You may be sick of worrying about online privacy, but ‘surveillance apathy’ is also a problem




Siobhan Lyons, Macquarie University

We all seem worried about privacy. Though it’s not only privacy itself we should be concerned about: it’s also our attitudes towards privacy that are important.

When we stop caring about our digital privacy, we witness surveillance apathy.

And it’s something that may be particularly significant for marginalised communities, who feel they hold no power to navigate or negotiate fair use of digital technologies.




In the wake of the NSA leaks in 2013 led by Edward Snowden, we are more aware of the machinations of online companies such as Facebook and Google. Yet research shows some of us are apathetic when it comes to online surveillance.

Privacy and surveillance

Attitudes to privacy and surveillance in Australia are complex.

According to a major 2017 privacy survey, around 70% of us are more concerned about privacy than we were five years ago.

[Figure: Snapshot of Australian community attitudes to privacy 2017. Source: Office of the Australian Information Commissioner]

And yet we still increasingly embrace online activities. A 2017 report on social media conducted by search marketing firm Sensis showed that almost 80% of internet users in Australia now have a social media profile, an increase of around ten points from 2016. The data also showed that Australians are on their accounts more frequently than ever before.

Also, most Australians appear not to be concerned about recently proposed implementation of facial recognition technology. Only around one in three (32% of 1,486) respondents to a Roy Morgan study expressed worries about having their faces available on a mass database.

A recent ANU poll revealed a similar sentiment, with recent data retention laws supported by two thirds of Australians.

So while we’re aware of the issues with surveillance, we aren’t necessarily doing anything about it, or we’re prepared to make compromises when we perceive our safety is at stake.

Across the world, attitudes to surveillance vary. Around half of Americans polled in 2013 found mass surveillance acceptable. France, Britain and the Philippines appeared more tolerant of mass surveillance compared to Sweden, Spain, and Germany, according to 2015 Amnesty International data.




Apathy and marginalisation

In 2015, philosopher Slavoj Žižek proclaimed that he did not care about surveillance (admittedly though suggesting that “perhaps here I preach arrogance”).

This position cannot be assumed by all members of society. Australian academic Kate Crawford argues the impact of data mining and surveillance is more significant for marginalised communities, including people of different races, genders and socioeconomic backgrounds. American academics Shoshana Magnet and Kelley Gates agree, writing:

[…] new surveillance technologies are regularly tested on marginalised communities that are unable to resist their intrusion.

A 2015 White House report found that big data can be used to perpetuate price discrimination among people of different backgrounds. It showed how data surveillance “could be used to hide more explicit forms of discrimination”.




According to Ira Rubinstein, a senior fellow at New York University’s Information Law Institute, ignorance and cynicism are often behind surveillance apathy. Users are either ignorant of the complex infrastructure of surveillance, or they believe they are simply unable to avoid it.

As the White House report stated, consumers “have very little knowledge” about how data is used in conjunction with differential pricing.

So in contrast to the oppressive panopticon (a circular prison with a central watchtower) as envisioned by philosopher Jeremy Bentham, we have what Siva Vaidhyanathan calls the “cryptopticon”. The cryptopticon is “not supposed to be intrusive or obvious. Its scale, its ubiquity, even its very existence, are supposed to go unnoticed”.

But Melanie Taylor, lead artist of the computer game Orwell (which puts players in the role of surveillance) noted that many simply remain indifferent despite heightened awareness:

That’s the really scary part: that Snowden revealed all this, and maybe nobody really cared.

The Facebook trap

Surveillance apathy can be linked to people’s dependence on “the system”. As one of my media students pointed out, no matter how much awareness users have regarding their social media surveillance, invariably people will continue using these platforms. This is because they are convenient, practical, and “we are creatures of habit”.


As University of Melbourne scholar Suelette Dreyfus noted in a Four Corners report on Facebook:

Facebook has very cleverly figured out how to wrap itself around our lives. It’s the family photo album. It’s your messaging to your friends. It’s your daily diary. It’s your contact list.

This, along with the complex algorithms Facebook and Google use to collect and use data to produce “filter bubbles” or “you loops”, is another issue.

Protecting privacy

While some people are attempting to delete themselves from the network, others have come up with ways to avoid being tracked online.

The search engine DuckDuckGo and the Tor Browser allow users to browse without being tracked. Lightbeam, meanwhile, allows users to see how their information is being tracked by third party companies. And MIT devised a system to show people the metadata of their emails, called Immersion.

Surveillance apathy is more disconcerting than surveillance itself. Our very attitudes about privacy will inform the structure of surveillance itself, so caring about it is paramount.

Siobhan Lyons, Scholar in Media and Cultural Studies, Macquarie University

This article was originally published on The Conversation. Read the original article.


What should Australian companies be doing right now to protect our privacy


David Glance, University of Western Australia

Australians are increasingly concerned about how companies handle their personal data, especially online.

Faced with the increasing likelihood that this data will be compromised, either through cyber attacks or mishandling, companies are now being forced into a more comprehensive approach to collecting and protecting customers’ personal data. The question remains – what is the best approach to achieving this goal?

The Organisation for Economic Co-operation and Development (OECD) has proposed that instead of talking about cybersecurity – companies, organisations and nations should be viewing the problem from a digital security risk management perspective.

Cybersecurity often overlooks risks to data that have nothing to do with a “cyber” element, even if people could agree on a definition of that term. In the case of Edward Snowden for example, he used a colleague’s credentials to access the system and copied files to a USB drive.

Digital security risk management involves getting everyone in an organisation to see digital risk as part of the overall risks that the organisation faces. The extent of risk any organisation is willing to take in any particular activity depends on the activity’s value. The aim is to manage the risk to a level that is acceptable to all parties.

What do you do about the weak link: humans?

It is worth remembering that in the case of the Equifax breach in which the personal details of up to 143 million customers in the US were leaked, it was largely human errors that were to blame.

Put simply, the person who was responsible for applying the patch (a piece of software designed to update a computer program or its supporting data, to fix or improve it) simply didn’t do their job. The software that was supposed to check whether the patch had been applied also failed to pick this up.

Until humans can be taken out of the equation entirely, it is almost impossible to remain entirely secure, or to avoid the inadvertent disclosure of personal and private information. Insider threat (as this type of risk is known) is difficult to combat and companies have tried various approaches to managing this risk including predictions based on psychological profiling of staff.

Automation and artificial intelligence may be a way of achieving this in the future. This works by minimising the amount of sensitive information staff have direct access to and surfacing only the analysis or interpretation of that data.

A litany of recent breaches

If you needed convincing about the vulnerability of personal data on the Internet, you only need look at Gemalto’s data breach website or DataBreaches.net.

Breaches of private and personal information don’t recognise national boundaries, with hacks of companies like Yahoo having affected 3 billion users, including millions of Australians.

Of course, Australian companies and organisations have also been involved with spectacular data breaches. Last year saw the Australian Red Cross expose 555,000 customer records online.

Of more concern, the Australian Department of Health had published online what they believed were de-identified records of Medicare and pharmaceutical claims of more than 3 million patients. Researchers at the University of Melbourne discovered that the “encrypted” doctor provider numbers could be decrypted.

Are we looking at it in the wrong way?

Whilst there are practical steps companies can take to protect digital systems and data, there are more fundamental questions companies should be asking from a risk perspective. In order to navigate these questions, companies need to understand the data they collect and perhaps surprisingly, this is something most companies struggle to do.

The 13 Australian Privacy Principles from the Office of the Australian Information Commissioner outline the basics of how organisations and agencies should handle personal information. The practical application of these principles involves an approach called Privacy By Design for all applications and services companies offer.

Enter confidential computing

For CSIRO’s Data61, the answer to breaches of this sort is “confidential computing”. Data61 is tasked with data innovation and commercialisation of its research ideas. Confidential computing is the remit of Data61’s latest spin-off, N1 Analytics.

The main aspect of confidential computing involves keeping data encrypted at all times and using special techniques to be able to query data that is still encrypted and only decrypting the answer.

This can even allow others outside an organisation to query internal data directly or link to it with their own data without revealing the actual underlying data to either party.

Aside from the case of allowing the use of sensitive data in research, this approach would allow a company with financial information, say, to share this data with an insurance company without handing over sensitive information, while theoretically letting the insurance company carry out extensive data analytics.

What companies should do now to protect your data

As a starting point, Australian companies should only collect the minimum of personal information that the business actually needs. This means not collecting extra information simply for marketing purposes at some later date for example.

Companies then need to explain in simple, clear, terms why information is being collected, what it is being used for and get users to consent to giving that information.

Companies then need to secure the data that is collected. Security involves dedicated staff understanding the data that is kept by a company and taking responsibility for its physical security and for controlling who has access, when they have access and in what form they can access the data.

Lastly, they need to understand and enact a risk management approach to all digital data. This means that this is part of the overall culture of the company for every employee.

David Glance, Director of UWA Centre for Software Practice, University of Western Australia

This article was originally published on The Conversation. Read the original article.

The new data retention law seriously invades our privacy – and it’s time we took action




Uri Gal, University of Sydney

Over the past few months, Australians’ civil rights have come under attack.

In April, the government’s data retention law came into effect. The law requires telecommunications companies to store customer metadata for at least two years. Metadata from our phone calls, text messages, emails, and internet activity is now tracked by the government and accessible by intelligence and law enforcement agencies.

Ironically, the law came into effect only a few weeks before Australia marked Privacy Awareness Week. Alarmingly, it is part of a broad trend of eroding civil rights in Western democracies, most noticeably evident by the passage of the Investigatory Powers Act in the UK, and the decision to repeal the Internet Privacy Law in the US.

Why does it matter?

Australia’s data retention law is one of the most comprehensive and intrusive data collection schemes in the western world. There are several reasons why Australians should challenge this law.

First, it undermines the democratic principles on which Australia was founded. It gravely harms individuals’ right to privacy, anonymity, and protection from having their personal information collected.

The Australian Privacy Principles define limited conditions under which the collection of personal information is permissible. It says personal information must be collected by “fair” means.

Despite a recent ruling by the Federal Court, which determined that our metadata does not constitute “personal information”, we should consider whether sweeping collection of all of Australian citizenry’s metadata is consistent with our right to privacy.

Second, metadata – data about data – can be highly revealing and provide a comprehensive depiction of our daily activities, communications and movements.

As detailed here, metadata is broad in scope and can tell more about us than the actual content of our communications. Therefore, claims that the data retention law does not seriously compromise our privacy should be considered as naïve, ill-informed, or dishonest.

Third, the law is justified by the need to protect Australians from terrorist acts. However, despite the government’s warnings, the risk of getting hurt in a terrorist attack in Australia has been historically, and is today, extremely low.

To date, the government has not presented any concrete empirical evidence to indicate that this risk has substantially changed. Democracies such as France, Germany and Israel – which face more severe terrorist threats than Australia – have not legalised mass data collection and instead rely on more targeted means to combat terrorism that do not jeopardise their democratic foundations.

Fourth, the data retention law is unlikely to achieve its stated objective and thwart serious terrorist activities. There are a range of widely-accessible technologies that can be used to circumvent the government’s surveillance regime. Some of them have previously been outlined by the now-prime minister, Malcolm Turnbull.

Therefore, in addition to damaging our civil rights, the law’s second lasting legacy is likely to be its contribution to increasing the budgetary debt by approximately A$740 million over the next ten years.

How can the law be challenged?

There are several things we can do to challenge the law. For example, there are technologies that we can start using today to increase our online privacy.

A full review of all available options is beyond the scope of this article, but here are three effective ones.

  1. Virtual private networks (VPNs) can hide browsing information from internet service providers. Aptly, April 13, the day the data retention law came into effect, has been declared the Australian “get a VPN day”.

  2. Tor – The Onion Router is free software that can help protect the anonymity of its users and conceal their internet activity from surveillance and analysis.

  3. Encrypted messaging applications – unprotected applications can be easily tracked. Consequently, applications such as Signal and Telegram that offer data encryption solutions have been growing in popularity.

Australian citizens have the privilege of electing their representatives. An effective way to oppose continuing state surveillance is to vote for candidates whose views truly reflect the democratic principles that underpin modern Australian society.

The Australian public needs to have an honest, critical and open debate about the law and its social and ethical ramifications. The absence of such a debate is dangerous. The institutional accumulation of power is a slippery slope – once gained, power is not easily given up by institutions.

And the political climate in Australia is ripe for further deterioration of civil rights, as evident in the government’s continued efforts to increase its regulation of the internet. Therefore, it is important to sound a clear and public voice that opposes such steps.

Finally, we need to call out our elected representatives when they make logically muddled claims. In a speech to parliament on Tuesday this week, Turnbull said:

The rights and protections of the vast overwhelming majority of Australians must outweigh the rights of those who will do them harm.

The data retention law is a distortion of the logic embedded in this statement because it indiscriminately targets all Australians. We must not allow the pernicious intent of a handful of terrorists to be used as an excuse to harm the rights of all Australians and change the fabric of our society.

Uri Gal, Associate Professor in Business Information Systems, University of Sydney

This article was originally published on The Conversation. Read the original article.

How the law allows governments to publish your private information




Bruce Baer Arnold, University of Canberra

Recent controversy over the government’s use of information provided to Human Services and Veterans’ Affairs demonstrates there are major holes in Australia’s privacy regime that we need to fix.

Australians are accustomed to providing personal information to federal and state governments. We do it repeatedly throughout our lives. We do so to claim entitlements. We also do so as the basis of public administration – the contemporary “information state”.

In making that state possible we trust we will not be treated as a file number or an incident. We will not be doxed.

A key aspect of that trust, consistent with international rights law since the 1940s, is that our privacy will be protected. We assume officials – and private sector entities they use as their agents – will not be negligent in safeguarding personal information.

We also assume they will not share personal information with other agencies unless there is a substantive need for that sharing – for example, for national security or to prevent harm to an individual. And we expect they will not disclose personal information to the media or directly to the community at large as a way of silencing criticism or resolving disputes.

Australia has a sophisticated body of administrative law and ombudsmen. So, there is no need for public shaming of people who disagree with ministers, officials or databases.

The complicated and inconsistent body of privacy law highlighted by law reform commissions over the past two decades attempts to provide legal protection for personal information. It is overseen by under-resourced watchdogs that – amid threats of termination – are inclined to lick the ministerial hand that feeds them.

That law has major weaknesses, illustrated by the Centrelink controversy and the furore over the Veterans’ Affairs Legislation Amendment (Digital Readiness and Other Measures) Bill. The Commonwealth is able to ignore ostensible protections under the Privacy Act and other statutes. That is quite lawful. It has been so for many years, evident in the watchdog’s finding in L v Commonwealth Agency.

The watchdog’s guidelines state that where someone:

… makes adverse comments in the media about the way [a body] has treated them … it may be reasonable to expect that the entity may respond publicly to these comments in a way that reveals personal information specifically relevant to the issues that the individual has raised.

Put simply, if you complain publicly about a Commonwealth agency that holds personal information relating to you, that agency can lawfully give the information to the media or publish it directly. It can do so to correct what the minister deems to be “misinformation”.

There is no requirement that your complaint be malicious, fraudulent, vexatious or otherwise wrong. Disclosure is at the minister’s discretion, not subject to independent review. You have no legal remedies unless it could be proved that the official was malicious or corrupt.

We have seen such a disclosure. The Department of Human Services gave personal information to a journalist for publication about a person who disagreed with action by Centrelink to recover an alleged overpayment of an entitlement.

There has been much discussion in the media and the national parliament about the vigour with which the government is seeking to recover overpayments. Worryingly, it remains uncertain whether many of the alleged overpayments actually exist.

Ongoing changes to entitlements policy, the hollowing out of key agencies by the annual “efficiency dividend” (that is, ongoing cuts to budgets) and problematical design and management of very large information technology projects mean overpayments might not have occurred.

Public disclosure of someone’s personal information thus looks very much like bullying, if not a deliberate effort to chill legitimate criticism and discussion of publicly funded programs.

The veterans’ affairs minister and the shadow minister have apparently not done their homework. The new Digital Readiness Bill – passed in the House of Representatives but not in the Senate – allows the minister to publicly disclose medical and other personal information about veterans. The rationale for that disclosure is to correct misinformation.

Understandably, veterans are unhappy. Legal practitioners and academics wonder about the scope for public shaming through release of department information that might not be correct.

The national Privacy Commissioner has been complacent. Labor’s veterans’ affairs spokeswoman, Amanda Rishworth, has belatedly expressed concern. The minister has simply referred to the establishment of an independent review by the Australian Government Solicitor and his department. It is difficult to understand why privacy wasn’t properly considered before the bill went into parliament.

There are too many loopholes in Australia’s privacy regime. Government agencies also need to toughen up in the face of criticism – legitimate or otherwise – and not respond by bullying people through publication of personal information.

Bruce Baer Arnold, Assistant Professor, School of Law, University of Canberra

This article was originally published on The Conversation. Read the original article.