Entries Tagged "privacy"

Kuwaiti Government will DNA Test Everyone

There’s a new law that will enforce DNA testing for everyone: citizens, expatriates, and visitors. They promise that the program “does not include genealogical implications or affects personal freedoms and privacy.”

I assume that “visitors” includes tourists, so presumably the entry procedure at passport control will now include a cheek swab. And there is nothing preventing the Kuwaiti government from sharing that information with any other government.

Posted on April 18, 2016 at 12:46 PM

Mass Surveillance Silences Minority Opinions

Research paper: Elizabeth Stoycheff, “Under Surveillance: Examining Facebook’s Spiral of Silence Effects in the Wake of NSA Internet Monitoring”:

Abstract: Since Edward Snowden exposed the National Security Agency’s use of controversial online surveillance programs in 2013, there has been widespread speculation about the potentially deleterious effects of online government monitoring. This study explores how perceptions and justification of surveillance practices may create a chilling effect on democratic discourse by stifling the expression of minority political views. Using a spiral of silence theoretical framework, knowing one is subject to surveillance and accepting such surveillance as necessary act as moderating agents in the relationship between one’s perceived climate of opinion and willingness to voice opinions online. Theoretical and normative implications are discussed.

No surprise, and something I wrote about in Data and Goliath:

Across the US, states are on the verge of reversing decades-old laws about homosexual relationships and marijuana use. If the old laws could have been perfectly enforced through surveillance, society would never have reached the point where the majority of citizens thought those things were okay. There has to be a period where they are still illegal yet increasingly tolerated, so that people can look around and say, “You know, that wasn’t so bad.” Yes, the process takes decades, but it’s a process that can’t happen without lawbreaking. Frank Zappa said something similar in 1971: “Without deviation from the norm, progress is not possible.”

The perfect enforcement that comes with ubiquitous government surveillance chills this process. We need imperfect security—systems that free people to try new things, much the way off-the-record brainstorming sessions loosen inhibitions and foster creativity. If we don’t have that, we can’t slowly move from a thing’s being illegal and not okay, to illegal and not sure, to illegal and probably okay, and finally to legal.

This is an important point. Freedoms we now take for granted were often at one time viewed as threatening or even criminal by the past power structure. Those changes might never have happened if the authorities had been able to achieve social control through surveillance.

This is one of the main reasons all of us should care about the emerging architecture of surveillance, even if we are not personally chilled by its existence. We suffer the effects because people around us will be less likely to proclaim new political or social ideas, or act out of the ordinary. If J. Edgar Hoover’s surveillance of Martin Luther King Jr. had been successful in silencing him, it would have affected far more people than King and his family.

Slashdot thread.

EDITED TO ADD (4/6): News article.

Posted on March 29, 2016 at 12:58 PM

Brennan Center Report on NSA Overseas Spying and Executive Order 12333

The Brennan Center has released a report on EO 12333, the executive order that regulates the NSA’s overseas surveillance. Much of what the NSA does here is secret and, even though the EO is designed for foreign surveillance, Americans are regularly swept up in the NSA’s collection operations:

Despite a series of significant disclosures, the scope of these operations, as well as critical detail about how they are regulated, remain secret. Nevertheless, an analysis of publicly available documents reveals several salient features of the EO 12333 regime:

  • Bulk collection of information: The NSA engages in bulk collection overseas—for example, gathering all of the telephone calls going into or out of certain countries. These programs include the data of Americans who are visiting those countries or communicating with their inhabitants. While recent executive branch reforms place some limits on how the government may use data collected in bulk, these limits do not apply to data that is collected in bulk and held for a temporary (but unspecified) period of time in order to facilitate “targeted” surveillance.
  • Treating subjects of discussion as “targets”: When the NSA conducts surveillance under EO 12333 that it characterizes as “targeted,” it is not limited to obtaining communications to or from particular individuals or groups, or even communications that refer to specified individuals or groups (such as e-mails that mention “ISIS”). Rather, the selection terms used by the NSA may include broad subjects, such as “Yemen” or “nuclear proliferation.”
  • Weak limits on the retention and sharing of information: Despite recent reforms, the NSA continues to exercise significant discretion over how long it may retain personal data gathered under EO 12333 and the circumstances under which it may share such information. While there is a default five-year limit on data retention, there is an extensive list of exceptions. Information sharing with law enforcement authorities threatens to undermine traditional procedural safeguards in criminal proceedings. Current policies disclosed by the government also lack specific procedures for mitigating the human rights risks of intelligence sharing with foreign governments, particularly regimes with a history of repressive and abusive conduct.
  • Systemic lack of meaningful oversight: Operations that are conducted solely under EO 12333 (i.e., those that are not subject to any statutory law) are not vetted or reviewed by any court. Members of the congressional intelligence committees have cited challenges in overseeing the NSA’s network of EO 12333 programs. While the Agency has argued that its privacy processes are robust, overreliance on internal safeguards fails to address the need for external and independent oversight. It also leaves Congress and the public without sufficient means to assess the risks and benefits of EO 12333 operations.

The report concludes with a list of major unanswered questions about EO 12333 and the array of surveillance activities conducted under its rules and policies. While many operational aspects of surveillance programs are necessarily secret, the NSA can and should share the laws and regulations that govern EO 12333 programs, significant interpretations of those legal authorities, and information about how EO 12333 operations are overseen both within the Executive Branch and by Congress. It should clarify internal definitions of terms such as “collection,” “targeted,” and “bulk” so that the scope of its operations is understandable rather than obscured. And it should provide more information on how its overseas operations impact Americans’ privacy, by releasing statistics on data collection and by specifying in greater detail the instances in which it shares information with other U.S. and foreign agencies and the relevant safeguards.

Here’s an article from the Intercept.

And this is me from Data and Goliath on EO 12333:

Executive Order 12333, the 1981 presidential document authorizing most of NSA’s surveillance, is incredibly permissive. It is supposed to primarily allow the NSA to conduct surveillance outside the US, but it gives the agency broad authority to collect data on Americans. It provides minimal protections for Americans’ data collected outside the US, and even less for the hundreds of millions of innocent non-Americans whose data is incidentally collected. Because this is a presidential directive and not a law, courts have no jurisdiction, and congressional oversight is minimal. Additionally, at least in 2007, the president believed he could modify or ignore it at will and in secret. As a result, we know very little about how Executive Order 12333 is being interpreted inside the NSA.

Posted on March 21, 2016 at 6:53 AM

Possible Government Demand for WhatsApp Backdoor

The New York Times is reporting that WhatsApp, and its parent company Facebook, may be headed to court over encrypted chat data that the FBI can’t decrypt.

This case is fundamentally different from the Apple iPhone case. In that case, the FBI is demanding that Apple create a hacking tool to exploit an already existing vulnerability in the iPhone 5c, because they want to get at stored data on a phone that they have in their possession. In the WhatsApp case, chat data is end-to-end encrypted, and there is nothing the company can do to assist the FBI in reading already encrypted messages. This case would be about forcing WhatsApp to make an engineering change in the security of its software to create a new vulnerability—one that they would be forced to push onto the user’s device to allow the FBI to eavesdrop on future communications. This is a much further reach for the FBI, but potentially a reasonable additional step if they win the Apple case.

And once the US demands this, other countries will demand it as well. Note that the government of Brazil has arrested a Facebook employee because WhatsApp is secure.

We live in scary times when our governments want us to reduce our own security.

EDITED TO ADD (3/15): More commentary.

Posted on March 15, 2016 at 6:17 AM

Interesting Research on the Economics of Privacy

New paper: “The Economics of Privacy,” by Alessandro Acquisti, Curtis R. Taylor, and Liad Wagman:

Abstract: This article summarizes and draws connections among diverse streams of empirical and theoretical research on the economics of privacy. Our focus is on the economic value and consequences of privacy and of personal information, and on consumers’ understanding of and decisions about the costs and benefits associated with data protection and data sharing. We highlight how the economic analysis of privacy evolved through the decades, as, together with progress in information technology, more nuanced issues associated with the protection and sharing of personal information arose. We use three themes to connect insights from the literature. First, there are theoretical and empirical situations where the protection of privacy can both enhance and detract from economic surplus and allocative efficiency. Second, consumers’ ability to make informed decisions about their privacy is severely hindered, because most of the time they are in a position of imperfect information regarding when their data is collected, with what purposes, and with what consequences. Third, specific heuristics can profoundly influence privacy decision-making. We conclude by highlighting some of the ongoing issues in the privacy debate.

Posted on March 7, 2016 at 3:59 PM

More on the "Data as Exhaust" Metaphor

Research paper: Gavin J.D. Smith, “Surveillance, Data and Embodiment: On the Work of Being Watched,” Body and Society, January 2016.

Abstract: Today’s bodies are akin to ‘walking sensor platforms’. Bodies either host, or are the subjects of, an array of sensing devices that act to convert bodily movements, actions and dynamics into circulative data. This article proposes the notions of ‘disembodied exhaust’ and ‘embodied exhaustion’ to conceptualise processes of bodily sensorisation and datafication. As the material body interfaces with networked sensor technologies and sensing infrastructures, it emits disembodied exhaust: gaseous flows of personal information that establish a representational data-proxy. It is this networked actant that progressively structures how embodied subjects experience their daily lives. The significance of this symbiont medium in determining the outcome of interplays between networked individuals and audiences necessitates that it is carefully contrived. The article explores the nature and function of the data-proxy, and its impact on social relations. Drawing on examples that depict individuals engaging with their data-proxies, the article suggests that managing a virtual presence is analogous to a work relation, demanding diligence and investment. But it also shows how the data-proxy operates as a mode of affect that challenges conventional distinctions made between organic and inorganic bodies, agency and actancy, mortality and immortality, presence and absence.

Posted on February 29, 2016 at 6:17 AM

Thinking about Intimate Surveillance

Law Professor Karen Levy writes about the rise of surveillance in our most intimate activities—love, sex, romance—and how it affects those activities.

This article examines the rise of the surveillant paradigm within some of our most intimate relationships and behaviors—those relating to love, romance, and sexual activity—and considers what challenges this sort of data collection raises for privacy and the foundations of intimate life.

Data-gathering about intimate behavior was, not long ago, more commonly the purview of state public health authorities, which have routinely gathered personally identifiable information in the course of their efforts to (among other things) fight infectious disease. But new technical capabilities, social norms, and cultural frameworks are beginning to change the nature of intimate monitoring practices. Intimate surveillance is emerging and becoming normalized as primarily an interpersonal phenomenon, one in which all sorts of people engage, for all sorts of reasons. The goal is not top-down management of populations, but establishing knowledge about (and, ostensibly, concomitant control over) one’s own intimate relations and activities.

After briefly describing some scope conditions on this inquiry, I survey several types of monitoring technologies used across the “life course” of an intimate relationship—from dating to sex and romance, from fertility to fidelity, to abuse. I then examine the relationship between data collection, values, and privacy, and close with a few words about the uncertain role of law and policy in the sphere of intimate surveillance.

Posted on February 26, 2016 at 7:33 AM

Eavesdropping by the Foscam Security Camera

Brian Krebs has a really weird story about the built-in eavesdropping by the Chinese-made Foscam security camera:

Imagine buying an internet-enabled surveillance camera, network attached storage device, or home automation gizmo, only to find that it secretly and constantly phones home to a vast peer-to-peer (P2P) network run by the Chinese manufacturer of the hardware. Now imagine that the geek gear you bought doesn’t actually let you block this P2P communication without some serious networking expertise or hardware surgery that few users would attempt.

Posted on February 24, 2016 at 12:05 PM
