In our contribution to the 2013 UNCTAD Information Economy Report, we talked about the likely importance of place in cloud services purchasing decisions: The storage of data in multiple, usually foreign, jurisdictions raises a different set of regulatory issues including data protection and police investigatory powers. The jurisdictional issues are anchored on the location of the firm and the location of the data. In the former instance, wherever the data may be located, the firm may be ordered to ensure that data are subject to the laws applicable to the jurisdiction within which the firm is located. As a corollary, the firm may be required to ensure that the data are located is jurisdictions where the laws are consistent with those of its home jurisdiction. This was not too difficult a problem in the past because the firms that stored or processed data in foreign locations were large entities with capability to enforce the applicable rules through contracts and otherwise.
Last week, LIRNEasia taught a course on broadband policy and regulation in Sohna. One of the modules was on privacy and surveillance. One of the instructors was Sunil Abraham, acknowledged for his thoughtful and creative approach to sticky ICT policy questions. Drawing a diagram, he pointed out that if surveillance was exclusively focused on the small percentage, perhaps five percent, of people who were engaged in terrorism or other bad acts, law enforcement would be more efficient and the liberties enjoyed by the non-terroristically inclined majority would be that much safer. On the face, a beguiling proposition.
The mass surveillance apparatus promised by the Government of India has yet to kick in, but according to a survey (the method is not fully reported, so we cannot vouch for veracity), Indians are already taking precautions. Asia accounts for four of the world’s top five VPN-using countries, although Indian netizens are more likely to hide their location than those in China, according to new research. Out of 28 per cent of global users who tunnel through the internet, only one fifth do so because they don’t want to be spotted by government snoopers, according to a Global Web Index study of 32 countries (H/T to TechInAsia). Presumably the other four-fifths are either very security conscious or trying to get on BBC iPlayer. In descending order, the top five are India, Vietnam, Thailand, China and Turkey – all of which have usage figures of a little over 20 per cent, according to the sample surveyed.
John Podesta is no stranger to privacy issues. I can remember some interactions with him in the context of the Electronic Privacy Information Center (EPIC) during the Clinton Presidency. He has now been tasked with producing a big data-privacy report in 90 days. We are undergoing a revolution in the way that information about our purchases, our conversations, our social networks, our movements, and even our physical identities are collected, stored, analyzed and used. The immense volume, diversity and potential value of data will have profound implications for privacy, the economy, and public policy.
President Obama’s first response to the revelations of NSA malfeasance was jarring to many, an unhappiness articulated by Pratap Bhanu Mehta. Now we have Obama’s considered response: Mr. Obama also said he was taking the “unprecedented step” of extending privacy safeguards to non-Americans, including requiring that data collected abroad be deleted after a certain period and limiting its use to specific security requirements, like counterterrorism and cybersecurity. “The bottom line,” he said, “is that people around the world — regardless of their nationality — should know that the United States is not spying on ordinary people who don’t threaten our national security.” Full report.
For too long, the field of privacy has been becalmed by religious fealty to a concept propounded by two New England aristocrats who were annoyed by paparazzi taking pictures of a party in a home. The ill-considered explosion set off by the NSA in its zeal to prevent all future acts of terror has opened up space for new thinking on the subject. An op-ed in the Washington Post is a good example: This is an anonymity problem: The NSA cannot create a dossier on you from your metadata unless it knows that you made the calls the agency is looking at. The privacy question is all about data-gathering: Should the NSA have access to nationwide metadata? The right answer to that question is yes.
One of the reasons we opposed the ill-considered efforts by ETNO and others to impose sending-party-network-pays charging on Internet traffic was the danger of balkanization: differential access to the Internet from different countries or splinternet. We beat back that effort in a temporary alliance with the US State Department, but little did we know that another part of the US government was actively destroying the basis of the Internet. It will cause massive negative economic effects to US tech companies, as described well in a Wired article. Zuckerberg is referring to a movement to balkanize the Internet—a long-standing effort that would potentially destroy the web itself. The basic notion is that the personal data of a nation’s citizens should be stored on servers within its borders.
Since 2010, we at LIRNEasia have been engaged with problems of international backhaul. Renesys, an authoritative voice in this space, has a nice summary of developments in 2013. Here is their conclusion, influenced no doubt by the incredible damage done to US players in this space by the indiscriminate snooping of NSA. Increasingly, simply having inexpensive connectivity in our interconnected world is not enough. As enterprises become more sophisticated consumers of Internet transit, they seek connectivity alternatives that will keep their own customers happy.
I once invited Bruce Schnier to speak on cryptography at a Ohio State U conference. He came and gave a good talk. But he’s now a star. He exposed the NSA inserting back doors into national cryptography standards. Here is his big picture analysis: Not only is ubiquitous surveillance ineffective, it is extraordinarily costly.
We think about transaction-generated data (TGD) a lot. The essence is that data generated as a by-product of some activity (and which is therefore highly accurate) can tell us more about behavior (even future behavior) than all the questionnaires in the world. Behavior associated with music, closely tied to emotion,seems like an even better candidate than reading. During the next federal election cycle, for instance, Pandora users tuning into country music acts, stand-up comedians or Christian bands might hear or see ads for Republican candidates for Congress. Others listening to hip-hop tunes, or to classical acts like the Berlin Philharmonic, might hear ads for Democrats.
In a recent contribution to a just-published UNCTAD report on cloud computing we said: The other aspect of the problem is whether data are subject to the laws of the jurisdictions where the cloud computing companies are located. For example, take the case of a company in Country A using the services of a cloud computing supplier registered in Country B, which dynamically stores and processes the Country A firm’s data on server farms located in Countries C, D and E. Country A may not be happy to have the laws of Country B apply to the data and that its police may go trawling therein. The applicability of the laws of the country where the storage and processing occurred poses a new set of problems, because even determining which country has jurisdiction may be difficult in light of dynamic resource allocation. This was well before Snowden changed the entire discourse.
This was a central claim in the highly significant ruling made by Federal District Court in Washington DC: In a 68-page ruling, Judge Leon said the N.S.A. program that systematically gathers records of Americans’ phone calls was most likely unconstitutional, rejecting the Obama administration’s argument that a 1979 case, Smith v. Maryland, was a controlling precedent.
A new robot equipped with multiple sensors that can collect information from its surroundings that can be matched against “big data” streams has been announced. The facts are interesting. Even more intriguing is the allusion to Minority Report. K5 also raises questions about mass surveillance, which has already set off intense debate in the United States and Europe with the expansion of closed-circuit television systems on city streets and elsewhere. The Knightscope founders, however, have a radically different notion, which involves crime prediction, or “precog” — a theme of the movie “Minority Report.
To me, the biggest question arising from the Snowdon affair is why everyone is acting so surprised. “Everyone was so focused on the N.S.A. secretly getting access to the front door that there was an assumption they weren’t going behind the companies’ backs and tapping data through the back door, too,” said Kevin Werbach, an associate professor at the Wharton School.
My work on privacy in the 1990s greatly benefited from my teaching. My classes were like laboratories where we tested out scenarios and concepts. I (and my students) also engaged with science fiction. I still talk about the extraordinarily powerful, low-tech surveillance techniques described by Margaret Atwood in The Handmaid’s Tale. That was brought to me by a student.
I touched on this issue at the cloud computing session at IGF 2013 in Bali. The scandal of NSA and CIA spying is likely to do serious damage to US firms. I for one do not place much faith in the good behavior of any government and do not see much point in simply replacing American companies with non-American. The backlash against government Internet surveillance could hurt the United States economy, partly because businesses and consumers could abandon United States cloud companies, said Richard Salgado, the director for law enforcement and information security at Google, in testimony before the Senate judiciary subcommittee on privacy, technology and the law. He cited studies like one from Forrester that predicted the cloud computing industry could lose $180 billion, 25 percent of its revenue, by 2016.