Most people have no idea of the dozens of ways that their information could be used to cause them harm. As security professionals, we try to raise awareness that all information and computers have an intrinsic value. That no matter how small or trivial, someone out there would like to steal it, leak it or hack it. Many people have a ‘small fish’ mentality and can’t imagine anyone in the great internet ocean would be interested in a boring barnacle or a minnow with hardly any money. Well, everything in the ocean has a predator.
While a degree of naivety can be expected from non-security experts, small fish thinking has also been apparent amongst some security professionals in the wake of Snowden’s leaks. Don’t worry, they say, western intelligence agencies aren’t interested in little fish like you. The problem is that the backdoors and encryption weaknesses put in place by these agencies can also be used by criminals. The same criminals that make a living off small fish. As a profession, should we really trust bland assurances that everything will be fine? It’s like some security professionals have had their scepticism cortex replaced with spare parts from a Care Bears factory.
Some security professionals have tied themselves in knots trying to explain why mass surveillance isn’t really all that bad. Especially if you rename it something else like ‘bulk interception’. Apparently if you collect people’s information but promise not to peek then it’s not actually intrusive. Like if you steal a bicycle from a shop but don’t ride it then it’s not really theft. GCHQ says what they do isn’t mass surveillance because only a tiny fraction of intercepts are actually reviewed by an analyst. Perhaps I could put a webcam in your bathroom and as long as I promise not to look at the images then it’s not really surveillance? Or maybe I promise only to look at the webcam images for a fraction of the day. Like when you’re in there. Not keen? Shame really, we were so close to proving you weren’t a terrorist.
Perhaps the idea of surveillance is easier to accept when you think that it’s other fish being targeted – like foreigners. We discuss privacy as a civil right that belongs to ‘our’ citizens rather than an inalienable human right for everyone. The idea that other people should lose any of their human rights solely based on nationality or ethnicity should repulse us. If the new global standard is no privacy for foreigners then we should remember that we’re all foreigners somewhere else. Is surveillance of foreigners a logical, principled stand? Nah, just a form of social in-group bias.
The problem isn’t just trusting the intentions of those doing the surveillance. Mistakes will still happen even if every single person in every intelligence agency is completely trustworthy. This underlying Murphy’s Law of data leakage is why the European data protection principles explicitly define collection and storage as a form of processing. With storage costs plummeting and the potential for data to be stored for decades, are we really saying that we trust these entities for the rest of our lives never to make a mistake? For ever? That’s some marriage we’re entering into. And we haven’t even met the bride. The closest many of us have come to understanding how these agencies work is watching the trailer for The Bourne Identity.
But surveillance is all about monitoring terrorists, paedophiles and terrorist paedophiles. Small fish like us are safe. Unless of course you are the victim of serious crime, work at an oil company, have browsed BoingBoing, lobby for civil rights, believe in a nuclear-free world, belong to a union, help with charity work in Africa or oppose government policy. Come to think of it, if you haven’t ever met any of the criteria above, you’re not much of a citizen of democracy, are you?
First they took away the privacy of foreigners, and I did not speak out-
Because I was not a foreigner
Then they bugged the trade unionists, and I did not speak out-
Because I was not a trade unionist
Then they came for the users of privacy software, and I did not speak out-
Because privacy was only for criminals
Then they came for me-
Because they had been tracking my phone the whole time
If security professionals won’t speak out for the small fish, then who will?