Samu: Who wants to pay forever?
At Samu, we work mindfully with data. We build things with data, and we know it is the lifeblood of many businesses.
We are aware that any relationship where you allow us access to your data is about trust. We take client confidentiality seriously, placing it at the heart of our ethical policies.
This is why, alongside a diverse range of organisations like the Electronic Frontier Foundation (EFF), social media website Reddit, Firefox producer Mozilla, and search engine DuckDuckGo, we lent our support to the Day We Fight Back – a campaign “intended as a day of ‘worldwide solidarity’ in protest against NSA surveillance. It was at once an action against censorship and surveillance, and a commemoration of late ‘open-Internet activist’ Aaron Swartz.”
We believe that, as well as being a violation of human rights, indiscriminate mass-surveillance programs like those used by the NSA present a significant threat to the commercial security of the internet and the infrastructure used to run it. Contrary to the oft-stated intent of increasing security, nationally or otherwise, the actions of the NSA and GCHQ merely serve to make the web and all its users more vulnerable to a wider range of attacks.
Once again, we are in good company, standing shoulder to shoulder with the father of the worldwide web, Sir Tim Berners-Lee, who said when interviewed in The Guardian:
“It’s naïve to imagine that if you introduce a weakness into a system you will be the only one to use it.”
Edward Snowden’s revelations make clear that it is wise to wonder if the public would ever learn of a breach in security to a data store which was never supposed to exist. If President Obama was unaware that Angela Merkel’s mobile phone was being tapped, would he be kept abreast of developments in a mass leak of sensitive commercial data by shadowy third-parties with fewer ethical concerns than Mr. Snowden?
For an explicit clarification of the depth and breadth of the threat, the excellent talk “To Protect And Infect”, by internet activist and cypherpunk Jacob Appelbaum, is well worth a watch.
Trust begins with openness
We understand that 100% security can only exist in an ideal world, and that a significant part of the effort to ensure secure systems is about mitigation of risk and adherence to legislation and best-practice.
It is in accordance with these principles that we strive to use Open Source software wherever we can. Open Source software differs from proprietary software (like Windows) in that the source code used to create the software is open to anyone to view. While you could be forgiven for assuming that such openness would compromise security, the kind of scrutiny allowed by being open actually makes it far more likely that anomalies like built-in backdoors would be spotted by independent members of the community who would have no hesitation in revealing the vulnerability to the wider public. Many government, defense and law enforcement agencies use Free Libre Open Source Software (FLOSS) – even the Executive Office of the President of the United States of America uses Drupal, an open source content management system (CMS) for their website, Whitehouse.gov.
FLOSS for sustainability
There are some niche areas where proprietary solutions still offer the industry cutting-edge technology, but all do so at a price. Increasingly, proprietary business models utilise rentier pricing, which further increases costs by charging annual or monthly subscription fees. It’s not enough that operating systems and most of the basic software that runs on them have to be replaced every few years; tech giants like Adobe and Microsoft are using the popularity of cloud computing to gouge customers even deeper.
Use of FLOSS keeps our overheads low and means we don’t have to pay forever for tools that are vital to our day-to-day running. Scalability means that many of the open source solutions we use suit small start-ups and larger, established organisations alike. Savings can then be passed on to customers, creating a more sustainable income in tougher times.
The Way We Fight Back
As yet, there is no one-size-fits-all solution for those seeking to build trust and security. Fortunately, the existence of groups like the EFF and Amnesty International USA means that the campaign against those in the shadows who seek to abuse their privilege will not be a quiet one. You may remember the internet “blackout” of various high-profile sites like Wikipedia in protest at government censorship. Grassroots activism against draconian legislation like SOPA and PIPA was successful in preventing poor policies being passed into law, with many groups coming together to form unlikely alliances, as detailed in “Hacking Politics – How Geeks, Progressives, the Tea Party, Gamers, Anarchists and Suits Teamed Up to Defeat SOPA and Save the Internet.”
It seems that today we need to save the internets again, though this time from something more abstract than censorship.
Legality: Any limitation to the right to privacy must be prescribed by law. The State must not adopt or implement a measure that interferes with the right to privacy in the absence of an existing publicly available legislative act, which meets a standard of clarity and precision that is sufficient to ensure that individuals have advance notice of and can foresee its application. Given the rate of technological changes, laws that limit the right to privacy should be subject to periodic review by means of a participatory legislative or regulatory process.
Legitimate Aim: Laws should only permit communications surveillance by specified State authorities to achieve a legitimate aim that corresponds to a predominantly important legal interest that is necessary in a democratic society. Any measure must not be applied in a manner which discriminates on the basis of race, colour, sex, language, religion, political or other opinion, national or social origin, property, birth or other status.
Necessity: Laws permitting communications surveillance by the State must limit surveillance to that which is strictly and demonstrably necessary to achieve a legitimate aim. Communications surveillance must only be conducted when it is the only means of achieving a legitimate aim, or, when there are multiple means, it is the means least likely to infringe upon human rights. The onus of establishing this justification, in judicial as well as in legislative processes, is on the State.
Adequacy: Any instance of communications surveillance authorised by law must be appropriate to fulfil the specific legitimate aim identified.
Proportionality: Communications surveillance should be regarded as a highly intrusive act that interferes with the rights to privacy and freedom of opinion and expression, threatening the foundations of a democratic society. Decisions about communications surveillance must be made by weighing the benefit sought to be achieved against the harm that would be caused to the individual’s rights and to other competing interests, and should involve a consideration of the sensitivity of the information and the severity of the infringement on the right to privacy.
Specifically, this requires that, if a State seeks access to or use of protected information obtained through communications surveillance in the context of a criminal investigation, it must establish to the competent, independent, and impartial judicial authority that:
- there is a high degree of probability that a serious crime has been or will be committed;
- evidence of such a crime would be obtained by accessing the protected information sought;
- other available less invasive investigative techniques have been exhausted;
- information accessed will be confined to that reasonably relevant to the crime alleged and any excess information collected will be promptly destroyed or returned; and
- information is accessed only by the specified authority and used for the purpose for which authorisation was given.
If the State seeks access to protected information through communication surveillance for a purpose that will not place a person at risk of criminal prosecution, investigation, discrimination or infringement of human rights, the State must establish to an independent, impartial, and competent authority:
- other available less invasive investigative techniques have been considered;
- information accessed will be confined to what is reasonably relevant and any excess information collected will be promptly destroyed or returned to the impacted individual; and
- information is accessed only by the specified authority and used for the purpose for which authorisation was given.
Competent Judicial Authority: Determinations related to communications surveillance must be made by a competent judicial authority that is impartial and independent. The authority must be:
- separate from the authorities conducting communications surveillance;
- conversant in issues related to and competent to make judicial decisions about the legality of communications surveillance, the technologies used and human rights; and
- have adequate resources in exercising the functions assigned to them.
Due process: Due process requires that States respect and guarantee individuals’ human rights by ensuring that lawful procedures that govern any interference with human rights are properly enumerated in law, consistently practiced, and available to the general public. Specifically, in the determination on his or her human rights, everyone is entitled to a fair and public hearing within a reasonable time by an independent, competent and impartial tribunal established by law, except in cases of emergency when there is imminent risk of danger to human life. In such instances, retroactive authorisation must be sought within a reasonably practicable time period. Mere risk of flight or destruction of evidence shall never be considered as sufficient to justify retroactive authorisation.
User notification: Individuals should be notified of a decision authorising communications surveillance with enough time and information to enable them to appeal the decision, and should have access to the materials presented in support of the application for authorisation. Delay in notification is only justified in the following circumstances:
- Notification would seriously jeopardize the purpose for which the surveillance is authorised, or there is an imminent risk of danger to human life; or
- Authorisation to delay notification is granted by the competent judicial authority at the time that authorisation for surveillance is granted; and
- The individual affected is notified as soon as the risk is lifted or within a reasonably practicable time period, whichever is sooner, and in any event by the time the communications surveillance has been completed. The obligation to give notice rests with the State, but in the event the State fails to give notice, communications service providers shall be free to notify individuals of the communications surveillance, voluntarily or upon request.
Transparency: States should be transparent about the use and scope of communications surveillance techniques and powers. They should publish, at a minimum, aggregate information on the number of requests approved and rejected, a disaggregation of the requests by service provider and by investigation type and purpose. States should provide individuals with sufficient information to enable them to fully comprehend the scope, nature and application of the laws permitting communications surveillance. States should enable service providers to publish the procedures they apply when dealing with State communications surveillance, adhere to those procedures, and publish records of State communications surveillance.
Public oversight: States should establish independent oversight mechanisms to ensure transparency and accountability of communications surveillance. Oversight mechanisms should have the authority to access all potentially relevant information about State actions, including, where appropriate, access to secret or classified information; to assess whether the State is making legitimate use of its lawful capabilities; to evaluate whether the State has been transparently and accurately publishing information about the use and scope of communications surveillance techniques and powers; and to publish periodic reports and other information relevant to communications surveillance. Independent oversight mechanisms should be established in addition to any oversight already provided through another branch of government.
Integrity of communications and systems: In order to ensure the integrity, security and privacy of communications systems, and in recognition of the fact that compromising security for State purposes almost always compromises security more generally, States should not compel service providers or hardware or software vendors to build surveillance or monitoring capability into their systems, or to collect or retain particular information purely for State surveillance purposes. A priori data retention or collection should never be required of service providers. Individuals have the right to express themselves anonymously; States should therefore refrain from compelling the identification of users as a precondition for service provision.
Safeguards for international cooperation: In response to changes in the flows of information, and in communications technologies and services, States may need to seek assistance from a foreign service provider. Accordingly, the mutual legal assistance treaties (MLATs) and other agreements entered into by States should ensure that, where the laws of more than one state could apply to communications surveillance, the available standard with the higher level of protection for individuals is applied. Where States seek assistance for law enforcement purposes, the principle of dual criminality should be applied. States may not use mutual legal assistance processes and foreign requests for protected information to circumvent domestic legal restrictions on communications surveillance. Mutual legal assistance processes and other agreements should be clearly documented, publicly available, and subject to guarantees of procedural fairness.
Safeguards against illegitimate access: States should enact legislation criminalising illegal communications surveillance by public or private actors. The law should provide sufficient and significant civil and criminal penalties, protections for whistle blowers, and avenues for redress by affected individuals. Laws should stipulate that any information obtained in a manner that is inconsistent with these principles is inadmissible as evidence in any proceeding, as is any evidence derivative of such information. States should also enact laws providing that, after material obtained through communications surveillance has been used for the purpose for which information was given, the material must be destroyed or returned to the individual.”
You can find out more about the campaign from the EFF here and spread awareness on Twitter using the hashtag #stopspying.