Data is not harmless – a websummit takeaway
”know that every border you cross, every purchase you make, every call you dial, every cell phone tower you pass, friend you keep, site you visit and the subject line you type; is in the hands of a system, whose reach is unlimited, but whose safeguards are not.” – #citizen4
As always, during one of the world’s greatest tech conferences, WebSummit swarmed with great ideas, revelations, as well as networking opportunities. While most of those learned lessons have not changed, some of my perspectives did. Exploring dozens of topics and talks, I’ve noticed a more pronounced accent on what is data, how does it affect us and where the industry is headed when focusing on data protection.
One of the ideas though, has remained deeply rooted in my brain: “Data isn’t harmless […] when it’s about people” – an idea planted during what I’d call, the summit of the 2019’s WebSummit.
That talk was held by Edward Joseph Snowden, a person that has been qualified as a horrific villain by some, and is considered a democracy knight by others. I must confess, since 2013 I’ve been a bit of a “Snowden” fanboy, but in this piece, I’ll leave my preconceptions aside and try to be as subjective as possible.
While others might debate his nature, I would consider taking a look at a self-portrait, rather than appealing to assumptions: “My family worked for the government, I was going to work for the government; so when you come from a certain kind of background, you’re a certain kind of guy. You’re not that exciting, but you believe in the importance of rules, and on the first day you work at the CIA, you have to take, what they call, an oath of service: it’s a very solemn vow in a dark room, flags all over the place, with everybody else that’s entering government service, and here, you have to swear an oath: to support defend, not the agency – not a secret; not even a president, but the Constitution of your country, against all enemies: foreign and domestic.”
This is how Snowden introduced his background at the event, and to be frank, I see this description as a good start when attempting any judgement that tries to depict his persona. At first sight, Snowden is neither a hero, nor a villain, but rather a public servant defending constitutional rights – it might be a quick judgement, but it serves the scope. After all, IMHO “Who is E. J. Snowden?” should not be the main debate here – I’d rather look into the data collection practices we’re all responsible for.
The “Permanent Record Systems”
Data has been collected for decades, primarily to enable a better prediction of customer behaviour. Most of us assumed it is a safe practice, we used to trust our providers since we’ve been quite confident: our favourite shampoo, socks, razor blade or soap producer, would only use something we call metadata – details related to intervals of purchase, generic preferences as well as age, sex or location.
This habit was designed as a quid-pro-quo, a solution that would help our providers to better address our needs whenever we required fulfilment. Once the WEB 2.0 kicked in, we started providing more than metadata, in fact, we began cloning our personas to those appealing digital worlds.
Instead of razors, socks and soaps, we (the people) became a mere commodity. To make matters worse, we’ve pointed everyone’s attention to our lives thinking no one else is looking. We thought our profiles don’t matter enough to become the subject of a surveillance conspiracy theory – alas, this one happened to be true.
“The thing that chilled me, is that intelligence collection and surveillance, more broadly, was happening in an entirely different way. It was no longer the targeted surveillance of the past, where the police or spies went with: «We have this person, that we suspect is up to no good, and so we’re going to sneak into their home, or their office, we’re going to plant a bug, we’re going to go to the phone company and we’re going to tap their specific line. We’re going to listen to a link that they talk to bad guys…» Instead, they begin watching everyone, everywhere, all the time, saving as much information as they could, even from people who had done nothing wrong; even from people who are not suspected of doing something wrong; simply because it could eventually be useful, or maybe they wouldn’t get a chance to catch it later, so they would prospectively begin surveilling people before they had broken the law.
This is what I call: the creation of «the new permanent record systems» – that did this all the time, in the background, and nobody in a position of power tried to stop it; because it benefited them – This brings us to the Democratic problem: the law didn’t matter, the courts didn’t matter, your rights didn’t matter”.
Considering this background, E. J. Snowden urged the tech industries to challenge their data collection habits, outlining that our current privacy measures are simply not enough. The expected progress in this area has been little, if not insignificant, especially following-up on his 2013 revelations: “Whether we’re talking about Facebook or the NSA, that is the real problem — we have legalised the abuse of the person through the personal. We have entrenched a system that makes the population vulnerable for the benefit of the privileged. What do you do when the most powerful institutions in society have become the least accountable to society? I think that’s the question that our existing generation is to answer.”
For instance, it is still a wonder how data collection processes, performed by companies like Google, Amazon, Apple or Facebook remain legal, despite recent scandals that proved obvious abuses. Listening in on private conversations through their smart devices, peeking into your private calls performed through their messaging apps, hiring people to analyse and qualify private conversations for the benefit of the AI – all of these actions were performed without consent, exposing private information.
As yet another turn of the screw, positive concepts like ”sharing economy” made their way into tech via rental and ride-hailing startups, exposing even more private data to an unregulated medium that promotes the “permanent record” paradigm:
“My generation, particularly the generation after me; they no longer own anything, they are increasingly not allowed to own anything. You use these services and they create a permanent record of everything you’ve done. Simply by having your phone in this room, on you, in your pocket; not even using it, but simply having it turned on, registers your presence at this event, because your phone’s association with the Wi-Fi points that surround it, your phone’s association with the cellular towers that are around it – and this is the thing that people miss.
All of these companies, all of these governments, go on data collection, data protection, as it’s all very abstract; but data isn’t harmless – data isn’t abstract when it’s about people; it is not data that is being exploited: it is people that are being exploited. It is not data and networks that are being influenced and manipulated: it is you that is being manipulated.”
”General Data Protection Regulation” – a paper Tiger
Being queried about his expectations from the tech community, particularly about his position on the GRDP, E.J. Snowden had to say the following: “The mistake is actually in the name: the «General Data Protection Regulation» – it misplaces the problem. The problem isn’t data protection; the problem is data collection!
Regulating the protection of data presumes that the collection of data, in the first place, was proper; that it was appropriate; that it doesn’t represent a threat or a danger; that it’s okay to spy on everybody, all the time, whether they’re your customers or whether they’re your citizens – so long as it never leaks, so long as only you are in control […] I would say: not only is that incorrect, but if we learned anything from 2013, it’s that eventually, everything leaks.”
Don’t get me wrong though: (GDPR) is a good first effort, it’s low bar (I mean they have raised it that far and that is meaningful); but what I’m saying is that: it’s not a solution, it’s not the good internet that we want; because even though the GDPR does propose 4% of global revenue fines, for Internet giants today, those fines don’t exist. Until we see those fines being applied every single year to the Internet giants, until they’ve reformed their behaviour and until they begin complying, not just with the letter, but with the spirit of the law, it is a paper tiger, and I think that actually gives us a false sense of reassurance.”
From his perspective, despite being a step in the right-ish direction, GDPR might not be enough. We’re in too deep and the trust game has changed.
Trusting your provider no longer works
In view of our current digital environment, what is private is no longer defined by how much you trust an app, a service or a provider. Opposing traditional practices (asking customers to trust you), companies should be more open about where communication snaps may occur, and how users should protect themselves: “If you have to trust Cisco or Juniper or Huawei or Nokia, we have a problem because you can’t trust any of them. They will all act in their own interest, rather than the public’s interest broadly, whether it’s a private company or a national telecommunications company. […] Rather than asking people to trust you, rather than asking them to trust your service, as all of your alien competitors, show them why they don’t have to trust you. Have them acknowledge: all of the intermediaries between you and the people that you’re talking to, are not in control of you, they do not understand your content is private to them. The only people you have to trust are the people that you’re talking to, the people on the ends of the communication.” – Stated Snowden.
All of this makes sense. Taking into account the ever-growing tendency to “encrypt everything” and to deploy zero-trust approaches in service delivery, we’re headed in the right direction, but this might not be enough. We’re at the beginning of a long way and paving it will employ everyone. Providers should be held accountable, software designers must adopt a “security first” approach and the public should understand: “everything eventually leaks” – so, maybe that “which celebrity you’re alike” facebook game does not worth exposing your private information.
Snowden concluded better than anyone else could, so instead of closing this piece, I’ll leave his words to do the trick: “Technology is not the only thing that can protect you. We are the only thing that can protect us and the only way to protect anyone is to protect everyone. Thank you, and stay free.”