Archive for the 'Privacy' Category

Bruce Schneier’s next book

[link] Wednesday, October 15th, 2014

Title: Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World

Publisher: WW Norton

Publication date: March 9, 2015

Table of Contents

Part 1: The World We’re Creating
Chapter 1: Data as a By-Product of Computing
Chapter 2: Data as Surveillance
Chapter 3: Analyzing our Data
Chapter 4: The Business of Surveillance
Chapter 5: Government Surveillance and Control
Chapter 6: Consolidation of Institutional Surveillance

Part 2: What’s at Stake
Chapter 7: Political Liberty and Justice
Chapter 8: Commercial Fairness and Equality
Chapter 9: Business Competitiveness
Chapter 10: Privacy
Chapter 11: Security

Part 3: What to Do About It
Chapter 12: Principles
Chapter 13: Solutions for Government
Chapter 14: Solutions for Corporations
Chapter 15: Solutions for the Rest of Us
Chapter 16: Social Norms and the Big Data Trade-Off

Something to be pre-ordered, methinks.

Even if you’re not on Facebook, you are still the product

[link] Sunday, October 5th, 2014

This morning’s Observer column:

The old adage “if the service is free, then you are its product” needs updating. What it signified was that web services (like Facebook, Google, Yahoo et al) that do not charge users make their money by harvesting personal and behavioural data relating to those users and selling that data to advertisers. That’s still true, of course. But a more accurate version of the adage would now read something like this: if you use the web for anything (including paying for stuff) then you are also the product, because your data is being sold on to third parties without your knowledge.

In a way, you probably already knew this. A while back you searched for, say, a digital camera on the John Lewis site. And then you noticed that wherever you went on the web after that John Lewis ads for cameras kept appearing on the site you were visiting. What you were witnessing was the output of a multibillion-dollar industry that operates below the surface of the web. Think of it as the hidden wiring of our networked world. And what it does is track you wherever you go online…

Read on

After Snowden…

[link] Thursday, September 25th, 2014

Watch more videos on

A few months ago I took part in a debate about the implications of the Snowden revelations with Chris Huhne, the former Lib-Dem Cabinet minister, and Sir David Omand, the former Director of GCHQ. Here’s the video of the session.

In a national surveillance state, privacy is seen as “a luxury of the guilty”

[link] Friday, September 19th, 2014

Terrific piece by Andrew O’Hagan on Edward Snowden and Glenn Greenwald in the London Review of Books.


Surveillance in the UK is an implicitly sanctioned habit that has smashed the moral framework of journalism. Protection of sources is not an adornment, not some optional garment worn only when it suits, but a basic necessity in the running of a free press in a fair democracy. Snowden proved that, but not to the satisfaction of Britain’s home affairs establishment, or the police, who like to behave as if all freedoms are optional at the point of delivery. [Alan] Rusbridger recently made the point that source confidentiality is in peril, after the revelation that the Metropolitan Police had spied on the phone records of the political editor of the Sun, Tom Newton Dunn. Snowden might have taught us to expect to be monitored, but his message, that our freedom is being diluted by a manufactured fear of the evil that surveillance ‘protects’ us from, is not being heard. Louder and clearer to many is the message that comes from the security state mind, a suspicion carried on the air like a germ, that certain kinds of journalism, like certain aspects of citizenship, are basically treacherous and a threat to good management. This germ has infected society to such a degree that people don’t notice, they don’t mind, and a great many think it not only permissible but sensible and natural, in a culture of ‘threat’, to imagine that privacy is merely a luxury of the guilty.

And this:

The first thing that amazed me about Julian Assange was how fearful he was – and how right, as it turned out – about the internet being used as a tool to remove our personal freedom. That surprised me, because I’d naively assumed that all hackers and computer nerds were in love with the net. In fact, the smarter ones were suspicious of it and understood all along that it could easily be abused by governments and corporations. The new technology would offer the chance of mass communication and networking like never before, but lurking in all those servers and behind all those cameras was a sinister, surveilling machine of ever growing power. The US government sought omniscience – ‘a system that has as its goal the complete elimination of electronic privacy worldwide’ – and showed by such actions that it considers itself above the prospectus set out in its own constitution. The leaders of the NSA said, ‘collect it all,’ and the people put up with it.

So who still believes that collecting metadata is harmless?

[link] Friday, September 12th, 2014

Interesting snippet in the latest newsletter from the Open Rights Group:

It was revealed last week that the Met police accessed the telephone records of The Sun’s Political Editor, Tom Newton Dunn, using a RIPA request.

The case should end any discussion about whether or not metadata reveals anything personal about us: Newton Dunn’s calls and when and where they were received, were seen as enough to identify a whistleblower, who contacted him over the Plebgate scandal.

Journalistic privilege, protected by the Police and Criminal Evidence Act, was circumvented by the use of RIPA. Newton Dunn was not even aware that his records had been accessed until the Met published their report into the Plebgate affair.

When DRIP was announced, Newton Dunn wrote in The Sun, that the new powers would give MI5 and cops, “crucial access to plotters’ mobile phone records”. UK public authorities use RIPA over 500,000 a year to access private data. The police refused to answer questions as to how many times they have have accessed journalists’ data. When this is happening without our knowledge, we cannot ignore the threat to our civil liberties that data retention poses.

The interesting bit is the fact that the metadata were sufficient to identify a whistleblower. We all knew that, of course, but the official line is still that bulk collection of metadata does not infringe on privacy.

Dave Eggers has seen the future. Well, a possible future anyway…

[link] Monday, September 1st, 2014

Yesterday’s Observer column.

Fifteen months have passed since Edward Snowden began to explain to us how our networked world works. During that time there has been much outrage, shock, horror, etc expressed by the media and the tech industry. So far, so predictable. What is much more puzzling is how relatively relaxed the general public appears to be about all this. In Britain, for example, opinion polling suggests that nearly two thirds of the population think that the kind of surveillance revealed by Snowden is basically OK.

To some extent, the level of public complacency/concern is culturally determined. Citizens of Germany, for example…

Read on

Web services are ‘free’, which is why we’re all in chains

[link] Sunday, August 24th, 2014

This morning’s Observer column.

‘Be careful what you wish for,” runs the adage. “You might just get it.” In the case of the internet, or, at any rate, the world wide web, this is exactly what happened. We wanted exciting services – email, blogging, social networking, image hosting – that were “free”. And we got them. What we also got, but hadn’t bargained for, was deep, intensive and persistent surveillance of everything we do online.

We ought to have known that it would happen. There’s no such thing as a free lunch, after all…

Read on

TOR, Taylor Swift and breaking the Kafkaesque spiral

[link] Friday, August 22nd, 2014


Photo cc

Ever since the Snowden revelations began I’ve been arguing that Kafka is as good a guide to our surveillance crisis as is Orwell. The reason: one of the triggers that prompts the spooks to take an interest in someone is if that person is using serious tools to protect their privacy. It’s like painting a target on your back.

So if you use PGP to encrypt your email, or TOR for anonymous browsing, then you are likely to be seen as someone who warrants more detailed surveillance. After all, if you’ve nothing to hide… etc.

And there’s no way you would know that you had been selected for special treatment. This sounds like a situation that Kafka would recognise.

Until the other day, I couldn’t think of a way out of this vicious cycle. And then I came on reports (e.g. here) that a musician of whom I’d never heard — electronic music artist Aphex Twin — had announced the details of his new album on a site only accessible through Tor.

This resulted in the page attracting 133,000 views in little over 24 hours. This is within the limits of what TOR can currently handle, but Tor’s executive director, Andrew Lewman, worries that a more mainstream artist could break the system in its current state.

“If tomorrow, Taylor Swift said ‘to all my hundreds of millions of fans, go to this [Tor] address’, it would not work well. We’re into the millions now, and we have a few companies saying ‘we want to put Tor as a privacy mode in our premier products, can you handle the scale of 75-100m devices of users’, and right now the answer is no, we can’t. Not daily.”

This sounds like — and is — a problem. But it’s also an opportunity. Because what we need is for encrypted email and anonymous browsing to become the norm so that the spooks can’t argue that only evil people would resort to using such tools.

And here’s where Aphix Twin and Taylor Swift come in. They have the power to kickstart the mainstreaming of TOR — to make it normal. Of course for that to be effective it means that TOR has to be boosted and expanded and securely funded. Just as the big Internet companies have finally realised that they have to chip in and support, for example, the OpenSSL project, so they should now chip in to help build the infrastructure that would enable TOR to become the default was we all did web browsing.

Can Google really keep our email private?

[link] Sunday, June 8th, 2014

This morning’s Observer column.

So Google has decided to provide end-to-end encryption for any of its Gmail users who wants it. One could ask “what took you so long?” but that would be churlish. (Some of us were unkind enough to suspect that the reluctance might have been due to, er, commercial considerations: after all, if Gmail messages are properly encrypted, then Google’s computers can’t read the content in order to decide what ads to display alongside them.) But let us be charitable and thankful for small mercies. The code for the service is out for testing and won’t be made freely available until it’s passed the scrutiny of the geek community, but still it’s a significant moment, for which we have Edward Snowden to thank.

The technology that Google will use is public key encryption, and it’s been around for a long time and publicly available ever since 1991, when Phil Zimmermann created PGP (which stands for pretty good privacy)…

Read on

LATER Email from Cory Doctorow:

Wanted to say that I think it’s a misconception that Goog can’t do targeted ads alongside encrypted email. Google knows an awful lot about Gmail users: location, browsing history, clicking history, search history. It can also derive a lot of information about a given email from the metadata: sending, CC list, and subject line. All of that will give them tons of ways to target advertising to Gmail users – — they’re just subtracting one signal from the overall system through which they make their ad-customization calculations.

So the cost of not being evil is even lower than I had supposed!

This from Business Insider:

Inside the code for Google’s End-to-End email encryption extension for Chrome, there’s a message that should sound very familiar to the NSA: “SSL-added-and-removed-here-;-)”

Followers of this blog will recognise this as quote from a slide leaked by Edward Snowden.


This comes from a slide-deck about the ‘Muscular’ program (who thinks up these daft names?), which allowed Britain’s GCHQ intelligence service and the NSA to pull data directly from Google servers outside of the U.S. The cheeky tone of the slide apparently enraged some Google engineers, which I guess explains why a reference to it resides in the Gmail encryption code.

Yay! Gmail to get end-to-end encryption

[link] Wednesday, June 4th, 2014

This has been a long time coming — properly encrypted Gmail — but it’s very welcome. Here’s the relevant extract from the Google security blog:

Today, we’re adding to that list the alpha version of a new tool. It’s called End-to-End and it’s a Chrome extension intended for users who need additional security beyond what we already provide.

“End-to-end” encryption means data leaving your browser will be encrypted until the message’s intended recipient decrypts it, and that similarly encrypted messages sent to you will remain that way until you decrypt them in your browser.

While end-to-end encryption tools like PGP and GnuPG have been around for a long time, they require a great deal of technical know-how and manual effort to use. To help make this kind of encryption a bit easier, we’re releasing code for a new Chrome extension that uses OpenPGP, an open standard supported by many existing encryption tools.

However, you won’t find the End-to-End extension in the Chrome Web Store quite yet; we’re just sharing the code today so that the community can test and evaluate it, helping us make sure that it’s as secure as it needs to be before people start relying on it. (And we mean it: our Vulnerability Reward Program offers financial awards for finding security bugs in Google code, including End-to-End.)

Once we feel that the extension is ready for primetime, we’ll make it available in the Chrome Web Store, and anyone will be able to use it to send and receive end-to-end encrypted emails through their existing web-based email provider.

We recognize that this sort of encryption will probably only be used for very sensitive messages or by those who need added protection. But we hope that the End-to-End extension will make it quicker and easier for people to get that extra layer of security should they need it.