Tag: Privacy

Categories
Links

Lawful Access Was the Tip of an Already Existant Iceberg

From a National Post article, published in 2012, we get a taste of the governments’ existing surveillance capabilities and activities:

Medical

The intimate information in medical files might include: erectile dysfunction, anti-psychotic medication, HIV tests, addictions, body mass index, the times you sought help because of stress, depression or sexual trauma. Health records can include psychiatric counselling.

And it isn’t just information about the person named on the file. They contain concerns expressed about a spouse’s drinking or infidelity or drug use by their child; the times they vented about their unstable boss.

Aren’t these out of the hands of anyone other than health-care providers?

Ask Sean Bruyea. The Gulf War veteran found his health records, including psychiatric reports, had been passed around by bureaucrats and sent to a Cabinet Minister in an apparent bid to discredit the outspoken critic.

Financial

Financial records are similarly sensitive: how much you earn, how much you donate to charity, which charities you choose, bankruptcy declarations, who you owe money to.

Financial data in government hands include income tax records, pension information, child tax benefits and much more. Anyone who has received a cheque from the government for any reason or ever paid money to the government is now in a database.

Corporate and business registration, federally and provincially, also requires a lot of personal and financial information. Credit card records offer a detailed profile of spending habits. Although privately held, a court order sees them turned over.

“You can find almost anyone and learn an awful lot about them if you have their credit history,” said a former police officer who now works for a provincial government.

There are also the enormous databanks of the Financial Transactions and Reports Analysis Centre of Canada (FinTRAC), a government agency collecting and disclosing information on suspected money laundering and terrorist financing.

Banks, life insurance companies, securities dealers, accountants, casinos, real estate brokers and others who deal with cash are obligated to report the deals or attempted deals under certain circumstances.

“Behaviour is suspicious, not people,” is FinTRAC’s mantra.

Scholastic

Extensive student records exist on most Canadians, including government student loans.

Local school boards and provincial education ministries have recorded your marks, attendance, illnesses, notes from teachers to parents and notes from home to the school. Many jurisdictions are moving to creating a complete, portable account of each student that follows the person from class to class, school to school.

Like head lice in a shared toque, it never goes away.

Policing

Law-enforcement databanks allow officers anywhere to check if a person is dangerous or a fugitive. Databanks such as the Canadian Police Information Centre lists criminal convictions, warrants and other important interactions with police. Also flagged are “emotionally disturbed persons” and those who are HIV-positive.

But there is, increasingly, much more to police databanks, with almost anyone who has a police encounter being entered into one.

It is hard to muster worry that a convicted killer or child molester is flagged in a police computer, but what about you being embedded there for complaining about a noisy party or reporting stolen property?

The PRIME-BC police database contains the names of more than 85% of B.C. residents, according to the B.C. Civil Liberties Association, which warns citizens could be passed up for jobs and volunteer positions because of misleading red flags. In Alberta, TALON, a new, $65-million database, is also raising concerns.

Manitoba, under Mr. Toews when he was the province’s attorney-general, was a trailblazer in recording interaction with young men to note markers of gang activity to help identify and declare them as gang members.

The Toronto-area forces have an enormous, shared combined database.

Federally, also, those convicted of certain offences are ordered to submit their DNA to the DNA databanks, perhaps the ultimate baring of your identity.

Travel

Passport Canada, an agency of Foreign Affairs Canada, keeps a large repository on citizens, including facial-recognition biometrics, those who vouched for your passport application and all trips abroad as well as visa applications.

Canada Border Services Agency keeps track of who is crossing our borders, including where you go and who arrives to visit you.

Recall that thin slip of card for customs you filled out on the airplane when returning to Canada. You wrote your name, address, travelling companions, passport number, where you went, how long you stayed and what you bought.

Those cards — its catalogue of booze and tobacco and all — are kept and can be forwarded to police or other government agencies.

Immigration

The Field Operations Support Systems, used by border and immigration agents, track all immigration-related information.

The Computer Assisted Immigration Processing System tracks every immigration application being processed by overseas offices, including family history, assessment notes, appeals status and concerns raised by citizenship staff.

Both of these large databanks are being consolidated into the Global Case Management System. The consolidation is but one example of the government’s drive of integrating data.

Transportation

Provincial ministries regulating driver’s licences hold a bevy of information, including medical information, address, photograph and its biometric information for facial recognition, driving and vehicle records.

This summer, the Insurance Corporation of British Columbia caused an uproar by offering biometric data from its database to police to help identify participants in the Stanley Cup riot. Critics blasted the potential use of data collected for one purpose for a distinctly different one.

Automatic Licence Plate Recognition (ALPR) creates another powerful tool for surveillance.

Pitched as a way of finding stolen cars and kidnapped children, the technology has appeal, but the portable devices that read hundreds of passing licence plates every minute and runs them through registration databases to attach it to an owner is causing concern.

Scanned pictures can be stamped with GPS co-ordinates, date and time information and stored in a database. It can track cars coming and going from any destination.

In Britain, there have been wide complaints of police using ALPR to stop vehicles coming or going to political protests. Privacy watchdogs in B.C. uncovered that among those automatically targeted by the RCMP’s ALPR included everyone who has gone to court to establish legal custody of a child, all who had a mental health problem that received police attention, and those linked to others under investigation.

Corporate information

Information collected by private corporations also has a way of making it to government.

407 ETR, the privately run electronic toll highway north of Toronto, scans licence plates so the owner can be billed. Police have accessed the data to track vehicles entering and exiting the highway, cross-referencing it and linking it to their investigations.

More widely used is hydro-electricity data. Special legislation in some provinces sees hydro data turned over to government to help identify homes with unusually high usage.

Drawing a lot of power is a marker for running a marijuana grow operation. More than one hothouse cucumber farmer, hot tub or swimming pool owner has been on the wrong end of that information.

Needless to say, that’s a lot of surveillance in a lot of sectors. The range of activities also speaks to why privacy advocates are often jack-of-all-trades (there aren’t a lot of them, so they need to learn a little about a lot) and why there are persistant worries around ‘surveillance creep’, or the gradual expansion of state surveillance capabilities. Sure, a new program may not be all that significant on its own but when combined with everything else authorities can derive previously-impossible-to-realize insights into Canadians’ private lives.

And, let me tell you from experience: getting access to the personal information that is stored about you by various agencies is often an act in futility. Government can learn about you, but it’s often impossible to learn what government has recorded about yourself.

Link: Lawful Access Was the Tip of an Already Existant Iceberg

Categories
Links

This is not surveillance as we know it: the anatomy of Facebook messages

There are a lot of issues related to ‘wiretapping the Internet.’ A post from Privacy International, from 2012, nicely details the amount of metadata and data fields linked with just a Facebook message and the challenges in ‘just’ picking out certain fields from large lists.

As the organization notes:

Fundamentally, the whole of the request to the Facebook page must be read, at which point the type of message is known, and only then can the technology pretend it didn’t see the earlier parts. Whether this information is kept is often dismissed as “technical detail”, but in fact it is the fundamental point.

We should be vary of government harvesting large amounts of data and then promising to dispose of it; while such actions could be performed, initially, once the data is potentially accessible the laws to legitimize its capture, retention, storage, and processing will almost certainly follow.

Categories
Links Writing

Big data: the greater good or invasion of privacy?

Chatterjee has a good, quick, article on the significance of ‘big data.’. Note experts warning that, as a result of massive data aggregation, almost all individuals will have secret or sensitive information about themselves stored, traded, or used in the course of companies’ daily activities. This information isn’t necessarily about anything illegal, but legality is not the sole benchmark for whether humans want others to know things about them: embarrassing, shameful, or similar information that may not break the law could be financially, personally, or emotionally damaging should it be provided to third-parties.

Also, take note of Ohm’s warning that we should slow down and think about what is happening with regard to massive data aggregation and mining; we shouldn’t just commit ourselves to pushing the ‘privacy envelope.’ Headlong rushes and acceptance of novel technical structures that invisibly affect billions, with little clear accountability for corporate data mining practices, is a recipe for constructing futural harms.

Categories
Links Writing

The Internet as a Surveillance State

The Internet is a surveillance state. Whether we admit it to ourselves or not, and whether we like it or not, we’re being tracked all the time. Google tracks us, both on its pages and on other pages it has access to. Facebook does the same; it even tracks non-Facebook users. Apple tracks us on our iPhones and iPads. One reporter used a tool called Collusion to track who was tracking him; 105 companies tracked his Internet use during one 36-hour period.

This is ubiquitous surveillance: All of us being watched, all the time, and that data being stored forever. This is what a surveillance state looks like, and it’s efficient beyond the wildest dreams of George Orwell.

Opinion: The Internet is a surveillance state – CNN.com (via new-aesthetic)

There are a few important things to recognize about Schneier’s argument (which, I don’t think, detract from his overall points):

  1. Surveillance isn’t inherently bad. It speaks to a distribution of power where another party enjoys heightened capabilities resulting from their perception of the surveilled. Surveillance becomes ‘bad’ when the power disequilibrium has harmful moral or empirical consequences.
  2. Again, it isn’t entirely surveillance that’s the ‘problem’ with the Internet; it’s the persistent recollection of information by third-parties, often without the data subject knowing that (a) the data was collected; (b) it was subsequently recalled in an unrelated context; © it was then used to influence interactions with the data subject. These problems have always existed, in some fashion, but we are living in an era where what used to historically have been lost to the ethers of time is being retained in massive databases. The nature of perpetual computational memory – often made worse when errors in retained data spawn in perpetuity across interlinked systems – challenges how humans understand time, history, and subjectivity in very powerful ways.
  3. With regards to (2), this is why Europeans are interested in their so-called ‘Right to Be Forgotten’. And, before thinking that forgetting some data collected vis-a-vis the Internet would lead to the end of the (digital) world, consider that Canadians largely already ‘enjoy’ this right under the consent doctrines of federal privacy law: the ‘net isn’t broken here, at least not yet!

(Note: for more on the consent doctrine as it relates to social media, see our paper on SSRN entitled, “Forgetting, Non-Forgetting and Quasi-Forgetting in Social Networking: Canadian Policy and Corporate Practice”)

Categories
Links

Data Protection Law and Consent

Data protection law has not fallen from the sky. Let me give you an example of this – the overblown discussion on consent.

The current Directive states since 1995 that consent has to be ‘unambiguous’. The Commission thinks it should be ‘explicit’. 27 national Data Protection Authorities agree. This has become a major talking point. What will this mean in practice? That explicit consent will be needed in all circumstances? Hundreds of pop-ups on your screens? Smartphones thrown on the floor in frustration? No. It means none of these things. This is only the scaremongering of certain lobbyists.

Citizens don’t understand the notion of implicit consent. Staying silent is not the same as saying yes.

  • Viviane Reding, Vice-President of the European Commission

The EU’s Data Protection reform: Decision-Time is Now

http://europa.eu/rapid/press-release_SPEECH-13-197_en.htm

(via omalleyprivacy)

Important things to consider when reading about how consent will – somehow – break the Internet. It will force American (and some Canadian!) companies to obey the law or face fines. So be it.

Categories
Quotations

2013.3.10

But documents released by the Electronic Privacy Information Center (and an unredacted version of the same unearthed by CNET) late last week show that the DHS has been doing a lot more with drones in the intervening ten years, including tricking them out with cellphone sniffing equipment, sensors that can distinguish between humans and animals, and technology that tells authorities whether someone on the ground is packing a gun.

Frighteningly, the records also show that the DHS’ Predator drones are ready to be equipped with weapons, although a spokesman for DHS sub-agency Customs, Border Protection (CBP) told CNET’s Declan McCullagh that the drones are currently unarmed. McCullagh reports that the DHS has been loaning its drones to domestic law enforcement agencies with criminal justice missions, “including the FBI, the Secret Service, the Texas Rangers, and local police.” Requests from those agencies are becoming more and more common, he writes:

“[DHS drone] use domestically by other government agencies has become routine enough – and expensive enough – that Homeland Security’s inspector general said (pdf) last year that CBP needs to sign agreements ‘for reimbursement of expenses incurred fulfilling mission requests’.”

The DHS told McCullagh that it isn’t using “signals interception” on its drones – yet – and that “[a]ny potential deployment of such technology in the future would be implemented in full consideration of civil rights, civil liberties, and privacy interests and in a manner consistent with the law and long-standing law enforcement practices.” But if “longstanding law enforcement practices” are any indication of where the DHS is headed, we are in trouble.

That’s because often “long-standing law enforcement practice” has been to get away with whatever it can using the loosest interpretation of the fourth amendment possible, before legislators or courts act to correct the problem (if they ever do).

Kade Crockford, “Drones are coming home to skies near you: feel safer?
Categories
Writing

Don’t Risk Model for Aged, Wealthy, Americans

Data security and communicative privacy matters. The boons of the contemporary computer era has led to people across the world using common services for security, for data processing, and for communications generally despite users’ radically different risk profiles. Few users are savvy enough to engage in code-level audits, fewer to ascertain the validity of improperly issued security certificates, and likely even fewer to guarantee that programs’ and operating systems’ updates are from the actual developers. These are problems – important problems – that need to be directly addressed by developers.

It’s always been morally wrong to be cavalier about your software’s security profile, and to just discount the potential vulnerabilities or bugs linked to your tools. Things aren’t getting better, however, on account of state actors becoming more and more sophisticated in how they target and monitor their citizens’ and residents’ communications. Consequently, the blasé attitude towards security that has (largely) focused on successful engineering over successful security in depth is a larger and larger problem. This attitude, especially when it comes to anti-circumvention and encryption software, is leading to individual users ending up seriously hurt, imprisoned, or dead.

Security is important. Speech is important. And ensuring that secure, private, speech is possible is an increasingly critical issue for parties throughout the world. Developers and companies and individuals ought to take the severity of the consequences of their actions to heart, or risk having very real blood on their hands.

Categories
Videos

“Your entire life is online. Be vigilant.”

Categories
Links Quotations

2013.3.2

At least Britain sort of got it half right. There, to make life easier for stores selling age-restricted items there’s a “Challenge 21″ programme, so anyone looking 21 or under is asked for ID, even if the products are restricted to over-18s. Tesco and other large chain stores championed a “Challenge 25″ programme just in case someone slipped through the net. Finally some idiot in the seaside resort of Blackpool came up with the idea of “Challenge 30″, which is roundly lambasted across Britain.

But at least these outlets demand high-integrity forms of ID such as driving licences. In the US you can show a picture of your dog pasted on the back of a chocolate biscuit and they’re likely to accept it.

That’s because no-one really knows why they are asking for ID in the first place, and no-one up the chain tells them – mainly because they don’t know either. Everyone just goes through the motions. There’s no way to verify the validity of ID, so everyone just plods along with the security theatre.

Simon Davis, “How a dog and some chocolate biscuits reveal an identity crisis in America
Categories
Quotations

2013.2.28

… test version of a data-mining tool in Delta’s offices, and he was surprised by the technology’s power to collect vast amounts of personal information using one start point. Jackson volunteered his Social Security number and watched the tool retrieve his address, the names of his neighbours, his wife’s name, and the date they were married, all from publicly available information. Some of the Delta employees had been test subjects already, and when his own personal information stated popping up for all to see, Jackson joked he’d seen enough. But the demo convinced him that the government had to have this capacity. Not because he wanted it. But because he was afraid he couldn’t do his job without it.

Shane Harris, The Watchers: The Rise of America’s Surveillance State