Cyber-surveillance and control vs Internet rights

Sally Burch

07/09/2014

Opinión

^-A ⁺A

The Data Retention and Investigation Powers Act (or DRIP Act), which was rushed through the UK parliament in just one week in mid-July, with almost no debate nor input from the public, is a new and disturbing example of how the supposed threat of warfare and terrorism is being used to scare people into accepting the legalisation of mass surveillance and retention of their data. 'We face real and credible threats to our security from serious and organised crime, from the activity of paedophiles, from the collapse of Syria, the growth of Isis in Iraq and al Shabab in East Africa,' argued Prime Minister David Cameron in a bid to silence public opposition, while securing an agreement among the three main parliamentary parties.

This, of course, is not new: it took root in the US with the Patriot Act following the 9-11 attack and other countries followed suit to differing degrees. The UK had been applying the European Union's 2006 Data Retention Directive, alongside other national legislation, until the European Court of Justice ruled, in April of 2014, that such EU laws requiring communications providers to retain metadata across the board are invalid because they seriously interfere with fundamental privacy rights. The new UK law not only is designed to get around these EU limits, but also further extends some surveillance powers. For example, law enforcement officers can now access not just metadata but also the content of messages, even if they are held by companies outside the UK. However, the DRIP Act will be challenged in the courts on the initiative of two backbencher MPs together with the human rights organisation Liberty, arguing that it is incompatible with European rights norms that guarantee respect for private and family life and the protection of personal data.

With the rapid expansion of digital communications, the tension between, on the one hand, protecting civil liberties and the privacy of communications, and, on the other, preventing cybercrime, intellectual property violations, spamming and terrorist activities, is likely to be at the centre of initiatives to regulate cyberspace activity. These issues bring conflicting interests into play, so it has become urgent to open up a broad public debate (both nationally and internationally) with respect to the direction the technology is taking and the implications for human rights and for democracy itself. Otherwise, we may well face a series of faits accomplis once it is too late to change course.

Of course, people need protection against bank fraud, destructive viruses or terrorist attacks, while excessive spamming is a real nuisance and slows down Internet traffic. But such factors need to be addressed in proportion to their real relevance and risk level, subjected to judicial oversight, and balanced against the dangers of submitting the entire population to blanket surveillance, forfeiting their right to privacy. It does not normally justify inventing 'new' crimes and sanctions; whatever is a crime in the real world should also be a crime on the Internet. Modalities, of course, may change, especially with new techniques for surveillance and detection, but in the last resort, the public interest should take precedence. Otherwise, there is a risk of continually increasing the levels of indiscriminate surveillance and control over the whole population, under the pretext of preventing a few crimes. It is simply too high a price to pay.

This is further complicated by the fact that mass data storage and data mining has the potential to concentrate power in the hands of those (whether governments or private companies) with the capacity to hoard and process them; a power which could be used for political, economic or military benefit, and which experience shows can be contrary to the public interest.

Concentration

Barely two decades have passed since the Internet took off as a global and publicly accessible system, and with extraordinary speed became part of the daily routine of more than a third of humankind. Around this technology, our societies are rapidly reorganising in almost every sphere. Already, life without digital technologies is almost unthinkable, and yet we are barely at the initial steps of our digital future. Moreover, it is happening so fast that it is very hard to grasp the implications. But while the fascination with the technology and its applications continues to spread, the utopic vision of the early pioneers of the Internet is fast giving way to pragmatism or disillusionment.

To a large extent this is because, although initially conceived as an open, decentralised and non-commercial sphere, the last two decades of commercialisation of the Internet have led to levels of concentration and centralisation that few people could have envisaged, a phenomenon in part deriving from the nature of the technology itself, and in part from the absence of policies adopted to counteract it.

On the one hand, there is technological concentration, illustrated, for example, by the immense international fibre-optic cables that interconnect countries.1On the other hand, content and personal data is being concentrated in huge servers, including digital social networks, 'cloud' data storage services, search engines that track and remember personal data and behaviour, or companies and security agencies specialised in collecting 'big data' and using it to establish profiles of users, among others.

The revelations made by Edward Snowden concerning espionage by the US National Security Agency (NSA) confirm how the uses of this information include such questionable practices as spying on foreign diplomats in order to gain advantage in international negotiations or compiling data on the intimate lives of foreign political leaders with a view to using it for blackmail to gain their compliance or publicly discrediting them if convenient. Similarly, at the business level, it has come to light that certain data aggregator companies create profiles of users, including their vulnerabilities (such as sensitive health data), that they sell to other companies that can use them to target consumers and exploit them more effectively.2

If this is already happening with the digital trails people leave as they intercommunicate and navigate the Internet, how much might it intensify when the 'Internet of things' becomes fully operational? It is estimated that barely 1% of the devices apt to have an IP address (Internet identifier) actually have one at present. In the near future, almost every new gadget we buy will be part of the Network, creating a grid of instruments recording what goes on in our homes and private transport, while public spaces will be monitored with multiple forms of identification and surveillance apparatus, way beyond the present CCTV security cameras. This will, of course, bring with it a number of advantages, but it will be increasingly difficult - and inconvenient - to try to switch off or opt out. Unless adequate controls, protections and informed user options become mandatory - contrary to the present trend - there is a danger that this infinite data will accrue even greater power to the few public or private entities with sufficient capacity to compile and process such huge volumes of information.

In his latest book No Place to Hide: Edward Snowden, the NSA, and the US Surveillance State,3 journalist Glenn Greenwald reveals how the NSA has convinced (through bribery, co-optation or voluntary alliances) no less than 80 global entities to act as partners in stealing information. These include Intel Corp. (producer of 50% of electronic chips), CISCO (the largest router producer), Oracle (databases for banks etc.), IBM (mainframe computers), HP, Microsoft, ATT, etc. The credibility of these companies has been seriously impaired but they continue to control a major part of the digital economy. Are we to trust them with the devices and applications we install in our homes and workplaces?

Legal frameworks

The great majority of people who use digital technologies have not felt concerned, until recently, about who manages or controls them, and how. But following the recent revelations by Snowden, awareness is growing that this issue is indeed important. However, while digital technology advances at exponential speed, the legal frameworks, rights and the mechanisms to guarantee their enforcement move at the pace of the analogue world. In fact, this is generally necessary to ensure adequate public debate and input (precisely what failed to happen with the UK law bill).

Obviously, the United States is not the only country to engage in surveillance and data retention, and all countries need to establish clear guidelines and practices on what is allowable, under what conditions, and what is not, in order to protect their citizens. The European Union and some countries such as Germany and Brazil have taken significant steps along these lines that could serve as a model.

The Brazilian Civil Rights Framework for the Internet, adopted by Congress in March 2014, which is centred on protection of citizens' rights, sets an important example of policy designed in the public interest. It was negotiated over a period of some five years and drafted mainly online in an open process by civil society actors. One of its main achievements was to shift the central focus from one of combating crime on the Internet to one of defence of human rights. This was a major turnaround since the initial proposals in Congress were centred on criminal activity such as bank fraud, paedophilia or unauthorised downloads of copyrighted material.

Some of the outstanding elements of this law include:

* protection of net neutrality (that is, equal treatment of data packets, independent of their origin or destination, so as to avoid content discrimination)

* guarantees for freedom of expression of network users. This includes exempting service providers from the responsibility of censuring user content. (In cases of libel accusations, due legal process must be followed, i.e., the courts decide, not the Internet service provider)

* protection of user intimacy, implying that firms operating in Brazil must develop technical mechanisms to ensure the privacy of communications. It is also illegal to hand personal data over to third parties without the users' informed, explicit and free consent.

The only clause that has provoked a strong rejection from those who defend user rights is the obligation for communications providers to retain communications data for six months.

Of course, national legislation can only partially resolve the protection and rights of citizens in the digital realm, given the global nature of the Internet, but it is an important starting point. At the international level, there is still no body with a clear mandate to address these issues, except at technical levels, and the ongoing debate on how to do this is far from resolved.4

Militarisation

Undoubtedly, the concentration of power arising from the control of technology, information flows, data mining and the knowledge derived from it, creates conditions for hegemonic control over the entire system. At present, this control is in the hands of the United States, arm-in-arm with a handful of US mega-corporations of the sector (Google, Yahoo, Amazon, Facebook, Microsoft, etc.). And this has geopolitical and ultimately military implications. Through their domination of cyberspace, in a sense, the US has expanded its borders across the geography of the planet, at least in this dimension of reality, exacerbating the dependency of other countries. This can also generate forms of neo-colonialism, such as the way Facebook intermediates personal relationships or how Google search algorithms determine what information is most available to people across the world and what remains hidden.

As the United States consider they have great interests to defend globally (generally more closely identified with those of economic power groups than of their people), the US government deploys every means within its reach for that purpose, which means bringing into play their vast superiority in technology and knowledge, in particular in the military domain. Thus, at the beginning of this century, the Pentagon developed its renewed military strategy of 'full spectrum dominance'. Among other things, this involved a detailed systematisation of each and every level or area of the spectrum where a potential enemy might be hiding. Outer space, the atmosphere, oceans, land surface, the subsoil, public and private spheres needed to be surveyed through panoptic mechanisms, including CCTV cameras, spy chips, centralised data systems, etc., differentiated according to the type of domain, social class of the area, etc.5 And to implement that, they have dedicated all their technological might.

Since 2001, the US has invested more than $500 billion in intelligence. A first obstacle they had to overcome was their own laws, which limited, to a certain degree, their margin for manoeuvre. Thus, the adoption of the Patriot Act virtually eliminated barriers to surveillance, even on their own citizens. A next step was to override international law with their thesis of preventive war. From the wars in Afghanistan and Iraq, they went on to invent drones as killing machines, and to the implementation of preventive cyber-attacks.

It is in this context that the indiscriminate and massive surveillance practised by the US needs to be understood: not simply as anti-terrorist action or prevention and investigation of criminal activity, but as a key component of the militarisation of cyberspace and full spectrum dominance. Surveillance is the first step for a cyber-attack, since it makes it possible to identify targets. Moreover, many of the technologies developed for mass surveillance can also be deployed to organise such attacks (such as taps on fibre cables, deliberate weakening of encryption standards, backdoors on security, etc.).

From Snowden, we learn that in just one year, 2011, the US carried out no less than 230 offensive cyber-attacks. Moreover, the US is not alone in this game. Snowden has documented the partnership among the so-called 'Five Eyes' (the US, the UK, Canada, Australia and New Zealand) which, together with Israel, have compromised global communications systems, converting them into a war machine. There are also estimates that at least 30 governments have developed offensive capabilities and doctrines for the use of cyberweapons,6 notably including Russia and China.

The US has explicitly stressed that cyber-attacks are an integral and necessary component of its cyber-defence strategy. Part of the logic behind this is that, in the digital realm, offence is cheaper than defence. Although offensive cyber-attacks by nation states are still much less prevalent than cyber-espionage, in the framework of global relations, a defence policy based on attack, rather than on protection measures and international law, carries a higher risk of escalating into open conflict. The Internet (or areas of it) could become hostage to such conflict situations.

At present, there are essentially no existing international agreements that would restrain cyber-warfare, and although there have been proposals to that end in the UN, there has been no consensus on even negotiating them.7 Considering the escalation of cyber-offence capacity and the need to guarantee cyberspace as a peaceful domain, at the recent Group of 77 + China summit (Santa Cruz, Bolivia, June 2014), the Just Net Coalition of civil society groups and activists circulated a briefing paper proposing the need for a treaty to restrict cyberwar and to ensure that networks, and in particular the public Internet, are not used for offensive military purposes. To quote from the paper:

'Cyberspace is being increasingly used for offensive military operations, often covert, often directly against states that are not engaging in conventional military operations. That is, a state might be subject to a cyber-attack even if it has not itself engaged in any kind of military offensive.

'The most powerful and richest nations are devoting increasing resources to both defensive and offensive cyber-warfare capabilities, often in secret. This creates an imbalance of power and can encourage those powerful states to engage in offensive cyber-attacks, which might have unforeseen consequences, including conventional retaliation or retaliation by guerrilla tactics (including what is commonly referred to as terrorism).'8

Just Net considers that humanity's increasing dependency on the Internet and digital technologies in almost every sphere of activity makes it a crucial matter to protect cyberspace from militarisation and to build a culture of cyber-peace.

- Sally Burch is a British journalist based in Ecuador, where she works with the Agencia Latinoamericana de Informacion - ALAI. She has written extensively on Internet-related issues and was co-coordinator of the Civil Society Working Group on Content and Themes for the first phase of the World Summit on the Information Society (2002-03). She is ALAI's delegate on the steering committee of the Just Net Coalition.

Endnotes

1. These cables have made spying by the US National Security Agency (NSA) much easier, since by intervening barely 190 data centres, they can monitor almost all the world's information flows, on the Internet, phone lines, etc.

2. See, for example: Catherine Crump and Matthew Harwood, 'Coming Soon: The Surveillance of Everything', 1 April 2014, http://www.alainet.org/active/72608.

3. Glenn Greenwald, No Place to Hide: Edward Snowden, the NSA, and the US Surveillance State, Metropolitan Books, May 2014.

4. See the articles by Michael Gurstein, and Prabir Purkayastha and Rishab Bailey in this issue.

5 See Ana Esther Ceceña, 'La dominación de espectro completo sobre América', 28 January 2014, http://www.alainet.org/active/70829.

6 See Joseph S Nye, 'The Regime Complex for Managing Global Cyber Activities', Global Commission on Internet Governance, May 2014, http://www.cigionline.org/publications/regime-complex-managing-global-cy...

7 The UN Group of Governmental experts did agree, in principle, in July 2013 that the UN Charter and Law of Armed Conflict would be applicable to warfare in the cyber domain. But there is as yet no definition of what would constitute cyber-warfare. Also, the International Telecommunication Union (ITU)'s 2012 treaty on International Telecommunication Regulations calls for cooperation to improve network security, but this treaty has not been signed by most developed countries. Such cooperation could conceivably act as a restraint on some types of cyber-attacks, but the scope of ITU is limited to peaceful use of telecommunications.

8 http://justnetcoalition.org/notes-need-cyberpeace-treaty-english

Article published in Third World Resurgence No. 287/288, TWN, July/August 2014, pp 42-45

http://www.twn.my/title2/resurgence/2014/287-288.htm

https://www.alainet.org/es/node/103123