Top US tech companies call for surveillance reform

We’ve heard from the politicians, the security services and now we’re hearing from the corporations. What are they really saying, and how does it affect us?

If you have used a computer, you will have used one of their products. The world’s most ubiquitous computing companies have now taken a stand on government surveillance. They want mass, untargeted data collection gone, and transparency with accountability put in place. Aside from their demands, which you can read here, what can we read into this as ‘users’ of their systems?

Implied approval of Snowden’s whistleblowing

And of his subsequent escape to China, then Russia. If he were detained in a US facility this approval might have been less forthcoming, so this can be seen as an agreement with his actions and disagreement with the persecution he faces at home. The companies’ stance is based on an objection to the principle of mass collection, preferring targeted, legally recorded and transparent information requests.

Implied admission that confidential data in plaintext is not safe in their systems

Not safe from the US government, and by logical extension from other governments, and by further extension any corporate, individual or political affiliates of these governments. The implications of this are wide ranging, but impact on journalist sources, client names and client intellectual property, freedom of expression of various kinds that may become illegal under a subsequent government or ruling.

If the press isn’t free to protect its sources around the world, if companies are not free to trade privately or if people aren’t free to think and act privately then we have a situation that could easily be abused for personal or political gain, if it hasn’t already been. From stock markets and intellectual property theft, to political power grabs, the balance of power is easily tipped away from democractic process in this situation.

How can we avoid using their systems for private data until further assurances are in place?

  • Use own mail and storage servers, with encryption
  • Generally view email as a postcard: encrypt any sensitive data before sending over these networks
  • IM/chat - use OTR over an open XMPP server rather than a cloud provider (GTalk, MSN, AOL etc.) for private conversation
  • Avoid social networks that can imply contacts by proxy and social circles
  • Use alternative search engines focused on privacy -, for example
To do all of this would of course be too much hassle for most people. We all enjoy the convenience of pervasive, automated communications and news updates from social networks, but it really isn’t hard to switch a few things around. For those who disagree in principle with the risks and actions being taken by the governments supposedly protecting us, the task becomes all the more simple.

The internet was essentially given to us for free, monthly charges notwithstanding, and piggybacking off that were these signatories who now control large swathes of internet use. But it doesn’t have to be this way; or at least the blind and wholesale acceptance of the ‘corporation as gateway’ to the internet model doesn’t have to be accepted.

A distributed system such as this can be open and free (as in price and as in liberty) with the tools that already exist today. This announcement shows that these signatories are deeply concerned about losing the trust of their users, users who have enjoyed the freely offered benefits of their services for years, in exchange for just a few private data exchanges. And then a few more. And so on until we arrive at today’s situation.

Hypocrisy from each company - none are angels

  • Yahoo! - glacial slowness to implement encryption as standard for its users (despite these claims to care for privacy)
  • Facebook - generating their own privacy intruding systems for ad sales, facial recognition, non-deletion of private data etc.
  • Google - tying user images and real names to ads, shuttering open services and protocols in exchange for proprietary, locking in users, censoring search results
  • Linkedin - spamming of algorithmically guessed at contacts, mass detailing of professional and personal networks and data for individuals and companies, on sale of course
  • Microsoft - mass tracking of location, usage, general life patterns, NSA backdoors in OS, monopolising malpractice in software and operating systems sales, changing Skype to read content of messages
  • Twitter - mass user data collection for advertising ends, censorship
  • Apple - restricting property rights on entertainment media for their own ends, at the expense of artists and creativity, patent abuse, poor manufacturing practices…

Do they go far enough?

It’s already a very good thing that they’re making a stand and somewhat vindicating Snowden, who has been much vilified for only doing what others before him have tried to do for years through official channels, unsuccessfully. But they could go further still.

What else could they do?

  • Agree to employ encryption for storage and transfer of user data - client-side encryption, preferably, i.e. keeping the key on a user’s computer, less susceptible to backdooring
  • Agree to not track locations and network habits
  • Agree to keep what data they have for no longer than a reasonable period of time - as deemed by users, not the corporations
  • Agree to let you export your data
  • Agree to vet third party apps in their ecosystems more strictly - even Flashlight apps can track your location and resell to ad companies without your knowledge.
Google have actually lead the way on some of these points, encrypting inter-server traffic and allowing users to export their data, but there is always more that can be done.

Governments and corporations have said their piece, now it’s time for the ‘users’ to speak out. It’s tricky, as most of the technical detail turns people off the issue, but the principles at stake are universal and it shouldn’t take another human disaster to let people see them.

Things ‘users’ can do

  • Vote with the mouse - move off services that violate privacy, and limit/delete sensitive unencrypted data passing over or stored on any third party service
  • Consider that data not currently seen as sensitive can still be used to build a very complete picture of your character and life, and those of social and professional circles, all without the user’s knowledge - remove that data
This picture of the user might be completely inert under this jurisdiction or at this time, but that’s not to say it won’t hamper future actions of travel, business or legal status for millions of people. Of course, nothing may come of it, and the chances would be slim for an average individual to be adversely affected, but this is just the start, and this direction could lead to much worse. That needn’t be so.

Further reading

Could we now be unwittingly in the midst of a new type of power system? What risks does that present? An argument eerily set out by Adam Curtis for the BBC will serve as an interesting follow-up if you’ve read this far.

Thanks for reading. I do translation from French and Swedish to English, so if that's useful to you, feel free to connect and message me on LinkedIn or Twitter.

Published by and tagged privacy using 1160 words.