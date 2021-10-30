An increase in surveillance is more a result of ‘mission creep’ as businesses and government agencies expand their brief, than an overarching conspiracy.

I’m not paranoid, but I think they might be watching me.

Or at least listening.

When our household bought a second-hand car recently, it was the first time we had owned one with a dashcam. The dealer explained its value in case of an accident; with everything recorded on its SD card, an insurance claim would be a piece of cake.

A few weeks later, we remembered the SD card and plugged it into our laptop to check it was working. Sure enough, we could see a video recording of our last drive, divided into two-minute clips. And the three drives before that. And, surprisingly, some from before we possessed the car – going all the way back to Japan.

We could even see the moment when the car drove off the ship in Auckland; according to the lettering painted on the docked ship’s hull, the car arrived courtesy of the Wallenius Wilhelmsen line.

The card also had a folder with seemingly random two-minute clips taken after the car had been parked. On one of them, we could see two people – presumably prospective buyers – opening the bonnet to see what was underneath.

Here’s the thing, though. Their voices came through loud and clear as they discussed how to pop the bonnet. And we came through loud and clear when driving. My exchange with my mother as I dropped her home on one trip was preserved in startling clarity. So was my conversation with my son as we ran some errands. So were earlier conversations held in Japan.

The dashcam, which we had assumed was only taking video of the road ahead, was also collecting audio from the cabin.

It felt insidious. Fleet vehicles come in a whole new light when you realise the audio capacity of dashcams.

Digital tech and privacy expert Andrew Chen, of Koi Tū: The Centre for Informed Futures, has his own story to add of unexpected monitoring. “My one was when I found out that if you're on hold on the phone to a company, and they record the calls for quality assurance and training purposes, they actually record the whole part where you are on hold as well.

“You know, that's the time when people think ‘I'm not being recorded, this is where I'll swear about the terrible company and terrible service that I'm getting’. And they've got all of it.

“I was really surprised when I heard about that.”

The digital world may have opened up an array of connection and convenience, but it also ushers in seemingly endless ways in which our privacy might be eroded, from a dealer’s dashcam oversight to the spread of facial recognition technology, from data sharing across platforms and devices to the ever-present danger of being hacked. Are we sleep walking to a surveillance society?

Supplied Andrew Chen, a researcher at University of Auckland-based Koi Tū: The Centre for Informed Futures, says facial recognition technology is readily available.

Facial recognition technology is readily available, points out Chen, who has been helping police work out procedures around its use. Cameras with the capability can be bought off the shelf, newer iPhones can be unlocked using facial recognition, and some smart doorbells might also use it. “The technology is widely available, but I wouldn't say that it's commonplace right now.”

The software is being trialled at Wellington Airport by Aviation Security to distinguish airport staff from passengers in the security area. Chen is relaxed about that, partly because the monitoring is clearly signposted, and because each passenger’s digital record is deleted as soon as they leave the queue. “If you wanted to go into the security area you pretty much had to see that there was a sign there saying ‘we're running a facial recognition trial, this is what it's for, this is how it works, if you want more information go to this website’.”

Anyone using such biometrics has to comply with the Privacy Act, but Chen says penalties or enforcement would only kick in if there is a particularly egregious use. An example might be a company that was using facial recognition without notifying its customers that they were doing so, and linking it to a loyalty system. “That would probably be a substantial breach, where the customers have no idea that this is happening.”

Supermarkets using the technology to combat shoplifting might be less problematic, though Chen notes that the argument that unhappy customers can always choose to shop somewhere else doesn’t stack up as the use of the technology becomes more widespread.

“At the point where you've got it in supermarkets, everybody's got to be able to buy food, so you're impacting all people at that point,” he says.

How did we allow it to become so pervasive?

“Let's say you've got a business who says: ‘We think that having some facial recognition in this setting might be a good idea. Do we need to poll our stakeholders? Do we need to talk to our customers? Nah, we'll just do it.’

“Even if they do [engage], do the customers say that they care? Most of them probably don't. Let's say you had a consultation survey, most of your customers probably wouldn't even reply. And so it gives the businesses in some sense licence to go ahead and do this stuff. We've kind of tacitly given them permission over time. And it's just slowly eroded away our objections until it's become the new norm.

“So if people are worried about it, then they need to go try and shift that norm back to where it was.”

Auckland University Auckland University associate professor Gehan Gunasekara says privacy could be eroded by attrition.

Mission creep is the term Auckland University associate professor and Privacy Foundation chair Gehan Gunasekara uses. Ordinary CCTV cameras need a human to make assessments, and the record is not permanent. That is different from facial recognition cameras, with AI making decisions about people, and creating a more permanent record. If left unregulated, he says privacy will be eroded by a process of steady attrition.

“Over a period of time you will get a mission creep, you'll get more and more facial recognition cameras in place, eventually the potential for them all to be connected up and then you suddenly end up living in a surveillance society before you even know about it. So it's not a conscious decision that somebody has made. But it just happens.”

This veers extraordinarily close to George Orwell’s novel 1984, in which citizens are under Big Brother’s constant watch.

Gunasekara would like a specific standalone law regulating facial recognition. While existing privacy law, requiring an organisation to be sure information is accurate before using it, could mean a company incorrectly screening a shoplifter runs into trouble, he wants the law to go further. Examples would be requiring privacy impact assessments, consideration of whether children will be affected and weighing up potential bias in an algorithm. He says it wouldn’t be difficult, with the Privacy Act allowing for sector-specific codes of practice.

Chen is most concerned about the Government’s powers against an individual, saying there is a more limited range of consequences from corporates possessing a person’s facial data.

“The government has more powers against an individual. So we should be more careful about how they might collect and use facial data, for example.”

123rf Is my smartphone listening?

When it comes to being monitored, do our devices, or apps on them, listen to us, harvest the information and feed it to advertisers, as some people believe?

An adult son staying with us after the first lockdown last year was interested – who wasn’t? – in making sourdough bread. We had a recipe from another family member, and our son got a starter going, after some discussion.

That’s when the ads started. Maybe it was coincidental. Maybe so many people were starting sourdough that everyone’s Facebook feed was full of ads.

Maybe. But the same son wanted to extend his guitar repertoire, and Youtubed some lessons using his laptop.

Cue: ads for the same guitar lessons on our Facebook feed on our laptop. This time we knew we hadn’t talked about it, and certainly hadn’t ourselves searched for anything remotely similar.

Eventually, we theorised it must be happening courtesy of the shared household modem. Although each of us was using separate devices wirelessly, somehow all that information being fed through our modem was being collectivised – and used.

The thought that our separate devices could be linked in this way was unsettling. Privacy pretty much disappears out the window when your browsing can manifest itself on another family member’s device unbeknownst to you.

Browsing incognito could be a fix, though you then lose the convenience of your browsing history. And anyway it feels weird – like you’ve got something to hide.

That’s the interesting thing about diminished privacy; most of us most of the time probably don’t have much to hide. If you’re clean, you’ve got nothing to worry about, right? But privacy is also, in itself, a desirable state, a kind of freedom.

Chen debunks the modem theory, though we were right in principle. It seems our various devices’ IP addresses are the more likely vectors, allowing the mega platforms to home in on our location and even work out our potential relations to each other.

Chen also debunks the idea that your phone is listening to you and sending data to potential advertisers, though with an equivocation. “It's very unlikely that that is happening. No one can say for certain, but it is very unlikely that it's happening.”

It’s more likely to be confirmation bias – that you have seen an ad in the past as well, but haven’t noticed it until it relates to something you’ve talked about.

“It's not that they're recording your voice all the time and then sending samples back to the advertising agencies. I think that is, for now, still reasonably impractical.”

It’s the wild west out there.

What clearly do exist, despite their invisibility, are the hackers.

Waikato cyber security expert Bradley Whittal, of DI Solutions, says his industry is booming, possibly amplified by the economic impact of Covid-19, with more people trying to steal information at what he describes as the beginner level. So-called script kiddies, for example, buy the software and a how-to book, and set about trying their luck.

Whittal is a certified ethical hacker, which means he knows the workings of the dark web, where stolen digital information is routinely traded. Ransomware like the Waikato DHB attack this year is one thing, but sometimes it is as simple as hacking into a phone, gathering its contacts, building up a database of numbers and then selling them to scam centres. That’s a billion dollar industry, he says.

“A lot of the time people think it’s not going to happen to them – until it happens.” And some may never realise they’ve fallen victim. Whittal says US stats show 70 percent of all small to medium businesses have already been hacked and don’t know about it.

“If they [hackers] really want to get in, they’ll get in. It’s just a matter of when.”

On the other hand, if they come across someone with an extra layer of security, like two-factor authentication, they are likely to move on in search of easier targets.

One of the problems Whittal sees is people who use the same password for different applications. The risk there is someone getting access to your Facebook account can use the same password to access a range of other accounts like your email, steal information and cause mayhem. The solution is to have a different password for every application. Whittal recommends using a password manager, which locks passwords behind a master password, which is the only one you need to remember. The master password is linked to a device-specific address, creating a barrier to any attempt to log in from a different device.

It’s a reassuring thread to hold onto in what can sometimes feel like the wild west.

There’s theft and then there’s theft. When it comes to the behemoths, the Facebooks and Googles, Gunasekara doesn’t pull his punches. “In my opinion, not to put too fine a point on it, they've stolen people's data. The consent that you give is fictitious, because even if you read the thousands of terms and conditions, you probably won't be able to figure out what they mean. And it's written in a way that's deliberately confusing.”

He sees two fictions, the first being that people have to give their data in order to receive the free service. “That's not really true, because the service they are really providing is to advertisers.”

The second is that users consent to their data being collected through terms and conditions. Those terms and conditions aren’t worth the paper they're written on, he says, with cases around the world where they have been struck out. “They certainly don't override privacy laws.”

There are obvious harms from the use of the data, he says. While there has been news coverage recently of the vulnerability of young people to social media, he believes the elderly are also at risk, and those with medical conditions relying on what could be faulty information.

Gunasekara sees a similar hazard around people sending their DNA to overseas companies in pursuit of their ancestry.

He describes the DNA testing companies as a “huge problem” because they are hard to regulate. In reality, they're gathering the DNA to carry out medical research, he says, potentially to generate billions of dollars through developing new pharmaceuticals or DNA therapies. “There may well be beneficial things that come out of it, but the fact is they wouldn't have that DNA unless the individuals had given it to them.”

The issue for the individual is, while you can change your identity, you can’t change your DNA. For those who shrug their shoulders over law enforcement using DNA to catch criminals, he warns inaccurate DNA analysis could present problems for anyone. “So people need to be wary about those things.”

Who’ll be the law? Like Chen, Gunasekara notes the ubiquity of data-driven technologies. “If you want to participate in the modern world, you just have to accept that there's going to be a lot of data that you're giving up. My take on that is we need good regulators, we need good privacy enforcers, to monitor situations where people might find something is a little unexpected or something beyond what most people would find reasonable.”

He says every business should have a privacy impact assessment, which they regularly review as new products are added, similar to a health and safety assessment. “Privacy by design” should be embedded in law so the default setting on new technologies is that they don’t collect information, or if information is being collected, there are clear signposts for consumers to protect themselves.

“You can't expect people to do their own detective work, because a lot of people won't have the knowledge to do that.

“Products need to be made for dumb people. Rather than having the onus on the individual to protect themselves, the companies need to be proactively taking steps to protect them.”

New Zealand’s privacy legislation, in Chen’s view, has insufficient consequences for lower end breaches, and needs updating for a range of newer technologies.

Government has a huge role to play in protecting New Zealanders when it comes to the use of their data.

“There's significant challenges with getting our government – and any other governments – to have the capacity to understand these issues and know what the appropriate mitigations are,” Chen says. “And it's not sufficiently funded. If you don't appropriately fund the problem, it's not going to get the level of attention or importance that is needed to address it.”

Facebook Mark Zuckerberg revealing Ray-Ban Stories, which could become part of the metaverse.

Then you get to Mark Zuckerberg’s creepy metaverse, a corporate vision of a world in which the physical and virtual are pretty much fused.

A step short of that, Gunasekara talks about the digitisation of society. The mega-tech companies want to create a digital equivalent of the real world, he says. “It’s to create a digital twin of the entire world, and once you have that, the digital world is more easily controllable than the physical world.”

It involves a wealth of knowledge about people’s and customers’ movements and habits, a map that he describes as the perfect global surveillance mechanism.

That raises questions about data sovereignty.

Gunasekara says in New Zealand, the government’s digital strategy, driven with “relentless passion” by the Ministry for Business, Innovation and Employment, similarly involves the idea of digital twins for businesses. In farming, for instance, Gunasekara talks about technologies enabling companies to map every blade of grass and every cow, driving efficiencies. “But who is providing these services? And once these companies know all the tricks of the trade and all the secrets that make New Zealand farming state of the art, who owns that?” he asks.

“We have to be absolutely clear that we are still the owners of that digital economy. I'm not clear that we will still be the owners of that, I'm quite concerned that the Googles, the Amazons, once they have the blueprint for our digital economy, they might even start charging us a fee, they might say, ‘Okay, thank you very much. We've mapped it all for you now. But if you want to continue using it, you have to pay us a licence [fee], because we are the owners of it.’”

Faced with that prospect, Gunasekara believes intellectual property laws and others need to be reviewed to see if they are fit for purpose.

He is concerned the same thing will happen in other areas that have happened in his area of expertise, privacy. “The reason we ended up in this mess with the Facebooks and the Googles and everything else [is] we didn't design privacy laws around those kinds of techniques or technologies. And so we allowed a free-for-all and once these companies had the information, now we're trying to figure out what we can do about it.”

I’m still unsure when I let Siri loose in my phone. It was a new phone that came with the job and the first time I had an Apple rather than Android. I was all thumbs, with nothing quite the way it used to be. There was a home wi-fi connection to establish, apps to re-download, a search engine to get used to, a decision to make around fingerprint recognition, a barrage of unwelcome prompts relating to Apple TV. You can feel your age at times like that.

And there was Siri. I’ve never used a voice activated app, and never plan to, though I can see their value for people with disabilities. Siri was a thing I had heard of, but that was about it. But then it seemed to be popping up with suggestions from time to time. I checked, and sure enough Siri had been on the whole time.

I’m not paranoid, but I think they might be watching me.