The pervasiveness of digital technology has exponentially increased the potential for intrusions into personal privacy, but users are often unaware of how their actions - and the data they inadvertently share - put them at risk.
Privacy in the digital age is a controversial and often misunderstood concept. The current pervasiveness of digital technology has exponentially increased the potential for intrusions into personal privacy – whether by state security forces or by corporate actors seeking a competitive advantage. While there is, in some places at least, legislation that protects privacy, (e.g. the EU’s General Data Protection Regulation - GDPR) what is considered to be private by individuals and what is actually legally protected as private can differ.
The impact of privacy on individuals and social movements
Data is power. In the same way that we may use our own personal data to make very important decisions in our lives, it can simultaneously be used by others to influence our decisions and shape our behavior. It is no secret that governments and the private sector, especially the Silicon Valley giants of Google, Apple, Facebook, and Amazon, use our personal data to exert influence over us - leading to serious concerns about privacy violations. The Cambridge Analytica scandal is one recent example that shows how personal data has been used in an experiment to shape our behavior and decisions. During the 2016 US presidential campaign, the data of an estimated 87 million Facebook users was shared with Cambridge Analytica, which used the data to influence voters. Additionally, personal data collected by an individual for private reasons may ultimately be used as an excuse to deny them access to goods or services. If you’ve undergone genetic testing, for example, some insurance companies may request access to this data to determine your eligibility for long-term care coverage
"Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say." - Edward Snowden
Recently, the US State Department has requested the right to access the social media handles of foreign visa applicants. Privacy advocates argue that such a data collection exercise is not about "making America safe again" - as terrorists are unlikely to tweet about their next plan of terrorist attack. Accessing social media accounts - and the corresponding implications for privacy - is instead about stifling freedom of expression, and deterring participation in social movements.
Such a link between personal data collection and its chilling impact on social movements is not hard to see, especially after the Arab Spring, when many governments have been aggressively violating the privacy of their citizens to prevent the spread of social movements - particularly those that are deemed critical of the government. To assist them in their efforts, many countries have been shopping for sophisticated cyber-surveillance systems and zero-day hacks. For example, BAE systems is a British multinational company known for selling these tools to countries such as Saudi Arabia, UAE, Qatar, and Morocco. "You’d be able to intercept any internet traffic. You could pin-point people’s location based on cellular data. You could follow people around," said a former employee of BAE. A Tunisian intelligence officer who used the software confirmed that "you put in an opponent's name and you will see all the sites, blogs, social networks related to that user."
Misunderstandings Around Privacy Violations
There are a lot of misunderstandings about privacy, especially around one issue in particular - metadata. Metadata means "data about data." It is defined as the data that gives information about the actual data. Some apps use it to summarize basic information about data, for example the time and date of data creation, the author of the data, or the location of a computer network where the data was created. While some might have considered this data to be innocuous, following the Edward Snowden revelations there was increasing alarm about how such data would be used, when it was revealed that telecom companies such as Verizon were required to hand over this metadata to the US National Security Agency (NSA).
One of the greatest threats of "metadata" is that one does not need the content to reveal the full extent of what sort of communication is taking place. An experiment from Stanford University that examined the phone metadata of about 500 volunteers over several months shows that basic telephone metadata – information about calls and text messages, such as time and length – can reveal an unexpected amount of personal detail. "I was somewhat surprised by how successfully we inferred sensitive details about individuals" said study co-author Patrick Mutchler. For example, one participant had a long call with her sister. Two days later, she placed a series of calls to the local Planned Parenthood location and made another long call to the same center a month after. Even though the researchers did not intercept the call (the data itself) they deduced that this participant was most likely scheduling an abortion.
In another context, mobile phone usage patterns by activists may arouse suspicion by governments about their activities. This might include situations in which groups of activists simultaneously switch off their phones while assembling at a particular location, or if known activists noticeably refrain from communicating with one another for extended periods of time. While a mobile user may believe that they can simply turn off their phone and their privacy will be protected, the very act of turning it off can itself be considered as metadata. Governments, either via the user data they request or are willingly given from telecom companies, may speculate that they are organizing a protest or some other kind of activity, leading to potential retaliation, imprisonment or even torture.
Another important concept related to metadata that has been used to obstruct privacy is the social graph. Basically, a social graph is a representation of interconnections of relationships in an online social network. A 2013 New York Times article described how the NSA correlates 164 ''relationship types'' to build social network profiles of individuals using queries like ''travelsWith, hasFather, sentForumMessage, employs." If you are talking to someone who is under the attention of the government, then you might as well give up any idea that your own actions aren’t also being tracked. It doesn’t matter if this person is your partner or someone you barely know.
Gaps to Reduce
One might ask why after all this effort made by civil society to emphasise the importance of privacy we still do not have good tools to protect our data? We believe there are two complex problems to that that are resumed into gaps between communities:
One of these gaps is the lack of communication between users and developers. Even though tool developers aim to enhance the security and the privacy for the users, there is often no real contact between these two groups. Conferences and events that discuss and train on encryption techniques for social movements like RightsCon, the Internet Freedom Festival, and the Internet Governance Forum (IGF) almost never take place in countries where the risks for internet-based social movements are the highest. It is even harder for these two groups to meet when security tools are banned in the places where they may be of most value: Signal is banned in Afghanistan and Egypt, Tor is illegal in Iran.
There is also a gap between academia and the users. When the latter tries to evaluate the tools they are using to see if they can trust them, they are unlikely to read academic papers. One of the causes is that academic papers have impenetrable jargon - written by experts for experts, and conferences where these papers are discussed tend to be selective, expensive, and do not cater to non-experts in the subject.
Today more than ever we are witnessing an arm wrestle between those who work for privacy and those who are against it. Digital rights activists are making great efforts to tackle this problem: tools are being developed (e.g. Signal, Tor) by hacker and developer communities, privacy-friendly protocols are being written by academia, and laws are being pushed by several NGOs. However, despite these positive steps, there are still significant gaps between what is needed and what is offered. Individuals, NGOs, and activists need to remember that everyone is a potential target of surveillance. Privacy is more important than we may think it is, and we all should fight for it.