Sunday 25 March 2018

Too much information... the threat of mass surveillance

Every click you make online can be harvested to build up a personal digital profile for use by snoops, governments and big business. Can this week's European court ruling rein in such scary mass surveillance?

Austrian Max Schrems (L) with his lawyer Herwig Hofmann
Kim Bielenberg

A vast amount of personal information about internet users is available online, but we seem to be powerless to control who has access to it.

We may think that nobody outside our immediate circle knows if we suffered an illness, or if we put in a new bathroom. We may have thought it was a secret if we were once prosecuted for a traffic offence, or if we have a burglar alarm at the side of our house. By mining data, snoopers can find this type of information out easily, just sitting at a desk - if they are interested.

Two years ago, the whistleblower Edward Snowden blew the lid on how US spying agencies can tap into major websites such as Facebook, Google and Microsoft to read private messages and emails. But they are not the only ones. Our privacy can be breached by employers, Irish State agencies, former partners and even suspicious spouses - and most of all by ourselves.

As Dublin cyber-security specialist Eamon Noonan told Review: "If I want to find out information about you, your privacy is not going to stand in my way.

"There are now sites that aggregate all the information about an individual and put it together. In the internet age privacy is a fallacy."

This week EU rules that allow Facebook and Google to transfer personal data about us to the United States were thrown up in the air after campaigning Austrian student Max Schrems scored a major legal victory.

An official at the European Court of Justice ruled that "mass, indiscriminate surveillance" carried out by US intelligence services renders a 15-year-old Safe Harbour agreement, which allows for transfer of data between the US and EU countries, invalid.

Schrems originally took a court action against Facebook in Ireland, arguing that the social media site violated his privacy by holding his data in the US, including content he had deleted.

The ruling will not stop agencies such as the US National Security Agency hoovering up information. But it may make the exchange of data across the Atlantic more difficult.

Typically, companies track what we search for online. They build up a profile of us, and then target us with ads.

Internet users with a Google account, such as the one they use for Gmail, can even check the search engine's ad profile of them, showing their interests.

Google purports to know if you are interested in history or hair-care products or shooter games. This profile is built from personal searches and other activity on Google sites such as videos watched on YouTube.

Most Irish internet users seem to agree to go along with this level of profiling, but Edward Snowden caused a stir when he claimed that details from the major companies were accessed by spying agencies.

"Snowden merely confirmed what many would have already suspected," says Noonan.

For the ordinary punter using the internet, does it really matter if a US spying agency can log the details when you order a Chinese takeaway online?

The trouble starts when users show an interest in a particular political activity, and this shows up in searches. Could it be interpreted as a threat by security agencies?

Dr Darius Whelan, an authority on internet law at University College Cork, says: "If you look up something like how to organise a protest or how to disrupt a ministerial meeting, that might set off a flag in a security agency.

"This becomes more sinister if you are living under a regime that is more totalitarian."

Daragh O'Shea, a data-protection specialist with Castlebridge Associates, says the information gathered by spying agencies is not always accurate.

"If an intelligence agency gathers information about you and it is wrong, you could end up on a 'no-fly' list, or you could come under more intensive security at a US airport. It could be because you liked something on Facebook or retweeted something on Twitter. You'll never know why because of the secrecy."

Snowden, the fugitive former NSA analyst, caused another stir this week when he revealed how British spies can turn smartphones belonging to suspects on and off from a remote location, and record what is happening around them.

The spying agency effectively takes over the phone, and it can be used to track the target.

This is what one would expect from a spying agency, but variations of this kind of snooping technology are widely available, and can even be used by ordinary individuals.

Using smartphone technology to spy on another person is remarkably easy, according to Noonan.

"Ordinary iPhones have a feature called Find My Phone, and once you have the password, you can find out where the phone is. So it acts as a tracking device."

FlexiSpy, one of the most popular apps available, offers to help ordinary users to "spy on mobile phones, cellphones and tablets".

As the blurb on the website puts it: "Is your wife or husband cheating on you? For the sake of your mental and sexual health, you have a right to know if your partner is being responsible."

FlexiSpy's website claims the app can listen and record live phone calls, eavesdrop on the phone surroundings, and read text messages and emails. It can also be used to rifle through digital photos.

Once the app is installed on the phone of the person who is being spied upon, it can track the phone user's movements using GPS and take photos of its locations by remote control.

These kinds of devices can also be used to spy on employees. When used to spy on employees, FlexiSpy can monitor and archive all communications on mobiles and tablets, including Facebook messages, texts and email. It can also secretly record sounds around the phone without the user knowing that it has been activated. It also traces the location of the phone through GPS.

Employers are legally allowed to monitor their employees' use of email and internet up to a point, but they are required to tell them beforehand that it is part of company policy.

Dr Darius Whelan says that employers engage in cyber-vetting of employees, and this often involves digging into a vast amount of detail about someone's past and studying their social-media presence.

"Employers routinely check profiles. A lot of the time it involves basic searches, but they can go further and try to get into more private zones.

"They might set up a fake profile of a 21-year-old attractive person and send someone a friend request on Facebook; then, the employer can see an entire private profile.

"A lot of young people are not aware that this is going on.

"They might have 700 friends on Facebook, and they accept friend requests from anyone."

As they leave college, graduates can find themselves blocked from some companies because of social-media posts that they made years previously.

"There may be stuff that is embarrassing, which is five years old, and really shouldn't be up on social media anymore."

Eamon Noonan says intelligence-gathering reconnaissance tools are now freely available on the internet.

This makes it much easier to gather information about an individual.

"Using a tool such as Maltego, I can put in an email address. It searches for every single instance of that email address online, and brings it back in a graphic format.

"We pour out information all the time. Think of every time you fill out a form, give information to research companies, go to hospital or do a survey. How well is that information protected?"

Data-protection watchdogs have repeatedly warned that state agencies are among the worst culprits, with unauthorised employees dipping into private information for no good reason.

Of course, the greatest intruders into personal privacy are ourselves, and sometimes giving away private information can turn us into victims of crime.

"A lot of criminals are now tech-savvy," says Noonan. "A lot of people put their wedding-gift lists up online, and that information can be accessed by burglars. Criminals can also use online RIP notices to find out when people will be out of the house for a funeral."

After this week's ruling by the European Court of Justice, a lot of responsibility is being placed on our Data Protection Commissioner Helen Dixon. She will have to decide whether transfer of the data of Facebook's European subscribers to the United States should be restricted on the grounds that the US does not do enough to protect our private information from prying eyes.

Whatever the outcome, we need to be more vigilant about protecting our private information as it swirls around the web at home and abroad.

Indo Review
