15 January 2020

Online surveillance for our „common good”

Liviu Ioniţă

Companies using the online space for most of their activities have a business model based on employees’ individual surveillance, a model which can significantly interfere with humans’ rights and liberties. One can therefore say that governments should protect their employees against abuses from corporations, adapt and update laws on data privacy and firmly apply the existent ones. Furthermore, some countries- US, United Kingdom and Australia- think that citizens and societies are in danger because of the way big companies with cyberspace activities are deliberately projecting their systems to stop any kind of access to content. Hence, some questions arise. More surveillance from private companies or the extension of state’s power in surveillance? Who benefits from this surveillance? Is it a private or public business?

Image source: Mediafax

When private data becomes public data

Each of us generate, daily, a great quantity of online data, and this activity is tracked by browsers and websites belonging to different companies, as online services are dominated by the Big Five: Apple, Amazon, Google, Microsoft and Facebook.

These IT technology giants are using users’ data to develop their businesses and governments have to enhance regulations on how these data are being used. This is what Yael Eisenstat, former CIA officer and former special adviser for national security to vice-president Joe Biden stated in September 2019, at the D61+ Live conference, from Sydney.

Einsentat, who led, for a short period, Facebook’s integrity operations, thinks that how online companies are using available data on their platforms’ users can lead to the polarization and misrepresentation of the civil speech, which could be a significant threat for national security.

Their business model is exploiting personal data to allow advertising agents to present filtered versions of the truth and manipulate with hyper-personalized advertisements, which can have false information.

In a 60 pages report, published on November 21th 2019, called Surveillance Giant, the Amnesty International organization sees Facebook’s business model as based on surveillance, which is incomparable to privacy right.

Given that Facebook and Google are facing questions on data collection policies and how their allegedly uncompetitive practices could impact users, Amnesty International insists that they change their business model, arguing that it is prone to abuse, that it represents a systemic threat to human rights. Giants in surveillance threaten freedom of expression and opinion, freedom of thought and the right to equality and non-discrimination.

The human rights organization calls on governments to review regulations to ensure that people are not being pursued by advertisers or third parties. People are accessing the public space under Facebook and Google conditions, are subjected to ubiquitous surveillance equipment, and some data is used for manipulation and influence. The business models of online companies force the users to make a faustic negotiation: you obey these conditions or you give up the benefits of the digital world.

Facebook-a huge threat for a huge company

According to Amnesty International, part of the problem is that these companies have become too big, and the decisions they make - for example, to direct public discourse, collect information on people's health or allow politicians to advertise – have consequences all over the world. As long as these companies rely on ads to make money, users’ data will be their preferred exchange currency.

Google and Facebook’s business model is primarily based on collecting and storing vast amounts of data about people. These companies are not only collecting this data, but also use it to create user profiles. The platforms are based on state-of-the-art artificial intelligence and machine learning tools that can deduce incredibly detailed features about humans. The wholesale nature of data collection on Internet is considered ubiquitous surveillance (Bruce Schneier), in practice, which means that people are constantly being watched when dealing with their day-to-day online business and more and more in the real world.

This collection and analysis of personal data on such a scale is incompatible with the right to privacy, the right to control information about ourselves and the right to have a space where we can freely express our identities. This approach may allow aggressive advertising tactics, but may also be used for political purposes.

Facebook is being asked, for some time, to end the end-to-end encryption, a system wherein only the users (sender / receiver) involved in the communication process can read the messages, which, in principle, prevents a third party from being able to access the cryptographic keys needed to access the conversation. Therefore, the companies that use this process are not able to send the authorities texts of their clients’ messages, these being accessible only to Facebook.

Australia, the United States and the United Kingdom have asked Facebook, in an open letter from October last year, to withdraw their encryption plan, unless they find a way to provide law enforcement with the opportunity to legally access to messages. It is considered that designing the systems deliberately to prevent any form of access to content puts citizens and companies in danger of exploitation and abuse, terrorism and external interference.

The company denies that its business practices violates human rights principles and disputes the fact that its business model is based on surveillance, claiming that users voluntarily accept this service. Following the Cambridge Analytica scandal, Facebook has agreed to pay a record $ 5 billion fine and has agreed to review its privacy practices. It also pledged that it would impose stricter rules on political advertisers before the 2020 election, as part of their efforts to enhance transparency of advertising.

What was Faceook’s response? How about governments’ reaction?

Facebook said No to the letter of the three governments, with all due respect for law enforcement and the need to keep people safe.

On the other hand, it seems that governments are not too good at protecting rights when it comes to citizens’ personal data, and many countries are trying to increase control over the information processes subsequent to the Internet.

In the US, the National Security Agency Office of the Inspector General (OIG) has published, at the end of last year, a study on how the requirements for keeping SIGINT data are being followed - phone calls and online communication -, requirements established by statute, national policies and court orders and which vary according to the authority that performs the storage. The OIG report reflects significant non-compliance risks of the National Security Agency with the legal and political requirements for keeping SIGINT data. Following the verifications carried out by the supervisory and control structure at the National Security Agency, it resulted that a significant percentage of the data collected by the Agency crosses the legal limits.

Also at the end of last year, in Russia the law of the sovereign Internet that allows blocking contents in an emergency situation came into force and resident Vladimir Putin signed a normative act that prohibits selling equipment without pre-installed Russian applications.

Countries such as China, Iran and Saudi Arabia have already restricted their citizens’ access and how they can communicate with each other over the Internet, and it is assumed that Russia's project will also allow the state to filter the communication content through its own technology censors.

In fact, in Russia, an unprecedented mechanism for locating personal data had already been adopted in 2015 - after the government amended the Information Law no. 242-FZ - mechanism that prohibits achieving personal data of Russian citizens abroad. As a result, foreign companies operating in Russia were forced to store personal data of their users or customers, Russian citizens, on servers physically located in Russia.

Operators must notify the Federal Communications, Information Technology and Media Monitoring Service (Roskomnadzor - body responsible media and telecommunications censorship) about the location servers where personal their data is stored. It has been introduced a new legal status, called the Organizer for information’s dissemination on the Internet, which refers, loosely, to anyone associated with Internet services, anyone who offers services that allow Internet users communicate with each other. Anyone who is determined to fall under the definition of Organizer must notify Roskomnadzor on data storage and cooperate with law enforcement agencies (largely the Federal Security Service), granting them, upon request, access to the data warehouse data.

To amendments of the Federal Law no. 242-FZ there were added, in mid-2016, other controversial changes to antiterrorist laws, known as the Yarovaya law. According to this legislative package, organizers of the Internet information distribution, the telecommunications providers, must store the contents of voice calls, data, images and text messages for 6 months and metadata for 3 years and give the Federal Security Service access to the online services ( messaging, e-mail and social networks), upon request and without a court decision.

And at the end of 2019, it reached the highest point of multiple attempts to develop laws on the Internet and modify Russia's local Internet infrastructure: the government announced that it had completed a series of tests whose purpose was to verify whether country's Internet national infrastructure - RuNet - could operate without access to the global DNS (domain name system) and the external Internet.

Thus, the state will have the power to disconnect the country from the rest of the Internet without too much explanation, for national security reasons, it will be able to block the content without legal consent, without the users knowing what information is blocked and why. All local Internet service providers redirect Internet traffic through strategic government-led selections, chokepoints that can also function as an Internet surveillance device, similar to China's Great Firewall technology.

In a different state, this time member of EU, on January 14-15, the Federal Constitutional Court will hold a hearing on the Federal Intelligence Service (BND) law, Germany's external intelligence agency.

The BND law came into force in early 2017, Berlin taking the decision to reform the law after the intelligence service's dubious practices came to light following the 2013 NSA / Snowden scandal. The normative act was an important step toward BND attribution for global mass monitoring of Internet’s data traffic.

The hearing takes place after an alliance of five media organizations and for the defence of civil rights filed a constitutional complaint before the court to challenge BND’s supervisory powers.

In behalf of national security, governments access citizens’ personal data and try to control how their citizens communicate.

In this context, Five Eyes member states’ intention to persuade companies to opt out of end-to-end encryption raises concerns about protecting social media platforms users. Concerns are considering the fact that a possible encryption elimination will open the door not only to domestic violence, identity theft and other scams, but also to attempts, at the level of state actors, of interference in social-political life, for example, in democratic elections. Using end-to-end encryption is not just a barrier for hackers from anywhere, but also for government agencies.

Personal data and the right to have it

Given the quick technological developments in data collection and analysis, the increasing number of almost unlimited intelligent data storage devices and the emergence of artificial intelligence is transforming the way intelligence agencies operate, endangering civil liberties, therefore we need transparency and  law limits in terms of these technologies (Shay Hershkovitz, former professor at Tel Aviv University, expert in intelligence studies, geopolitics and advanced research methodologies, research director at XPRIZE non-profit organization in California). In the near future, where information will be transmitted from every car, every home and even from heaven, if we really want to find out how information will look like, we need to look outside the national security institutions, to explore not only what governments do, but also what happens in the sector and academic field (Shay Hershkovitz).

IT Companies with IT technlogy have access to a great amount of personal data. Information agencies can collect and sort information on a massive scale and need to decide what information they store and for how long. The widespread communications surveillance has generated public awareness of the risks of digital technologies confidentiality loss and society’s increasing dependence on them. Organizations responsible for protecting citizens must ensure that basic rights and confidentiality are not compromised.

Who owns personal data and does it use it? Companies? Government structures?

Andrew Yang, a Democratic candidate for the US presidential preliminary elections in 2020, but less likely to win his party's nomination, considers individual property rights to personal data as part of the solution and suggests substantial changes to US’s data privacy laws. Andrew Yang has published a policy proposal that requires personal data to be treated as proprietary.

He thinks the answer to who owns the data is, in fact, neither the controller, nor the processor. The individual must be the one who holds the data.

The competition between big technology companies and the government in storing, accessing and manipulating personal data is still unfolding in a context where it is not clear who will have the supremacy over a good that, it seems, has become more valuable than oil (Andrew Yang).

Translated by Andreea Soare