While it's wise to guard data from ISPs, authoritarian governments' access to personal info is a far more sinister threat to every global citizen.
While most pundits agree that Trump’s first hundred days in office were underwhelming on the legislative front, he did manage to pass a measure on internet privacy that caused quite a stir in the media. This would be the rollback of privacy regulations that prevent ISPs (internet service providers) from selling user browsing history to third parties. As soon as the measure appeared likely to make it to the president’s desk, article after article was written decrying the development. Sensational headlines spelled out the end of the internet as we know it, a complete surrender of our personal data to big corporations, and social media was aflame with cries of "the end of privacy."
We can no longer outsource our research and decision-making about technology – everyone must be an informed user of the digital tools that structure our lives.
As with most tech stories, the nuances were underreported, and the majority of the public likely came away with an incomplete version of events. That sides quickly formed along partisan American party political lines made it even worse. I would like to offer a more balanced view and, in so doing, address some misconceptions around these issues. It is important for everyone to have a solid understanding of these concepts, and I encourage you to research them more on your own. We can no longer outsource our research and decision-making about technology – everyone must be an informed user of the digital tools that structure our lives.
First of all, while I do not laud the legislation as benefiting the consumer, it is also not the dramatic backsliding the panicky headlines made it out to be. The rules it repeals were introduced by the Obama administration in 2016, so they were relatively new and controversial in that they were issued by the FCC and not the FTC (which ISPs argue is the agency with the power to regulate internet privacy). Moreover, companies like Google and Facebook are already able to collect their users’ information and hand it over to third parties for advertising purposes. This information is kept anonymous, but it would remain so if it were harvested by ISPs; the regulation that prevents tying browsing data to individual identities remains in place. A reason to be concerned, however, is the scope of browsing history available to ISPs. While Google, Facebook, and the like can only access a segmented portion of your internet activity, your ISP has access to everything you do online – another reason why encrypted connections are more relevant than ever.
It’s reasonable to be concerned with this expansion of data gathering, but it pales in comparison to other threats in the internet age. As an individual who wants to keep oneself secure online, there are steps one can take that will offer a reliable level of protection (more on that below). But consider the far-reaching effects of internet surveillance on those who do not live in free societies. It may be a bit disconcerting to see an ad pop up when checking your email, hawking the hiking gear you were just perusing. But this information is handled by known companies with the motivation of earning money from your clicks and purchases. It may be invasive, but in most cases it’s something you can opt out of and companies that abuse your information are subject to lawsuits and public backlash. Similarly, elected officials are accountable to voters, and a flood of phone calls is often enough to turn the tide.
It’s reasonable to be concerned with this expansion of data gathering, but it pales in comparison to other threats in the internet age.
In stark contrast, repressive regimes that try to exploit these repositories of data have very different, and far more sinister, goals. Their aim is not to increase quarterly revenue, or to protect citizens from terrorism, but to get a stronger grip on their populations, including the persecution of dissenters. It is worth defending every right and resisting the expansion of corporate and public power in our lives, but it is important to keep perspective. Authoritarian governments are taking steps to influence and control a growing portion of the digital sphere. And due to the borderless nature of the internet, they are reaching into the free world to pursue their interests.
One example: the Yarovaya law passed in Russia in 2016, which requires all internet companies operating inside Russia to retain copies of communication for six months, and metadata for three years, within the country’s borders. The law further stipulates that companies must disclose this information to the government upon request and without a court order. Finally, information that is encoded must be handed over to authorities with an encryption key. Google and Apple have already complied, while Twitter is battling the government over certain provisions, and LinkedIn has been banned for not complying. The consequences for users of these services in Russia is enormous—it gives the government virtually unrestricted authority to review any communications it sees fit, at any time, and this cannot fail to impact users in other countries as well. And in Russia, there are no checks or balances or oversight like citizen groups or an independent judiciary to watch the watchers.
Authoritarian governments are taking steps to influence and control a growing portion of the digital sphere. And due to the borderless nature of the internet, they are reaching into the free world to pursue their interests.
Users around the world should know about these dangerous developments and pressure the companies involved to reconsider succumbing to dictators’ demands. The media must also shift its focus – from largely political battles to the troubling moves being taken by repressive regimes to curb internet freedom.
My advice is twofold: keep yourself safe, of course, but keep an eye on the bigger picture, too. In terms of the first recommendation, do not take excessive measures where they are not warranted, such as tools that sound useful but may actually do more harm than good. Amidst all the noise surrounding Trump’s deregulation move, many sites touted the benefits of VPNs (virtual private networks) to escape the eyes of service providers. What was mentioned far less frequently was that some VPNs do more to track and log your browsing than ISPs. Some also may not be as secure as you think. If you do choose to go this route, make sure you use a company with an established reputation, and read the fine print. Collective defense means being able to hold companies accountable if they betray our trust.
As for my second recommendation: as you employ the digital tools we rely on daily, remember that everything comes with a footprint. In the same way many have become aware of the labor practices behind their favorite clothing labels, we must be conscious of the policies that major internet companies adopt around the world. There is no easy-to-grasp image of a sweatshop or child laborer here, but rather the understanding that our internet experience is facilitated by the same companies that may be complicit in cybersecurity abuses elsewhere. If we care about the future of the internet more broadly – beyond a narrow interest in our personal security – we must make clear that we will not tolerate any sacrifices of freedom for the sake of profit.
Image: Erwan Hesry
Garry Kasparov on how the internet magnifies what is already a delicate balance between regulating defamatory language and allowing for free expression.
Avast Security Ambassador Garry Kasparov spoke at DEF CON. We talked to him and our Threat Intelligence Director Michal Salat about man-machine collaboration.