We are Privacy International and we're fighting against the UK's government hacking powers. Ask us anything!

Hi guys thanks for doing this!

​

My questions are -

​

What can regular people in the UK do to help maintain their privacy online? What equipment / practices would you advice?

​

What's your favourite movie?

We try to avoid getting into detailed guidance about what you can do to protect yourself online, for a few reasons. 

1. Because it’s a bit like victim-blaming (‘if you don’t do X, Y and Z, then it's your own fault if your data is compromised' etc) 

2. But also because our focus is on ensuring that privacy is built into the design of products and services. You shouldn't have to work for your privacy - you should have it by default.

3. Also, perhaps most worryingly, is that even if you were to follow every last piece of advice a tech genius was to give you to protect yourself (and I'm no tech genius), there's no guarantee that your devices or your data couldn't still be compromised.

With all those caveats in mind, here are some resources that might be able to help:

https://www.johnscottrailton.com/jsrs-digital-security-low-hanging-fruit/

https://ssd.eff.org/en

https://tacticaltech.org/themes/digital-security/

https://www.frontlinedefenders.org/en/resource-publication/digital-security-privacy-human-rights-defenders

And thanks for the question about movies! 

You know, I work on state surveillance issues, so of course I’m gonna take the opportunity to list a bunch of dystopian movies. Blade Runner is up there. A Clockwork Orange. Minority Report.

Our Executive Director Gus Hosein gave a great talk last week all about dystopias at Free Word’s ’This is Private’ festival in London. You can watch it on YouTube here https://www.youtube.com/watch?v=SoTSe416VyI

Btw, movies that glamourise spies don’t make it into my faves list I’m afraid. Sorry Mr Bond.

When I debate this kind of thing with friends and family, the most common response is "Well I'm not doing anything wrong, let them see it!". My question is how would you answer that question?

When I suggest to them, what if the government change the rules on what's illegal etc, it all gets a bit 1984/dystopian, and too extreme, and they don't buy it all.

Good luck!

This is the classic 'nothing to hide, nothing to fear' question. We get asked that a lot. It remains the core question - indeed, a deeply philosophical question - about the balance of power between the individual and the state. There is not one single answer to the question, but a whole set of things we would say:

    - We might think we having nothing to hide or fear, but we don't really get to decide whether we have anything to hide or fear. Governments change and they can become more authoritarian or repressive. So something you said or did today that you think is fine might not be fine tomorrow. We can't base our laws only on our trust in the government of today. Our laws and protections have to be strong enough so that even as political winds and social mores change, we maintain our personal privacy and autonomy.

    - Even if we trust our government of today (and I'm drawing here from lawyer Ben Wizner, who was drawing from security expert Bruce Schneier), the perfect enforcement of our laws, which is enabled by surveillance, would stifle social change. One prominent example is to consider the movement for LGBT rights. Until recently, sexual relations between people of the same sex was illegal in the US (and remains so in many places around the world). The perfect enforcement of those laws, which would have resulted in a blanket prohibition on this activity, would have forestalled the later movement to recognize these rights.

    - In truth, we all hide things, and there's nothing wrong with that. Governments conflate privacy with secrecy and then conflate secrecy with criminality. But isn't the state of your health, or the state of your bank balance, something you might keep not only from the government, but from many others? Does hiding those things mean that you have a dark secret? Does the government have the right to know these things about you? Do companies? How do you feel about your health insurance premiums going up based on nothing more than online searches you have carried out about certain health conditions? The more you think about the whole idea of 'hiding' things, the more we hope people realise that not only do we all have things we want to hide, but also that such information falling into the wrong hands is something we should fear.

    - The point above also gets to a final point about privacy and surveillance. We sometimes think only of the intelligence agent analysing our communications. But surveillance can affect us in many subtler, but insidious ways. It can mean your health premiums going up. It can mean not getting that job interview. It can mean a denial of government benefits. Or placement on a government watch list. All of these decisions are shrouded in secrecy, which means that we cannot meaningfully challenge them (if we even know that they have occurred). And that's why we say that privacy is fundamentally about the balance of power between the individual and the state (or companies).

UK spy agency GCHQ has the extraordinary powers to hack into your phone and computer, enabling them to download all content, log keystrokes, and even switch on your mic and camera - all secretly and totally imperceptibly.

Can you corroborate this?

UK spy agency GCHQ has the extraordinary powers to hack into your phone and computer, enabling them to download all content, log keystrokes, and even switch on your mic and camera - all secretly and totally imperceptibly.

Thanks for your question. First of all, the government explicitly avowed these powers in our case, so it's not just an assertion we're making, but one that the government has itself confirmed. You can find these avowals in the Investigatory Powers Tribunal judgment in our underlying case (para. 5): https://privacyinternational.org/sites/default/files/2018-03/2016.02.12%20Hacking%20Judgment.pdf. For more details on these powers and the evidence for our original assertions in our case, I would recommend you look at the witness statements that we submitted in the case, particularly from our former Deputy Director and a security expert (here: https://privacyinternational.org/sites/default/files/2018-03/2015.10.05%20Witness_Statement_Of_Eric_King.pdf and here: https://privacyinternational.org/sites/default/files/2018-03/2015.09.30%20Anderson_IPT_Expert_Report_2015_Final.pdf)). 

Second, the UK government has now authorized a wide range of government authorities to hack in the Investigatory Powers Act 2016. The relevant parts of the Act are Part 5, and Chapter 2, Part 5 (on "equipment interference"): http://www.legislation.gov.uk/ukpga/2016/25/contents. For the government's description of the equipment interference powers, there is also the Equipment Interference Code of Practice, available here: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/715479/Equipment_Interference_Code_of_Practice.pdf.

What is your opinion on Surveillance Capitalism? Do you think the entire market form goes against users rights to privacy? If you do think that Surveillance Capitalism goes against peoples rights to privacy would you be willing to legally fight for that? That would mean going against companies like Google, Apple, Microsoft, Facebook.

Why do you think people are generally so apathetic about the issues of their own privacy?

I don't think the answers are mutually exclusive. In other words, there can be many companies whose entire business model is built on collecting and selling personal data but that doesn't necessarily mean that the entire market is skewed against users' right to privacy. To be sure, companies that subscribe to the "surveillance capitalism" model are many and some are incredibly powerful. For that reason, we have a whole area of our work dedicated to exposing the ways in which these companies not only exploit our data, but also interfere with our rights in the process. We also believe it leads to a general and dangerous imbalance of power between ordinary users and companies and we fight for ways to try and redress that imbalance. 

I think it's also important to acknowledge that there is a strong relationship between government and corporate surveillance. Many companies are forcing us to generate more and more data about ourselves. They are storing this data, analysing it to make predictions and decisions about us (yet another form of data about us) and sharing it with numerous third parties. Governments are hungry for this data, by virtue of its mere existence. Governments also rely on companies in important ways to access this data.

That being said, there are certainly companies that care more about user privacy than others, it's an explicit part of their business model. And when considering the orientation of a company in relation to data exploitation, one general principle is to understand your role vis-a-vis the company. Google and Facebook offer services to us, but we're not really their customers. Their real customers are those purchasing ads on their platforms (or rather purchasing a slice of our attention). By contrast, companies that build our hardware, like our actual phones and computers, may be somewhat more inclined to care about our privacy, because we are actually their customers. Of course, it's not that cut and dry. Some companies sell our attention and build phones and laptops too. Some companies that build our phones and laptops don't actually care about our privacy.

Privacy can be a difficult concept to grasp because on its own, it can seem abstract and nebulous. It's not as concretized, for example, as the right to freedom from torture or from arbitrary arrest. Before Privacy International, I worked on detention issues, so I sometimes draw analogies from that work to explain why I think privacy is so fundamentally important. In the detention context, prisons are black boxes and prisoners are subjected to total state control - there are less meaningful checks on state behavior. In that sense, prisons are like a relatively pure manifestation of state power and a state's treatment of prisoners is sometimes considered a barometer for a state's true respect for civil liberties. I think a state's treatment of privacy can act as a similar barometer. Surveillance is conducted in secret - we are increasingly not informed about surveillance and lack the opportunity to question this activity. Surveillance can also present a state with opportunities to completely disempower citizens, particularly because the erosion of privacy has an incredible knock-on effect to other fundamental rights. Without the space to think and speak without judgment, we cannot exercise the right to free expression/opinion or free religion. Without privacy, we can be subjected to data mining and categorisation techniques that can result in discrimination on criteria such as race, gender and religion.

What do you think are the most promising laws in power today or about to be introduced that could limit government hacking/surveillance?

Do you notice a lack of awareness or sense of importance with people when it comes to tracking/surveillance/hacking etc.?

And lastly, what career path would you recommend to law students who are interested in Privacy Law?

Thank you!

On promising laws, I should start by saying that our position is that governments haven't really made the case that they should be hacking and so we're wary of any new laws that introduce these powers, regardless of what safeguards they may contain. But if you do look at new laws emerging across a number of different countries, it's unfortunate, but many of them lack what we think are the minimum safeguards necessary if a government is going to insist on hacking. If you're interested in seeing what kinds of safeguards we think are necessary at a minimum to constrain government hacking, check out our guide here: https://privacyinternational.org/sites/default/files/2018-08/2018.01.17%20Government%20Hacking%20and%20Surveillance.pdf. There is no country to date that has enacted a law that meets these safeguards as we've articulated them (and are grounded in the international human rights framework).

On lack of awareness, I think you're probably right. The Snowden revelations back in 2013 brought enormous attention to this issue and public awareness about the extent of state surveillance (by the US and UK in particular) increased massively. But as important as Snowden's revelations were, I don't think it means that the public now fully understand their right to privacy and how much governments interfere with that right through surveillance. But that's not the fault of the public. The US and UK governments, and many other governments around the world, are keen to downplay the reach and intrusiveness of what they do. For example, no government has ever admitted 'yes, we carry out mass surveillance' - rather, they will describe it in other terms, like that even though they intercept everything coming off a fiber-optic cable, they don't have the capacity to look at all that traffic. So we and others work hard to counter government narratives and say to the public that yes, this s*** is real. For instance, we've been at the Supreme Court of the UK over the last two days arguing with the British government about their mass hacking powers and it was only when we brought our case back in 2014 that the government finally avowed that it had these capabilities.

When I was a law student, I don't think there was a single class on privacy law or any related area of the law (e.g. cybersecurity, data protection, etc.). I think legal curricula have changed a lot since then, so if you do decide to go to law school and are interested in these areas, you should obviously explore what relevant classes are on offer. I think, however, that the best way to pursue your interest is to gain practical experience. Depending on where you're from, your law school education may include the opportunity for internships and you could explore opportunities at organisations that work on these issues. Privacy International, for example, has a volunteer program, where we have taken on law students in the past (https://privacyinternational.org/type-resource/opportunities)).

Hi guys,

I respect what you are doing and I understand that nobody wants the government snooping around their digital data, or any data for that matter.

But you must also adknowlege that GCHQ has a purpose that protects our national interests and most importantly saves lives.

I was wondering how do you best feel we can strike a balance between the need to collect on persons of interest and what you view as the overzealous hacking of the UK public?

Thanks for your question. So we completely agree that GCHQ serves a critical purpose. Our work is not about denigrating the role of GCHQ and we also recognize that that work may necessarily interfere with our right to privacy. Our mission is to ensure that GCHQ and other public bodies do not violate this right. This distinction is important and it also helps answer your question about the proper balance. International human rights law recognizes that the right to privacy is a qualified right - it's therefore a right that the government can interfere with but only pursuant to certain well-established principles. A government that ignores those principles violates our right to privacy.

The three bedrock principles set out in international human rights law are that any interference with privacy (e.g. an order to wiretap your phone) must be clearly authorized by law (and in a way foreseeable to the public), must be necessary in pursuance of a legitimate aim (e.g. to prevent or detect crime), and must be proportionate to that aim. These principles also incorporate a number of key safeguards. Those safeguards include that any interference be subject to prior independent authorisation, that it be targeted to a specific person or place or device, and that it be subject to independent oversight after the fact.

Hacking is an incredibly novel and intrusive surveillance technique, which raises disturbing human rights concerns (it interferes with the rights to privacy and free expression, but also involves the manipulation of data, so raises questions about the integrity of any evidence gathered by the government) as well as broader security concerns. For these reasons, it's not at all clear that international human rights law permits hacking to be used as a surveillance technique (as pointed out by the UN Special Rapporteur on the right to free expression in this report (para. 62) - https://www.ohchr.org/Documents/HRBodies/HRCouncil/RegularSession/Session23/A.HRC.23.40_EN.pdf)). But where governments do insist on hacking, we insist in turn that, at minimum, they must comply with a series of safeguards laid out in international human rights law and articulated by us here: https://privacyinternational.org/sites/default/files/2018-08/2018.01.17%20Government%20Hacking%20and%20Surveillance.pdf.

Does your organisation have a certain philosophy that you base your activism on?

We recognise the government need some additional powers the argument I suppose is how far those powers should go. Understanding your philosophy will help me to understand if your work is something I should support

That's a brillant question. And yes, we do have a philosophy. It can be summed up as:

- We believe privacy is necessary to human development. It is a protector of human dignity, and essential to our individual autonomy. Privacy supports the development of the person by enabling us to establish space and security. In turn, it grants the individual the freedom to define himself and herself through self-actualisation and development of identities and free thought. 

- We believe that surveillance generates power for those who surveil us, whether that's governments or companies. The more intelligence a government or company has on individuals and groups, the more our thoughts and actions become predictable, manipulatable, and controllable. Without constraints, surveillance becomes increasingly ubiquitous and intrusive. With complete surveillance, resistance to power becomes impossible, or futile.

- Related to the above, we believe that modern surveillance systems are key enablers of social, economic, and political control. Through the application of modern laws and the use of modern systems, our bodies and our activities across our daily lives are generating increasing amounts of data points, and are being commoditised and analysed in ways that were never previously possible. Even when we are aware of the systems we are not necessarily empowered to make decisions. 

- We believe that powerful and often secretive institutions, in both the public and private sectors, are now able to generate and collect intelligence on us all. So much of what happens is now beyond our knowledge or control. These institutions use this intelligence to profile and judge us, to decide what we see, what we may access, what we may do, and if and how we may participate. They interfere with our bodies, property, devices, services, networks, and lives for their own purposes, and often in secret.

- We believe that privacy is the necessary counter-balance to this enormous power. A healthy society is one that regulates power.

- We believe privacy secures people and their rights, thereby providing a foundation upon which other rights may thrive.

I’m curious about your thoughts on the CLOUD Act, especially because the UK will likely be the first country to negotiate an executive agreement under the law. Many U.S. civil liberties groups opposed the law, but I’d like to get the UK perspective.

Are there particular provisions you like to see in the US-UK agreement? Do you have any concerns about potential changes to UK law to accommodate said agreement? Thoughts on the proposed E-Evidence regulation?

Edit: sorry, I just realized the AMA is about government hacking. In that case, do you believe that a warrant requirement is enough of a safeguard in government hacking cases, or are additional measures necessary like what the US has for wiretaps?

Also, I’ve used some of your reports for my work and found them very helpful. Thank you.

Thanks for these excellent questions! It might be easiest to point you to some of our resources in this area. At a very high level, we don't support the CLOUD Act, both because the Act itself fails to articulate standards commensurate with international human rights law, and because the UK framework falls short of even these watered down standards. Here are some pieces that explain these points:

https://www.lawfareblog.com/doj-cross-border-legislation-meeting-human-rights-requirements-both-sides-pond (This analysis is not focused on the CLOUD Act specifically, but much of it still applies over to the act itself.)

https://www.lawfareblog.com/weak-link-double-act-uk-law-inadequate-proposed-cross-border-data-request-deal

https://www.justsecurity.org/44020/u-s-u-k-deal-sides-deserve-scrutiny1/

On the proposed e-evidence regulation, we recently signed onto a letter together with a number of other digital rights organizations summarizing our concerns. You can find that letter here: https://edri.org/growing-concerns-on-e-evidence-council-publishes-draft-general-approach/.

And in case you haven't seen it, we're currently running a fundraising appeal. Fighting the UK government through the courts for four years comes at considerable financial risk! So if you are able to support PI to keep fighting please chip in at  https://www.crowdjustice.com/case/hackable/

What can a private person do to make his data more secure from spying governments?

Thanks for your question. Can I refer you to the answer I gave to wu-tangkilla above.

Does using Private Browsing with a vpn protect me from being tracked?

I'm not a technical expert so I'm tagging in my colleague Eliot Bendinelli, one of our technologists, to help me answer this one...

@Eliot - It depends who is tracking you and what kind of activity it's tracking. Regardless of the method used, private browsing and a VPN will only protect you to some extent. 

Private browsing will ignore cookies and browsing history, this partially helps avoid cookie tracking (for advertisment or data collection purpose) but not entirely. The browser as well as the OS and the device you use still create a fingerprint which makes tracking possible. You can test this form of tracking here: http://nothingprivate.ml/. The Panopticlick tool by EFF also shows what makes your browser unique: https://panopticlick.eff.org/. If you want more protection against this kind of tracking, there are some browser extensions that will block tracker and extensions which fake your user agent (one part used in fingerprinting). This won't prevent all forms of tracking but it's a nice addition.

VPN will hide your IP and encrypt the traffic, it's good because it prevents trackers from identifying a unique user as many people will share the VPN's IP address. Again, this doesn't prevent fingerprinting or protect you from a specific form of tracking.

Generally speaking we believe there is a problem with the Ad-Tech industry as people have to take extensive measures to protect themselves from tracking and data collection, something that happens without their explicit consent. We have recently sent a complaint about that to data protection authorities in Europe asking them to investigate 7 identified companies. You can find more information about that on our website: https://privacyinternational.org/campaigns/tell-companies-stop-exploiting-your-data (there is also a page to ask these companies to delete your data!)

Is this an ability/issue on global scale, or localized to the UK? If the latter, what is the deciding factor: UK citizenship? Being physically within UK borders? Using an internet access from within the UK? Purchasing hardware (i.e. phone) from a shop in the UK? etc

Hacking is an ability and issue on a global scale for a number of reasons. First, there are a growing number of governments that have this capability and are deploying it. In Europe, it's not just the UK, but France, Germany, the Netherlands and Italy are all countries that carry out hacking for both law enforcement and intelligence gathering purposes. We also know it's happening to some degree in other countries. The New York Times has been reporting over the last two years, for example, on how the Mexican government has purchased services from a company to hack human rights defenders, lawyers and journalists (https://www.nytimes.com/2018/11/27/world/americas/mexico-spyware-journalist.html)).

Second, it's a global issue because hacking can impact users no matter how localised the activity is. Because hacking involves the exploitation of vulnerabilities in systems - some of which may be used by millions - even if a government is hacking its own citizens, it can have a security impact that is global in nature. Just as an example, the UAE government attempted to target a human rights dissident through hacking by exploiting a vulnerability in Apple software unknown to even Apple itself. Thankfully, the dissident realised he was being targeted and his phone was examined by security experts. They discovered the vulnerability and notified Apple immediately, which led to a software update being pushed out to all Apple users within days. If you own an Apple, you no doubt downloaded that software update to patch a security flaw a government sought to exploit. (https://www.reuters.com/article/us-apple-iphone-cyber-idUSKCN1102B1))

Third, hacking is also a global issue because governments do target both domestically and abroad. In the UK, GCHQ has the power to hack both domestically and abroad and in both cases, in a non-targeted manner. You can imagine the impact that that scale of hacking might have, both from a rights and a security perspective. The Snowden revelations disclosed, for example, that GCHQ had hacked Belgacom, the Belgian telecommunications company (https://theintercept.com/2014/12/13/belgacom-hack-gchq-inside-story/)), as well as Gemalto, a SIM card company (https://www.theguardian.com/us-news/2015/feb/19/nsa-gchq-sim-card-billions-cellphones-hacking)).

Thanks for the detailed response and the links provided!

If this is about a more global/generic view on government institution's abilities to hack (their citizens') devices... then what is the reason you're fighting the UK's one specifically?

As someone uninvolved in the topic, my first assumption would be that both the US and Russia have a far bigger profile/impact in that regard?

That's an excellent question! To begin, we do work on hacking in other contexts. For example, we intervened in several cases around an FBI hacking operation, which affected over 8,700 computers, in 120 countries and territories; over 83% of these computers were located outside the United States. (ee https://privacyinternational.org/legal-action/united-states-v-levin-and-similar-cases-fbi-hacking)). And we're currently working with the ACLU and the University of Buffalo Law School on a series of freedom of information requests in the US around federal law enforcement hacking (see https://www.justsecurity.org/60785/shining-light-federal-law-enforcements-computer-hacking-tools/)). We've also worked with partners in other countries where we've seen hacking emerge, for example, in Mexico and the Netherlands (see https://medium.com/@privacyint/letter-to-mexican-government-on-the-reported-hacking-of-civil-society-e531808dd9b2 and https://privacyinternational.org/advocacy-briefing/816/privacy-internationals-analysis-italian-hacking-reform-under-ddl-orlando)).

But we shouldn't downplay the UK's hacking powers, which are formidable for a number of reasons. One reason is that the UK is part of what's called the Five Eyes alliance, which is an intelligence sharing arrangement between the US, UK, Australia, New Zealand and Canada. The Snowden disclosures, which revealed that the UK was engaged in hacking domestically and abroad, also revealed that the US and the UK collaborate on hacking operations and also share hacking techniques (e.g. malware libraries). Another reason is that the UK's hacking powers, until we challenged them, were virtually unconstrained. Our argument in our original case, which we brought in 2014, was that there was no legal framework governing UK government hacking and therefore no rules or safeguards governing this activity.

The last thing is that we are an international organisation but we are based in London, so we sometimes bring test cases in our own backyard for practical reasons. It is also strategic too. Cases that start here may end up before the European Court of Human Rights or the Court of Justice of the European Union and the resulting decisions can therefore have an impact for a broad number of countries, beyond just the UK.

Hi PI, thank you for all you do to protect privacy and civil liberties. You’re a ‘David’ with the moral and legal high ground against a ‘Goliath’.

Why is there so much political inertia to protecting or maintaining innocent citizens’ privacy? It seems like an easy win for opposition parties and rebel MPs to criticise overbearing security powers as ‘police state’, ‘nanny state’, and ‘stalinist paranoia’.

Similarly, which parties or politicians have been most vocal at defending civil liberties?

Thank you for your support! And what a great question. It's a difficult one. I think one reason is that because the right to privacy itself can seem nebulous and abstract (see above), it's hard to understand concretely the impact that robust protection of this right can have. And that makes it politically unattractive to defend. It may be a bit analagous to the frog in a boiling pot of water - for a long time, you're slowly acclimating yourself to a climate that's a little less and less free, but at a certain point, you might look back and realise that privacy has eroded to a point where there is virtually no space for you to think, associate, just be, in a free way. By contrast, when there is a tragedy, like a terrorist attack, politicians are placed under enormous pressure to explain what happened and propose solutions. Again, because the right to privacy is difficult for people to grasp, it makes it relatively easy for politicians to propose ideas that infringe on this right.

Because we're a charity, we are a non-partisan organisation and therefore don't endorse any specific parties or politicians. What we can say is that we think almost all political parties could do a better job prioritising the right to privacy, including by championing laws that protect this right and pushing back against proposals curtailing it.