'Tesco probably knows more about me than GCHQ': Infosec boffins on surveillance capitalism

Privacy of medical data and the machinations of surveillance capitalism were under the spotlight at a Cambridge University symposium last week.

Much of the day-long event, marking the 20th anniversary of think tank the Foundation for Information Policy Research (FIPR), was spent debating state-backed surveillance in its many forms from bulk data interception to equipment interference. But the discussions also touched upon how privacy was affected by large internet giants.

The systematic data collection by intel agencies has been facilitated by the business models of companies like Facebook and Google. The internet habits of hundreds of millions are collected by these firms in the interests of targeting ads and this data also provides a high source of intelligence for governments as well as presenting a privacy risk in its own right.

"Tesco probably knows more about me than GCHQ," as one delegate put it.

There was little appetite among speakers, who took a generally libertarian view, for tighter regulation against the likes of Facebook, much less dismemberment of the privacy-chaffing social network.

Guy Herbert, the privacy campaigner behind the successful No2ID campaign, said advocates need to think "long and hard" about what concerns individuals about the use of their data.

"What is being collected and how it is being used are distinct things from the point of view of a consumer and people may not be able to take that extra step," Herbert said. "What is interesting is simply trying to get them [the public] to obtain their data as a public information thing."

An audience member pointed out that there was a "lively grass-roots movement" geared towards helping individuals make Subject Access Requests to organisations that hold their data. Online forums have sprung up to make such requests under GDPR.

Journalist Wendy Grossman pointed out that data downloads from Facebook only include information that people have given directly.

She argued that getting people off Facebook isn't a terribly good idea because not being able to volunteer a social media profile can make someone the subject of suspicion in countries such as the US. This makes leaving Facebook problematic for mainstream consumers.

The ongoing controversy over the alleged abuse of Facebook data to run an influence and misinformation campaign targeting the 2016 US presidential election has driven the issue up the political agenda.

Anthony Finkelstein, UK government chief scientific adviser for national security and a chair in software systems engineering at University College London, petitioned for research and greater investment in privacy technologies.

"We also need to increase our investment into understanding how complex networks of data interplay," Finkelstein said.

The comments were made during a panel called From personalised ads to personalised warfare?, which closed the event.

An earlier session focused on privacy in health and social care. A doctor attending stressed its importance by referencing historic work she had done on how the Millennium Bug might have affected insulin-dependant diabetics. In the worst case, she said the research suggested diabetics would "all be dead within three to six months" as supplies dried up and labs stopped producing shipments of vital medical supplies.

The growing use of IT technologies in the last 20 years underlines the need to patch or maintain medical devices. The WannaCry outbreak is just one example highlighting healthcare's dependence on IT. Some speakers, including journalist Erich Möchel, argued that the NSA bears a large portion of blame because it created the leaked exploit that WannaCry abused.

But Ian Levy, technical director of the National Cyber Security centre, the defensive arm of GCHQ, argued that there have been hundreds of SMB vulnerabilities and hacks over the years, and the Eternal Blue exploit abused by WannaCry was just another.

"We need to get away from calling these things cyber-weapons and start talking about the impact of these attacks instead," Levy said. "We need to design systems that fail in predictable and safe ways. That will make us much better prepared the deal with things when they do go wrong."

FIPR launched in May 1998 ahead of the UK's Regulation of Investigatory Powers Act (2000). Its work helped the curb some of the most privacy-threatening aspects of the surveillance legislation.

FIPR head Ross Anderson said it isn't a campaigning organisation as such but a think tank that provides the ammunition for others to use.

As well as organising conferences on surveillance, FIPR has researched myriad issues involving privacy, digital rights and cybercrime, and acted as midwife to UK health data privacy advocate medConfidential. ®