Privacy in a Digital World

Introduction

For the purposes of this text, privacy terms the ability of an individual or a group to remain free from observation and choose what information about them becomes known to a given party. We primarily concern ourselves here with Information Privacy—relating to the data about a person’s self or activity. This definition covers a range of information. From your preferences, biometric data, or other properties which can be described as part of the self, to statuses written, location, etc. The ability of privacy allows individuals to freely choose what information and to whom they want to disclose it. Privacy is a subset and a necessary condition of security. If a system protects your data (be it files, emails, or whatever) from being tampered with, but discloses their contents to the public, such a system would not be seen as secure.

Privacy is thus a basic human right and necessity. In fact, many legislations recognise it as the former:
”No one shall be subjected to arbitrary interference with his (OR HER) privacy, family, home or correspondence...”—Universal Declaration of Human Rights Article 12
″The protection of natural persons in relation to the processing of personal data is a fundamental right”—GDPR (European Union)
”In other words, the First Amendment has a penumbra where privacy is protected from governmental intrusion”—Griswold vs Connecticut (United States of America)

However, the devil lies in the details. While privacy is recognised as a right, the definition of it remains vague. For example the European Union in the General Data Protection Regulation defines “personal data” as only that through which a “natural person can be identified”. Still, it excludes “the processing of such anonymous information, including for statistical or research purposes”. Recent cross-dataset attacks have identified that merely anonymising the data is not enough as re-identification is possible given a large enough volume of different datasets [1] and [2].

Taking the Fig Leaf Off


The 2013 leaks by Edward Snowden revealed the governments’ respect for privacy. Email and chat contents are being searched [3], internet traffic is monitored (both through UPSTREAM and PRISM) of both US and foreign citizens. What perhaps needs to shock the reader is how easy an agent can obtain access to an individual’s information. The agent needs only some minimal confidence that a crime has been committed and they would be allowed to monitor a person’s activity. They would also be allowed to monitor someone three “hops” (or connections) away from someone under surveillance [4]. Any claims that these breaches of privacy are done in the name of national security should be seen as unsubstantiated.

In 2020, the LAWFUL ACCESS TO ENCRYPTED DATA ACT was proposed to the United States Congress. The act would basically make it mandatory that applications and device manufacturers create “backdoors” (ways to view encrypted data without knowing the secret passcode). Naturally, the act argues this is in favour of “our communities and our national security”, however previous leaks should tell you how trustworthy this claim is. Backdoors are a fundamental security risk. While they could provide government agencies with information needed, they could just as easily be used by third parties for malicious purposes.

The USA is not a fringe case. Other countries have also lead their fair share of battles against encryption in the name of “security”. Ironic as it may seem—weaken the security of the population to strengthen the security of the population. Doublespeak is too common in political circles. Australia and the United Kingdom have both successfully passed legislation which grants law enforcement agencies the power to request removal of encryption, “where the provider is already capable of removing this protection”. Yes, backdoors are not made mandatory (as is the case with the LAWFUL ACCESS TO ENCRYPTED DATA ACT), however all traffic which is not end-to-end encrypted is subject to decryption. End-to-end encryptions are the next frontline against the erosion of digital privacy. In 2017 when Australia first began her war on encryption, the government faced much criticism against their policies and decisions, as mandating decrypted data, when the key is not known, is a mathematically hard problem. To this the Prime Minister responded: “The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia”. In the past year, governments around the world have begun moving towards introducing “client-side scanning” on devices which can detect potentially “harmful and unwanted” content before it is sent. The definition of “harmful and unwanted” aside, this procedure introduces another surface to be exploited and attacked when trying to obtain the encrypted messages[5].

The above described events are by no means exhaustive. This war on encryption and privacy has been going on since day 1. Here I have merely highlighted some important recent events which should make clear our liberal democratic governments’ desire for control, which is obstructed by the existence of digital encryption.

The Cyberopticon

The past paragraph has discussed findings and legislations which have been viewed by the public as violations of privacy by government institutions. Indeed the governments have the greatest resources to survey the population—both through sheer computational power and through legal power. Still, most devices and services are not offered and distributed by government agencies (though attempts were made by NSA for this), but instead by corporations, which have different goals compared to aforementioned authorities. It is easy to see them as the champions for privacy, as some news articles would try to make them out. For example, Meta refusing to comply with the anti-end-to-end encryption laws [6]. However, this stems out of a simple misalignment between the goals of the two institutions rather than anything else. Big corporations have been more than happy to violate any ethical concerns in the interest of profits.

Without a doubt when privacy violations are brought up, the first thing people think of nowadays is the Facebook-Cambridge Analytica scandal. In brief, it was revealed that millions (the number varies from 30 to over 80 million) of people’s personal information was collected without their knowledge. This data primarily included digital behaviour information such as page likes, profile, and current city of residence. This was enough to construct psychological profiles of the targeted users to find what marketing campaign would work best for them. The scandal did not reveal anything new. Psychological profiling based on digital footprint had been investigated for years prior [7] [8] and companies had already been selling your data to brokers [9]. The revelations merely confirmed what people already knew. When the service is free, you are the product.

Most of your devices are always listening. And if you have opted in to “improve the product or service”, well your conversations are probably being recorded. The claim is that Alexa “lives in the cloud and is always getting smarter”, however anyone with some knowledge of machine learning will tell you that this is not entirely accurate. Alexa in particular uses a supervised learning approach, meaning that Amazon employs need to listen and transcribe the recordings, which have also included intimate conversations [10] and [11]. Modern advancements have been made in preserving privacy with federated learning and Microsoft’s SEAL’s usage of homorphic encryption, but this still has not become the standard.

All of this is information publicly available and known by the general population.

The Fight for Privacy

It should thus become evident that while privacy may be recognised as a right, it still remains just lofty ideals. Governments and corporations will both continue to trample it over in order to pursue their goals (be it profits, dominance, or whatever). Therefore, it remains the task of the individual to safeguard their own data and guarantee their own privacy and security. I hope the myriad of information easily accessible on the internet will aid the common person in their fight against the cyber forces. If you have any questions, do not hesitate to message me. I will be more than happy to answer any technological questions you may have.

No comments.