On Thursday, April 23th, the policy brief: “Mass surveillance: Technology foresight, options for longer term security and privacy improvements” was presented to the Committee on Civil Liberties, Justice and Home Affairs. The speakers, Stefan Schuster (Tecnalia) director of the project, and Patrick de Graaf (Capgemini Consulting), introduced the Commission on this newly developed policy brief and it’s aims. “The purpose of this policy brief is to provide the Members of the European Parliament with technology oriented policy options, regarding the protection of the European Information Society against mass surveillance.”
-. Stefan Schuster (Tecnalia) director of the project:
The first part of the study on mass surveillance focused on examining threats and opportunities proposed by the current network application services.
I can say that the findings of our study have confirmed the fact that national security agencies of a wide number of states are using mass surveillance technologies to gather data on the Internet with the objective to analyse and filter these data in order to find and prevent threats concerning national security issues. The tools used to gather these data are very modern and the development of new technologies operated by the States own task forces is very rapid.
Despite the fact that there exist agreements that should avoid this activities, activists find traces of this practices in most of the states analysed.
When talking about ‘Mass surveillance’, we have to distinguish very clearly between ‘Mass surveillance’ understood as unwarranted and indiscriminate gathering of data and ‘Targeting surveillance’, the legal one, based on legal warranties. Moreover we need to distinguish the types of data that are being gathered:
- Metadata on the one side: Data about Data, which communication channel with which kind of device is communicating. Particularly suited to be analysed by artificial technology to gather additional information.
- Data that is the content on the other hand: (video, text, voice) all of these data are intercepted and gathered on all kind of devices, all of this basically with all currently deployed operating systems.
What can citizens do to avoid this practices?
As a first point: using encryption technology or VPN to encrypt metadata and content. When it comes to metadata the encryption of content hide most of the data but a few data always remain as who is talking to whom.
Moreover users should use Firewalls, antivirus, strong and secret password, and not following suspicious links or mail. Last but not least maintain regularly updates of our softwares. Even dough we apply all this measures it must be clear that there is never a 100% warranty to safe you from a targeted attack, if such a targeted attack comes from a State or large organisations there is virtually no way to prevent this kind targeted attacks.
The tools available for citizens to increase their privacy in the Internet are numerous, covering all areas from disc encryption to e-mail, voice, video or messaging encryption, basically they are available both for fix and mobile devices and for all operating systems.
Which are the policy options derived from this findings?
Firstly, we think that the user awareness needs to be increased (about threats and possibilities). Moreover we need to promote the security best practices, plus the encryption possibility. The fact is that today, the adoption of this security measures, in particularly the encryption, is very low in our society and we have the impression that this may be due the complex usage of this tools, that’s why we ask to invest in the integration of existing and new tools into a set of user-friendly seamless utility-like services that are built into our applications as default settings, and also that default services are being applied to the services we most use (Google, social networks).
-. Patrick de Graaf, Capgemini Consulting:
The second part of the study focuses on technological foresight and the deriving policy options.
Which ones can be seen as generic approaches to protect privacy in short and long run from the perspective of EU citizens?
For European citizens protecting their personal data against surveillance threats is never 100% possible. However there are some basic mechanisms in order to prevent your data being noticed, or better said to keep your data out of sight. This can happen through anonymization technologies as using the Thor browser, or through working in a separate network as an European sub-network or not using computers at all, but this last can not be considered as an option anymore.
The second basic mechanism is to avoid that data are collected. This is mainly a matter of minimizing vulnerabilities in the technologies we use, making sure that the software we are using is securely developed, but also using cloud platforms which are out of reach for those who want to collect data.
Concerning the third and last mechanism: avoid data collected being accessed, we are talking mainly about data encryption, this can be done while data are in transit but also when data are stored on computers or wherever.
We came up with more that 2000 policy options, deriving from more technological developments. So we ordered them in major access categories with two accesses: one is about the level of innovation required and the other access is the level of public intervention required, starting with support and rising awareness.
What we see is that it’s not only the lack of user friendliness but more the laziness of many users itself, which do not want to adopt any measures in order to enhance their privacy. In order to ameliorate this situation and to adopt these measures on a wider scale, we have to pursue a more collective privacy seeking approach.
About the technologies under development right now, there are still large problems to implement them on a large scale, so we need more research to make them practical.
Concerning the most disruptive forecast scenario, most of the policy option in that field tent to lead to what is called “the balkanisation of the Internet”, so we cut a piece of either the governance or the technology itself into pieces with specific European areas where the EU or the Member States can govern.
One of the options is the European Internet Subnet; a technical infrastructure measure that could be put on place.
Concerning the governing level instead is setting up certification schemes in Europe for widely used encryption standards. These days all encryptions standards used widely are proved and certified through a process governed by the US National Institute for Standards and Technology whose main aim is to serve directly the US government and not the world. However the NSA always have to say about certification standard procedures.
Policy option deriving from all of this: The key question is how to reach a new acceptable equilibrium between the interest of the EU citizens, their privacy and the legitimate interest of national security agencies and law enforcement.
As a research team, we felt that at this stage we need to shift the balance more towards protecting EU citizens.
Some options turned out:
Define parameters for data traffic: Protecting people from seeing, or accessing your data, could be possible both for level and data and infrastructure.
European sub Internet: very difficult to reach, and would probably disturb the open economy.
Putting more emphasis on the security on networks especially open source software’s.
End to end encryption is actually one of the few defensive measures, which can stand most of the attacks, that’s why European certification or independent certification schemes could be a good idea.
Individual and collective route to adopt new technologies, we prefer the collective route.
Raising awareness of end users.
Finally during the study we saw some underline patterns that influence the policymaking.
- First Security and Privacy are not completely opposites. They have common interest and overlap. Setting a new equilibrium cannot be guided by technology alone but is actually mostly a political act.
- The distinction between targeted and mass surveillance is also very helpful, it helps to discriminate which kind of technology options will help and which ones will help too much.
Concluding, what we also see is that the public debate is filled by the idea that encryption by itself is a bad idea, but effectively encryption is a main pillar and a very important mechanism to keep the internet a safe place to work in.
Encryption is the thing that forces law enforcement to change from mass to targeted surveillance, because you have to make more effort to access encrypted data.
Lastly, to put it in a wider context, data collection as part of Mass surveillances is actually the business model of the Internet. The growth of Internet is sustained by the gathering of data, mostly by private parties. The discussion about privacy and surveillance is a broad discussion field that impact people in a quite larger part of their life that they may expect.