The long overdue debate on policy towards the all-pervasive surveillance of our on-line activities is finally under way. On Monday morning the Shadow Home Secretary moved on from the “trust us” policy of the last Government with regard to state surveillance. On Monday evening a Conservative Technology Forum round table identified a clear way forward with regard to improving the governance of the surveillance done by the state and law enforcement but not with regard to the more frightening situation regarding the private sector and consumer devices. It heard that the terms and conditions of widely sold smart (i.e. Internet enabled) TVs include permission for data on your viewing habits to be transmitted to anywhere in the world. It was told of the break up of a couple after a friend warned them of the default tracking settings on their iPhones (they took a look and it became apparent that one of them was spending rather a lot of time at a particular location when they said they were ….).
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
Forget the NSA and GCHQ. This is getting personal and serious. Big Brother is all around us.
Then on Tuesday morning the Deputy Prime Minister anounced an Obama-like review to be led by the Director General of the Royal United Services Institute.
This juxtaposition of events is not coincidence.
The Internet Engineering Task Force, (the engineers who agree the technology processes that enable the Internet) are meeting this week, in London. They are accompanied by their collective conscience, the Internet Society . On Tuesday evening both met with politicians from the three main parties in Westminster to rehearse the arguments currently under way.
[The video and audio recordings on the meeting are now on-line]
What emerged, including over drinks in the Marriott afterwards, was more profound than I expected. The way in which the Internet operates is based on an implied social contract between 1,400 engineers (and their employers) and 2 billion users. That “contract” has not kept pace with the evolution of the Internet. It is now broken. It is up to “who?” to fix it before the consequences cause business and regulatory models to unravel – as users withdraw their consent to be treated as commodities to be bought, sold and told what to do, with no effective voice or choice.
The Orwellian Society is with us. The screen we carry (our Smartphone), let alone the one in the corner (the Smart TV or Laptop/PC, now with its built-in video camera and microphone) is spying on us for who-ever will pay (or can hack into the systems of the supplier or ISP). A little bit of legislative tidying and some transparency for the existing governance procedures of GCHQ will probably do wonders for rebuilding faith in the procedures followed by the security services and law enforcement as they seek to help protect us. It is, however, quite another matter to retrofit effective governance to all those private sector suppliers who claim the right to monitor what we are doing and where, over the devices or apps we have acquired from them.
In the mean time those who care about their security and privacy have to set about protecting themselves.
Press cover for the recent Mobile Threat Report from Webroot, with its bland advice on how to handle very real threats, comes on top of yet another Guardian scare story on the evils of GCHQ, implying that the supposed pederasts of Cheltenham are a greater threat than the insecurity of information passed to Guardian journalists – whether via Edward Snowden or others. [I should add that I recently attended a meeting on intelligent led security at which we heard of the scale, nature and success of well targetted hacking attacks on the media and their lack of preparedness for handling the consequences].
Meanwhile the Drum story on the damage to Last Minute.com illustrates the impact when a search engine censors traffic using the excuse that descriptive terms used by rivals to its subsidiaries are also used by nasty people. This links to the point made, towards the end of the recent UK Internet Forum, that we should look at the need for effective governance (and effective redress) for internet blocking services that are applied in the UK but based in the United States.
Meanwhile guidance on good practice with regard to protecting corporate systems in a Post Snowden world with a “bring your own device” culture nearly always omits the identification and registration of the TCM components in most modern distributed devices, from phones to printers, let alone tablets, PCs and self-encrypting drives.
Is it because this approach enables dramatically improved security at greatly reduced cost, thus wrecking the business models of much of the security snake-oil industry?
Or is it because the spread of “encryption by default” greatly weakens content scanning, surveillance operations in support of advertising funded business models, not “just” those in support of state security services?
“Both” was my conclusion after the recent Real Time Club Debate. My blog entry on the recent sale of NHS data contains a reprise of my opening arguments . I would not, however, dare incur the wrath of colleagues by reprising the off-the-record arguments that followed – other than to say that, given the wealth of security technologies that are not being promoted or deployed, the conspiracy theorists have a very good case.
There appears to be a similar “conspiracy” to avoid covering the protection techniques that can be used by individuals to protect themselves, such as those covered in my recent guest blog from John Walker to simpler and more complex “solutions”.
Instead we have impractical and/or meaningless advice. How does the average user identify whether a website or app is trustworthy – as opposed to one which pays fees/royalties to their ISP, Search Engine or their major customers?
I do not believe we can wait for the next generation of Internet savvy youngsters to fix the contract that their parents generation has broken. We cannot (and should not even try) to “educate” them to respect the hypocrisies we have adopted.
So what are YOU going to do about it.
I joined ISOC back in 1995, during the run-up to the Atlanta Olympics, the first major event to have the Internet at its heart. I was persuaded that sooner or later it would develop into the governance body that would be needed. I have been disheartened many times over the years, but the very fact that it was a ISOC event last night that triggered this blog gives me heart that at last …..
Those I talked with from leadership team do indeed recognise that we need far more than introverted national debates about the regulation of our own state surveillance services, important thought those are. I therefore recommend you join as soon as their relaunch gets under and help with what will not be an easy task.
In the mean time I also recommend you help the political party of your choice to understand what is at stake and why they need to act. The Conservative Technology Forum meeting last Monday identified a balanced and well-informed group of volunteers to not only lead its study but also to review the recommendations for sustainability as technology structures and business models continue to evolve. I hope that it will prove practical to co-ordinate that work with similar teams looking at the issues in other parties, probably via the all-party Digital Policy Alliance, using its memorandums of understand with PICTFOR in the UK and European Internet Foundation in Brussels.
Remember the motto of this column: the silent majority gets what it deserves – ignored. Please do not be silent.