
Post No.: 0955privacy


Furrywisepuppy says:


States are responsible for the safety of their citizens – to actively protect them from harm. They cannot use the excuse of ‘we had nothing to do with that terror attack’ – inaction isn’t an admissible defence for governments when they fail to do their best to protect their own citizens, according to human rights and international law. States must police the population to prevent anyone from causing harm to innocent lives.


Howbeit, we don’t want over-reach. We don’t want successful terror attacks yet we don’t want an oppressive police state either. There’s the human right to live safely from terror, but there’s also the human right for privacy.


Similarly, there’s the human right to free speech, but there’s also the human right to not have people’s private information publicly disclosed or falsehoods spread about them. So the human rights field is complex – some rights directly impede others. We’re arguably left with trying to do the lesser of two evils, and perennially debating what is the lesser evil?


So there’s this dilemma between privacy versus security. We cannot have freedom, convenience, safety and peace without compromise. Most of us accept our governments snooping on people to fight terrorism and organised crime, and keeping some things secretive for national security reasons, but are worried that they’ll spy on us for reasons that subvert our liberties.


Most of us are also fine about our own country spying on other countries (we might even glamorise our own spies) yet think it’s underhand for other countries to go spy on us. Diplomats and politicians of allies are even sometimes spied upon to leverage economic advantages i.e. it’s not just between hostile states and it’s not just about defence. There’s cyber, military and economic espionage. Corporate espionage also frequently happens.


The US breaks espionage down into areas like open-source intelligence, human intelligence (HUMINT), signals intelligence (SIGINT), electronic intelligence (ELINT), measurement and signature intelligence and geospatial intelligence (GEOINT).


The authorities are incentivised to conduct dragnet or bulk metadata collection. They want tech companies to give them ‘backdoors’ to data, and telecommunications companies and internet service providers to comply with providing any and all content when requested via warrants (e.g. actual voice and text messages people have made) because if intelligence agencies miss out on something crucial just once, a terrorist might get away with committing an attack that slays many innocent civilians. So the stakes are extremely high and there’s no second chance for the victims and their families, or for an entire city or nation if it’s a critical infrastructure cyber attack.


The FBI offer software and hardware developers money to install backdoors in their products so that the US government can spy on its own people. Plenty of criminals do get caught due to law enforcement making use of backdoor access to data. But the risk is that it’s not just law enforcement that could access people’s private data if there’s a backdoor, or use client-side scanning on devices themselves, but potentially criminals too. Just one rogue agent from any contractor with access to all this data misappropriating or misusing any of it can cause malicious outcomes from within. A developer could surreptitiously leave in a backdoor for themselves. Post No.: 0936 evaluated data leaks. Therefore a lot of trust is asked from citizens.


Many ordinary citizens have privately done the odd illegal file download or TV show stream for instance, but the authorities have hardly sent letters to everyone who has done so. If you were caught for such, or other, illegal activities then it’d really be fair enough rather than ‘you were unjust for catching me’ (although some kinds of evidence may be inadmissible in court if it was acquired in illegal ways)! If you’ve nothing to hide then you’ve nothing to fear.


Notwithstanding, we can be blackmailed with our legal but sensitive data (e.g. intimate images) rather than incriminating data. Indeed not everything that people want to keep personally secret and private is criminal like fraud, or immoral like mendacity. We may worry about things that’d embarrass us if they were publicly revealed, like our web search history. However, our non-immoral private quirks or behaviours aren’t likely to be as unique as we think they are – we’re not likely to be that weird, or special. People’s public personas are often carefully managed façades that don’t fully reveal what they’re like in private – so sing and dance away like no one’s watching! Be ‘loud and proud’ and publicly normalise what you do, like what the transgender community has been doing. It’s the trolls and bullies that need to change their intolerant attitudes – not those who aren’t doing anything illegal or immoral. The intolerant are in fact the ones who are trying to control populations – by coercing everybody to fall in line and only do what they think is culturally acceptable, lest one gets mocked and ostracised. Woof.


The power of having privacy is like holding a hand in poker – with private information, you can either tell the truth or bluff. Our ability to bluff (lie) will be taken away if nothing is private. Our opportunity to deceive others appears socially important to us, like saying one thing to people’s fuzzy faces but thinking something else in private!


Some contend that privacy isn’t the same as secrecy though – that privacy is about ‘the power, control and autonomy to make decisions about who we are’ whilst secrecy is about ‘hiding things we don’t want others to see’.


Invasions of privacy are also a matter of trust – even if you’ve nothing to hide and someone who rummaged through your stuff without your consent didn’t find anything incriminating or embarrassing, it’s not nice. If an uninvited stranger entered your house without stealing anything, it’d still leave you feeling unsafe about your home afterwards.


The assumption is that secrets are more truthful and valuable because unimportant information doesn’t need to be kept hush, hence why conspiracy theories are normally about big things that are allegedly being kept secret from the masses. Simply telling someone that something is a secret makes them want to know what it is – similarly to telling people there’s no need to panic buy will cause them to panic buy!


Every time you pay electronically (i.e. not cash), you leave a record and trace. Well, almost anything you do online will in fact, albeit people can attempt to hide their activities with a virtual private network (VPN) or by moving to the dark web and using Tor browsers.


End-to-end encryption can prevent phone calls, emails, texts or other transmitted data from being intercepted by unintended recipients. But crimes like sending child abuse images or other sexual offences will also be hidden from legitimate police investigators. And they won’t know what’s innocent or criminal until they look. Yet if all data is open to the authorities, even via a special backdoor just meant for the authorities, then they could be open to unscrupulous actors too. There are still ways to intercept encrypted data regardless though.


A convenient excuse for platforms that employ end-to-end encryption is that, since even they themselves cannot see what their users are sending, they claim they cannot be held responsible for what’s being sent on their platforms. Some don’t want to moderate any content whatsoever because they think that free speech should be absolute. Some don’t want to be regarded as news organisations, despite many people taking their daily news from their platforms, because they don’t want to pay publishers for news content posted on their platforms.


Before online social media, people frequently said things when younger that they no longer believed in when older but this was okay because that stuff eventually became forgotten. But now the things people say or do that are recorded online can stay online indefinitely and come back to bite them. Some jurisdictions now have ‘right to be forgotten’ laws, where people can request private information about them to be removed from web searches and other directories if it was acquired via illegal means or if the privacy of the person in question is deemed to be more paramount than the interests of the organisation storing their data. This can help victims of revenge porn or children who committed petty crimes. In other cases however, this could be abused to essentially act as censorship to rewrite history.


GDPR legislation introduced a right for individuals to have their personal data erased. Large companies and complex services often use multiple partners and share their data between them though, so even if you wanted to request knowing what data they held about you, you mightn’t know if you’ve asked everybody.


Pseudonymisation isn’t perfect and can be defeated relatively easily if either the original records aren’t stored with the proper level of security or if the algorithm that converts full personal data into pseudonyms is unsecured. GDPR regulations place the responsibility on organisations using pseudonymisation to ensure it’s not possible for attackers to easily de-anonymise personal data.
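The weakness described above, where the pseudonymising algorithm itself is unsecured, can be checked for directly. The following is an added example, not code from this post: it audits an unkeyed hash against a keyed HMAC over constructed records, and the 4-digit identifiers, key and function names are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample records: identifiers come from a small, guessable space
# (here, 4-digit staff numbers), which is what makes unkeyed hashing weak.
RECORDS = [("0417", "asthma"), ("1893", "diabetes"), ("7720", "none")]

# Assumption: in a real system this key lives in a secrets manager, stored
# separately from the pseudonymised data set.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def pseudonymise_unkeyed(identifier: str) -> str:
    """Weak: anyone who knows the algorithm can recompute the pseudonym."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def pseudonymise_keyed(identifier: str, key: bytes = SECRET_KEY) -> str:
    """Stronger: HMAC-SHA256, so recomputation requires the secret key."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def reidentifiable_fraction(pseudonyms, candidate_ids, guess_fn) -> float:
    """Audit check: share of pseudonyms matched by recomputing guess_fn
    over every candidate identifier, as a party without the key could."""
    lookup = {guess_fn(c) for c in candidate_ids}
    hits = sum(1 for p in pseudonyms if p in lookup)
    return hits / len(pseudonyms)


def audit():
    candidates = [f"{n:04d}" for n in range(10_000)]  # whole identifier space
    unkeyed = [pseudonymise_unkeyed(i) for i, _ in RECORDS]
    keyed = [pseudonymise_keyed(i) for i, _ in RECORDS]
    # The auditor only has the public algorithm, not SECRET_KEY.
    return (
        reidentifiable_fraction(unkeyed, candidates, pseudonymise_unkeyed),
        reidentifiable_fraction(keyed, candidates, pseudonymise_unkeyed),
    )


if __name__ == "__main__":
    weak, strong = audit()
    print(f"unkeyed SHA-256 re-identifiable: {weak:.0%}")
    print(f"keyed HMAC re-identifiable:      {strong:.0%}")
```

The keyed form only holds up while the key is stored apart from the pseudonymised data; if both are kept together, it degrades to the unkeyed case.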


According to the ‘database reconstruction theorem’ – given access to a sufficiently large amount of information, underlying databases can be reconstructed to, in theory, identify individuals. Your unique combination of data (e.g. that you like punk rock, okonomiyaki, drive a Subaru Impreza, live in Margate…) can narrow a set of data down to only you, like in a game of Guess Who, hence de-anonymising your data when somebody has enough of your anonymous data. There’s an inherent trade-off between informational accuracy and privacy – the more accurate the information disclosed about you is, the more easily it can be traced back to identifying that it belongs to you. The best we can probably do with public data such as censuses is to apply ‘differential privacy’ measures, which is about making sure that any observer of an output cannot identify whether a particular individual’s information was used when computing it.


Digital fingerprinting involves collecting bits of information, like the make and model of the device one is using, its IP address, browser version, apps installed, the language, and even the fonts installed – this combination of variables could be so unique that the profile might as well have your name on it.
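The narrowing described in the two paragraphs above works the same way whether the attributes are survey answers or device fingerprint fields. This added example (not from the original post) measures how the matching set shrinks on a constructed six-person data set, then releases a count with Laplace noise as one standard differential privacy mechanism; the data, the epsilon parameter and the function names are assumptions.

```python
import random

# Constructed sample population; attribute values echo the post's example.
FIELDS = ("music", "food", "car", "town")
PEOPLE = [
    ("punk rock", "okonomiyaki", "Subaru Impreza", "Margate"),
    ("punk rock", "okonomiyaki", "Ford Fiesta", "Margate"),
    ("punk rock", "pizza", "Subaru Impreza", "Leeds"),
    ("jazz", "okonomiyaki", "Subaru Impreza", "Margate"),
    ("punk rock", "pizza", "Ford Fiesta", "Margate"),
    ("jazz", "pizza", "Ford Fiesta", "Leeds"),
]


def anonymity_set_sizes(target, people=PEOPLE):
    """People still matching as each attribute of target becomes known."""
    sizes, remaining = [], list(people)
    for i in range(len(target)):
        remaining = [p for p in remaining if p[i] == target[i]]
        sizes.append(len(remaining))
    return sizes


def laplace_noise(scale, rng):
    """Laplace(0, scale) as the difference of two exponential samples."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)


def dp_count(people, predicate, epsilon, rng):
    """Counting query (sensitivity 1: one person changes it by at most 1),
    released with Laplace noise of scale 1/epsilon."""
    true_count = sum(1 for p in people if predicate(p))
    return true_count + laplace_noise(1.0 / epsilon, rng)


if __name__ == "__main__":
    target = PEOPLE[0]
    for field, size in zip(FIELDS, anonymity_set_sizes(target)):
        print(f"after learning {field:<5}: {size} candidate(s) left")

    # Differencing check: exact counts with and without the target differ
    # by exactly 1, which reveals the target's town; noisy counts overlap.
    rng = random.Random(955)  # fixed seed so the run is repeatable
    in_margate = lambda p: p[3] == "Margate"
    print("with target   :", round(dp_count(PEOPLE, in_margate, 0.5, rng), 2))
    print("without target:", round(dp_count(PEOPLE[1:], in_margate, 0.5, rng), 2))
```

A smaller epsilon adds more noise, which is the accuracy-versus-privacy trade-off the text mentions.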


About ‘burner phones’ (new and unregistered pay-as-you-go mobile phones) – they may start off being anonymous but once you call someone who’s a known associate of yours then this new phone’s number (both a SIM and handset are individually traceable by the way), which isn’t linked to anyone else in this person’s circle, will flag as being suspicious precisely for being an unknown number. And the more people you call who are known to be linked to you, the more strongly this new phone number will be tied to you.


…Tech-savvy political ‘hacktivists’ (hacker activists) have some power when it comes to challenging authorities and state over-reach. But they shouldn’t be assumed to be one homogenous group with one ideal or goal – different groups are funded by those with different ideologies. And is it hypocritical to hack into the private networks of organisations in the name of protecting privacy? Is it hypocritical for hacktivists to use fear (e.g. threats of distributed denial-of-service (DDoS) attacks) in the name of safeguarding liberties? Who polices those who purport to police the web? There’s a massive motivation to hack during elections – unsure voters may be swayed by propaganda, lies or scandalous news that’s strategically released in the days just before a day of voting. And then this result will have a material bearing for up to 5 years for elections, or longer for referenda.


Challenging governments and corporations is vital work but one can accept that some secrets must be kept for protecting national security or corporate trade secrets. There’s thus a tension between state secrecy and transparency too.


Some civilian hackers join in conflicts too, by conducting cyber attacks on adversary targets. But many fail to adhere to the laws of war.



