INTERNET PRIVACY AND SURVEILLANCE, IS OUR INFORMATION SECURE?
The right to privacy is acknowledged as a fundamental
human right. The right to privacy can be globally recognised
and linked to a sense of self. Still, the definition of
privacy itself can prove extremely difficult, particularly in
this time of information. I have attempted several times to
get a concrete explanation of privacy and every definition I
seem to come across falls a little short, when taking all of
the technological advancements into account. The explosion of
computers, the internet, mobile phones and the omnipresence of
devices with the ability to send and receive information is
unbelievable. This of course adds to the difficulty in
attempting to define privacy.
Most people would define privacy by stating that there
are certain aspects of their life that are no one else’s
business but their own. The concept has been put forward
several times that privacy is an individual’s right to
be left alone. Privacy has a direct link to our sense of self,
that our bodies, actions and thoughts are our own. It concerns
the control that we possess over who has or does not have access to
information personal to ourselves, predominantly information
that would be directly linked to the ability to form social
relationships with other people. This is because we are
naturally social creatures and our interactions with other
people are part of our sense of self, therefore the concept of
privacy is intertwined with the very notion of who and what we
see ourselves as.
Charles Fried, an American lawyer, described the importance of
privacy as a right, with the suggestion that invasions of
people’s privacy “injure them in their very humanity”
(1968:475). In an article published in “Philosophy and Public
Affairs”, Judith Jarvis Thomson, a moral philosopher
and metaphysician, proposes that the right to privacy is
derived from other rights, particularly an individual’s right
over their own body and their own property. However, Thomson’s
concept of privacy as a by-product of other rights has been
criticised. In the book Critical Moral Liberalism: Theory and Practice,
Jeffrey H. Reiman, author and professor of philosophy,
contends that an individual’s rights over their own person and
property are expressions of the right to privacy and are, in
actual fact, derived from it and not the other way round.
Furthermore, Reiman suggests that Thomson’s theory of privacy
as an aspect of other personal and property rights lessens the
actual value of privacy. He goes on to suggest that the right
to privacy protects some unique interest of ours that goes
beyond the degree of protection offered by personal and
property rights. In another article in the “Philosophy and
Public Affairs” entitled “Why is Privacy so Important”, James
Rachels, an American philosopher who specialized in ethics,
also criticises Thomson’s privacy hypothesis as inadequate
because he suggests that situations could arise where an
individual’s right to privacy could be violated without
violating either their rights over their body or property.
Rachels gives the example of someone finding out very personal
information about an individual such as a medical condition
and passing this information on to other people. He argues
that such a circumstance would not violate that individual’s
rights over their person or property, but it would still be a
violation of their right to privacy. As a result, while an
individual’s rights over their own person or property are
important rights, which can be connected to privacy, these
rights do not always overlap with the right to privacy. In
relation to Reiman, Rachels suggests that an individual’s
right to privacy should be valued in its own right because it
protects some other special interest. Rachels proposes that
the value of privacy is derived from the notion that “there is
a close connection between our ability to control who has
access to us and to information about us, and our ability to
create and maintain different sorts of social relationships
with different people” (1975:326).
The growth in social media and the copious amount of
information that we ourselves share with the general public on
things like Twitter, Facebook, SnapChat etc. is leading to
varying classifications of privacy. Privacy is a very diverse
concept; it includes cultural, social, legal, political,
economic and technical aspects. The difficulty in attempting
to define the concept of privacy is well documented, as has
been shown, yet the emergence of Privacy Enhancing
Technologies (PETs) is becoming ever-present. The 14th annual
Privacy Enhancing Technologies Symposium stated that their aim
this coming year was to address “the design and realization of
privacy services for the Internet and other data systems and
communication networks by bringing together anonymity and
privacy experts from around the world to discuss recent
advances and new perspectives.” (Clarke 2013).
PETs are a range of computer tools, applications and
mechanisms which, when used in conjunction with online
services or applications, allow the user to protect the
privacy of their personally identifiable information. The
goals of PETs are to allow users control over their personal
data, sent to and used by internet service providers and
merchants, data mining companies etc. PETs also aim to
minimise personal data collection and usage and give the user
a degree of anonymity while online. They strive to achieve
informed consent about giving personal data and attempt to
provide the possibility to negotiate the terms and conditions
of giving their personal data to online service providers and
merchants through the channels of data handling and privacy
policy negotiation.
In recent years, PETs have gained significant momentum
in academia and industry, in both theoretical and practical
aspects of privacy technologies. This is due to the recent
reliance of people on the internet and the easily accessed,
elaborate databases that have been set up online to store and
sell off personal information. It has become virtually
impossible to remove your cyber footprint, and in recent years,
with phone directories, newspaper articles, public access
government archives etc. all becoming so readily accessible
online, the sheer amount of information available to people is
terrifying; financial scams are becoming more and more
prevalent. An intriguing factor that I have come across in my
research is the fact that governments are the biggest consumers
and producers in this data collection business. This would
obviously make them a privacy threat. There is an unsettling
number of examples of privacy leakage that have occurred
concerning government files containing personal information on
citizens. One of the main problems is that today’s governments
have a vast number of laws, surveillance agencies, and other
tools for extracting private information from the populace.
Furthermore, a great many government employees have access to
this valuable information, so there are bound to be some
workers who will abuse it.
It has been reported that over 120 data storage devices,
including laptops and portable memory devices have been lost
or stolen from Irish government departments since 2002, and 16
laptops belonging to the Comptroller and Auditor General have
been stolen since 1999. Many of these devices contained
personal and sensitive information of state employees and the
general public, which in some cases was not stored in an
encrypted or otherwise appropriately secure format. While
incidences of theft may not be entirely preventable, security
breaches and inappropriate use of personal information
pertaining to the general public can still occur within
government departments and other organisations. It was
revealed that personal information held by the Department of
Social and Family Affairs, which related to an individual who
had won the lottery, was accessed by over 100 staff members of
the Department of Social and Family Affairs, only 34 of whom
had a legitimate reason to access the information. In the UK
the potential for such risks was highlighted, when in 2007
discs containing the personal records of 25 million
individuals, including their dates of birth, addresses, bank
accounts and national insurance numbers were lost in the post.
Of course, I could not leave out when President Clinton’s
Democratic administration including the FBI found themselves
with unauthorized files on hundreds of Republican opponents in
the “Filegate” scandal. All of these figures and facts are
terrifying; the reality is that we entrust this information to
people with the assumption that our personal information will
be safeguarded in some way and not used in any other capacity
than initially intended. We must wonder why all that
information is being stored and not destroyed. The likelihood
of this to me would be that our information is being retained
in the hope it may be used in the future for a profitable
measure which would in turn make this gathering of information
a type of surveillance on the population. I must include
another recent example of this unusual level of information
that governments appear to hold on file about extremely
personal information. In November last year a Canadian author
was denied entry into the US because of a hospitalization
during 2012 following a suicide attempt. She suffered ongoing
depression and received clinical treatment. In November 2013
she was denied access to America and told it would take the
permission of a US government-approved doctor and around $500 in
fees in order to enter the country. The lady in question had
travelled between Canada and the States several times; upon
this attempt she was told by a border agent that her
hospitalization in 2012 warranted extra attention and that
they have the right to deny entry where a physical or mental
condition may cause a threat to the safety, property or welfare
of the state. Although all of this seems perfectly legitimate,
this lady’s hospitalization did not involve legal authorities
and she was deemed healthy enough by her own doctors to
travel; therefore one must ask the question, how did those
border officials have access to that lady’s medical record?
And in turn how much access do they really have? Medical
records are supposed to be private and confidential and not
readily available to border controls unless you are in
isolation and escaped or something.
One must notice a similarity between these examples and Michel
Foucault’s ideas on surveillance, and how surveillance is based
on a system of permanent registration. This was brought up in
Foucault’s book Discipline and Punish: The Birth of Modern Prison. Foucault
talks about the measures taken when the plague first appeared.
The measures taken by the magistrates at the time would be
seen by a modern reader as extreme and inhumane. Complete
control was given to the magistrates; this in turn led to
everyone being forced to declare and be declared for, with no
exceptions and nothing allowed to be concealed.
In 2013 David Cameron, the British Prime Minister,
announced an opt-in law for accessing porn. This would mean
that any user would have to contact their internet provider
and select the option to be able to access porn on their
internet. This is a clear declaration and obvious way of
removing anonymity from the internet which was meant to be a
private and secure place. Foucault notes that in this town
“The registration of the pathological must be constantly
centralized” (Foucault 1977:196). In relation to this, it
is clear that in Britain they are classifying people that
watch porn as pathological and in need of registration. I must
admit my study of internet privacy has at times made me wonder
about the very nature of our own security being in any way
associated with the internet and its ridiculously mysterious
mechanisms. The more aware people seem to be becoming of the
internet and its inability to be monitored, the more internet
privacy and security seem to elude us. While reading back
over my lecture notes a particular quote stood out: “power
works best when it is invisible. When power manifests itself
it becomes something to rebel against”. This reminds me very
much of the internet and the group Anonymous that seem to be
the vigilantes when it comes to the federal regulation of the
government. They appear to rebel against any kind of
limitation put on the unstoppable force that is the internet
and then seamlessly disappear again, although a few members
have been arrested for allegedly committing offenses against
the state. This kind of internet vigilantism appears to be the
norm online, and with this, large companies are often genuinely
scared into conforming to the requests of the group. I have
heard several stories of large betting companies being
blackmailed around large racing events that if they don’t part
with a substantial amount of money they will have their
websites hacked and shut down. The majority of these companies
comply with these organisations amidst fears of loss of
profit. The sheer volume of internet usage and the power it
holds over everyday life really does require PETs. Although,
to be fair, even after spending months of research trying to
figure out exactly what they are, it is apparent that because
the very nature of the internet and the technology and the
privacy that goes along with it is so vast and ever changing,
it is only possible to state that the majority of these
technologies are being formulated by ideas that really do want
to limit our vulnerability while on the internet, mainly for
an obvious gap in the market and spurred on by financial
motives!
Foucault mentioned the society of security which can be
determined when power is dominated by the technology of
security. These databases and PETs which are being formulated
and advanced in order to protect our basic right to privacy are
leading to the simple fact that the internet itself is
becoming a space that will, in my opinion, due to the research
I have carried out for this project (which has involved me
reading copious journals and manifestos and government issued
documents about our so-called online security), be dominated by
security. This in turn leads to a question posed in class upon
the study of Foucault and his lectures: does security produce
a concept of normal behaviour where abnormal is not allowed to
exist? For instance, in America certain people will be targeted
for this constant internet surveillance based simply on their
internet browsing history. Also people in China and US
citizens are being told that occasionally their Skype sessions
might be monitored and recorded for something referred to as
‘Metadata’. Of course when governments are questioned about
such apparently evasive and shifty procedures all we get in
response is that they were trying to protect their citizens and
promote the common good. The common good is
referred to constantly in all these governmental documents
about internet security and privacy. Even in the Irish Council
on Biometrics we are given every assurance that our personal
data will not be misused unless it is necessary for the
common good, yet nowhere do I see any definition for the
common good made apparent. Although the majority of us have
figured out that clearing your internet history is advisable,
does one realise that not deleting your history actually
affects prices of things like plane tickets, where the site can
recognise your IP address and browser and will actually keep
putting the price of flights up every time you check them until
you clear your history?
Foucault’s Panopticon reminds me of Facebook or SnapChat
and how we monitor what and when we put things up or make
public as we are aware of what others will see and think about
us and how it will affect us later on. This constant awareness
of being monitored makes us censor our own behaviour online.
This is an example of what I would classify as biopower. It
mirrors what Foucault said when he was talking about the
Bentham Panopticon and how the constant thought of being
monitored forced an inmate into a state of conscious and
permanent visibility that assures the automatic functioning of
power.
Anonymity is often used as a tool for privacy and is one of
the main ways PETs attempt to maintain and guard our personal
identity information. Today, home HIV tests rely on anonymous
lab testing, Garda tip lines provide anonymity to entice
informants and/or witnesses, journalists and anthropologists
take great care to protect the anonymity of their confidential
participants and there is special legal protection and
recognition for medical practitioners and members of the
judicial system to protect clients and patients’
confidentiality and anonymity.
Outside of the Internet, anonymity is widely accepted and
recognized as a valuable feature in today’s society. Over the
years society has continually accepted that privacy and
anonymity for certain things are in place for good reason and
are therefore protected and valued; the obvious next step
would be for such values to be carried over to the internet.
Most of these privacy enhancing companies are attempting to
regain some of the anonymity lost to the internet. There are a
number of situations where we can already see legitimate use of
Internet anonymity, such as the website spunout.ie, which helps people
suffering depression to cope without feeling vulnerable to
social stigma. On the other hand, illicit use of anonymity is
all too common on the Internet. At times, anonymity tools are
used to distribute copyrighted software without permission. We
have all streamed a movie illegally or downloaded an illegal
copy of a song. Widespread availability of anonymity will mean
that site administrators will have to rely more on first-line
defences and direct security measures rather than on the
deterrent of tracing. Providers of anonymity services will
also need to learn to prevent and manage abuse more
effectively. This is in part what these PETs are trying to
help with.
It is being put into place in Ireland with the internet
provider Eircom, who have stated that any user found to be
illegally downloading will have their internet removed and
will be reported to authorities. It is also worth
mentioning, though, that the majority of internet holders have since
changed internet providers prior to the implementation of this
sanction, or the savvy internet users found a way around this
by using proxy sites and also published their information on
data sharing websites like Reddit or 4chan. This constant
change in technology is the reason these PETs exist and there
are new markets for HotPETs. These are classed as measures put
forward to attempt to deal with up to date or hot topics on
internet risks such as help for privacy protection on social
networking sites, interdisciplinary privacy: usability,
economics, legal issues, cultural perspectives, user studies,
real world impact of PETs, economics of privacy, anonymous
communications and publishing systems, censorship resistance,
cryptographic protocols with application to privacy etc. In a
market of such rapid change and innovation there will always
be a way to get around these privacy technologies. It is this
fact alone that is making PETs such an extremely current and
growing industry. The majority of these PETs and the people
developing them are doing so with such rigour because they
want to try and prevent judicial intervention in technology
which I assume would lead to a decrease in whatever profit
they are gaining.
This wish for the removal of governmental surveillance
and interference with technological data is coming very much
to the forefront of many of the most popular websites used
today. An open letter was sent in which Twitter Inc., LinkedIn
Corp. and AOL Inc. joined Google Inc., Apple Inc., Yahoo Inc.,
Facebook Inc. and Microsoft Corp. in the push for tighter
controls over electronic espionage. These companies represent
the most influential and world renowned companies on the
internet at the moment. As the companies' services and
products have become more deeply ingrained in society, they
have become integral parts of the economy. Their prosperity
also provides them with the fiscal stance to pay for lobbyists
and fund campaign contributions that sway public policy.
Although the campaign is apparently directed at governments
all around the world, the U.S. is clearly the main target. "The
balance in many countries has tipped too far in favour of the
state and away from the rights of the individual...rights that
are enshrined in our Constitution," the letter stated. "This
undermines the freedoms we all cherish. It's time for a
change." Civil liberties aren't the only thing at stake. The
main reason these technology companies have become such a hive
of information for policing authorities is that they routinely
store copious amounts of personal identity information as a
way of targeting their advertisements. By analyzing search
requests, internet browsing habits, social networking posts
and even the content of emails, the companies are able to
determine things like the type of digital ads to show
individual users. The NSA revelations have raised fears that
people might shy away from some Internet services or share
less information about themselves. Such an alteration in
information availability would make it more difficult for
companies to increase their ad revenue and in turn, boost
their stock prices.
The increase in our fascination and usage of the internet
is undeniably an extremely marketable and innovative
commodity. The obvious need for some type of regulation and
monitoring of it is blatantly necessary, especially when we
have so many examples of such badly secured databases. Yet,
if we are to avoid a Foucauldian type securitization where the
gaze is constantly in action through documentation and
surveillance of our most secret preferences we must find some
way to manage this regulation without limiting the
possibilities available to us from such a truly wonderful hive
of information and possibilities and in turn affecting our
human rights on privacy, freedom of speech and access to the
availability of information. I do believe that a lot of these
privacy technologies that are being discussed and created will
lead to more transparency in the way we use the internet. Yet,
if governments and companies are hell-bent on censoring the
internet due to financial reasoning and utilising information
for their own gain, we will inevitably be forced to strictly
monitor and limit what we are allowed to know. Technology and
easily available information will always be something that
will require discussion, as the speed at which it evolves is
mind-blowing. But as we all know, nothing in life is free, and
while keeping that in mind, are we sacrificing our personal
information for the right and privilege to gain access to
unlimited information at our fingertips?
AOL Inc., Apple Inc., Facebook Inc., Google Inc., LinkedIn
Inc., Microsoft Inc., Twitter Inc., Yahoo Inc.
2013 Reform Government Surveillance. Electronic Document.
http://reformgovernmentsurveillance.com/ Accessed December 15,
2013
Clarke, Jeremy
2013 Privacy Enhancing Symposium. Electronic Document.
http://petsymposium.org/2014/index.php Accessed November 22,
2013
Foucault, Michel
1977 Discipline and Punish: The Birth of Modern Prison. A.
Sheridan, Trans. New York: Random House, Inc.
Fried, Charles
1968 Privacy. Yale Law Journal 77(3): 475-493.
Rachels, James
1975 Why Privacy is so Important. Philosophy and Public
Affairs 4(4): 323-333.