To a smart lecture on cyber-security at the Dutch national policy council (WRR), by Ron Deibert of Citizen Lab. Deibert spends his time thinking about the ways that organisations and governments may be using our data for surveillance and control, and transfixed an audience of Dutch-speaking policymakers for nearly two hours with his account of how ‘we click on weblinks in documents like mice clicking on pellet dispensers’, and what that means for the security of our computers and our personal information. This is corroborated by a recent Internet Society survey of internet users worldwide, which found that 80% of us don’t read the privacy policies for sites we use, and 19% of us have found our personal data being used in a way we didn’t expect.
We have changed, Deibert says, from a society of private individuals to a mass of sharers, both intentionally through social media and our various online profiles, and inadvertently through our transactions with our phone companies, our banks and other institutions. None of this is new, but his analysis offers an insight into how many of the apps and companies we engage with daily can be believed trustworthy. Nokia-Siemens contributed surveillance technology that helped Iran suppress the 2009 Green Revolution, and every day tech firms from countries that support the right to protest are doing the same (stand up, Netsweeper, Bluecoat, Websense, Fortinet and Finfisher).
Deibert runs one of the world’s leading research groups investigating cyber crime and digital surveillance: in 2009 his lab uncovered Ghostnet, a vast surveillance program originating in China that involved the infiltration of more than a thousand computers worldwide belonging to embassies, firms and even the Dalai Lama. He points out that the technology that enabled the perpetrators to hack on such a vast scale is readily available online as an open-source app.
Deibert also suggests that we have passed obliviously through an ‘epistemic shift in perceptions of rights and governance’, where modes of surveillance such as Deep-Packet Inspection have become commonplace and even compulsory as governments tap into internet traffic through providers and networks. His researchers responded to queries from Chinese internet users about why Skype was deleting certain words in their chats, and found that the use of certain keywords to do with human rights or democracy switched on a program stored on Skype’s server by a Chinese company which had so far downloaded 4 million personally identifiable chats – if you skype with Chinese friends or colleagues, this probably includes you. Here’s the New York Times’ report if you’re interested.
These activities are not only the actions of oppressive governments: they would be impossible without global technology companies. Surveillance technologies are being sold every day by firms in more-free countries to governments of less-free ones to filter content, map people’s social networks and mine the content posted online for possibly subversive (or just autonomous) thoughts. Among the firms involved in this trade, as noted above, are Netsweeper (the Middle East), Bluecoat (Syria and Burma), Websense (Yemen), Fortinet (Burma), and Finfisher (Egypt and Bahrain). All these companies claim that they are not involved in censorship or surveillance, but merely sell their products on to resellers, which is how the oppressive governments get them. Websense has since issued a statement explaining why this is OK and has joined the Global Network Initiative, a worthy but so far limited attempt to self-police by the software industry. But the fact that its products remain just as much in use by authoritarian regimes suggests that their money is just too good to turn down.
Participating in the discussion that followed Deibert’s lecture were OII’s William Dutton and Marietje Schaake, an MEP who has been working on issues of digital freedom. They offered differing perspectives on how digital freedoms could, or should, be addressed by policy. Dutton, who has written on the importance of the net-based fifth estate in creating accountability and voice, advocates devolution of the tools to protect privacy to the individual or household level, and using legislation to increase competitive pressures that will incentivise intermediaries such as search engines not to collaborate with censors. Schaake, however, suggests that most policymakers do not yet understand the problem, so attempts to legislate on digital freedom have so far been ineffectual. She advocates ‘human rights by design’, where companies are held to account in the R&D phase for the potential negative effects of their technology, and export controls imposed where their products are considered dangerous for freedoms in other countries.
Schaake closed the debate with the warning that if states don’t get involved, they can’t expect bottom-up processes to shape the online public sphere in the way they would like. But they also can’t expect firms to self-regulate, which has been the backstop of too many policymakers so far.