Night of the Surveillance Dead

In one of those curious synchronicities that occasionally emerge out of the chaotic foam of the internet, I came across two stories (of an entirely different nature) featuring surveillance and ‘zombies’ this week.

The first is one that Ars Technica first publicized recently – the creation of new undeletable cookies. Cookies, for the still unaware, are little bits of code that sit on your computer and store information, usually relating to websites you have visited – so, passwords and the like. Originally they were simply a tool to make it easier to handle the proliferation of sites that needed login details from users. And in most cases, they used to be both moderately consensual (i.e. you would be, or could be, asked if you wanted to have you computer download one) and relatively easy to remove. However, in recent years, this has changed. For a start there are so many sites and applications using cookies that it has become inconvenient to ‘consent’ to them or to manage them in any unautomated way. The new development however is a system that uses the database capabilities in HTML5 rather than being a traditional cookie. The major problem with this, and you can read more about the technical details in the story, is that these cannot ever be deleted by the user, as when they are deleted, they respawn themselves, and recreate the data profile of the user by reaching into other areas of your computer (and even stuff you thought was also deleted). The company concerned, Ringleader Digital, which specializes in ‘targeted, trackable advertising’ for ‘real-time visibility’, says users can ‘opt-out’ by using a form on their website, but this so-called ‘opt-out’ is hedged about with terms and conditions.

Now, Ars Technica reports that an open-source developer, Samy Kamkar, has created ‘evercookie‘, a virtually indestructible cookie designed as an educational tool to make users aware of the presence of these new internet zombies that do their master’s bidding. It’s a neat idea but I wonder – and I hope you will excuse my taking the zombie metaphor just a little further here – whether in raising the dead to show that necromancy is bad, good wizards like Samy Kamkar might in the end just be contributing to the problem. It isn’t as if most ordinary users understand these strange powers. Perhaps the people who need to witness the power of these occult rites are the regulators. It’s not clear to me whether these kinds of programs would be considered in any way legal in most places with strong data-protection and privacy laws, like Canada and the EU – as the controversy over the similar British Telecom system, Phorm, showed. So I would be very interested in what the Canadian Privacy Commissioner has to say about it, for example. I will be asking them.

(The second zombie story I will add later…)

Bigger than Brazil

So says a new IMS report on the surveillance market in Latin America, according to industry site, Surveillance Park.

Brazil’s emergence as an economic power means that there is increasing demand for surveillance both in individual applications and for larger infrastructure projects like the 2014 World Cup and 2016 Olympic Games. But Brazil already has what the report terms “an established eco-system of suppliers” so, in the face of this strong competition, foreign surveillance companies are advised to look elsewhere, particularly Argentina, Chile and Mexico, whose surveillance markets should provide “long-term double digit growth.

‘Friendly’ Surveillance and Intelligent Socks

I missed putting this up last week, but MIT’s Technology Review blogs had a good summary of a talk by Intel’s Justin Rattner, who was arguing for a new era of more ‘friendly’ surveillance. By this he means an emphasis on ubiquitous computing and sensing technologies, or what the Europeans call ‘ambient intelligence’, for personal and personalized assistance and support. He is quoted in the piece as saying “Future devices will constantly learn about you, your habits, how you go about your life, your friends. They’ll know where you’re going, they’ll anticipate, they’ll know your likes and dislikes.” Rattner himself was wearing some new ‘intelligent socks’ (well, sensors in his socks) during the talk, which can sense whether the wearer has fallen or experienced some other unexpected movement. Of course, the problem with this, apart from the issue of whether we want even our socks to anticipate our movements and more, is that the constant stream of data needed to inform the intelligent systems has to go somewhere, and that ‘somewhere’ is ‘the cloud’, i.e. the most intimate data about you, whatever level of security is in place, would be just out there and far more accessible than the forms of biomedical information currently held by, for example, our doctors.

The city where the cameras never sleep… New York, New York

The Gothamist blog has a brief report on the massive upgrading and expansion of the video surveillance system in the New York public transit system. Like Chicago, which I’ve mentioned several times here, the cameras in New York are really just collection devices to feed an evolving suite of video analytic software, that can track suspects or vehicles in real-time or search through old footage to find multiple occurences of particular distinctive objects or people.

The other notable thing is that the new camera system is just completely overlaying the old – in other words there is no attempt to connect the older cameras which are not compatible and have far poorer image quality. As cameras and software gets cheaper, this option looks like being the one many urban authorities will pursue, so cities like London, which pioneered widespread video surveillance, but which, with their disconnected mosaic of incompatible systems, have started to look increasingly ineffective and out-of-date, could deal with this not by expensive and unreliable fixes but simply by sticking in an entirely new integrated algorithmic system on top of or alongside the old ones. Technological fallibility and incompatibility can no longer be relied on as protections for the privacy rights of citizens in public spaces.

Chipping Pre-School Kids in the USA

ACLU is reporting that nursery schools kids in Richmond, California are being issued with jerseys embedded with RFID chips. GPS-enabled and/or RFID-chipped clothing has been available for a while now, and there have also been (pre-)schools in other countries that have issued tracking devices to kids, notably in Yokohama in Japan, but this appears to be the first time in the USA. RFID is a very simple, insecure technology, and this type of initiative gives a false sense of security and is about at once raising and appeasing social anxiety and parental paranoia about the incredibly rare instances of child kidnapping. ACLU note correctly that this is just likely to make stalking and kidnapping easier as harder, but really all this does is enable the school to know where the jersey is – like left on the back of a bus, swapped with a friend or thrown in a ditch. It’s more pointless security theater, but at a more intimate level than the kind we are used to at airports and public buildings.

America’s Surveillance State

I’ve posted several times over the last few years on how the USA is rapidly overtaking Britain as the leading democratic ‘surveillance society’. It seems like some commentators in the USA now agree – Glenn Greenwald writes on the Salon magazine site, about his essay published by the libertarian Cato Institute, and the responses it has received from different parts of the US political spectrum. It’s all worth a read, although for British activists and academics in this area in particular, it will sound like what Yogi Berra famously described as ‘deja-vu all over again’… and it’s hardly new even in the States (see the work done by ACLU, Wired’s Danger Room, experts and academics like Bill Staples, Bruce Schneier and Torin Monahan, and popular books by Christian Parenti and Robert O’Harrow, for just a couple of examples).

Cyber-Surveillance in Everyday Life: Call for Participation

Call For Participation: Cyber-Surveillance in Everyday Life

Digitally mediated surveillance (DMS) is an increasingly prevalent, but still largely invisible, aspect of daily life. As we work, play and negotiate public and private spaces, on-line and off, we produce a growing stream of personal digital data of interest to unseen others. CCTV cameras hosted by private and public actors survey and record our movements in public space, as well as in the workplace. Corporate interests track our behaviour as we navigate both social and transactional cyberspaces, data mining our digital doubles and packaging users as commodities for sale to the highest bidder. Governments continue to collect personal information on-line with unclear guidelines for retention and use, while law enforcement increasingly use internet technology to monitor not only criminals but activists and political dissidents as well, with worrisome implications for democracy.

This international workshop brings together researchers, advocates, activists and artists working on the many aspects of cyber-surveillance, particularly as it pervades and mediates social life. This workshop will appeal to those interested in the surveillance aspects of topics such as the following, especially as they raise broader themes and issues that characterize the cyber-surveillance terrain more widely:

  • social networking (practices & platforms)
  • search engines
  • behavioural advertising/targeted marketing
  • monitoring and analysis techniques (facial recognition, RFID, video analytics, data mining)
  • Internet surveillance (deep packet inspection, backbone intercepts)
  • resistance (actors, practices, technologies)

A central concern is to better understand DMS practices, making them more publicly visible and democratically accountable. To do so, we must comprehend what constitutes DMS, delineating parameters for research and analysis. We must further explore the way citizens and consumers experience, engage with and respond to digitally mediated surveillance. Finally, we must develop alliances, responses and counterstrategies to deal with the ongoing creep of digitally mediated surveillance in everyday life.

The workshop adopts a novel structure, mainly comprising a series of themed panels organized to address compelling questions arising around digitally mediated surveillance that cut across the topics listed above. Some illustrative examples:

  1. We regularly hear about ‘cyber-surveillance’, ‘cyber-security’, and ‘cyber-threats’. What constitutes cyber-surveillance, and what are the empirical and theoretical difficulties in establishing a practical understanding of cyber-surveillance? Is the enterprise of developing a definition useful, or condemned to analytic confusion?
  2. What are the motives and strategies of key DMS actors (e.g. surveillance equipment/systems/ strategy/”solutions” providers; police/law enforcement/security agencies; data aggregation brokers; digital infrastructure providers); oversight/regulatory/data protection agencies; civil society organizations, and user/citizens?
  3. What are the relationships among key DMS actors (e.g. between social networking site providers)? Between marketers (e.g. Facebook and DoubleClick)? Between digital infrastructure providers and law enforcement (e.g. lawful access)?
  4. What business models are enterprises pursuing that promote DMS in a variety of areas, including social networking, location tracking, ID’d transactions etc. What can we expect of DMS in the coming years? What new risks and opportunities are likely?
  5. What do people know about the DMS practices and risks they are exposed to in everyday life? What are people’s attitudes to these practices and risks?
  6. What are the politics of DMS; who is active? What are their primary interests, what are the possible lines of contention and prospective alliances? What are the promising intervention points and alliances that can promote a more democratically accountable surveillance?
  7. What is the relationship between DMS and privacy? Are privacy policies legitimating DMS? Is a re-evaluation of traditional information privacy principles required in light of new and emergent online practices, such as social networking and others?
  8. Do deep packet inspection and other surveillance techniques and practices of internet service providers (ISP) threaten personal privacy?
  9. How do new technical configurations promote surveillance and challenge privacy? For example, do cloud computing applications pose a greater threat to personal privacy than the client/server model? How do mobile devices and geo-location promote surveillance of individuals?
  10. How do the multiple jurisdictions of internet data storage and exchange affect the application of national/international data protection laws?
  11. What is the role of advocacy/activist movements in challenging cyber-surveillance?

In conjunction with the workshop there will be a combination of public events on the theme of cyber-surveillance in everyday life:

  • poster session, for presenting and discussing provocative ideas and works in progress
  • public lecture or debate
  • art exhibition/installation(s)

We invite 500 word abstracts of research papers, position statements, short presentations, works in progress, posters, demonstrations, installations. Each abstract should:

  • address explicitly one or more “burning questions” related to digitally-mediated surveillance in everyday life, such as those mentioned above.
  • indicate the form of intended contribution (i.e. research paper, position statement, short presentation, work in progress, poster, demonstration, installation)

The workshop will consist of about 40 participants, at least half of whom will be presenters listed on the published program. Funds will be available to support the participation of representatives of civil society organizations.

Accepted research paper authors will be invited to submit a full paper (~6000 words) for presentation and discussion in a multi-party panel session. All accepted submissions will be posted publicly. A selection of papers will be invited for revision and academic publication in a special issue of an open-access, refereed journal such as Surveillance and Society.

In order to facilitate a more holistic conversation, one that reaches beyond academia, we also invite critical position statements, short presentations, works-in-progress, interactive demonstrations, and artistic interpretations of the meaning and import of cyber-surveillance in everyday life. These will be included in the panel sessions or grouped by theme in concurrent ‘birds-of-a-feather’ sessions designed to tease out, more interactively and informally, emergent questions, problems, ideas and future directions. This BoF track is meant to be flexible and contemporary, welcoming a variety of genres.

Instructions for making submissions will be available on the workshop website by Sept 1.

See also an accompanying Call for Annotated Bibliographies, aimed at providing background materials useful to workshop participants as well as more widely.

Timeline:

2010:

Oct. 1: Abstracts (500 words) for research papers, position statements, and other ‘birds-of-a-feather’ submissions

Nov. 15: Notification to authors of accepted research papers, position statements, etc. Abstracts posted to web.

2011:

Feb. 1: Abstracts (500 words) for posters

Mar. 1: Notification to authors of accepted posters.

Apr. 1: Full research papers (5-6000 words) due, and posted to web.

May 12-15 Workshop

Sponsored by: The New Transparency – Surveillance and Social Sorting.

International Program Committee: Jeffrey Chester (Center for Digital Democracy), Roger Clarke (Australian Privacy Foundation), Gus Hosein (Privacy International, London School of Economics), Helen Nissenbaum (New York University),
Charles Raab (University of Edinburgh) and Priscilla Regan (George Mason University)

Organizing Committee: Colin Bennett, Andrew Clement, Kate Milberry & Chris Parsons.

University of Toronto & University of Victoria.

Backdoors for Spies in Mobile Devices

There’s been a lot of controversy over this summer about the threats made to several large western mobile technology providers mainly by Asian and Middle-Eastern governments to ban their products and services unless they made it easier for their internal intelligence services and political police to access the accounts of users. The arguments actually started way back in 2008 in India, when the country’s Home Ministry demanded access to all communications made through Research in Motion’s (RIM) famous Blackberry smartphone, which was starting to spread rapidly in the country’s business community. Not much came of this beyond RIM agreeing in principle to the demand. Then over this summer, the issue flared up again, both in India and most strongly in the United Arab Emirates (UAE) and Saudi Arabia. RIM’s data servers were located outside the countries and the UAE’s Telecommunications Regulatory Authority (TRA) said that RIM was providing an illegal service which was “causing serious social, judicial and national security repercussions”. Both countries have notorious internal police and employ torture against political opponents.RIM initially defended its encrypted services and its commitment to the privacy of its users in a full statement issued at the beginning of August. However, they soon caved in when they realised that this could cause a cascade of bans across the Middle-East, India and beyond and promised to place a data server in both nations, and now India is once again increasing the pressure on RIM to do the same for its internal security services. So instead of a cascade of bans, we now have a massive increase in corporate-facilitated state surveillance. It’s Google and China all over again, but RIM put up even less of a fight.

However, a lot of people in these increasingly intrusive and often authoritarian regimes are not happy with the new accord between states and technology-providers, and this may yet prove more powerful than what states want. In Iran, Isa Saharkhiz, a leading dissident journalist and member of the anti-government Green Movement is suing another manufacturer, Nokia Siemens Networks, in a US court for providing the Iranian regime with the means to monitor its mobile networks. NSN have washed their hand of this, saying it isn’t their fault what the Iranian government does with the technology, and insist that they have to provide “a lawful interception capability”, comparing this to the United States and Europe, and claiming that standardisation of their devices means that “it is unrealistic to demand… that wireless communications systems based on global technology standards be sold without that capability.”

There is an interesting point buried in all of this, which is that the same backdoors built into western communications systems (and long before 9/11 came along too) are now being exploited by countries with even fewer scruples about using this information to unjustly imprison and torture political opponents. But the companies concerned still have moral choices to make, they have Corporate Social Responsibility (CSR) which is not simply a superficial agreement with anyone who shouts ‘security’ but a duty to their customers and to the human community. Whatever they say, they are making a conscious choice to make it easier for violent and oppressive regimes to operate. This cannot be shrugged off by blaming it on ‘standards’ (especially in an era of the supposed personal service and ‘mass customization’ of which the very same companies boast), and if they are going to claim adherence to ‘standards’, what about those most important standards of all, as stated clearly in the Universal Declaration of Human Rights, Article 12 of which states: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence,” and in Article 19: “Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.”

City of Leon to install mass public iris-scanning

The City of Leon in Mexico, if a report in Fast Company are to be believed, is going ahead with a scheme that goes far further than any other urban surveillance project yet in existence. They are already installing scanners that according to their manufacturers, Global Rainmakers Inc., an until recently secretive company with ties to US military operations, can read the irises of up to 50 people per minute.

Now, we have to be careful here. Gizmondo, as usual has gone way over the top with reports of ‘the end of privacy’ (which, if you believed their stories has already happened as many times as the apocalypse for 7th Day Adventists…) and talk of the ‘entire city’ being covered and ‘real-world’ operations (i.e. in uncontrolled settings). In fact, if you read the  Fast Company report, and indeed the actual description of the products from the company, they are far more limited even in their claims (which are likely to be exaggerated anyway). There is no indication that the iris scanners proposed will work in uncontrolled settings. When the company talk about the scanners working ‘on the fly’, they mean that they will work when someone is basically looking at the scanner or near enough whilst no more than 2 metres away (in the most advanced and expensive model and significantly less for most of them) and moving at no more than 1.5 metres per second (and, again, slower for the lower range devices). All the examples on the company website show ‘pinch points’ being used (walls, fences, gates etc.) to channel those being identified towards the scanner. In other words, they would not necessarily work in wide public streets or squares anyway and certainly not when people were moving freely.

So is this what is being proposed? Well, there are two phases of the partnership with Leon that the company has announced – and we have as yet no word from Leon itself on this. Phase I will cover the settings in which one might expect levels of access control to be high: prisons, police stations etc. Phase II will supposedly cover “mass transit, medical centers and banks, among other [unnammed] public and private locations”. It is also worth noting that the scheme’s enrolment is limited to convicted criminals, with all other enrolment on an entirely voluntary basis.

I am not saying that this is not highly concerning – it is. But we need to be careful of all kinds of things here. First of all, the Fast Company report is pure corporate PR, and the dreams of the CEO of Rainmakers, Jeff Carter (basically, world domination and ‘the end of fraud’ – ha ha ha, as if…) are the same kind of macho bulltoffee that one would expect from any thrusting executive in a newish company in a highly competitive marketplace. Secondly, there’s a whole lot of space here for both technological failure and resistance. The current government Leon may well find that the adverse publicity from this will lose rather than gain them votes and that in itself could see the end of the scheme, or its being limited to Phase I. In addition, without this being part of wider national networks, there may in the end be little real incentive for anyone to enrol voluntarily in this. Why would banks in Leon require this form of identification but not those in Mexico City or Toluca for example? Will the city authorities force everyone who use public transport to undergo an iris scan (which would make the ‘voluntary’ enrolment a sham)? This could all end being as insignificant as the Mexican companies offering RFID implants as a supposed antidote to kidnapping, it could be the start of a seismic shift in the nature of urban space, or it could be a messy mixture.

I hope my colleagues in Mexico are paying attention though – and I will try to keep updated on what’s really going on beyond the corporate PR.

Facebook Places: opt-out now or everyone knows where you are?

Facebook Places… what to say? Most of the criticism writes itself because we have been here before with just about every new ‘feature’ that Facebook introduces, and they seem to have learned absolutely nothing from any of the previous criticisms of the way in which they introduce their new apps and the control users have over them. Basically, Facebook Places is just like Google Latitude, but:

1. instead of having to opt-in to it, you are automatically included unless you opt out; and (here’s the really creepy part),
2. instead of just you being able to tell your ‘friends’ where you are, unless you do turn it off, anyone who is your friend can tell anyone else (regardless of their relationship to you) where you are, automatically.

Luckily we know how to turn it off, thanks to Bill Cammack (via Boingboing).

When, if ever, will Facebook realise than ‘opt-out’ is an entirely unethical way of dealing with users? It lacks the key element of active consent. You cannot be assumed to want to give up your privacy because you fail to turn off whatever new app that Facebook has suddenly decided to introduce without your prior knowledge. Facebook is basically a giant scam for collecting as much networked personal data as it can, which eventually it will, whatever it says now, work out how to ‘add value’ to (i.e.: exploit or sell), whether its users like it or not. And surely this is now the ideal time for an open source, genuinely consensual social networking system that isn’t beholden to some group of immature, ethically-challenged rich kids like Zuckerberg et al.?