Surveillance by Design

the a home and

a i but

if you use which relation also so we speak the period of sort of souls assault a so this a different country itself the big difference is dead and her name is right McDonald's french is going to talk about surveillance by design and if you up the think you applause and I and and so the 1st thing that I'll

say if you were in this in the discussion before any don't understand German I will say forget everything that person and Alex just told you the on I'm Reagan I'm originally from Canada I work with an organization called access is an international NGO that defense digital rights abuses around the world and I had up the Brussels work so I've been based in Brussels in the heart of the European Union's sausage making machine so today I want to talk to you about surveillance by design and just a note I know it's a little bit late and I am standing between you and your so I will try to be and as brief as

as possible and and hopefully allow for some some time for discussion and I'm questions and so I will just do a short introduction and then I want to walk you through the foundational

principles surrounds by design and then conclude with what we need and what we can do to make the situation better so

it's quite obvious to say that the explosion in electronic communications has

affected us and continues to affect us in ways that we're still not even yet conscious of but the pace of the change is something that is definitely something to know for example the invention of the mark of modern electronic communications and the telegraph was in 1844 and and the telephone came 3 decades later but the 2nd communications revolution which have in the nineties which is basically the opening of the Internet to commercial traffic the massive laying down a fiber optic cables around the world and the worldwide adoption of mobile phones took place in roughly 10 years it these massive transform transformations basically

happen overnight so laws are not able to keep up with these changes at which is a big part of why we found ourselves in the situation the and then there was you in 2006 Time magazine made you the person of the year it was the dawn of the age

of Web 2 . 0 web 2 . 0 was a new way of interacting with the internet is focused on user power and user-centered design and I was about information sharing social networking

interoperability collaboration and wikis no longer would be individual be a passive consumer but they would also have a part in the production so there buzzwords like the froze Sumer because Web 2 . 0 meant that individuals would be would have both the instead of just being a consumer but when you scratch the surface of on Web 2 . 0 you realize that are

participatory element is not actually measured through user-generated content for our value introducing but actually through the mining and harvesting of our idea so today in 2013 were undergoing another transformation and taking another step forward we have new buzzword such as big data which is the result of the

combination of myriad pieces of information which continue to blur the line between what is personal data and what is public data the Internet of Things where more and more devices are becoming connected to the network from your fridge to your alarm clock to your washing machine by 2020 people have estimated that there will be 100 billion Internet-connected devices the this

emerging digital power grid will be run on cloud computing services this means that the origin of the data being processed and the location in which it is stored might have conflicting laws that govern the protection of that information good when you combine this with the prevalence of mobile technology what this

means is that every minute of every day we are basically hemorrhaging data this also means that it's much easier for 3rd parties to

get access to any and all of that information whether it's companies some we might know like the Facebook's and Google's and others that we don't know like a large data brokers such as axiom or government agencies we have been working for the European Commission has proposed last year a proposal to update the privacy rules in

Europe through a data protection regulations the this law would among several things give individuals much more control over their personal data and encourage accountability and transparency among public and private bodies that control your data

my personal obsession with with in in the the privacy data protection regulation is privacy by design this is a feature In the proposed that in the proposal and is the concept where the government public and private bodies basically bake privacy into the products and services and policies about personal data this is a

very welcome step back when you take a step back and look at the big picture and the where communications infrastructure is built you see that there are flaws in the design of our communications ecosystem and then there are 2 main problems with surveillance by the sign not only does excessive surveillance infringe on our rights and undermine our ability to be able to trust the technology that we have come to depend

on for our day-to-day lives but a communications infrastructure that is built with surveillance as a default in fact undermines our security so that's the introduction and now I want to walk through the 6 foundational principles they are proactive and retroactive policing surveillance as the default

setting to and security 0 sum game opaque and undemocratic policymaking and no respect for user

rights although through them and there will be a quiz later from the so the first one the use of more and more intrusive surveillance techniques by

public bodies has resulted in 2 distinct paradigm shifts in policing proactive and retroactive policing the first one as the collection and storage of data becomes much cheaper and

much easier law enforcement is increasingly prone to collect 1st and ask questions later the Data Retention Directive is a primary example of this it was passed in 2005 and the European Union came into effect in 2006 and basically mandates that all telecommunications information is stored from between 6 months to 2 years depending on the Member States this blanket retention of all of our communications data threatens the

backbone of democratic societies by removing the presumption of innocence and treating us as what would be criminal support maybe suspected criminals the 2nd point is that a little bit of data actually says a lot about In the old

days before the communications revolution law-enforcement could listening to our phone calls or even read are e-mails this often paid a heavy toll on resources for time and money to pay all of these police officers to listen to certain phone calls but with the ubiquity of technology traffic data which is collected under the Data Retention Directive which includes the calls that you make to whom what time and can in fact reveal an awful lot about us our habits and our relationships in many jurisdictions getting access to traffic data is also it also requires much less judicial authorization so is much easier to get at finally behavioral surveillance centralizing surveillance techniques law-enforcement seeks to predict

criminal behavior projects such as in that in the EU which are under way right now and through combining these surveillance techniques and types of data such as face recognition technology traffic data and social networking data + CCTV cameras and even the camera drones we're all increasingly classified as 3 criminals in the eyes of law enforcement it's also when collection and storage of data is the

default this represents another shift because meaning is derived retroactively from this information where before law enforcement would could search for a specific individual or person of interest they would define what's called a schema and apply this to the search terms what happens now is that the schema can be determined after the data has been collected and stored for several years considering various amounts of data that can be collected analyzed and stored for extended periods of time we are increasingly vulnerable to future

crimes in essence it really begs the question how are we to be sure that what is OK today will not be a great tomorrow and will not be used against us In addition to this there increasing tendency is to minimize the accountability of both law enforcement and private bodies which

governments use to access and to get to are information kind of like a proxy of the of of government surveillance many suspicions of civil society were actually recently confirmed when the Electronic Privacy

Information Center are epoch based in DC in discovered that the US Department of Justice has been issuing what's called to 511 letters to AT and T and other large companies that would basically give them legal immunity to carry out surveillance of communications of their networks and that would likely be illegal under US law the yeah ultimately this lack of judicial and ethical oversight over communications surveillance means that that now there is a problem on top of that it is subject to abuse when you actually come down to it who is managing and mining these data centers are actually just humans and

humans a flood creatures the in there as rt several examples of abuse of these databases In Europe or from the Data Retention Directive some law enforcement authorities maybe want to use it to look up an ex girlfriend or to look up an ex-wife or potentially cheating husbands come and this is also apparently a growing problem in Ireland with the Irish Minister

recently urged uh the law-enforcement authorities in Ireland to stop using the police database as what he called the social network the 2nd 1 is

surveillance as the default settings increasingly the products and services that we use every day are modified in order to allow for surveillance which fundamentally weakens the security of the services that we are supposed to depend on the case in point the Communications Assistance for Law Enforcement Act or Collier was a lot of

acronyms in my speech so I apologize and this is a US domestic law and then I I do actually have some US examples but I only say this

because the US in many ways is kind of a standard we have a good or bad in this sense um and it has

the clear has implications for all of us in Canada and the U. since were mostly using US-made products and services and the Collier mandates that all telecommunications carriers and manufacturers of equipment have to modify and designed this equipment facilities and the services to ensure that they have built in surveillance capabilities so basically all of the products are made with backdoors in them was worse his that there have been discussions in the United States about expanding the scope of Collier to a clear to 2 which would actually include large service providers like google a Twitter or Facebook to have them build in real-time wiretapping capabilities and and have them suffer large fines if they do not comply with these wire to wire tapping and requests the so we're halfway through the

principle number 3 when we were already starting at a point of insecurity by using products that are but with back doors this makes this much more vulnerable to attacks such as malicious software and other surveillance techniques that are easily set loose on us often by our own governments the 1st example of this is deep packet inspection or DPI deep packet inspection is a

filtering technique that examines the contents of data packages that are transmitted across the network and this is a tool commonly used for traffic management so to clean up viruses and spam etc. but

it can also be tweaked as a tool to spy and surveillance citizens in this for instance was 1 of the pillars of and the Tunisian and then alleys regime which they use to you to spy on citizens but also to even a modified e-mails another toy frequently used by dictatorships and democracies alike is malicious software or malware these types of software can be used uh for a number of things to disrupt computer operations gather sensitive information or just gain full access to an end user's computer In 2011 and the Chaos Computer Club in Germany has actually has an alleged that the German law enforcement authorities were actually deploying Trojans on their population the so called industry Jana from thing a about that from has and this is government design software and that is made to intercept voice over IP so on Skype for example and but the software's functionality extends far beyond that includes even by keystroke logging and having access to to web cams much of the

discourse around surveillance lies or national security or terrorism etc. is

often mistakenly framed in terms of privacy versus security this concept that we have to lose 1 in order to gain the other and this is highly flawed approach create a kind of lose-lose situation for us for citizens where were actually left in the end with neither privacy nor security and the ultimate sum is 0 a perfect example of this this is a canadian

everyone said that Canadians are nice but that 1 is not true the how could that dictates he the Public Safety Minister in Canada and the

justification for intrusive surveillance laws often kind of blurred these lines between them and terrorism national security whether it's fighting paedophiles serious crime or just crime and the problem and propose solution and the scope of the measures are very are are left unanswered and in Canada there was a so-called lawful interception bill that has been proposed in the government since 2009 call Bill SE 30 or about protecting children from Internet predators act a very controversial bill in Canada this would have basically given Canadian law enforcement authorities and warrantless access to what the user information including IP address search history I everything and the bill was luckily struck down from because there were huge protests from citizens and you know not only because the government was calling the warrantless surveillance lawful access which is a big problem and but also because it came with an accompanying report which revealed that the scope of the bill would have went far beyond paedophiles and would have included terrorism national security and even a vague term called low-level violence I have no idea what that means in canadian speak through it could be anything so this is fine is that with the

zero-sum approach where privacy and security are pinned 1 again against 1 another this is what it allows a lot of questions to go unanswered and this is particularly the case for civil liberties issues many laws are therefore able to kind of flip through the democratic process with very little public discourse and and care for the actual impacts of such surrounds measures the again I say will see 30 in Canada it never once sought

consultation from the federal nor any of the the provincial data protection authorities not to mention any academics were

anyone from civil society these laws are often propose during times of crisis or immediately after some terrible tragedy and which means that the potential collateral

damage is often ignored some of the most intrusive surveillance bills have passed in this way we all know about following and 911 in the US was the patriot act but also in Europe and the Data Retention Directive and which basically followed very closely after the London and Madrid bombings in 2004 now I have been working in Brussels for the past few years and focusing on vessels policy and the Data Retention Directive passed from 2005 to 2006 which to me is 1 of the fastest directives that has ever made it through that complex bureaucratic system and what's worse to this day the European Commission has still not been able to provide any real evidence to show the necessity or proportionality of data retention so when the debate for lack

thereof is framed in these terms laws enabling greater surveillance paths such as the Data Retention Directive there are however a number of basic human rights and civil liberties that are infringed or which among other things actually greatly reduces the ability of citizens to 1 be aware of the surveillance laws and to to uh and challenge them these laws are rarely given back once the rights are taken away they're very seldomly given back to us so here a number of some of the civil liberties implications 1 of the example is the right to access information a very dangerous standard for upsetting

standard was recently set in the United States by the supreme court of justice in a case called copper versus amnesty basically in the US Under the Bush administration and the National Security Agency and was 1 of the wire tapping its own citizens Amnesty

International had strong suspicions for a long time and perhaps rightfully so that they might have been kind of wrapped up into this warrantless surveillance they were worrying and that they have they might have been implicated so by asking for more information the supreme court actually finally ruled in this case that the international human rights group actually had no standing to challenge the program to challenge the NSA basically because they couldn't actually prove that they were being attacked for availed by a secretive and illegal wiretapping program this is exactly the kind of example that I mean when I say that surveillance by designing pulls at the fabric of our societies because it undermines in undermines the trust that we have not only in the services in the products that we use but in our own democracies more and more were dependent on these communication technologies and it's almost like what were getting accustomed to the surveillance was were getting accustomed to not trust the services that we use for example a recent study showed that 71 per cent of Facebook users which now has 1 . 1 billion active users self-censor themselves on the social network because they have basically no idea what how much and who has access to their personal information is this acceptable so

absolutely not the Internet is 1 of the most fantastic tools that can give us so much potential for liberation but it has an equal potential to unravel are free and democratic societies what we have to do is make sure that we are creating digital societies where the technology actually works for us and not against us so

how do we do that I think is the hard part

we need 4 things basically helping the public discourse research and fact-based

policy making transparency and more targeted and accountable solutions for law enforcement the so the first one public public discourse the backbone of any

sound policy-making rests upon open consultation with all relevant stakeholders it

also depends upon credible research proving facts and of course well-defined problems and solutions these measures that would or could warrant and communications surveillance must focus 1st on the actual effect to see whether or not this measure or this law would actually work or be of real benefit to law enforcement before we even get into the civil rights issues and there's always international standards and national laws international covenant on civil and political rights Universal Declaration of Human Rights and in Europe the Charter of Fundamental Rights just to name a few standards the 2nd means transparency as a basic rule companies and governments must be transparent about requests for user data and surveillance that they are mandated some companies already

do produce regular transparency reports like Google or Twitter and drop cloths and Microsoft recently started and a few others but this has to become the norm states as well must be transparent about the use and scope of communication surveillance this includes publishing these reports on an annual basis with aggregate numbers of request and how law enforcement authorities are conforming with domestic and international laws

increasingly privacy is power so if the Government must watch fast then we should watch the

government to this is already an interesting experiment that's happening

in some states in the United States through and this experiment they have asked law-enforcement to start wearing lifelogging technologies or tiny cameras both on the person and on the cases which is the weapon of choice for most police officers and the video footage is actually accessible to the public to anyone who wants to see it the results of this kind of 2 ways

surveillance actually show that benefit that that has benefited the relationship between the police and the citizenry it's kind of like leveling the playing field the 3rd 1 instead of

putting an entire citizenry under full-scale surveillance other techniques are possible and in fact have shown here the ability to meet the needs of law enforcement without grossly undermining our rights for instance data preservation instead of blanket retention most telecoms actually do end up storing some information for a few months and then deleted In fact in the

Commission's attempts to justify the Data Retention Directive the examples of when retain data was useful to them they were actually citing mostly information that was would not retained under the Data Retention Directive but retained by telcos for another reason 2nd 1 is data minimization this is also a basic principle that's in uh the Data

Protection Regulation for companies and bodies and public bodies that collect information they should only collect what is absolutely necessary and

for very specific purposes this sounds like a very simple concept but currently this is not how uh public and private bodies or functioning the 3rd 1 is to delete data

just deleted this should be standard operating practice for companies and then

given the fact of the risk that companies incurred by automatically collecting data for you know the which they don't have much use is actually causes risks for them because the the frequency of high profile data breaches is actually an an increasingly large problem both monetarily and fervor public relations image not to mention for individuals and consumers so what

can you do until we can fully change the way that electronic surveillance is regulated in the long term there are some practical solutions that you can adopt now the 1st is to be vigilant and take control part of our

responsibilities as citizens living in a technologically ubiquitous environments is that we have to ensure that we ourselves are aware of the risks and the problems that we have in depending on

communications 2nd 1 is using privacy-enhancing technologies I don't have time to go into all these but I'm happy to talk after hen I can direct you to and 2 more resources but there are ways to browse the Internet anonymously to use off-the-record messaging and monophone and on on messaging and as well to encryptor e-mails a friend once told me that the Internet is kind of dirty and it's you wanna think about it like wearing a condom you don't wanna go there back on the internet you need to protect yourself from and these are some of the highest this and perhaps should the 2nd

1 yeah get in ball

Purdue that don't so dear um was here and I saw keynote and I was about participatory democracy and the importance of of getting involved and speaking out to politicians are even becoming a politician like she did and she kind of summarize it perfectly we need less trolling and more collaboration and I think that's exactly exactly right and

access my organization and a handful of other uh European digital rights groups have joined a

coalition and to protect the Data Protection Regulation the 1 of the other things you can do is actually get involved you can and right now during the fight to protect your privacy in the European Union and we set up the site and its citizens . you and today and the next few days we actually have postcards naked postcards that you can send your representative so this is a 2 benefits and 1 you will be helping you to get involved and to protect the fundamental right to privacy and data protection but then also you get disseminated picture to an entity whose which is kind of exciting so this is so this box here and is where you can fill in you have 2 options you can you write your own or there's already 3 written texts and you can just sign and what you do is after we will send it we will balance and into the parliament ourselves so you want filet in and put into that white box and the people that are doing this art myself I will have lots of postcards and there's also some other people there you should the delegates us up and that the freedom and also Kirsten who is speaking before me and planted I think you know

uh thank you thank you and the history of the 1st questions so no questions really you all of you and this is what will be on stage these you will enjoy the body of work going from that so 1 of the books questions

all if there are no questions that support various years more it

might be the