Free media: issues, challenges and proposals

Privacy, Surveillance and Data Tracking: Why Does it Matter for Human Rights Defenders?

by HACHE Alex, JANSEN Fieke

Can anyone really imagine life without the Internet and technology? For Human Rights Defenders (HRD) and activists the answer is no. Information and Communication Technologies (ICT) have become indispensable for individuals and networks, as well as integral to mobilizing resources effectively. Their capacity to influence and engage with individual and public opinions, expand the social base that supports them, highlight struggles and alternative ways of doing things, are all greatly facilitated by different technical means. How HRD tactically and creatively use ICT can enhance or minimize their responsiveness, reach and survival. And it is the same for free media and the people keeping it alive. Without the Internet and ICT, getting their voices heard and reaching out to local and global audiences would be much more of a challenge. In this article, we will focus on Human Rights Defenders and activists, and how their use of ICT and the Internet can put them at risk as well as their contacts, networks and the public they work with. Our analysis and recommendations thus also include free media initiatives.

The Internet has profoundly changed over the last decade, moving from a free, open, decentralized and do-it-yourself Internet to a centralized and commercially-oriented Internet. Major players such as the well known GAFAM (Google, Facebook, Amazon, Apple and Microsoft) have offered users convenience and often innovative online services and platforms “for free.” Nonetheless, this convenience has come at a cost. GAFAM offers more than just free user services; these companies provide the hardware and software foundations of the Internet [1], making it virtually impossible not to use any of their products, as other user products are built into their infrastructure. This centralization goes hand in hand with one of the key commercial driving forces of the Internet: data. These companies feel entitled to collect and sell the personal data of their users. This data-centric world has and will continue to negatively impact the ability and freedom of individuals to exercise their freedom of speech and challenge those in power, as well as encroaching on people’s privacy. [2] It will also increase cases of “data discrimination” in which oppressed or marginalized communities are further socially excluded due to opaque “algorithmic” processes. Moreover, these centralization, commercialization and datafication trends have also made it easier for governments and companies to engage in surveillance activities aimed at controlling, censoring and tracking down political dissidents and HRD.

Who tracks us? Trackography project, Tactical Tech

In this article we detail the different types of data that are created, collected and analysed and discuss how they enable different forms of surveillance and control of HRD. This is followed by several recommendations on how to regain a certain degree of control over HRD “digital shadows” [3] and a list of useful resources and guides which enable one to use the Internet with increased privacy and security while maintaining one’s political engagement and citizenship. [4] This message was sent to mobile phone users located near a protest area in Kiev in 2014, their mobile phones revealing their location. One seemingly innocent piece of data such as location, situated in the social and political context of Ukraine, was linking people to a larger political tension. The prosecutor general called the protest a crime against the state, and labelled protesters or those in the protest’s vicinity as criminals.

Me and my shadow, Tactical Tech

Other examples show us how Women Human Rights Defenders (WHRD) have been harassed for speaking up in the name of social justice and equality. Personal profiles and fan pages are routinely taken down by Facebook due to targeted campaigns coordinated by misogynists “denouncing” their pages. For many activists, losing access to their social media profile not only means having their voice censored on the Internet but also means losing their contacts and support networks. [5]

Both examples show that data is not created, collected and analysed in a vacuum. It is placed in the social, political and economic context in which many HRD operate. To understand the impact of data on the privacy, security and well-being of a HRD, it is important to be familiar with the different data categories (identity, social networks, habits and patterns), and understand who can access this data and how it can be used. It is also important to identify how HRD can navigate these new challenges.

First of all, it’s helpful to think of all the digital data about you (your “digital traces”) as information that tells a very detailed story about you and your activities. It is like a “digital shadow” that is constantly expanding and morphing, with you and others creating and adding new traceable activities. When we use the term “digital traces,” we are basically referring to two types of data: content and metadata. Each has its own unique characteristics and can be used for different surveillance purposes.

Content is created by you and others actively publishing information, which includes what you write, publish and share, as well as content that other people create about you. Content can be scanned for key words which are considered harmful to the status quo, identifying whoever created the content as a human rights defender. The content may be read by individuals (trolls) who may not agree with it and consequently start an online hate campaign.

Metadata is data about data, which is created so that the basic infrastructure of our digital systems, including the Internet and our mobile phone networks, can work properly. For example, the metadata of an email contains the sender, recipient, time and date, sometimes the IP address and subject line. Metadata enables your email to be delivered correctly, your files to be found on your computer, and your smartphone to receive text messages and phone calls from around the world almost instantaneously. As it is a key component of the Internet infrastructure, it cannot be easily modified, masked or concealed.

Metadata is very structured and therefore machine readable, which is good for understanding patterns in human behaviour [6] and creating social graphs. [7]

Quantity is significant, as the metadata of a single email may not reveal that much, but an inbox full of email will reveal not only the frequency of communication and the times at which the communication takes place (there might be spikes before political events), but it will also highlight the different networks a HRD is communicating with. [8]
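
To see what your own inbox would disclose from headers alone, the following is an added example (not part of the original article) in Python. The function names are hypothetical and the sample messages, addresses and dates are constructed; no message body is ever read.

```python
from collections import Counter
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime
from itertools import combinations

# Constructed sample: header blocks only, as they would appear in a mailbox export.
SAMPLE_HEADERS = [
    "From: ana@example.org\nTo: me@example.org\n"
    "Date: Mon, 03 Mar 2014 09:15:00 +0000\nSubject: hello\n\n",
    "From: me@example.org\nTo: ana@example.org, lawyer@example.net\n"
    "Date: Thu, 06 Mar 2014 21:40:00 +0000\nSubject: tomorrow\n\n",
    "From: me@example.org\nTo: ana@example.org, press@example.com\n"
    "Cc: lawyer@example.net\nDate: Fri, 07 Mar 2014 08:05:00 +0000\nSubject: statement\n\n",
    "From: press@example.com\nTo: me@example.org\n"
    "Date: Fri, 07 Mar 2014 08:30:00 +0000\nSubject: Re: statement\n\n",
    "From: ana@example.org\nTo: me@example.org, lawyer@example.net\n"
    "Date: Fri, 07 Mar 2014 23:10:00 +0000\nSubject: urgent\n\n",
]


def metadata_profile(raw_messages, owner):
    """Summarise what From/To/Cc/Date headers reveal about the mailbox owner."""
    contacts = Counter()  # how often each address appears alongside the owner
    per_day = Counter()   # message volume per calendar day (spikes stand out)
    by_hour = Counter()   # hours of the day at which mail is exchanged
    edges = Counter()     # pairs of contacts seen on the same message (social graph)
    for raw in raw_messages:
        msg = message_from_string(raw)
        fields = (msg.get_all("From", []) + msg.get_all("To", [])
                  + msg.get_all("Cc", []))
        people = {addr.lower() for _, addr in getaddresses(fields) if addr}
        when = parsedate_to_datetime(msg["Date"])
        per_day[when.date().isoformat()] += 1
        by_hour[when.hour] += 1
        others = sorted(people - {owner})
        contacts.update(others)
        edges.update(combinations(others, 2))
    return {"contacts": contacts, "per_day": per_day,
            "by_hour": by_hour, "edges": edges}


def busiest_day(profile):
    """Return (date, message_count) for the day with the most traffic."""
    return max(profile["per_day"].items(), key=lambda kv: kv[1])


if __name__ == "__main__":
    profile = metadata_profile(SAMPLE_HEADERS, "me@example.org")
    print("Most frequent contacts:", profile["contacts"].most_common())
    print("Busiest day:", busiest_day(profile))
    print("Contacts linked to each other:", profile["edges"].most_common())
```

Five header blocks are already enough to rank the owner's contacts, show which contacts know each other, and single out the day on which traffic peaked.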

# Controlling data

It is important to understand that once digital traces are created and transmitted, they are out of our immediate control and generally end up in the hands of others, stored on servers that don’t easily forget. But not all digital traces are equal. The amount of control we have over a digital trace depends on how the trace was created and where it is stored.

In his book Data and Goliath [], Bruce Schneier outlines six different types of data or digital footprints. [10] They range from service data, which is the easiest for a HRD to control, to derived data, which is the hardest to control. Service data is information which is required when registering for a service. You can control the data you provide by withholding certain details, providing fake information or using an alias. Then there is the information that others create about you, called incidental data. This includes tags, Twitter mentions, email and phone conversations. It is already more difficult to control, as a HRD can only ask certain people not to post photos or mention them. With data we entrust to third parties (entrusted data) such as Facebook and Google, HRD are dependent on these companies and institutions to treat their data with care. This category also includes data provided in governmental records, utility bills and bank statements.

The last two categories Schneier mentions are behavioural and derived data. Location data falls under the category of behavioural data, [11] and reveals what HRD do, with whom, how often and where. As this is mostly metadata, needed for the infrastructure to function, it is very hard to control. Finally, derived data, data which is inferred about HRD from other data, is out of one’s control. Companies and governments use data to create group profiles, based on social media networks, location data and/or browsing behaviour. We have no control over what group profiles we belong to, nor what inferred digital footprints are created.

Both types of data present specific challenges and threats to HRD, as phone records, email and social media activity can reveal a HRD’s identity, their networks, their location and/or their activities (content of their communication). Nonetheless, it is important to understand that these categorizations are mostly analysed and created by algorithms and artificial intelligences. Both are only as good as the data which is the input, the code which is written by humans and the decisions that are based on the output. It is not uncommon that algorithms or artificial intelligence get it wrong. [12]

This means that you may be labelled an activist yet have nothing to do with activism, or be linked to a low credit score which prevents you from getting a loan, or be excluded from possible job interviews because you live in an impoverished area of the city. [13] Algorithms are behind most of the analysis made of behavioural and inferred data, and they can be completely off the mark. They can also be extremely accurate and put HRD and their networks at risk.

# Forms of surveillance

In her paper entitled “Big Data and Sexual Surveillance,” [14] Nicole Shepard reminds us that “when the control of a person’s information is out of that person’s hands, so too is the nature of the potential transformation.” She quotes Manovich who identifies three emerging classes in our data-driven societies, “those who create data (both consciously and by leaving digital footprints), those who have the means to collect it, and those who have expertise to analyse it. The first group includes pretty much everybody in the world who is using the web and/or mobile phones; the second group is smaller; and the third group is much smaller still.” [15] [16]

There are three types of actors who collect and analyse data: companies, governments and individuals. Companies collect data in order to analyse individuals’ behaviour and habits for money-making purposes — otherwise known as corporate surveillance. Not only do companies sell data or their analysis of certain groups to other companies and governments, the Snowden documents [17] revealed that some companies also cooperate with governments by providing access to their databases. Or governments will hack into their servers to gain access to this data. [18]

Governments are extremely interested in gathering as much data as possible, in order to ensure a more efficient bureaucracy, to catch the “bad guys,” to identify foreign spies and to monitor migration. Depending on the social and political situation, this can also result in excluding marginalized groups from specific services, [19] censoring media, monitoring online activity [20] [21] and identifying activists (using the Internet [22]), or even trying to “wall” their country off from the rest of the online world. [23]

Lastly, individuals can collect data by engaging in open source intelligence, social engineering or hacking into online services. There have been many cases where individuals use accessible online data to profile, monitor, control, spy on, harass, or blackmail family members, spouses, ex-partners or simply people whose lifestyle or political affiliation they disapprove of. Female HRD are especially vulnerable to this form of surveillance, as trolls, conservative and anti-rights groups have used different tactics to collect information in order to silence them. [24]

As our online profiles and “digital shadows” are constantly expanding, they give those who have access to them immensely detailed insight into who we are, what we like, who we know, what we do, and our daily habits and interactions. Often, in-depth data collection and analysis enables them to learn things about us that we may not even know or realize.

Companies and services (and even some researchers and non-profit organizations) often argue that they protect users through data anonymisation, so your “privacy” is safe with them. But it has been proven [25] that our data traces are so unique — just like our fingerprints — that even a small sample of data about us enables data analysts to identify and reveal individual behaviour due to the distinctive patterns which form our “digital shadows.”

Depending on who you are and what you do, you will probably have different concerns about the kinds of data or “digital traces” that are being created, as well as who can access them. This may make you feel uncomfortable. However, it’s important to remember that you are not alone, and that there are a number of things you can do to limit your digital traces as much as possible.

# What you can do

Worldwide, there are very few laws that effectively regulate data collection or protect us from the unprecedented level of surveillance we are currently experiencing. This makes it even more important to support privacy protection laws and standards in order to work towards change both now and in the future.

It also makes it important that we remain aware of an issue that is relatively “invisible,” benefiting corporations and governments, and find ways to create interest and awareness among our own networks and friends.

And finally, we can also fight back by regaining control over the digital traces we create and limiting who can collect them by changing our ICT practices and switching to privacy-sensitive alternatives. [26] It’s important to deepen one’s understanding of the powers at play and educate oneself and one’s contacts and networks about how location [27] and browser [28] tracking works. There is a myriad of helpful resources [29] that enable one to switch practices and tools, thereby positively impacting one’s digital shadow.

We have also listed four possible strategies that enable one to regain a certain amount of control over one’s data and digital shadow. These strategies encompass tactics which may converge, complement or even contradict each other depending on who you are, the risks involved and how far you are willing to go in regaining control over your data.

One first possible strategy is “Reduction,” in the vein of “Less is more!” The idea is that data that is not created, can’t be collected, analysed, stored or sold. This strategy is based on the premise that the less data we produce, the better. Several concrete tactics include:

. Limiting data generation by withholding information. You do not need to fill out all the fields in registration forms.
. Cleaning your online identity: delete apps that you no longer use from your mobile phone, and erase pictures, emails and messages that are outdated.
. Blocking unwanted access, and installing Privacy Badger and NoScript to block cookies and other third party scripts from running in your browser and collecting data.

The second possible strategy is “Obfuscation.” This encompasses the idea of “Hiding in the crowd!” and intends to confuse companies or other adversaries with noise and confusing information. The obfuscation strategy involves creating a lot of fake information so that companies, governments or other individuals do not understand which data is true and which is false.

Several tactics include:
. Creating several fake social media profiles with similar names or pictures.
. Masking your individual identity on Facebook by creating a group account and identity.
. Creating noise by clicking on random ads, or installing AdNauseam, a tool that will do this for you while you do other things.
. Misleading Google by installing TrackMeNot, a tool which generates random search queries, masking your real searches and questions.
. Using a VPN to change your IP address.
. Changing the name on your phone.
. Breaking your routine...

Our third strategy is “Compartmentalization,” which is based on “Diversification of profiles.” Offline we have a different persona in different social situations: at work or school we might be a different version of ourselves than at home, in the bar, or at the gym. We naturally tend to be good at managing these different identities. The compartmentalization strategy is about managing multiple personas online as well, by grouping different social networks, interests, behaviour, information and identities into different “compartments.” Several tactics include:

. Searching for your name online and writing a list of all the different accounts you have. This is a first step towards separating your online life into different spheres.
. Creating different social media accounts with different names.
. Separating your online identity: use certain browsers for certain sets of online activities; use different messenger apps for different social circles.
. Isolating valuable or personal data by storing it on a different device.
. Separating your work life from your social life by using different email accounts for each.

Finally, the fourth strategy is “Fortification.” This encompasses the idea of “My devices, my rules!” and is based on creating barriers, restricting access and visibility. This strategy is designed to keep your data safe from prying eyes. Several tactics include:

. Creating a barrier: install an anti-virus program and keep it up to date.
. Keeping your data under lock and key: encrypt your mobile phone, computer and tablet.
. Breaking all signals: turn off Wi-Fi and Bluetooth when not in use and put your phone in a Faraday shield (you can make one yourself) when you don’t want to be tracked.
. A simple but effective measure is to cover your webcam when not in use.
. Ensuring that you connect to websites through a secure connection (wherever possible), by installing HTTPS Everywhere in your browser.

These recommendations are essentially about what you can implement or change as an individual. However, privacy and security is a collective game. The small-world experiment shows [30] that we are all somehow interrelated. All our actions as individuals impact and influence the privacy and security of our contacts and also of third parties. Making recommendations about privacy for organizations and/or networks would require a new article on its own. Yet we have included the following security recommendations for social movements.

First, social movements would need to adopt shared agreements and then establish common security practices. This means social movements and networks would need to identify their threat model, analyse the risks and potential impact of those risks, and assess the likelihood of these risks occurring. This should enable them to prioritize certain areas, and decide accordingly which practices and security protocols they need to implement.

Secondly, organizations and social movements need to pay more attention to their technology choices and to selecting appropriate tools for communicating, sharing and storing information. This means selecting tools that are not commercially oriented and that do not jeopardize their users’ privacy. Fortunately, there is a wide range of free privacy and security oriented software tools that have been developed and maintained by non-profit organizations and communities. We recommend you explore those options and alternatives with your colleagues and choose the communication tools that not only fit your privacy needs, but are also aligned with your ethical and political beliefs. Enjoy!