Network surveillance and privacy protection have been hot topics in Finland and elsewhere in the world for several years. The classified information leaked by Edward Snowden, on the broad-based and systematic
surveillance of online data and communications conducted by the NSA, has prompted various communities and states to assess the content and importance of protection of privacy. Individuals may feel protected because, in their opinion, they have nothing to hide or have done nothing that would make them a surveillance target. This is a misconception that I will try to dismantle here.
What type of information does network surveillance collect? Because network surveillance tends to be targeted at all data transferred over computer networks, such data can be separated into two categories: data, which is the content being communicated and metadata, which is basic information on the transmission of data (such as by whom, to whom and when). Data and metadata serve many purposes.
The use of actual data is very simple. Data is collected and analysed through various automated tools, and different search words can be used to execute data searches. Although terrorism and crime are most commonly cited by defenders of data collection, there are also many other ways in which such data is being exploited. Governments have used it for purposes such as advancing their trade negotiations and conducting industrial espionage.
End-to-end encryption between two communicating parties is one way of effectively preventing data spying carried out purely for surveillance purposes. Proper protection requires the use of more complex solutions and targeted measures than the bulk interception of online data. This makes the data of those who are not persons of interest “safe”. On the other hand, the mere act of using encryption can make someone a person of interest and raise suspicions.
Establishing a picture of a social network through metadata is a highly valuable tool for many players; this is done by organisations such as Facebook and other social media enterprises to produce services for their users. Social networks can also be used to arrive at very far-reaching conclusions about individual users. Studies have shown that a person’s sexual orientation, for example, can be determined through their social network.
Social networks can also form the basis of conclusions about people who are not included in the network, forming the basis of so-called shadow profiles. For example, a shadow profile can be created when a friend or an acquaintance of someone else joins Facebook and installs a mobile application. This application may ask for the right to use the telephone’s contact information. After this, it will collect contact details such as telephone numbers and email addresses. These details can be collected from various sources and used to identify a person based on a phone number or email address.
In this way, persons who do not belong to any social networks can become part of a network and profiles can be created for them against their will, simply because someone belonging to a particular network has their phone number or email address. Protecting your privacy is therefore no longer a private matter – it is becoming a community-wide issue.
Whereas people can protect themselves against data collection by encrypting the content of their transmissions, at the moment people who use the internet for communication, trade or other purposes have no way of protecting themselves from
shadow profiles, i.e. profiling based on social networks. In addition, Snowden’s disclosures demonstrate that the NSA, for example, has taken advantage of data collected from people’s social networks by web companies such as Google and Facebook. Naturally, this provides the NSA with a more detailed picture of a social network compared to using information obtained solely through network surveillance.
There are various ways of protecting yourself from metadata collection, including the Tor system, which is mainly intended for web browsing. Unfortunately, total encryption of metadata is not yet possible and such data can therefore be collected through network surveillance and further refined using information from other sources, such as public databases.
If you are thinking to yourself, “what does it matter if metadata and social network information is collected on all of us”, you should remember these words by former CIA director, Michael Hayden: “We kill people based on metadata”. In other words, metadata and the conclusions formed on its basis have been considered sufficient grounds for making life and death decisions.
The article was published in Finnish in Kaleva on 9.5.2015.