Should we expect to keep communication private in the digital age?
Reg writers and readers wrangle over rights and realities
Register Debate Can you have a debate on privacy without mentioning Orwell and 1984 or Bentham's Panopticon?
You can certainly try, which is just what our contributors did this week, when they went head to head on the motion: In the digital age, we should not expect our communications to remain private.
I kicked off proceedings, pointing out that, according to the UN amongst others, privacy is not just nice to have, but a human right and that of course this extends to digital communications.
The problem is, on the one hand, that governments have been intercepting our communications ever since the invention of the kettle, and on the other hand…well, Facebook for one. If we had a third hand, you can bet it would have a fat thumb, just like the HR person who hits send all when dealing with your confidential data.
So, I suggested, let's just be realistic and say we should accept that we can't have a realistic expectation of privacy. And I didn't mention Orwell once.
But inevitably, one Anonymous Coward was quick out of the blocks, arguing that Orwell was himself inspired by Bentham's Panopticon. "George Orwell extrapolated on consequences, but even he could not have dreamt up the pervasive amount of surveillance the average citizen is now subjected to as soon as someone discovered just how much profit could be made with reselling that data - with, of course, themselves nicely excluded from it."
But it's worse than that. When fellow commenters pointed out that Facebook has access to almost everything and people are giving it freely. Fred Flintstone suggested this was "Not entirely true. Zuck has my phone number because OTHERS installed WhatsApp and so shipped my personal data to Zuck without me ever having given permission to do so (because I wouldn't trust me on that). This is why commercial use of WhatsApp in my opinion is a straightforward breach of the GDPR unless you have the permission of every single person in your address book."
btrower said this issue is a "slam dunk" – yes, but how? Because, "You have no hope of privacy if a powerful enough adversary targets you. There are many routes to failure and exposure. The only hope of modest privacy is being someone who is not interesting enough to look at. Given the value of successfully targeting you as a consumer, you are indeed interesting to look at for anybody who can capitalize on this."
However modest you are, btrower continued,"If you know about Snowden's revelations, know what side-channel attacks are, know what social engineering is, understand how various types of data correlation and statistics work, are aware of things like undocumented instructions to alter CPU microcode, fundamental weaknesses in security code, deliberately weakened security standards by entities like the NSA and collaborating security experts, laws allowing government agencies to demand private data from service providers, hardware backdoors in things like hard disks , etcetera, it is hard to imagine how you think you can ensure you keep communications private."
Another day in the privacy wars
Day 2 saw Dave Cartwright argue against the motion. He drilled down further into the issue, pointing out that we need to ask "what precisely we mean by our communications". Our work mailbox belongs to our employers, he pointed out, so we can't complain about snooping there.
One can encrypt your communication with Facebook, and still Facebook will hoard and use all the data it can - and let the government access them
But, he continued, when it comes to communications containing our personal data between the HR department and the company's lawyers, "Yes, we should absolutely be entitled to expect those to be confidential." Likewise, we should expect our non work email, personal files, photos and everything else to remain private.
While we have to contend with legislation that allows governments to snoop on us, and cybercriminals who are in a continual arms race against security vendors, "To say we can't expect privacy is too close to admitting defeat."
Stirring stuff. But is it enough to stir the average punter?
One Anonymous Coward responded, bluntly, "Nothing digital is private. You just might not know that yet." (We've seen Dave's CV. He knows what's what when it comes to digital security and privacy.)
More illuminatingly, Lotaresco commented that "Over the past few decades I have worked hard to ensure that personal data given to large institutions remains private. It has been a difficult job…. increasingly I wonder why I bothered, because a survey of people's attitudes to the collection and use of this data just presented a giant shrug from the vast majority of the subjects….
"For the record, I go to incredible lengths to protect my own personal data. I think everyone should think very carefully about the subject. But for most people being able to tell a robot assistant to order more Sugar Puffs, a basket of sex toys, and some antibiotics is more important than protecting any misuse of sensitive personal data."
Sugar Puffs and, er, toys notwithstanding, scrubber decided to take a pop at "non-commercial" threats to privacy. "Maybe we'd do better against foreign nations and criminal gangs if government agencies didn't hoard zero day exploits then lose them to people who offer them for sale on the Dark Web. Just a thought."
And we enjoyed one Anonymous Coward's observation that "1984 was a decent model for Soviet-style totalitarianism, but the totalitarianism of western liberal democracies is better modelled by 'Brave New World.'
Soma, so good then.
Our second contributor arguing in favour of the motion was Jen, an infosec pro with over a decade of experience at the sharp end.
They argued that "Employers will use best endeavours" to ensure privacy. But at the same time, there is a "privacy paradox", with individuals' desire for privacy at odds with "a simultaneous lack of appropriate security behaviour by individuals – behaviour such as using the same insecure password for multiple sites, signing up to just about any site for a 10 per cent discount, or even a reluctance to use security measures such as multi-factor authentication."
Despite Jen's efforts to highlight individual responsibility when it comes to privacy, sev.monster was appalled by the number of people voting in favour of the motion.
Yes, the current reality meant it was difficult to "expect" privacy, but accepting the status quo "Is not only terrifyingly pessimistic, but sets a dangerous precedent that others will follow. The only way we will get our privacy back from vulturistic corporations and overreaching government organizations is by declaring unchallenged that we have a right to our privacy for the information we do not openly disclose, and if we provide that data to a third party in confidence, do not wish to be disclosed by any potential data holders. We SHOULD expect and demand it, and if our reality does not match those expectations, then something needs to change."
Not sure about the use of "vulturistic" there, but I think we get the point.
Filippo felt that "Bottom of FormFailing to properly defend your right to privacy can and often does mean that you lose your privacy - but it doesn't mean that you lose the right itself. It just means that you're an easy victim. But you're still the victim. The ultimate moral responsibility remains with those who abuse your privacy, regardless of how easy you're making it for them.
Another commenter suggested that businesses simply shouldn't accept insecure passwords from those eager beavers signing up for a 10 per cent discount.
Orwell that ends well?
And martinusher professed to be neither for nor against, pointing out that "A casual glance at history would show that 'the powers that be' will intercept whatever they want to intercept whenever they want to, the primary limitation for their activities being resources. Privacy is thus a "gentleman's agreement", not a right."
Ensuring confidential communications takes effort, our commenter added, and most will default to ready made applications and protocols. "It's naive to think these won't be intercepted at will – if nothing else, your communications will not be 'cracked' but they'll certainly provide raw data for traffic analysis which more often than not is all an interested party wants to know."
Veteran security writer John E Dunne wrapped up our week of battling opinions in uncompromising style, recounting the current UK government's deployment of none other than M&C Saatchi to convince the public that encrypted messaging "Puts society in moral peril."
The fact is citizens will feel the government has taken a liberty, while enterprises will ask how they are supposed to ensure secure communications and data, if the tools they rely on are backdoored.
Government control over the levers of privacy will not lead to greater security, but eroding trust, he said, and: "The problem with trust is that once it's gone, it's gone for good."
There was a flurry of back and forth comments debating whether we have the tools to secure our communications, and more importantly, whether these were truly accessible to ordinary citizens who aren't IT professionals.
LDS suggested John was: "Once again, conflating privacy with secrecy - and messages with life", pointing out that one "can encrypt your communication with Facebook, and still Facebook will hoard and use all the data it can - and let the government access them…. We have to rein in governments asking [for] easy mass surveillance - but beware of looking at a finger ignoring the elephant behind. Encryption alone can't save us."
Perhaps. But it should make life harder for those looking to peer into messages and data they shouldn't do.
A couple of other points.
While the contributors didn't mention 1984 at all, the Orwell-o-meter in comments hit 15, which with the total number of reader contributions north of 150 is, we'd suggest, restrained.
A running theme in the comments was whether the motion was framed correctly in the first place, with commenters arguing that having "not" was likely to misdirect some readers.
Some argued this was a cunning ploy akin to the slippery language one finds in, well, the privacy clauses internet service providers and ecommerce firms foist upon their customers. On the former, we'll bear it in mind. On the latter, we're really not that devious.
Still, the bulk of readers were more than capable of thrashing out the issues. Trawling through the comments might suggest a high level of scepticism about whether government and commerce can be trusted with our privacy. And there was a pervasive world weariness about consumers' endless capacity to hand over their data for…well, not very much.
But on balance, Reg readers aren't going to run up the white flag on their privacy. A resounding two-thirds voted against the motion. But don't worry, we won't tell anyone how you voted. ®