Tag - Identification


Tuesday, April 25 2017

ePrivacy debate is missing the basics - ends up helping criminals and anti-trust operations

ePrivacy is part of GDPR

ePrivacy addresses the low-level aspect of GDPR - can citizens and devices be identified, and are they, and thereby made trackable in the first place?

Where GDPR addresses data as such, ePrivacy is focused on the technology and telecommunications involved when parties other than the citizen access or collect data from basic devices and entities. People are also devices, as they communicate and have sensitive "identifiers" (biometrics are sensitive data which cannot be collected according to GDPR article 9).

The ePrivacy debate is missing the core issue

Much of the debate on ePrivacy is mistakenly conducted as a repeat of the discussion on GDPR (which is fixed), as commercial providers focus on access to track and collect sensitive data without consent or with merely the illusion of consent.

On one hand, this is understandable as consent is hard and in some instances almost impossible.

Informed Consent is increasingly meaningless in a digital world, where data are (ab)used for a myriad of purposes that grow almost exponentially. In addition, expressing consent PRIOR to collection is literally meaningless when data collection has already happened by the time the question is asked. The Internet of Things represents scenarios where this problem scales to the extreme, with the constant tracking of devices based on their leakage of identifiers (MAC or other device identifiers or addresses).

On the other hand, this is the EXACT reason and justification of ePrivacy, as it addresses the question of HOW basic telecommunication occurs.

The KEY question and raison d'etre of ePrivacy is to require sustainable telco standards.

The existing ePrivacy regulation has been effectively sabotaged by commercial interests reducing the issue to a statement "Here we track you and you consent simply by using our site", which is essentially a tracking wall mocking informed consent.

But we also saw the existing ePrivacy beginning to work as standards are changing - Bluetooth, RFID and WIFI have all seen modifications in the direction of eliminating persistent identifiers, whereby basic communication does not involve collecting device and personal data if neither can be recognized from session to session. In such a technical setup, Informed Consent can PRECEDE collection, i.e. the citizen can CHOOSE to release a Customer # or other identifier known to the site without releasing persistent identifiers linking the citizen/device across purposes.

If the citizen - for some strange or peculiar reason - actually wants surveillance, she can always release a persistent identifier such as a Device MAC or reused communication address (equivalent to or easily linkable to a social security number etc.). But, at least in principle, with the proper technologies applying Privacy by Design, she can also avoid doing so and maintain the integrity of purpose-specification and control of data.
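The difference between the two designs can be made concrete with a small model of what the surrounding infrastructure is able to link. This is an added example, not part of the original article and not the mechanism of any named standard; the HMAC-derived per-context identifier, the function names and the sample sessions are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample data: one device, four sessions as (context, consents_to_identify).
DEVICE_SECRET = b"constructed-device-secret"
PERSISTENT_ID = "02:00:00:aa:bb:cc"  # constructed MAC-style address
SESSIONS = [("shop.example", True), ("shop.example", True),
            ("clinic.example", True), ("transit.example", False)]

def context_pseudonym(secret: bytes, context: str) -> str:
    """Identifier the citizen chooses to release to ONE context (assumed HMAC scheme)."""
    return hmac.new(secret, context.encode(), hashlib.sha256).hexdigest()[:16]

def observe(sessions, unlinkable_by_default: bool):
    """Records the infrastructure sees for each session under the two designs."""
    records = []
    for context, consent in sessions:
        if unlinkable_by_default:
            rec = {"context": context, "address": secrets.token_hex(6)}  # fresh per session
            if consent:  # consent precedes release of a context-only identifier
                rec["customer"] = context_pseudonym(DEVICE_SECRET, context)
        else:
            rec = {"context": context, "address": PERSISTENT_ID}  # leaked every time
        records.append(rec)
    return records

def linkable_groups(records):
    """Contexts an observer can tie together because records share an identifier value."""
    parent = list(range(len(records)))
    def find(i):
        while parent[i] != i:
            i = parent[i]
        return i
    first_seen = {}
    for i, rec in enumerate(records):
        for value in (rec.get("address"), rec.get("customer")):
            if value is None:
                continue
            if value in first_seen:
                parent[find(i)] = find(first_seen[value])
            else:
                first_seen[value] = i
    groups = defaultdict(list)
    for i, rec in enumerate(records):
        groups[find(i)].append(rec["context"])
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

if __name__ == "__main__":
    print("persistent identifier:", linkable_groups(observe(SESSIONS, False)))
    print("unlinkable by default:", linkable_groups(observe(SESSIONS, True)))
```

With the persistent address, all four sessions collapse into one profile spanning shop, clinic and transit; with per-session addresses and a context-only identifier, the only link left is the one the citizen chose to give the shop.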

5G represents the test of ePrivacy reform

The ePrivacy reform faces an easy upfront test. 5G is entering the final stage of standardization.

Presently the standard works on the principle of enforced Data Retention in the sense of "Mandatory Endpoint Identification", meaning that all communication according to 5G will involve the network spying on devices and thus citizens.

If this happens, the EU faces a cartel-enforced data-retention regime until the next major change of standards, which is assumed to be a VERY long time away (at least decades). In that case, not only will the collapse of both ePrivacy and GDPR be almost ensured, but there will also be a MASSIVE negative impact on the value-creation of otherwise impressive technologies able to provide huge improvements in wireless communication.

The win-win alternative which ePrivacy MUST enforce

The sustainable alternative would be security and identity established as contextual-only, i.e. mechanisms where basic infrastructure maintains unlinkability unless explicitly desired otherwise BY the citizen.

It is clear that the telecommunications industry is still controlled by gatekeeper thinking, even long after this has proven a massive failure. Bad wireless standards are feeding control to the horizontal OTT infrastructure, where profit-streams originate from systemic profiling of citizens and companies across non-related sessions. This is a Data Retention problem that has been judged clearly illegal and non-compatible with the EU Charter by courts. As such, the 5G standardization process (such as e.g. @5GPPP and the 5G cartel) has both ignored and not invested in security beyond systemic surveillance. In other words, taxpayers' money has essentially - through the EU - been feeding illegal data retention activities.

But even though the actual security alternatives have clearly been suppressed in investments, this does NOT mean that standards should not assume these solutions can, will and must emerge. By deliberately preventing alternatives ("mandatory"), the 5G standard functions as an illegal antitrust cartel that prevents innovation in a direction that would prevent systemic tracking of citizens and devices, which would call for large fines as obvious violations of both EU anti-competition regulation and GDPR/ePrivacy.

You can now say that we should just wait and let Margrethe Vestager issue the predictable fines. But this misses the point, as we will still be caught in decades of MASSIVE BAD INVESTMENTS in insecure surveillance-by-design 5G technologies, which in the best case will cause massive damage to the European economy and trust in an already precarious situation.

My point - and the sole reason for this article - is that the ePrivacy discussion and reform need to get back to focus on the core point and raison d'etre: to require telco standards to ensure basic communication can be established WITHOUT transfer of control from citizens to surrounding infrastructure or passive wiretapping.

5G standards as-is are ENABLING terrorism

Where I would claim 5G should be considered critical infrastructure, and thus particular attention to security should be emphasized, we instead see standards DELIBERATELY undermining security even though we already know that e.g. US drones use the lack of security to direct missiles. The use of e.g. leaking wireless identifiers is rapidly turning normal in commercial tracking and targeting.

Point is - it is only a matter of time until even terrorists do the same, as this represents a certain, cheap and effective targeting system to attack particular targets including VIPs.

I informed the EU about and demonstrated this more than 10 years ago, but they continued to make the same basic security mistakes. I even published it as a commercial business case "Bombs for Hire" (slide 8) as part of the EU's 50 years anniversary. Bombs for hire (no security without privacy)

Wednesday, September 3 2014

We need a Second Renaissance

The first Renaissance

was about freeing the world from religious superstition, where some Bible, Koran or Priest is assumed to tell people what is right and what is law. The religious dictatorships of the pre-Renaissance are best exemplified by the Holy Inquisition and the conquering and enslavement of colonies with military and priests side-by-side. Various alliances between the Church and dictatorships brought suffering on everyone on an enormous scale.

Through science, experiments and rationality, citizens were empowered to think for themselves, revolt and act for the betterment of mankind. This brought forth a revolution of democracy and free markets that can be said to culminate with the Internet, where all mankind can have access to all knowledge almost instantly. It peaked with Francis Fukuyama's claim in 1989 of "The End of History", calling for the ultimate victory of democracy and market over dictatorship.

It did, however, not eliminate religious superstition. Worse - and here Fukuyama was wrong - it did not free humanity from the rapidly increasing abuse of pseudo-science for ultimately the same purposes that the first Renaissance was trying to free mankind from.

The second Renaissance

is also about empowerment. It is about freeing the world from scientific superstition, where some model or formula is able to or should tell the citizen what is right and how to behave. The dark side of the Internet and natural sciences turned out to be the ultimate of totalitarian regimes, whether built on Command & Control bureaucracy and economics, technically enforced cartels or Google style behavioral winner-takes-all market controls.

There are no pure democracies, and most of the former "free societies" are far down the grey-scale as the systems have grown unstable - intoxicated with the power of the Internet, making it possible to enforce non-legitimate interests on citizens and organizations while technically also ensuring they abide by dictate.

  • Authoritarian regimes can profile each citizen, ensuring that they act and think according to a defined ideal - whatever that may be. The divergent citizens and employees will get detected early and their re-education to the "right path" automatically controlled and constantly supervised. In such a society, there is no democratic debate except what the state deems beneficial to maintain the illusion and pseudo-legitimacy of power. The involved will have no problem convincing themselves that this is necessary for stability, national security, anti-crime and other anti-social behavior. They will even create an atmosphere of constant fear to ensure compliance.
  • Bureaucratic regimes can through technology dictate processes according to their design. Alternatives cannot exist and they will ensure all sub-systems feed their monitoring and plans for a "better life for everyone". And they will have an endless demand for intimate profiling of citizens to feed their "Research" and Command & Control models. Alternatives and UN-planned innovation will not be possible as technology structures will not permit these. The involved have no problems convincing themselves of their own superiority, neutrality, the effectiveness of centralized control and how irrational citizens need supervision to do what is right for themselves. They will create an atmosphere of spin claiming everything they do is good and blasting every case into proof of the incompetence of citizens.
  • Commercial cartel structures can through technology and pseudo-science dictate markets according to their design. Alternatives cannot exist as they cannot be interoperable, and new innovative competitors and better solutions are effectively prevented. Especially the role as gatekeeper to the digital networks is enforced through technology standards that strip citizens of control through identification and dictate a choice of Lord between cartel members.
  • A few commercial winner-takes-all structures will operate structures where every transaction increases their power in the next transaction, as they own the ability to link and apply controls. When these structures pass a certain threshold, power shifts from market participants to the infrastructure market makers, as participation will become a license to operate - if you don't comply you cannot get access to market. These structures will ensure all are accomplices and get a small fraction of the power profit. They will do their best to keep up the illusions of competition and choice even though there is none and markets are turning into gardened monopolies where the infrastructure players dictate their profits and all society suffers. These structures force commoditization in products and services as they feed on the illusion of competition but almost eradicate innovation. As a result almost all providers will see their profits disappear in cut-throat price competition with little chance of innovating themselves out of problems, as all novelties are rapidly copied and cartel standardization structures prevent major innovations.
  • Large-scale criminal organizations prosper in this world of destabilizing power concentration. They will not only be tolerated but created as the source of fear to justify the centralized powers and to take the blame for more covert actions. But even without the acceptance of the powerful, the near-total lack of security of dis-empowered citizens, commoditized companies and single-point of state organizations makes them easy targets and - through identity theft - useful to hide behind.
  • These destabilizing power structures are worst when they feed from each other. E.g. when NSA and the similar agencies in China and Russia create and feed from Commercial cartel structures such as GSM, EMV etc., requiring these to strip citizen security through standards. Or when the Bureaucratic regimes and pseudo-democracies rig elections through winner-takes-all entities engaged in political profiling and vote selling through systemic behavior manipulation.

These mechanisms are far from showing their worst as we see smart-phones, biometrics, elimination of cash, cloud and Internet of Things turning into systemic surveillance and control of citizens by both the direct commercial providers and indirectly state structures utilizing the commercial controls for bureaucratic and authoritarian purposes.

Characteristically, the neo-classical economic models are almost blind to these structures and the subsequent damages. The assumption of markets has become their illusion, as they do not see or model how power is exercised and how value is destroyed and growth prevented as people are adapted to systems instead of resources and processes being adapted to real needs.

We are not heading for trouble, we are already deep in trouble as the destabilization process continues to escalate, in many ways already exploding into social unrest, conflicts and crisis even if political institutions try to create illusions to maintain some order and structure. The events of 2001 and subsequent military actions, the Financial crisis of 2008, the Snowden revelations and the emergent geopolitical conflicts are far from over - they are going to get a lot worse and how we act will have a profound impact on future generations. Problems such as over-population, pollution and resource depletion are simple and easily solvable in comparison to social power and market structures gone destabilizing.

What is essential to understand is that all these problems are really caused by the first Renaissance's focus on rationalizing the world without ensuring that the social sciences evolved to say what needs to remain within the realm of personal space and choice, and to dictate these principles on technical design and standards. Naive political ideologies

The second Renaissance is about a return to Empowerment

Through evolving social sciences we need to understand the problems and provide ourselves with the education and the scientific, technological and technical means to detect and prevent the problems.

In reality most of the problems can be condensed into one single problem and related solution. Both the cause and solutions are closely related to HOW we digitize society.

  • Most of the power emerges from identification of Citizens when entering the digital networks and participating in society's processes. This is both the main source of destructive power and the main source of abuse of power.
  • Solutions simply have to eradicate digital identification - or in technical terms the ability to link unrelated transactions with the same citizen - as that will re-empower citizens relative to the destabilizing power structures and provide means for gradual recovery, as historic data cannot be abused to control the future and citizens, while society's processes and value chains will - once again - be forced to adapt to individual needs and the best providers rewarded with the profit of serving real needs instead of non-legitimate interests in private or public infrastructure.

I remain a defeatist optimist. Meaning that in the short term, I fear that our institutional structures are more a part of the problem, knowing very well from history that each age has a tendency to live up to its most sinister potential. But also that - in the longer term - humanity has a tendency to rise to the occasion when it is most needed - yet often only out of great suffering, trying to prevent this from happening again.

We will measure success on the time from the emergence of the Internet to when citizens can enter into even the most complex public sector services without ever becoming identifiable towards a server and power structure. And hoping that the suffering in the meantime can be kept to a minimum.

Stephan Engberg, September 2014