On surveillance; what we do and what we have not yet done: A conversation with Jillian York

ICTs

Access to Knowledge

Cyber Security

Surveillance

We are in Cebu, the Philippines at the Global Voices 2015 Citizen Media Summit. I grab Jillian York, director of international freedom of expression at the Electronic Frontier Foundation, right before we walk into one interesting panel she moderated on online trolling. Besides being my favorite singer on the sidelines of conferences, York works at EFF on censorship and digital security among other things. She is also on the board of Global Voices and has previously been with projects like OpenNet Initiative and Herdict at the Berkman Center for Internet and Society. We talk about surveillance, privacy and the archive among other things. Lina Attalah: What’s your reflection on the way state control on online spaces is practiced? I am interested in infrastructural control; how infrastructures of the Internet are created with embedded control mechanisms, besides the add-ons that are created in response to people’s attempt to be secure and private. So I am asking how the network is built to control, but also how control is pronounced in economic ways: Who owns the infrastructure? Who owns the submarine cables? Who has access to the switch button? Jillian York: It’s funny we’re sitting on the table of the Web We Want. So it is the web we want versus the web that the government wants. When Saudi Arabia came online around 2000, it came pre-censored for the population. Most of the censorship was put in place and built in the infrastructure. Because they knew, as did China and a couple of other countries, the web that they wanted was one where citizens cannot use for organizing or political demonstration. They were thinking ahead in a way that a lot of western governments were not. Saudi Arabia was slightly less successful at it than China was. Although the infrastructure that the Chinese government managed to put in place was one that is incredibly capitalistic like the one in the West, it was sort of in line with their own values. So you have people who have a much more satisfying experience than populations where censorship came later. I don’t want to say that people don’t know what they are missing, but China managed to provide them with something that allows them to still feel that they have a connection to the Internet. So then you look at the US as a counter example of a country that didn’t think of these things ahead of time and where the Internet there was wild world west in the very beginning, and really up until recently, and from the Snowden revelations we know that a lot of these programs and corporations were only put in place seven or eight years ago. That is well after I was online. The infrastructural conception of the Internet in the American mindset is incredibly different than the one that the Chinese of my generation were raised with, because for the US, the Internet was intended to be free. If you look at the Declaration for Independence of the Cyber Space, the first thing it says, basically talking to capitalism and governments: you are not welcome here, this is our space. So we have this idea of being free from the confines of the state online and the Internet as this universal place where everyone is equal and then 15 years later, not only do we have that lack of freedom but both governments and corporations working together. The way this affected the Internet specifically in the US is really interesting as corporations have taken more control over politics, as well as the Internet and the way that it is being monitored. What we have now is a situation where the platforms are telling us that providing that same freedom and connectivity that we knew about almost 20 years ago is different as they are taking our data and handing them over to governments. I think that shift is fascinating. I don’t want to say that China is better. But at the same time it is an interesting contrast of what you see is what you get versus a promise that was then pulled back. LA: Technically speaking, before we even talk about the data traveling through the pipelines, is there a structural control in the way the Internet is set up? One way to think about it is that we always tend to think of the Internet in very virtual terms. What about when we start thinking about the physicality of the Internet? JY: A couple of days ago Samir and I did this demonstration and we took a bunch of people: one person was an email provider, one person was an Internet service provider, another person was a router and another was a computer. We had them line up and then we had an envelope. We sent it across as an email to basically give people a sense of all the nodes of control within the network. It is interesting because you don’t think of it that way. Not only do we think of the Internet as very virtual but we also think that governments are censoring us, companies are censoring us, but really it is all these different steps within the network that we don’t think about. For one, it’s not just your government that over hears you. Somebody can implant something in your router or your email provider can hand something to your government and they do it all the time. I think it is because of the way we connect to the Internet, just by pressing a button and this magical thing in the air that allows us to talk to each other. It makes it very difficult for us to conceptualize until you start to unpack it and understand how those nodes of control are operated. LA: Following your research in the Middle East, what are your insights on trends of online control acquired and practiced by governments? For example there are remote controlling systems with specific targets and there are the more generic mass surveillance, such as what was talked about recently in Egypt regarding the government’s quest to acquire software that monitors social media platforms. Besides infrastructural control, what are newer modes of surveillance? JY: I said for a long time that instead of mass surveillance, law enforcement has the right to and can absolutely monitor public content. In the context of incitement to violence and terrorism threats, the problem is with the rule of law; when it comes in and how it is used. You can look at France now as one good example of this. One of the cases we saw in the last days is a 16-year old arrested for a tweet. One of the Charlie Hebdo covers right after the Rabea massacre had a Muslim man holding the Quran as bullets are being fired at him and the commentary in French was the Quran won’t protect you from violence. So somebody turned this on its head and put a white man hiding behind a copy of a Charlie Hebdo as bullets are going his way and it had the same commentary: Charlie Hebdo won’t protect you from violence. Some 16 year old tweeted that image and was arrested for it. That is the parallel of open source monitoring, not that the monitoring itself is bad and I actually don’t think it is and I think it is a good alternative to invasive surveillance but the problem is that we don’t have the mechanisms or good laws to control how it is going to be implemented. I first started researching censorship and surveillance in the region in about 2008 and there were fewer governments that censored the Internet in the region than ones that didn’t. You had your big censors like Saudi Arabia and most of the Gulf, and then Syria. But then you had really weak censors or countries that didn’t censor like Morocco, Algeria and Yemen, either because they didn’t have the infrastructure or the finances to do it or because there weren’t that many people online so it was not a priority. Of course that changed and I think a lot of these governments are learning from each other. And so the first thing was the implementation of censorship, which, in many of those cases, was not expensive at all. Yemen for example was using an of the shelf filtering tool that any mother or father could buy to protect their kids for US$100 or $200 and they put that on the country’s entire network. Egypt had not tried to censor the Internet until 2011, except for a couple of instances but we knew the infrastructure was in place because of these instances, and then the immediacy with which they could block Facebook and Twitter in the revolution’s first couple of days sort of made it more apparent how powerful whatever they had was. Mass surveillance within the region is questionable. I think you have some countries that are getting data from the US from the National Security Agency, such as Egypt and Jordan. We won’t know until the Intercept decides to tell us. But beyond that, mass surveillance probably wouldn’t be useful to these countries because they don’t have the resources or the money to actually utilize this data, just frankly as the NSA is not doing a good job there either. Targeted surveillance is the more interesting case. I am not the expert in this and I am not able to tell which governments have used these tools like Finspy or Hacking Team. We know Egypt is one of them as well as Bahrain and the Emirates and there are others. Those countries in some cases haven’t even purchased these tools. In a couple of cases, researchers form Privacy International and Citizen Lab found that they were using sample copies. And even if they had purchased them, the cost is not that high. We are talking about $10,000 that any of these countries can easily afford. So I think that’s definitely one of the trends now. Also the question of censorship and surveillance that result in prosecution and arrest is another thing happening. Censorship is not as interesting because people get around it as none of the censorship in the region is as sophisticated as China’s. But the targeted surveillance of public material is not as talked about. LA: It’s interesting how in many cases of people targeted for their offline activism, their online activity is increasingly used to go after them. Now tweets are increasingly being used in courtrooms in Egypt by both prosecutors and by defense teams. JY: I suspect that over the last years, some of laws such as the United Arab Emirates’ cyber crime law or even France’s anti-terrorism law, almost make it much easier for governments to prosecute people who are already considered threats whether because of their offline activity or for their previous online activity. I wonder if these laws are reactionary, so we know the UAE people are talking about certain things but we don’t have a law to prosecute them easily, so we put a cyber crime law where extraordinary additional penalty is used if a behavior takes place online as it is much easier to prosecute them this way than for their offline activity. LA: How much do you feel the reaction to surveillance both in targeted and mass forms is trumping up access to knowledge? Is this proliferation of a privacy consciousness curtailing access to knowledge? How much are the concerns and the anxiety about privacy creating yet another barrier to information and knowledge production? JY: I think a lot of the conversation in response to surveillance and especially in the US and probably in a lot of places has become so divorced from politics. It is almost as if we are talking about something that exists in a vacuum and separate from other problems. Now, you don’t have to put yourself out there and say you must use your name or you should use anonymity. If you live in a context like Venezuela, you keep hearing about people being kidnaped everywhere. In Mexico, people are getting beheaded. You might want to use these tools because putting yourself out there almost means putting yourself at the risk of death. Risking death is a lot to ask from someone. But the problem is that the dialogue around privacy tools is this techno-utopian libertarian solution to what is essentially a political problem. LA: That’s the perfect sound byte. JY: There are different ways to address surveillance. I list them as four: policy or politics, education, legislation, and through personal responsibility. These privacy tools are the only way you can have a personal responsibility. You can’t also solve the problem by using these tools. This comes back to the economics of this question. We are never going to have the resources that the government has. The problem is mass surveillance is really cheap. The amount of money that the Department of Defense in the US puts into surveillance compared to the amount that the State Department is putting into these privacy-enhancing tools is just massive. We are not going to win this battle through technology and so while these tools are important, if we want to talk about surveillance, we have to ask why does it exist in the first place. Governments want to control populations. But this is not what the dialogue is about right now and I think that is part of the problem. It became so personalized and individualized. LA: Is the proliferation of a consciousness of privacy canceling out important narrative, important information? Let me give you an example. You mentioned to me once having had long encrypted chats with an activist over the years and now you have no access to these. That’s a record dropped. But there is an additional layer, which is that not only people use encryption but they actually end up not saying stuff altogether. The unsaid can be the product of privacy. That Facebook post that never gets written because people are conscious of their privacy and don’t want to give Facebook this content, for example. JY: There are a couple of activists who really awakened my political consciousness in a way that I would never have experienced. I was 25 or 26 when I met these people and most of them are from the Arab World. A lot of the things that inform my politics and my choices right now come from those conversations and I will never be able to see them again. One of these people has passed away and I will never be able to remember the things we said. And a lot of this is done in the name of safety for certain individuals, and some of it is just because we use these tools by default. I kept every school notebook that I had somewhere in my mother’s basement but some of the best education I have, I don’t have access to anymore. I do think that a lot of the things that we are doing right now: the self-censorship, the encrypting, particularly OTR which is more ephemeral than PGP, we need to be making more careful choices about why we are using them. Maybe we need to use some of these tools to stay safe but there are some tools that allow us to access this info and keep them encrypted across the wires. There is a balance that we are not finding right now because we are not thinking about this. Those who develop the tools and those of us who use this kind of advocacy aren’t thinking about it that way. LA: I am just coming from a place where I feel there is very little I can do right now especially in this state of defeat we’re in so I get concerned with producing our history, our archive. I always feel the archivist is missing from the conversation or the consciousness of the archive is missing from the conversation about privacy. JY: This actually came out when Alaa Abdel Fattah was released the last time. I was surprised to get a ping from him the day he was out of prison. He asked if I had any contacts in Yahoo. He needed to have access to his father’s emails as his father had just passed away and the family wanted access to his email. We talked to a couple of people and it seems that the law would allow for that through the inheritance of communication but not in the US. And so when I spoke to the company, they said they had to follow US law on this and they couldn’t get us the information. Now the reason he wasn’t able to get to the email in the first place is that he had taught his father to use strong passwords and to change them often and his father had done that. The best possible end for a sad story like this is when I asked whether he tried the “forgot password” and it turned out that it sent a message to his father’s phone; they were able to get the email and it was a simple solution at the end. It was interesting for me to understand those two different legal paradigms. In the US, your email remains private even after you are dead. In the US, privacy is important but it is there in the order of magnitude after free speech in the Constitution and it hasn’t been upheld in the same degree as free speech has. The idea is that your mail is private after your death is really surprising to me. I would like to leave some kind of access behind. Aaron Swartz did that when he committed suicide. He had this plan to have people access his archives. LA: Final thought: how productive is it to talk about law enforcement given what we’ve seen? Is there enough justification for it such as fighting crime, hate speech? Have we seen a model where law enforcement was a good justification for surveillance? JY: This is a hard one. When I think of law enforcement I think of police and only think about it in the context of the society we live right now not the society in which I would want to live. But, if we were to talk about it in the context of this society or structure of government, the only semi positive example that I have is a really strange case. Maybe you heard of this thing in the Netherlands Party x. That’s an interesting one where the police were able to stop a girl’s house from being completely invaded by hundreds of people because they saw this happening on social media. But that’s in the context of protecting children, which is one of the only and one of the most careful justifications that I have ever found for surveillance. It’s a justification for a very targeted, very carefully implemented surveillance. In the society that we want, we cannot just rely on old ideas of community policing as opposed to authoritarian law enforcement because in such a distributed world, these ideas are not possible. Why aren’t we talking about what we do want? What does this ideal society look like? In terms of the positive uses, this is a reminder for myself to look for more of them and use them in my own construction of what that society looks like.