Striking a new balance between data, privacy and power

April 3, 2018

If you don’t like the thought of how much Facebook knows about you, take a look at your Google data download. If you have an Android device, you might be particularly interested in the number of times your device incorrectly thought you said “OK Google”, and duly uploaded an audio recording of everything that was being said.

Many people who have downloaded their Facebook data have been unpleasantly surprised to find that it included phone call and text metadata they didn’t know Facebook was collecting.

In the wake of the furore over Facebook’s data sharing and its exploitation by data analytics firm Cambridge Analytica, the Australian Prime Minister’s special advisor on cyber security, Alistair MacGibbon, has deftly called out the real issue. “These companies that hold up privacy, and the sanctity of the individual, to us as governments – western, liberal, democratic governments – are the same ones that are then allowing data at the back end to go off out of their control.”

Clearly, if we’re relying on Facebook to uphold our privacy and the sanctity of the individual against our democratically elected government then we’re in deep strife. What should be done? We argue that the best solution is more user control and less data collection.

Why liberal democracies are vulnerable

Detailed knowledge about a person can be exploited for political purposes. One of the allegations against Cambridge Analytica (which it denies) is that it used Facebook data to promote Donald Trump’s US presidential campaign. Targeted advertising is, after all, exactly what Facebook actually sells.

There are two important implications for elections. The first is the opportunity for using data to micro-target inconsistent messages, so that different parts of the electorate vote for the same person, expecting completely different policies. This was always possible, but it’s worse online, and harder to detect.

A second concern is that narrowly-targeted online ads might help the advertiser evade electoral advertising laws in their country.

But it’s very unclear how well it works, or what the data is exactly. The best we know is from some data on US voters accidentally left on an unprotected server by the Republican National Committee in 2017. It contained detailed information on over 198 million (i.e. almost all) US voters, including demographic data and political inclinations.

Note, however, that manipulation like this may not always work – Cambridge Analytica tried but failed in Nigeria.

Governments that tolerate a lot less political freedom also use this data to keep tabs on their own citizens. The Chinese Communist Party monitors its citizens as part of its social credit system. Apple was justly criticised for its recent decision to store decryption keys for iCloud storage in China.

This would allow Chinese officials who could access those keys to decrypt Apple users’ cloud storage, though not their end-to-end encrypted messaging.

What you can do

There are of course steps that we can all take to better safeguard our data. It may be a little late to delete Facebook, but you could at least stop giving Facebook new information about yourself – run an ad blocker, browse in private browsing mode, and turn off third-party cookies.

You can buy a cover (or just use some tape) for every device camera you take into the bedroom or bathroom, and get them for your kids too. And if you’ve found a good microphone cover, email us!

Be wary of always-on recording devices providing services like digital assistants. If you buy an always-on recording device for your home, it will be… always-on, recording, in your home.

Use end-to-end encrypted communications, like Signal, Wickr, WhatsApp, iMessage and FaceTime. If it’s properly implemented, this means that the decryption key is held only by the person you’re talking to – even the company that sells the software can’t read it. Try to find an end-to-end encrypted cloud storage provider, so that you are the only person with the decryption key to your cloud storage.
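The difference between the iCloud arrangement described above (the provider keeps the decryption keys) and genuine end-to-end encryption (only the endpoints hold the key) comes down to what a server can hand over when asked. The following Python is an added illustration, not code from the article or from any of the products it names. It models a relay server under both designs and shows what a disclosure from that server yields in each case. The cipher is an HMAC-SHA256 keystream with encrypt-then-MAC, chosen only so the example runs on the standard library; a real messenger uses an AEAD such as AES-GCM or ChaCha20-Poly1305, and the shared key would come from an authenticated key agreement rather than being handed to both endpoints directly as assumed here.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF keystream: HMAC-SHA256(key, nonce || counter) blocks, truncated to `length`."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for an AEAD: nonce || ciphertext || tag, with encrypt-then-MAC."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; wrong key or tampering raises ValueError."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered message")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def can_decrypt(key: bytes, blob: bytes) -> bool:
    """True only if `key` authenticates `blob`; a party without the endpoint key gets False."""
    try:
        decrypt(key, blob)
        return True
    except ValueError:
        return False


class Relay:
    """The provider's server: stores what it is handed and can be compelled to disclose all of it."""

    def __init__(self) -> None:
        self.mailbox: list[bytes] = []
        self.held_keys: dict[str, bytes] = {}

    def store(self, blob: bytes) -> None:
        self.mailbox.append(blob)

    def disclose(self) -> dict:
        """Everything a warrant or a compromised operator could obtain from this server."""
        return {"blobs": list(self.mailbox), "keys": dict(self.held_keys)}


def provider_held_key(message: bytes) -> bytes:
    """Design 1 (constructed scenario): the provider encrypts at rest but keeps the key,
    so whoever obtains the server's contents can read the message."""
    relay = Relay()
    key = secrets.token_bytes(32)
    relay.held_keys["alice"] = key  # key escrowed on the server, as with provider-held iCloud keys
    relay.store(encrypt(key, message))
    view = relay.disclose()
    return decrypt(view["keys"]["alice"], view["blobs"][0])


def end_to_end(message: bytes) -> tuple[bytes, dict]:
    """Design 2 (constructed scenario): the key lives only on Alice's and Bob's devices.
    Returns what Bob reads and what the relay can disclose."""
    shared_key = secrets.token_bytes(32)  # assumed established between the two endpoints only
    relay = Relay()  # never receives shared_key
    relay.store(encrypt(shared_key, message))
    view = relay.disclose()
    bob_reads = decrypt(shared_key, view["blobs"][0])
    return bob_reads, view


if __name__ == "__main__":
    msg = b"constructed sample message"
    print("provider-held key, disclosure yields:", provider_held_key(msg))
    bob, view = end_to_end(msg)
    print("end-to-end, Bob reads:", bob)
    print("end-to-end, disclosure yields keys:", view["keys"], "and ciphertext only")
```

The point the article makes about "properly implemented" is carried by `Relay.disclose()`: in the second design it returns ciphertext and an empty key store, so there is nothing for the provider to hand over that decrypts the message, whatever the legal pressure on it. Any design where the provider can reset a forgotten passphrase or restore a backup without the user's device is, by construction, the first design.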

But all this data is useful for catching terrorists and paedophiles isn’t it? Perhaps, but according to Apple’s transparency report Australia is third in terms of number of requests for access to devices, behind Germany and the US, which both have much larger populations.

Some targeted surveillance is, of course, a necessary part of keeping everyone safe – the question is how much, and to what extent companies should be obliged to gather extra data just in case.

A recent report from the US Department of Justice suggests that the FBI may not have exhausted all its options for accessing the iPhone data of San Bernardino terrorist Syed Farook, but that some in the FBI wanted it to seem hard, so as to pursue an “agenda of obtaining a favorable court ruling against Apple.”

What governments could do

But what should liberal democratic governments do? Even Facebook founder and CEO Mark Zuckerberg is “not sure we shouldn’t be regulated.” The best government response to this controversy would be to work to decrease data acquisition and sharing.

It could mandate easy, ubiquitous opt-outs. When the “OK Google” button comes up on your phone, you should get an obvious and easy option that says “disable this feature and never upload my audio.”

Zuckerberg says “there are things like ad transparency regulation that I would love to see.” So would we.

Even if it didn’t introduce new security vulnerabilities, the Australian government’s move to force social media companies to grant it access to encrypted messages would increase the information available to the companies themselves. We agree with the recent Senate motion which, on the contrary, encourages end-to-end encryption and secure, user-controlled devices.

There’s nothing wrong with government asking companies for data that they have, given an appropriate warrant. But it’s in the best interests of Australia’s security to disincentivise massive data gathering and encourage end-to-end encrypted communications and secure, user-controlled devices.

Then companies like Facebook, Google and Cambridge Analytica and their (real) customers will have less data about Australians to share and exploit.

This article was written by Dr Vanessa Teague and Dr Chris Culnane of the School of Computing and Information Systems at the University of Melbourne. It was published on Pursuit, read the original here.

One Comment

  1. Alan Stevenson

    April 4, 2018 at 11:37 am

    If we access a data-gathering platform and alter or delete the data can we be sure that such alteration is verifiable and permanent? Given their histories I would have my doubts. It is one of the attributes of humanity that we collect but dislike changing or getting rid of information.