The postponement of the ill-conceived NHS central database is the first great win for common sense over Big Data, but we need more clarity as to what is at stake and who is on which side in the battle between Big Brother and Anonymous. We also need to consider whose side, if any, we are on. I personally regard GCHQ as much less of a threat to my personal safety, let alone privacy and civil liberties, than the members of the Global Government Surveillance Reform Group, and believe that we need the current legal governance for both to be seen to be enforced, particularly the minimum information requirements specified in the e-Commerce directive for those trading on line and the RIPA regulations on the lawful interception of business communications, before calling for more.
Enforcing the minimum information requirements, (including to ensure that those claiming to be based in Europe really are, e.g. the reform of .uk), will do more to enhance consumer confidence in the on-line world and business confidence in Europe as a location of choice for e-commerce operations, than any of the Data Protection, Identity or other directives and Regulations currently under discussion.
In parallel we also need GCHQ to be more public about its governance processes, particularly those that protect against political interference. These mark it out from similar operations in other nations (including the USA). Until that happens, GCHQ (and the rest of UK surveillance activities in support of law enforcement) are unfairly tarred by a series of brushes, from the dodgy dossier at the top, through to local authority staff using data access to help police family honour or school admissions policies.
I had hoped to lose the debate at the Real Time Club last night but I won, (23 to 14 with 17 abstentions) after putting the symbiotic relationship between surveillance and ICT into perspective and kicking as many cyber-myths as practical, given my ten minutes and some very perceptive and well-informed questioning and probing as the evening wore on. The meeting was under the Club’s variation of the Chatham House Rule so I will not repeat any of what was said during the discussion but I will refine the comments I blogged when I rehearsed the arguments I was planning to make in order to open that discussion …
The motion was “Nobody is telling the truth about cyber security – not even when they think they know what the truth is”. I did not accuse everyone of lying. Most merely suffer from ignorance, myopia and tunnel vision. That said, some are more than “economical with the truth” when they repeat myths, such as “using anti-virus and a firewall will protect against 80% of threats”. Even if correctly installed, up-to-date and working, these now appear to protect against less than 40% and then only if you still access the Internet over a PC or Laptop, not a mobile.
My core “truth” was that the symbiotic relationship between surveillance and information and communications technologies goes back hundreds of years before a telephone exchange was turned into a computer to help decrypt intercepted traffic at the Bletchley Park harem: 8,000 women and 2,000 men, more than half of the latter being guards to protect the women, particularly from the US Army and Air Force. The US Navy had 200 men on the inside.
The UK Government policy of routing our communications through channels they can readily monitor goes back to 1680, when James Duke of York suppressed the original penny post, because it bypassed the General Post Office. The reasons given included its use to facilitate adulterous affairs at Court, as well as sedition and treason. The Hornblower and Jack Aubrey stories both feature man-in-the-middle attacks on French semaphore traffic. These are based on a real raid, in 1808, when Lord Cochrane captured and ran an isolated signal station on the chain between Marseille and Toulon.
The Internet is the current state of the world's largest machine, the global telecommunications network. Its electronic lineage goes back to the need to send signals between railway stations to arrive before the train to which they referred. The first large scale commercial customer was the East India Company, who also saw the need for encryption, although General Napier’s telegram after the capture of Sind was not “Peccavi”. That was a schoolgirl joke reproduced in Punch and serves to remind us that the involvement of women at the heart of cryptography also goes back a hundred years before they helped win the war at Bletchley.
By 1856, in time for the Indian Mutiny, the East India Company had over 4,000 miles of telegraph wires across India. The American Civil War saw the first cyber-battles, with each side not just cutting down poles and attempting to decode each other’s telegrams but organising telegraphic deception. The slaughter at Gettysburg would not have been fought had the Unionists' secure telegraph system not failed in the middle of the battle of Chancellorsville, turning victory into defeat.
We hear a lot of rubbish on the need for government programmes and legislation to promote electronic signatures. Their use goes back over 150 years. The first test case on whether a cable authentication is a signature went to the Supreme Court of New Hampshire back in 1869.
Last week at the UK Internet Governance Forum it was said to be disgusting that we and the Americans were tapping international submarine cables. We have done so for over a century. The Royal Navy’s first action, in 1914, before escorting any troops to France, was to cut the cables out of Germany to force traffic between Germany and the United to transit the UK.
The special relationship between GCHQ and the NSA with regard to spying on the rest of the world goes back over 70 years, to the dark days of 1941, before America entered the war, when we gave the secrets of Bletchley to the US Navy - because we could not even hope to build all the Bombes we needed to decrypt the traffic being intercepted. The UK end of the agreements may still be secret but little that Snowden has told us could not be deduced from what was released by the Americans in the 1990s, during the euphoria of glasnost.
Whatever we do on-line is recorded (to enable the packet-switched, store-and-forward, Internet to work at all), stored (often well beyond the time needed for resilience), analysed (not just to improve performance) and the results made available (legitimately or otherwise), to a growing variety of “researchers”, lawyers, spooks and organised crime groups.
“They” not only know you are a dog, but which breed and what trees you pee against. And everyone is recording what you do on line:
• to help telcos and mobile operators deliver their services and charge for them
• to help advertisers target those they wish to sell to
• to help lawyers trace who is downloading their clients’ films or music
• to help those running transaction services distinguish between customers and impersonators.
• to help predators, from organised crime downwards, select suitable victims
• to meet the demands of market and consumer protection regulators, in case they might need it
All Edward Snowden has told us is that national security services also use subsets of the same technologies to try to identify the current and potential enemies of their Governments. The reactions to that “revelation”, like the similar reactions to attempts to protect children from on-line bullying and abuse, tell us that those running the Internet do not want us to know the truth: the moment you switch on your PC or browser a myriad of unknown players are watching everything you do.
Big Data is another manifestation of the symbiotic relationship between computing and surveillance. The tools were developed to digest signals intelligence from the enormous volumes of data passing over the cables serving the main Internet peering points. Post Snowden, the Russians, Chinese and every other state security service want similar access and the members of the Global Government Surveillance Reform Group (from Google to Yahoo) want us to trust them while they use similar tools to target advertising against us and help anyone with the right US Court order to hound our children for downloading that over which their clients claim copyright.
We have a multi-billion pound Data Protection industry, supposedly enforcing principles drafted for the age of mainframes, while our personal data (including our on-line habits) is routinely collated, stored and analysed by those outside their reach. Meanwhile those who want to better serve and protect us are stuck with trying to make sense of a jungle of semi-incompatible demands to destroy or retain data according to how many angels there are on the head of a regulatory pin.
Next comes the obsession of Cabinet Office and Commission with Digital Identities and Trust Services. Those running banking and payment services cannot afford the risk that third party certificate providers (e.g. Diginotar) have been compromised (not just by the NSA). They use real-time transaction profiling (alias surveillance) to back up their in-house routines. They also join “intelligence led security” partnerships to identify those attacking them and to help them mount “asset recovery” exercises to get redress and cause their attackers to target someone else next time.
Meanwhile our children’s phones are packed with apps monitoring their location and behaviour, with only domestic law enforcement unable to have access in order to protect them, and ISPs refuse to support and mandate age verification, supposedly because of cost and complexity, but really because it gets in the way of the drive-by, click per view, advertising revenues on which they have come to depend.
In short: almost everyone is running surveillance operations, to identify terrorists, victims or potential customers or those in need of health and welfare services or to attack, exploit, serve or protect current customers and their families.
The on-line world is now ubiquitous as well as mobile. The first fridge has been caught taking part in a bot attack. To quote the Choco Leibnitz adverts before “Person of Interest” – Who is watching yours?
– The food police to report you for breaking the latest NHS obesity “guidelines”?
– Google or Amazon to target advertising to encourage you to break the guidelines?
– Organised crime looking to frame and blackmail you for doing so?
And no-one is telling us the truth. The only way to protect your privacy is to switch off your phone, PC and TV when they are not in use and put a booster bag, alias Faraday cage, over them.
Last night I stopped on that note – which was, of course, a very partial truth. There are many less drastic tools available that can help, but first we have to think about why we want to protect our privacy and from whom. Then we have to work together, including politically, to gain the power to exercise the informed choices that the members of the Global Government Surveillance Reform Group, and their peers, have denied to us: including by failing to help police the requirements of the e-Commerce Directive and the 2003 regulation for “minimum information” before allowing their paying customers, and a myriad of others, to put surveillance software on our systems. But that is only an EU requirement and does not count, compared to the priorities of Californian lawyers, New York investors and Washington lobbyists.
Perhaps our most valuable ally is, however, market forces. The “pay-per-click” advertising bubble looks set to burst under the weight of fraud and we know that consumers who actively exercise choice proceed to spend a lot more.