Surveillance or Privacy - Ross Anderson

Professor Ross Anderson is one of the world's foremost computer security experts. He has published books on cryptology, hardware design, the economics of security etc. He is widely known for his book “Security Engineering” and is currently writing its Third Edition. This blog reviews Chapter 23 - Surveillance or Privacy. The chapter looks at policy, the current privacy landscape and what we might expect from the tussles over data retention. It also discusses censorship and government backdoors. The chapter begins by talking about the interests governments have online, from surveillance to censorship and from privacy to safety. It introduces the criticality of surveillance and privacy with examples such as the 9/11 attack and the impact the attack had on the security and privacy ecosystem, which was further intensified by the attacks on London, Madrid, Paris, Berlin etc. The chapter discusses the evolution of surveillance, brings in the concept of terrorism, and discusses censorship, privacy and regulation.

This chapter talks about technical surveillance and the roles of governments in different countries in obtaining private information, either by getting it from Google or Facebook by warrant (USA) or by forcing passwords out of people (Syria/Iran). Furthermore, the chapter discusses how governments and rulers have always tried to control communication, pointing to examples of communication during classical times and the Middle Ages. However, the invention of the telephone led to privacy issues since the US government passed a law which made wiretapping legal via a warrant, although analysts believe that around 9/11 there was the same amount of unauthorized wiretapping as authorized wiretapping. The Snowden leaks made it obvious that governments exploited wiretaps in an unauthorized manner. In this chapter Professor Ross Anderson makes it clear that the biggest concern of the government is intelligence and that the government spends 100x more money on gathering information that can be used against the enemies of a government than on fighting cybercrime.

As we move on, the chapter starts to discuss how surveillance moved from the era of the phone company to the era of the internet: the difficulties in collecting data from the internet and the amount of data that can be collected from ISPs and CSPs. The chapter includes the finding by Michal Kosinski and his colleagues of how a Facebook post can be weaponized for marketing and political campaigning, and the Cambridge Analytica scandal.

The chapter also brings examples of governments weaponizing information collected illegally, via wiretapping a phone, illegal monitoring etc. Moreover, the chapter talks about the exposé of the first economic espionage by the US, electronic warfare and the importance of human intelligence. The term “key escrow” is brought into the chapter as part of the crypto wars, and the chapter discusses crypto war 1 and crypto war 2. It also discusses the backstory of crypto policy and how DES became the solution for foreign countries adopting ciphers which increased the cost of intelligence gathering. The chapter then discusses export controls on cryptographic equipment. I find it interesting how Ross Anderson shares his personal experience of being a European researcher, which gave him the freedom to write crypto software and publish it online on his own webpages, whereas citizens of the US were prohibited from doing that by the ITAR regulation. He also points out that in 2019, a large number of academic and software firms are breaking this law by uploading software that has a key longer than 56 bits. The topic of surveillance is concluded by saying that the export control issue was referred to the EU agencies and has quietly been forgotten.

The topic ‘Terrorism’ is introduced into the chapter by discussing the emergence of policy around privacy and surveillance, which was driven by the 9/11 attack. Professor Ross Anderson states how politicians play the terrorism card when they want something that they shouldn't get, and the role of the media in it. I find it very interesting how he states that cyber terrorism hasn't ever happened, yet it still receives attention. He manages to derive a definition of terrorism by explaining the causes of political violence and the psychology of political violence. He also tries to explain the role of institutions and why governments act the way they do. He also emphasizes the role of the media in spreading bad news around the world (“If it bleeds, it leads”), the role of the media in helping with politicians' needs, the need of officials to build an empire, and how the media amplify the idea that the country needs a hero to protect it from terrorist attacks. The chapter also discusses how a politician took advantage of a terrorist crisis to get a boost in the polls, risking many lives. He also says that mature voters prefer leaders who stand up against terrorism to those who play along with fear, which he illustrates with the example of Obama being elected President since people were fed up with the fear-based policy of President George Bush.

Professor Ross Anderson states that censorship is becoming a much bigger issue as the years go by. He also talks about the variety of motives for the use of censorship. Most countries block child sex abuse material, hate speech, anything that glorifies terrorism etc. He also discusses the role of the internet in censorship. The chapter also talks about the efforts China has made to censor online content via perimeter defenses, application-level defenses and social defenses, and concludes that China is winning the censorship battle compared to Russia's internet and the Arab Spring. Moreover, he speaks about the laws and policies in different countries that allow or prohibit hate speech. For instance, the US has constitutional protection for free speech, whereas France/Germany prohibit hate speech and enforce a threat that online providers with more than 2 million customers should take down any content related to hate or otherwise pay a fine of 50 million euro.

The last policing topic in this chapter is forensics and how data can be recovered from digital electronics such as phones, computers etc. Professor Ross Anderson discusses the difficulty of collecting data for an investigation since the world moved to smartphones and cloud services, because there are now ways to make data memory-resident, which would make the evidence self-destruct. He also talks about the admissibility of evidence in terms of engineering issues, accuracy and reliability. Finally, he talks about what can go wrong during computerized investigations, pointing to a case in the UK where the suspects were arrested due to suspicious tampering with an ankle bracelet with GPS positioning but were later released due to the vendor's refusal to give experts access to the equipment for testing.

Lastly, the chapter discusses ‘Privacy and Data protection’. It explains how the US and Europe have dealt with privacy and data protection in completely different ways. The significance of dealing with privacy is explained well in this portion of the chapter, which describes the way Europe processes data and the privacy around that data. The textbook provides an example of how France fined Google 50m euro for not telling its users enough about its data consent policy, which shows the seriousness of the matter, whereas the chapter explains how business has convinced the government in the US to leave privacy to ‘self-regulation’. Professor Ross Anderson talks about the regulations in the US in terms of privacy and compares some of the policies that exist in the USA to the European policies. He also explains the changes that had to be adopted when GDPR was enforced.

In conclusion, the chapter covered public policy, surveillance, privacy and all their components. Professor Ross Anderson has explained, with real-life situations, the need to constitute laws and regulations that should be responsible for governing privacy in surveillance. After reading the chapter, it has been recognized that a reduction in privacy is necessary to combat today's threat of violent crime and terrorism.

Written on September 27, 2019