When the Snowden revelations were released in June 2013, my passion for digital privacy was re-ignited. I’d always had an anti-authority streak in me, something I learnt from my father. My father taught me never to simply accept what people in power say, especially people in any government. Respect was to be earned, not simply given because someone had a fancy title or had won an election.
And even though many people, including me, in the digital privacy and cyber security industries knew that governments in the West were conducting mass surveillance, few knew of the breadth and pervasiveness of mass surveillance conducted by governments. I was surprised and angered by the extent of the Snowden revelations, and I spent a lot of time combing through the leaked documents.
The Problem
When I first began creating this website, I was sure that the digital privacy industry — civil rights organisations, activists, and some politicians — had a plan to end mass surveillance. However, as time passed by, I became convinced that such a plan was flawed, even if it were ever achieved.
I became convinced whilst attending a digital privacy conference at which an academic proposed a “digital privacy tsar” for Australia’s government to counter mass surveillance. At its heart mass surveillance is about governments’ access to citizens’ private data, often stored and processed by private companies. Australia’s government has already flirted with the idea of a “National Cyber Security Advisor”, Alastair MacGibbon, who publicly defended the right of Australia’s government to weaken encryption in order for the government to access citizens’ data.
The digital privacy conference made me realise that more government will never solve the issue of mass surveillance because governments in the West are involved in digital privacy in two primary functions:
- Governments spy on foreign and national citizens legally and illegally. In Australia, these powers are wielded by too many government agencies to list quickly. Governments also protect the privacy and security of its internal and external communications.
- Governments regulate public & private companies, organisations, and state and federal governments. In Australia, these regulations include, but are not limited to, The Privacy Act and The Notifiable Data Breach scheme.
These two functions of government inherently conflict with each other; that is, governments can’t protect citizens’ digital information, because governments want access to citizens’ data. In other words, the government is happy to regulate digital privacy for private companies (e.g., Facebook), as long as governments can still access citizens’ data that private companies hold.
Therefore governments have no incentive to actually protect citizens’ digital information from governments themselves. Granted, digital privacy regulations may improve citizens’ digital privacy from non-government entities by strengthening digital privacy requirements, but these regulations do not protect against government mass surveillance. Digital privacy regulations don’t tend to prohibit government mass surveillance, although there is at least one exception. (And the exception isn’t a panacea nor a pathway for other countries such as Australia, NZ, the UK, the US, and Canada.)
Governments cannot — and can never — effectively balance national security concerns over citizens’ privacy. National security concerns will always win.
More government is simply not the answer to ending mass surveillance. As I wrote above, mass surveillance is about governments’ access to citizens’ private data. Mass surveillance is an abuse of politicians’ and bureaucrats’ power against citizens. What is required is to restrict governments’ access to such private data through legislation that cannot be bypassed by the machinations of the politics of the day. An example of such legislation is the USA’s First Amendment: the right to freedom of speech and to peaceably assemble, etc. This right cannot be bypassed by the machinations of the politics of the day; this right protects citizens against the US government regulating speech. We need such rights in the West in order to prevent governments’ misuse of power against citizens. There is simply no other means by which mass surveillance can be ended.
Governments Leverage Private Companies for Citizens’ data
There are no solutions to government surveillance (ignoring mass surveillance for a second); there are only trade-offs. There is no panacea; utopia is not for this world.
Clearly a world without surveillance isn’t going to happen. After all, we do need intelligence agencies, the police, and the military in order to stop criminals and terrorists.
Can we achieve a world without government mass surveillance? A world in which innocent citizens aren’t pervasively spied upon by governments? Maybe.
In Australia, there is an ever-creeping government encroachment into the digital privacy and cyber security industries. For example, the government now proposes to regulate cyber security — and possibly cyber security professionals such as me — in order to improve private companies’ cyber security and hence digital privacy of citizens.
The problem? The same government routinely pushes more and more mass surveillance, mostly carried out by private companies that store and process citizens’ data. The confluence between governments and private companies — either by force or voluntarily — is the most egregious revelation by Edward Snowden, in my opinion. Government-corporate co-operation is responsible for many of the worst aspects of the Snowden revelations:
- The NSA paid security company RSA $10 million USD to back door a random number generator, which allowed the NSA to break the encryption.
- The NSA was collecting 200 million SMSs a day, from all around the world.
- The tapping of landing cables coming into countries, enabling spy agencies such as the UK’s GCHQ “full take” access to data coming into the UK.
Each of these revelations would not be possible without private companies co-operating with governments. Put another way, no one is/was surprised to learn that the government has your passport details, your photo, your tax details, knows where you live, and knows when you leave/enter the country. Of course they do. People were surprised that governments have access to data held by private companies: SMSs, emails, websites visited, even photos of you whilst on Yahoo Chat.
In Australia, one doesn’t need to look too far into the future to see what is happening: The federal government is squeezing both the digital privacy and cyber security industries, heading toward regulatory capture, in order to bolster government control over private companies’ systems. This is a nightmare result for those who care about mass surveillance: More government, more control over private systems, more control over who creates/reviews these systems.
The Solution
I intend to continue to expand upon my ideas in future blog posts, and therefore I’ll only give an overview. In this post, I’m keeping my arguments short for my ideas in order to give an introduction.
Solution to government and private company co-operation:
- A laissez-faire approach to the digital privacy and cyber security of private companies. In fact, the complete separation between the government and the digital privacy and cyber security of private companies. Think of this approach as analogous to the separation of church and state: “The government shall make no law regulating digital privacy and cyber security of private companies”.
- Likewise, private companies must not be able to voluntarily implement mass surveillance systems for governments. Yes, governments do ask private companies to voluntarily implement mass surveillance systems.
Yes, I’m proposing that governments in the West not be able to regulate the digital privacy and cyber security of Facebook, Google, etc.
I realise that a laissez-faire approach to the digital privacy and cyber security of private companies will upset many readers. However, I am prioritising the damage to society that mass surveillance does over largely voluntary transactions between individuals and private companies (i.e., one doesn’t need to sign up to Facebook, whereas one cannot avoid government mass surveillance).
As I wrote above: There are no solutions, only trade-offs. And the trade-off of removing governments’ ability to coerce — legally, illegally, voluntarily, or by force — private companies is one of the main means by which we can significantly reduce government mass surveillance. This approach won’t end in a digital privacy utopia, but it will get the main problem — governments — out of the way.
Government restrictions:
- Governments must be prevented from conducting mass surveillance. Australia doesn’t have a Bill of Rights — and there are good arguments for and against such a Bill — but ultimately governments must be legally stopped from introducing mass surveillance legislation. I don’t know of any means by which this can be achieved other than through a Bill of Rights.
- A line must bet drawn legally between mass surveillance and surveillance. We must allow the police, intelligence agencies, and the military to do their jobs.
- The return to a state rather than federal approach to anti-terror laws in Australia. Prior to 2002, anti-terror legislation — the most likely excuse for governments to conduct mass surveillance — was largely a state issue in Australia. Federalising anti-terror legislation ensures that one government — the federal government — has far too much power over Australians’ private data. State governments being in control of anti-terror legislation would de-centralise government power. (Sorry NZ, the UK, and Canada…. you’re stuck with one government to rule them all.)
- The end to laws that allow access to citizens’ metadata without a warrant. Warrants should only be issued for specific people over a specific period of time for a specific reason.
- No government involvement in, or funding of, cryptography / cyber security / digital privacy research. Governments have a habit of attempting to undermine cryptography research.
- No government involvement in the cyber security / digital privacy industries, including sponsoring private organisations, the JCSCs, and regulation.
In short: I’m not going to reinvent the wheel on other government restrictions, as this has already been done by smarter people than me.
In Summary
I’m unsure if anyone has ever proposed a laissez-faire approach to the digital privacy and cyber security of private companies in order to reduce mass surveillance. However, after much consideration, I believe that such an approach is the only sustainable means by which government mass surveillance can be significantly reduced.
I realise that what I wrote has little to no chance of ever being implemented by any government. However, I also believe that the current situation in which governments and private companies co-operate to conduct mass surveillance cannot be solved by any other means.
As mentioned, I intend to continue to write up my ideas over the coming months.