The Week of Holding “Big Data” Accountable

The world of “Big Data,” “The Internet of Things,” or simply… “Cyberspace.”

Whatever we choose to call it, never in human history has something so profoundly consequential for so many people’s daily lives been unleashed in such a short period of time. Certainly, the printing press, the telegraph, radio, and television were all extraordinary. But what is going on now is truly unprecedented in its sudden, dramatic impact. In the span of a few short years, billions of citizens the world over are immersing themselves in an entirely new communications environment — one that is changing not only how we think and behave but, more profoundly, how society as a whole is fundamentally structured. Information that was previously stored in our office drawers, in locked closets, in our diaries, even in our minds, we are now transmitting to thousands of private companies and, by extension, to government agencies.

This world of Big Data is a supernova of billions of human interactions, habits, movements, thoughts, and desires, ripe to be harvested, analyzed, and then fed back to us, in turn, to predict and shape us.  It should come as no surprise, given the rate at which this transformation is occurring, that there will be unintended — and possibly even seriously detrimental — consequences for privacy, liberty, and security.

Evidence of these consequences is now beginning to accumulate. First, there are privacy issues. Data breaches that expose the email and password credentials of tens of millions of people have become so routine that researchers now describe them as “megabreaches.” Our research at the Citizen Lab has shown how numerous popular mobile applications used by hundreds of millions of people routinely leak sensitive user information, including, in some cases, the user’s geolocation, device ID and serial number information, and lists of nearby WiFi networks. We have discovered that some applications were so poorly secured that anyone with control of a network to which they connect (e.g., a WiFi hotspot) could easily spoof a software update and install spyware on an unwitting user’s device.
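To make that last risk concrete, here is a minimal, purely illustrative sketch in Python. The URLs, file name, and digest below are hypothetical and are not drawn from any application we examined; the point is simply the difference between an update routine that installs whatever the network hands back and one that fetches over TLS and verifies the payload before trusting it.

```python
# Hypothetical illustration only: the URLs and pinned digest do not refer to any real app.
import hashlib
import requests

INSECURE_UPDATE_URL = "http://updates.example-app.com/latest.bin"   # plain HTTP
TLS_UPDATE_URL = "https://updates.example-app.com/latest.bin"
# Digest of the genuine update, obtained out of band (pinned in the app, for example).
EXPECTED_SHA256 = "hypothetical-pinned-digest"

def insecure_update() -> bytes:
    # Whoever controls the network (a hostile WiFi hotspot, say) can hand back
    # any payload they like here; nothing about it is ever verified.
    return requests.get(INSECURE_UPDATE_URL, timeout=30).content

def safer_update() -> bytes:
    # TLS protects the payload in transit; checking a pinned digest (or, better,
    # a publisher signature) keeps a spoofed update from being installed.
    payload = requests.get(TLS_UPDATE_URL, timeout=30).content
    if hashlib.sha256(payload).hexdigest() != EXPECTED_SHA256:
        raise ValueError("update failed verification; refusing to install")
    return payload
```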

Poorly designed mobile applications, such as those we have examined, are a goldmine for criminals and spies, and yet we surround ourselves with them. Disclosures by former National Security Agency (NSA) contractor Edward Snowden have shown that state intelligence agencies routinely vacuum up information leaked by applications in this way and use the data for mass surveillance. And what they don’t acquire from leaky applications, they get directly from the companies through lawful requests. The confluence of interests around commercial and state surveillance is where Big Data meets Big Brother.

Beyond privacy issues are those of security. For example, researchers have demonstrated how they could use remote WiFi connections to take over the controls of a smart car or even an airliner’s cockpit systems. Others have shown proof-of-concept attacks against “smart home” systems that remotely cracked door lock codes, disabled vacation mode, and induced a fake fire alarm. Of course, what happens in the lab is but an omen of what’s to come in the real world. Several years ago, a computer worm called “Stuxnet,” reportedly developed by the US and Israel, was used to sabotage Iranian nuclear enrichment plants. Dozens of countries are reportedly researching and stockpiling their own Stuxnet-like cyber weapons, which in turn is fueling a huge commercial market for the undisclosed software flaws on which such weapons depend. Perversely adding to the insecurities (as the FBI-Apple controversy showed us), some government agencies are, in fact, pressuring companies to weaken their systems by design to aid law enforcement and intelligence agencies. As such insecurities mount, and as more and more of our critical infrastructure is networked, the Big Data environment in which we live may turn out to be a digital house of cards.

This past week, the Citizen Lab and our partner Open Effect undertook several activities and released several outputs related to privacy and security concerns in the world of Big Data, including some that we hope can help mitigate these unintended consequences.

First, the Citizen Lab and Open Effect released a revamped version of the Access My Info tool, which allows Canadians to exercise their legal right to ask companies what data they collect about them, what they do with it, and with whom they share it. I wrote an op-ed for the CBC about the tool, and there were several other media reports, including an interview by the CBC’s Metro Morning host Matt Galloway with Andrew Hilts of Citizen Lab and Open Effect.

Also, yesterday the CBC’s Ideas broadcast a special radio show on “Big Data Meets Big Brother,” in which I participated alongside Ann Cavoukian and Neil Desai, with Munk School director Stephen Toope moderating. We discussed the balance between national security and privacy, and focused on the limited oversight mechanisms that exist in Canada around security agencies, especially the Communications Security Establishment (CSE).

Finally, Citizen Lab and Open Effect, as part of our Telecommunications Transparency Project, released a DIY Transparency Reporting Tool. The tool is a software template that gives companies a guide for developing transparency reports. To give some context: companies are increasingly encouraged to release public reports on how long client data is retained, how the data is used, and how often—and under what lawful authority—the data is shared with government agencies. The DIY Transparency Reporting Tool is the flipside of the Access My Info project: whereas the latter encourages consumers to ask companies and governments what they do with our data, the Transparency Reporting Tool provides companies with an easy-to-use template to take the initiative and report that information to us.

The world of Big Data has come upon us like a hurricane, with most consumers bewildered by what is happening to the data they routinely give away. Meanwhile, companies are reaping a harvest of highly personalized information to generate enormous profits, with very little public accountability for their conduct or the design choices they make. It’s time we encouraged consumers to “lift the lid” on the Big Data ecosystem, right down to the algorithms that sort us and structure our choices, while simultaneously pressing companies to be more responsible stewards of our data. Tools like “Access My Info” and the DIY Transparency Reporting Tool are a good first step.