nothing to hide, nothing to fear? · pdf filenothing to hide, nothing to fear? a report into...

NOTHING TO HIDE, NOTHING

TO FEAR?

October 2014

Nothing to hide, nothing to fear? A report into mass surveillance on behalf of F-Secure.

2 / 21 Copyright © 2014 F-Secure Corporation. All rights reserved.

An investigation by the Cyber Security Research Institute has revealed that the UK is sliding fast into a surveillance state. The repercussions may be impossible to reverse unless immediate steps are taken to regulate the activities of companies and the Government itself.

Already as a result of what whistleblower Edward Snowden revealed about widespread technological abuses by

the US listening agency NSA and its UK equivalent GCHQ, and as a result of the UK tabloid newspaper phone-

hacking scandal, there is evidence of a change in personal behaviour in response to raised technological

awareness.

Drawing on a series of interviews with senior figures in Government, the privacy community, businesses

working with the Government on the development of its information systems, individuals within the financial

service industry who have worked with the Government on its information systems, former intelligence agents

and senior political figures such Sir Malcolm Rifkind, the chair of the intelligence and security committee, the

CSRI report demonstrates a worrying lack of political control or understanding about the surveillance world

that has now developed.

Just how significant the surveillance culture has become is shown by attitude surveys taken ‘before and after’ of

The Snowden Effect:-

In an ICM poll for The Guardian in 2004, 72% of respondents would swap some privacy for security, 65%

thought that the intelligence services should have access to emails and phone calls with no questions asked

and 63% were happy that the police had these same powers.

By 2013 – a year after the Snowden revelations – a YouGov/Cambridge University survey showed that only

43% of those polled agreed that the government and security services should have the right to intercept

communications of British citizens, and 49% thought they should be allowed to hack into the messages of

foreigners.

http://image.guardian.co.uk/sys-files/Guardian/documents/2002/09/06/privacy3.pdf#page=1

http://image.guardian.co.uk/sys-files/Guardian/documents/2002/09/06/privacy3.pdf#page=1



In a new survey commissioned by the report’s authors in October 2014, we can reveal that public disquiet

about mass surveillance is spreading rapidly:-

86.5% of those questioned disagree with the British Government conducting mass surveillance

82.2% of people surveyed are concerned about mass surveillance

Less than a third (32.3%) are aware that the Government is tracking their digital data

Three-quarters (77.85%) are concerned about the consequences of having their data tracked.

Only 14% of people believe the Government should have access to everyone’s personal data for the

sake of public security.

Only one in ten (10.45%) of people think mass surveillance is a good thing.

Despite all of this, only 3% of people of people have taken steps to ensure the Government can’t track

them

Two thousand adults were questioned on 10th-13th October 2014 by Vital Research & Statistics

Growing concern over a growing snooping culture

Worries about surveillance have prompted hundreds of people to seek out training in how to protect personal

data. A ‘crypto party’ held at London’s Shoreditch Town Hall by the campaign group Don’t Spy on Us in June

2014 was so over-subscribed that hopefuls had to queue round the block, and similar events attract big crowds

elsewhere.

This growing awareness of a ‘snooping culture’ has had a commercial impact on American cloud computing

companies, with research carried out for The Independent newspaper indicating that two technology firms –

Cisco and Microsoft have lost $1.07 billion worth of business because companies fear that cloud servers

in the USA will offer access to the intelligence agencies.

In Edward Snowden’s latest statement, he warns that the British Government is even worse than its American

counterparts, since the Founding Fathers of the United States of America enshrined in law certain rights which

the Brits – with no written constitution – cannot claim.

Speaking via Skype at the Observer Ideas Festival, held in central London, Snowden said there were “really no

limits” to GCHQ’s surveillance capabilities.



He said: “In the UK … is the system of regulation where anything goes. They collect everything that might be

interesting. It’s up to the government to justify why it needs this. It’s not up to you to justify why it doesn’t …

This is where the danger is, when we think about … evidence being gathered against us, but we don’t have the

opportunity to challenge that in courts. It undermines the entire system of justice.”

Amongst the different technologies and

applications used by Western intelligence

agencies to snoop on email, phone calls, web

searches, social media and geo-location are:

Prism, Tempora, Echelon, Frenchelon, Fairview,

MYSTIC, Carnivore, Optic Nerve, Quantum

theory, World of Warcraft, Nosey Smurf, Dreamy

Smurf, Tracker Smurf, Edgehill, Dishfire,

Stoneghost, Squeaky Dolphin, Royal Concierge.

Mass data collection

Government and commercial companies

also hold vast databases of personal

information. In 2004, Privacy International’s

founder Simon Davies compiled a composite

picture of all the databases (70) holding

information on a typical person – Janet

Sykes, a married mother living in London.

They include commercial companies, as well

as local and network services. In the ‘private

sector’ portion of the infographic, for

example, are store loyalty cards. Developers

who created the Tesco supermarket loyalty

scheme told CSRI that it is possible to predict

political allegiance and voting behaviour based on Clubcard spending habits and food preferences, as well as

postcode location and demographic data, such as age and gender.

http://www.theguardian.com/flash/0,5860,785926,00.html



That was seven years ago. Interviewed for this report in October 2014, Davies estimates that those 70

databases are now likely to exceed 700. The amount and nature of the information held on each citizen will

increase dramatically during the winter of 2014 when the National Health Service rolls out its Care Data

programme. Intimate, confidential, lifelong healthcare details of each patient – identified by NHS number –

will be collected and stored by the new Health and Social Care Information Centre (HSCIC). The NHS website

says the aim is to provide better care, since medical records provide a pool of information that can be mined to

provide statistics that will lead to better preventative medicine and better outcomes for patients. Critics warn

that this new database would be valuable to insurance companies, banks and mortgage lenders and that

managers in cash-strapped NHS departments may view the patients’ information as a potential source of

revenue.

The aim, said Simon Davies of Privacy International and the Privacy Surgeon blog, is ‘total information

awareness’ (TIA) a concept that dates back to the drafting in 1983 of the Data Protection Act. “In Whitehall, it’s

a religion that dare not speak its name,” he says. But government departments are not allowed to share or

combine each other’s databases without permission. “If you combine databases, you completely change the

information because you change the context. But the bureaucrats are not getting this because they believe

that all data collectively or in isolation is there in the public interest and its use is in the public interest. They

think it’s their data because they collect it.”

Snowden’s leaks have shown that Internet Service Providers (such as Facebook, Google and Yahoo) have co-

operated with the intelligence agencies to breach users’ privacy. This means that social media are just as

untrustworthy as government filing systems when it comes to protecting privacy and anonymity. Even if the

spooks are not entering your social media profiles through a ‘backdoor’ there is still a general risk to privacy.

Cyber bullies, thieves who steal or fake nude ‘selfie’ pictures, trolls and stalkers can take advantage of systems

where the privacy settings, terms and conditions are not always clear and easy to understand. Technology

companies such as Facebook offer their services for free. And as former German intelligence officer Bjorn Rupp

points out in an interview with the report’s authors, “If you are not paying, then you are not the customer.”

Their business models rely on selling your personal profile to advertisers and so they will naturally try to lure

you into disclosing more and more personal information in order to deliver tightly-targeted marketing

messages to your timeline.

Facebook – with or without a ’backdoor’ for the intelligence agencies – is also useful to governments. For

example, the German Government’s census officers proposed including some extra questions about citizens’

lifestyles in the standard questionnaire. But this caused an outcry from civil liberties campaigners. So they



quietly dropped the extra questions and instead took the information from publicly available data on Facebook

and other social media.

In Britain, the current reality is that the vast majority of people – those who pay taxes, have children attending

state schools, use the National Health Service, take out a student loan, draw a state pension or other benefits –

are tracked by the network of databases that administer these services. When the current complex benefits

system switches to Universal Credit in the next few months (2014-5), the aim is to make 82% of all transactions

online – saving public money on offices, staff and paper-based communications. The Government’s Digital By

Default scheme is also moving to online – Directgov, the official portal, provides a one-stop shop for people

trying to access services or information. Does it also offer a one-stop shop for the police and spies where

different categories of data may be combined? After many IT disasters wasting millions of pounds of taxpayers’

money, can we trust the new system? Graham Stringer MP, a member of the Science and Technology

Committee overseeing the Digital by Default programme, told the researchers he has concerns:

“There are two big risks as far as security is concerned. One is the risk to the whole system – whether it’s

medical records, National Insurance records – anything where they access public services – could be stolen

and used for illegal purposes or for commercial benefit. It’s very difficult when you’ve got an open system to

keep it really secure.

Secondly, there is the possibility of ID theft and there is also the difficulty in establishing a person’s identity

within the system – so those are all problems that have to be overcome.

We were exploring with experts from the technology industry ways to overcome the problems and warning the

Government that they had better be very careful. You can make systems as watertight as can be – but if

the people who are delivering it are dishonest in any way then the information can go walkabout.”

If we add to the data held in cyberspace all the legacy paper records, and the geo-locational information

provided by surveillance cameras, the authorities will have the means to track everyone, everywhere – whether

or not they are behaving suspiciously. The UK now has an estimated one surveillance camera for every 11

people in the population, according to a study published on 16th October 2014 by the British Security

Industry Authority. That’s 5.9 million CCTV cameras.

By comparison, in the totalitarian police state of East Germany (German Democratic Republic or GDR) for every

65 citizens, there was one informer covertly working for the Stasi secret police (Staatssicherheit).



Press surveillance

Among the small proportion of people who are tech-savvy,

many are now taking steps to protect their data from mass

surveillance. The report’s authors have both first hand and

personal evidence of people turning off their mobile phones

and moving away from mobile devices and computers to hold

personal conversations due to eavesdropping fears. This

behaviour is becoming common among journalists,

technology and financial sector workers. While it may be

viewed as paranoia, recent revelations, such as the police

abuse of the Regulation of Investigatory Powers Act to attempt

to uncover journalists’ sources, would appear to indicate some

justification for the practice.

It is a problem that was identified by the current Information

Commissioner Christopher Graham.

Speaking in an interview with The Daily Telegraph on the 7th of

January 2013, the Information Commissioner raised concerns

that the proposed reforms to data protection laws would allow

the subjects of stories access to information which journalists

hold about them. Experts fear this could lead to anonymous

sources being identified.

Mr Graham said: "We acknowledge the importance of ensuring

that data protection legislation does not undermine the work of the press and implications it can have for

freedom of expression.

“The area of subject access is particularly problematic in that there are legitimate concerns about the 'chilling

effect' Lord Justice Leveson's inquiry into journalists’ phone-hacking might have on investigative journalism.

This area will need very careful consideration. This, again, is a matter of balance of interests and is ultimately a

matter for Parliament."



Indeed, Guardian journalists working on the information provided by Snowden were forced to take

unprecedented but justifiable steps to carry on with their work in the face of direct government attempts at

intimidation.

Those steps involved using completely sanitised IT equipment in an ‘air-gapped’ room that had no windows.

The Guardian editor Alan Rusbridger publicly detailed the extent of the intimidation, including details of visits

from the security service agents who pointed out to him that cups of water could be turned into listening

devices.

Spreading fear

The fear of government

surveillance is now spreading

into the business community,

with a marked increase in

encryption beginning to

occur, as demonstrated by a

sharp uptake in the use of the

encryption system known as

Tor (an acronym historically

formed from ‘The Onion

Router’) and an increase in the

people using encrypted

Google Gmail, despite the

revelations from the NSA whistleblower Edward Snowden that both the NSA and GCHQ had forced access to

data from Google.

Further evidence of the change in business behaviour caused by the Snowden revelations is a sudden increase

in attendance from businesses in ‘crypto-parties’, events put on by technology enthusiasts and computer

security companies to teach organisations and individuals how to secure their data.



The Don’t Spy On Us crypto party held at Shoreditch Town Hall, London, in June 2014 was sold out and saw

long queues develop on the street of people trying to get in who did not have tickets. Numerous other

encryption training events are now being held around the country – many at the request of local businesses.

In the past, these teach-ins have been attended by techies and geeks, but events this year have shown an

increase in attendance from businesses and people who previously had no interest in technology.

That there is a business backlash against government surveillance is underlined by the impact that the Snowden

revelations have had on the US cloud computing industry which has seen a significant fall in business use due to

fears of NSA monitoring.

According to some observers, this perceived business damage has been one of the drivers for the sudden

decision by Apple, Microsoft, Google, Facebook, Yahoo, and AOL in October 2013 to write an open letter to

the lead members of the Senate Judiciary Committee calling for additional oversight and accountability

mechanisms for the NSA’s spying programs.

The impact of the Snowden leaks on the business community and the growing backlash has not been

acknowledged by the UK Cabinet Secretary Francis Maude, whose department is responsible for keeping

Parliament and politicians abreast of computing developments and for the implementation of computing

programmes since it absorbed the Central Computing and Telecommunications Agency under John Major’s

Government.

“We utterly deplore what’s happened there and we don’t sense a great growing reluctance to interact with us.

People know that we need to be protected. It’s better if it’s done away from the public gaze but the truth is we

have strict legal constraints on what can be done and our agencies have proper surveillance, proper oversight

of what they do and I think people can be reassured that they behave properly,” said Maude in an interview with

one of the report’s authors for the PassWord radio programme.

For the police though, the impact of this backlash is very real, as can be seen by two events in October 2014: -

The call by Troels Oerting, the head of the Europol Cybercrime centre for enhanced investigatory powers to

deal with encrypted communications and an identical request from Keith Bristow, the head of the UK’s National

Crime Agency. Both of them say that they are now hampered by the increasing use of encryption and wish to

be given the ability to target the communications of criminals who are hiding behind the new coded systems

that more and more of the population are beginning to embrace.



The call by British police for greater powers – first raised earlier in 2014 by the UK’s top counter terrorism

officer Cressida Dick, the Metropolitan Police Service’s Assistant Commissioner, who said in June of this year

that the UK’s ability to deal with terrorism was being degraded due to the police’s surveillance powers being

“unable to keep up with the development of new communications technologies.”

However, the surveillance of the population is not confined to the activities of what some have claimed to be

‘rogue elements’ in the intelligence agencies. It is part of a general picture that includes a number of consistent

elements.

There is a lack of technological awareness in the public at large and particularly among politicians.

A lack of effective government over-sight over information gathering systems.

A technology industry that is unwilling to be transparent about the capabilities of the technology it

develops and the shortcomings of that technology.

A big business culture of snooping and employee surveillance.

An opportunism among certain groups and individuals in government to use data in unethical ways.

The deliberate development of a culture that is designed to use the perception of technological

surveillance to influence behaviour – as shown by the deployment of CCTV camera systems in towns

and cities and the use of traffic cameras to deter speeding and punish traffic offences.

The intelligence agencies’ growing dependence on technology

It is a surveillance world that is now about to be developed even further due to the rapid emergence of the

Internet of Things, which will see even more sensors added into our homes, streets, cars and wearable devices

that will often be directly linked to our mobile phones. This will mean an additional extension of government

monitoring of our lifestyles and our very bodies.

The overall picture of the development of an uncontrolled surveillance infrastructure which has the potential to

be re-engineered by the technology industry and the intelligence agencies is now presenting very real threats,

not just to our civil liberties, but also our future social development.

To flesh out exactly what is now happening, the CSRI has conducted research designed to coincide with the

release by Laura Poitras of CitizenFour, a film documenting the meetings between Snowden and The Guardian



that resulted in the series of articles in papers in Europe and the US detailing the extent of intelligence agency

snooping.

Further to that, it also shows that the technology community has tempted the population at large into this new

world without informing them of the consequences of their decisions. The technology industry has a vested

interest in not informing the public of the ramifications of what they are doing.

As pointed out earlier, the ID card system in Britain has failed and never really captured the public imagination.

Ironically, though, the population has virtually universally elected to carry an ID card in the shape of a mobile

phone. The mobile has greater powers than the architects of the ID card scheme could even dream of, allowing

it, as it does, to follow our movements, provide information on what we are doing physically and on the web, to

monitor our conversations and to even eavesdrop on our lives.

In the world of government, the mobile phone now presents unprecedented identification and administrative

capabilities that, when connected with the other surveillance technologies now in place, have ushered in a

world of monitoring that the East German Stasi could only have dreamt about. Their ability to spy was limited

by the technology of the time and included radiation tagging, and collecting dissidents’ underwear to create

‘smell jars’ so that sniffer dogs could be trained to recognise and track an individual’s body odour. Mostly,

though, the Stasi relied on its network of paid informants in every neighbourhood, workplace and school. Many

people who were wrongly accused or suspected have still not recovered – twenty-five years after the fall of the

Berlin Wall and the end of the GDR.

Julia Behrends is one woman who attracted the attention of the Stasi by having an Italian boyfriend. They would

joke about the authorities listening-in on their phone calls, with Julia ending “Good night – I love you, and

good night all.” But when she refused to become an informant – using her boyfriend’s job to get access to

Western computer technology – Julia felt the full force of the totalitarian state. Even telling her story years

later, to author Anna Funder for the book Stasiland, she still feels pain:

“It’s the total surveillance that damaged me the worst…I know how far people will transgress over your

boundaries, until you have no private sphere left at all. I think I am definitely psychologically damaged. That’s

probably why I react so extremely to approaches from men and so on. I experience them as another possible

invasion of my intimate space.”

From Stasiland – stories from behind the Berlin Wall by Anna Funder, published by Granta Books.



Perhaps it is too early to tell whether or not today’s mass surveillance will impact people in the UK like this.

Certainly in Germany there has been a loud outcry since the Snowden revelation that German’s Chancellor

Angela Merkel was subject to phone-tapping by the NSA on her own personal mobile, and the authorities are

taking steps to try to protect citizens’ digital rights. Chancellor Merkel has even called for the establishment of

a ‘new internet’ for Europe.

In the UK in 2014, the interviews carried out by the CSRI indicate that there are various competing ‘data

factions’ which set ministries against each other.

Specific instances told to the investigators were of competing policies in different ministries setting

departments against each other and of government departments charging money to other government

departments for access to their data.

Evidence gathered by the CSRI over a number of years also shows that a culture of data ownership on UK

subjects has led to ‘data hardliners’ viewing the personal data of individuals as the property of the state, rather

than confidential information held in trust.

This is a view backed up by Tony Collins, the former head of investigations for the technology bible Computer

Weekly, who in an article published in The Guardian in 2002 writing about large Government IT projects stated:

“Why should we worry? After all, the fate of all these projects will be decided by ministers accountable to

parliament and, ultimately, to the public. In reality, though, it is not the elected politicians who are making the

crucial decisions, it is their officials. Indeed, there is growing evidence that what used to be merely the

influence of civil servants is fashioning itself into control. At the same time, the ability of parliament to hold the

executive – both elected and permanent – to account has diminished dramatically.

“The machine of government is growing technologically more complex. Add to this complexity the

unbelievably labyrinthine rules, legislation, amendments and interconnected conventions governing the

operations of departments and it becomes clear that ministers who are in post for a relatively short time

cannot hope to understand the day-to-day running of their departments without the full cooperation of their

officials.

“In short, complexity has become a friend of Big Brother, because it delivers ministers who hold short-

term tenures into the hands of the permanent executives who never need submit to the uncertainties

of elections.”



Collins goes on to point out that: “In trying to the stop the nation edging towards a Big Brother state, civil

libertarians face hurdles that seem insuperable. Their arguments against the use of surveillance technologies

are weak compared to the arguments in favour of defeating terrorism, fraud, tax evasion and illegal

immigration. More tellingly, departments win larger budgets and gain kudos in Whitehall by installing new

centralised systems. Civil libertarian warnings about the loss of privacy will have a diminishing impact as the

power of the executive over parliament becomes more indomitable.

“In an increasingly technological world, a Big Brother state may be inescapable, an inevitable consequence of

the symbiotic relationships between commercial marketeers and the natural desire of bureaucracies to

consolidate and expand their centralised power. Both can achieve their aims through the installation of new

technology; and the interests of the libertarian come a very poor third.”

According to Simon Davies, the founder of Privacy International, this has led to an attitude of ownership of data

and projects among civil servants.

While this may or may not be true, it is telling that the politicians do not appear to be accountable in Parliament

for the failure of computing projects that were often started before they took office, nor do the bodies

responsible for oversight (such as the Sir Malcolm Rifkind’s Commons’ Intelligence and Security Committee)

appear to be fully briefed on the activities of the intelligence agencies.

As demonstrated by Sir Malcolm’s response to the Snowden allegations: “The focus of our inquiry has been: did

they break the law? Or attempt to break the law? And the answer is, for the reasons we specify in the report,

unanimously and unreservedly – no they did not. Everything else then becomes a question not for GCHQ but

for the Government and Parliament….and that is why we still have to give a considerable amount of thought to

the wider legislative framework.

“Of course the work we’ve done on the PRISM allegations happens to have arisen in the immediate aftermath

of the new powers which are invested in the legality of GCHQ. The question of access to fibre-optic cables and

so on – there has not been any suggestion that it happened illegally. The issue is whether it was desirable or in

any other way a legitimate public interest.“

Sir Malcolm’s response demonstrates that the committee responsible for monitoring GCHQ’s activities

was not fully aware of what it was doing. In Government, this is normally a cause for the chairman’s

resignation, but in this case that does not appear to have been considered.



Civil servants the deciders of policy

This hard-line data policy has led to numerous attempts to

create single identifiers for individuals to try to develop a

government version of the technology industry’s fabled ‘single

customer profile’ – a definitive file holding all the data known

about an individual. Other reasons given to the report’s

authors for the UK’s slide into a surveillance nightmare have

included a lack of overall government understanding of

technology – particularly among politicians – with the result

that UK surveillance has increased and the opportunities for

government ‘big data’ surveillance have also increased. The

irony here is that the opportunities for the use of ‘big data’ to

achieve government cost savings have been lost, due to the

failure of a number of government IT schemes, particularly in the Department of Health.

There are many examples that demonstrate this lack of hands-on technology knowledge. The most damning is

that the MPs who worked on the 2000 UK E-Commerce Bill had to be given an intensive two week crammer on

IT to allow them to get a grasp of some of the issues, according to an inside source.

The Bill’s most controversial section dealt with law enforcement issues and incensed civil liberties groups by

including wording which allows the authorities to serve a warrant or "decryption notice" on anyone they think

"appears" to hold the key to coded data. It also includes a "tipping off" offence which also prevents those being

investigated from speaking about their case – their only recourse being an appeal through a secret tribunal.

It is a picture that has largely not changed, a report by Cambridge University in early 2012 pointed out how few

science and technology graduates were MPs and that only two –Diane Coffey and Julian Huppert –held

doctorates.

As Collins has pointed out, Government shortcomings in the IT area have meant that there is an overall lack of

political oversight about the advances that technology has made in the area of surveillance – as evidenced by

the Snowden revelations and it is notable that Huppert leads the Lib-Dems’ response in the area.



Building ‘Big Brother’

The genesis of the UK Government’s experiment with technology systems can be traced back to the Thatcher

era as the Government sought to achieve understanding through IT and provoked the Prime Minister Margaret

Thatcher’s famous comment “garbage in, garbage out”.

For Thatcher, the technology needed to be over-hauled and the databases cleaned and made fit for purpose.

One controversial announcement was the Government Data Network (GDN) at the end of the 1980s, a system

allowing more than 40 government departments in central London to be linked together.

Mindful of potential claims that this was the start of a ‘Big Brother’ over-arching database, civil servants were

quick to point out that no data would be moved and that the data would stay within the departments that

‘owned’ it.

However, according to one former high ranking head of computing for a UK Government department, the

GDN simply creates one database from all of the stores of information in the various government departments

that can be searched across if you use the highest permission levels in the system.

This statement is made more credible by another former civil servant who had worked on the HMRC (tax)

system, who pointed out that any of these systems can, of course, be interrogated by the intelligence agencies

completely legally. That point was acknowledged by Sir Norman Lindop, the former chair of the Committee on

Data Protection, who died this year.

Sir Norman – who ironically disliked computers according to his obituary – said in a number of interviews that

the Committee had always considered the Government itself to be the greatest danger to privacy. He was

nonetheless forced to allow changes to his committee’s proposals that allowed the forces of law and order

complete freedom to ignore the legislation in pursuit of their activities in the 1984 Data Protection Act.

Sir Norman’s fears have come true. The Data Protection Registrar’s office set up as a result of the Committee’s

proposals has now mutated into the Information Commissioner’s Office and successive Information

Commissioners have now warned about the danger to civil liberties from a surveillance state.

In 2004, Richard Thomas, the Information Commissioner issued a statement that the UK was sleepwalking into

a surveillance society akin to Eastern Europe and pointed out specific concerns over the ability of the UK

Government to collect data on individuals.



In 2006, the Information Commissioner published a document called ‘A Report on the Surveillance Society’,

which fleshed out the Commissioner’s concerns about the move to what he described as ‘dataveillance’, the

assembly of information collected upon us from a variety of sources to produce a detailed picture of the lives of

every one of us.

The report was produced for the Information Commissioner by a group of academics called the Surveillance

Studies Network and was presented to the 28th International Data Protection and Privacy Commissioners'

Conference in London which was hosted by the Information Commissioner's Office.

In 2010, an update to the 2006 report was requested from the Surveillance Studies Network by the Home

Affairs Select Committee which showed that, while indicating that some safeguards had been introduced, the

potential of surveillance to intrude into our private lives had actually increased.

In June 2012, the whistleblower Edward Snowden revealed to the world the extent of the surveillance

technologies that have now been developed by the intelligence agencies that are nominally answerable to the

US and UK Governments. He confirmed the earlier worries of Sir Norman Lindop, the chair of the Data

Protection Committee and Information Commissioners Richard Thomas and Christopher Graham.

The next Government initiative

Within the next few weeks (November 2014), the Government will launch its latest joined-up initiative – the

first in a series of steps to provide online access to government services, according to our Government

sources.

According to sources in the financial community, a system called Government Digital Services Identity

Assurance Plan will allow people to access Government services online and will offer them the choice of

four organisations to prove their identity – the phone company Vodafone, the credit reference company

Experian, the Post Office and a Dutch company Digidentity.

The Government is expected to increase the number of identity suppliers in a second round of bidding for the

scheme. It’s a move which is likely to excite a debate over the ownership of identity.



This will also demonstrate the increased use of surveillance in our society, drawing commercial companies into

a relationship with the Government by using them to prove their identity. The inclusion of Vodafone in the

group will be particularly contentious, as it could lead to claims that identity is being proved by the mobile

devices that we use. That could lead to an interpretation that sees them as ‘pocket spies’.

Sources involved in the discussions over the development of the technology told the report’s authors that it

will use a series of questions that those wishing to use the service will answer, culled from data that they have

provided to the companies or data that is held on them by the companies.

The answers given will result in a probability score that the person answering is indeed the person her or she

claims to be. This data will be combined with data the Government holds to achieve a combined score.

The UK banking industry were asked to participate in the scheme but declined due to a projected 1p per

lookup fee and because the Government would not allow the combined data to be extracted and used by the

banks for credit scoring.

This development will serve as an uncanny echo of Margaret Thatcher’s Government Data Network, the over-

arching access system to Government data used by civil servants. The only difference this time is that the

system will now be used by the public.

Whether a record of the public’s internet interaction will be stored by the Government is not clear but the

earlier discussions with the financial community indicate that data can be held on the combined scoring of an

individual.

More importantly, according to experts contacted by the CSRI who are familiar with Government and financial

systems, the all-important meta-data generated by the information exchange with Government websites will

be available to the intelligence agencies under the existing projects revealed by Snowden, if they so choose.

Though, as already pointed out, the intelligence agencies already have a number of routes to access data held

in the public sector.

“GCHQ monitors network traffic and they hold meta-data for such a long period of time that, if they wanted to,

they could go back and piece it together,” said a former Government source.



Nothing to hide, nothing to fear?

According to a Government spokesman, its new internet engagement systems have been deliberately

developed in as transparent a way as possible and with the involvement of the privacy community in a bid to

allay surveillance fears.

In the US, similar identity verification systems have been developed that use authentication from Google to

prove that an individual is who they say they are. And if any government department – or any other online

database – gets incorrect, outdated or irrelevant personal data about an individual citizen, that wrong

information will stay in the system forever.

Unlike the rest of the European Union, Britain is refusing to comply with the ‘right to be forgotten’ ruling of the

European Court of Justice. And to reinforce its stance, Parliament rushed through a new law just before the

House rose for the summer 2014 recess. This gives police, security services and government departments the

right to retain data and re-use it many years later. Two MPs – the Conservative David Davis and Labour’s Tom

Watson – are seeking judicial review to overturn the measure – known as DRIP - and they have the backing of

the civil liberties campaign Liberty.

When Edward Snowden first spilled his secrets, the then Foreign Secretary William Hague coined a phrase to

reassure the public about mass surveillance: “If you have nothing to hide, you have nothing to fear.” Yet the

fallout from the Snowden Affair proves that hundreds of thousands of innocent people are right to be afraid of

the super-snooping system.

Journalists covering the story of the leaks were amongst those in the firing line. Snowden’s biographer, the

Guardian journalist Luke Harding, told the CSRI research team how his computer was hijacked by a person or

persons unknown.

“I was sitting in my home in Hertfordshire writing the manuscript and there were a few occasions where I would

write something disparaging about the NSA…like the damage that this had done to US tech firms and their

bottom lines and the text in front of me. It would self-delete from right to left with the cursor gobbling up the

chapter I was working on. It was bizarre. I wouldn’t say it was terrifying but it was odd because I was working

offline, I was storing all my documents in a Truecrypt folder, I was taking security precautions.



“This continued to the point where I was leaving little notes for my mystery reader/secret editor whoever he or

she was, saying ‘Look – I know you’re reading this stuff, but please don’t delete it.’ This went on for about a

month and then a Guardian colleague of mine mentioned it in the newspaper and it stopped.

“Now, I don’t know if it was the NSA or my old friends the Russians. [Harding had earlier been expelled from

Russia where he was working as a journalist]. All I know is that someone had broken in to my laptop. I think that

it was probably demonstrative to show that I was being watched, and perhaps disapproval of some of the stuff

that I was writing.”

Elsewhere, other journalists have been targeted by police using the Regulation of Investigatory Powers

Act or RIPA. The Act allows them to seize phones, computers or digital records without first convincing a

judge of the need to obtain this data and getting an official warrant. RIPA is now beginning to be used in

preference to the Police and Criminal Evidence Act (PACE) which does require a warrant to be issued.

Journalists never willingly surrender the data they have collected because they must protect their sources’

privacy and anonymity – a cornerstone of Britain’s free press. The Press Gazette in October 2014 reports on

four different cases involving police in Suffolk, Kent and two in Thames Valley. In each case, officers seized

journalists’ phone call records without a warrant. And a reporter from the Milton Keynes Citizen had a listening

device bugging her car.

The nature of modern surveillance means that people can find themselves wrongly accused because of

intelligence-gathering by computerised systems which base their suspicions on algorithms, racial profiling or

other lifestyle characteristics. One recent example was the arrest of five members of the personal staff of

President Pervez Musharraf of Pakistan as they arrived in the UK in a flight from Barcelona where there had been

a terrorism scare.

Others who may indeed have something to fear are

the growing number of campaigners joining protest

groups such as Don’t Spy on Us, its American sister

organisation Stop Watching.us, human rights

charities like Amnesty, Privacy International and

Liberty or e-petition websites such as change.org,

38degrees and avaaz.org. There are creative

protests too, such as the interactive badge (pictured

here) created by design agency Superflux. The badge



flashes up ‘trigger’ words which excite the attention of the authorities, culled from SMS messages sent by the

wearer and transmitted to the badge by Bluetooth. Read more details about the Superflux Open Informant

campaign at www.futureintelligence.co.uk/whos-watching-the-watchers.

On an individual level, those in the know are buying encryption services such as Virtual Private Networks

(VPNs), an example being F-Secure Freedome, or attending ‘crypto parties’ and learning how to use privacy

and anonymity tools, such as Truecrypt or PGP email (it stands for Pretty Good Privacy). They might choose

Mozilla’s Firefox browser as an alternative to Google MSN or Yahoo – all of which are implicated by Snowden as

collaborators with GCHQ and the NSA in mass surveillance. Firefox also offers a free app called Lightbeam that

shows in real time which companies are sharing information about your preferences every time you search for

anything on the Internet. The Onion Router (TOR) is another option that provides anonymity.

Technology companies, police and politicians argue that encryption stands in the way of fighting cybercrime

and terrorism. They would prefer to have unfettered access to all our communications, for commercial,

political and operational reasons. Two years after Snowden’s leaks, internet users are finally wising up to the

fact that they carry spying devices in their pockets and handbags. GPS satellites are tracking them, sensors in

the home and environment and millions of CCTV cameras are all compiling databases on their every move. In

Britain today, there is no need for undercover police officers to infiltrate civil society like the East German Stasi.

The fact is that we are bugging ourselves, with our wi-fi-enabled tablets and smartphones always on –

tweeting, messaging, poking and sharing – shedding data like we shed skin.

Allen Scott, managing director or as he calls himself ‘Chief Digital Freedom Fighter’ of the Finnish company

F-Secure – which sponsored this research – puts it like this: “We are returning to tribal society, you know – in

tribal society people were naked in front of you and now we're naked in front of the whole world. So, actually,

we've gone full circle and the internet has exposed everything that we're doing. It's happened so quickly –

human beings don't adapt that quickly. When Tim Berners Lee invented the Web it was a single page of http:/.

Now it's millions of applications, billions of bits of data. In the last two years, there's been more data created on

the internet than there was in the entire universe before that.”

http://www.futureintelligence.co.uk/whos-watching-the-watchers



What happens next? The Snowden movie ‘Citizenfour’ is now showing in cinemas as an entertaining way to

raise awareness with friends and family. As well as watching the movie, there are opportunities to invest in

training and products that will protect our digital rights. On the political level, the British Government is

investing in even more data collection through the National Health Service medical records, Universal Credit,

Identity Verification and Digital by Default.

Big Brother is about to get much bigger: do we really have nothing to fear?

More Information on F-Secure Freedome

F-Secure Freedome is a super-simple security and online privacy solution. Freedome has the most sophisticated security features – VPN, anti-virus, anti-tracking, and anti-phishing. With the push of a button, Freedome protects your online privacy.

When you connect to the Internet, your device is assigned a unique IP address. Freedome masks your IP, so you can surf anonymously under the protective F-Secure network. All that is precious – from identity to location – stays hidden and private.

Freedome scans for malware, tracking cookies and other online baddies. You're protected from harmful sites, trackers and apps that want to forward your data without you knowing about it.

Freedome creates a secure, encrypted connection from you and your device to the F-Secure network. It makes your connection invisible in the wi-fi network and your data unreadable. So, even if someone tries to scan what's up, they can't tap into what's yours.

When you surf the net, data collection companies track your online activities and sell your data to advertisers. Freedome blocks these trackers so you can browse anonymously and freely.

To get F-Secure Freedome FREE for three months:

Download the app from Google Play or the App Store, go to Menu > Subscription > Have a Code > enter cnt5nze8.

nothing to hide, nothing to fear? · pdf filenothing to hide, nothing to fear? a report into...

Documents