Privacy protection online I Surveillance MVV1368K Privacy and Personal Data František Kasl 1/28 Structure of the seminar • 1) Essays – Basic info + readings • 2) Topics – Surveillance then and now – Chilling effect – New surveillance • 3) Slides – Title – Question – Discussion - Information 2 Essays - Topics • Essay Deadline: 30 October, 8:00 AM • approx. 10 500 - 16 000 characters long (+ footnotes) = 5-8 pages • For further essay requirements see interactive sylabus • Presentation day (only students with Presentation No. 1): 31 October – Surveillance then and now: Development of the issue of state surveillance in the privacy context – Chilling effect: How lack of privacy affects the political freedom and social dissent – New surveillance: From pursuit of national security to erosion of privacy for commercial purposes 3 Obligatory readings • These readings are the prerequisite for the understanding of the concept of surveillance and its historical development. – CLARKE, Roger. Introduction to Dataveillance and Information Privacy, and Definitions of Terms, 1997. Available at: http://www.rogerclarke.com/DV/Intro.html – MARX, Gary T. What’s new about the “new surveillance”?: Classifying for change and continuity, Knowledge, Technology & Policy. 2004, Vol. 17, No. 1, pp. 18–37. Available (through university computers) at: https://link.springer.com/article/10.1007%2FBF02687074 4 Voluntary readings • These readings provide additional insight into the challenges related to the conflict of surveillance and privacy. – STUART, Avelie; Mark Levine. Beyond ‘nothing to hide’: When identity is key to privacy threat under surveillance. European Journal of Social Psychology. 2017, Vol. 47, 694-707. Available (through university computers) at: https://onlinelibrary.wiley.com/doi/abs/10.1002/ejsp.2270 – MILAJ, Jonida. Privacy, surveillance, and the proportionality principle: The need for a method of assessing privacy implications of technologies used for surveillance, International Review of Law, Computers & Technology, 2016, Vol. 30, No. 3, pp. 115-130. Available (through university computers) at: https://www.tandfonline.com/doi/abs/10.1080/13600869.2015.1076993 – POSNER, Richard A. Privacy, Surveillance, and Law, The University of Chicago Law Review. 2008, Vol. 75, No. 1, pp. 245-260. Available (through university computers) at: https://www.jstor.org/stable/20141907?seq=1#page_scan_tab_contents – PENNEY, J. W. Chilling Effects: Online Surveillance and Wikipedia Use. Berkeley Technology Law Journal. 2016, Vol. 31, No. 1. Available (through university computers) at: https://heinonline.org/HOL/LandingPage?handle=hein.journals/berktech31&div=6&id=&page = – ZUBOFF, Shoshana. Big other: surveillance capitalism and the prospects of an information civilization. Journal of Information Technology. 2015, Vol. 30, No. 1, pp. 75-89. Available (through university computers) at: https://link.springer.com/article/10.1057/jit.2015.5 5 Additional readings • These readings provide broader context and up-to-date examples of situations, where privacy is being challenged by surveillance. – BUNIN, G. ‘We’re a people destroyed’: why Uighur Muslims across China are living in fear. The Guardian. 7. 8. 2018. Available at: https://www.theguardian.com/news/2018/aug/07/why-uighur-muslims-across-china- are-living-in-fear – SCHNEIER, Bruce. It's Not Just Facebook. Thousands of Companies are Spying on You. CNN. 2018. Available at: https://www.schneier.com/essays/archives/2018/03/its_not_just_faceboo.html – SCHNEIER, Bruce. Security vs. Surveillance. Don't Panic: Making Progress on the 'Going Dark' Debate. 2016. Available at: https://www.schneier.com/essays/archives/2016/02/security_vs_surveill.html – SCHNEIER, Bruce. The Era Of Automatic Facial Recognition And Surveillance Is Here. Forbes. 2015. Available at: https://www.schneier.com/essays/archives/2015/09/sep_29_2015_0930_am_.html – CLARKE, Roger. Risks Inherent in the Digital Surveillance Economy: A Research Agenda. 2017. Available at: http://www.rogerclarke.com/EC/DSE.html – CLARKE, Roger. Data Retention as Mass Surveillance: The Need for an Evaluative Framework. International Data Privacy Law, 2015, Vol. 5, No. 2, pp. 121-132. Also available at: http://www.rogerclarke.com/DV/DRPS.html . – CLARKE, Roger; Marcus WIGAN. You Are Where You've Been The Privacy Implications of Location and Tracking Technologies. Journal of Location Based Services, 2011, Vol. 5, No. 3-4, pp. 138-155. Also available at: http://www.rogerclarke.com/DV/YAWYB-CWP.html – CLARKE, Roger. From Dataveillance to Ueberveillance. 2013. Available at: http://www.rogerclarke.com/DV/DV13.html – SOLOVE, Daniel J.; Paul. M. SCHWARTZ. Privacy, Law Enforcement and National Security. 2014, Wolters Kluwer Law & Business, 978-1454861539, 233 p. – SCHNEIER, Bruce. Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World. 2016, W. W. Norton & Company, 978-0393352177, 448 p. 6 Surveillance then and now 7 Quick recap: Privacy and why does it matter? • control over self-determination – freedom to choose one´s future – „freedom to make mistakes“ – expression and development of unique personality + social profile – control over one´s outside image – self-esteem/self-representation • personal data = data about an individual • private sphere = intimate / vulnerable / „true self“ • types of privacy – spatial x social x intellectual x informational • levels of privacy - solitude x intimacy x anonymity x reserve • => surveillance = attempts to profile for outside control = public – excessive behaviour / private – customer behaviour • data profile + data processing – control over profile => categorization => prediction („pre-crime“ / „minitrue“ / „what is not on the menu?“) – control over individual - capacity for discrimination / normalization / manipulation 8 Surveillance What does it mean? • „close observation, especially of a suspected person“ – Concise Oxford Dictionary X • „systematic investigation or monitoring of the actions or communications of one or more persons“ – Roger Clarke, 1997 X • „the use of technical means to extract or create personal data“ – New Surveillance – G.T.Marx 2004 9 Technology and surveillance New tools = less privacy? • surveillance = ever present part of social organisation – need for information / control • changes in form and content – tax surveillance – religious surveillance – political surveillance – policed society surveillance – work/market/medical surveillance • self-surveillance X outside surveillance • direct X indirect surveillance • New tools and techniques => new countermeasures = constant struggle – observation X closed door / eavesdropping X coded language / wiretapping X encryption 10 Big data and surveillance How did modern ICT change surveillance? • electronic communication = exponential increase in data = new information potential • Dataveillance – "systematic use of personal data systems in the investigation or monitoring of the actions or communications of one or more persons" • Roger Clarke, 1997 – significantly less expensive - can be automated => mass scale surveillance – wide range of techniques • Front- End Verification (transactions) • Computer Matching (big data combination) • Profiling (categorisation) • => Data Trail = person´s informational tracks in cyberspace 11 Chilling effect 12 National security and state interests in surveillance For the greater good – justification of state surveillance? • surveillance in public interest – airport security / public places / counter-terorism / data retention / public health / social unrest • surveillance = tool – morality depends on the one who wields it • NSA PRISM (counterterorism surveillance program) • China - Xinjiang region – Uighur minority normalisation X • Energy distribution efficiency – Smart grid • Enviromental monitoring • Optimisation of public services • Epidemiological disease monitoring 13 Panopticon State´s watchful eye = good citizens? • Panopticon prison as "a mill for grinding rogues honest" – Jeremy Bentham (1748-1832) • you never know, if someone is not watching – mass surveillance – omnipresent surveillance in public places – monitoring of employees through ICT – surveillance through private online activities • impact on behaviour = chilling effect – social conformity = normalisation / preemptive selfregulation / supression of individuality / no space to revolt 14 Mass surveillance and data retention Wider net = better catch? • targeted surveillance – wiretapping / observation – criminal procedure – court order – limited to suspect • X • mass surveillance - data retention tools – systematic use of personal data systems in the investigation or monitoring of the actions or communications of groups of people. – Non-discriminatory retention of data – Preventive = not based on suspicion/investigation – Full-scope = collect first – sort out later – Evidence into the past = continuous process 15 Data retention vs. Privacy How to find the balance? • Data retention = panopticon of public surveillance – combating terrorism x orwellian society • Surveillance slack = differentiation between potential of the tool and its actual use – consideration of practical limits = budget / manpower / focus / priorities... • legal challenges to data retention through protection of privacy – retention by providers + access by criminal investigation units – need for proportionality = effective tools + minimal intrusion – Data Retention Directive 2006/24/EC – invalidated 2014 • CJEU 2014 – case Digital Rights Ireland - C-293/12 • CJEU 2016 – case Tele2 Sverige - C-203/15 • National constitutional courts => modified data retention approach – retention within limits justifiable by service provider interests (technical/billing) – access limited by court order / surpervision + list of criminal offences 16 Legal framework for surveillance Public oversight through transparency vs. enforcement efficiency? • Standard surveillance = e.g. security check on airport • X • Hidden surveillance = secret services/national security agencies X whistleblowers • European legal framework – complex / state specific – conflicting interests • Explanatory example – ECHR case of Big Brother Watch v. UK (Applications nos. 58170/13, 62322/14 and 24960/15) - 13 September 2018 (212) pages 17 Surveillance in the workplace Employer´s assets vs. Employee´s privacy? • justifiable interest X appropriate means • Grand Chamber judgment - Bărbulescu v. Romania (application no. 61496/08) - 2017 – proportionality criteria • i) preceding notification about monitoring • ii) adequate limitation of scope • iii) legitimate interest • iv) level of intrusion in private sphere • v) capacity to achieve the goal • vi) adequate guarantees for employees interests and rights 18 New surveillance 19 Surveillance capitalism Do you like the likes? • Freemium business model – profit seeking + information asymetry + unclear value of personal data • Early internet = encouraged model – infant industry protection – X current situation changed – „puppy“ => „beast“ • New challenges – omnipresence = big data = profiling – informational bubble effect = polarization and fragmentation – manipulative power = marketing x fake news x propaganda – increasing importance of individuals virtual identities => • abuse of the tools = hate speech / cybercrime / cyberstalking / identity theft • modification of personal perception = self-identification with virtual profile => impact on personality development – habits, opinions, preferences, choices • New tool of social control – China/Tencent – Social credit system => reward system for „good citizens“ 20 Belly of the big data beast How does the freemium business model generate profit? • Metadata => profiling => targeted advertisement • „Half the money I spend on advertising is wasted; the trouble is I don't know which half.“ – John Wanamaker (1838-1922) • Indirect payment for the services = illusion of „free“ – Just access to internet? Income inequality x we all „are data“ • Complex system = big data – max. revenue from available information – Invisible infrastructure = trackers and cookies – Algorithmic marketing tools = profiling + real time bidding 21 The magic that makes it work 22 23 24 Regulation of cookies How to tame the cookie monster? • ePrivacy directive = transparency – informed consent – opt in (X Czech opt-out) – right to refuse – cookie policy - data minimisation + privacy by design • X regulatory gap behind technology – new forms of cookies • zombie cookies / flash cookies / ever cookies • Proposal of ePrivacy Regulation 25 Platforms and illicit content Private censorship vs. protection from „info-pollution“? • ISP liability – eCommerce directive – notice and action – no obligatory general monitoring of content – terms and conditions – supranational entities - conflicting obligations • privacy vs. surveillance (EU vs. US laws) • terorist propaganda, hate speech, fake news – legal tools X state enforcement in cyberspace – technical tools X enforcement through private entities • cooperation in criminal matters – access to data • notice-and-action framework = delegated enforcement – adjudication of content through private entity X court remedy available – urgent issue = search for least imperfect tool that is effective 26 Future of surveillance – Smart everything New tools = less privacy - ver. 2.0? • internet of things / smart city / ambient intelligence – ubiquity – „nowhere to hide“ • new countermeasures = privacy as commodity – ambience – „everyday surveillance“ • new social standard = change in the concept of privacy? – automated profiling – „you are your data“ • individualisation of offer (services, goods) and opportunity (actions, decisions, rights) – enhanced reality – merger of the real and virtual identity • creation of new social gap? freedom on the fringes of society? • dystopian scenarios (cyberpunk) x solution to everything – past as guidance X certain aspects enhanced by new tech reality 27 Thank you for your attention! Questions? Ideas? Answers? Looking forward to your essays! 28