Apple, governments, privacy and public good

Apple recently announced they are no longer providing Advanced Data Protection (ADP) for UK-based customers in response to a request by the UK government. ADP basically amounts to end-to-end encryption, meaning only the user themselves can decrypt and access their data. The press is largely carrying headlines focused on the negative impact on user privacy of this decision, either deriding Apple for reversing their long-established position in relation to the privacy of user data or deriding the UK government for pushing Apple into this position. And, as always, reporting tends to be very binary, but the reality is that things are a little more nuanced than that, so I thought I would share my thoughts.

Removing ADP

So, what does this removal amount to? Basically, in my reading of it, it amounts to the removal of encryption of your data at rest. What this means is that your data continues to be encrypted in transit, so as it traverses the air, via 4G/5G or Wi-Fi, and as it traverses the internet to its final destination, being Apple's servers. So, a criminal, or another unscrupulous threat actor, intercepting data in transit will only get your data in its encrypted form and therefore be unable to access it in its raw form. The change comes at the point the data is stored on Apple's servers. Here, without ADP, the data will be stored in its unencrypted form, allowing for Apple to access the data, or for Apple to share the data with law enforcement or other government entities, or for criminals to access the data should they gain access to Apple's servers.

So what does this mean for privacy?

The fact that the data is now unencrypted at rest amounts to a reduction in privacy and an increase in risk for individuals. This is due to several reasons. Firstly, an unscrupulous Apple employee could access your data, or maybe an Apple employee might be blackmailed or socially engineered into giving away data. As Apple have the relevant encryption keys to decrypt your data, it may be that a criminal gains access to these and therefore is also able to decrypt your data, having intercepted it in its encrypted form in transit. And there is also the issue of unscrupulous governments using the same methods as the UK government to force Apple to remove end-to-end encryption and then demanding access to data in order to target dissidents or those who are vocal about the government, all under the guise of national defence or anti-terrorism. Basically, your data without ADP is not as secure and private as it would be with ADP.

Why would anyone want to reduce privacy?

This all leads to the question of why the UK government would push Apple towards this decision.    The answer is one of national security and public good largely.     Privacy is a great thing however its benefits are felt by all and that includes terrorists, criminals, users sharing child sexual abuse materials (CSAM), etc.    With end-to-end encryption there would be no method for police or security services to investigate content as they simply wouldn’t be able to access it.  They would need to arrest the criminal end user and get them to unlock their device to be able to access content.    This would limit the potential for investigation to be carried out quietly in the background, which might also limit the potential for preventative measures as opposed to reactive measures.    And I note, when things do go wrong the press is quick to identify when people have been on watch lists, etc, but what use is a watch list if you have no way to actually see what users are actually doing?   Hindsight is 20/20 but with ADP enabled foresight would be encrypted.

Balance

The challenge here is we are trying to balance the risks to individual privacy, as experienced by all users in the UK in this instance, with the need to identify those who may seek to cause harm, distress or even death.    I don’t believe there is a perfect solution sadly.    It is about risk-based decision making.   

My belief is that the net impact of the removal of ADP is negative.   It impacts and increases risk for all users while those who the UK government may seek to monitor or discover will simply shift to using non-Apple services and devices, thereby meaning the gain from the removal of end-to-end encryption will be minor if any gain exists at all.    And additionally, the fact Apple have ceded to the request of the UK government will likely mean other governments will request the same, although for some the motivation may be more related to their own aims rather than anything related to public good or safety.

Conclusion

There is, in my view, an increasing level of friction between public good and personal privacy, with this particular issue related to Apple's ADP service being the most recent and public example. We sadly cannot have privacy, but only for some or at certain times. It's privacy for all or for no-one, and where we opt for privacy for all we need to accept this will include those who seek to use privacy to cover illegal, immoral or unethical activities. This news story also highlights the challenges related to national legislation of international companies. In both cases, I think these are issues we should be discussing with our students as part of digital citizenship programmes, as these issues are only likely to grow in frequency.

Sadly, the press pick a good news headline which is good for getting readership rather than conveying the more nuanced nature of the situation. Maybe this also highlights the need for critical thinking skills too, so we can see through the black and white headlines, into the various shades of grey which are more representative of the real world.

A world of cameras

We now live in a world where, if there is a car accident or a fight or something similar everyone reaches for their phone to film it.    No-one, or very few, rush in to help and support, instead the majority whip out their mobile phone, video the event before publishing it online for the world to see, in the hope of going viral.   

A positive spin

This can be helpful in getting news out quickly, plus it can be useful in terms of evidence of what actually happened, hopefully removing subjective memories from the equation, although as I will mention later things are not quite that simple. I remember watching a movie which centred upon the use of video footage and a bloke with a handy-cam to unpick the events leading to a terrorist attack. We now live in a world where pretty much everyone has a camera with them, in their mobile phone, and therefore the chances of doing something criminal and not being recorded are slim, albeit that has just led to a growth in face coverings and hoodies to obscure the identity of those seeking to do ill. But maybe the common access to phone cameras might discourage some from committing crime, in which case that can be seen as another positive.

But privacy I hear you say

What privacy do we have where we might get caught on the camera of someone we don’t know, and where they might then publish this online for all to see, all without either our knowledge or our permission?   In a world of social media where we publish our own content this happens all the time and we may find ourselves laughing at the person who falls over however how do they feel with our own mistakes captured for eternity online and for the world to watch and laugh at?    Also, what about the videos of what happened where only an excerpt is shared online such that the content shared does not convey the context of the event and instead is purposefully picked to suit a particular narrative?  

At the edges

There is also the issue at the extreme edges of this balance, where individuals post their arguments  with security staff or police online regarding their rights to film in public, or in relation to their right to privacy and not being filmed when involved in a march or demonstration.   To the person stating their rights to film in public, I wonder as to what their aim is in filming where security or police feel the need to challenge, and to someone stating their right to privacy, if they are not doing anything wrong and the footage is only for the purpose of policing and identifying those corrupting free speech, etc. again what is their concern?   Now I know, again, things are not that simple.

Balance and pragmatism

I often cite balance and will do so here: having mobile phones and the ease of filming and photographing events presents a benefit but it also presents a risk. The technology is a tool and some will seek to use it constructively whereas others will seek to use it for their own negative ends. I am not sure what the answer is to this, although my personal feeling is we need to be a bit more pragmatic in terms of what is acceptable and unacceptable, and maybe rather than the law leading the way, it is our national culture which should lead the way in terms of what we consider acceptable and unacceptable.

I think the key issue is that video capture isn’t going away, and in fact it is getting better, higher resolution and also easier to edit with AI tools, so the challenges are only likely to grow. And the editing or creation of fake, or synthetic, imagery or footage is a clear and growing concern. It is for this reason that I think this is something we need to talk to students about as part of discussing digital citizenship. What do they think is acceptable or unacceptable and why, and how do we build a world where we, in the vast majority, stay on the acceptable side of the fence?

Privacy and OSINT

The more time I spend looking at cyber security the more concerned and paranoid I become and the more I realise how, in general, we don’t pay enough consideration to the data we share online.  Take for example a recent post I saw online where an individual was celebrating the purchase of a new house.  

They posted a lovely photo of the front of the house, with the for sale sign showing as sold. The photo didn’t include the door number, however it wouldn’t take much effort to find the address of the individual concerned. Their photo showed the name and telephone number of the estate agent, giving a rough area based on the UK area code. A quick search on the estate agent's site would give details of houses they had for sale along with photos from that period in time. A quick comparison and you have an address, plus the name of the individual is included in their social media profile. So, we now have a name and an address, plus from the social media profile we know about what they do for a living and various other bits of info.

The above is an example of OSINT or Open Source Intelligence, using freely available information to track someone down or create a profile on an individual.   It is all too easy given the information we make available online plus the various search tools which are now available. A logo, identifiable vehicle, company name or any manner of other things can help in tracking a person down.

In another post I saw, an individual posted about repairs being done by the water board and how the works blocked their driveway. The house number is in sight in the photo, as is a house name plate. Again, there is enough information to track the individual down and identify their address, with their name and job identified through their social media profile.

We all too often post photos online, such as photos from our evening run or photos with family, almost always giving away more information than we intended.   We equally may share information from health or fitness apps, possibly including run routes, again giving away more information than we intended.

This is yet another area of digital citizenship which we need to be discussing in our schools, with staff and with students.     If we don’t, it is likely that our continual sharing online will continue to compromise our privacy and potentially could result in some individuals putting themselves at risk.

Digital Citizenship

For a while now I have been sharing various online articles which I believe relate to Digital Citizenship via Twitter and also sometimes via LinkedIn, however it recently came to me that it might be useful to curate these tweets so that teachers looking for discussion material in relation to specific aspects of Digital Citizenship might be able to use them.

To that end I created three Wakelets based on three themes which I thought were reasonably common in relation to Digital Citizenship.

  • AI, Drones, Driverless cars and the other societal changes which Tech may bring

https://wke.lt/w/s/kJ3z2B

  • Cyber Security, Data Protection and Big Data

https://wke.lt/w/s/XFOeIs

  • To ban or not to ban?

https://wke.lt/w/s/09MVpQ

Now it may be that in future I may expand the number of themes.  I suspect this is highly likely, but for now the above are hopefully a good starting point.

In addition, for ease, I have created a separate section on my site for this curated Digital Citizenship content in case anyone wants to bookmark it. This section is also available via the site's menu structure.

Keeping students safe when the dark web is so easily accessible.

I just heard about software to allow the easy setup of a website on the Dark Web with little technical knowledge required and no costs other than the requirement of an internet connection.  Simple, easy and instantly anonymous.

Maintaining the safety of students online is a key part of a school’s overall efforts to safeguard students. When I first entered teaching, this was relatively straightforward. Students' only access to devices in schools was likely to be the PCs in the computer suites, where they had limited ability to make changes due to not having administrative access. In addition, the school would have internet filtering in place to protect the students, where the students' main tendency was to seek out games as opposed to any other inappropriate content. I remember, as the ICT teacher in one school, regularly having a look at the school's internet statistics and reviewing the most commonly hit sites for signs of games or other inappropriate content. It was normally games I would find and therefore games I would block. For those students who decided they wanted to bypass the school's restrictions, the tools available were limited and the required knowledge to make them work was often greater than that which the majority of students possessed.

Fast forward around 15 years, to today, and the students are more aware of the content which is available on the internet, plus the search tools are better. As such I suspect it is no longer games which are the most prevalent inappropriate website category in schools. In addition, in many schools, students now come to school with their own device, either a device required by the school or a mobile phone. The tools available to bypass school restrictions are now easily accessible, numerous and also easy to use. These tools, often aimed at supporting the right to privacy, can easily be used for other purposes such as hiding malicious or inappropriate online activity. I note for example how VPN providers can now be seen advertising their products on TV or heard on the radio. In the last couple of days, as mentioned at the start of this post, I have also heard of the easy availability of software aimed at allowing individuals to set up websites on the dark web to anonymously share content without fear of it being traced back.

The technical solutions of the past, filtering and monitoring, are no longer sufficient as simply put, monitoring and filtering doesn’t work.    This isn’t just a school problem, this is a societal issue.   The societal issue is beyond the scope of this post however within schools we cannot sit idly by, we need to take action.   We need to take a wide view of online safety which with the removal of the ICT curriculum, somewhere these issues were often discussed and explored with students, has become increasingly difficult.   Time needs to be found to explore the issues around living in a digital world, to explore online safety, ethics, privacy, security, etc however sadly for now I am not sure where there is space for this in the already packed curriculum.    Given this, for me, all schools need to ask themselves what they do in relation to online safety, and what more could they do?   This is a question that should be asked at a senior level.   It is also important that schools get together, not just to share good practice but to collectively work together to ensure we strike a balance between preparing students for the technological world and keeping them safe.  We are all in the same boat and therefore maybe we need to find a collective approach to a collective problem.

 

 

Big brother?

Big brother is truly watching us.     This week already I have read two articles in relation to devices we are now bringing into our homes to make life easier, however where there are other considerations which may be overlooked.

The first of the two articles related to the Amazon Echo device (Amazon hands over Echo ‘murder’ data, BBC). The Echo is one of a couple of voice-activated devices which are designed to make life at home easier. The idea is that you can control home internet enabled devices via voice commands and the Echo. The recent adverts for the Echo include people using voice commands to help locate their mobile phone which has been humorously swallowed by the user's dog, to turn on the lights at home and to change the volume on music which is being played, as just some examples. Google offer a similar device called the Google Home.

The issue here relates to privacy in that these devices are always listening with at least some of the data uploaded to a cloud server somewhere.    The purpose of gathering the data is to help in generating better and more accurate understanding of natural language so that the software within the devices can more accurately respond to human instructions and queries however the issue is not in the intended use, but in other possible uses.

An article on the BBC website refers to a murder case where the accused has consented to allow data gathered from an Echo device to be used in the case. This clearly wasn’t the intended use of the data gathered by Echo. In this case the outcome should hopefully be positive in helping to prove either guilt or innocence, but other uses may be less than positive. Would we be happy about the government, spy services, police, etc. spying on us using this data? Would it be acceptable for this data to be used in user or home profiling by marketing companies? Would it be acceptable to use this data in relation to identifying people's political allegiances in the approach to an election? These are just a couple of possible uses where the ethics are a little questionable. There are likely to be many more possible uses, with new uses continuing to emerge with new technologies. Is the benefit of the device comparable to the risk or sacrifice? Also, surely this data constitutes personal data, so how is its sharing and processing controlled in relation to Data Protection and the soon to be implemented General Data Protection Regulation (GDPR)? Is the info in relation to this buried in difficult to understand and seldom read terms and conditions statements?

The second article related to the CIA and the recent leak of hacking tools which they had, including tools designed to compromise Smart TVs (WikiLeaks says the CIA can use your TV to spy on you, Guardian). Similar to the issue around the Echo, again we have an always listening device, however in this case it is also always watching too, as it searches for gestures as part of its gesture control functionality. Here the benefits are never losing your remote control down the side of the sofa, however the drawbacks seem to include the CIA being able to hack your system and watch what you are doing. This also goes to show that although the purpose for the data was clear, an outside actor, in this case the CIA, found a way to gain access and make use of it. If they can do it, and given it is now public knowledge that it is possible, it is highly likely others can or will also achieve this. Again, another internet enabled device brought into the home, however again a risk. Is the benefit of the device comparable to the risk or sacrifice?

The world loves its gadgets with people quickly adopting the next thing.    Vendors such as Google, Amazon and Samsung play to this while constantly striving to make their devices as secure and safe for their user base as possible.    The issue is that these vendors also want these devices to be easily installed and configurable by end users with limited IT abilities which limits the security options available.   It also tends to mean that a system of simplistic defaults is used meanwhile we have hackers and government sponsored agencies trying to compromise these devices.

I wonder whether as the Internet of things continues to take off we will see a growth in home infrastructure security devices.   I also wonder whether there is now a greater need to have discussions with students in schools in relation to these issues, including discussing specific incidents like the ones above.    We need the adults of the future to be able to judge and balance benefits against risks, in order to make informed decisions about the increasing number of internet enabled devices making their way into our homes.    We also need them, as they become the government officials of tomorrow, to understand the implications of technology.

 

Social Media, parents and our kids

In the last week I have read two separate articles with regards the use of Facebook by parents and the impact on their children.   The first of the two posts was posted on BBC News entitled “Should children ban their children from Social Media?” while the second was in The Guardian entitled “I was so embarrassed I cried: do parents share too much online?”.   I found the discussion an interesting one and hence this post.

My use of social media for sharing personal info is very limited. I post very occasionally on Facebook, generally using it to send birthday wishes, etc. as opposed to posting my own content. I use Twitter heavily, however for professional as opposed to personal purposes, although I will admit that the line between these blurs; posting about my morning walk to work, I was considering the teacher wellbeing side of professional life, however these posts could easily be categorised as providing some insight into my personal life. I have almost never posted pictures of my two children as they have grown up, so hopefully they will never have cause to be embarrassed by something that I have posted in relation to them. That said, they may still be embarrassed by something I have posted at some point in time, albeit not directly related to them but embarrassing in that it was posted by their dad.

So how can we mitigate against this potential embarrassment? The easy, however impractical, solution is to stop posting. If I don’t post anything then there isn’t anything to be embarrassed about. Following this thought process, I can think of a few occasions when I have made a comment or said something embarrassing; does that mean I should stop talking? I am sure there have been a few occasions where my kids wish I would. The other problem with this approach to reducing embarrassment is simply that Facebook and social media are now a part of our lives. Updating friends and relatives as to events and milestones is now more common than the old approach of taking a photo, having it developed and then putting it in a photo album or in a shoebox in the cupboard. Social media makes the sharing easy and convenient to do and in doing so it adds to the richness of life. Having moved back to the UK after a number of years in the UAE I am still able to keep up with the events and friends despite them being an eight hour flight away. They still form a part of my life.

This is where things start to become a little more complex, as the postings are about my life and therefore, in the case of most parents, include milestones and events with our children. Milestones such as starting secondary school, walking for the first time, holidays with family and many other memories are eternalised through Facebook for others to see both when they happen but also many years into the unpredictable future. It is in this future space that our children will start to develop their own online identity and social media profile. This profile, through our posting as parents, will however have already started being created long before our children are able to make informed decisions with regards to who they are within the digital space we now live in. We as parents will have started to shape our children’s digital identity. I acknowledge as parents we shape our children and therefore shaping their digital identity may seem nothing more than an extension of the parental role, however I would suggest digital identity is a little different. We shape our children’s attitude, outlook, beliefs, etc. however these can change over time. In our digital footprint there is an element of permanence, as once something is posted to the internet it may be impossible to remove. Also there is the possibility for outsiders such as potential employers to view postings without access to the context within which the posting was made.

I would suggest one of the issues here is that when Facebook first became a hit there was little long term consideration for the implications of posting our lives online. Young adults flocked to use Facebook without any guidance as to the later implications. Consider the advice with regards to not posting about your home address and holiday plans as a burglar could use this in targeting your empty home; this guidance didn’t make an appearance until after Facebook postings had been allegedly associated with a few robberies and the implications had been identified. Fast forward a few years and those young users now have families with children, complete with a digital record of their children’s early years thanks to Facebook. Today I would say the implications of posting online are a little bit better known due to very public hacking incidents, cyber crime and celebrity scandals relating to social media use or the use of email in the case of a certain presidential candidate. We are a little more aware than we were. We still have a long way to go in my opinion, plus this is little use to the children of parents who posted every detail of their growing up, warts and all.

So what can we do? Privacy settings are one part of the action we can take in making sure that only those people we really want to have access to our personal postings, and the postings relating to our children, have access. Restraint is another action. Rather than posting we need to consider how the posting might impact our children in future and, if in doubt, avoid posting. We also need to open up communication with our children so they know what has been and is being shared about them. If you shared a potentially embarrassing photo of your child when they were younger, do they know the photo exists and also which social media sites it has been shared on? For truly embarrassing photos we can delete them, although as with everything on the internet we must do so with the knowledge that everything posted cannot be removed as easily. Any user could have copied a posting or taken a screenshot ready to repost, so once it is out there it may not be possible to undo. Another thing we need to do, which is something already well underway, is making sure our children are fully aware of the implications of social media. When they go on to have their own children it would be reassuring to know that we have learned from any mistakes we may have made, and that they will not readily repeat them.

Social media is here to stay, a part of modern life, so the key is ensuring all using it understand the implications both on ourselves but also on the others who might be the subject of our posts including our children, or even just innocent bystanders to a poorly framed photo.    And on that note I will stick to limited personal use of social media, for now at least.