Nothing to Hide? Almost Nothing to Control (part 1)

02 Jun. 2015

When confronted with questions around corporate and government surveillance, many argue that they have "nothing to hide". This is the first blog of a series which counters this all-too-common refrain.

Last Updated: 22 Sep 2015

Author: Maria Xynou, Researcher at Tactical Tech

This is the 5th blog of the MyShadow series: “Why shrugging at the Snowden revelations is a bad idea” and Part 1 of its “nothing to hide” sub-series.

When confronted with questions around corporate and government surveillance, many argue that they have “nothing to hide”. However, this implies that individuals have sole control over their own data, which might not always be the case due to the business model and the infrastructure of the internet.

Business model of the internet

Advertising is the default business model of the internet and online tracking is one of its default components. Companies, such as Google and Facebook, track the websites we access and send us ads which are tailored to our interests. Almost every single website we access includes tracking technologies, such as browser cookies, which collect data about the types of websites that we visit, our interests and who we are. Once such data has been collected the question is how much control we have over what subsequently happens to it.

Collected data can get copied, cleaned, processed, analysed, stored, aggregated, reviewed, shared and sold. There is no single way in which our data is treated. Actors who gain access to our data have different privacy policies and can be based in different countries, which means that they manage data under different laws and jurisdictions. As advertising is the default business model of the internet, tracking companies sell access to the data they collect to numerous third parties which can range from advertisers and publishers to service providers and even law enforcement agencies. As a result of this, the chain of third party actors which ultimately can gain access to our data not only remains quite diverse and opaque, but also appears to be quite endless.

In most cases, not even the third parties who gain access to our data can determine what will eventually happen to it after they have sold, shared or disclosed it to other third parties who in turn have different policies, comply with different laws and have different customers. This is called “the secondary use of data”, when data collected for one purpose is subsequently used for another, unrelated purpose without our explicit and informed consent.

The business model of the internet is such that protecting all data flows adequately can be quite a daunting task, even for the most tech savvy and privacy-conscious. As such, thinking that we can have any substantial control over what happens to our data is largely an illusion if we don't take any digital security measures.

Infrastructure of the internet     

When we think of the internet, we might imagine “the cloud” or a space where “magic” happens. However, it is actually an international network of networks. Such networks consist of various types of cables and servers, physical infrastructure which can be vulnerable. As a result, the internet's infrastructure plays an important role in limiting our control over our data as well.

Everytime we access websites, our device connects to various servers within networks around the world. In some cases, as illustrated through documents leaked by Snowden, the network infrastructure required to access such servers has been compromised by intelligence agencies. Classified documents reveal that more than 30 countries around the world provided the NSA with direct access to the fibre optic cables that make up the backbone of their internet. Other documents show that the GCHQ had direct access to 200 fibre-optic cables through partnerships with commercial companies and that such access was also provided to the NSA. In other cases, intelligence agencies have exploited targets' connections to websites by redirecting them to malicious servers. This is illustrated by the NSA's example of redirecting a target's intended connection to a Yahoo server in a matter of seconds to a server – codenamed FoxAcid – for malware implantation.

In addition, companies whose services we commonly use, such as Google, store our data in their servers – which have been compromised by intelligence agencies in some cases. Documents leaked by Snowden reveal that the NSA and GCHQ broke into the main communications links that connect Google and Yahoo data centres, thus gaining indescriminate access to entire data flows. Given that all such cases of access to data have largely been carried out in secret, it remains unclear how our data has subsequently been handled.

A multitude of actors – ranging from corporations to intelligence agencies – can potentially gain access to our information, from various sources and through various means. Both the business model and the infrastructure of the internet enable this, thus limiting our ability to control our data adequately.

Discourse on surveillance should not be focused on whether we have “something to hide” or not. Rather, it should encompass questions (and answers) on how we can effectively increase our control over our data (and our lives).

View the rest of the blog series here and/or check out our blog series timeline.

Source of image: