From the centre of San Francisco’s Downtown, where locals and tourists fill the sidewalks below the tall buildings of the Financial District, I descend to the BART station and board the underground train. A few minutes later, we emerge into a horizontal landscape, where shipping containers stretch away in all directions. The only things against the blue sky are white-painted cranes, which seem to gaze back across the Bay towards San Francisco like lonely metal horses. Rail tracks and roads cross the barren concrete, but hardly a single human face peoples the sprawling port.
Most of the massive container ships that pass under San Francisco’s Golden Gate Bridge are heading to or from the Port of Oakland. It covers 32km (20 miles) of shoreline, and more than 2 million containers a year pass through Oakland between rail, road and ship. My train passes acre after acre of multicoloured boxes.
Finally, we start to pass signs of habitation: low-rise houses, cheaply built, with old vehicles parked between them. Painted in large, angry letters on the side of one building is the slogan, ‘Black Lives Matter’. Then it’s back into darkness.
Shortly afterwards, I walk out of Oakland City Center station into a cosy enclave of cafes with tables outside, nondescript shops and empty pavements. Many of the shops are vacant, and the fountains are dry, but it doesn’t feel like one of California’s most crime-ridden cities. I could be in any small town in England.
Panopticon
Across the road, in Frank Ogawa Grand Plaza, I meet Brian Hofer on the lawn in front of City Hall. He’s a local attorney, and he’s here to tell me the story of the Oakland DAC.
‘The Domain Awareness Center, or the DAC, was a port infrastructure improvement project,’ he says. ‘At some point the project expanded to become a joint project of the city and the port that would include facial-recognition software, automatic licence-plate readers, ShotSpotter, 700 surveillance cameras throughout Oakland Unified School District, Oakland Housing Authority, 300 TB of data storage, along with other benign things like vessel tracking, tsunami warning, earthquake warning.’
Like a more ambitious version of Glasgow’s smart city, but with less emphasis on bins and heating, and more on gunfire and earthquakes. And I have heard that Oakland, however calm it appears, has a gun crime rate among the highest in California.
Brian is sceptical. ‘Supposedly we’re up there, yes. Unfortunately, part of those statistics are based on ShotSpotter, and it is one of the most inaccurate pieces of equipment ever invented. The most recent audit I saw had a 7 per cent accuracy rate.’
What is ShotSpotter? ‘It is an acoustic sensor designed to identify gunshots. The need for this, according to ShotSpotter, and it is true in Oakland, is that the community often does not report gunfire to Oakland Police Department.’
Why not? ‘Many reasons. One: they don’t show up, so why call? Number two: there’s this distrust in certain communities, certainly communities of colour that have been brutalised in the past and somewhat today, that they don’t want to call the cops.’
The idea is that ShotSpotter can locate the gunshot and alert the police directly, so they can arrive in time to arrest the shooter. But, says Brian:
‘It doesn’t work that way. Not only does it not identify gunshots accurately, it does not get information to the police on time. The officers don’t show up, when they do show up there’s no one there. It’s not a good piece of equipment. I think it’s more of a taxpayer boondoggle than anything else.’
‘But we do have evidence here in Oakland that under the right circumstances it can record a human voice. Oakland Police Department used that favourably at a trial where someone was shot. On the ShotSpotter audio you could hear him identify his killer, the shooter, and that person was arrested and prosecuted successfully. So there are success stories but I get back to my 7 per cent accuracy rate: it’s just not worth the money.’
And it’s a system that can record people’s voices as they walk around the city?
‘Under the right circumstances. I’m not comfortable saying that it could always be on. I do think if the software was reconfigured that is a possibility, yes, you have a citywide surveillance network of microphones. I think there is a certain threshold, a certain frequency needed to trigger it right now. But without an independent audit, it’s hard to confirm that.’
Community distrust of the police is not unfounded. On New Year’s Day 2009, a 22-year-old passenger called Oscar Grant was pulled off a train at Fruitvale Station by a BART police officer, and shot dead while handcuffed and face down on the platform. Grant was African-American. His killer, who claimed the shooting was an accident, was convicted of involuntary manslaughter.
In October 2011, a group of protestors set up an encampment where we are standing, in Frank Ogawa Plaza, renaming it Oscar Grant Plaza. Calling themselves Occupy Oakland, they aligned themselves with other Occupy protests around the US and beyond. City and police efforts to remove the encampment escalated into violence and exacerbated tensions between authorities and the community.
Into this context the city introduced a proposal to link up existing surveillance equipment with new technology, all feeding one central Domain Awareness Center.
‘It had originally been sold as a port infrastructure project, then it was sold to us as this thing for first responders to help with efficiency. The problem being, the only time our previous version of this, the Emergency Operations Center, had been activated was in response to protests. So we had some suspicions.’
As Brian walks me through quiet streets towards the DAC, he talks about the city’s motives.
‘Because there’s distrust among a lot of the citizens with reporting crimes or being witnesses, Oakland has made this decision that they’re going to use technology. It’s shiny gadget syndrome. We’re up the road from Silicon Valley, everybody’s promising us all these wonderful things, this big data-driven solution that is going to solve all our society’s problems.’
So that’s the push. Then, says Brian, there’s a financial pull. ‘The smartest thing – this is me putting my little conspiracy hat on – is that the Department of Homeland Security is funding this via grants. So when I walk before City Council and try to make a taxpayer argument it’s really hard to show a local pain point.’
‘Where the taxpayer harm does come,’ he says, ‘is all those ongoing costs: maintenance, software, the staff, that we end up spending in the future after that grant money is gone.
That’s what we’re trying to show: it’s not cost-effective, it’s not doing the job, and it’s impacting my privacy.’
A few blocks from City Hall, we reach the building housing the DAC.
I feel slightly disappointed. Having read about its planned capabilities, I’d pictured something between the Pentagon and a Bond villain’s lair. Preferably an impregnable steel fortress inside an artificial volcano crater, but at the very least a sheer glass tower guarded by enigmatic men in sunglasses.
This is a low-rise, nondescript, white-painted building with absolutely no security around it. In fact, it’s a fire station.
‘It’s a working fire station. You can see on the ground floor there’s a couple of fire trucks. I have a couple of buddies that work inside,’ says Brian, ‘and then upstairs there’s the Emergency Operations Center. If there’s a natural disaster, some kind of emergency, this is where the crisis team assembles.’
I ring the buzzer and ask if we can come in and see the EOC, but the person inside says, apologetically, that I’d need to make an appointment. Brian tells me there’s not much to see anyway.
‘You see it on television shows, crime shows, it’s just like any other little command room. It’s a row of chairs with desktop computers and then one big flatscreen TV for everybody to look at.
The DAC is just an application, it’s software that sits inside these computers that has way more capabilities at aggregating all the data inputs,’ he explains.
‘The EOC could see and analyse all this data but it’s all on separate, distinct systems. What the DAC is doing is bringing it together all on to one screen and letting you overlay data so you can see a bigger picture. And of course that’s wonderful in an earthquake scenario or a fire. You’re able to track wind patterns, so if there was a chemical fire you could see which way the fire …’
… is going to go before it happens. And send fire trucks there, and save lives?
‘That’s wonderful, that’s great, we have no problem with that. No one has ever made an argument before City Council against those types of warning systems.’
What is the problem, then, if it’s just a system for dealing with earthquakes and fires?
‘That ability to aggregate all the data also allows you to create a mosaic, to see the patterns in someone’s daily travel habits or their life. Oh, Brian is going down the marijuana dispensary, now he’s hanging out at the abortion clinic, or he’s at that Occupy protest because we’re also tracking licence-plate numbers. And so the good is also the risk in this type of capability,’ he says.
‘Of course we had a big 1989 earthquake, freeways fell down, radios weren’t working, it was a bit crazy here. So to be able to coordinate and move resources around faster would be wonderful. But with that you need to have safeguards built in, to address the civil liberties concerns.’
Even the DAC’s location in a fire station set Brian’s antennae twitching.
‘It’s an interesting trend that we’ve noticed. A lot of the DAC’s funding is coming through fire departments and not police. We’re not quite sure why. I read a somewhat alarming White Paper out of the Monterey Naval Academy think tank, about using fire departments to get around the Fourth Amendment.’
As a Brit, I have to ask what the Fourth Amendment is.
‘The Fourth Amendment is protection against general searches and seizures. That’s where the requirement to get a warrant comes from, basically because of the British. Judges or magistrates were authorising these general warrants so you could go search anything at any time. That was one of the causes of the American Revolution, and the Americans pushing back against the Brits. So it’s kind of a big deal.’
So in a way, we helped America build freedom into its constitution?
‘Anyway, this Naval Academy White Paper was saying that you could use fire departments to get around the Fourth Amendment. You know, maybe it’s a marijuana grower’s house or something, you see some evidence of wrongdoing, you didn’t need a warrant to get in there, and then they could report back to the police. So we have some concerns over data-sharing between different entities.’
Americans have a number of legal principles with which to defend their privacy. As well as the Fourth Amendment, which demands a specific reason and target for a search warrant, they can invoke the First Amendment, which protects freedom of speech and association. California is among the states that also enshrine the right to privacy in their state constitutions.
Privacy and free speech are sometimes discussed as though they’re conflicting principles. Brian would disagree:
‘I went down to Cuba in 2008. It was slightly opening up, people were very willing to talk to us, but they wouldn’t say Fidel or Raúl’s name in public. They would say the One or the Two, they’d make a gesture, the beard … The younger guys, out in the middle of a baseball field where there are no microphones, were like: There are tons of informants.’
In every town there were community organisations, and those were the informants, the locals told Brian. ‘These people will inform on everyone, and that’s why no one’s ever challenged the Castros’ power. They were masters at keeping the community disjointed so there was never any opposition.
And that’s what it’s about, mass surveillance. Of course there is legitimate criminal surveillance, like bringing down the mafia, but dragnet surveillance is about population control, and it’s very effective.’
Nor is Brian convinced by the argument that those who have nothing to hide have nothing to fear.
‘We do have something to hide. Not just our bank PINs, but same-sex relationships, marijuana use … America went crazy with marijuana prohibition even though everyone smoked. Everyone used it, but we had to pretend in public that we didn’t.’ And eventually, private use led to changes in the law.
‘And same-sex marriage: you had to keep your relationship in hiding, in privacy. Because you had privacy, you were able to do that.
But without privacy, we would not be where we are today. You don’t have that ability to form a different opinion, you have to be completely homogenous, like every other person.’
Even without laws explicitly forbidding certain actions, words and ideas, constant scrutiny has a chilling effect. That’s why freedom of association depends on the right to privacy, and freedom from surveillance.
‘I thought we rejected that in America, but it’s creeping back this other way.
There’s a famous Supreme Court case of people trying to get the NAACP1 to reveal its membership rolls, so they could target these people. And the Supreme Court said: No, they have freedom of association,’ he says.
‘And then, from the other end of the political spectrum, here in California with our Proposition Eight fight over same-sex marriage, the lefties, the progressives, were trying to force the conservatives to reveal their donors and membership rolls. And we’re like: No, we already decided this issue!
It’s like we didn’t learn much. Whether you’re left or right we’re still going after this freedom of conscience and trying to get rid of it.’
And Brian warns that the ease of aggregating information through technology poses a new danger.
‘Nowadays, sure, the NAACP doesn’t have to turn over their membership roll but the NSA2 can get in their computer anyway. Or they just use a Stingray and intercept phone communications while sitting outside your building. They use a licence-plate reader and drive around the building and look at the licence-plate numbers. So effectively court decisions are meaningless if surveillance equipment is used indiscriminately.’
Stingray is a word I keep hearing. I ask Brian what it means.
‘Stingray is the brand name of an IMSI catcher. If you take off the back of your cellphone and lift up the battery you’ll see this little IMSI number, we all have these unique identifier numbers in our cellphones,’ he explains. ‘Using a Stingray you can identify this unique number and by driving around in ever smaller circles you can triangulate someone’s position. So if you’ve got a fugitive on the run, kidnapping victim, maybe you’ve got an old person suffering from dementia that’s wandered off, we now all have mobile tracking devices on us: our cellphones, we all carry them.’
Although old people can be frustratingly unwilling to carry their cellphones everywhere. Perhaps they know something we don’t? Who knows what they’re getting up to.
Brian continues explaining how Stingray works:
‘A weakness of all cellphones is they’re constantly looking for the strongest tower, that’s how they connect, so the Stingray sends out this massively powerful signal and forces the phones in range to connect to it. Even if they get a warrant for my phone number it’s still a general search because it has to intercept all of your data and all the other phones that are in that range.’
And if that’s not intrusive enough, says Brian, ‘In certain configurations it intercepts metadata, the phone number, the duration of your phone call, but nowadays – Oakland Police Department recently acquired this capability – it can intercept content.’
Which sounds a lot like the kind of general search prohibited by the Fourth Amendment.
‘By federal law, when Stingrays were sold to local police departments they were not supposed to have this capability. You have intimate photos on your phone, you have private messages that can now be intercepted if you’re just walking randomly down the street,’ says Brian.
‘You wouldn’t even know you’d been intercepted, that your phone is being searched, because it’s an invisible signal and you just happened to be walking in range. You’re not even making a call. Your phone could be off and it can still be intercepted. It can intercept a text message, voice content.’
If you’re now thinking you don’t mind, because you have nothing to hide from the police, Brian would like you to think again.
‘It’s not just an activist thing, think of any doctor-patient conversation you’ve ever been involved in, whether it’s yourself or your kid. It is obviously private, you don’t want your medical information being intercepted. Attorney–client communications. Stingray signals are so powerful they penetrate the walls. All these attorneys sitting inside, using their cellphones for privileged communication?’ Brian gestures at the office buildings around us.
‘It’s at risk of being intercepted. There’s hardly anything more sacred under American or just Western law than attorney–client or doctor–patient privilege and all that is at risk now. This isn’t just about occupiers and activists, it’s an invasion of everyone’s privacy and dragnet is the only way this technology can operate.’
I start to wonder whether technology, which has been the villain in most of this conversation, could help protect privacy. Could you configure a Stingray so the software would dump all the data except the number for which you have a warrant, before a human being could see it?
‘Right. That’s where I think we’re going to get. Because Stingrays are highly effective. They always find the phone, they always get their guy. So I don’t think the majority of citizens would reject Stingrays outright. Oakland Police Department has told me that they immediately delete all the other data – we want to independently audit that of course and make sure there’s penalties if that’s abused but ultimately I think that’s probably where we’ll end up.’
You may have guessed by now that Brian, and other Oakland citizens, did not welcome their city’s data-driven surveillance network. Later in this chapter, I’ll come back and finish the DAC story.
The spy who bugged me
Oakland’s resistance to being watched over was given momentum by revelations in 2013 about how much data government agencies were gathering on their own citizens. These revelations came from Edward Snowden, a former CIA employee working as an NSA contractor, who turned whistleblower in 2013. The inside information he revealed to journalists is still emerging.
Snowden himself is, as I write, living in exile in Moscow. In case all the fuss passed you by, here are the basics of what he made public.
Shortly after the Second World War, the UK and US set up a spy network called Five Eyes with their allies Canada, Australia and New Zealand. Still going strong, it now uses technology to intercept and monitor communications between people all over the world. Programmes such as the NSA’s Prism and GCHQ’s Tempora, the latter part of a GCHQ effort called Mastering the Internet, collect information in two main ways.
‘Upstream’, as one of the NSA’s leaked files calls it, means tapping directly into the hardware that carries your communications, the modern equivalent of putting clips on telephone wires to listen to your calls. Today, they’re more likely to be intercepting signals passing through a fibre optic cable under the sea, or planting software in your computer that reports directly to them.
Prism goes straight to the companies that already have your data collected and stored: companies like Google, Apple, Microsoft and Skype, which provide your telephone and internet services. Prism doesn’t just go back through old records, it can register in real time that you’re making a call or interacting on a chat forum.
A Pew survey in 2015 found that 87 per cent of Americans had heard about government surveillance of telephone and internet communications. Of that 87 per cent, a third had done something about their own privacy, mostly simple things like better passwords for email accounts, changing the way they search online, or having more conversations face to face.
Two-thirds of those surveyed said they were losing confidence that the surveillance programs serve the public interest. But they tended to support surveillance of suspected terrorists, and to say they weren’t personally concerned about their own communications being monitored.3
The British public are similarly ambivalent about government eavesdropping, and not because they’re unaware of how much GCHQ can collect. If anything, they may overestimate the capacity, or desire, for such mass surveillance. In 2015, almost two-thirds said yes to the YouGov question, ‘Do you believe that GCHQ has the resources and technical capacity to intercept/collect the internet-based communications of every British citizen?’
Naturally, neither GCHQ nor the NSA are going to reveal exactly what they can collect, or how, or whether they do. Intelligence services have complained that Snowden’s revelations drove terrorists and other targets to use more sophisticated techniques.
Government prying into its citizens’ communications is a genuinely tricky question. I feel very strongly that I don’t want anyone to access my private life without my express permission. But I also feel strongly that I don’t want to be killed by terrorists, and quite strongly that I don’t want to be the victim of a major crime.
In Orwell versus the Terrorists, British researcher Jamie Bartlett writes: ‘We demand perfect security, but thanks to the Snowden Effect, that’s going to be harder to achieve …’
He cites a growing consensus against mass surveillance, increased awareness of technology to elude it, and a shift in terrorists’ tactics:
And yet simultaneously, we have an impression that the security services can see everything, and so should stop everything, which is impossible. The Snowden revelations have created a false impression that the intelligence agencies are monitoring every single thing we do online, our every click, swipe and movement. And the resulting opinion shift against internet surveillance limits the space the intelligence agencies can operate within.
And because of the nature of online data – the fact there’s so much of it out there – there will always be some clue, some digital breadcrumb, that’s missed. More data doesn’t always mean more insight: it can also increase ‘noise’, making the ‘signal’ harder to pick out.
Bartlett gives the example of Michael Adebowale, who expressed via Facebook a desire to murder a British soldier, and six months later did murder British soldier Lee Rigby. If GCHQ is monitoring everything, many asked, how could they miss that?
If we continue as we are, warns Bartlett: ‘the result will be an intelligence agency that is seen as both omnipresent and incompetent, one that lacks broad public support and can’t do its job. This is the precise opposite of what we want.’
Instead, he calls for a shift away from mass surveillance by computer towards human intelligence that targets individuals, and for clearer public oversight of the powers exercised by intelligence agencies.
Outlaws and back doors
It’s easy, with hindsight, to ask why nobody picked up a post from a future murderer. But most people who express the desire to kill somebody don’t go on to kill somebody.
When the UK was hit by heavy snow in 2010, Paul Chambers tweeted: ‘Crap! Robin Hood4 Airport is closed. You’ve got a week and a bit to get your shit together, otherwise I’m blowing the airport sky high!’ An over-emotional reaction to a potentially delayed flight, but he was travelling to meet somebody special. Two years and two appeals later, Paul’s conviction for ‘sending a message of a menacing character’ was finally quashed, as the High Court accepted it was clearly a joke, sent using Chambers’s real name and not directly to airport staff.
When a 14-year-old in the Netherlands tweeted a mock bomb threat to American Airlines, they responded that they had forwarded her IP address5 and details to the FBI. She handed herself in to local police in Rotterdam after tweeting, ‘my parents are gonna kill me if I tell them this omg pls’ and ‘I need a lawyer. Any lawyers on here?’
It’s easy to read these accounts and laugh at the idea of taking them as serious threats. But if social media accounts are monitored not by reasonable people but by software, which is notoriously bad at irony, people like these can be flagged up as potential dangers.
Then again, the UK legal system allowed the police to arrest people for tweeting jokes, and the courts to pursue a case for two years, so perhaps the machines are not the problem.
Writing about big data and privacy feels like shooting at a moving target. When I started writing this chapter early in 2015, two UK Members of Parliament had just won a court case challenging a UK law called the Data Retention and Investigatory Powers Act (DRIPA), which gave sweeping powers to police and security services to get hold of our telecommunications data.
Where you were, when you sent emails and texts or made telephone calls, and to whom, could be accessed on request, merely authorised by a colleague of the person who wants to spy on you. This is often called metadata, because it doesn’t include the content of calls and messages.
They would know I took photos late at night and to whose cellphone I sent them, but not what I was photographing in my bedroom at 2am. They would know which websites I looked at, but not exactly which page of OccupyOakland.org or icreacharound.xyz6 I visited.
Even a mere human can infer a lot from metadata. A computer, combining many sources and looking for probabilities of ill intent, can infer plenty. Former head of the CIA and NSA, General Michael Hayden, is on record saying: ‘We kill people based on metadata.’
As I return to this chapter a few months later, the UK government has published a draft Investigatory Powers Bill to replace DRIPA. Civil liberties groups are already pointing out how extensively police and security agencies would be able to access not only metadata, but all our communications, even encrypted messages, which the service providers would be compelled to decrypt on demand.
Encryption, which prevents anybody except the sender and the intended recipient from reading what is sent, has been an annoyance to some since Phil Brandenburger bought that Sting album online with his credit card.
Criminals would love to hack into your computer and get access to your online banking details, to your photographs in case there was anything blackmail-worthy, or just to your friends’ email addresses, to tell them you’ve lost all your money in a distant country, and please can they wire you a few hundred dollars via this bank account?
Encryption makes it easy to lock up a file, and remarkably hard to unlock it. It’s central to the relationships of trust that let us do so much business online, or via apps on our smartphones.
UK Prime Minister David Cameron, in a speech in early 2015, said: ‘the question is, are we going to allow a means of communication which it simply isn’t possible to read? My answer to that question is: No, we must not.’ Our government wants all service providers to keep a digital back door so they can, if requested, let the police or intelligence services read our private correspondence.
Apple, one of the companies currently offering end-to-end encryption, has warned of ‘dire consequences’ if it was forced by law to end it: ‘Any back door is a back door for everyone. Everybody wants to crack down on terrorists. Everybody wants to be secure. The question is how.’
And if would-be terrorists know all commercially encrypted messages can be decrypted, they’ll simply switch to other channels and be harder to find.
Furthermore, if you accept the argument that no form of communication should be opaque to the security services, you are saying that there should be no truly private conversation.
The database state
Having your communication intercepted by spies is an extreme scenario. The same legal powers have been more widely used in the UK by the police against journalists, and even by local authorities checking that parents aren’t trying to dodge school selection rules, for example.
That expansion of powers from anti-terror to anti-using-a-fake-address-to-get-into-a-better-school is more worrying to me than allowing the security services to snoop on our telephone calls. It suggests that anyone in authority feels able to check up on us, even for trivial reasons.
Different branches of government already hold a lot of data on each of us for legitimate purposes. Now there are calls to tie all this data together for the convenience of both citizens and state.
In some countries, all official records associated with one person are already linked together, with an identifying number. In Sweden, each resident has a unique number on the population register, kept by the Swedish Tax Agency. This includes your address and details such as the date you got married. All branches of government can use this register, including vehicle licensing, pensions and health care. It’s also used by banks, insurance and mail-order companies, which must make moving house in Sweden a lot easier.
However, attempts to introduce a national ID card in Britain met resistance. Many people couldn’t see the point of having another official document to prove their identity, when a passport, driving licence or credit card was generally accepted. Initial proposals to offer a voluntary ID card were dropped as potential costs grew out of proportion to perceived benefits.
In a London cafe I meet privacy campaigner Phil Booth, a key figure in the No2ID campaign against identity cards. Tall, with a dark ponytail, he talks with an intense energy and lots of swear words, some of which have survived on to these pages. He’s not celebrating his victory against ID cards.
‘I don’t give a shit about cards,’ he says. What he opposes is, ‘the notion of the database state. That tendency of governments to try to run society or control people by watching or manipulating their data. That idea has been around amongst the bureaucrats since the invention of the filing cabinet: If only we had more data we could control things better!’
Phil answers his imaginary bureaucrats: ‘If you are only engaged in collecting data in order to get into this big data thing, I suggest you should be thinking about what it is you want to achieve, and seeing if there is a smaller, more precise dataset, based in a good appreciation of the problem you’re trying to address, that might suit your needs better.’
But surely, part of the promise of big data is recycling data you have already collected? If as a state you are already collecting people’s tax records, driving licences and addresses, why not link it all together and save us all having to fill in four different forms? Phil’s voice punches through the hubbub of the cafe.
‘Because, number one: it is unlawful. Number two: it’s an abuse of human rights.
This is why we have a human rights framework after the Second World War where a state went rogue and killed a lot of people. This is why we have laws in the area of data protection that recognise data that is about human beings, personal data, to be a special sort of data.
The rules governing personal data are very clear. If you’re collecting personal data you have to do it for a specified purpose. That is fundamental. Collect it all, decide what to do with it later, is not acceptable. This is enshrined in the Data Protection Act.’
Phil would like to see a much clearer legal framework that links privacy, data protection and human rights. At the moment, laws governing data vary between countries, and are often ill equipped to cope with today’s technology, let alone tomorrow’s.
American law tends to focus on protection and redress from misuse of data, rather than regulating its collection. The European Union takes the opposite standpoint, but is currently rewriting its laws governing data, which vary between member states.
In Germany, for example, the ‘right to informational self-determination’ is already enshrined in the constitution. Personal data, concerning an ‘identified or identifiable natural person’ is covered by data protection laws, and special protection is given to certain categories of personal data. These include anything relating to somebody’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trades union membership, health or sex life.
Lots of different groups want the European Union to make better laws that resolve some of the issues big data throws up. Medical researchers want a new approach to consent, to make it easier to repurpose data collected for previous studies. Consumers want better protection against their data being sent abroad, beyond their control. And privacy campaigners like Phil want more control to remain in the hands of the subject of the data.
With fellow campaigner Guy Herbert he combined privacy and property in a new legal concept:
‘Informational privity is analogous to some sort of human rights merged with a property right, where you can lease people use of aspects of your personal data. You may be able to say to someone: You can pass it on to other people. You can see how that plays out in health data.’
It’s all right, I’m a doctor
Health data is an area that brings the privacy dilemma into sharp focus. Neuroscientist Professor Paul Matthews talks about a fundamental dialectic, ‘the two interests, first in preserving your privacy, but secondly a sense of altruism, a sense of public interest: in general you would like to help further medical research.’
Phil Booth’s latest campaign, MedConfidential, was provoked by attempts to make all the medical data held by Britain’s National Health Service (NHS) available to researchers for both health and policy research purposes. The first initiative, care.data, was put on hold when it became clear the public was not entirely willing to entrust their very personal information to unknown researchers for unknown purposes, at least without being convinced of the value and reassured about the risks.
‘What I campaign on is not privacy,’ says Phil, ‘but confidentiality and consent. In the health arena, if you lose confidentiality, if you lose the ability for a patient to know that what they tell their doctor stays within those four walls, some people will withhold information that may be critical to their health and well-being, possibly even their life. And peripherally but equally importantly, to public health.
That is where privacy, data, the NHS, tips over into lives, deaths. People who think this data shit is not about life and death are sadly, woefully wrong.’
Phil can see the potential for research of using health data, but thinks that issues of trust were not taken seriously enough. One result is opt-out rates that threaten to make the data useless to researchers.
‘The people who are in charge thought they could rely on the accumulated trust of generations in the NHS as an institution, to make use of the big data that an institution of that scale generates.
They failed to appreciate several fundamental points,’ he says. ‘One: this is not big data this is personal data. Number two: that trust cannot be assumed, in the same way that consent cannot be implied for anything other than direct medical care.
I would make a distinction between big data that is about non-human events and big data that is about human events. Human data is not the same because each piece of data relates to an actual person’s life. Therefore it is, in law and in practice, in ethical and human rights frameworks, recognised as a different type and quality of data.’
‘It is personal data if the person is directly identifiable, and it may be identifiable even if that data does not contain obvious identifiers like name and address, postcode.’
Phil spells out how easily seemingly anonymous data becomes personal: ‘Because if you start to link together dated or timed episodes about human beings, that is a fingerprint about that person and that person could quite conceivably be re-identified. And in the context that might have other consequences.’
He concludes, ‘These are not always bad consequences, but the people who are looking at this data need to have an ethical framework.’
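To make that ‘fingerprint’ concrete, here is a minimal sketch in Python. Everything in it is invented for illustration: the pseudonyms, places and hours are not real data, and no real system works exactly like this. It simply shows how a handful of timed sightings can single out one record in a supposedly anonymous dataset.

```python
# A toy illustration of Phil's point: 'anonymous' records of where and when
# someone was seen can act as a fingerprint. All data here is invented.

from collections import Counter

# Pseudonymised travel records: (person_id, place, hour-of-week).
# No names, no addresses -- yet still potentially identifying.
records = [
    ("user_017", "dispensary", 18), ("user_017", "clinic", 40),
    ("user_017", "city_hall_plaza", 66), ("user_017", "gym", 10),
    ("user_023", "dispensary", 18), ("user_023", "gym", 40),
    ("user_023", "library", 66),
    ("user_045", "clinic", 40), ("user_045", "city_hall_plaza", 66),
    ("user_045", "cafe", 18),
]

# Three observations an outside party might already have about one person,
# perhaps from licence-plate readers or a leaked loyalty-card log.
known_sightings = {("dispensary", 18), ("clinic", 40), ("city_hall_plaza", 66)}

# Count how many of the known sightings each pseudonym matches.
matches = Counter()
for person_id, place, hour in records:
    if (place, hour) in known_sightings:
        matches[person_id] += 1

# Anyone matching every sighting is effectively re-identified.
for person_id, hits in matches.items():
    if hits == len(known_sightings):
        print(f"{person_id} matches all {hits} sightings: likely the same person")
```

With millions of real records rather than ten invented ones, the same logic applies: the more places and times you can link together, the fewer people they could possibly describe.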
Technology could help individuals exert more control over their own data.
In America, I chatted to Paul Terry, CEO of Vancouver-based company PHEMI, who had retired from tech when he joined a hospital board. Shocked by how poorly they used patient data, even in emergency situations, he got his team back together, ‘like taking The Who back on tour,’ he jokes.
PHEMI’s system enables very specific pre-consent for research or medical use, and controls not only who can access the data, but also when and where. So your consultant can read your file on their iPad over breakfast at home, but nobody who steals the iPad would be able to see your records. To Paul Terry, privacy is not about hiding your data from everybody, but about ‘the right data to the right person, at the right time, in the right context.’
Phil Booth tells me about another company, Mydex, offering a Personal Data Store (PDS) that lets each person benefit from one home for their personal details, but stay in control of who else can see or use their data.
If the will is there, it’s technologically possible for us all to retain some power over who sees our data, and how it is used.
Research design can also build in protection for the privacy of participants. Phil is impressed when I describe Eamonn Keogh’s use of insects as roaming blood-samplers.
‘That’s a beautiful design to get around consent and anonymise at the same time. That’s a perfect example. Well, I refuse consent –’ Phil laughs and slaps his own arm – ‘if I’m fast enough. But it’s completely anonymous because that bug’s belly is full of three people’s blood.’
And we don’t even know which three people they were.
Except, as Phil points out, if they analyse the DNA in the blood, it could be possible to link that sample to families or individuals whose DNA you already have on file. You know only that they were bitten by this insect within this time frame, but it could help focus the search for an elusive target.
Perhaps IARPA’s funding of Premonition is not purely motivated by the altruistic desire to prevent disease outbreaks in remote parts of the world.
But sci-fi plots using airships, drones and mosquitoes are not what concerns Phil about big data and genetics. He worries more about ‘starting to classify human beings in a certain way, by virtue of nothing more than a pure happenstance of their conception.’
Phil uses himself as an example: ‘I would be in the genetic underclass, potentially, for some of the genes that happen to be in my family over which I have no control. Simply looking at a printout of what your baby’s got the potential to have … These are not trivial decisions. We might have missed out on my aunt and cousin, myself maybe. My aunt is one of the oldest people alive with cystic fibrosis. At over 60 she is on her second pair of lungs, but she has lived a fantastically productive, wonderful, happy family life.’
I am reminded of the early statisticians, and those who first developed the science of genetics, and how many of their contemporaries embraced eugenics as the way to a better society. ‘I develop that analogy with caution,’ says Phil, ‘but I’m genuinely watching this with very close interest at a political level.’
Given the ease and cheapness of sequencing human DNA, the genome genie is out of the bottle. Legal protection may be the only way to avoid discrimination.
America has the Genetic Information Nondiscrimination Act, GINA, which outlaws unfair treatment by employers or health insurers based on genetic tests. Designed for cases like women with a faulty BRCA1 gene, who might have been refused employment because of higher health insurance premiums, GINA reached its first jury verdict this year.
Two warehouse employees in Georgia were awarded $2.25 million damages, after their employer asked them for cheek swab DNA samples. The purpose was to identify who had been defecating in the grocery distribution warehouse. The two employees, neither of whom had DNA matching the offending deposits, successfully sued their employer for breaching GINA.
Not exactly the scenario envisioned when GINA was passed, but the principle is the same: just because the technology exists, you can’t use it for any purpose you like.
Look me up sometime
When you meet an interesting7 person, it’s almost the default today to do an internet search for their name. The results depend on a few factors such as age and profession, but as well as career outlines and unflattering photographs, it’s very easy to find private details such as siblings’ names or previous addresses.
That’s the dilemma of big data. To get the maximum use from it means linking up previously unconnected information, and analysing it in new ways. But that also means knowing more about an individual, more easily than ever before.
Most of us belong to different social groups: family, friends, workmates, people you went to school with and see once a year. With them, we express different parts of our personality. Do your parents know what you got up to at that party when you left school? Do your workmates know that you wear Batman pyjamas?
Your answer to those questions depends, in part, on your age. My childhood, school and college years were passed in carefree anonymity, before social media came along to indelibly record my terrible fashion sense, drunken humiliations and awful, self-righteous ranting. If you’re in your twenties now, how do you quarantine the parts of your life whose main purpose is to help you grow up by giving you something to regret in future? Or do you just accept that everybody will know everything?
In his book, Privacy, Wolfgang Sofsky talks about the ‘transparent subject’, the person whose entire life is open to observation by the state. And this constant scrutiny is often welcomed by its subject, who wants protection, and is more afraid of fellow citizens than of the state. As Sofsky points out, the erosion of privacy goes much wider and deeper than the kind of all-seeing Big Brother described by George Orwell in his dystopian novel 1984.
Rather than a powerful state insisting on access to our secrets, it often feels more as if we ourselves regard privacy as suspect, and insist on the disinfectant of transparency even for our own personal lives. Feelings must be expressed and discussed, family life opened to friends and experts alike, relationship status posted on the internet as a mark of commitment.
Do we not readily give away all sorts of information about our private lives when we post to Facebook, Twitter and the like? Our birthdays, family members, likes and dislikes, pictures of our homes, pets, friends, meals, weddings, babies, injuries, holidays …
As Sofsky puts it:
‘Not the all-powerful “Big Brother” but rather many little brothers are busy finding out people’s secret wishes and activities.’
Little brothers
As we’ve seen, predicting your customers’ desires, sometimes before they know them, can give you an edge on your competitors.
Some of you may be more concerned about all the data gathered by companies to better understand you and market to you, than about what governments know. Others will feel that companies only gather what you agree to give them, and therefore anyone who doesn’t like that should just stop registering on websites and filling in consumer surveys.
In practice, it’s not a clear distinction. Hardly anyone reads all the privacy policies before clicking ‘I Agree’. Once you’ve agreed that your data may be shared with trusted third parties, or not un-agreed by un-checking the box, you’ve relinquished all control over which charities, arts organisations or insurance companies can use that information to classify and then contact you. And in practice, whether through resignation or a feeling that we get benefits in exchange, most of us do share at least some data, voluntarily.
A Direct Marketing Association survey in May 2015 found that the commonest reason to happily share personal information was trust in the organisation asking for it. Given how much information most of us share, you may be surprised to learn that the least trusted organisations when it came to our data were social media sites ‘like Facebook’. Top of the trust league table was the NHS, followed by banks.
The ranking for trusting organisations with data was almost exactly the same as their ranking for trust in general, with government departments and retailers in the middle. Other factors affecting our willingness to share personal information included knowing the reason why it was required, whether it would be shared more widely, and how securely it would be stored.
I would describe all these as aspects of a trust relationship. Being more concerned about governments having your data, or big corporations trying to sell you stuff, reflects your general feelings of trust towards them.
Personally, I’m relaxed about data-driven advertising. It seems to struggle with my profile. Today, Facebook’s offering me cycling T-shirts (nope) and advice for unplanned pregnancy (nope). Twitter is giving me stylish men’s shoes (still nope), data software (better) and wine (now we’re talking). But relevant or hilariously wrong, nobody forces me to buy something by showing me an advert.
However, since I started writing this book I’ve become more wary about downloading apps on to my phone and allowing them access to my contacts list or location. I check what I’m agreeing to before I start using the latest free timesaver.
Technology can help guard privacy as well as invade it. It’s a fast-changing subject, but I’ve put a few tips into an appendix in case you’re interested.
But more important, in my view, is to have very public conversations about privacy and why it’s important. Unless we regard having a private life as a key part of being an adult in modern society, we can’t defend it.
Big data makes it much easier to erode the distinction between public and private, but it’s not technology that decided the solution to falling trust was more transparency, and the answer to social atomisation was to ask the authorities to watch over our neighbours.
Back to DAC
Let’s go back to Oakland, where I’ve given up trying to talk my way into an office to see a row of computers, and returned with Brian Hofer to the City Center. At a table outside a cafe, a private conversation in a public space, he tells me the whole story.
In July 2013, not long after the Snowden revelations started to emerge, a local man called Josh Daniels noticed a routine item on the city council agenda, a vote to approve Phase 1 of the DAC, a surveillance system for the port. He got a few people along to the council meeting.
‘The first speaker was Josh Smith,’ Brian recounts, ‘and he says: “Where is your privacy policy?” Everybody just went quiet. The vote was still unanimous to proceed, but it got the community aware of the thing. So both those Joshes and some other members were the founding members of Oakland Privacy Working Group.’
The new group immediately exercised their rights, submitting a Public Records Act request for all the DAC documents. Making them public would help reach a wider audience. Including Brian.
‘I had no idea. I pay attention to politics, I read the newspaper. I had no idea this was happening until I read a December 2013 article in the East Bay Express which analysed a lot of the public record documents. By that point the project was already six months old. The very next day was an Oakland privacy meeting so I just showed up and, you know: How can I help?’
By this time the cameras and cables were installed in the port, and the council was preparing to approve Phase 2, installing equipment in the city and software to link everything together.
‘So we showed up to the Public Safety Committee and that’s when Oakland Privacy first threatened to sue the City of Oakland. That generated a great deal of press obviously and got the council’s attention. It opened the door to letting us start educating them. They had no idea what the system was and what it could do.’
That committee passed the hot potato on to the full council meeting, giving Oakland Privacy time to build a coalition with the American Civil Liberties Union (ACLU) and more than a dozen other organisations. More than 100 members of the public spoke against the DAC at the February council meeting, and the council postponed the vote to March.
‘That was the first real clue that we were on to something, that we had a chance to turn around two previous unanimous votes to proceed.’
It also gave them another three weeks to build support among ‘left, right, centre … well, you know, we don’t really have a right in Oakland, but those not so progressive, that were concerned about taxpayer costs.’ So by the time of the meeting, ‘We had 45 organisations, 200 public speakers showed up, the city council meeting started at 5.30 in the evening and the vote didn’t happen until 1 in the morning. People spoke, unanimously again, opposed to the project, and the city council voted to return it to its original 2008/9 status when it was just port infrastructure. They got rid of facial recognition, automatic licence-plate readers, they removed the city portion from the project, prohibited retention of any data.’
Within months, the campaign had convinced the city council to abandon the planned panopticon. But, says Brian, there was even better news, that the campaign didn’t anticipate:
‘They created the ad hoc committee, the citizens’ committee, that would draft the privacy policy to regulate it. Previously the city administration had given lip service: Oh yeah, we’ll work on a policy. We just felt they were going through the motions, that they hadn’t really decided to address privacy concerns. So giving us that responsibility was amazing.’
Not everybody saw it that way, says Brian, ‘On March 4, a lot of activists walked out of there thinking that we lost. They were horribly disappointed, they thought we’d wasted all this time. They thought our council was unresponsive. That is just not true. Not one of those 200 public speakers ever said anything about the tsunami warning system or the earthquake. There’s obviously parts of this project that were benign. There’s zero civil liberties risk from a tsunami warning reporting system. So March 4 was a true victory.’
Brian sees a changed attitude in City Hall. ‘You’re now seeing in the resolutions that are being written, in the questions that staff are asking, that they’re considering privacy immediately, upfront, instead of way after the fact after an activist yells at them.’
That was in 2014. A privacy policy governing the DAC, drafted with the citizens’ ad hoc Privacy Committee, including Brian Hofer and the ACLU, was passed by the city council in June 2015. It includes these words on privacy:
Privacy includes our right to keep a domain around us, which includes all those things that are part of us, such as our body, home, property, thoughts, feelings, associations, secrets, and identity. The right to privacy gives us the ability to choose which parts in this domain can be accessed by others, and to control the extent, manner and timing of the use of those parts we choose to disclose.
Put like this, you can see why your personal data is more important than just a slew of numbers across a spreadsheet.
The importance of privacy can be illustrated by dividing privacy into three equally significant parts: 1) Secrecy – our ability to keep our opinions known only to those we intend to receive them; without secrecy, people may not discuss affairs with whom they choose, excluding those with whom they do not wish to converse. 2) Anonymity – secrecy about who is sending and receiving an opinion or message, and 3) Autonomy – ability to make our own life decisions free from any force that has violated our secrecy or anonymity.
Without privacy, nobody can be fully autonomous or free.
This Policy is designed to promote a ‘presumption of privacy’, which simply means that individuals do not relinquish their right to privacy when they leave private spaces and that as a general rule people do not expect or desire for law enforcement to monitor, record, and/or aggregate their activities without cause or as a consequence of participating in modern society.
Just because you can collect this information, in other words, doesn’t mean that you should, or that we will give you permission to do so. Just because Brian and I were talking outside a cafe, doesn’t mean we expect you to come by and record everything we say.
The next stage is a standing Privacy Committee, which will draft a Surveillance Ordinance governing future technologies, based on a model written by the ACLU. And Oakland is now being used as a model for other cities, says Brian.
‘I’ve talked with government groups and privacy activists in other places and they’ve said: It’s all well and good, but it really requires an informed citizenry and active monitoring of law enforcement. And I’m like: Yeah, but that’s what we’re supposed to do! This is America, we’re supposed to hold people accountable, and government is supposed to be transparent.’
‘I know in a lot of places that just doesn’t happen,’ he concedes. ‘In Oakland we’re blessed that people care and are vocal and passionate and will hold people accountable, so we’ve been able to generate some political pressure. But it sadly is true that in a lot of places our model might not work, because these policies would get adopted and then just completely ignored.’
So what’s Brian’s top tip for other cities?
‘The first thing is pay attention, watch the agenda, watch what local government is doing.
Number two, you got to get organised. Build a coalition.’
Any city big enough to be getting surveillance equipment is big enough to have active community groups, he says.
‘Inform those people, and develop relationships with the elected leaders. Hold them accountable and educate. We were successful at generating a lot of media attention, in part because of the lawsuit, but I think the more effective strategy was educating the people that would be voting. You inform people and they make a good decision. That’s encouraging.
It’s not just understanding the technology, it’s also thinking: Well, if the technology can do that thing we do want, like predicting a tsunami, it could also do this, and follow these people around the city, and make a note of who’s been meeting with who, and whose cellphones are in the square.’
Wrong side of town
Using data in law enforcement is not only a problem for individual privacy. It can also have the consequence, intended or not, of targeting groups of people.
A journalist from Ars Technica obtained the data from Oakland’s automated licence-plate readers and, says Brian, ‘put together a map and showed super-high concentration in East and West Oakland. They’re not up in the hills targeting the rich white folks, they’re in these other communities of colour.’
Brian’s not convinced by the police argument: ‘Well that’s where the crimes happen.’ Less than two in 1,000 of those licence plates matched a suspicious vehicle on the police database. ‘How come you have a 0.16 per cent hit rate? Where is the crime? If it’s not pulling up anything what are you doing?’
Now Oakland has put aside money for PredPol, the predictive policing software we met in Chapter 6. Once again, Brian’s sceptical.
‘Just up the road in Richmond, their contract was discontinued because it was ineffective. The East Bay Express did a write-up on all these different police departments that are getting rid of it because it just doesn’t work.’
The Express examined crime statistics in several cities where PredPol was in use, publishing their report in June 2015:
‘The total number of crimes logged by the Santa Cruz police in 2011, when the police began using PredPol, was significantly above the city’s 10-year average. Last year, after three years of using PredPol to predict crime, the city’s total number of reported crimes remained significantly above the 10-year average.
Furthermore, in prior years, there were much more significant declines in assaults and other crimes, despite the fact that this was before the Santa Cruz police were using PredPol. The drops in specific types of crime in both cities appear to be just random fluctuations.’
In other words, the apparent success of PredPol’s software is down to selectively publishing figures that show improvements. And if you start using it in a high-crime year, crime levels will tend to fall in the next year or so, for the same reasons that earthquakes seem to become rarer after an especially bad year. It’s our old friend, regression to the mean.
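If you want to see regression to the mean in action, here is a minimal simulation sketch in Python, with every number invented for illustration: yearly crime counts simply fluctuate randomly around a fixed average, nothing about policing changes from one year to the next, and yet an unusually bad year is still usually followed by a better one.

```python
# A minimal sketch of regression to the mean, using made-up numbers:
# yearly crime counts fluctuate randomly around a fixed average, with no
# policing change at all.

import random

random.seed(1)
MEAN_CRIMES = 1000          # long-run average, arbitrary for illustration
NOISE = 100                 # size of year-to-year random fluctuation
YEARS = 10_000

counts = [random.gauss(MEAN_CRIMES, NOISE) for _ in range(YEARS)]

# Pick out every year that was well above average (a 'high-crime year')...
threshold = MEAN_CRIMES + NOISE
drops = [
    counts[i + 1] < counts[i]
    for i in range(YEARS - 1)
    if counts[i] > threshold
]

# ...and see how often the following year was lower.
print(f"High-crime years followed by a drop: {sum(drops) / len(drops):.0%}")
# Typically around 90 per cent, despite nothing changing at all.
```

On a typical run, roughly nine in ten of the high-crime years are followed by a drop, even though nothing in the simulated city has changed, which is why a fall in crime the year after new software arrives proves very little on its own.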
But that’s not Brian’s only objection: ‘It’s going to lead to bias, to racial profiling, because you’re telling me to go to a certain intersection at a certain time and there’s going to be a crime there. What happens when I get there? I’m going to think all those people are criminals. You’ve already put this image in my mind. You tell someone: Don’t think of an elephant! You just thought of an elephant,’ he says.
‘So we’re going to tell people: Don’t suspect Black people in East Oakland! If you’re sending me there, and you’re telling me this is a crime hotspot based on your PredPol software, I’m going to suspect these people are criminals.’
And, because I am there, if I see any minor lawbreaking, I will make an arrest. The same activity could be going on elsewhere, but if I’m not there to see it, I won’t arrest anyone. So the crime hotspot notches up another arrest, and the prophecy becomes self-perpetuating.
‘Exactly. You’re sending me here for a crime. I need to justify this to my supervisors and to the city council. Now I’m going to start issuing citations for all this low-level junk no one cares about: He’s got an open beer container on the sidewalk. Who cares! You shouldn’t have been there enforcing it, and now it’s just going to further lead to distrust in the community.
That’s the problem, even if the technology somehow magically becomes accurate, community relationships are going to be damaged.’
Privacy is an important issue, and one that won’t be resolved by technology alone. But the profiling potential of big data, letting the algorithm predict that my part of town will be a crime hotbed and your children are at risk of dropping out of school, is something I find equally worrying. And that’s what we’ll look at in the next chapter.
Notes
1 National Association for the Advancement of Colored People, a leading force in the struggle for equal civil rights for all races in America.
2 National Security Agency.
3 Then again, if you were concerned about your own communication being monitored, you might not say so in an online survey. Wouldn’t that make you look as if you had something to hide, and draw unwanted attention to yourself?
4 Yes, the UK has an airport named after legendary outlaw Robin Hood. Which gives this story an ironic twist.
5 Which identifies an internet connection, and hence often the user.
6 A site set up by Brett Lempereur in Liverpool, to show every website he visits, and give an example of what ‘collecting metadata’ means.
7 I’m including both professionally interesting and romantically interesting in this, though personally I prefer to retain a little mystery if it’s the latter. I try not to Google before a first date.