For people to have the level of privacy they need or think they are receiving, greater protections need to be erected for them, writes Ross Bellaby.
Never before has the real world been so interconnected with the cyber with an increasing amount of our everyday activity becoming digitised. However, what we say, what information we look at, and every online activity necessarily leaves electronic records and footprints that can reveal some of our most personal activities and attributes. Unsurprisingly, this is something that has not escaped the attention of the intelligence community who argue that by collecting and examining this data they can detect, locate, and even predict threats.
People are, however, rightly concerned that access to this information without their knowledge or control represents a significant threat to their privacy, with additional concerns being raised about how access to this information might be used against them or used to distort their access to services. As such, an increasing number of people have begun to utilise anonymising technology to secure their identity and online activity behind encryptions and auto-deletes. One popular tool for this is TOR, an easily downloadable program that allows online anonymity through onion routing – a form of layered encryption where the traffic is processed through three nodes, encrypted at each stage so that the sender and destination are unknown as each intermediary knows only the location of the immediately preceding and following nodes (Abbott el at, 2007). Through this TOR circuits many kinds of ‘hidden services’ are available such as website hosting denoted by the onion URL, online messaging and VOIP communications, and data sharing (TOR Project). These protections have created what is commonly referred to as the ‘dark web’, the collected sum of these websites that allows anonymity to those who visit or conduct business through it.
This technology, however, should not be just for those who have the awareness to download and utilise it. The increasing pervasiveness of online surveillance means that people should have such online protections put into place for them, whether they have explicitly requested it or not.
This argument clearly represents a new ethical challenge. On the one hand intelligence actors have an ethical obligation to prevent threats from harming the political community and having access to online information when justified can play an important role in this. Indeed, anonymising technologies that allow the individual to ‘go dark’ go further than any previous protections, creating what former FBI Director James Comey termed as ‘warrant proof’ spaces – technological black boxes that no matter what some authority might deem as being legitimately searchable is protected to the extent that there are very limited or non-existent means of forcing oneself in (Judiciary Committee). This has the potential to sway the balance against the intelligence community irrevocably, preventing them from monitoring online activity or accessing digital information, even when they have a legitimate reason for doing so.
Arguments could be made, therefore, that anonymising technology distorts the relationship between liberties and intelligence actors too far against protecting the political community as the state, even when justified, cannot access necessary information. However, from the point of view of the individual this does not diminish their right to establish whatever privacy protection they see fit. Judith Thomson discusses privacy in terms of a collection of property rights: that if an individual wishes to put something precious to them in a safe to prevent others from looking at it, then it is their right to do so, and indeed represents a clearer demonstration that they wish to stop others from looking at what they own. Breaking in would be a clear violation of their privacy (Thomson, 1975). Importantly, they are not locking their private items away with the knowledge or expectation that should the need arise the door can be blown off. It is not the responsibility of the individual – or safe manufacturers – to ensure this option. If we make Thomson’s safe crack-proof this does not undermine the individual’s right to use it, even to the detriment of possible future intelligence collection. Moreover, it is the state’s duty to demonstrate why such protections for specific individuals should be necessarily pulled down.
The individual is assumed innocent until proven guilty and the danger of demanding presumed access to an individual’s property flips this; that there is an assumption that they will be guilty of something and so the state will need access; or that using such protections is an inherent indication of future guilt as a form of pre-crime (Zedner, 2005; Solove, 2007). Any demand that insists on weakening protections for all individuals assumes everyone is potentially guilty and therefore in need of being surveilled. Therefore, it can be argued that even though anonymising technology provides a nearly impenetrable barrier, the individual has the right to exert what protections they feel is required to ensure their privacy.
Not only a right, but an ethical need
This argument can be pushed one step further, however, in that not only is there a right but it is ethically mandatory to establish such privacy protections at a fundamental level of cyberspace, to create defences that automatically and systematically anonymise an individual’s identity and activity whether or not they have expressed an explicit desire. While this might raise liberal concerns regarding overreach and interference in people’s lives, paternalism can actually help highlight why there is a need for such interventions. Indeed, some argue that any interference in an individual’s life is unjustified because it is infantilising to the individual (Anderson, 1999), or a ‘violation of the person’s autonomy’ as people are not choosing their own destiny (Dworkin, 1988: 123). However, if the main concern about paternalism is the impact on people’s autonomy then the context of the interference becomes important. Being fully autonomous requires people having the capacity to plan, choose, and reflect on options in terms of arguments, with the relevant information and without excessive outside influence (Frankfurt, 1971:7). If individuals do not have the full facts or could not reasonably be able to comprehend their meaning, then they are unable to make an informed decision and are therefore unable to act autonomously. Moreover, lacking the capacity for full autonomy demands an obligation on others to help provide or facilitate their realisation of their good life, whether the support is physical or in aiding in the necessary rational, critical reflection. It can be argued, therefore, that anonymising technology protects people by providing them with their necessary privacy in a situation where their lack of knowledge or ability to understand means that they are non-autonomous agents, while also securing their autonomy through providing protected spaces for deliberation free from state surveillance influencing their decision-making processes.
An important part of this argument is the overall general ignorance of people in understanding how their information is being collected. This includes a general lack of awareness in regards to privacy settings and an understanding of the implications of the publically stated abilities of corporations and governments to collect data, as well as a specific lack of awareness on the secretive surveillance powers of intelligence actors such as the USA’s National Security Agency (NSA) and UK’s Government Communications Headquarters (GCHQ) that were revealed by Edward Snowden.
Indeed, there is wide ranging evidence showing that while people do value their online privacy, they do not recognise the need to act to protect it. For example, in terms of social media, even though there should be a greater awareness on the ability of others to access one’s information given its outward looking nature, people view access like a ‘walled-garden’ – expecting their friends to be able to view the information but not the wider world (Dwyer et al, 2007; Livingstone, 2008; Tufekci, 2008). Moreover, even when people consent to access to their information – in terms of HTTP cookies (also known as browser cookies or just cookies) or by accepting website ‘terms and conditions’ for example – there are significant technical barriers to people fully understanding the implications of such agreements. This therefore fails to meet the standard of informed consent, especially when there is a culture of pervasive and habitual nature of agreeing to the terms coupled with the lack of technical understanding.
Concluding the need
The conclusion therefore is that while anonymising technology and the dark web represent a clear challenge for the intelligence community, in order for people to have the level of privacy they need or think they are receiving then greater protections need to be erected for them. These protections are very difficult for intelligence actors to circumvent and so prevent large-scale surveillance. This technology therefore not only represents a useful means of people erecting protections over their cyber-privacy, but it is this very en masse surveillance – from both governments and corporations – coupled with people’s limited awareness and ability to comprehend such data collections that makes such technology ethically mandatory. Therefore, anonymising technology should be built into the fabric of cyberspace to provide a minimal set of protections over people’s information, and in doing so force the intelligence community to develop more targeted forms of data collection.
- This blog post appeared previously at LSE Business Review and is based on the author’s paper “Going dark: anonymising technology in cyberspace“, in Ethics and Information Technology (2018).
- Featured image: Logo of the Tor browser, by The Tor Project, Inc., under a CC-BY-3.0 licence
Note: The post gives the views of its authors, not the position USAPP– American Politics and Policy, nor of the London School of Economics.
Shortened URL for this post: http://bit.ly/2Z86GOY
Ross Bellaby – University of Sheffield
Ross Bellaby is a senior lecturer in security studies at the University of Sheffield’s politics department. His research focuses on designing ethical frameworks for the intelligence community and for cyber-activity. His ethical framework is set out in his book, The Ethics of Intelligence: A New Framework (2014). This work is further developed in papers on counterterrorism and the CIA’s extraordinary rendition program (2017), the justifiability of cyber-intelligence (2017), the ethical obligation of whistleblowing (2017), and the need for more dark web technology to protect against state surveillance (2018).