E-SPEAIT T11 Privacy

From ICO wiki
Revision as of 18:22, 25 January 2022 by Kaido.kikkas (talk | contribs) (→‎For additional reading)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigationJump to search


Back to the course page

Censorship, Privacy and the Internet

"There is nothing new under the sun" (Ecclesiastes)

The first accounts of censorship have been tracked back to Ancient Egypt. Classical Greek and Roman civilizations had it too - the very word originates from Latin, as the Roman censors were special state officials who, among other duties, had to supervise 'public morality' (another duty was keeping track of people, this function reflects in the English word 'census').

Censorship is also mentioned in the Bible (persecution of prophets proclaiming things unpleasant to rulers - a well-known example is John the Baptist). For about 400 years from about 1559 to 1966), the Roman Catholic Church had their list of banned books, Index librorum prohibitorum]. And in turn, the former Soviet Union outlawed all religious literature (similar practices still persist in e.g. North Korea) [1].

The U.S. has always been posing as a model democracy. yet it has a long history of hard censorship - the original Comstock Act (Federal Anti-Obscenity Act) of 1873 (never officially abolished) banned

  • Voltaire, Boccaccio, Chaucer....
  • 1001 Nights (for comparison, this book was counted among “youth literature” in the USSR!)
  • Dr Dolittle by Hugh Lofting (poor Doctor was considered racist!)
  • Uncle Tom's Cabin by Harriet Beecher Stowe (THIS book too)
  • Tom Sawyer and Huckleberry Finn' by Mark Twain
  • ...

Internet censorship is a relatively new phenomenon, starting mostly in the 1990s. The reason for that is likely that Internet stems from radically different roots and culture than censorship hardliners – for awhile, the latter just were not aware of the existence of Internet.

But why is the issue important? Access to information is a condition for being full citizens, limitations put it under question (producing subjects instead). Withholding information is also likely related to power, which in turn is related to money. Freedom of expression and thought is an essential component of a democracy, and censorship is something that puts it in danger. Yet recently, the rise of censorship has been most notable in the “democratic West”.

Terminology plays also a role - the same thing can be called different ways. For example,

  • Filtering => "remove dirt, keep the clean stuff“
  • Blocking => "denying access“
  • Censoring => "(ab)using power to deny access"

(Noteː similar wordplay is often used when talking about intelligence gathering - our side has 'heroic intelligence officers' while the opposite side has 'damn spies'.)


Emergence of Internet censorship

In 1990, the U.S. Secret Service raided a games company of Steve Jackson, blaming the created materials of 'helping hackers' – a reason was the company hiring Loyd 'The Mentor' Blankenship to write the rulebook for a game. During the ensuing court battles, the Electronic Frontier Foundation was founded. In 1993, the Secret Service loses the court case, resulting in 50k damages and 250k legal expenses.

The wider publicity however followed soon in 1995. Even if the “Cyberporn”, the cover story of Time magazine was later deemed to be massively incompetent, it created a lot of discussion and feedback. And most importantly, the advocates of censorship learned that Internet exists.

Main legal initiatives for Internet censorship in the US include

  • The Communications Decency Act (CDA) of 1996 - passed by the Congress, but dismissed the next year as incompatible with freedom of expression.
  • The Child Online Protection Act (COPA) of 1998 – after a long battle, was abolished in 2009.
  • The Children's Internet Protection Act (CIPA) of 2000 – passed as constitutional in 2003. According to the Act, all public schools and libraries are obliged to censor Internet traffic to be eligible to federal grants (noteː while censoring is said to be not mandatory, eating is not either; a large share of the affected facilities actually depend on federal grants).


Defining obscenity

As the U.S. law is largely case-based, the Miller test – named after Marvin Miller, a porn producer losing a court case vs California in 1973 - is still in use to determine if a work is obscene. It uses three-part approach:

  1. Whether "the average person, applying contemporary community standards", would find that the work, taken as a whole, appeals to the prurient interest,
  2. Whether the work depicts or describes, in a patently offensive way, sexual conduct or excretory functions specifically defined by applicable state law,
  3. Whether the work, taken as a whole, lacks serious literary, artistic, political, or scientific value

In fact, obscenity has apparently evolved with the rest of society. In 1972, a stand-up comedian George Carlin recorded “Class Clown”, that included "Seven Words You Can Never Say on Television". In 1973, it was broadcast by WBA station – the ensuing court case went up to the highest level and was finally won by censors (votes 5:4) in 1978.

In comparison, a blogger Patrick Ishmael googled the words from political blogs in 2007, finding plenty...


Another example: China vs Google

A general tendency is that the Chinese adopt Western evils, add national flavour, and push them further. Development of Internet Censorship is no exception, as seen from the timeline below.

  • 1994 – Internet reaches China
  • 1996 – First law on Internet censorship
  • 1998 – beginning of the Great Firewall of China
  • 2000 – all content creation regulated
  • 2002 – Google blocked
  • 2005-2010 – Google offers 'sanitized' services
  • 2010 – Google drops censorships and is gradually reduced to a marginal player in Chinese market, being largely replaced by the local, more "law-abiding" services.


A look at Internet censorship

Among things that can be blocked/filtered online are

  • Keywords
  • Web addresses (URLs)
  • IP addresses
  • Name servers
  • Packets
  • Search engines and portals
  • “Active censorship” (DDOS and other attacks)

It can be implemented in

  • E-mail – the border between censorship and legitimate spam blocking can sometimes be foggy
  • Browsers (via plugins) – ditto
  • Computer – typically takes admin privileges
  • (Local) networks via proxies
  • Search engines
  • ...


Main problems with censorware

  • Do not block everything they are supposed to
  • Do block a lot of stuff they aren't supposed to (mostly words and terms with more than one meaning)
  • Block mostly what the developer (not the user) wants
  • Fall out of date easily (proprietary!)
  • Can be cheated against
  • Slow down the computer
  • Sometimes pose a security risk themselves
  • ... and most importantly, is prone to becoming a tool for power play


They block...

  • Some offensive sites
  • A lot of controversial issues – citizen rights activists, environmentalists, minorities, pro-choice activists, people with disabilities…
  • A great host of bystanders

Many examples include The Scunthorpe Problem - e.g. hillaryanne@hotmail.com (contains "aryan"!), assassins (contain two "asses"), Tyson Homosexual (a 'conservative' web filter substituted 'homosexual' for 'gay', also renaming the American Olympic sprinter by accident).

Note: U.S, Middle East, China and Russia all block a lot, but quite different things. And given that all censoring works largely in excess (false positives are by far more common than false negatives) and there is still one Internet, "biting from all sides" may reduce access significantly.

Common countermeasures to Internet censorship include

  • VPN (Virtual Private Networks)
  • Proxy servers
  • Crypto
  • Sneakernet (using actual people to courier information on physical media like USB sticks)

The bottom line: censorship (also in the more general sense) is only effective with large-scale public ignorance - it only works if enough people are unaware, unknowing or uncaring.


Privacy: the old-timers had it easy

Before the days of hi-tech, privacy was rather easy to obtain - one had to go away from others and just keep an eye out for stalkers. Things went more complicated as distance increased - things like intercepting couriers, secretly opening letters, decoding secret messages etc existed long before IT. Today, we have uni- and bidirectional microphones, parabolic antennas, laser interferometers and other fancy stuff - and privacy is rapidly disappearing.

In times of old, it was really difficult to capture uttered words - the only way was to set a word against another (e.g in a court of law). But after a while, they started to be written down. And then secretly recorded (at first in writing, later in sound).

In ancient Jewish laws[2], there were prescriptions for privacy of home, e.g. building one's neighbour-facing window at least four cubits away (higher or lower) from his window; in addition, the law prohibited snooping at others [3]. Later legal systems introduced

  • right to autonomy, i.e. being left on one's own
  • right to control information about oneself
  • right to keep secrets and forward them in a controlled manner
  • right to solitude, intimacy and anonymity

Privacy is also separately mentioned both in the Universal Declaration of Human Rights from 1948 and the International Covenant on Civil and Political Rights from 1966 (interestingly, the U.S. only adopted it in 1992). Yet when we look at the situation in today's world, most of the points above are to be taken with some reserve.

The perception of privacy also depends on cultural context and traditions - e.g. in Japan, people are used to live in a compact manner (due to long history of dense population), for someone used to sparse population and a lot of personal space (e.g. people from Nordic countries) it may feel as a privacy violation. In some cases, privacy is limited also by

  • the person's own choice (e.g. celebrities)
  • comfort (e.g. internet banking - while handy, it requires identification to be used)


Privacy and Internet

Looking at the history of Internet, we can distinguish several stages which also brought along different levels of secrecy:

  • military network - top secret
  • research network - some secrets
  • education and NGO's - not many secrets (the "lost golden age" for some)
  • business (starting from 1991) - some secrets again
  • everyone (the Age of Facebook) - personal information

There is a paradox regarding online privacy - on the one hand, it makes impersonality and pseudonymity (in some cases also anonymity) much easier to achieve. On the other hand, there is always a risk of interception and surveillance - and there is no way to be certain (as intercepted/snooped information does not generally differ from its "pure" form, or the differences are difficult to find). Thus, privacy on Internet is a bit like the One Ring in Tolkien's "Lord of the Rings" - it turns the wearer invisible, but can betray him/her at the worst moment... And the history of Internet knows many Isildúrs.


My home is my castle

Privacy in any medium must have two qualities:

  • authenticity - the message really comes from the source it claims to be originating from.
  • integrity - the message arrives in exactly the same form as it was sent, it has not been tampered with.

Compared to traditional (physical) privacy, the online setting has the following:

  • the situation is harder to control.
  • there is mostly just the hindsight.
  • everything can be used against you - directly or indirectly, right now or years later (most people do not envision running for Parliament in ten years, but some of them actually will).
  • identity theft is easier, the consequences can be even more dire than before.
  • legal protection is weaker - legislation is reactive and conservative by essence, technology in contrast is dynamic and sometimes foolhardy; thus legislation tends to fall behind in nearly all aspects of information society (especially evident in the "intellectual property" issues).


PIBKAC

(the acronym in its various forms should be familiar for security students...)

Many problems stem from privacy becoming a source of business. From very early days, there have been two camps:

  • those who subsist on maintaining privacy (bodyguards, network administrators)
  • those who subsist on violating privacy (spies, thieves, spammers)

And cooperation between these (playing over the head of the unsuspecting target) is not unheard of.

An example of the human factor is a well-known political scandal in the White House. The main heroine phoned to a co-worker who secretly recorded the calls. In this case, added security to the channel would likely have had adverse effect - the sense of security would probably have resulted in an even more open talk that the real "leak" at the other end would have quickly made use of. Similar things are often seen in online communication as well.

It should be noted that collecting information is neutral by itself - but its use may have a very different outcome. For example, a person's health history can be used by

  • his/her doctor - nobody would really object
  • a business unrelated to health services (e.g. a mobile provider) - many would shrug "what would they need it for?", but some will definitely be concerned
  • a bank - may result in denying a loan or having worse conditions than others due to "perceived larger risks"
  • advertisement agencies - can result in strange situations [4]
  • spammers - like the previous, but in even more obnoxious manner, and can also connect to the next category
  • scammers and other criminals - a despicable fact is that most large disasters (e.g. Fukushima or the 2020 coronavirus pandemic) breed a large number of scam schemes trying to make money on people trying to learn about their loved ones nearby. Alas, one's health history can be a good starting point too.


Google in San Francisco, 2006

Proponents of cloud computing, e-society and ubiquitous computing have created compelling visions of the e-society of the future where connectivity is as universal and free as the air we breathe. At the first glance, Google wanted to take a step towards this future in 2006, when they proposed to cover the entire city of San Francisco with free wireless networks. The only small caveat - the company wanted to keep the right to collect information from the networks (about the activities and location of people) in order to offer 'context-based advertising'.

At first, the prospect of receiving a discount ad from the pizza bar nearby as soon as I sit down with my laptop in a public park is not bad at all. After all, advertisement is everywhere anyway, and if I occasionally find something useful with it, the better...

But again, there are two main concerns:

  • privacy - does anyone (which may soon become everyone!) need to know where I am at any given moment?
  • surveillance - security in such a network depends on constant surveying of the activities.

The San Francisco network project was not completed - but for reasons other than privacy.


Digging deeper (and waking the Balrog?)

Collecting information is increasingly easy in fully legal ways. It is possible to register even the smallest missteps, storing it is easy as well. Seemingly innocent cell phone pictures from a student party years ago may turn into a serious weapon in elections - even if at the time of the event, neither side could imagine becoming "somebody important" so soon. And sometimes, mere hinting of some compromising material is enough to derail the opponent - and the fact of hinting will be next to impossible to verify.

Data mining may have started as academic discipline, but has quickly bred "dark-side" applications too. In the hectic days of early 90s, the freshly independent Estonia had an urgent need for all kind of databases and registries (these were the golden days of IT students having mastered dBase and FoxPro). There was a young programmer who was employed by several institutions and companies, including banks, police, traffic authority etc. Predating official cross-institution databases by several years, he managed to compile a "super-database" containing various information (from car license plates to credit standing) about thousands of citizens. The bases were sold illegally for 30-50 thousand Estonian crowns (likely equal to a comparable sum in Euro nowadays) and were secretly used by many businesses. However, this was before the e-services and infrastructure of today - what took shady connections and illegal information back then can now be mostly done just by googling.


Privacy or comfort?

Perhaps the greatest threat to privacy and security is comfort. Locking a door, setting a car alarm, entering a computer password - all these are little nuisances. Most people do understand that they are necessary nuisances - but they often try to minimize the frustration (e.g. leaving a password or a PIN blank or keep the default one). And especially in the today's e-society, many not-that-secure technologies and practices have prevailed over better alternatives due to comfort:

  • any mobile phone (as a radio device) call can essentially be intercepted
  • laptops used by ignorant people are vulnerable in many ways
  • use of public computers (in a hotel or Internet cafe)
  • open or weakly secured wireless networks (note: properly maintained open WiFi can be rather safe to its owner - but not necessarily users)
  • a large share of social media (including Facebook)
  • ...

Dossiers and digital enclosure

As the computing power increases, processing and systematizing information becomes easier in increasing volumes. When in the old days, storing everything was out of question as both processing power and storage were expensive, today we see more and more detailed data collected "just in case". Customer databases of many companies get nearer in detail to court dossiers (resulting in what can be called the "Dossier effect") - and the government is not innocent either (as exemplified by several recent scandals - but similar activities do have a way longer history).

The term "digital enclosure" was initially used by Mark Andrejevic, a scholar from the University of Iowa, US. He derived it from a historical process - enclosure of community land (commons) into private ownership in the 18th-century England. In the digital realm, a digital enclosure is an interactive space where every action also generates a transaction, or information about the action ("digital footprint"). Entering a digital enclosure implies a) disclosing (increasing amounts of) personal information and b) accepting some form of surveillance. And again, the problem is comfort - its owners strive to make entering a digital enclosure so easy that people give up thinking.

Mobile phones (in their different forms and technology) constantly position themselves. It has ethical, legitimate uses (e.g. finding an elderly woman lost in the woods by positioning her phone) as well as gray areas and rather "dark" ones (e.g. various sources suggest that Russia assassinated Chechen rebel general Dzhokhar Dudayev by positioning his satellite phone, similar things are told about some events in Israel).


“Use the Force, Luke!”

The e-society does have both the Light and Dark side. Citizen democracy, e-inclusion of minorities etc are the former, while the latter have many faces:

  • massive surveillance
  • uncontrolled gathering of personal data
  • solipsism and hedonism - promoted by many services online; this kind of person is very easy to manipulate both by businesses and state
  • impersonalization of relationships - both on human and business levels

And there are both the Jedi and the Sith online...


The Big Brother

The "mass society" (as defined by some sociologists) had a lots of issues, but it also had one advantage - it allowed motivated people to "fly below radar", hiding among the crowds. It is getting increasingly difficult today. Many of the modern hardware and software "call home" (including all proprietary operating systems, also on "smart devices" [5]). Getting and installing software used to be a private endeavour - not so anymore. Most of all in proprietary systems, but even many well-known free and open-source software systems have opted for central repositories and installations. Again, in the name of comfort...

Coming back to the Estonian "super-database" case - today, there is a number of large corporations (mostly in the U.S.) whose business model is exactly the same (examples include LexisNexis, Equifax, Acxiom and others). The personal information is turned into private property (trade secret) that is the more valuable the more detailed it is. See http://www.bigbrotherawards.org for some additional reading.

(An idea to think about - is there any information at all that would be rejected by the gatherers: "Sorry, this is of no interest for us."?)


Asymmetric loss of privacy

In "old-school" network communities (Usenet, mailing lists, talkers, MUDs...), surveillance existed too. However, it was generally transparent and rather symmetrical (while admins watched the community, they were also under the surveillance of commoners and gross misconduct would have likely resulted in punishment). Today, one of the core questions is "Who watches the watchmen?" - while commoners get more and more transparent (as most of their information becomes available online), different agencies and corporations guard their secrets more closely than ever.

As a kind of sad irony, there have also been attempts of community-based surveillance online - an example is checkmymate.com (an archived copy from 2004, it was online in 2001-2007). Basically, people agreed to build a prison for themselves ("but hey, they invited us to participate!").

An interesting thing to watch is probably the most famous advertisement by Apple, launched during the U.S. SuperBowl 1984 [6]. It depicts overthrowing an Orwellian, totalitarian society with the help of Apple products... Today, we probably look at it as a kind of sad irony.


Conclusion

On the one hand, Internet censorship, just as its offline counterpart, is above all an instrument of power. On the other hand, it is effective only if the majority of population is ignorant and/or uninterested. Censorware does not work - it is by far too clumsy and inefficient (so people who actually care about children should teach them responsible online behaviour rather than blocking their access).

Internet has two qualities that are the main source of concern here:

  • it allows surveillance of others without them knowing, and
  • to collect, process and store increasing volumes of information over increasingly long periods

Privacy is largely an agreement between consenting adults. The reality of Internet is however different (if the chairman of a well-known company claims that there is no such thing as privacy...). The result is constant struggle between freedom and security instead of them cooperating to find a point of balance. One could say that the key is awareness without sinking into conspiracy theories. The best antidotes for digital enclosures and other unwelcome processes are

  • disclosure
  • discussion
  • people willing (and having time) to think


Study & Write

Choose and describe two interesting cases in your blog article - one about online censorship, the other about privacy. Noteː it is recommended to pick cases not already mentioned in this text, but if you find good additional references, it is not forbidden.


References

For additional reading

Back to the course page



The content of this course is distributed under the Creative Commons Attibution-ShareAlike 3.0 Estonian license (English: CC Attribution-ShareAlike, or CC BY-SA) or any newer version of the license.