The 2015 general election thrust privacy and surveillance back into the spotlight, with the new government promising an [Investigatory Powers Bill] that will provide the police and intelligence agencies with a new regime for interception of communications, and the Prime Minister assuring us that not only will children be protected from harmful content, but there will be no “safe space” for terrorists to communicate online.
Advocates of these policies – which can only be achieved through mass surveillance, collection, analysis and blocking of internet traffic – assure us that they are for our own protection. Indeed, the idea that we can live securely under a protective umbrella of surveillance and interception, is attractive to many; but for others the idea of a benign, watchful state is a creepy intrusion upon private lives. Surveillance advocates frequently use the argument that “if we have nothing to hide, we have nothing to fear”. It’s an attractively simple aphorism – but is there any truth in it?
The problem is that “nothing to hide, nothing to fear” sidesteps debate about the rights to privacy and freedom of speech, and ignores the complexity of the relationship between the individual and information relating to that individual. Any meaningful debate about surveillance needs to consider much wider issues, including:
– Continuity: The lifespan of any large technology system (and few systems are larger than surveillance systems) is invariably longer than that of a government. No matter how well-meaning the policy-makers are when embarking on a new interception policy, if their successors do not share their moral stance, then the powers and the data can be reused for very different and very dangerous purposes; for example, local authorities used the Regulation of Investigatory Powers Act to covertly monitor dog owners and penalise those who failed to clear up after their pets.
– Control: As the Snowden revelations have shown, there is no such thing as a single company or government holding information safely under its control: governments share intelligence with each other, and private companies host their data in shared cloud services. Sooner or later, control of that information – or more likely, copies of that information – is handed on to a third party, with unintended consequences, for example T-Mobile USA’s customers recently lost their identity details through a breach of Experian’s security.
– Security: As any information security professional knows, there is no such thing as perfect security. Whether through hacking, insider attack, misconfiguration of legitimate sharing or employee error, sooner or later information leaks. When dating site Ashley Madison lost the email addresses of 32m users, those individuals were implicated in showing interest in an affair, even if someone else had maliciously added their name to the database. Nobody has yet claimed a death because of the hack, but divorces seem inevitable.
– Accuracy: Surveillance advocates invariably assume the infallibility of their systems and data, but that is an hypothetical situation which simply does not apply in the real world. Credit reference agencies have had high-profile problems distinguishing between twins, resulting in damaged credit records that take months or even years to repair. In 2012, the government admitted that up to 20,000 criminal records were inaccurate, with numerous claims from individuals that they had been denied employment through failed CRB checks that had in fact returned someone else’s record. The consequences of these inaccuracies might be trivial for the data controllers, but can be life-changing for the individuals concerned.
Mistakes like these might seem rare, but they are going to become increasingly common. The victims of the benign database state are those who aren’t treated in accordance with the intended rules, but are at the wrong end of breakdowns in data accuracy, procedural rules, security or system errors. Under a benign government, it’s not the intended surveillance that makes victims of innocent people, but the human and machine errors. The strength of feeling about this problem has become an international political argument: the collapse of Safe Harbour in the wake of Schrems v. Facebook demonstrates how important control of personal data has become to nation states and major corporates.
So should we fear the idea of a database state, even when we have “nothing to hide”? Well, we do have things to hide. Everyone has things to hide. If I have a serious health concern, I want to be able to consult my GP without worrying my wife. If I’m looking for a new job, there is no reason why I should have to reveal that to my employer. If I’ve committed a serious crime, been convicted, rehabilitated and paid my debt to society, why should I be obliged to reveal that history to my neighbours if I pose no threat to them? This ability to control how information about us is used in any given context, is a fundamental quality of privacy in the modern age.
“Nothing to hide, nothing to fear” is a myth, a trojan horse wheeled out by those falling back on fear to justify their surveillance schemes, disproportionate databases and privacy invasions. It is a childish argument that insults intelligence and disregards the realities of building and operating technology systems, businesses, communities or governments. Perhaps the most cutting argument against “nothing to hide” is a quotation by Cardinal Richelieu, a man who understood the power of fear all too well: “Give me six lines written by the most honest man and I will find in them something to hang him.” That is something to fear, indeed.
Toby Stevens is a freelance privacy consultant. His views are his own and do not necessarily reflect those of his clients. firstname.lastname@example.org / @tobystevens