Some consequences

Mass surveillance crisis brought us several consequences. I like to believe that surprisingly they are mostly positive. To say at least this issue came out to the light. It became obvious to most that using Internet and broadly understood Social Media comes with a cost.

The cost of losing all privacy, not only to companies, but also to governments. Most definitely to US and British governments, but it is hard to believe that there are no other states conducting similar practices.

This growing awareness lead to the situation in which global ICT companies must have changed their business policies. Simply stating that they had nothing to do with mass surveillance is not going to work anymore. Therefore, some companies decided to take different

51 F. Cate, J. Dempsey, I. Rubinstein, Systematic government access to private–sector data…, p. 197–199.

112

path, show that they are privacy and data protection friendly. Two best examples are Google’s Project Zero and Microsoft’s campaign “Putting people in control” that can be concluded with the words: Microsoft experiences will be unique as they will reason over information from work and life and keep a user in control of their privacy.⁵²

It seems that both Google and Microsoft realized that to keep customers’ trust they need to prove that they really have nothing to do with mass surveillance. At least not anymore.

Project Zero is a group of top Google security researchers with the sole mission of tracking down and neutering the most insidious security flaws in the world’s software. Those hackable bugs, known in the security industry as “zero–day” vulnerabilities, are exploited by criminals, state–sponsored hackers and intelligence agencies in their spying operations. Google hopes to get those spy–friendly flaws fixed. What is also very important, Project Zero’s hackers won’t be exposing bugs only in Google’s products but they’ll be given free rein to attack any software whose zero–days can be dug up and demonstrated with the aim of pressuring other companies to better protect Google’s users.

Microsoft chose different path, path of informing and educating. They say that are helping put user in control in three ways:

1. Building privacy into policies and practices. Putting you in control means offering transparency, starting with company policies that provide simple and easy to understand explanations of how we use your personal information.

2. Building privacy into products. We design and build products with security and privacy in mind, from our software development processes to using best–

in–class encryption to protect your data. These steps are critical to keeping your information safe.

3. Advocating laws and legal processes that keep people in control. We require governments around the world use legal process to request customer data. We have challenged laws to make privacy protections stronger. In addition, we advocate for better public policy to balance privacy and public safety. ⁵³

Additionally, Microsoft created a simple guidance including following tips:

52 http://blogs.microsoft.com/on–the–issues/2015/01/28/data–privacy–day–2015–putting–people–control/

(access September 2015)

53 https://googleonlinesecurity.blogspot.fi/2014/07/announcing–project–zero.html (access September 2015)

113

1. Once posted, always posted: Think twice about posting comments, images or videos that you would not want your employer to see. Share, but do not over–

share!

2. Be knowledgeable about security and privacy settings. Control who sees what you post by judiciously using social networks’ privacy settings. For example, you may want to limit the people who can see Facebook photos from your cousin’s bachelor’s party to just a close circle of friends.

3. Keep personal info personal. Do not make cyber–criminals’ jobs easier by sharing sensitive information such as your address or other personal data.

4. Correct any inaccuracies. If you see information about yourself that is wrong or that you do not want to share online, take the necessary steps to correct it. If someone posts a photo of you on Facebook that you don’t want others to see, untag yourself or ask the original poster to remove the photo altogether.⁵⁴ Finally, Microsoft promotes Microsoft’s Safety and Security Center⁵⁵ and the National Cyber Security Alliance⁵⁶.

However, putting aside ICT companies attempts to prove us that suddenly they care about our security and privacy, there is a very recent development in European Union that we owe to Max Schrems and the European Court of Justice. The case was originally sent to the CJEU by the High Court of Ireland, after the Irish data protection authority rejected a complaint from Schrems. He had argued that in light of Snowden's revelations about mass surveillance, the data that was transferred from the Facebook's Irish subsidiary to the US under the Safe Harbour was not safely harboured. Advocate General Yves Bot of the CJEU agreed⁵⁷ with Schrems that the EU–US Safe Harbour system did not meet the requirements of the Data Protection Directive, because of NSA access to EU personal data.

In September 2015, CJEU stated that "the access enjoyed by the United States intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data, which are guaranteed by the Charter of

54 http://lumiaconversations.microsoft.com/2015/01/28/stop–think–connect–safeguarding–online–reputation/

(access September 2015)

55 Protect your privacy on the Internet, http://www.microsoft.com/security/online–privacy/prevent.aspx (access September 2015)

56 http://www.staysafeonline.org/ (access September 2015)

57 Opinion of Advocate General Bot delivered on 23 September 2015, Case C‑362/14 Maximillian Schrems v Data Protection Commissioner,

http://curia.europa.eu/juris/document/document.jsf?text=&docid=168421&pageIndex=0&doclang=en&mode=lst

&dir=&occ=first&part=1&cid=326249 (access September 2015)

114

Fundamental Rights of the EU." According to the Advocate General, the big issue is "the inability of citizens of the EU to be heard on the question of the surveillance and interception of their data in the United States," which therefore amounts to "an interference with the right of EU citizens to an effective remedy, protected by the Charter."⁵⁸

Finally of October 6^th 2015 Court of Justice of European Union has ruled that the transatlantic Safe Harbour agreement, which lets American companies use a single standard for consumer privacy and data storage in both the US and Europe, is invalid.⁵⁹

The main points of the CJEU decision are:

• Individual European countries can now set their own regulation for US companies' handling of citizens' data.

• Countries can choose to suspend the transfer of data to the US.

• The Irish data regulator will now examine whether Facebook offered European users adequate data protections, and it may order the suspension of Facebook's transfer of data from Europe to the US if so.

Decision by Court of Justice of European Union is very important. It will change the situation in the area of privacy, data protection and mass surveillance. For exact consequences, we have to wait. However, already now I can see that companies such as Google and Microsoft will be vastly influenced and European Union, the states to be more specific, should now be able to prevent them from massive abuses to privacy.

8. Conclusion

The Soviet Union, East Germany, and other totalitarian states rarely respected the rights of individuals, and this included the right to privacy. Those societies were permeated by informants, telephones were assumed to be tapped and hotel rooms to be bugged: life was defined by police surveillance. Democratic societies are supposed to function differently.⁶⁰

Mass surveillance programs, knowledge about it, about PRISM in particular, the role of the companies with which we share sensitive data on a daily basis, it all have both very negative and some positive results for now and for the future of privacy and data protection.

58 Court of Justice of the European Union PRESS RELEASE No 106/15, Luxembourg, 23 September 2015 http://curia.europa.eu/jcms/upload/docs/application/pdf/2015–09/cp150106en.pdf (access September 2015)

59 Court of Justice of the European Union PRESS RELEASE No 117/15, Luxembourg, 6 October 2015, Judgment in Case C–362/14, Maximillian Schrems v Data Protection Commissioner,

http://curia.europa.eu/jcms/upload/docs/application/pdf/2015–10/cp150117en.pdf (access October 2015)

60 W. Diffie, S. Landau, Privacy on the Line…, p. 143.

115

Today we live in the new Network Society, which is also a Surveillance Society. Together I like to call it a society that is trapped in the network and this network is under constant mass surveillance. The simplest way to explain it, the reason to call this situation as being trapped in the network is that there is no choice anymore. As a society and as individuals we are in every aspect of our lives completely dependent on technology and infrastructure provided by technology. I cannot imagine a person living in modern society not being a subject of some kind of surveillance, as well as I cannot imagine this person being able to break with the access to technology.

However, there are attempts to seek for privacy in the Internet. Growing popularity of services hidden in Deep Web⁶¹ are the sign of it. Unfortunately, hiding in Deep Web may expose us to even bigger threats to our privacy. Deep Web today is a place for all sorts of criminal activities, a haven for thieves, child pornographers, human traffickers, forgers, assassins and peddlers of state secrets and loose nukes.⁶² Yet, more and more people chose to hide there, as this is the area unavailable for any kind of surveillance. It shows how desperate are some people in seeking privacy, but also it shows growing privacy awareness.

I absolutely do not support the idea of popularizing Deep Web, as a place highly dangerous, but I like the idea presented by Susan Barnes. She suggests that education about dangers on social media pages, especially education of younger generation may be the way to protect privacy and to raise privacy awareness.⁶³ It may be little naive, but knowing how recklessly young people give up sensitive data about themselves, it could be important solution and way to protect us from real life threats caused by losing our privacy on social media pages.

It is a good thing that there are attempts to save privacy or what has left of it, but the attention drawn to the problem suggests it seriousness and for how long we ignored this problem.

We have to remember that challenges to privacy are even bigger now, when Information Society changes into the Network Society. There are more risks, society seems to be more

61 The surface level of the Internet is basically everything that is indexed by search engines such as Google.

Facebook, Youtube, these are all surface sites. However, according to The Guardian, you can only access around 0.03% of the total internet on a search engine. Deep Web is World Wide Web content that is not part of the Surface Web, which is indexed by standard search engines. – Exploring the Hidden Internet ("Deep Web"), http://www.teamliquid.net/forum/general/229525–nsfw–exploring–the–hidden–internet–deep–web (access September 2015)

62 L. Grossman, The Secret Web: Where Drugs, Porn and Murder Live Online, November 11, 2013, http://time.com/630/the–secret–web–where–drugs–porn–and–murder–live–online/ (access September 2015)

63 S. B. Barnes, A privacy paradox…

116

willing to share sensitive data and standards of information security are very modest.

Altogether, privacy requires sophisticated information security.⁶⁴

All these efforts for privacy are very positive as there is no doubt that privacy will be beneficial for society also in the future. Legal systems must continue to contribute effectively to privacy and data protection. The contribution may be almost impossible on a national level.⁶⁵ However, it is possible within international legislation, but might result in overregulation and consequently in loopholes, inconsistency and ultimately in even more interpretations leading to violating privacy.

Regarding the topic of mass surveillance, it is impossible to end with this practices. In my opinion, surveillance is a necessity for both governments and private companies, the dominant ones in particular. Yet it is important to remember what ECHR article 8 gives us. “Any interference by a public authority with a Convention right must be directed towards an identified legitimate aim (…) The sorts of aims which are legitimate are interests of public safety, national security, the protection of health and morals and economic well–being of the country or the protection of the rights and freedoms of others.” Convention approach is to decide whether a particular limitation from a right is justified. Meaning that limitation must be proportionate to the legitimate aim pursued.⁶⁶

The way to protect our privacy is to limit surveillance’s infinity. The idea called Privacy–

Protective Surveillance (PPS)⁶⁷, by Ann Cavoukian, is an answer to typical approaches of protecting privacy, where while ensuring measures to counteract terrorism, we seek to strike a balance between privacy and surveillance. This often leads to making privacy the less important value, in favour of the more significant one, which is public safety. PPS is an alternative to current counterterrorism surveillance systems. One of the most attractive elements of PPS is the fact that its intelligent agents will only collect data that is considered significant. Significant data is defined by transactions or events that are believed to be associated with terrorist–related activities, for example, purchasing fertilizer capable of bomb making or accessing a bomb–

making website. An important consequence of PPS’s collection of significant data is that intelligent agents would effectively be blind to seeing any other information they may run

64 A. Saarenpää, Perspectives on Privacy…, p. 24–25.

65 P. Blume, The Importance of Information Privacy and its Future, [in:] S. Greenstein (ed.), Vem reglerar informationssamhället?, Stockholm 2010, p. 169.

66 J. Wadham, Human Rights and Privacy – The Balance, speech given at Cambridge (March 2000), http://www.liberty–human–rights.org.uk/mhrp6j.html, more in D. J. Solove, P. M. Schwartz, Information Privacy Law, Fourth Edition, New York 2011, p. 1072, 1073.

67 See A. Cavoukian, K. El Emam, Introducing Privacy–Protective Surveillance: Achieving Privacy and Effective Counter–Terrorism, September 2013, http://www.privacybydesign.ca/content/uploads/2013/12/pps.pdf (access September 2015)

117

across during their searches. Additionally, the use of homomorphic encryption would allow PPS to make computations or engage in data analytics on encrypted values – data that cannot be read because it is not in plain text. This provides additional assurance to individuals that recording or monitoring their actions within the system is impossible. Finally, the intelligence gathered by PPS would be context–specific. In order to become information of value, data must be placed in the appropriate context.⁶⁸

Fortunately, the privacy issues are recognized not only by Internet users and scholars.

International Data Privacy Day⁶⁹, watchdog organizations, Data Protection Regulation, revision of OECD principles, legal actions against Google⁷⁰, Max Schrems actions and CJEU ruling, are some of the recent examples of the increased awerness of privacy issues. Together with recognizing that we do not need more legislation, but the legislation, which is consistent, we still have a chance of keeping our privacy. Not the one we would like to have, for that it may be too late, not what has left of it, but new modern privacy for modern society, Network Society.

This privacy cannot, nor will be complete but it has to be ready for challenges that may come.

Today mass surveillance is no longer surprising to us, now we must work to never be surprised by what can come in future.

68 A. Cavoukian, K. El Emam, abstract of Introducing Privacy–Protective Surveillance: Achieving Privacy and Effective Counter–Terrorism, September 20, 2013, http://www.privacybydesign.ca/index.php/paper/introducing–

privacy–protective–surveillance–achieving–privacy–effective–counter–terrorism/ (access September 2015)

69 See https://www.staysafeonline.org/data–privacy–day/ (access September 2015)

70 H. Dixon, M. Warman, Google gets 'right to be forgotten' requests hours after EU ruling, May 14, 2014, http://www.telegraph.co.uk/technology/google/10832179/Google–gets–right–to–be–forgotten–requests–hours–

after–EU–ruling.html (access September 2015)

118

In document Society trapped in the network : does it have a future? (sivua 113-120)