem is we are not remunerated for this transaction, only permitted to use a service under the terms stipulated by the service provider.  They are not acting out of kindness in offering such services for free, they want more data from users to increase profits.  Users need to be more aware that they are the vendors in this relationship, not the customers.  Of course, we believe and trust them because we are not ‘buying’ from them, we still see them as providing us with something for free when actually they make their money using our data.

2)      Considering the volume of data given away, there is a need to remind ourselves of the nature of government and corporations. Like governments, corporations are not fixed. Corporations change. They change either because of a need to increase profits, or they change because they have been bought out by a rival. You may well be happy giving Google all your data, but what happens when it is no longer Google? What if your personal data fell into the hands of a company you were not comfortable having access to it? What then? And whilst a takeover attempt of Google may seem far-fetched at this point, remember that the very idea that Time Warner would merge with a company called AOL was a fanciful notion towards the end of the last century. Nothing remains static in either the worlds of business or technology.

Above all else, however, we need to remember that companies like Google and Facebook are just that: companies. Whilst they appear warm, fuzzy and less stuffy than traditional corporations, they are still corporations. Corporations that are acting the same as every other corporation before them, lobbying government to lighten regulation, maximising profit and, where possible, shifting the focus onto government shortcomings in the hope that their own activities won’t be subject to scrutiny. They are, after all, just corporations like any other and we should treat them with the same scepticism as we treat older, more established corporations. For when it comes to the internet, we need to keep a close eye on both the governments who regulate it and the corporations who profit from it.