privacy – ubisurv

Harper’s nominee for Privacy Commissioner must be challenged

The current Canadian government has been in a lot of trouble recently over nominations to various federal offices. It’s been accused of cronyism, overly partisan, inappropriate and even illegal nominations to senior positions. Many have been rejected. It comes as no surprise then to find that Prime Minister, Stephen Harper, has nominated someone who seems almost entirely inappropriate to be the next federal Privacy Commissioner.

The nominee, Daniel Therrien, has spent almost all his career as a government insider. If Therrien was a privacy expert, this wouldn’t necessary be an obstacle even to someone taking a job which is supposedly an arm’s length position, as much a watchdog on government as a government office.

If he was a privacy expert.

But he’s not.

Therrien’s experience comes mainly in corrections (prisons and parole offices) and latterly with immigration and border issues. He’s currently the Assistant Deputy Attorney General, Public Safety, Defence and Immigration Portfolio, at the Department of Justice. It is in this position that he has had some involvement with privacy issues, and in some ways, this involvement makes his nomination even more troubling.

Therrien was one of the leaders of the Canadian negotiating team that dealt with the privacy principles of the Beyond the Border Accord, the agreement that essentially allows the USA to extend its ‘perimeter’ around Canada (the original proposed version of the agreement was refered to as the North American Perimeter agreement).

So what do the principles say? Essentially they are a vague set of reaffirmations of well-understood data protection principles combined with the recognition of domestic laws. They don’t do anything specific or new. They certainly will not guarantee that sensitive personal information is not shared across borders or provide for genuine protection when they are. And it seems clear that while necessity and proportionality and data quality are all referenced, necessity seems to trump everything else. As the final principle on ‘Retention’ states:

“The United States and Canada are to retain personal information only so long as necessary for the specific purpose for which the information was provided or further used.”

But as we know from almost everything that has happened since 9/11, necessity is the mother of expansion.

In addition, most of the principles also use the phrase “in accordance with their respective domestic laws”, or similar. A paragraph on ‘Effective Oversight’ states

“A system of effective data protection supervision is to exist in the form of a public supervisory authority or authorities with effective powers of intervention and enforcement. These powers may be carried out by a specialized public information protection authority or by more than one supervisory public authority to meet the particular circumstances of different legal systems.”

Translated, this means “business as usual.” Canada can carry on having its system of Commissioners and the USA can carry on having its in-house Privacy Officers. This does nothing to resolve the issue of what happens when privacy laws and systems of oversight are in conflict or incompatible – as they frequently are.

The Prime Minister is quoted in the press release as saying: “I am pleased that Daniel Therrien has agreed to be nominated for the position of Privacy Commissioner. He is a well-qualified candidate who would bring significant experience in law and privacy issues to the position.”

I guess it all depends what one considers to be ‘significant experience’. He has some experience. But he is neither a privacy lawyer not a privacy expert by training nor has be become such by virtue of his career. And his limited experience is almost entirely in the context of the furthering of neoliberal trade and security agreements with the USA, it is not in domestic privacy protection.

Daniel Therrien may well have had an impeccable professional record. He may well be an excellent Assistant Deputy Attorney General. He may well be a good person. But none of those things are the issue here: Therrien is not “a well qualified candidate” to be the federal Privacy Commissioner. He could, like the current interim Commissioner, Chantal Bernier, legitimately be appointed as Deputy Commissioner in order to build up his qualification in the area. But as the Commissioner? No.

Luckily, this nomination is not a foregone conclusion. It must be approved by both the Senate and House of Commons, and Liberals, NDP and Greens have all voiced concerns already. I am adding my own voice to this in saying that this nomination must be challenged in the most robust terms. Personally, I also think it’s a great shame that the capable and directly experienced Bernier was not given the opportunity to retain the seat that she has only been keeping warm for the next Commissioner…

The Right to Watch?

I’ve always defended the right to photograph in public places. However, a number of cases in the last few weeks are highlighting an important new development in this area, a new front in the increasingly confusing information wars. Gary Marx always like to say that surveillance is neither good nor bad but that intent, circumstances, and effects make it so, but a growing number of people and organizations seem to be treating surveillance – or at least watching, and certainly not all watching is surveillance – as a right which supersedes rights to privacy. We’ve seen this in the case of Google Glass – even before it was launched commercially – and more recently with the arguments over the ‘right to be forgotten’ in Europe, with personal privacy being counterposed to freedom of information and actions to protect privacy being compared to censorship. It’s all somewhat reminiscent of Dave Eggers’ novel, The Circle, in which a Facebook-Google-Apple-a-like company completely turns around social values until, as one of the corporate slogans has it, “PRIVACY IS THEFT!”

The latest case is that of the use of drones / micro-UAVs / MAVs in the USA. The Federal Aviation Authority (FAA), the government body that controls US airspace, is trying to regulate the use of drones and has attempted to fine commercial drone operators who fly surveillance drones without their permission. The case revolves around one Robert Pirker, who used an unlicensed drone to film a promotional video back in 2011. At the moment the FAA is appealing against the National Transportation Safety Board (NTSB), who rule that it could not fine Pirker as it did have jurisdiction over small drones. Now the media has weighted in on Pirker’s side, arguing that the FAA’s stance infringes the first amendment and creates a ‘chilling effect’ on journalism.

I’m really not sure about either argument. On the FAA side, this is partly about a bureaucracy trying to keep control of its regulatory territory as much it is about the object of the regulation – the FAA does not want to be seen to be losing control just as the number of small drones is increasing massively.

On the other side, is this really about the rights of journalists? Pirker was making a commercial film not covering a story, and the effect of the FAA’s ruling being overturned is more likely to open the door to a corporate free-for-all, an absurd PKDickian world of drones as far as the eye can see, with all the attendant crashes and legal battles, could result. Think not? Well, back in the 1900s, people thought there would never be that many cars on the roads either… so it is certainly it is partly about their mandate, i.e. air safety.

The big question here, as with Google Glass and with Search, is whether technological change makes a difference. Is a flying camera just the same as a hand-held camera? Does the greater potential for intrusion, or on the other hand the inability to know that one is being filmed, matter? Does that possibility that ‘the truth’ will be revealed justify any technological method used to obtain it? If not, which ones are acceptable, whereis the line drawn, and who decides and how? In the UK, the ‘public interest’ would be a good basis for deciding, as has been frequently alluded to in the Leveson Inquiry into telephone tapping conducted by Murdoch-owned newspapers, however ‘public interest’ is a much vaguer term in the USA… what is certain is that conflicts around the ‘right to watch’ versus the ‘right to privacy’ and other human rights and social priorities are only going to intensify.

On the ‘Right to Be Forgotten’

While Viktor Mayer-Schönberger is arguing today both that there’s really not a lot new to the European Court of Justice decision to order Google to adjust its search results to accommodate the right to privacy for one individual and that it really won’t be a problem because Google already handles loads of copyright removal requests very quickly, the decision has also sparked some really rather silly comments all over the media, usually from the neoliberal and libertarian right, that this is a kind of censorship or that it will open the door to states being able to control search results.

I think it’s vital to remember that there’s really an obvious difference between personal privacy, corporate copyright and state secrecy. I really don’t think it’s helpful in discussion to conflate all these as somehow all giving potential precedent to the other (and I should be clear that Mayer-Schönberger is not doing this, he’s merely pointing out the ease with which Google already accommodates copyright takedown notices to show that it’s not hard or expensive for them to comply with this ruling). State attempts to remove things that it finds inconvenient are not the same as the protection of personal privacy, and neither are the same as copyright. This decision is not a precedent for censorship by governments or control by corporations and we should very strongly guard against any attempts to use it in this way.

Google algorithms already do a whole range of work that we don’t see and to suggest that they are (or were) open, free and neutral and will now be ‘biased’ or ‘censored’ after this decision is only testament to how much we rely on Google to a large extent, unthinkingly. This is where I start to part company with Mayer-Schönberger is in his dismissal of the importance of this case as just being the same as a records deletion request in any other media. It isn’t; it’s much more significant.

You are sill perfectly free to make the effort to consult public records about the successful complainant in the case (or anyone else) in the ways you always have. The case was not brought against those holding or even making the information public. What the case sought to argue, and what the court’s verdict does, is to imply that there are good social reasons to limit the kind of comprehensive and effortless search that Google and other search engines provide, when it comes to the personal history of private individuals – not to allow that one thing that is over and one to continue to define the public perception of a person anywhere in the world and potentially for the rest of their life (and beyond). Something being public is not the same as something being easily and instantaneously available to everyone forever. In essence it provides for a kind of analog of the right of privacy in public places for personal data. And it also recognizes that the existence and potentials of any information technology should not be what defines society, rather social priorities should set limits on how information technologies are used.

Personally, I believe that this is a good thing. However, as the politics of information play out over the next few years, I also have no doubt that it’s something that will be come up again and again in courts across the world…

PS: I first wrote about this back in 2011 here – I think I can still stand behind what I though then!

Transparent Lives: Surveillance in Canada

The New Transparency project is coming to an end, and we are launching our major final report, Transparent Lives: Surveillance in Canada / Vivre à nu: La surveillance au Canada, in Ottawa on Thursday 8th May (which is also my birthday!). The report is being published as a book by Athabasca University Press, so it is available in all formats including a free-t0-download PDF. We want as many people in Canada (and elsewhere) to read it as possible.

The launch will be covered by the Canadian press and was already blogged in the Ottawa Citizen a few days ago .

A website with resources and summaries will be here very soon, and there is also a promotional video / trailer here in Youtube.

Hot Air on the Surveillance Industry from the UK

Privacy International has produced a much-needed survey of the state of the surveillance industry, following its other excellent report on the use of development aid to push surveillance technologies on developing countries. The British government’s response, voiced by the Chair of the Parliamentary Committee on Arms Export Controls, Sir John Stanley, has been a typically limp one, largely concerned with the possibility of such systems being sold to ‘authoritarian regimes’ yet blustered and talked of ‘grey areas’ when it came to Britain’s responsibility for this trade.

But this is all way too little too late. I warned of the danger of the increased technological capabilities and decreasing costs of ‘surveillance-in-a-box’ systems as far back as 2008 (see my post here which refers to that). Instead of taking horizon-scanning and pre-emptive action to limit this, Britain, the USA and many other states have encouraged this trade with state aid – as they have with military and security industries more broadly – and, not least, encouraged the use of surveillance on a global scale themselves. Their own extensive breaches of human rights through programs like PRISM and TEMPEST give them no real moral high ground to talk about what authoritarian regimes might do, when they are already pursuing the same actions.

Implants vs. Wearable devices

I’ve been thinking a lot recently about why it is that implanted tracking devices have never really taken off in humans. Just a few years ago, there were all kinds of people laying out rather teleological versions of technological trajectories that led inevitably to mass human implanantation – and not just the US Christian right, who saw RFID as the fulfilment of biblical prophecy.

I think there are many reasons, including negative public reaction (implants really are a step too far, even for the ‘nothing to hide, nothing to fear’ crowd) and the fact that a lot of the promotion of human RFID implants was actually the PR work of one very loud company (Verichip) and did not actually have a lot of basis in either social reality or market research. But the other major reason is to do with other technological developments, particularly in wearable computing and sensor networks. In most cases, implants solve a problem that doesn’t exist (the idea that people want to remove a tracking device that might be there for very good – although I am not saying, indisputably good – reasons, usually medical ones). And where there are no good reasons, there’s probably no case for tracking at all.

So devices like this – temporary, printed or stick-on and removable – are far more what is likely to become the solution to any actual problem of tracking or monitoring for medical reasons. And the relative ease with which it can be removed by the wearer does at least mean that there is some room for negotiation and consent at more than just one point in the process. Of course, such removable, wearable tracking are still not somehow free of ethical and political considerations – and some may argue that the very appearance of consent actually hints at the generation of a greater conformity and self-surveillance, but the issues are of a slightly different nature to those raised by implanted devices.

A Culture of Pornography and the Surveillance Society

The student newspaper here at Queen’s carried a disturbing story this week – a hidden camera disguised in a towel hook was found in a women’s washroom*. Apparently a search was carried out and nothing else was found. I would be very surprised if this was something unique and isolated. Voyeuristic footage is a staple of both private perversion and Internet pornography, and I suspect that this is much more common than we realise. I remember at my old university in the UK a private landlord being prosecuted for having virtually his whole house, which he rented out to female students, wired up like this. Cameras are now so small (and getting smaller), and readily available disguised from shops that deal in equipment (largely intended for industrial espionage and spying on nannies, spouses etc.) and can of course now be wirelessly connected, so could be almost anywhere and everywhere.

We’re also immersed in a culture of pornography: it is what spurred the immense growth of the Internet in the 90s (a subject that remains to be given a proper historical analysis), and it is changing the nature of sexuality, especially in teen boys, in ways we’re only just beginning to understand. I’d hesitate to make any sweeping generalizations, but it would seem that if one puts together the kind of normalization of pornographic understandings of bodies, desire and sex with the rape culture alleged to pertain at Queen’s (as the same paper detailed the week before) and a surveillance society, you end up with not the hopes of an empowering exhibitionism put forward by more utopian feminist thinkers on surveillance like Hille Koskela, but something infinitely more seedy and alienated.

Perhaps if Nineteen Eighty-Four was written today, then O’Brien’s answer to Winston Smith on what the future would look like would not be “a boot stamping on a human head, forever” but “a man masturbating over a mobile phone, forever”. I’m not sure which is worse…

*As a note, the newspaper described it as a ‘co-ed’ washroom, a term so archaic, it made me wonder how much of the culture that engenders such behaviour is down to the continued underlying patriarchal belief that women being in education on an equal footing with men is still unusual, provocative and somehow so exciting to men that they cannot control themselves. And of course ‘co-eds’ is exactly how online porn sites that publish this kind of voyeuristic footage would describe the unwitting participants.

(Thanks to Aliya Kassam for the story)

How online companies can protect privacy and free speech

There have been a lot of stories about online services breaching privacy, losing user’s data, being hacked, being to willing to give into state requests for information and much more. But not so much on how companies might provide a positive service that works, whilst respecting privacy, free speech and other fundamental rights. But now ACLU has issued a helpful guide. Clearly, it’s designed for business rather than being a critique of businesses and their practices, and as such is hardly a manual for revolution, but it will be interesting to see who takes notice… and who doesn’t.

Surveillance devices get smaller… but it’s privacy that vanishes.

I’ve been blogging for a while about miniaturization and the ‘vanishing’ of surveillance devices. This disappearance occurs in many ways, one of which is the incorporation of high-tech surveillance features into objects and devices that we are already used to or their reduction to a size and form factor that is relatively familiar. Two examples coincidentally arrived in my inbox over the last week.

The first was the news that the US Navy has awarded a development contract for binoculars that incorporate three-dimensional face-recognition technology from StereoVision Inc (who may well be the bunch of California-based face recog people I met at a biometrics industry show a few years back). This supposedly gets round the problems that standard two-dimensional face recognition has dealing with unpredictably mobile crowds of people in natural light (AKA ‘the real world’). The issue I’m highlighting here however is that we don’t expect binoculars to be equipped with face recognition. Binoculars may not be entirely socially acceptable items, and already convey implications of creepy voyeurism when used in urban or domestic situations, however this is something else entirely.

NY-CD236_NYPD1_G_20130123200238 — Small terahertz wave scanner being tested by NYPD in January (NYPD_

The second is the extraordinarily rapid ongoing progress towards working handheld terahertz wave technology (a far more effective form of scanning technology than either the backscatter x-ray or millimeter wave systems used in the bulky bodyscanners currently in use at airports). Just four years ago, I noted the theoretical proof that this was possible, and last month, it was revealed that police in New York were testing handheld terahertz wave scanners, (Thruvision from Digital Barriers) which of course people were likening to Star Trek’s tricorders. The idea that the police could perform a virtual strip search on the street without even having to ask is again, a pretty major change, but it’s also the case that the basic technology can be incorporated into standard video camera systems – potentially everyone with a mobile phone camera could be doing this in a few years.

I’m not a technological determinist, but in the context of societies in which suspicion, publicity and exposure are becoming increasingly socially normative, I have to ask what these technologies and many others like them imply for conventional responses based on ‘privacy’. Privacy by design is pretty much a joke when the sole purpose of such devices is to breach privacy. And control by privacy regulators is based on the ability to know that one is actually under surveillance – when everything can potentially be performing some kind of highly advanced surveillance, how is one able to tell, let alone select which of the constant breaches of privacy is worth challenging? So, do we simply ban the use of certain forms of surveillance technology in public places? How, would this be enforced given that any conventional form factor might or might not contain such technology? And would this simply result in an even more intense asymmetry of the gaze, when the military and the police have such devices, but people are prevented from using them? Do we rely of camouflage, spoofing and disabling techniques and technologies against those who might be seeking to expose us? You can bet the state will not be happy if these become widespread – just look at the police reaction to existing sousveillance and cop-watching initiatives…

$100 to anyone who can find a ‘privacy-compliant camera’ in Canada

Actually, the headline (from the Toronto Metro free paper) is a little misleading as what my friend and colleague Andrew Clement is actually betting on here is that no-one can find a video surveillance system in Canada that is fully compliant with Canadian privacy law. Which of course may of may not be the same as ‘privacy’ in any other terms. But it’s an interesting challenge – that is largely to do with signage. Prof Clement and his team at the iSchool at UofT have been monitoring the way in which video surveillance systems in Canada are signed for quite some time. As their website, surveillancerights.ca (which is also where you can try to claim your $100…) says

“Signs should at a minimum clearly tell you:

who is operating the camera
who you can contact if you have questions
the purpose(s) of the surveillance”

The signs should also in themselves be clearly visible, not hidden away somewhere. There’s more detailed information about requirments here.

So, who’s going to take up this bet?

(Thanks to Matthias Vermeulen for the story and Aaron Martin for noticing the difference between privacy and privacy law.)