privacy – OUseful.Info, the blog…

Fragment: Towards the Age of Coveillance?

There’s a lot of chat, and a lot of reports out (I’ll get around to listing them when I take the time to…) regarding the potential use of phone apps of various flavours regarding contact tracking as a possible tech solutionist contribution to any release of lockdown, particularly at scale over extended periods…

…so I’m really surprised that folk aren’t making use of the coveillance / #coveillance tag to refer to the strategy, playing on “covid-19″, “contact tracing”, “surveillance“, and even at a push, “panopticon” and so on…

From a quick search, the first reference I could find is from a course several years ago at Berkeley, 290. Surveillance, Sousveillance, Coveillance, and Dataveillance, Autumn/Fall 2009, taught by Deirdre Mulligan, which had the following description:

We live in an information society. The use of technology to support a wide array of social, economic and political interactions is generating an increasing amount of information about who, what and where we are. Through self documentation (sousveillance), state sponsored surveillance, and documentation of interaction with others (coveillance) a vast store of information — varied in content and form — about daily life is spread across private and public data systems where it is subject to various forms of processing, used for a range of purposes (some envisioned and intended, others not), and subject to various rules that meet or upend social values including security, privacy and accountability. This course will explore the complex ways in which these varied forms of data generation, collection, processing and use interact with norms, markets and laws to produce security, fear, control, vulnerability. Some of the areas covered include close-circuit television (CCTV) in public places, radio frequency identification tags in everyday objects, digital rights management technologies, the smart grid, and biometrics. Readings will be drawn from law, computer science, social sciences, literature, and art and media studies

This gives us a handy definition: coveillance: documentation of interaction with others

A more comprehensive discussion is given in the CC licensed 2012 book Configuring the Networked Self by Julie E. Cohen (printable PDF), specifically Chapter 6, pp. 13-16:

Coveillance, Self-Exposure, and the Culture of the Spectacle

Other social and technological changes also can alter the balance of powers and disabilities that exists in networked space. Imagine now that our café-sitting individual engages in some embarrassing and unsavory behavior— perhaps she throws her used paper cup and napkin into the bushes, or coughs on the milk dispenser. Another patron of the café photographs her with his mobile phone and posts the photographs on an Internet site dedicated to shaming the behavior. This example reminds us that being in public entails a degree of exposure, and that (like informational transparency) sometimes exposure can have beneficial consequences. (It also reminds us, again, that online space and real space are not separate.) Maybe we don’t want people to litter or spread germs, and if the potential for exposure reduces the incidence of those behaviors, so much the better. Or suppose our café-sitter posts her own location on an Internet site that lets its members log their whereabouts and activities. This example reminds us that exposure may be desired and eagerly pursued; in such cases, worries about privacy seem entirely off the mark. But the problem of exposure in networked space is more complicated than these examples suggest.
The sort of conduct in the first example, which the antisurveillance activist Steve Mann calls “coveillance,” figures prominently in two different claims about diminished expectations of privacy in public. Privacy critics argue that when technologies for surveillance are in common use, their availability can eliminate expectations of privacy that might previously have existed. Mann argues that because coveillance involves observation by equals, it avoids the troubling political implications of surveillance. But if the café-sitter’s photograph had been posted on a site that collects photographs of “hot chicks,” many women would understand the photographer’s conduct as an act of subordination. And the argument that coveillance eliminates expectations of privacy visà-vis surveillance is a non sequitur. This is so whether or not one accepts the argument that coveillance and surveillance are meaningfully different. If they are different, then coveillance doesn’t justify or excuse the exercise of power that surveillance represents. If they are the same, then the interest against exposure applies equally to both.
In practice, the relation between surveillance and coveillance is more mutually constituting than either of these arguments acknowledges. Many employers now routinely search the Internet for information about prospective hires, so what began as “ordinary” coveillance can become the basis for a probabilistic judgment about attributes, abilities, and aptitudes. At other times, public authorities seek to harness the distributed power of coveillance for their own purposes—for example, by requesting the identification of people photographed at protest rallies.23 Here what began as surveillance becomes an exercise of distributed moral and political power, but it is power called forth for a particular purpose.
Self-exposure is the subject of a parallel set of claims about voyeurism and agency. Some commentators celebrate the emerging culture of selfexposure. They assert that in today’s culture of the electronic image, power over one’s own image resides not in secrecy or effective data protection, which in any case are unattainable, but rather in the endless play of images and digital personae. We should revel in our multiplicity, and if we are successful in our efforts to be many different selves, the institutions of the surveillant assemblage will never be quite sure who is who and what is what. Conveniently in some accounts, this simplified, pop-culture politics of the performative also links up with the celebration of subaltern identities and affiliations. Performance, we are told, is something women and members of racial and sexual minorities are especially good at; most of us are used to playing different roles for different audiences. But this view of the social meaning of performance should give us pause.
First, interpreting self-exposure either as a blanket waiver of privacy or as an exercise in personal empowerment would be far too simple. Surveillance and self-exposure bleed into each other in the same ways that surveillance and coveillance do. As millions of subscribers to social-networking sites are now beginning to learn, the ability to control the terms of self-exposure in networked space is largely illusory: body images intended to assert feminist selfownership are remixed as pornography, while revelations intended for particular social networks are accessed with relative ease by employers, police, and other authority figures. These examples, and thousands of others like them, argue for more careful exploration of the individual and systemic consequences of exposure within networked space, however it is caused.
Other scholars raise important questions about the origins of the desire for exposure. In an increasing number of contexts, the images generated by surveillance have fetish value. As Kirstie Ball puts it, surveillance creates a “political economy of interiority” organized around “the ‘authenticity’ of the captured experience.” Within this political economy, self-exposure “may represent patriotic or participative values to the individual,” but it also may be a behavior called forth by surveillance and implicated in its informational and spatial logics. In the electronic age, performances circulate in emergent, twinned economies of authenticity and perversity in which the value of the experiences offered up for gift, barter, or sale is based on their purported normalcy or touted outlandishness. These economies of performance do not resist the surveillant assemblage; they feed it. Under those circumstances, the recasting of the performative in the liberal legal language of self-help seems more than a little bit unfair. In celebrating voluntary self-exposure, we have not left the individualistic, consent-based structure of liberal privacy theory all that far behind. And while one can comfortably theorize that if teenagers, women, minorities, and gays choose to expose themselves, that is their business, it is likely that the burden of this newly liberatory self-commodification doesn’t fall equally on everyone.
The relation between surveillance and self-exposure is complex, because accessibility to others is a critical enabler of interpersonal association and social participation. From this perspective, the argument that privacy functions principally to enable interpersonal intimacy gets it only half right. Intimate relationships, community relationships, and more casual relationships all derive from the ability to control the presentation of self in different ways and to differing extents. It is this recognition that underlies the different levels of “privacy” enabled (at least in theory) by some—though not all—social-networking sites.Accessibility to others is also a critical enabler of challenges to entrenched perceptions of identity. Self-exposure using networked information technologies can operate as resistance to narratives imposed by others. Here the performative impulse introduces static into the circuits of the surveillant assemblage; it seeks to reclaim bodies and reappropriate spaces.
Recall, however, that self-exposure derives its relational power partly and importantly from its selectivity. Surveillance changes the dynamic of selectivity in unpredictable and often disorienting ways. When words and images voluntarily shared in one context reappear unexpectedly in another, the resulting sense of unwanted exposure and loss of control can be highly disturbing. To similar effect, Altman noted that loss of control over the space-making mechanisms of personal space and territory produced sensations of physical and emotional distress. These effects argue for more explicitly normative evaluation of the emerging culture of performance and coveillance, and of the legal and architectural decisions on which it relies.
Thus understood, the problems of coveillance and self-exposure also illustrate a more fundamental proposition about the value of openness in the information environment: openness is neither neutral nor univalent, but is itself the subject of a complex politics. Some kinds of openness serve as antidotes to falsehood and corruption; others serve merely to titillate or to deepen entrenched inequalities. Still other kinds of openness operate as self-defense; if anyone can take your child’s picture with his mobile phone without you being any the wiser, why shouldn’t you know where all of the local sex offenders live and what they look like? But the resulting “information arms races” may have
broader consequences than their participants recognize. Some kinds of openness foster thriving, broadly shared education and public debate. Other, equally important varieties of openness are contextual; they derive their value precisely from the fact that they are limited in scope and duration. Certainly, the kinds of value that a society places on openness, both in theory and in practice, reveal much about that society. There are valid questions to be discussed regarding what the emerging culture of performance and coveillance reveals about ours.
It is exactly this conversation that the liberal credo of “more information is better” has disabled us from having. Jodi Dean argues that the credo of openness drives a political economy of “communicative capitalism” organized around the tension between secrets and publicity. That political economy figures importantly in the emergence of a media culture that prizes exposure and a punditocracy that assigns that culture independent normative value because of the greater “openness” it fosters.28 Importantly, this reading of our public discourse problematizes both secrecy and openness. It suggests both that there is more secrecy than we acknowledge and that certain types of public investiture in openness for its own sake create large political deficits.
It seems reasonable to posit that the shift to an information-rich, publicity-oriented environment would affect the collective understanding of selfhood. Many theorists of the networked information society argue that the relationship between self and society is undergoing fundamental change. Although there is no consensus on the best description of these changes, several themes persistently recur. One is the emergence and increasing primacy of forms of collective consciousness that are “tribal,” or essentialized and politicized. These forms of collective consciousness collide with others that are hivelike, dictated by the technical and institutional matrices within which they are embedded. Both of these collectivities respond in inchoate, visceral ways to media imagery and content.
I do not mean here to endorse any of these theories, but only to make the comparatively modest point that in all of them, public discourse in an era of abundant information bears little resemblance to the utopian predictions of universal enlightenment that heralded the dawn of the Internet age. Moreover, considerable evidence supports the hypothesis that more information does not inevitably produce a more rational public. As we saw in Chapter 2, information flows in networked space follow a “rich get richer” pattern that channels everincreasing traffic to already-popular sites. Public opinion markets are multiple and often dichotomous, subject to wild swings and abrupt corrections. Quite likely, information abundance produces a public that is differently rational — and differently irrational — than it was under conditions of information scarcity. On that account, however, utopia still lies elsewhere.
The lesson for privacy theory, and for information policy more generally, is that scholars and policy makers should avoid investing emerging norms of exposure with positive value just because they are “open.” Information abundance does not eliminate the need for normative judgments about the institutional, social, and technical parameters of openness. On the contrary, it intensifies the need for careful thinking, wise policy making, and creative norm entrepreneurship around the problems of exposure, self-exposure, and coveillance. In privacy theory, and in other areas of information policy, the syllogism “if open, then good” should be interrogated rather than assumed.

From that book, we also get a pointer to the term appearing in the literature: Mann, Steve, Jason Nolan, and Barry Wellman. “Sousveillance: Inventing and Using Wearable Computing Devices for Data Collection in Surveillance Environments.” Surveillance and Society 1.3 (2003): 331–55 [PDF]:

In conditions of interactions among ordinary citizens being photographed or otherwise having their image recorded by other apparently ordinary citizens, those being photographed generally will not object when they can see both the image and the image capture device … in the context of a performance space. This condition, where peers can see both the recording and the presentation of the images, is neither “surveillance” nor “sousveillance.” We term such observation that is side-to-side “coveillance,” an example of which could include one citizen watching another.

Mann seems to have been hugely interested in wearables and the “veillance” opportunities afforded by them, for example, folk wearing forward facing cameras using something like Google Glass (remember that?!). But the point to pull from the definition is perhaps generalising “seeing” to meaning things like “my device sees yours”, and whilst the device(s) may be hidden, the expectation is that: a) we all have one; b) it is observeable, then we are knowingly in an (assumed) state of coveillance.

By the by, another nice quote from the same paper:

In such a coveillance society, the actions of all may, in theory, be observable and accountable to all. The issue, however, is not about how much surveillance and sousveillance is present in a situation, but how it generates an awareness of the disempowering nature of surveillance, its overwhelming presence in western societies, and the complacency of all participants towards this presence.

Also by the by, I note in passing a rather neat contrary position in the form of coveillance.org, “a people’s guide to surveillance: a hands-on introduction to identifying how you’re being watched in daily life, and by whom” created by “a collective of technologists, organizers, and designers who employ arts-based approaches to demystify surveillance and build communal counterpower”.

PS as promised, some references:

COVID-19 Rapid Evidence Review: Exit through the App Store?, Ada Lovelace Institute;
COVID-19 Rapid Response Impact Initiative | White Paper 5
Outpacing the Virus: Digital Response to Containing the Spread of COVID-19 while Mitigating Privacy Risks, Edmond J. Safra Center for Ethics;
interesting draft of a Coronavirus (Safeguards) Bill 2020: Proposed protections for digital interventions and in relation to immunity certificates, by privacy concerned academics such as Lilian Edwards;
an EFF paper on The Challenge of Proximity Apps For COVID-19 Contact Tracing.

Please feel free to add further relevant links to the comments…

I also note (via tweet a few days ago from Owen Boswarva) that moves are afoot in the UK to open up Unique Property Reference Numbers (UPRNs) and Unique Street Reference Numbers (USRNs) via the Ordnance Survey. These numbers uiniquely reference properties and would, you have to think, make for interesting possibilities as part of a coveillance app.

And finally, given all the hype around Google and Apple working “together” on a tracking app, partly becuase they are device operating system manufacturers with remote access (via updates) to lots of devices…, I note that I haven’t seen folk mentioning data aggregators such as Foursquare in the headlines, given they already aggregate and (re)sell location data to Apple, Samsung etc etc (typical review from within the last year from the New York Intelligencer: Ten Years On, Foursquare Is Now Checking In to You). They’re also acquisitive of other data slurpers, eg buying Placed from Snap last year (a service which “tracks the real-time location of nearly 6 million monthly active users through apps that pay users or offer other types of rewards in exchange for access to their data”) and just recently, Factual, the blog post announcing which declares: “The new Foursquare will offer unparalleled reach and scale, with datasets spanning:”

More than 500 million devices worldwide
A panel of 25 million opted-in, always on users and over 14 billion user confirmed check-ins
More than 105 million points of interest across 190 countries and 50 territories

How come folk aren’t getting twitchy, yet?

Sharing Goes Both Ways – No Secrets Social

A long time ago, I wrote a post on Personal Declarations on Your Behalf – Why Visiting One Website Might Tell Another You Were There that describes how publishers who host third party javascript on their website allow those third parties to track your visits to those websites.

This means I can’t just visit the UK Parliament website unnoticed, for example. Google get told about every page I visit on the site.

(I’m still not clear about the extent to which my personal Google identity (the one I log into Google with), my advertising Google identity (the one that collects information about the ads I’ve been shown and the pages I’ve visited that run Google ads), and my analytics Google identity (the one that collects information about the pages I’ve visited that run Google Analytics and that may be browser specific?) are: a) reconciled? b) reconcilable? I’m also guessing if I’m logged in to Chrome, my complete browsing history in that browser is associated with my Google personal identity?)

The Parliament website is not unusual in this respect. Google Analytics are all over the place.

In a post today linked to by @charlesarthur and yesterday by O’Reilly Radar, Gizmodo describes How Facebook Figures Out Everyone You’ve Ever Met.

One way of doing this is similar to the above, in the sense of other people dobbing you in.

For example, if you appear in the contacts on someone’s phone, and they allowed Facebook to “share” their phone contact details when they install the Facebook app (which many people do), Facebook gains access firstly to my contact details and secondly to the fact that I stand in some sort of relationship to you.

Facebook also has the potential to log that relationship against my data, even if I have never declared that relationship to Facebook.

So it’s not “my data” at all, in the sense of me having informed Facebook about the fact. It’s data “about me” that Facebook has collected from wherever it can.

I can see what I’ve told Facebook on my various settings pages, but I can’t see the “shadow information” that Facebook has learned about me from other people. Other than through taunts from Facebook about what it thinks it knows about me, such as friend suggestions for people it thinks I probably know (“People You May Know”), for example…

…or facts it might have harvested from people’s interactions with me. When did you, along with others, last wish someone “Happy Birthday” using social media, for example?

Even if individuals are learning how to use social media platforms to keep secrets from each other (Secrets and Lies Amongst Facebook Friends – Surprise Party Planning OpSec), those secrets are not being held from Facebook. Indeed, they may be announcing those secrets to it. (Is there a “secret party” event type?! For example, create a secret party event and then as the first option list the person or persons who should not be party to the details so Facebook can help you maintain the secrecy…?)

Hmm… thinks… when you know everything, you can use that information to help subsets of people keep secrets from intersecting sets of people? This is just like a twist on user and group permissions on multi-user computer systems, but rather than using the system to grant or limit access to resources, you use it to control information flows around a social graph where the users set the access permissions on the information.

This is not totally unlike targeting ads (“dark ads”) to specific user groups, ads that are unseen by anyone outside those groups. Hmmm…

Ad-Tech – A Great Way in To OSINT

Open Source Intelligence – OSINT – is intelligence that can be collected from public sources. That is to say, OSINT is the sort of intelligence that you should be able to collect using a browser and a public or academic library that also provides access to public subscription content. (For an intro to OSINT, see for example Sailing the Sea of OSINT in the Information Age; for example context, Threat Intelligence: Collecting, Analysing, Evaluating). OSINT can be used as much by corporates as by the security services. It’s also up for grabs by journalists, civil society activists and stalkers…

Looking at the syllabus for a OSINT beginners course, such as IMSL’s Basic Open Source (OSINT) Research & Analysis Tradecraft turns up the sorts of thing you might also expect to see as part of one of Phil Bradley or Karen Blakeman’s ILI search workshops:

Appreciation of the OS environment
- Opportunities, Challenges and Threats
Legal and Ethical Guidance
Search Tradecraft
- Optimising Search
- Advanced Search Techniques
Profile Management and Risk Reduction
- Technical Anonymity/Low Attribution
- Security Tradecraft
Social Media exploitation
- Orientation around the most commonly used platforms Twitter, Facebook, LinkedIn etc.
- Identifying influence
- Event monitoring
- Situational Awareness
- Emerging social media platforms
Source Evaluation
- Verifying User Generated Content on Social Media

And as security consultant Bruce Schneier beautifully observed in 2014, [s]urveillance is the business model of the Internet.

What may be surprising, or what may help explain in part their dominance, is that a large part of the surveillance capability the webcos have developed is something they’re happy to share to with the rest of us. Things like social media exploitation, for example, allow you to easily identify social relationships, and pick up personal information along the way (“Happy Birthday, sis..”). You can also identify whereabouts (“Photo of me by the Eiffel Tower earlier to day”), captioned or not – Facebook and Google will both happily tag your photos for you to make them, and the information, or intelligence, they contain more discoverable.

Part of the reason that the web companies have managed to grow so large is that they operate very successful two-sided markets. As the FT Lexicon defines it, these are markets that provide “a meeting place for two sets of agents who interact through an intermediary or platform”. In the case of the web cos, “social users” who gain social benefit from interacting with each other through the platform, and the advertisers who pay the platform to advertise to the social users (Some Notes on Churnalism and a Question About Two Sided Markets).

A naive sort of social media intelligence would focus, I think, on what can be learned simply through the publicly available activity on the social user side of the platform, albeit activity that may be enriched through automatic tagging by the platform itself.

But there is the other side of the platform to consider too. And the tools on that side of the platform, the tools developed for the business users, are out and out designed to provide the business users – the advertisers – with intelligence about the social users.

Which is all to say that if surveillance is your thing, then ADINT – Adtech Intelligence – could be a good OSINT way in, as a recent paper from the Paul G. Allen School of Computer Science & Engineering, University of Washington describes: ADINT: Using Targeted Advertising for Personal Surveillance (read the full paper; Wired also picked up the story: It Takes Just $1,000 to Track Someone’s Location With Mobile Ads). Here’s the paper abstract:

Targeted advertising is at the heart of the largest technology companies today, and is becoming increasingly precise. Simultaneously, users generate more and more personal data that is shared with advertisers as more and more of daily life becomes intertwined with networked technology. There are many studies about how users are tracked and what kinds of data are gathered. The sheer scale and precision of individual data that is collected can be concerning. However, in the broader public debate about these practices this concern is often tempered by the understanding that all this potentially sensitive data is only accessed by large corporations; these corporations are profit-motivated and could be held to account for misusing the personal data they have collected. In this work we examine the capability of a different actor — an individual with a modest budget — to access the data collected by the advertising ecosystem. Specifically, we find that an individual can use the targeted advertising system to conduct physical and digital surveillance on targets that use smartphone apps with ads.

The attack is predicated in part around knowing the MAID – the Mobile Advertising ID (MAID) – of a user you want to track, and several strategies are described for obtaining that.

I haven’t looked at adservers for a long time (or Google Analytics for that matter), so I thought I’d have a quick look at what the UIs support. So for example, Google AdWords seems to offer quite a simple range of tools, that presumably let me target based on various things, like demographics:

or location:

or time:

It also looks like I can target ads based on apps a user users:

or websites they visit:

though it’s not clear to me if I need to be the owner of those apps or webpages?

If I know someone’s email address, it also looks like I can use that to vector an ad towards them? Which means Google cookies presumably associate with an email address?

This email vectoring is actually part of Google’s “Customer Match” offering, which “lets you show ads to your customers based on data about those customers that you share with Google”.

So how about Facebook? As you might expect, there’s a range of audience targeting categories that draw heavily on the information users provide to the system:

(You’ve probably heard the slogan “if you aren’t paying for the product, you are the product” and thought nothing of it. Are you starting to feel bought and sold, yet?)

Remember that fit of anger, or joy, when you changed your relationship, maybe also flagging a life event (= valuable to advertisers)?

Or maybe when you bought that thing (is there a Facebook Pay app yet, to make this easier for Facebook to track?):

And of course, there’s location:

If you fancy exploring some more, the ADINT paper has a handy table summarising what’s offered by various other adtech providers:

On the other hand, if you want to buy readymade audiences from a data aggregator, try the Oracle Data Marketplace. It looks as if they’ll happily resell you audiences derived from Experian data, for example:

So I’m wondering, what other sorts of intelligence operation could be mounted against a targeted individual using adtech more generally? And what sorts of target identification can be achieved through a creative application of adtech, and maybe some simple phishing to entice a particular user onto a web page you control and which you can use to grab some preliminary tracking information from targeted users you entice there?

Presumably, once you can get your hooks into a user, maybe by enticing them to a web page that you have set up to show your ad so that the adserver can spear the user, you can also use ad retargeting or remarketing (that follows users around the web, in the sense of continuing to show them ads from a particular campaign) to keep a tail on them?

[This post was inspired by an item on Mike Caulfield’s must read Traces weekly email newsletter. Subscribe to his blog – Hapgood – for a regular dose of digital infoskills updating. You might also enjoy his online book Web Literacy for Student Fact-Checkers.]

UK Ministry of Justice GPS Tagging Trial

A couple of days ago, NOMS (the National Offender Management Service) and the Ministry of Justice put out a toolkit for a pilot GPS tagging programme, or as they call it, an Electronic Monitoring Global Positioning System.

According to the toolkit documentation, tags can be be used as a condition of bail:

The Bail Act 1976 is the legislation governing court-imposed bail. This allows the use of electronic monitoring but only to ensure compliance with another bail condition (e.g. curfew, geographical exclusion): s6ZAB. To note there is no power to impose Electronic Monitoring as a stand-alone bail condition but only to monitor another pre-existing bail condition. … Where the court does impose electronic monitoring of a pre-existing bail condition then a person must be made responsible for the monitoring. That person can only be someone named by the Secretary of State in secondary legislation. (s.3AC).

If you’re looking for key phrases throughout bits of legislation relating to court orders that can be used to justify tagging as a condition, “electronic monitoring requirement” looks to be a good one. I assume there is also a corresponding “electronic monitoring equipment” phrase defined somewhere, in which case it would be good to know how tightly that is defined or how broadly it can be interpreted…

More generally, the toolkit states that:

“Electronic monitoring” is a generic term, which encompasses different technologies, it is generally used to support punitive requirements, however in principle EM can also be seen as a preventative measure if, for example, an exclusion zone prevents the offender from approaching a specific person or location. It is important to note that EM with location monitoring should only be proposed where it provides a particular identifiable value in protecting the public or specific victims, or in deterring the offender from crime.

The system looks like it provides a range of geo-fencing services, going by some of the instructions given to offenders wearing the tag, who must:

stay at their approved address (usually their home) during your curfew;
not enter any exclusion zones included in the order, bail or licence conditions;
not leave any inclusion zones included in the order, bail or licence conditions.

This is backed up by case study examples:

I’m not sure if an exclusion zone can be dynamic? For example, two offenders, both wearing tags, not allowed to be with 50m of each other – can one be the centre of an exclusion zone defined for another? (Also, I’m not sure what the resolution of the devices is?)

According to the toolkit, an inclusion or exclusion zone:

… must be unambiguous. Ideally it should be marked on a map so that the monitoring centre can clearly see what the judge or magistrate intended. If the monitoring centre cannot interpret an exclusion or inclusion zone they may request clarification if the requirement is unclear. … [O]ther conditions that might be supported by a GPS tag, such as attendance at work or at a programme. Again, the purpose must be clear, and where applicable timings should be included.

That said, the pilot seems to be a bit hacky…

GPS tags used for the pilot cannot easily monitor a curfew without a manual workaround so for the purposes of the pilot we have excluded GPS tagging alongside an electronically monitored curfew.

Oh good…

Also, how do they track location when the offender is indoors or otherwise out of line of site of the GPS satellites? (Does it use cell tower triangulation as an assist?) How do the devices report back to the control centre (via the mobile phone network?)? According to the product documentation for the tag that appears to be being used in the pilot:

The 3M Electronic Monitoring units store rules in the device, allowing autonomous tracking and monitoring capability without dependence on wireless signal availability. Offenders are immediately alerted in the event of a rule violation. These alerts notify the offender that corrective action is required and serve to help modify the offender’s behavior.

So maybe there are two alerts – one local on the offender, and one when the device phones home. Presumably, an alert is raised if the tag doesn’t phone home within a specified period? But what if that’s because the offender doesn’t fully appreciate the USP of the The Faraday Cage Cafe where they go for coffee and doughnuts?

The toolkit document further suggests that the pilot is not appropriate for:

Offenders of no fixed abode – electronic monitoring is reliant on a fixed supply to charge.
Offenders with serious identified mental health or learning disabilities – there may be particular difficulties with an offender’s ability to understand the device i.e. need to charge, purpose behind GPS), which could make GPS unsuitable.
Subjects under 18 years of age
Anyone subject to an electronically monitored curfew should not be given a condition monitored through a GPS tag.

Wider concerns are also touched upon in in the toolkit document. For example, when making a recommendation to enter an offender into the pilot:

Authors [of pre-sentence reports] must take account of the balance between a right to a private family life and public protection. Application of the requirement should be proportionate to the risks identified and clearly evidenced to ensure that there is no unintentional bias impacting the proposal and subsequently impacting the individual’s liberty.

The device itself is a rather clunky wearable, as shown in the GPS Tagging Handbook…

ankletag

(By the by, I wonder if that tattoo is personally identifying…?)

I’m guessing this product was developed for the US, by the plug on the charger?

tagcharger

Looking at the 3M product page, this seems to be their One Piece GPS Tracking System; they also have a Two Piece GPS Tracking System.

A guidance leaflet suggests the data may be used in various ways…

Relevant information gathered will be used to monitor your compliance with your licence conditions. If you fail to meet any of the conditions you may be recalled to prison custody. Where justified, the information gathered, including your location data, may be shared with Criminal Justice Agencies, including the Police for other purposes such as the prevention and detection of crime.

A fair processing notice covers this in legalese:

In the event you have been fitted with a GPS tag as part of the Ministry of Justice’s pilot scheme and in order to give effect to a Court order or condition on your prison licence, your whereabouts will be captured by the system 24 hours a day for the duration of the Order or licence condition. Your personal data, including your location data may be shared with other organisations for example (but not limited to) contractors, probation providers and the Police to give effect to the Order/licence, manage your compliance and enforce the requirements or conditions imposed.

Where it is justified, necessary and proportionate to do so, your data, may be shared with others including Criminal Justice agencies (e.g. the Police), for purposes such as (but not limited to) crime prevention, detection, investigation or to facilitate an arrest. Your data may also be shared with other government departments where necessary, such as in the case of legal proceedings.

When undertaking all of these tasks the Ministry of Justice will comply with the provisions of the Data Protection Act 1998. This will include:
– keeping the personal data up to date;
– storing and destroying them securely;
– protecting personal data from loss, misuse, unauthorised access and disclosure;
– ensuring that appropriate technical measures are in place to protect the personal data processed in line with Her Majesty’s Government standards;

All data captured during this pilot shall be retained securely by the Ministry of Justice for a period of at least six years from the end of the analysis of the pilot. Data that has been shared with stakeholders will be held by them in accordance with their data retention policies which must accord with the Data Protection Act 1998.

You have the right to request your personal data (including certain details about them) processed as part of the pilot by contacting the pilot monitoring team (details are at the end of this notice).

Please note that a payment of £10 will be required if you wish to obtain a copy of your data. Each request will be considered carefully in line with the Data Protection Act 1998. Some data may be covered by an exemption within the Act or other legislation which may prevent it being disclosed to you.

The toolkit documentation sets up the scene for the (desired) chilling effect that the tag is presumably expected to exert on a wearing offender, I wonder why consumer tagging devices (phones, fitbits, wearables, etc) aren’t also subject to the same chilling effect?

The pilots will seek to test how the use of a GPS tag might impact upon the behaviour of offenders and decision makers in the Criminal Justice System and how it might help to improve rehabilitative outcomes. They may also allow us to see what other benefits GPS tagging may bring and identify any potential barriers to wider implementation.

…

Location monitoring is live and alerts to the monitoring centre in the event of a potential breach are immediate. The monitoring centre will look into the circumstances and where a breach is confirmed the responsible officer will be notified of a breach.

…

High risk cases can be flagged on the monitoring system and prioritised for an emergency response. This may act as a deterrent against non-compliance for some offenders. An assessment should be made in relevant cases whether this form of monitoring is likely to deter in the particular case.

…

The monitoring centre will respond immediately to a breach. When a breach occurs it is flagged on the system. The monitoring centre staff will open up the record and investigate the breach. They are able to look at data 30 minutes before the breach and data post breach.

Here, then, are are a couple of reasons why we need to keep tabs on things like the Investigatory Powers Bill on the one hand, and the data collected by service operators who have access to geolocation information on the other: firstly, to try to make sense of the extent to which information collected by those services can be accessed using a a warrant; secondly, the extent to which the data could be used by comparing it to how data specifically collected for the purpose of regulating behaviour (using things like tags) can be used.

The document that perhaps requires the closest reading is the Code of Practice – Electronic Monitoring Data, which opens with a description of where the pilot will run:

annex_j_-_code_of_practice_pdf

To a certain extent, the pilot seems to be a fishing expedition:

4. The pilot will test a range of factors including:

how GPS tagging might impact on the behaviour of offenders released from prison on licence, suspects on bail and offenders sentenced by the Courts;
how Courts, probation staff, Parole Board members, and prison governors respond when given the option of imposing a location monitoring requirement as part of a Court Order or condition as part of a prison licence;
what other benefits GPS tagging might confer; and
how GPS might best be implemented in practice, and the challenges of operating GPS tagging.

Note the last two…

11. For the purposes of the pilot the data that will be gathered and processed will be that which is required to:

identify and tag suspects and offenders who fall within scope for the pilot and who have been made the subject of an electronic monitoring requirement by way of either a Court Order or prison licence;
monitor compliance with and enforce the requirements of such orders;
minimise the risk to staff involved in the tagging process e.g. any threatening or violent behaviour by the subject or others at the premises;
where justified and only in accordance with legislative provisions, the data captured may be shared with Criminal Justice Agencies and other Government Departments to assist with criminal enquiries or to seek advice/representation. The circumstances in which such data will be shared are set out in the body of this document;
assist in the evaluation of the pilot and to inform future policy formation and implementation.

The code seems a bit weaselly to me (my emphasis):

12. Personal and sensitive personal data will be collected and, where required and as permitted by legislation, shared for the purposes of meeting the requirements set out above. The electronic monitoring technical solution will capture the subject’s location 24 hours a day. In some cases (e.g. where location monitoring is only imposed to monitor an exclusion/inclusion zone) some of the location data captured at times of compliance will be extraneous to the purposes of monitoring the terms of the order. The technology available for the pilot does not allow for the monitoring of an exclusion zone in another way that would prevent this data being captured. This will be explained to the subject as part of a Fair Processing Notice (see paragraph 35). However, monitoring staff will only monitor the subject’s compliance with the requirements of the order and will not access the extraneous data unless there is a lawful reason to do so. So, if the order imposes an exclusion zone, the subject’s whereabouts will be monitored if they approach and breach that zone. It will not be actively monitored at other times (see paragraphs 35-47 for further details of how data will be shared).

So they haven’t taken the opportunity to design a certain amount of privacy in that does not collect the extraneous data. (The toolkit mentioned being able to look at data in the period before a breach, so if extraneous information was location data outside an exclusion zone, and the wearer breached by entering the exclusion zone, does the location data outside that area become “traneous”? To what extent are safeguards in place to prevent access to data unless “there is a lawful reason to do so”? NB This is covered in the Code of Practice – see below.

I wonder to what extent the data from several subjects can be merged? For example, are there screens that show the co-location of two people wearing tags?

Regarding datasharing, the Code seems to try to lock it down, but then opens it up again? For example:

Private prisons will provide notifications of an electronic monitoring requirement of those individuals released from their custody on a prison licence. They will not need access to the monitoring data. However, should the subject be recalled and end up back in their custody, information regarding the reasons for the recall will be shared with them via another source (NOMS Public Protection Casework Section). Once electronic monitoring data has been passed to a private prison they will become Data Controllers of the information in their possession.

Why would they need the monitoring data and how extensive will that data be? Data will also be shared outside the police in other ways:

22. The Data Processors of electronic monitoring information will be:

The third party contractor appointed to provide the tags and monitoring system;
The third party contractor employed to evaluate the outcomes of the pilot; and
The Bail Accommodation and Support Services (BASS) contractor [eg as described in this Commons Library Research Briefing: The Bail Accommodation and Support Service], as it is required to encourage compliance of individuals held in their premises with the provisions of relevant orders and report any breaches or concerns to the appropriate body.

I’m not sure who the respective third party contractors are?

The data collected includes personal data and sensitive personal data, as defined by the Data Protection Act, and as such subject to it – though maybe with wriggle room:

31. Furthermore, section 29 of the DPA, provides an exemption from a sub set of the DPA requirements in processing of personal data, if it is for prevention or detection of crime purposes. This is not a blanket exemption and so whether this exemption applies or not, will be considered on a case by case basis. In any event, a Schedule 2 condition and for sensitive personal data, a Schedule 3 condition, will still need to be satisfied.

32. Moreover the processing of personal and sensitive personal information engages Article 8 of the European Convention of Human Rights (i.e. the right to respect for private and family life). However, Article 8 is not an absolute right and public authorities are permitted to interfere with it if it is in accordance with the law, necessary in a democratic society for a legitimate aim and proportionate to do so. Therefore, any proposals for data sharing must be both justifiable and proportionate with the appropriate safeguards in place to ensure that personal data is not arbitrarily disclosed.

I’m not sure if Chinese Walls also apply to separate concerns:

The Police will have routine access to the following data for the specified reasons;

In their capacity as the Monitoring Team

i) All data captured as part of the pilot, to discharge its function as the monitoring body for the pilot project.
ii) All data on a single electronic monitoring requirement order imposed as part of a community order or suspended sentence order, and HDC cases, to meet the obligations bestowed upon them as part of this pilot for such orders (see paragraphs 23-26 above).

In their capacity as the Police

iii) Data on Court ordered bail subjects, as they act as the Responsible Officers in such cases.
iv) Data necessary to assist with managing compliance of other subjects such as MAPPA cases and prolific offenders;
v) Any data necessary to assist in the apprehension of subjects who have breached their Court Order / prison licence and are required to be returned to Court or to prison custody.

On the matter of the extraneous data:

33. The system will capture some extraneous location data as mentioned in paragraph 12 above. Those that are tagged will be informed that the tag will capture their whereabouts 24 hours a day as part of the Fair Processing Notice that will be provided to them on induction. Relevant stakeholders will only be provided with location data that is relevant to monitoring compliance with the conditions of the order. Access to the extraneous data will be restricted as set out in paragraph 43 below.

…

41. Relevant location tracking data i.e. the location data gathered for the purposes of monitoring compliance with Court Order /licence conditions, will be provided to relevant stakeholders via secure email. Where location tracking is in place solely to monitor exclusion/inclusion zones, the data that will be provided to stakeholders by the monitoring team will usually be restricted to the duration of the non-compliance and 30 minutes either side of it. Allowing a window of 30 minute either side of the non-compliance is considered to be relevant data which is necessary for stakeholders to contextualise any breach and for risk assessment purposes.

And as far as wider sharing goes:

43. During the course of the pilot, should public authorities require access to data for other reasons or other data, including access to extraneous location data, they will need to submit an External Agency Request (EAR) to the monitoring team. The request must explain why access to the information is required and failure to provide sufficient and appropriate justification will lead to it being rejected. By way of example, Code of Practice – Electronic Monitoring Data Code of Practice – Electronic Monitoring Data 13 should access to data for the purposes of detection or prevention of a particular crime, the requestor will need to set out the reasons why they believe that the specific suspect(s) are likely to be, or were likely to have been, involved in the criminal behaviour that is under investigation. The monitoring team will handle the more straightforward requests using guidance issued by the MoJ. Any further requests, including those that seek access to the extraneous location data will be escalated to the Ministry of Justice to consider. However, if request is urgent, arrives out of working hours, and the data is needed to manage a significant risk to the public, then, provided the request is justified as set out above, the monitoring team will release the necessary information and the MoJ will conduct a retrospective check.

Presumably, as art of the pilot is to see what other benefits GPS tagging might confer, external requests may well be looked on favourably as part of that?

As far as the operation of the tags goes:

48. Data transferred from GPS tags to the monitoring centre will be via mobile networks and will be encrypted. All data shared with stakeholders will be via secure email.

so the question arises: what about users who are out of signal range? (Are the devices set up for roaming, and capable of phoning home using all mobile operator networks? Or are the tags limited to using a single network?)

It should also be noted that by connecting to the mobile phone network the mobile operators will be able to track the devices in the same way they track mobile phones. If the operator can identify the tag as a tag, offenders’ identities could well be disclosed to the network if they carry a mobile phone around with them all the time that is persistently colocated with the tag device.

As hinted at above, I think this pilot is interesting for several reasons:

it is explicitly about using GPS monitoring information to track – and potentially influence the behaviour of the tracked user because they are aware they’re being tracked (panopticon style);
there are practical technical issues associated with the technology (GPS, mobile phone network connectivity and tracking);
there are issues around data collection and sharing;

More generally, in terms of system design, I see no reason why third party tracking data (collected from other devices, such as mobile phones or beacons) couldn’t be used as a source of location data, which means the pilot gives us an insight into what the police might be able to use this sort data for as part of a 24 hour surveillance regime.

Of course, if you;ve done nothing wrong, there’s no chilling effect to be afraid of…

Participatory Surveillance – Who’s Been Tracking You Today?

With the internet of things still trying to find its way, I wonder why more folk aren’t talking about participatory surveillance?

For years, websites have been gifting information to third parties that you have visited them (Personal Declarations on Your Behalf – Why Visiting One Website Might Tell Another You Were There), but as more people are instrumenting themselves, the opportunities for mesh network based surveillance are ever more apparent.

Take something like thetrackr, for example. The device itself is a small bluetooth powered device the size of a coin that you attach to your key fob or keep in your wallet:

The TrackR is a Bluetooth device that connects to an app running on your phone. The phone app can monitor the distance between the phone and device by analyzing the power level of the received signal. This link can be used to ring the TrackR device or have the TrackR device ring the phone.

The other essentially part is an app you run permanently on your phone that listens out for the trackr device. Not just yours, but anyone’s. And when it detects one it posts its location to a central server:

[thetrackr] Crowd GPS is an alternative to traditional GPS and revolutionizes the possibilities of what can be tracked. Unlike traditional GPS, Crowd GPS uses the power of the existing cell phones all around us to help locate lost items. The technology works by having the TrackR device broadcast a unique ID over Bluetooth Low Energy when lost. Other users’ phones can detect this wireless signal in the background (without the user being aware). When the signal is detected, the phone records the current GPS location, sends a message to the TrackR server, and the TrackR server will then update the item’s last known location in its database. It’s a way that TrackR is enabling you to automatically keep track of the location of all your items effortlessly.

And if you don’t trust the trackr folk, other alternatives are available. Such as tile:

The Tile app allows you to anonymously enlist the help of our entire community in your search. It works both ways — if you’re running the app in the background and come within range of someone’s lost item, we’ll let the owner know where it is.

This sort of participatory surveillance can be used to track stolen items too, such as cars. The TRACKER mesh network (which I’ve posted about before: Geographical Rights Management, Mesh based Surveillance, Trickle-Down and Over-Reach) uses tracking devices and receivers fitted to vehicles to locate other similarly fitted vehicles as they pass by them:

TRACKER Locate or TRACKER Plant fitted vehicles listen out for the reply codes being sent out by stolen SVR fitted vehicles. When the TRACKER Locate or TRACKER Plant unit passes a stolen vehicle, it picks up its reply code and sends the position to the TRACKER Control Room.

That’s not the only way fitted vehicles can be used to track each other. A more general way is to fit your car with a dashboard camera, then use ANPR (automatic number plate recognition) to identify and track other vehicles on the road. And yes, there is an app for logging anti-social or dangerous driving acts the camera sees, as described in a recent IEEE Spectrum article on The AI dashcam app that wants to rate every driver in the world. It’s called the Nexar app, and as their website proudly describes:

Nexar enables you to use your mobile telephone to record the actions of other drivers, including the license plates, types and models of the cars being recorded, as well as signs and other surrounding road objects. When you open our App and begin driving, video footage will be recorded. …

If you experience a notable traffic incident recorded through your use of the App (such as someone cutting you off or causing an accident), you can alert Nexar that we should review the video capturing the event. We may also utilize auto-detection, including through the use of “machine vision” and “sensor fusion” to identify traffic law violations (such as a car in the middle of an intersection despite a red stop light). Such auto-detected events will appear in your history. Finally, time-lapse images will automatically be uploaded.

Upon learning of a traffic incident (from you directly or through auto-detection of events), we will analyze the video to identify any well-established traffic law violations, such as vehicle accidents. Our analysis will also take into account road conditions, topography and other local factors. If such a violation occurred, it will be used to assign a rating to the license plate number of the responsible driver. You and others using our App who have subsequent contact with that vehicle will be alerted of the rating (but not the nature of the underlying incidents that contributed to the other driver’s rating).

And of course, this is a social thing we can all participate in:

Nexar connects you to a network of dashcams, through which you will start getting real-time warnings to dangers on the road

It’s not creepy though, because they don’t try to relate to number plates to actual people:

Please note that although Nexar will receive, through video from App users, license plate numbers of the observed vehicles, we will not know the recorded drivers’ names or attempt to link license plate numbers to individuals by accessing state motor vehicle records or other means. Nor will we utilize facial recognition software or other technology to identify drivers whose conduct has been recorded.

So that’s all right then…

But be warned:

Auto-detection also includes monitoring of your own driving behavior.

so you’ll be holding yourself to account too…

Folk used to be able to go to large public places and spaces to be anonymous. Now it seems that the more populated the place, the more likely you are to be located, timestamped and identified.

A Loss of Sovereignty?

Over the course of the weekend, rummaging through old boxes of books as part of a loft clearout, I came across more than a few OU textbooks and course books. Way back when, OU course materials were largely distributed in the form of print items and hard media – audio and video cassettes, CD- and DVD-ROMs and so on. Copies of the course materials could be found in college and university libraries that acted as OU study centres, via the second hand market, or in some cases purchased from the OU via OU Worldwide.

Via an OU press release out today, I notice that “[c]ourse books from The Open University (OU) have been donated to an educational sponsorship charity in Kenya, giving old course books a new use for the local communities.” Good stuff…

..but it highlights an issue about the accessibility of our materials as they increasingly move to digital form. More and more courses deliver more and more content to students via the VLE. Students retain access to online course materials and course environments for a period of time after a module finishes, but open access is not available.

True, many courses now release some content onto OpenLearn, the OU’s free open learning platform. And the OU also offers courses on the FutureLearn platform (an Open University owned company that made some share allotments earlier this year).

But access to the electronic form is not tangible – the materials are not persistent, the course materials not tradeable. They can’t really be owned.

I’m reminded of a noticing I had earlier this week about our Now TV box that lets us watch BBC iPlayer, 4oD, youTube and so on via the telly. The UI is based around a “My subscriptions” model which shows the channels (or apps) you subscribe to. Only, there are some channels in their that I didn’t subscribe to, and that – unlike the channels I did subscribe to – I can’t delete from my subscriptions. Sky – I’m looking at you. (Now TV is a Sky/BSkyB product.)

In a similar vein, Apple and U2 recently teamed together to dump a version of U2’s latest album into folks’ iTunes accounts, “giving away music before it can flop, in an effort to stay huge” as Iggy Pop put it in his John Peel Lecture [on BBC iPlayer], and demonstrating once again that our “personal” areas on these commercial services are no such thing. We do not have sovereignty over them. Apple is no Sir Gawain. We do not own the things that are in our collections on these services and nor do we own the collection: I doubt you hold a database right in any collection you curate on youtube or in iTunes, even if you do expend considerable time, effort and skill in putting that collection together; and I fully imagine that the value of those collections as databases are exploited by the recommendation engine mining tools the platform services operate.

And just as platform operators can add things to out collections, so too can they take them away. Take Amazon, for example, who complement their model of selling books with one of renting you limited access to ebooks via their Kindle platform. As history shows – Amazon wipes customer’s Kindle and deletes account with no explanation or The original Big Brother is watching you on Amazon Kindle – Amazon is often well within its rights, and it is well within its capacity, to remove books from your device whenever it likes.

In the same way that corporate IT can remotely manage “your” work devices using enterprise mobile device management (Blackberry: MDM and beyond, Goole apps: mobile management overview, Apple: iOS and the new IT, for example), so too can platform operators of devices – and services – reach into your devices – or service clients – and poke around inside them. Unless we’ve reclaimed it as our own, we’re all users of enterprise technology masked as consumer offerings and have ceded control over our services and devices to the providers of them.

The loss of sovereignty also extends to the way in which devices and services are packaged so that we can’t look inside them, need special tools to access them, can’t take ownership of them in order to appropriate them for other purposes. We are users in a pejorative sense; and we are used by service and platform providers as part of their business models.

Participatory Surveillance

This is an evocative phrase, I think – “participatory surveillance” – though the definition of it is lacking from the source in which I came across it (Online Social Networking as Participatory Surveillance, Anders Albrechtslund, First Monday, Volume 13, Number 3 – 3 March 2008).

A more recent and perhaps related article – Cohen, Julie E., The Surveillance-Innovation Complex: The Irony of the Participatory Turn (June 19, 2014). In Darin Barney, Gabriella Coleman, Christine Ross, Jonathan Sterne & Tamar Tembeck, eds., The Participatory Condition (University of Minnesota Press, 2015, Forthcoming) – notes how “[c]ontemporary networked surveillance practices implicate multiple forms of participation, many of which are highly organized and strategic”, and include the “crowd-sourcing of commercial surveillance”. It’s a paper I need to read and digest properly…

One example from the last week or two of a technology that supports particapatory surveillance comes from Buzzfeed’s misleading story relating how Hundreds Of Devices [Are] Hidden Inside New York City Phone Booths that “can push you ads — and help track your every move”; (the story resulted in the beacons being removed). My understanding of beacons is that they are a Bluetooth push technology that emit a unique location code, or a marketing message, within a limited range. A listening device can detect the beacon message and do something with it. The user thus needs to participate in any surveillance activity that makes use of the beacon by listening out for a beacon, capturing any message it hears, and then doing something with that message (such as phoning home with the beacon message).

The technology described in the Buzzfeed story is developed by Gimbal, who offer an API, so it should be possible to get a feel from that what is actually possible. From a quick skim of the documentation, I don’t get the impression that the beacon device itself listens out for and tracks/logs devices that come into range of it? (See also Postscapes – Bluetooth Beacon Handbook.)

Of course, participating in beacon mediated transactions could be done unwittingly or surreptitiously. Again, my understanding is that Android devices require you to install an app and grant permissions to it that let it listen out for, and act on, beacon messages, whereas iOS devices have iBeacon listening built in the iOS Location Services*, and you then grant apps permission to use messages that have been detected? This suggests that Apple can hear any beacon you pass within range of?

* Apparently, [i]f [Apple] Location Services is on, your device will periodically send the geo-tagged locations of nearby Wi-Fi hotspots and cell towers in an anonymous and encrypted form to Apple to augment Apple’s crowd-sourced database of Wi-Fi hotspot and cell tower locations. In addition, if you’re traveling (for example, in a car) and Location Services is on, a GPS-enabled iOS device will also periodically send GPS locations and travel speed information in an anonymous and encrypted form to Apple to be used for building up Apple’s crowd-sourced road traffic database. The crowd-sourced location data gathered by Apple doesn’t personally identify you. Apple don’t pay you for that information of course, though they might argue you get a return in kind in the form of better location awareness for your device.

There is also the possibility with any of those apps that you install one for a specific purpose, grant it permissions to use beacons, then the company that developed gets taken over by someone you wouldn’t consciously give the same privileges to… (Whenever you hear about Facebook or Google or Experian or whoever buying a company, it’s always worth considering what data, and what granted permissions, they have just bought ownership of…)

See also: “participatory sensing” – Four Billion Little Brothers? Privacy, mobile phones, and ubiquitous data collection, Katie Shilton, University of California, Los Angeles, ACM Queue, 7(7), August 2009 – which “tries to avoid surveillance or coercive sensing by emphasizing individuals’ participation in the sensing process”.

More Digital Traces…

Via @wilm, I notice that it’s time again for someone (this time at the Wall Street Journal) to have written about the scariness that is your Google personal web history (the sort of thing you probably have to opt out of if you sign up for a new Google account, if other recent opt-in by defaults are to go by…)

It may not sound like much, but if you do have a Google account, and your web history collection is not disabled, you may find your emotional response to seeing months of years of your web/search history archived in one place surprising… Your Google web history.

Not mentioned in the WSJ article was some of the games that the Chrome browser gets up. @tim_hunt tipped me off to a nice (if technically detailed, in places) review by Ilya Grigorik of some the design features of the Chrome browser, and some of the tools built in to it: High Performance Networking in Chrome. I’ve got various pre-fetching tools switched off in my version of Chrome (tools that allow Chrome to pre-emptively look up web addresses and even download pages pre-emptively*) so those tools didn’t work for me… but looking at chrome://predictors/ was interesting to see what keystrokes I type are good predictors of web pages I visit…

* By the by, I started to wonder whether webstats get messed up to any significant effect by Chrome pre-emptively prefetching pages that folk never actually look at…?

In further relation to the tracking of traffic we generate from our browsing habits, as we access more and more web/internet services through satellite TV boxes, smart TVs, and catchup TV boxes such as Roku or NowTV, have you ever wondered about how that activity is tracked? LG Smart TVs logging USB filenames and viewing info to LG servers describes not only how LG TVs appear to log the things you do view, but also the personal media you might view, and in principle can phone that information home (because the home for your data is a database run by whatever service you happen to be using – your data is midata is their data).

there is an option in the system settings called “Collection of watching info:” which is set ON by default. This setting requires the user to scroll down to see it and, unlike most other settings, contains no “balloon help” to describe what it does.
…
At this point, I decided to do some traffic analysis to see what was being sent. It turns out that viewing information appears to be being sent regardless of whether this option is set to On or Off.
…
you can clearly see that a unique device ID is transmitted, along with the Channel name … and a unique device ID.
…
This information appears to be sent back unencrypted and in the clear to LG every time you change channel, even if you have gone to the trouble of changing the setting above to switch collection of viewing information off.

It was at this point, I made an even more disturbing find within the packet data dumps. I noticed filenames were being posted to LG’s servers and that these filenames were ones stored on my external USB hard drive.

Hmmm… maybe it’s time I switched out my BT homehub for a proper hardware firewalled router with a good set of logging tools…?

PS FWIW, I can’t really get my head round how evil on the one hand, or damp squib on the other, the whole midata thing is turning out to be in the short term, and what sorts of involvement – and data – the partners have with the project. I did notice that a midata innovation lab report has just become available, though to you and me it’ll cost 1500 squidlly diddlies so I haven’t read it: The midata Innovation Opportunity. Note to self: has anyone got any good stories to say about TSB supporting innovation in micro-businesses…?

PPS And finally, something else from the Ilya Grigorik article:

The HTTP Archive project tracks how the web is built, and it can help us answer this question. Instead of crawling the web for the content, it periodically crawls the most popular sites to record and aggregate analytics on the number of used resources, content types, headers, and other metadata for each individual destination. The stats, as of January 2013, may surprise you. An average page, amongst the top 300,000 destinations on the web is:

– 1280 KB in size
– composed of 88 resources
– connects to 15+ distinct hosts

Let that sink in. Over 1 MB in size on average, composed of 88 resources such as images, JavaScript, and CSS, and delivered from 15 different own and third-party hosts. Further, each of these numbers has been steadily increasing over the past few years, and there are no signs of stopping. We are increasingly building larger and more ambitious web applications.

Is it any wonder that pages take so long to load on a mobile phone off the 3G netwrok, and that you can soon eat up your monthly bandwidth allowance!

A State of Surveillance…

This made me think…:

[I]f your every utterance, regardless of the privacy of the setting, is potentially subject to external scrutiny, you are living if not in a surveillance state, then in a state of surveillance.

“Whose interests are being served by this squalid tale of entrapment?” Andrew Anthony, The Observer, Sunday 23 May 2010

Why I Joined the Facebook Privacy Changes Backlash…

Whenever Facebook rolls out a major change, there’s a backlash… Here’s why I posted recently about how to opt out of Facebook’s new services…

Firstly, I’m quite happy to admit that it might be that you will be benefit from opting in to the Facebook personaliation and behavioural targeting services. If you take the line that better targeted ads are content, and behavioural advertising is one way to achieve that, all well and good. Just bear in mind that your purchasing decisions will be even more directedly influenced ;-)

What does concern me is that part of the attraction of Facebook for many people are its privacy controls. But when they’re too confusing to understand, and potentially misleading, it’s a Bad Thing… (I suppose you could argue that Facebook is innovating in terms of privacy, openness, and data sharing on behalf of its users, but is that a Good Thing?)

If folk think they have set their privacy setting one way, but they operate in another through the myriad interactions of the different settings, users may find that the images and updates they think they are posting into a closed garden, are in fact being made public in other ways, whether by the actions of their friends, applications they have installed, pages they have connected to, or websites they visit.

The Facebook privacy settings also seem to me to suggest various asymmetries. For example, if think I am only sharing videos with friends, then if those friends can also share on content because of the way I have set/not changed the default on another setting, I may be publishing content in a way that was not intended. It seems to me that Facebook is set up to devolve trust to the edge of my network – I publish to the edge of the my network, for example, but the people or pages on the edge of my network can then push the content out further.

So for example, in the case of connecting to pages, Facebook says: “Keep in mind that Facebook Pages you connect to are public. You can control which friends are able to see connections listed on your profile, but you may still show up on Pages you’re connected to. If you don’t want to show up on those Pages, simply disconnect from them by clicking the “Unlike” link in the bottom left column of the Page.”

The privacy settings around how friends can share on content I have shared with them is also confusing – do their privacy settings override mine on content I have published to them?

I’m starting to think (and maybe I’m wrong on this) that the best way of thinking about Facebook is to assume that everything you publish to your Facebook network can be republished by the members of your network under the terms of their privacy conditions. So if I publish a photo that you can see, then I have to assume that you can also publish it under your privacy settings. And so on…

This contrasts with a view of each object having a privacy setting, and that by publishing an object, the publisher controls that setting. So for example, I could publish an object and say it could only be seen by friends of me, and that setting would stick with the object. If you treid to republish it, it could only be repulshed to your friends who are also my friends. My privacy settings would set the scope, or maximum reach, of your republication of it.

Regular readers will know I’ve started looking at ways of visualising Facebook networks using Gephi. What I’m starting to think is that Facebook should offer a visualisation of the furthest reach of a person’s data, videos, images, updates, etc, given their current privacy settings (or preview changes to that reach if they want to test out new privacy settings.

PS re the visualisation thing – something like this, generated from your current settings, would do the job nicely:

More at The Evolution of Privacy on Facebook, including a view of just how open things are now…