Category Archives: Privacy and Surveillance

The Illusion of User Choice

CEOs like Alphabet’s Larry Page and Facebook’s Mark Zuckerberg have repeatedly claimed that users have choice. That we choose which information to share, and therefore control our data.

This narrative is misleading, and here’s why.

Privacy settings

Privacy settings only cover a small portion of our data. They allow us to explicitly choose “yes” or “no” in relation to a predetermined subset of our data, excluding all other types of data that companies make money out of.

Regardless of whether you use Google and Facebook or not, these companies collect information about you anyway. Most websites on the internet use Google and Facebook tracking technologies, allowing these companies to track our online activities. Facebook may not sell our personal data individually (as Zuckerberg repeatedly claimed this week), but they sell access to our aggregate data: the types of information that group us, profile us, and make us a target of advertising. All such data expands far beyond the choices we can make via privacy settings.

By arguing that privacy settings provide us control over our data, internet companies are essentially implying that only a subset of our data deserves protection, while all our other data is fair game in the data industry. This argument also appears to be an attempt to exempt internet companies from their responsibility, and to place the responsibility of data protection on the user.

The opportunity though to make explicit choices about our data (and to therefore have control over and be responsible for it) is more often the exception, than the norm.

Terms of service: Take it or leave it

Most of our data is processed (and analysed, shared, retained, disclosed, etc.) on the basis of terms and conditions, which we cannot easily negotiate. When we use online services, companies can use our data for any purpose that can be justified on the basis of their corporate interests. This means that our data can be used as part of profiling, marketing and advertising.

During the Facebook hearings earlier this week, U.S. Senators complained about Facebook’s terms of service being “too long” and written in “complicated English” for the average user. The main problem, however, with the privacy policies of most internet companies is that they are too vague in relation to our data and fail to answer a number of key questions adequately, such as: Who are the mysterious “third parties” that our data is shared with and disclosed to? Which information is shared with and disclosed to them? How exactly will our data be used and why? How and why will its use be re-purposed? Which information is tracked and collected when we visit third-party websites? Which information is used for marketing and advertising purposes, why and how?

Answering these questions may be challenging for a number of reasons. A lot of this probably depends on the types of services, the users and the data they generate (directly and indirectly). The data industry consists of a long chain of diverse companies who aggregate, buy and sell different types of datasets. As a result, it’s likely the case that not even these companies can determine what will ultimately happen to our data once it’s sold, shared or disclosed in aggregate to other third parties who in turn have different policies, comply with different laws and have different customers. In other words, tracking the secondary, repurposed use of our data once it has been aggregated and sold in the opaque and seemingly endless chain of data brokers can, at best, be an inconvenience and, at worst, unattainable.

But if internet companies are going to place the responsibility of data protection on the user, they should be prepared to answer these difficult questions. With their vague privacy policies and terms of service, they instead argue that if we are not comfortable with their data processing practices, we should simply refrain from using their services altogether. It’s pretty much a “take it or leave it” situation.

Realistically though, can we refrain from using the most popular internet services?

The Network Effect

What makes leaving (or refraining from using) popular internet services so difficult is what is called The Network Effect: the value that these services have because many people use them (including your social networks, such as your friends, family, and colleagues).

How easy is it to connect with friends and to find out about events if we’re not on Facebook? More and more companies – including our banks and potential employers – rely on online social networks to verify our identities and/or to check our credibility. The online “public square” is provided by companies like Twitter. If we choose not to use these services, are we effectively being excluded from public discussions?

The Network Effect appears to be a symptom of a race between internet companies to monopolize services. Because few alternatives to their services exist, more people end up using them, they accumulate value and The Network Effect is (almost) unavoidable. In some cases, alternative services may not even exist or are unknown outside of niche tech circles. None of this is a coincidence. Internet giants, like Alphabet and Facebook, work hard to buy their competition. A mere look at Alphabet’s acquisitions and investments over the last decade shows that they bought many startups that could have posed competition to their services. Similarly, Facebook bought some of their competitors, such as Instagram and WhatsApp.

What is concerning though is that it seems like their competitors want to be bought. Apart from the monetary value of being bought by a multi-billion dollar company, there is also the social value – the prestige – of being bought by them. Many startups are considered “successful” if they are eventually bought by the likes of Alphabet, even if this contributes to a less competitive market and fewer alternative services. This is precisely what makes companies like Alphabet and Facebook so powerful, and “user choice” questionable.

If alternative services barely exist and our societies use and rely on the services provided by internet giants, is opting out of their services even an option? And even if we do choose to leave such services, what choices can we make for the protection of our data? Is it even possible to protect our data, given that most websites on the internet use tracking technologies owned by internet giants?

Data Responsibility

Internet companies place the responsibility of data protection on the user because it is convenient (and profitable) for them to do so.

We can argue that internet companies should protect their users by default, and perhaps if most of their users demand such protection (and start boycotting their services) they’ll have some incentive to do so. But the reality is that the foundation of their business model relies heavily on our data, and so they’re more likely to provide “cheap protections” to make us happy.

We can argue that governments should apply stricter regulations, but the reality is that many regulators struggle to understand the complexities around the data industry and how the internet works. Even experts struggle to understand these things.

So if internet companies and governments realistically can’t (or lack the incentive to) protect our data adequately, who will?

We can take matters in our own hands: install ad blockers, use search engines like DuckDuckGo instead of Google Search, use Tor browser instead of Google Chrome, use Etherpad instead of Google Docs, use Riseup instead of Gmail, use Signal instead of WhatsApp, and the list of alternatives goes on. But is this enough?

The problem is that some of these alternatives don’t work as well (or don’t offer as many or as great features) as the services offered by the internet giants we’re all used to. Many of these alternative, privacy-enhancing services are poorly funded and lack resources – especially in comparison to multi-billion dollar internet companies, like Google or Facebook. And the reality is that many of us need great services in order to get our jobs done. We also need services that the rest of our friends, family, and colleagues use. Switching to solely using alternative, privacy-enhancing services is an inconvenience and a privilege that many can’t afford (due to lack of know-how, the Network Effect, etc.).

But this issue requires much more than individual actions.

The Data Problem

The Data Problem is societal. The fact that your data is being collected, analyzed, and sold without your knowledge or explicit consent is a problem. But the bigger problem is the analysis, use, and sale of aggregate data. Or to put it differently, the clustering of society, the profiles that internet companies create about groups and communities within societies, and the algorithmic discrimination that comes with that.

The Data Problem is structural. We live in a world where our daily lives rely on internet services, which in turn rely on the data generated by our daily lives. This feedback loop ends up handing more and more power over to companies that have no real social responsibility. In this type of world, can “user choice” be anything but an illusion?

Privacy used to be about secrecy, but over the last decade (with the boom of internet services), we have come to redefine privacy as “control over data”. Has the time come to re-think this privacy definition again?

The idea that privacy is the core objective of data protection is quite individualistic. It assumes that harm can mainly be posed to the individual and its rights. While this can be true, my main concern is the harm that the data industry can potentially cause to societies. The algorithmic clustering of society into groups and profiles, and the discrimination that can result from that. The power that companies – who weren’t elected and who bear no social obligations other than to please their customers – are accumulating every day. The shifting power dynamics and their consequences on groups and societies at large.

With the narrative of “user choice”, internet companies are diverging our attention from the real problem: their power and influence on society. The Data Problem is not so much about your personal data, but about how all of our data in bulk feeds this new Infocratic System.

7 reasons not to shrug at the Snowden revelations

geopolitics

Two years ago as of today, Edward Snowden started leaking confidential NSA documents which illustrate that a global surveillance ecosystem is being built right under our nose. Whether we like it or not, we are all part of it and it is limiting our control over our data and our lives.

Read this blog here.

Publisher: Tactical Technology Collective

Publication date: 5th June 2015

Nothing to Hide? Asking the Wrong Question!

wrong-question

It’s been two years since Snowden started leaking thousands of confidential NSA documents which illustrate and prove that the communications of almost all citizens around the world are under surveillance through a “collect-it-all” strategy. Yet, instead of questioning the legal and ethical dimensions of spying on the private communications of millions of citizens around the world, agencies narrowed the debate, arguing that “if we have nothing to hide, we should have nothing to fear”.

The problem with this debate is that we are asking the wrong question.

Read this blog here.

Publisher: Tactical Technology Collective

Publication date: 4th June 2015

Nothing to Hide? Stories our Data Tells About Us

magic open book of fantasy stories

Almost everything we do online is constantly being collected, analysed and processed by algorithms. Is it really up to us to decide if we have “something to hide”? Or is it up to data analysts…and their data mining software?

Read this blog here.

Publisher: Tactical Technology Collective

Publication date: 3rd June 2015

Nothing to Hide? Almost Nothing to Control

hide-and-seek

When confronted with questions around corporate and government surveillance, many argue that they have “nothing to hide”. However, this implies that individuals have sole control over their own data, which might not always be the case due to the business model and the infrastructure of the internet.

Read this blog here.

Publisher: Tactical Technology Collective

Publication date: 2nd June 2015

Why I refrained from joining Twitter all these years…but joined in the end nonetheless

It’s 2015, I’m a twenty-something-year-old and somehow, I’ve never had an account on any social networking sites…until now. Did I live in a cave all these years?

Like other privacy activists, many considered me paranoid for years – and in some ways, perhaps rightfully so. After all, unlike my peers, I never had a Facebook account. I never had an account on MySpace, Twitter, or on any other social networking site for that matter. Somehow, not even my global nomadic lifestyle over the last years has not been a strong enough incentive to get me connected on social media. Why? Well the idea that information about me would be owned by a corporation and available on a platform which would enable potentially anyone, anywhere around the world to view simply freaked me out.

4257136773_5634a21fa2_z

by bark on flickr

Would I tell random strangers my address? No. Would I tell them who my friends are? No. Would I share my personal pictures with them? Hell no. And handing over all this information for free to a corporation which, in turn, would sell it to multiple other parties without my knowledge or informed consent simply did not make any sense  to me. As a result, I spent all of my life (until now) being the weirdo who’s not on Facebook or any other social networking site. And in no way have I regretted or re-considered joining platforms like Facebook. Twitter, though, is quite an interesting case, I think.

Many privacy activists today – if not most – have accounts on Twitter. For quite a while, this struck me as a huge paradox and here are some reasons why:

1. Like other social networking sites, Twitter makes money out of our data
2. Twitter shares, sells and discloses datasets to multiple, unknown third parties
3. If users don’t use anonymity software, like Tor, Twitter knows their geographical location
4. Twitter can potentially map out its users’ real-life social networks
5. Users’ tweets and retweets can show and map out their interests
6. Users’ tweets and retweets can show and map out their thoughts (and sometimes even their emotions)
7. Users’ retweets can show and map out who they likely follow and, hence, are interested in and/or are associated to
8. Analytics on Twitter datasets can show and predict how individuals and groups are likely to behave
9. Even though Twitter supports Do Not Track, Twitter is able to track most of our online activity anyway through the inclusion of its button in most websites
10.  Every tweet is a public statement to the world – how easy is it to remember that across time?

302930614_267682af28_z

by ItzaFineDay on flickr

The world is being digitised and, unfortunately, independent online public spaces for free speech on a global, mass level do not exist yet. Free speech and the free, uncensored sharing of and access to information is a vital component of any free society. However, the transition of societies from the offline to the online domain has been a challenge for all, and particularly for governments. Traditionally, governments have been considered the main actors that are responsible for responding to citizens’ needs. Over the last decades though (and arguably way longer than that), most governments around the world have failed to meet citizens’ needs adequately due to lack of resources, interests and various other reasons that I will not analyse in this blog.

Similarly to governments, corporations aim at responding to citizens’ needs. Unlike governments though who are supposed to serve the public interest, most corporations serve their own financial interests. When governments around the world failed to meet citizens’ need for an online space which would serve free speech and the free dissemination of information, corporations, like Twitter, jumped to serve – and profit out of – this need. As a result, Twitter has monopolised the online public sphere for free speech to mass audiences. And who can blame them? From a business perspective it makes sense and it only reflects governments’ incompetency when meeting the digital needs of their citizens.

But it’s important to remember that Twitter is a corporation and like most companies, financial profit is at the heart of its interests. And in some – if not most – cases, such interests might not serve public interests and the overall well-being of societies. After all, Twitter’s business model is largely based on advertising, which is supported through the segmentation and profiling of individuals and groups. Data segmentation can not only lead to social stratification, but also to social discrimination. While we might innocently tweet articles, news, throughts and ideas which we consider to be important to the world, an entire data industry is aggregating our data, matching patterns and creating profiles about us – which may or may not be accurate. Regardless, if algorithms determine that we belong to a specific data segment, various actors (advertisers, insurance companies, banks and maybe even governments) take decisions which might influence our lives in direct and/or indirect ways.

2920562020_c5f09e510f_q

by Tom Woodward on flickr

Most of this happens behind the scenes. The architecture of the internet is designed in a way which prevents us from knowing which specific parties are collecting and aggregating our data in any given moment. When we access websites, for example, various companies are tracking our online activity through the use of cookies and other tracking technologies. They then subsequently share this data with other parties, who in turn share it with others, and the chain of third party actors who ultimately gain access to our data appears to be quite endless. No doubt, one these actors is Twitter and a project I work on (“Trackography”) shows that it is one of the top 5 companies globally which track individuals’ online activity the most. So why support a tracker by joining its social networking site? Why support an actor which spies on citizens’ lives for a living?

8166723408_35b5e8167d_z

by Marines on flickr

Twitter can be very empowering. In fact, it can arguably empower citizens in ways that most governments throughout history have not. After all, when have citizens in the past had the opportunity to instantly and independently express their opinions and ideas to the world…at the click of a button? When have citizens in the past had the opportunity to choose the types of news from around the world that they want to read and to receive such information instantly, all in one platform? When have citizens around the world had the opportunity to instantly find and connect with other citizens who share the same passions and interests? No doubt, Twitter can be extremely empowering…but it can also be quite dangerous.

When we have the power to instantly make public statements to the world, we also have the power to instantly expose ourselves to the world. Publications on more traditional platforms, like newspapers, magazines or journals, have a subtle advantage: they require an editorial process prior to publication. The fact that we can instantly and independently publish on Twitter deprives us from this editorial process, which means that we probably do not have the time and/or resources to review, proof-read, edit and gain feedback for everything we publish. In other words, the fact that no editorial process is required prior to publishing on Twitter means that there is a high probability that we will publish things that we might later on regret.

Recently I edited an article that I wrote for Tactical Tech a year ago. Back then, I was quite pleased with my article. When I revisited it a few days ago so that it can get published soon, I was horrified by it. I view the topic from a completely different lens now and I was surprised by the amount of conclusions I jumped to, the important information I somehow failed to include and the various inaccurancies througout the article. I could go on and on about this, but my point is that in the end of the day, I am very thankful for the fact that Tactical Tech has a set of individuals which can provide me feedback, challenge my assumptions and help me review my article before it gets published to the world.

Twitter, though, does not have this advantage, but that might not necessarily be a problem per se. After all, we’re humans and our thoughts, opinions and ideas are bound to change across time anyway, regardless of where they get published, right? But when we think along these lines, we likely forget that Twitter is not just a publisher; it’s also a data mining engine which can correlate our publications across time and match them with specific groups and individuals within networks. And then that brings us to the following question: how long will our Twitter data be retained for?

6811825498_675cff55a9_z

by Nick Sherman on flickr

According to Twitter’s privacy policy, it only retains data for up to 37 days once an account has been deleted. However, let’s not forget that Twitter – like many other corporations in the data business – shares, discloses and sells data to multiple other parties, all of which have completely different data retention periods. So while Twitter might indeed only retain our past tweets for up to 37 days after we have deleted our accounts, how long do all the other third parties retain our Twitter data for? I think it’s quite difficult – if not impossible – to answer this question.

In addition to data retention concerns, Twitter also fosters citizen-consented tracking on steroids. Multiple companies in the advertising business generally tend to embed tracking technologies, such as cookies, in websites to track individuals’ online activity and interests. Twitter though appears to be at the frontline of innovation, since it does not necessarily need to rely on actively tracking individuals: its users do all the work. By having a Twitter account, we pretty much provide Twitter (and the world) a lot of the data that many companies would otherwise have to dig out through the use of tracking technologies. Anyone can potentially map out the types of media websites that specific people read, the news that they are interested in, their political beliefs and ideologies and much more through their tweets. In short, most of what tracking technologies are designed to collect is actually being donated to Twitter by its users.

2704017177_8490072e06_z

by Seth Anderson on flickr

Data mining and profiling can raise serious concerns – especially for those placed in vulnerable positions within societies. Would it be ideal for governments to be able to map out all of the political activists within their countries? And would it be ideal for governments to not only be able to map out activists, but to also be able to map out their networks and associations? Interestingly enough, Twitter’s privacy policy states that “non-personal information” that it can share or disclose includes the people that we follow and who follow us on Twitter. Given that the specific third parties which Twitter shares data with remain quite opaque, in theory this could mean that the social networks (followers) of activists could be shared with oppressive governments for all we know. The business model of Twitter (and the internet at large) is such that the probability for breach appears to be high, while safeguards for human rights appear to be inadequate.

And as if all the above concerns are not enough, I’ve also been told far too many times that a really bad trolling culture exists on Twitter – which I guess sort of inevitably comes along with free speech to some extent.

118051286_6d001fe397_z

by Anna Bialkowska on flickr

Nonetheless, I finally decided to create a Twitter account under my real name. This probably sounds like quite a schizophrenic decision – given my argumentation in this article – and perhaps it is. But it generally derives from my overall – arguably naive – belief that public awareness and mobilisation is a key component for structural change. More importantly though, it comes down to one main thing: I care a lot about freedom (probably more than what’s good for me) and I desperately want my voice to be heard.

Talk in India - May 2013

Is this a wise trade-off though? Is it wise to donate some of my interests, networks and other valuable data to a corporation – which is not transparent about all the parties it will subsequently share my data with – in exchange for free speech on a global, public platform? To be honest, I don’t know. What I do know though is that it’s probably not fair to expect the public to mobilise against mass surveillance and other threats to human rights, without mobilising myself. Another thing I know is that those in power often foster fear within societies, which enables them to maintain and expand their power often at the cost of human rights.

Unfortunately it’s quite a chicken and egg situation.

On the one hand, if activists join social networks like Twitter, those in power can spy on them and their networks more effectively; but on the other hand, if activists don’t join such platforms, it’s very hard for them to mobilise the public and to get their voice heard.

The fact that the largest online public space for free speech is monopolised by a corporation is at the core of this problem. By no means am I suggesting that governments replace this role, as that would likely lead to even more severe concerns for abuse – especially in authoritarian regimes. What I am suggesting though is that we start creating autonomous online public spheres for free speech, which are free from corporate and government surveillance, and which can reach large and diverse audiences around the world. This of course is easier said than done and extremely complicated, but change won’t happen unless we aim to reach the impossible.

Until then…hello Twitter.