amillionlittlepieces

UK technology trains of thought...

Sunday, January 15, 2006

If you know a criminal, are you therefore a criminal?

Social Networking

I am an avid user of certain services, currently Plaxo and LinkedIn, that could be generalised as social networking sites. Plaxo enables me to keep my contacts, task list and calendar integrated between two computers on separate networks, and a PocketPC. Unlike other methods, this does not require them to be interconnected. The social networking comes into play when you become ‘linked’ to somebody else who is already a member, when their details change, your address book is automatically updated.

LinkedIn enables me to keep track of professional contacts whilst carefully controlling the information available to them. Whilst it is similar to Plaxo in some ways, the information you are providing is around your history, skills and contact list rather than actual contact details.

The benefits of these sites are countered with an exposure of information in two ways, in the case of LinkedIn, you are giving the people you know access to the names and profiles of your professional contacts, in both cases, you are giving a private company full access to a lot of information about you – potentially protected by rather weak terms of service.

Criminally Social


Commercial social networking services generally fall into two types, social (Friendster, Friends Reunited, Facebook and Orkut), and professional (Plaxo, LinkedIn, Ryze). Oddly, both Orkut and Friendster have been linked to criminal professional networking. In both cases, the police have stumbled across these social creations after the fact, rather than driven their investigation from it. Nevertheless, it has undoubtedly provided a significant source of intelligence.

It’s fairly hard to have sympathy for a career criminal who is stupid enough to use Orkut. Then again as it is a popular service in Latin-America, is it hard to have sympathy for people who were innocently associated with him? Unwittingly linking themselves to a known criminal forever. In the Cold War, and now again with the looming nemesis of terrorism, social networks becomes the main way in which preliminary intelligence is gathered about individuals suspected of crime.

Acquaintances of terrorists, terrorism suspects, terrorism financiers, terrorist supporters and terrorist sympathisers are at risk of being allocated into a grey zone of terrorist associates. A tag of that kind is potentially as harmful to a person as have been negative categorisations made in previous contexts, such as 'etranger', 'subversive' and 'unamerican'.

- Roger Clarke, Very Little Black Books

Jacob Morse makes a lot of comments here about the connection between an incredibly popular social networking site for US students called Facebook. He describes links between the site and the venture capital gold pot of the CIA. Whilst the relationship is pretty tenuous, the potential objective is quite clear. He also draws attention to a rather ominous sentence in the terms, which implies they will be gathering information about you irrespective of whether you use the service.

Whilst it is fairly unlikely that investigation of social networking is anywhere near standard operating procedure, the value that it can add is clearly recognised.

Data Retention

Whilst the information gathered by these services is useful to the users, and the relationships they illustrate interesting, they will not provide high-quality intelligence to governments and security services. They are limited to the information provided by the user. For example, whilst LinkedIn and Plaxo sync fairly seamlessly with Outlook and Thunderbird, the information they can collect is limited to interactions I have choose to have through Outlook. It is in a sense, active participation.

In the UK we have to implement the Data Retention directive within 18 months. This will mean that certain pieces of data about us will be available that have never been available before. The Data Retention directive will compel service providers to keep specific data about their customers for 12 months. This could effectively result in aggregation of information from private companies I have agreed to give information to. Because I have not consented to this information being aggregated, this is passive participation in the mapping of not just my network, but the interactions I have with them.

The Directive suggests to retain for one year the following categories of data:

• data necessary to trace and identify the source of a communication;
• data necessary to trace and identify the destination of a communication;
• data necessary to identify the date, time and duration of a communication;
• data necessary to identify the type of communication;
• data necessary to identify the communication device;
• data necessary to identify the location of mobile communication equipment.

This means for me, at a minimum:

• My location to within a reasonable degree of accuracy, all the time. The required accuracy for this is laid down by FCC standards for tracking 911 calls from mobile phones (E911 mandate) is to within 100 meters.

• Any telephone I call I have made, from either a home phone, business phone or mobile phone. Presumably indirectly also the names, addresses, and possibly locations of people I call or people who call me.

• Any SMS messages I have sent or received. Where I was at the time.

• The email address, date, time and subject of any email I send or receive, and the IP/MAC of the computer I send or receive it on.

• Any MSN conversations I have, and the IP/MAC of the computers used.

I should be clear that the service providers are not compelled to keep the content of the communication, but they are compelled to keep the details of the transmission. Not only will it be possible to see people I have interacted with, it will be possible to ascertain who I was with and where we were at any one time.

Information about my network can be created on a quantified basis, for instance the frequency with which I exchange email with people, I am in the same room in them, or how often I talk to them on MSN. This vastly exceeds the capabilities of any existing consumer services.

Although we are not talking about a huge big brother database, we are talking about the ability to analyse a substantive portion of the last year of somebody’s life - In a way that has never been possible before. If not already, I am sure there soon will be a way of using data gathered through this means to create integrated intelligence maps.

Access to the data through RIPA

RIPA, the Regulation of Investigatory Powers Act, currently regulates access to data gathered voluntarily by service providers. Access to this newly required information is likely to also be controlled under RIPA, rather than court orders. The controls and oversight protection associated with this are somewhat controversial:

"Under the law as it stands, if existing powers are not rescinded then people will be able to act within or outside the guidelines," - "There's a strong argument that government should go back and get it right,"

The list of organisations with that will have access to this information is quite large; especially when you consider the amount of banal queries they will be responsible for (tax audit etc).

• Police forces
• National Criminal Intelligence Service
• National Crime Squad
• HM Customs and Excise
• Inland Revenue
• Security Service
• Secret Intelligence Service
• GCHQ

The limitation that applies to the police - is simply that they must believe they are preventing or detecting crime, protecting public health, collecting any money owed to the government, or anything else the Secretary of State thinks up. This is not just a little bit broad, and it is a significantly wider remit than was mandated by the EU Directive. Bear in mind that the 'reason' we are implementing this legislation is because of an EU directive, albeit under a UK presidency of the EU.

Aggregation

Over time, this information will continue to be aggregated. A similar case of security enforced through technology is the UK DNA database. This now contains 3 million samples. By 2007 it is expected to contain a sample from 7% of the population. Many, many of these people are not criminals, or suspected criminals, but their DNA may have been taken at a crime scene for the purposes of elimination.

Likewise with the Data Retention Directive, any ‘intelligence’ database will eventually be huge. Whilst the number of DNA samples you would find at a crime scene is significant, it is the equivalent to everyone in your address book?

It is reasonable to see the next step in the intelligence effort against crime may be the technological advances that enable government agencies to automatically aggregate and analyse social and location data that is gathered because someone is suspected of a crime.

If you know a criminal, are you a criminal?

The realisation of the ability to generate suspicion based on automatically analysed, loose social networks, is incredibly scary. The powers that restrict the access and use of this information are weak. It is quite clear that now this data can be gathered, there is no need for further legislation or public support. The use of data is not legislated anywhere near as tightly as the gathering of it, and it is undoubtedly true that we are sleepwalking into a future new era of digital rights.

We can only hope, that the use of this data will first come to light through a significant error, which will hopefully result in a media frenzy and urgent legislation to restrict its use.


technorati tags: , ,

0 Comments:

Post a Comment

Links to this post:

Create a Link

<< Home

Property in France