Who should have your fingerprints?
Dystopian staffers talk data retention, presumption of innocence, and the dark side of human nature
Josh.Folland: Did you see this article? “Feds Walk Into A Building, Demand Everyone’s Fingerprints To Open Phones.”
Katherine.Gorham: Wow. Dystopian much?
Josh.Folland: Very. But I was always under the impression the law could compel you to give up your fingerprint.
Trevor.Pott: Josh is correct.
Josh.Folland: Them storming a building to collect them en masse is mildly frightening. (I use mildly because this sh*t just doesn’t surprise me anymore).
Katherine.Gorham: They had a warrant. A super-vague warrant, to be sure, but it wasn’t totally random.
Trevor.Pott: I don’t care. They eliminated the presumption of innocence for an entire building’s worth of people. That’s bulls**it.
Josh.Folland: They had a warrant to try to find evidence to get a less-stupid warrant.
Katherine.Gorham: I’m not saying it was a good move. Just not a warrantless bad one. Also, what’s the data retention policy on randomly collected fingerprints? Forever?
Josh.Folland: I can only imagine it goes in “your file”, yeah. Prosecutors would love if they had every person’s fingerprint forever, no? As opposed to waiting until they get put into the system.
Trevor.Pott: They collected my fingerprints at the airport when I applied for a NEXUS card, and told me they would be retained by both nations, presumably forever. Once they have that info, does anyone expect them to give it up?
Katherine.Gorham: No. But I wondered if there was any specific legislation about it.
Trevor.Pott: There’s lots of precedent in the UK for Law Enforcement Agencies (LEAs) to not delete fingerprints, DNA and more when they are supposed to. I expect all members of the Five Eyes to carry equal antipathy towards their own citizens.
In Canada, we have Bill C-51, which effectively hands our LEAs carte blanche to do anything they want.
Katherine.Gorham: I don’t really care if law enforcement has my fingerprint, but as with any mass data collection scheme, I have a lot of other objections: where do they store it? How secure is it? Who else can see it? (Whether authorized or unauthorized.)
Trevor.Pott: Re: the safety of your fingerprints: they are not safe. At all. Even if you are among the most highly vetted, critically important people in the US government. Others are aware of this. No, nobody cares. Apathy and negligence always win out.
Josh.Folland: I cannot in good conscience support or agree with anyone who thinks C-51 is a good idea, let alone vote for them.
Katherine.Gorham: There’s a point of similarity between C-51 and the court filing to get that mass fingerprint warrant, in my opinion. Both of them used amazingly impenetrable, obfuscating language. I can’t say “on purpose”, because I have no idea if that was the case. But I do wonder if we’re facing a problem with law and technology: do the people voting for the legislation (or the people authorizing warrants) actually understand what they are signing? Or is it to them, basically “blah blah blah PASSWORD something something DATA technobabble SECURITY.”?
Trevor.Pott: No, I don’t think most people understand what they’re voting on. Certainly not elected officials. They not only don’t understand the problem – and why should they, most sysadmins don’t – they don’t understand the consequences of various choices, including inaction.
This really boils down to “why lobbying works”. Lobbying works because an elected official can only vote for, or table legislation on, a solution that they have encountered to a problem they even know exists. Often, lobbying is nothing more than getting enough airtime to present the problem and your proposed solution. No bribing required.
However, when the only people who get time in front of the relevant MPs to discuss digital security issues are the spooks, only their agenda is fulfilled. Sadly, their agenda doesn’t seem to actually be related to real-world concerns of everyday citizens, nor solving those problems.
The spooks – and the major corporations – act on one extremely flawed principle: “trust me”. And maybe – just maybe – the people in charge of those organizations are good, moral people today. What about tomorrow?
I just keep thinking about this: UK’s National Pupil Database has been used to control immigration. Lists of people will be used to discriminate. It is a fundamental law of human nature. We must avoid, wherever possible, putting groups of people onto lists, especially in government.
Josh.Folland: Indeed. Once the data exists, it’s just a matter of cherry-picking something that gets you ostracized by society. Homosexuality. Drug use. Infidelity. What’s next?
Trevor.Pott: That’s my problem with this. The presumption of innocence goes out the window when you start hoovering up data but get none of the context. I don’t want HAL-9000 deciding my fate.
Anyways, no, the data isn’t safe. It can’t be made safe. The only way to square this circle is to avoid collecting the data unless absolutely necessary in the first place.
Katherine.Gorham: I agree. But I wonder how we even begin to convince legislators of this when public perception still seems to be “Big Data isn’t scary, it’s friendly! It’s magic! It cures cancer!”
Josh.Folland: It’s the same issue that we discussed last time. Nobody cares until they get slapped in the face by it.
Katherine.Gorham: Yes. I guess I’m always banging the drum of how to get social change to even sort of keep pace with technological change.
Trevor.Pott: Honestly? I don’t know. People – especially people in power – have been prone to “magical thinking” throughout all of human history. How many of them still deny climate change, or even evolution? If you can’t educate these people regarding basic science, how can you educate them regarding complicated mathematical or technical issues like encryption, or the attacker/defender dichotomy of digital defence?
Josh.Folland: I can only hope that 50 years from now we look at these privacy and security issues and say “wow, we sure were stupid back then eh?”
I feel like the worst has yet to come, though.
Trevor.Pott: I mean, look at France and making burkinis illegal. That was this year. We can’t allow governments this kind of surveillance power. We, human beings, aren’t ready to have that kind of oversight into the lives of others. We aren’t responsible enough to create a privacy-free society.
Which brings me back to the phones. Maybe there’s a reason to want to go through everyone’s phones in an entire building. And maybe it’s even legitimate. But there has to be a procedure in place to A) not retain data on anyone who isn’t a legitimate suspect B) discard data from those found not-guilty, or who are no longer suspects and C) limit the number of individuals (and/or databases) that interact with these phones, as they are highly private devices.
Josh.Folland: Watch someone panic as they can’t find their phone and you’ll truly understand how the smartphone has become a conscious extension of one’s self. The response to very personal interference hasn’t reached its boiling point yet but it’s getting closer and closer as technology becomes a more and more significant and necessary part of our lives. It used to be “I have an online and an offline persona” but as time passes, technology improves and society “progresses” (I use that term loosely) the lines between the two get blurred.
Katherine.Gorham: Good point, Josh. Technology is, at least for some, moving from the abstract to the personal. IT is not a device, it’s their life. Maybe that is the tipping point needed for people to get involved with these kinds of issues.
Trevor.Pott: To resurrect an old argument: will people actually care unless it impacts them directly? Humans are remarkably good at saying “it won’t happen to me”, even when the statistics say otherwise. Look at the almighty fights we had about seat belts, drunk driving or second-hand smoke!
Josh.Folland: Maybe it’s just a matter of changing the rhetoric.
Trevor.Pott: “Make Privacy Great Again?”
Josh.Folland: The reality is that security can, will, and does impact everyone. But so does every other technology that’s come before it. Society evolved damn quick when we got cars everywhere.
Trevor.Pott: But it doesn’t affect everyone! Or, at least, it’s easy to convince yourself that it doesn’t. If you aren’t secure at work, it’s your employer and their customers that are impacted. Not you. (Or so history teaches us). People in charge who might be responsible for training, incentives, security best practices, etc… they are never held to task. Security only “affects all of us” in an abstract way. Humans suck at thinking in the abstract.
What it boils down to is this: whether it’s security or privacy, people don’t like doing things that aren’t easy, and they’ll take great risks in the name of convenience. This has always been true. It will always be true.
So long as there is more money to be made exploiting something (our lack of security, our lack of privacy) than there is in making that thing easy to use and convenient, the people as a whole will be taken advantage of.
Katherine.Gorham: Basically, security problems come from Monday mornings. “I don’t wanna deal with this right now, there isn’t enough coffee in the world, and it doesn’t really affect me anyway.”
Josh.Folland: Indeed. I post about this type of stuff on Facebook from time to time and most of my friends (who are ass poor and struggling to get their careers and relationships off the ground) just don’t care. Not to fault them, they just have other priorities.
Katherine.Gorham: Yeah. Why can’t the Internet of Awesome pay my rent, or help me get a decent night’s sleep?
Trevor.Pott: Indeed. Try talking about this at a family reunion and most of them think I’m a conspiracy theorist because I don’t blindly trust the government, police, spooks and corporations.
Katherine.Gorham: Try explaining to a checkout clerk why you don’t have an Air Miles card… same thing. If I care about who has my data and how securely they store it, I’m a tinfoil hatter.
Trevor.Pott: The fact that I can link to evidence for everything I’m saying – not “flag waving on the moon” class evidence, but carefully analysed by the world’s top experts evidence – doesn’t mean anything to my family. They were raised to trust the system, and trust those in power and they can’t conceive of anything else. Trying to change things, trying to educate themselves, it seems too overwhelming.
They actively don’t want to know. They carefully cultivate ignorance so as to attempt bliss.
Maybe that’s the downside of writing tech? We see this stuff every single day. We see examples of it constantly. We can’t not know about it.
Katherine.Gorham: There is no bliss in tech journalism.
Trevor.Pott: Bread and circuses, man. Doesn’t work for those who organize the circus.