Most of the products that have found their way into the mass surveillance industry Spy Files compiled by WikiLeaks relate to criminal/security-based surveillance. Some, however, are presented as service tools, not just for network operators but for their customers to improve service.
Dan delaMare-Lion, our Virgil through this cyberhell, urged users to consider the benefits his company could provide for “Service Assurance”, enabling it to “identify network bottlenecks and avoid affecting user experience”.
That is, the more a service provider knows about what you are doing, the better the service they can provide. That’s the basis of the pitch from US company Dialogic, which like Qosmos and SS8 emphasises that online and mobile behaviour can be a key to identity but goes further and suggests behaviour can be a predictive tool for future user service demands — for example, by predicting whether a user will run out of credit during an important mobile phone call.
In this context, surveillance of everything you do online or via your mobile is a tool to predict what you’ll do in the future and anticipate what you’ll need from the company you use. In short, you benefit from the complete stripping of your privacy.
This is the same rationale behind the Carrier IQ keystroke-logging software embedded on HTC and Samsung-built Android phones that is now the subject of US Senate interest, with claims the software breaches US wiretap laws and, inevitably, lawsuits. “We measure and summarize performance of the device to assist Operators in delivering better service,” said Carrier IQ in a statement defending itself. “Our software makes your phone better by delivering intelligence on the performance of mobile devices and networks to help the Operators provide optimal service efficiency.”
Carrier IQ’s protestations of innocent intentions, however, are a little hard to take at face value given its initial reaction to the revelation of the software — it threatened legal action to silence researcher Trevor Eckhart and only backed off when the Electronic Frontier Foundation became involved.
The embedded nature of such systems in important. The cyber security industry argues that mechanisms to monitor customer usage must be embedded — they shouldn’t be purpose-built or bolt-on systems added to existing networks. Networks should be developed from the ground up with full surveillance in mind. Add-ons are “compromise solutions”, said Dan delaMare-Lyon, that are expensive and not future-proofed: “We have one underlying network. We need to be able to see the traffic on it for many reasons — multiple teams focus on service delivery, security, lawful intercept … In some cases, deep packet inspection and session reassembly is necessary.”
The problem with systems like Carrier IQ’s software, of course, is that users are entirely unaware of the means of maximising their “consumer experience”, and given no choice to opt out. Indeed, even if you know the software is on your phone, disabling or removing it requires expertise well beyond most consumers. This is the difference between, for example, providing personal information willingly to Facebook, and Facebook’s systematic invasion of user privacy without consent. If you’re stupid enough to furnish Facebook with personal data, that’s your decision as a consumer. But Facebook’s “like” button tracks users visiting other sites and stores data for up to three months — although the company, which has called for the end of online anonymity, insists it isn’t “tracking” users but merely using the information to serve users more targeted ads.
There it is again — making your user experience “better”. But that concept of “better” is a corporate one — companies seriously think giving you “more targeted ads” improves your life.
Last week, Facebook agreed to a settlement with the US Federal Trade Commission committing to stop misleading its users about the efficacy of its privacy settings and accepting regular government audits for two decades. Facebook had been routinely passing on customers’ private information to third parties without their consent. The FTC has also thrashed out privacy-related settlements with Google and Twitter over the last 12 months, although the Twitter issue related to the hacking of people’s Twitter accounts, not how Twitter was handling customer info.
So what is the Australian government doing about what looks like a relentless private sector onslaught on privacy, driven both by the security industry and by companies eager to “improve service quality”?
The most we’ve heard from the government on privacy is when Stephen Conroy railed at Google over its Streetview violations involving sniffing wifi signals — coincidentally at the same time as Google was criticising the internet filter proposal. Privacy Minister Brendan O’Connor did release an issues paper on establishing a right to privacy earlier this year, but that was aimed at the media in the wake of the UK phone-hacking affair rather than the cyber security industry.
We also have no understanding of what firms are being used by our security and intelligence agencies in their electronic interception programs. Knowing which firms are being used would at least give us an understanding of the sorts of products being used to eavesdrop on Australians.However, unlike other government departments, agencies like ASIO are not required to publicly identify significant contracts. Instead, MPs can request that ASIO brief them confidentially on whom they outsource to, or what contracts they enter into to purchase equipment and services. The public is not permitted to know what firms and equipment security agencies are using to undertake surveillance.
Indeed, far from moving to better protect Australians’ communications privacy, this government continues to propose to remove protections. Its cybercrime bill, which didn’t pass before parliament rose for the year, would enable foreign governments to obtain Australians’ traffic data. And the government continues to consider, in secret, a mandatory data retention law that would preserve all records of every Australian’s phone and online behaviour.
Governments are creating a permissive environment for systematic privacy breaches because they ultimately stand to benefit from systems that track online usage, profile behaviour and chip away at online anonymity. From the perspective of governments, the spectrum of privacy breaches — from cyber security companies spruiking “mass surveillance” of all internet traffic to social media companies accumulating data — provides a smorgasbord of opportunities to accumulate information.
It’s willful neglect, in which governments pick and choose those privacy breaches they regard as inappropriate and do nothing to regulate the rest, in effect giving it a menu of tools for its own use, in the knowledge that the private sector is working on issues like defeating online anonymity and behaviour recognition.
Don’t expect governments to do anything about a rampant cyber security industry any time soon.