Public Feeling on Privacy, Security and Surveillance...A Report by DATA‐PSST and DCSS Need for...
Public Feeling on Privacy, Security and Surveillance
A Report by DATA‐PSST and DCSS
November 2015
Contributors
Vian Bakir, Bangor University, Network for the Study of Media and Persuasive Communication (MPC), ESRC Seminar Series: Debating & Assessing Transparency Arrangements ‐ Privacy, Security, Surveillance, Trust (DATA‐PSST!)
Jonathan Cable, Cardiff University, ESRC Digital Citizenship and Surveillance Society Project (DCSS)
Lina Dencik, Cardiff University, ESRC Digital Citizenship and Surveillance Society Project (DCSS)
Arne Hintz, Cardiff University, ESRC Digital Citizenship and Surveillance Society Project (DCSS)
Andrew McStay, Bangor University, Network for the Study of Media and Persuasive Communication (MPC), ESRC Seminar Series: Debating & Assessing Transparency Arrangements ‐ Privacy, Security, Surveillance, Trust (DATA‐PSST!)
Contents
Need for Report
Studies Consulted
Observations
Recommendations
Digital Citizenship and Surveillance Society (DCSS) Study: Quantitative Findings
Digital Citizenship and Surveillance Society (DCSS) Study: Qualitative findings
Surveillance, Privacy and Security (SurPRISE) Study
SurPRISE: UK National Report
Public Perceptions of Privacy from the Advertising Industry
If People Could Mitigate State Surveillance, Would They, & What Would They Do?
Observations and Recommendations
References
Appendix 1. Polls Studied by DCSS
Appendix 2. SurPRISE Results
Need for Report
Edward Snowden’s revelations in June 2013 prompted major debates around the topics of privacy, national security, and mass digital surveillance. Within these debates, the British government and its intelligence agencies regularly invoke British public opinion as:
a) desiring greater security, and;
b) probably being prepared to give up privacy to enhance security.
For instance:
- ‘we do not subscribe to the point of view that it is acceptable to let some terrorist attacks happen in order to uphold the individual right to privacy—nor do we believe that the vast majority of the British public would’ (Intelligence and Security Committee, Privacy and Security: A Modern and Transparent Legal Framework. House of Commons [12 March]. 2015: 36).
- ‘To those of us who have to tackle the depressing end of human behaviour on the internet, it can seem that some technology companies are in denial about its misuse. I suspect most ordinary users of the internet are ahead of them: they have strong views on the ethics of companies, whether on taxation, child protection or privacy; they do not want the media platforms they use with their friends and families to facilitate murder or child abuse. They know the internet grew out of the values of western democracy, not vice versa. I think those customers would be comfortable with a better, more sustainable relationship between the agencies and the technology companies.’ (Robert Hannigan, Director of GCHQ, The Financial Times, Nov. 2014, arguing that tech firms need to help security services monitor the internet)
Others recognise that while the public want more security, they don’t want to sacrifice their privacy:
- ‘There is a dilemma because the general public, politicians and technology companies, to some extent, want us to be able to monitor the activities of terrorists and other evil‐doers but they don’t want their own activities to be open to any such monitoring.’ (Sir John Sawers, ex‐Director of Secret Intelligence Service (MI6) The Telegraph, January 2015)
However, what does the public actually think on privacy, security, and the Snowden leaks? Is the public prepared to give up privacy for security?
Studies Consulted
To answer these questions, this report draws on the following studies:
‐ The ongoing Digital Citizenship and Surveillance Society Project (DCSS) at Cardiff University into UK public opinion on the Snowden leaks, comprising analysis of opinion polls and in‐depth focus groups with different demographics of the public in England and Wales.
‐ The published in‐depth, participatory study, Surveillance, Privacy and Security (SurPRISE), of 2000 citizens from nine European countries (Austria, Denmark, Germany, Hungary, Italy, Norway, Spain, Switzerland and United Kingdom) on attitudes towards surveillance‐oriented security technologies and privacy (Pavone et al. 2015). This study involved large citizen summits conducted in 2014 to generate quantitative data and to explore public views on these complex matters in much more depth than opinion polls can deliver. Part of this project comprises a UK country study (Ball et al. 2015). These studies focused on three security‐oriented surveillance technologies:
(a) Smart Closed Circuit Television. This features digital cameras which are linked together in a system that has the potential to recognise people’s faces, analyse their behaviour and detect objects.
(b) Deep packet inspection. This detects and shapes how messages travel on a network. It opens and analyses messages as they travel, identifying those that may pose particular risks.
(c) Smartphone location tracking. This analyses location data from a mobile phone, to glean information about the location and movements of the phone user over a period of time.
NB UK participants were not asked to consider (c).
‐ Published advertising industry studies (opinion polls) on privacy and commercial surveillance.
Synthesising these studies, we provide the following observations and recommendations.
Observations
1. Unlike the UK government, the British public sees bulk data collection as constituting mass surveillance.
2. The topics of UK state surveillance of digital communications and online privacy matter to the British, and wider EU public. This is confirmed by opinion poll data since 2013 and in‐depth studies.
3. The EU and UK public think some surveillance technologies are useful/effective for combating national security threats, and should be used, but acceptability varies according to whether the surveillance is of communications or bodies, and blanket or targeted. Surveillance of physical bodies (smart CCTV) and targeted surveillance of digital communications (smartphone location tracking) are more accepted than blanket surveillance of digital communications (deep packet inspection).
4. The EU and UK public think that although certain surveillance technologies are useful/effective for combating national security threats, they compromise human rights and are abused by security agencies. These concerns especially apply to deep packet inspection.
5. In the UK, those under 60 see UK state surveillance of digital communications as going too far, and an infringement upon the right to privacy. Over 60s do not. This finding is echoed by EU‐wide studies.
6. In the UK, it is younger people & ethnic minorities who are most concerned about lack of transparency & consent when it comes to state surveillance of digital communications.
7. There are identifiable criteria for what makes security‐oriented surveillance technologies acceptable for EU publics. Targeted rather than blanket surveillance is preferred, as are clear communications to citizens about what is going on, with strong regulatory oversight.
8. All age groups in the UK, especially those over 55, are strongly concerned about commercial surveillance, and increasingly take concrete steps to defend against intrusive behaviour by advertising companies. This suggests that if people could do more about state surveillance, they would.
9. There are a range of tools and behaviour change open to people to defend against state surveillance.
Recommendations
1. Given Observation 1, the UK government has more work to do if it wants to persuade the British public that Bulk Data Collection is different to mass digital surveillance.
2. Given Observation 2, the UK government should take into consideration public views on digital surveillance and privacy.
3. Given Observation 3, the UK government has a public mandate to use some surveillance technologies for combating national security threats. However this mandate is much weaker for blanket surveillance of digital communications (deep packet inspection) than more targeted surveillance of digital communications (smartphone location tracking) or surveillance of physical bodies (Smart CCTV).
4. Observation 4 shows that the UK government has more work to do if it wants to persuade the British public that its security agencies do not abuse their surveillance powers, especially concerning deep packet inspection. Observations 5 and 6 show that the least persuaded are those under 60 and ethnic minorities.
5. Given observation 7, governments seeking a popular mandate for digital surveillance should ensure that such surveillance is targeted rather than blanket, accompanied by strong regulatory oversight and clear communications to citizens about what is going on.
6. Given public concerns over blanket digital surveillance, observation 8 which shows people taking increasing action against commercial digital surveillance, and observation 9 which shows that there are things people can use and do to mitigate state surveillance, this suggests that unless the UK government provides a digital surveillance architecture that is acceptable to its people, it is quite possible that people will refuse this surveillance.
Digital Citizenship and Surveillance Society (DCSS) Study: Quantitative Findings
Edward Snowden’s revelations in June 2013 prompted major debates around the topics of privacy, national security, and mass surveillance. The evidence for this is that there have been approximately 40 UK public opinion polls on these subjects since June 2013. The results of these polls detail the level of concern within the population of the UK. Overall, we see an increase in concerns with online privacy since the revelations, and particularly amongst younger people there are also substantial concerns with levels of interception and existing surveillance powers of the state. In particular, issues regarding lack of transparency over what and how data is collected as well as the nature and level of public consent are prominent amongst the British public. This section provides a brief overview of some of these findings.
Importance of the Topic of Surveillance
There is a general sense that the topic of state surveillance matters to the British public. This is evidenced by public opinion of what Snowden did. From June 2013 to November 2013 there were 4 YouGov polls which asked the question “Do you think Mr Snowden was right or wrong to give this information to the press?” In all 4 of the polls a majority of the British public said Snowden was ‘right’ to do what he did (See YouGov polls 13/06/13, 14/06/13, 28/08/13 and 05/11/13). Taken together the 4 poll results average out to 49% thought Snowden was ‘right’ to do what he did, compared to 32% who believed Snowden was ‘wrong’ to leak the documents to the press.
The importance of this issue to the general public can also be seen in an Angus Reid Global poll from October 2013 which asked ‘Overall, how important do you yourself consider this whole issue of government surveillance of the public’s internet communications to be’? By a large majority 82% of respondents felt that this issue was either ‘very’ or ‘quite important’, and only 17% responded ‘not that important’ or ‘not important at all’.
Concerns Over Privacy
Similarly, the level of public concern about online privacy is reflected in the yearly TRUSTe Privacy Index conducted by Ipsos‐MORI. Each year the public is asked “How often do you worry about your privacy online?” In 2014 the total amount of people who worried either ‘sometimes’, ‘frequently’ or ‘always’ was 89%. In 2015 in answer to the same question the proportion of people who worried about their online privacy had risen to 92%. The public were also asked in 2014 if they were more worried about their online privacy than a year ago, and given that this particular poll was carried out one year after the Snowden revelations the result is quite telling. A total of 60% of the British public felt more worried about their online privacy than a year ago. The poll enquired about what the public’s main concerns were online. This included concerns such as businesses sharing personal information, and companies tracking online behaviour. In both 2014 and 2015 20% of people cited government surveillance as one of their top causes for concern.
Also, when the public was asked specifically about the privacy of online and mobile data by Ipsos Mori in May 2014 they saw this being either ‘essential’ or ‘important’ by a very large margin. The results broke down as: the privacy of internet browsing records – essential/important 85%, not important 12%; content of emails – essential/important 91%, not important 6%; mobile phone location – essential/important 79%, not important 18%.
Concerns Over State Powers
Concerns over the levels of powers granted to state agencies are often framed along the lines of privacy vs. security. As outlined below, opinion polls show greater support for increased surveillance powers at the expense of privacy amongst older generations, particularly the 60+. All other age groups show a greater concern with surveillance as an infringement upon the right to privacy. The common thread running through these polls is the question of whether or not the security services should be allowed to intercept, store, and analyse digital data. The polls detailed below cover June 2013 to March 2015. (For the full statistics please see Appendix 1.) This demonstrates that the public’s concern is not abating as time moves on from the Snowden revelations.
The first such poll of the post‐Snowden era was published in June 2013 by YouGov. They asked if the security services should be given the powers to access the public’s data such as web browsing, email and social media activities held by mobile phone companies and internet service providers. The question does however make it clear that this does not mean the content of social media and emails. That said, the proportion of people who said this would ‘go too far’ was 43% vs 38% who believed it was a ‘good idea’.
The divide between the age groups is clear. The three categories between 18 and 59 came out in the majority stating this proposal went ‘too far’, and only the 60+ thought it was a ‘good idea’. There were subsequent variations of this question in other polls but the proportions of people for and against remained consistently opposed to bulk data collection by the security services. The YouGov poll from October 2013 for instance asked whether the security services “should or should not be allowed to store the details (but not the actual contents) of ordinary people's communications”. The topline results were 38% said they ‘should be allowed’, but the majority 46% said they ‘should not’. In this instance every single age group came out against this data collection.
When YouGov repeated the question and answer options from the June 2013 poll in July 2014 the results were almost identical one year on. Overall 41% of people thought that granting the security services access to personal data went ‘too far’, and 37% believed this would be a ‘good idea’. The spread of opinion across the age groups remained the same as the June 2013 poll. All three age ranges between 18 and 59 stated this power ‘goes too far’ and only the 60+ category came out in majority for ‘is a good idea’.
Concerns Over ‘Bulk’ Data Collection
The second part of the polling data orientated around the clandestine nature of the interception of personal data. Following the Edward Snowden revelation in August 2013 that GCHQ had been accessing fibre optic communications cables in secret to capture and store peoples’ data regardless of any wrongdoing YouGov asked the public whether or not they thought this was right or wrong. The overall results of the poll showed a public relatively evenly divided where 41% said what GCHQ did was ‘right’, compared with 45% who said that this was ‘wrong’. It is in the age differences where a real divide showed itself. Only 24% of 18‐24 year olds thought that this was ‘right’ compared to 39% 25‐39 year olds, 43% 40‐59, and 46% 60+. The 60+ age group was again the only segment which came out in the majority for ‘it is right’.
In March 2015 YouGov asked the British public if GCHQ did have the resources and capability to intercept/collect the internet‐based communications of everyone could they be trusted not to abuse this ability? A majority of 42% came out in favour of ‘no’ compared to 34% who said ‘yes’ they could trust GCHQ. Similarly, YouGov conducted a poll on behalf of Amnesty International where the public were asked if they thought that their government should or should not intercept, store and analyse internet use and mobile phone communications of all citizens living in the country. The majority of the British public again came out on the side of ‘should not intercept’ 44% versus ‘should intercept’ 36%.
What is clear from the opinion poll results is that the total figures are heavily influenced by the 60+ age bracket. Their lack of concern with privacy is not shared by younger age groups. These polls also demonstrate that blanket mass collection of communications data is of real concern to vast sections of the population.
Digital Citizenship and Surveillance Society (DCSS) Study: Qualitative findings
In addition to analysing opinion polls, the DCSS project conducted a series of focus groups with different demographics of the public in England and Wales.
Younger People & Ethnic Minorities are most Concerned about Lack of Transparency & Consent
The results of these focus groups support data from opinion polls regarding concerns with online privacy and state powers, but particularly highlight concerns with a lack of transparency regarding the collection and use of data, as well as concerns with an absence of obtaining public consent. These concerns are more prominent amongst some demographics, relating to both age as well as ethnic background with minorities expressing greater concern.
Bulk Data Collection constitutes Surveillance
DCSS’ focus groups explored definitions of surveillance, including the collection of metadata. UK intelligence agencies present their surveillance of digital communications as ‘bulk data collection’. Rejecting the term “surveillance”, intelligence agencies state that rather than conducting blanket searches, as implied by press accounts of ‘indiscriminate’ or ‘drag‐net’ surveillance, they only search for specific information (ISC 2015). The UK’s intelligence oversight committee concludes that such ‘bulk data collection’ does not constitute mass surveillance since British intelligence agencies do not have ‘the resources, the technical capability, or the desire to intercept every communication of British citizens, or of the internet as a whole’ (ISC 2015: 2). However, the general consensus from DCSS’ focus groups was that the collection of metadata is seen as surveillance. The reasons given by members of the public centred around ideas such as giving consent for data collection, personal ownership of data, questions around why this data would need to be collected, the lack of anonymity and the ability to be identified by the collection of metadata.
Public Resignation, rather than Apathy or Consent, over State Surveillance
Overall, DCSS’ focus groups highlighted a prominent concern with the collection of online data by a number of different actors, but also a lack of understanding or sense that it is possible to do much about it. In that sense, focus groups results indicate that state surveillance is being carried out on the basis of public resignation rather than apathy or consent.
Surveillance, Privacy and Security (SurPRISE) Study
An in‐depth, participatory study, ‘SurPRISE’, of 2000 citizens conducted across the European Union (EU) in 2014 finds that the EU public want both better national security through surveillance but that they also want better privacy – they do not accept a trade‐off between the two (Pavone et al. 2015).
EU Public (especially Younger People) Concern about State Surveillance
As with the DCSS study, SurPRISE finds that across the EU, age makes a difference. Age is positively correlated with the acceptability of security‐oriented surveillance technologies.
EU Public think some Surveillance Technologies are Useful/Effective for Combating National Security Threats
Most people in the EU agree or strongly agree that security‐oriented surveillance technologies are effective national security tools – especially Smart CCTV (64% agreement) and smartphone location tracking (54% agreement) (see Appendix 2.1). Furthermore, more people than not also feel that these are appropriate ways to address national security threats – especially Smart CCTV (51% agreement) although less so smartphone location tracking (42% agreement) and deep packet inspection (41% agreement) (see Appendix 2.2). Overall, more people than not support security‐oriented surveillance technologies as a national security measure – especially Smart CCTV (63% agreement) and smartphone location tracking (58% agreement) (see Appendix 2.3).
EU Public think all Surveillance Technologies Compromise Human Rights and are Susceptible to Abuse by Security Agencies
Despite supporting security‐oriented surveillance technologies as a national security measure, most people in the EU agree or strongly agree that security‐oriented surveillance technologies could violate everyone’s fundamental human rights – especially deep‐packet inspection (82% agreement) and smartphone location tracking (72% agreement), followed by Smart CCTV (59% agreement) (see Appendix 2.4). Furthermore, more people than not disagree or strongly disagree that security agencies using these security‐oriented surveillance technologies do not abuse their powers – especially deep‐packet inspection (56% disagreement) although less so for Smart CCTV (48% disagreement) and smartphone location tracking (36% disagreement) (see Appendix 2.5).
To summarise, the EU public thinks that certain surveillance technologies are useful/effective for combating national security threats, but that all such technologies compromise human rights and are abused by security agencies. These concerns especially apply to deep packet inspection.
SurPRISE also demonstrates that while there are differences according to nation and security‐oriented surveillance technology, on the whole:
‐ The public does not accept blanket mass surveillance. Security‐oriented surveillance technologies that operate blanket surveillance are found significantly less acceptable than those that carefully focus on specific targets.
‐ The public demands enforced and increased accountability, liability and transparency of private and state surveillant entities.
Drilling down into the EU data, the UK’s national study finds similar results (Ball et al. 2014).
SurPRISE: UK National Report
UK Public Concern about Privacy
UK participants were concerned about the privacy of the general public (63% express concerns) and about their own personal privacy (66% express concerns). 76% are afraid that too much information is collected about them, with many worried that the personal data held about them may be inaccurate (74%), shared without their permission (96%), or used against them (68%) (see Appendix 2.6).
UK Public think Surveillance‐oriented Security Technologies Improve National Security and Should be Used
Despite their privacy concerns, 90% of UK participants think that surveillance‐oriented security technologies improve national security, and 80% think that since these technologies are available, governments might as well use them (see Appendix 2.7). However, support for deep packet inspection (at 56%) is much less than support for Smart CCTV (88%) (see Appendix 2.8).
UK Public think all Surveillance Technologies Compromise Human Rights and are Susceptible to Abuse by Security Agencies
Over half of UK participants (55%) worry that once in place, surveillance‐oriented security technologies might be abused (see Appendix 2.7). While 46% agree that security agencies using Smart CCTV have the welfare interests of citizens at heart, only 31% consider them competent, and only 29% viewed them as trustworthy, with large amounts undecided. Only 16% considered that these agencies would not abuse their power, with far more (41%) expressing doubts that such abuses would not occur, and similar amounts undecided (see Appendix 2.9). The figures for deep packet inspection are similar, with 41% satisfied that agencies that implement this technology were focused on citizen welfare. Only 29% view agencies that implement this technology as competent, and only 30% consider them to be trustworthy, with large amounts undecided. Once again, participants were more cynical about the extent to which security agencies might abuse their power, with 45% expressing doubts that such abuses would not occur, and large amounts undecided (see Appendix 2.10).
General Policy Recommendations from UK Participants
Following the citizen summits, participants were asked to make policy recommendations. UK participants recommended the following (Ball et al. 2014: 32‐33).
On Transparency and communication
‐ Raise citizen awareness about the use of security‐oriented surveillance technologies.
‐ Provide greater clarity about whom, how and where gathered information/data is held and used.
‐ Give citizens access to information that the security services and others hold about them.
On Responsibility for regulating and implementing security‐oriented surveillance technologies.
‐ They should be governed by transparent and understandable legislation.
‐ Establish an independent regulatory body with responsibility for overseeing use of security‐oriented surveillance technologies, and which sets rules about handling the gathered information/data.
‐ Government should ensure that any information/data collected through security‐oriented surveillance technologies is held within the UK and not sent elsewhere.
‐ Nationally control security‐oriented surveillance technologies, but to an EU standard.
‐ Do not involve private companies in operating security‐oriented surveillance technologies or give them access to the information/data produced.
EU Public Criteria for What Makes Security‐Oriented Surveillance Technologies Acceptable
As with the findings on the UK, the wider SurPRISE study finds that a common criterion determining the acceptability of security‐oriented surveillance technologies by the European public is that they are operated by transparent, accountable public agencies that inform citizens about their purposes and functions (Pavone et al. 2015). The study’s full list of criteria for what makes security‐oriented surveillance technologies acceptable to EU citizens is as follows:
a) Operate under an international legislative framework, monitored by a data protection authority with sufficient powers at the European level;
b) Are operated by transparent, accountable public agencies that inform citizens about their purposes and functions;
c) Are cost‐effective and allow citizens to access and control the data that security services retrieve and store;
d) Always target the least sensitive data, only in public spaces, whenever possible and be specifically orientated towards suspects and criminal activities;
e) Are deployed only after significant evidence has been collected and only after judicial authorities grant permission;
f) Incorporate Privacy‐by‐Design mechanisms and principles;
g) Do not replace but complement human intervention, as part of a broader, socially informed, security strategy that addresses also the social and economic causes of crime and violence.
Public Perceptions of Privacy from the Advertising Industry
While not ostensibly focused on the Snowden revelations it is instructive to look at poll findings about public perceptions of privacy from the advertising industry, such as the Internet Advertising Bureau (IAB), an organisation that champions the collective interests of the UK ad‐tech industry. This is relevant because:
‐ The advertising industry has an interest in overcoming people’s privacy concerns;
‐ Public concerns about online privacy from commercial and state surveillant entities arguably overlap;
‐ Because of the overlap, Snowden’s revelations have dented the potential for trust in the online environment.
‐ People actively take steps to prevent commercial surveillance – and this could be an indicator of what they might be prepared to do regarding state surveillance, if only they could.
Everyone Wants More Online Privacy (this Pre‐dates Snowden)
Pre‐Snowden, in 2012, the IAB found that: 89% of people ‘want to be in control of their online privacy’. While this is not surprising, their finding that 62% ‘worry about online privacy’ is notable. The findings in the IAB (2012) study differ here from poll findings on concern over state surveillance in that it is over 55s who most demonstrate a wish for online privacy (93%), although younger people also seek control (84%) (IAB 2012).
Post‐Snowden, data from TRUSTe (2014) on UK perceptions also highlight high levels of concern about advertising with 89% of British internet users worried about their online privacy. Furthermore, due to privacy concerns, Britons are less likely to click on an online ad (91%), use apps they do not trust (78%) or enable online tracking (68%). More recent 2015 commentary from the IAB shows increased interest in privacy. This is in response to unequivocal consumer concern and the forthcoming new European framework for data protection in Europe. They suggest now is ‘a real opportunity to create incentives for organisations to build privacy‐enhancing measures and embrace a truly ‘privacy by design’ approach’ (IAB 2015b).
People increasingly Defend Themselves against Intrusive Behaviour by Advertising Companies
It is interesting to also consider defences that people take against intrusive behaviour by advertising companies. Although deletion of browsing history remains the foremost means to avoid tracking cookies, in the commercial sectors adblockers and anti‐trackers are used at rates that worry the advertising industry. PageFair (2014) found that in the UK 15 per cent of British adults online currently use adblocking software, while 22 per cent have downloaded the software at some point. Unsurprisingly this skewed towards the young, as 34 per cent of 18‐24 year olds are most likely to block ads.
A recent IAB (2015a) report finds privacy concerns are cited as a reason for blocking ads (31% cite privacy concerns), although this is certainly not users’ main concern. Ads are most likely to be blocked because: they are interruptive (73%); the design can be annoying (55%); and ads slow down users’ web browsing experience (54%).
If People Could Mitigate State Surveillance, Would They, & What Would They Do?
From the studies consulted, it is clear that online privacy is important to people both in regards to state surveillance and commercial surveillance. Furthermore, people can take steps regarding commercial surveillance – and increasingly they are doing so. Taking steps against state digital surveillance is less fine‐tuned.
What Can People do to Mitigate State Surveillance
People can:
‐ Encrypt their communications (for instance, using services that encrypt end‐to‐end, like email Ghostmail, social media platform Whatsapp or web browser Tor);
‐ Choose to use digital communications platforms that do not track communications (eg Search Engines like DuckDuckGo);
‐ Try to obfuscate their information, individually or collectively, by adding noise to existing data collection to make its results ambiguous and hence less valuable. Examples include swapping store loyalty cards; utilising a FaceCloak plug‐in that gives users a choice, on creating a FaceBook profile, as to who will see their personal data; and using plugin TrackMeNot that foils the profiling of users through their web searches by creating ghost queries that make users’ pattern of real queries harder to discern (Brunton & Nissenbaum 2015);
‐ Reduce what is posted, shared and searched. They may even choose not to use digital communication platforms at all (going ‘off‐grid’), but as the Anderson Report (2015) notes, this means not participating in 21st century life.
Will People Act to Mitigate State Surveillance?
Given this range of tools and behaviour change open to people to defend against state surveillance, the crucial question for all concerned with such issues, including politicians, regulators, businesses and activists, is:
‐ Whether people will act to mitigate state surveillance;
‐ Whether technology companies will act on people’s behalf to mitigate state surveillance, for instance, by making encryption a default mode.
Since Snowden’s leaks, intelligence agencies have publicly lamented the internet ‘going dark’ (Comey 2015; ISC 2015: 9). The extent to which this becomes a widespread reality has yet to be seen. No doubt this will be determined by a range of factors – not least public feeling on privacy, security and surveillance.
Observations and Recommendations
Drawing on these studies, we make the following observations and recommendations.
Observations
1. Unlike the UK government, the British public sees bulk data collection as constituting mass surveillance.
2. The topics of UK state surveillance of digital communications and online privacy matter to the British, and wider EU public. This is confirmed by opinion poll data since 2013 and in‐depth studies.
3. The EU and UK public think some surveillance technologies are useful/effective for combating national security threats, and should be used, but acceptability varies according to whether the surveillance is of communications or bodies, and blanket or targeted. Surveillance of physical bodies (smart CCTV) and targeted surveillance of digital communications (smartphone location tracking) are more accepted than blanket surveillance of digital communications (deep packet inspection).
4. The EU and UK public think that although certain surveillance technologies are useful/effective for combating national security threats, they compromise human rights and are abused by security agencies. These concerns especially apply to deep packet inspection.
5. In the UK, those under 60 see UK state surveillance of digital communications as going too far, and an infringement upon the right to privacy. Over 60s do not. This finding is echoed by EU‐wide studies.
6. In the UK, it is younger people & ethnic minorities who are most concerned about lack of transparency & consent when it comes to state surveillance of digital communications.
7. There are identifiable criteria for what makes security‐oriented surveillance technologies acceptable for EU publics. Targeted rather than blanket surveillance is preferred, as are clear communications to citizens about what is going on, with strong regulatory oversight.
8. All age groups in the UK, especially those over 55, are strongly concerned about commercial surveillance, and increasingly take concrete steps to defend against intrusive behaviour by advertising companies. This suggests that if people could do more about state surveillance, they would.
9. There are a range of tools and behaviour change open to people to defend against state surveillance.
Recommendations
1. Given Observation 1, the UK government has more work to do if it wants to persuade the British public that Bulk Data Collection is different to mass digital surveillance.
2. Given Observation 2, the UK government should take into consideration public views on digital surveillance and privacy.
3. Given Observation 3, the UK government has a public mandate to use some surveillance technologies for combating national security threats. However this mandate is much weaker for blanket surveillance of digital communications (deep packet inspection) than more targeted surveillance of digital communications (smartphone location tracking) or surveillance of physical bodies (Smart CCTV).
4. Observation 4 shows that the UK government has more work to do if it wants to persuade the British public that its security agencies do not abuse their surveillance powers, especially concerning deep packet inspection. Observations 5 and 6 show that the least persuaded are those under 60 and ethnic minorities.
5. Given observation 7, governments seeking a popular mandate for digital surveillance should ensure that such surveillance is targeted rather than blanket, accompanied by strong regulatory oversight and clear communications to citizens about what is going on.
6. Given public concerns over blanket digital surveillance, observation 8 which shows people taking increasing action against commercial digital surveillance, and observation 9 which shows that there are things people can use and do to mitigate state surveillance, this suggests that unless the UK government provides a digital surveillance architecture that is acceptable to its people, it is quite possible that people will refuse this surveillance.
16
References
Anderson, D. 2015. A question of trust: Report of the investigatory powers review. OGL. Retrieved from https://terrorismlegislationreviewer.independent.gov.uk/a-question-of-trust-report-of-the-investigatory-powers-review/
Ball, K. et al. 2014. Citizen Summits on Privacy, Security and Surveillance: Country report United Kingdom. SurPRISE. Surveillance, Privacy and Security: A large scale participatory assessment of criteria and factors determining acceptability and acceptance of security technologies in Europe. Retrieved from http://surprise-project.eu/
Comey, J. 2015. Encryption, Public Safety, and "Going Dark". Lawfare. Retrieved from https://www.lawfareblog.com/encryption-public-safety-and-going-dark
Brunton, F. & Nissenbaum, H. 2015. Obfuscation: A User's Guide for Privacy and Protest. Cambridge: MIT Press.
IAB. 2012. Consumers and Online Privacy 2012 - Bitesize Guide. Retrieved from http://www.iabuk.net/sites/default/files/Consumers%20and%20Online%20Privacy%202012%20-%20Bitesize%20Guide.pdf
IAB. 2015a. 15% of Britons online are blocking ads. Retrieved from http://www.iabuk.net/about/press/archive/15-of-britons-online-are-blocking-ads
IAB. 2015b. IAB believes in PRIVACY. Retrieved from http://www.iabuk.net/blog/the-iab-believes-in-privacy
ISC. 2015. Privacy and Security: A Modern and Transparent Legal Framework. House of Commons [12 March]. Intelligence and Security Committee. Retrieved from http://isc.independent.gov.uk/
Pavone, V., Esposti, S.D. and Santiago, E. 2015. D2.4 – Key factors affecting public acceptance and acceptability of SOSTs. SurPRISE. Surveillance, Privacy and Security: A large scale participatory assessment of criteria and factors determining acceptability and acceptance of security technologies in Europe. Retrieved from http://surprise-project.eu/
PageFair. 2014. Adblocking Goes Mainstream. Retrieved from http://blog.pagefair.com/2014/adblocking-report/
TRUSTe. 2014. 2013 UK Consumer Data Privacy Study: Advertising Edition. Retrieved from https://www.truste.com/resources/privacy-research/uk-consumer-confidence-index-2014/
Appendix 1. Polls Studied by DCSS
Poll: YouGov June 2013
Question: It has been suggested that the law should be changed to give police and security services access to the records kept by mobile phone and internet service provider companies. These would include individuals’ web browsing, email and social media activity, though not the content of emails or social messages. In principle do you think this proposal...

Answers | Total | 18-24 | 25-39 | 40-59 | 60+
Goes too far: it undermines our right to privacy | 43 | 50 | 44 | 47 | 36
Is a good idea, given the way technology is evolving | 38 | 28 | 31 | 38 | 49

Poll: YouGov August 2013
Question: As you may know, Edward Snowden, a former US intelligence officer, has disclosed that GCHQ, a British intelligence agency, has been secretly accessing fibre-optic cables carrying internet and communication data. It can tap into and store anybody’s phone calls and emails for up to 30 days, regardless of whether they are suspected of doing anything wrong. Which of these views comes closer to yours?

Answers | Total | 18-24 | 25-39 | 40-59 | 60+
It is right: the secret service should have access to this information in order to protect the nation | 41 | 24 | 39 | 43 | 46
It is wrong: the secret service should not have the power to eavesdrop into innocent people's private affairs | 45 | 58 | 42 | 45 | 43

Poll: YouGov October 2013
Question: Do you think the security services should or should not be allowed to store the details (but not the actual contents) of ordinary people's communications, such as emails and mobile phone calls?

Answers | Total | 18-24 | 25-39 | 40-59 | 60+
Should be allowed | 38 | 32 | 38 | 39 | 41
Should not be allowed | 46 | 47 | 48 | 47 | 45

Poll: Ipsos Mori May 2014
Question: How important, if at all, do you think it is to maintain the privacy of each of the following?

Answers | Essential/Important | Not Important
Internet browsing records | 85 | 12
Content of emails | 91 | 6
Mobile phone location | 79 | 18

Poll: YouGov July 2014
Question: It has been suggested that the law should be changed to give police and security services access to the records kept by mobile phone and internet service provider companies. These would include individuals’ web browsing, email and social media activity, though not the content of emails or social messages. In principle do you think this proposal...

Answers | Total | 18-24 | 25-39 | 40-59 | 60+
Goes too far: it undermines our right to privacy | 41 | 51 | 43 | 44 | 32
Is a good idea, given the way technology is evolving | 37 | 24 | 30 | 38 | 46

Poll: YouGov March 2015
Question: If indeed they DID [GCHQ] have the resources and capability to intercept/collect the internet-based communications of every British citizen, would you trust them not to abuse that capability?

Answers | Total
Yes | 34
No | 42

Poll: YouGov March 2015
Question: Do you think the [your country] Government should or should not intercept, store and analyse internet use and mobile phone communications of all [your country] citizens living in the [your country]

Answers | Total
Should intercept, store and analyse internet use and mobile communications | 36
Should not intercept, store and analyse internet use and mobile communications | 44
Appendix 2. SurPRISE Results
2.1. Pavone et al (2015: 115)
2.2 Pavone et al (2015: 117)
2.3. Pavone et al (2015: 110)
2.4. Pavone et al (2015: 120)
2.5 Pavone et al. (2015: 128)
2.6 Ball et al (2014: 15)
2.7 Ball et al (2014: 17)
2.8 Ball et al (2014: 18)
2.9 Ball et al (2014: 27)
2.10 Ball et al (2014: 28)