In this Reddit India AMA held last week, Dr Gus Hosein and Dr Edgar Whitley talk about the perils of Aadhaar, citizen privacy and surveillance, a law for privacy and the right to privacy. Dr Gus Hosein works with Privacy International, a London-based charity and is a Visiting Fellow at the London School of Economics, and Dr Edgar Whitley is an Associate Professor (Reader) of Information Systems at the London School of Economics. Here are snippets from the AMA:
On generating awareness on the online privacy breaches:
Hosein: … For some people it is all about the specific scenario that raises their awareness — a data breach, or the lack of power resulting from a decision against them based on their data. For others it is the matter of principle — that any entity could have control over their lives in such a way.
The answer I can give for an entire country (the question asked about India) is that you need many many stories of many many different types that give rise to debate and more stories and more debate. Then you have a national conversation… Nonetheless I can say that the debate in India has come so far since 2007 when I first visited. At the time whenever we spoke to people about privacy they all laughed.
Since then, due to the hard work of individuals and organisations, the debate has advanced significantly — faster than anywhere else in the world… We’re still working on the best ways of doing this!
Whitley: Another approach is to build in technological features that minimize the potential privacy risks, so that they don’t arise in the first place. Clearly, this needs to be done in conjunction with awareness raising/education as well… Education can include adding the topic to the curriculum of Schools – increasingly schoolchildren are being taught about the risks of sharing sensitive personal information online – and privacy risks are part of that.
On a case where a company found out a customer’s info and address and went to their doorstep:
Hosein: India needs a privacy law. It’s as simple as that… Without it, you cannot regulate government activities or industry activities… What no one is really talking about anywhere is how hard it is to secure data; and companies and governments don’t like these laws making it their duty to protect our data. If they were finally held to account for this challenge of protecting our data, they may finally start collecting less and sharing it less. Only the law gets them to do this…
Whitley: Indeed, some organisations are starting to realise that, despite the claimed benefits of big data and data analytics, data are actually a toxic resource that they are better off NOT holding on to. This comes to the broader question about privacy rights/laws in India. The Aadhaar bill doesn’t address this kind of situation… The home visit seems to be a completely different issue, given you weren’t likely to become a future customer of the organisation.
On other countries rejecting UID/Aadhaar like projects, implications of Aadhaar and impact of biometric technology on civil liberties:
Whitley: In the UK between the launch, in 2005, of a biometric identity card scheme and its scrapping in 2010, following election of the coalition government, public mood about the “surveillance state” changed dramatically. It was also affected by the government losing the personal details of all families claiming child support etc. Since then the UK has developed an explicitly privacy friendly identity verification service.
Hosein: I think that any country that has an open debate about whether to start an ID system inevitably concludes that it is not a good idea to create a multi-purpose centralised mandatory system. So instead every other government with such a system has managed to sneak it in through the backdoor, by making it voluntary for instance until it is made mandatory, or blaming foreign entities. So these systems are always rejected whenever they are openly deliberated upon… Creating a system that is multi-purpose and mandatory costs so much money, takes so many security risks, has to create so much buy-in from across government and the general public, that it is almost inevitable that it will fail either in being dreamed-up, being legislated, or being implemented.
The biometrics industry has seen a boom since 9/11… then there was a second wave, with India and other countries being sold the ‘development’ angle to biometrics… I am very worried about this. We have to watch for Indian companies and consultants travelling the world selling these systems.
For the link with intelligence agencies… there is a surveillance industry out there profiting from all of these types of surveillance technologies, and it traditionally has links with either defence firms or involves ex-intelligence agency employees going into the private sector. I am not sure about the biometrics industry though — we haven’t tracked them as much as the communications surveillance industry.
Whitley: Again, there are technological alternatives at play – not just “the use of biometrics”. Some smartphones use fingerprint biometrics to authenticate the user of the phone but they are designed to NEVER share the fingerprint data with any other system (and don’t need to). They simply check whether the fingerprint presented now is the same as the fingerprint presented earlier. Aadhaar (currently) seems to require the fingerprint presented now to be matched (via a secure internet connection) with the fingerprint collected previously. This, of course, also creates an audit trail of when (and where) the fingerprint was checked and, as Gus mentioned, increases the costs of using the system considerably.
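The two designs Whitley contrasts, match-on-device versus matching against a central database, can be made concrete in code. The following is an added illustration, not code from the AMA or from any real handset or ID scheme: templates are constructed 64-bit feature codes, a presentation "matches" when its Hamming distance to the enrolled code is within an assumed noise tolerance, and the point of interest is where the enrolled data lives and what record each check leaves behind.

```python
"""Added illustration, not code from the AMA or from any real scheme.

Two ways to check a fingerprint. Templates are constructed 64-bit feature
codes; a presentation matches if its Hamming distance to the enrolled code
is within an assumed noise tolerance. Real minutiae matching is far more
involved; the data flows, not the matcher, are what this shows.
"""
from dataclasses import dataclass, field
from datetime import datetime

HAMMING_THRESHOLD = 8  # assumed sensor-noise tolerance (constructed value)


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two feature codes."""
    return bin(a ^ b).count("1")


@dataclass
class OnDeviceVerifier:
    """Match-on-device: the enrolled code never leaves the handset and no
    record of the check is kept anywhere."""
    enrolled: int

    def verify(self, presented: int) -> bool:
        return hamming(self.enrolled, presented) <= HAMMING_THRESHOLD


@dataclass
class CentralVerifier:
    """Match-on-server: everyone's enrolled code sits in one database and
    each check is a network request the server can (and here does) log."""
    database: dict            # uid -> enrolled code, held centrally
    audit_log: list = field(default_factory=list)

    def verify(self, uid: str, presented: int, where: str, when: datetime) -> bool:
        ok = hamming(self.database[uid], presented) <= HAMMING_THRESHOLD
        # The audit trail of when and where a person authenticated is a
        # by-product of the architecture, not a separate policy decision.
        self.audit_log.append(
            {"uid": uid, "where": where, "when": when.isoformat(), "ok": ok}
        )
        return ok


def run_demo() -> dict:
    """Exercise both designs with one genuine and one impostor presentation."""
    enrolled = 0xA5A5_F0F0_1234_ABCD     # constructed enrolled code
    genuine = enrolled ^ 0b10110         # same finger, 3 bits of sensor noise
    impostor = 0x0F0F_0F0F_0F0F_0F0F     # unrelated code, far above threshold

    local = OnDeviceVerifier(enrolled)
    central = CentralVerifier({"uid-0001": enrolled})
    when = datetime(2016, 3, 1, 9, 0)    # constructed timestamp

    return {
        "local_genuine": local.verify(genuine),
        "local_impostor": local.verify(impostor),
        "central_genuine": central.verify("uid-0001", genuine, "branch-12", when),
        "central_impostor": central.verify("uid-0001", impostor, "branch-12", when),
        "audit_entries": len(central.audit_log),   # one row per check, pass or fail
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Both verifiers give the same accept/reject answers; the difference is that the on-device path holds one template and writes nothing, while the central path accumulates a row per attempt, including failed ones, for every enrolled person.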
On costs being borne by the citizens:
Hosein: We can only hope for debate and deliberation. In the UK the Government did get their legislation and did try to build their system over a 5 year period until the next government repealed it. The costs are always borne by the next politician, the next government, and yes, ultimately the citizens. The risks are ours too. Not the creators of the idea…
Whitley: Good detailed analysis of some of the problems with biometrics and their exclusionary effects can be found in Magnet SA (2011) When biometrics fail: Gender, race and the technology of identity. Duke University Press, Durham.
On additional risks of Aadhaar and it being just another ID:
Hosein: There are many identifiers out there. With modern surveillance systems, our face, how we talk could be used to identify us. Our mobile number is an identifier, but more interesting and useful is our IMSI number for our mobile — it is mandatorily disclosed by our phone to mobile phone towers all the time…
The problem with all of these IDs is that you have no say over them, and they are leaking your information and your uniqueness all the time, making you traceable to anyone who is able to monitor. Our governments should be protecting us from these kinds of surveillance, whether done by agencies or the private sector, in our country or abroad. But instead, governments are spending their time and money getting into the business of data collection.
We need identity systems that empower us and protect our data. UID seems to be making all the wrong decisions on security, no decisions on privacy, and by making it practically mandatory, is taking all the power away from the individual. This is not what Indians need.
On what questions should citizens ask the government with respect to privacy issues, especially in the face of Digital India:
Hosein: This is a fascinating question that I’m still getting my head around. ‘Digital country’ initiatives are massive funding initiatives that end up in wasted money and useless IT. Again, politicians love announcing these initiatives and then waste billions of taxpayers’ money on it. The exchange for their ‘Digital’ initiatives should be that citizens deserve transparency on how their information is going to be used, have a privacy law in the country, and taxpayers need to be kept apprised of how the funds are planning on being spent.
On free WiFi:
Hosein: As for free wifi at railway stations: these networks are often insecure, allow for interception and other forms of surveillance, and can be used to track you over time. If something is free, odds are that someone’s up to no good.
Whitley: The issue with most of these “free” services is that they aren’t really “free” – the most common method of making money is through analysing the data and providing (targeted) advertising. One consequence is that there is normally no reason to tell the truth when registering for the free service.
Hosein: Sadly they don’t need your date of birth and instead grab unique identifiers from your devices or browsers (e.g. IDs or cookies), from your network connection (IP address). So they are still able to uniquely identify you. The solution isn’t just faking out the system. The true solution is a legislative fix: a privacy law.
On things that make you give up your privacy, protecting self and if open source is a better system:
Hosein: Yes, mobile operating systems are key challenges/risks/opportunities for privacy. Android is open, which has its advantages. But the most glaring problems are that i) it is very hard to stop the transfer of data to Google in the process; and ii) most handsets running Android are not updated for security faults.
That is, every operating system and app out there needs to be updated periodically to fix any security holes in the system… Android is a fragmented environment. Most phones are operating very old versions of the operating system, and are as a result very insecure. But it also comes down to the hardware which is not owned by anyone you ever contract with; and is capable of being hacked or leak information…
So what we need are open devices with open hardware, and open operating systems that are kept up to date and patched continuously. This is going to take some investment but I’m optimistic.
On passive surveillance to watch for threats and citizen security:
Whitley: This is probably not an either/or situation, rather one where I would want to know the details of what kinds of “passive surveillance” you are thinking about. Certainly, better policing helps a lot, not least because this is a rapidly changing context – e.g. reports that the Paris attackers were using burner (one-time) phones rather than encrypted messages.
Hosein: I agree with Edgar. The interesting thing to date about those terrorist attacks, is that the individuals were all known to the authorities. Surveillance is certainly a part of the answer. But mass surveillance is highly unlikely to be effective, and it is unacceptable from a human rights and legal perspective… Nonetheless, politicians will likely seek more surveillance powers. Seeking powers is easy particularly after an atrocity. But when there is another attack further down the road, the politicians are not held to account for their focus on surveillance instead of other measures — they only respond with the need for more surveillance. Again, like ID, politicians like pointing to simple solutions and aren’t there to be held to account when their ‘solutions’ fail.
On types of passive surveillance, like people visiting radicalised sites etc.:
Hosein: I don’t have an easy answer to it. How do you create a law that allows only this form of activity? We always see the expansion of purposes in practice. So what starts with ‘radicalised sites’ will soon become other types of sites that you are more concerned about. Such sites are an exercise in religious freedom and freedom of expression. Are you going to be criminalised for web surfing, or is it for actual speech, or just ‘liking’ something? Are you going to be tracked across your professional and personal life because of ending up somewhere on the internet? I’m not sure that is an effective way of doing things.
Authorities draw friendship trees: who knows someone who knows someone who knows someone who may be related to a terrorist investigation. That is already 3 degrees of separation and may include hundreds of thousands of people to investigate. It’s very hard to do that.
On risks of (Aadhaar) being an authentication system:
Whitley: The most obvious risk is the audit trail associated with authentications to the central database (see comment below). The other risk is that, inevitably, there may be some circumstances where “any reasonable person” would see that the biometric data should be shared (FBI / Apple anyone?). To be fair to UID, to date they have resisted any such calls, but if the data is held, inevitably people will try and get access to it.
Hosein: Part of the Snowden disclosures included statements about how intelligence agencies are getting copies of national identity databases of other countries. I don’t know how you can entrust such sensitive information with a single authority that can never keep it secure enough from foreign agencies.
On NSA spying on citizens of other countries, steps for prevention and what steps needs to be taken by India:
Whitley: It is helpful to note that it is probably not that helpful to think about this being THE national policy as this immediately leads to contradictions – THE national policy might be to fight terrorist threats AND THE national policy might be to make the country a good place to do e-business (which requires strong encryption – which runs counter to the first national policy). Often it is different parts of “the government” pushing for these different agendas – did the NSA really think about the effects of their work on the business models for US cloud providers? (e.g. the removal of the safe harbor provisions – “Silicon Valley now ‘illegal’ in Europe: Why Schrems vs Facebook is such a biggie”)
Hosein: The incredible work by Edward Snowden gave us the evidence of what the UK and US Governments were up to (and a bit about others). The challenge is that we discovered they were doing everything they could: they were intercepting vast components of the internet (see XKeyScore and Tempora), they were monitoring activities on social networks (see Squeaky Dolphin), they were hacking entire companies, networks and individuals… The list goes on.
What is actually to be done in response?
1. Demand governments to come clean on how they are secretly interpreting communications surveillance law to somehow undertake all these activities. It is highly likely that every intelligence agency is now undertaking similar activities, if they weren’t already doing so.
2. Demand companies to take extensive measures to protect the security and privacy of your data and communications. Some companies have taken basic steps of, say, implementing SSL in their web server connections. But so much more is needed. Some firms have started to implement encryption more widely — it’s a good start, but they must do so as openly as possible. So you make a good point about closed-source software. Open review of code is absolutely necessary to ensure that it can be trusted.
3. We need to take ownership of the ‘cybersecurity’ agenda created by governments to spy on more communications and interactions; and make it about protecting our devices, our networks, and our information.
4. Stronger legal protections. Again, India needs a privacy law. With that as a foundation, more work is needed across the world to strengthen safeguards in surveillance laws. Privacy is a qualified right; but surveillance can only be done in limited circumstances with strong privacy safeguards. The problem is that governments secretly interpret the laws and loosely implement safeguards. We need to push a reform agenda.
5. We have taken a number of cases against the UK Government and its spying — on all the issues I highlighted above. We are likely to end up soon at the European Court of Human Rights. We’ll get back to you once we see what happens.
Hosein: … Colombia had to shut down its intelligence agency because of surveillance abuses; then we found that the other agencies were re-creating many of these powers. The Ugandan government was making claims around the benefits of hacking the communications devices of the opposition party and protest movements. The Egyptian intelligence agency was buying hacking technology…
Whitley: If NSA etc. have infiltrated the developers of elliptic curve encryption software, then making the software open source doesn’t necessarily help in practice… as appears to be happening in relation to some aspects of privacy (ironically, in a closed environment).
On phone interceptions:
Whitley: If you mean listen in on them, then how would you feel if this was a call where you whispered sweet nothings to your loved one but then discovered that someone else was hearing this as well. If you mean just recording the metadata, then the EFF has some great examples https://www.eff.org/deeplinks/2013/06/why-metadata-matters
Hosein: Governments are not necessarily investing vast amounts of resources in listening in to phone calls; they are gathering metadata (who is speaking to whom, when) and generating metadata (can we understand the language of the call, the mood of the people on the call, etc.) and storing that in a database(s) so that it is possible to do detailed analysis at a later time, e.g. bring up all your call information, all your locations, all your moods over a six-month period because you knew someone who knew someone who knew someone who might have been the subject of an investigation at some point. Finally, to intercept your call and monitor you in any way, it is up to them to provide the justification why it is necessary in a democratic society to do so. It’s not for you to ascertain whether it caused you harm in any way.
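Two of Hosein’s points above, the “friendship tree” of three degrees of separation in the passive-surveillance answer and the observation here that stored metadata (who spoke to whom, when) is enough for later analysis, can be shown with a few lines of graph code. This is an added example, not code from the AMA or from Privacy International; the call records are constructed, and the contact graph, breadth-first expansion and per-number summary are standard techniques chosen to make the reasoning visible.

```python
"""Added example, not from the AMA: what call metadata alone supports.

Constructed call-detail records (caller, callee, timestamp; no content) are
turned into a contact graph. A breadth-first search then lists everyone
within N hops of a seed number, i.e. the "friendship tree" of people who
know someone who knows someone who knows the seed.
"""
from collections import defaultdict, deque

# Constructed records, not real data: (caller, callee, ISO timestamp).
CDR = [
    ("A", "B", "2016-03-01T09:00"),
    ("B", "C", "2016-03-01T09:30"),
    ("C", "D", "2016-03-02T11:00"),
    ("D", "E", "2016-03-03T12:00"),
    ("B", "F", "2016-03-04T08:00"),
    ("F", "G", "2016-03-05T08:00"),
    ("A", "B", "2016-03-06T22:00"),
    ("H", "E", "2016-03-07T10:00"),
]


def contact_graph(records):
    """Undirected graph: two numbers are linked if either called the other."""
    graph = defaultdict(set)
    for caller, callee, _ in records:
        graph[caller].add(callee)
        graph[callee].add(caller)
    return graph


def within_hops(graph, seed, max_hops):
    """Return {number: hop_distance} for everyone within max_hops of seed.

    Breadth-first search guarantees each number is recorded at its shortest
    distance, so 'three degrees of separation' is exactly max_hops=3.
    """
    dist = {seed: 0}
    queue = deque([seed])
    while queue:
        current = queue.popleft()
        if dist[current] == max_hops:
            continue                      # do not expand beyond the limit
        for neighbour in graph[current]:
            if neighbour not in dist:
                dist[neighbour] = dist[current] + 1
                queue.append(neighbour)
    return dist


def reach_sizes(graph, seed, max_hops):
    """How many people (excluding seed) fall inside each successive degree."""
    return [len(within_hops(graph, seed, k)) - 1 for k in range(1, max_hops + 1)]


def call_summary(records, number):
    """'Who spoke to whom, when' for one number, built purely from metadata."""
    out = []
    for caller, callee, ts in records:
        if caller == number:
            out.append((callee, ts))
        elif callee == number:
            out.append((caller, ts))
    return sorted(out)


if __name__ == "__main__":
    g = contact_graph(CDR)
    print("within 3 hops of E:", within_hops(g, "E", 3))
    print("people per degree from E:", reach_sizes(g, "E", 3))
    print("B's contacts and times:", call_summary(CDR, "B"))
```

With this tiny graph, three hops from E already pull in B, who never called E and whose only link is two intermediaries away; on a real contact graph, where each person has many contacts, the same expansion at three degrees runs into the hundreds of thousands Hosein mentions. The `call_summary` output is the kind of record that exists without anyone listening to a single call.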
On what ‘right to privacy’ stems from:
Hosein: Is it a right that enables other rights, or is it a right that must be respected for its inherent value? Or is it about dignity and autonomy (which is true of all the other human rights)? I tried to explore the definition in this piece. https://www.privacyinternational.org/node/54