Mind these sites: Security and social networking

 

“The privacy and dignity of our citizens [are] being whittled away by sometimes imperceptible steps. Taken individually, each step may be of little consequence. But when viewed as a whole, there begins to emerge a society quite unlike any we have seen – a society in which government may intrude into the secret regions of a [person’s] life” – Justice William O. Douglas [1]

 

“You already have zero privacy. Get over it!” – Scott McNealy, CEO, Sun Microsystems [2]

 

 

Privacy is one of the foundation stones of freedom. It is a right that has been hard fought for and jealously protected. It has long been recognised that a society without privacy is open to abuse by those who rule it. We talk of 'Big Brother', meaning an all-powerful state that can reach into, and interfere with, our most private lives. We instinctively know that such a society is a route to totalitarian states, as George Orwell, who coined the term in 1984, pointed out so well.

The general principle, enshrined in laws such as the European Convention on Human Rights, is that there is a right to a private life and this should be protected from state and corporate intrusion. This civil liberty principle underlies the creation of an Information Commissioner to prevent privacy abuses. The Leveson Inquiry, currently investigating phone tapping, is based on this principle, as are challenges to the coalition government's current plans to extend surveillance powers to all internet use.

Social networking turns privacy on its head. Rather than cautiously releasing our information on a need-to-know basis, we willingly put it on display. Under the gentle encouragement of Facebook, Twitter, LinkedIn, Google, Yahoo and their ilk, the right to privacy is being devalued with no questions asked as to how it affects our security and freedom.

Security is about protecting privacy and that requires understanding how information is collected and used against us. To see this in practice, we first need to understand how information operates in the cyberworld.

Information webs and networks

Each one of us is at the centre of a web of information about ourselves, whether it is our presence in government databases or financial records of companies, reports in newspapers or our online activity. Much of this information we have little control over, but there are rules and regulations about how much of it can be seen and used by others.

Information is not a simple set of facts. Each fact has its own set of connections with other facts and, together, they form a web that creates our public identities. This has two important implications.

1. Holes can be filled in – That is, missing bits of information can be deduced from what is and what is not there, by making comparisons and drawing on other bits of knowledge. ‘Prediction models’ are tools used to identify characteristics and details of people that are not explicitly given. It is the aggregated facts that allow a more detailed picture to emerge. Each fact may by itself be innocuous, but putting them together gives more than the sum of the parts.[3]

In one academic study, an analysis of social networking sites was used to identify people who had yet to publicly come out as homosexual.[4] Other work was used to de-anonymise web users and identify people behind blogs and other online activities.[5]

2. Network profiles – People often assume that monitoring is simply about them and judge risk on that alone. Monitoring is rarely just that, however. Networks are as important to the marketers as to the security agencies, be they networks of friends or of political allies. Networks are identified by observing the overlapping information webs of different individuals and looking for certain features. Particular attributes can be sought, key opinion shapers ('leaders') identified, potential new customers found or 'radicals' uncovered. The technologies involved do not care whether it is a marketing company or a security agency that is using them – the questions are just variations of each other.

In terms of marketing, the ideal is to get people in one place where information webs overlap as much as possible. This allows trends to be discovered with relative ease and individuals to be marketed to at a personalised level. In social networking, this is achieved by making communicating with each other easy and free so that connections are built up quickly. Features are drip-fed to encourage more and more information to be given out. As this information is all held on corporate servers, it is readily accessible to their owners. The more information is centralised, the simpler profiling and targeting becomes. In flocking to the likes of Facebook and Google, we are carrying out a key part of this work by bringing all this information to them.

The intelligence gatherers

Traditionally, security fears have centred on government agencies. There is a tendency to overlook the actions of private security and intelligence gathering companies, or to see them as a lesser threat. However, there is increasing collaboration between security agencies and the social networking corporations, despite the latter's claims that they respect the right to privacy. Large sites such as Facebook and Google have their own liaison and compliance staff who work directly with the security services.[6]

Often, the intelligence gatherers do not need collaboration from corporate service providers, given how easy it is to access these networks, privacy settings being only a nominal deterrent, or non-existent if not invoked. Reports over the last couple of years indicate that the FBI is looking at real-time monitoring of social network threats,[7] while the Pentagon is looking into using them to manipulate situations.[8] How practical this is, however, is an open question.

Once, membership and support lists of political groups were considered gold dust by infiltrators;[9] now it is increasingly the case that one merely needs to check a group’s Facebook page for its 'friends'.

There has also been a corresponding rise in the existence of companies that scan publicly accessible sites for information on campaigns and protests, which they sell on as 'analysis' to multinationals. For example, when Vericola Ltd was exposed for using infiltrators against environmental protesters, a line of defence was that they only gathered and sold on information that was publicly available.[10]

Many companies hold private information about us that even we do not know, like credit check agencies or private investigators.[11] This information can be combined with our publicly available information to build up stronger profiles.

Problems with social media corporations

As well as the risks related to the information that we put out, the corporations behind the social media sites are equally problematic. There are several aspects of concern here. Firstly, the more we give out and the more we communicate through social networking sites, the more we are encouraged to put ourselves on display.[12] The handing out of personal information becomes normalised. Even where it is not being put on display, we are still being asked for other details – for example, Google asks for mobile phone numbers as part of their security measures.

Secondly, cloud computing services, such as those provided by Google, Amazon and Microsoft,[13] encourage us to entrust all our work and communication to one site, where we become beholden to one company because we are so tied into its services.

Effectively, social media and networking sites are seeking monopolies, either over our communications or our personal work. We are conditioned, little by little, to accept this reliance and this openness with our information as the new normality. Whether it is actually in our interest is rarely asked. Now there is more shock that you are not on Facebook than the other way around. Facebook is the way to do things – if a campaign does not have a Facebook page, then it does not really exist for many people.

Trust?

The unspoken assumption is that, in using these sites, we trust the corporations which run them to look after our personal information, and that we can rely on them for maintaining and securing our communication. But even where there are privacy policies that allow us to moderate how much information we make public, the information is still being held and used by companies we have no control over. Privacy policies can be changed at a whim. Information is only hidden insofar as they allow it to be hidden. These are not things we have much choice to change.

The more social networking sites are entrusted with our webs of information, the greater the risk of abuse. We are suspicious of government agencies, but there is no reason to assume that corporations are any better, for all their friendly logos or Google's fabled, but ultimately hollow, slogan of 'do no evil'. We cannot expect corporations to fight for our civil liberties when it affects their income from advertisers, or their ability to operate in some countries.

Storing data

We have no control over the storage of the information on corporate servers. When we delete something sensitive, there is no way of guaranteeing that it is actually gone permanently and not kept in a backup. Indeed, there is an increasing trend to force corporations to store this sort of information or open it to the security services to keep (see below under CCDP).

Another issue is that it is not possible to guarantee that company employees or hackers are not accessing the information. So, privacy is dependent on matters we have no knowledge of, let alone control over. The dangers that face all large databases, such as medical records, are just as applicable to social networking sites. While there are various accounts of private data being accessed from government agencies,[14] there is little reason why private companies are not equally vulnerable to such abuses, even when they are not directly cooperating with state agencies.

Practical considerations

The above discussion is grounded in practical fears and experiences.

It has long been considered good practice not to give police your date of birth when arrested. However, at least one person has found that the police had obtained their date of birth from their Facebook pages, after becoming aware of the person's identity from checking the page of a friend they had previously arrested. Use of face recognition search programmes and 'tagging' will make identification of individuals even easier.

There are other examples. A pro-Palestinian activist travelling to Israel to take part in solidarity work was prevented from entering the country because of their Facebook page.[15] Accounts of London rioters being imprisoned for simply encouraging rioting on their Facebook pages have been well publicised.[16]

Centralisation and censorship

It is not uncommon in some countries that experience strong resistance to autocratic governments for access to Twitter, Facebook and other sites to be banned or blocked, as has happened during the recent Middle Eastern and North African uprisings.[17] China regularly censors social networking sites to suppress internal dissent. Though Google made a fuss over this in 2010, up until then it was actually compliant with the Chinese government’s requests. Likewise, the company complied with 63% of US government agency requests to hand over data in 2011.[18] The British government has also considered closing down access to social network sites, for example after the London riots.[19] David Cameron’s initial calls for censorship were soon retracted but it seems unlikely the idea will go away.

Campaigns that are primarily publicised through a social networking site are vulnerable to decisions by the site to close them down. It is in the corporate service providers’ interests for us to consider these sites as a public service, but the reality is that they are beholden to advertisers and regulators. When something becomes embarrassing or inconvenient, they can simply kill off the account with the loss of everything it contained. There is no court to appeal to; as a private company, they can do as they wish with their site – the page is never ‘yours’.

Other things to watch out for...

Companies are using civil injunctions to protect their interests and to neutralise the effect of protests and campaigns. The use of social media sites has the potential to aid their case by allowing them to spin fears and create narratives that can be used to persuade judges – especially where people put up intemperate comments that can be argued to amount to harassment or creating a ‘climate of fear’. The Police and Crime Act 2009 has formalised the use of evidence from social media in obtaining civil injunctions to prevent 'gang'-related crime,[20] something which could easily be used against anti-corporate campaigners in a manner similar to the way the Protection from Harassment Act was used against animal rights and anti-militarist campaigns.[21]

Public profiles and linking to or commenting on campaigns will allow security firms to identify new protesters and begin profiles on them, linking their images to details found online. This may be used to implement counter measures against them, or to scupper actions, as they now have more up-to-date information than has previously been the case. One such example is how the US Department of Homeland Security monitored social media during the 2010 Winter Olympics.[22]

It is now easier to find family and friends of anti-corporate campaigners through social networking sites, which may have implications for their jobs and their security. It is not unknown for work colleagues and family members to be approached for information on protests and campaigns.

While there is legislation against the creation of blacklists to hinder union activity in the workplace, some employers use private companies to vet potential employees or even review existing employees. This involves examining social networking sites, something that is hard to challenge. For example, Agenda Resource Management carries out 'pre-employment screening' of candidates for connections with animal welfare and animal rights campaigns – information that can easily be gathered if you have linked to such a campaign on Facebook.[23]

Regulation of Investigatory Powers Act 2000

RIPA brought together, and increased, various powers of UK government agencies to monitor internet use. It effectively updated previous powers to tap phone lines and open post. Currently, intrusive surveillance requires judicial oversight – that is, a warrant is needed to access personal communications.

As it stands, the security services have the powers to monitor internet traffic of suspects only. There are proposed changes, known as the Communications Capabilities Development Programme (CCDP), to increase these powers, including:

storage of details of all internet traffic for up to a year (websites visited; sender, recipient and subject of emails and so on), allowing retrospective searching of activity;

increased powers for real-time mass interception of internet traffic;

removal of powers of appeal against demands to hand over stored information;

a reduction in judicial oversight.

The underlying structure of the CCDP proposals enables everyone to be monitored, not just those who have come under suspicion.[24]

Conclusion

None of this is intended to persuade people to never use social networking sites; they remain important tools for connecting and campaigning. However, we need to be aware of the risks that come with them, and ask how much we can rely on and trust them. They are not simply socially beneficial services that just happen to be providing something useful, but corporations out to make money. While they are keen for users to join and to be seen as champions of freedom and communication, this will continue only as long as it is profitable.

References
* www.activistsecurity.org
[1] http://en.wikiquote.org/wiki/William_O._Douglas.
[2] www.wired.com/politics/law/news/1999/01/17538.
[3] Charles Duhigg, 'How companies learn your secrets', The New York Times, 19 February 2012; www.nytimes.com/2012/02/19/magazine/shopping-habits.html?_r=1.
[4] Matthew Moore, 'Gay men "can be identified by their Facebook friends"', The Daily Telegraph, 21 September 2009; www.telegraph.co.uk/technology/facebook/6213590/Gay-men-can-be-identified-by-their-Facebook-friends.html.
[5] De-anonymizing Social Network Users, http://blog.tech-and-law.com/2010/02/de-anonymizing-social-network-users-by.html. This is a technical paper describing the practicalities of such a process. See also http://33bits.org/2009/03/19/de-anonymizing-social-networks/.
[6] Maggie Shields, 'Google reveals government data requests and censorship', BBC News, 20 April, 2010; http://news.bbc.co.uk/1/hi/8633642.stm. Facebook internal document for law enforcement requests: http://cryptome.org/isp-spy/facebook-spy.pdf.
[7] Jim Giles, 'FBI release plans to monitor social networking sites', The New Scientist, January 2012; www.newscientist.com/blogs/onepercent/2012/01/fbi-releases-plans-to-monitor.html
[8] James Ball, 'Pentagon monitor social networking threats', The Guardian, August 2011; www.guardian.co.uk/world/2011/aug/03/pentagon-monitor-social-networking-threats.
[9] See Larry O'Hara, Notes from the Borderlands 1, for an account of the infiltrator Tim Hepple / Matthews and also Eveline Lubbers, Battling Big Business: Countering Greenwash, Front Groups and Other Forms of Corporate Bullying, Green Books, 2002.

[10] Rob Evans & Paul Lewis, 'Revealed: how energy companies spy on environmental activists', The Guardian, 14 February, 2011; www.guardian.co.uk/environment/2011/feb/14/energy-firms-activists-intelligence-gathering.
[11] It is known from various civil injunction cases that there is a passage of information between police and private firms on activists. Though not focused on protests, a report from Big Brother Watch has highlighted the significant abuse of police databases by the police with information being passed on to third parties. See www.bigbrotherwatch.org.uk/home/2011/07/police-databases-how-over-900-staff-abuse-their-access.html.
[12] See the debate on this at www.economist.com/debate/days/view/806.
[13] See Alex Williams, 'Top 10 Cloud Computing Services for 2010', ReadWriteWeb, December 13, 2010; www.readwriteweb.com/cloud/2010/12/top-10-cloud-computing-services-for-2010.php.
[14] For example Cahal Milmo, 'Companies using "blaggers" to illegally access personal data to be investigated', 27 February, 2012; www.independent.co.uk/news/uk/crime/companies-using-blaggers-to-illegally-access-personal-data-to-be-investigated-7447162.html or see www.ico.gov.uk/news/latest_news/2012/company-directors-use-council-employee-to-illegally-access-tenants-details-30032012.aspx.
[15] Emil Protalinski, 'Israel uses Facebook to blacklist pro-Palestinian protesters', ZdNet, July 10, 2011 www.zdnet.com/blog/facebook/israel-uses-facebook-to-blacklist-pro-palestinian-protesters/2113.
[16] BBC News, 'England riots: Court rejects Facebook sentence appeals', 18 October 2011; www.bbc.co.uk/news/uk-15347868.
[17] For example in Egypt in 2011, see Neal Ungerleider, 'Massive Egyptian Protests Powered by YouTube, Twitter, Facebook, Twitpic [Pics, Video, Updates]', Fast Company, 25 January 2012; www.fastcompany.com/1720692/egypt-protests-mubarak-twitter-youtube-facebook-twitpic.
[18] See: www.google.com/transparencyreport/governmentrequests/US/?p=2011-06
[19] See Josh Halliday, 'Cameron considers banning suspected rioters from social media', 11 August, 2011; www.guardian.co.uk/media/2011/aug/11/david-cameron-rioters-social-media
[20] See www.lawgazette.co.uk/in-practice/practice-points/the-law-gangbos.
[21] See injunctions against Stop Huntingdon Animal Cruelty, SPEAK campaigns and the attempted injunction against SmashEDO.

[22] Jason Ryan, 'During the Olympics, the Feds will be Reading your Tweets – and the Blotter', ABC News, February 13, 2010; http://abcnews.go.com/Blotter/olympics-feds-reading-tweets/story?id=9825070#.T6VLTWbuPZt
[23] See: www.agenda-rm.co.uk/facilities_management.asp
[24] See Privacy International, 'Leaked Liberal Democrat internal briefing on new government surveillance plans reveals MPs being misled on key issues', 3 April 2012; https://www.privacyinternational.org/press-releases/leaked-liberal-democrat-internal-briefing-on-new-government-surveillance-plans-0; and www.bigbrotherwatch.org.uk.

Resources

Eveline Lubbers (2002) Battling Big Business: Countering Greenwash, Front Groups and Other Forms of Corporate Bullying, Green Books. Pre-social networking but very useful insight into how companies target campaigns and what they are after.

Rebecca MacKinnon (2012) Consent of the Networked, Basic Books. Exploration of the use of internet monopolies to suppress or hinder social movements. See also http://rconversation.blogs.com/MacKinnon_Libtech.pdf

www.schneier.com – Bruce Schneier is a commentator on computer security issues, including around social networking and related subjects, often dissecting their flaws and abuses.

www.theregister.co.uk – Often contains reports on privacy and security issues in relation to social media, including their dubious relationship to security agencies.

Evgeny Morozov (2009) 'How dictators watch us on the Web', Prospect Magazine, www.prospectmagazine.co.uk/2009/11/how-dictators-watch-us-on-the-web/. This is an exploration of how some of the above issues have been implemented by autocratic regimes.
