If you want our metadata, show us yours

With many governments around the world looking to consolidate communications surveillance as a central tenet of society, security expert Mikko Hyppönen has put forward the idea of transparency reports on what governments do with metadata.
Written by Chris Duckett, Contributor

Often, when governments propose unpopular measures, a quid pro quo occurs and the electorate receives something in return. A lack of such arrangements sent 13 British colonies into rebellion over 200 years ago, so the idea is far from being new or revolutionary.

However, in recent times, when it comes to increasing the powers of intelligence and policing organisations across much of the developed world, all that has been offered in return are feelings of protection and comfort, and, as a pair of instances have shown recently, having an existing metadata regime or preservation notice scheme cannot prevent the types of events that they were designed to prevent.

Nevertheless, the public is unmoved from its malaise, and continues to accept the premise that widespread surveillance on a nation's own citizenry must occur in order to safeguard the nation.

If such schemes are to hold a place in our everyday lives, then at the very least, something should be offered back to the electorate in return. Something concrete that informs the public of how the surveillance conducted on them is keeping them safe, rather than just relying on feelings.

Mikko Hyppönen, chief research officer at Finnish security company F-Secure, told ZDNet that the internet as we know it is under threat.

"We got a free and open internet -- we're going to give a totally different internet to our kids, which is sad," he said.

"Of course, there's the other side of the coin: There really are bad people online. If you really want to fight those criminals, we must have some kind of legal access on the internet, as well; police must be able to operate on the internet. There really are threats from foreign governments, threats from terrorist organisations, and they do operate online.

"If you want to have intelligence agencies at all in 2015, they have really no point being operational if they are not allowed to operate online, the information is online, because the question [becomes whether] to have intelligence at all, if you don't allow them to operate online. I suppose we cannot argue that there should be no intelligence access to online data."

Hyppönen said the real question is oversight, and transparency on what it is that agencies are doing online is completely missing.

"How the hell are we citizens supposed to vote on future laws if we don't really know what they are doing, and how effective it is?"

For Hyppönen, the solution is government transparency reports, akin to those released by the likes of Facebook, Google, Apple, and even Reddit on government requests.

"We need to know what our governments are doing, we need to know what kind of information they are tracking, we need to know how effective these tools are, and we can get that information quickly.

"Let them generate statistics, we don't need to know details of their operations, for very good reasons they could be classified," Hyppönen said.

"But for example, if last year, the government infected 200 citizens' computers with a backdoor, and 190 of those ended up with a conviction ... they were found because of this tool. Or 190 were found to be innocent people who were doing nothing wrong, that's a big difference. Right now, we don't know which one it is.

"With transparency reports, we know such valuable information. Which would mean that we would be much better equipped to tell our politicans which one to vote [for] the next time laws are being passed."

Under the reports he is proposing, Hyppönen says the government would not need to reveal any of the exact details of their operations.

"To me, it seems like a no-brainer. You don't have to tell me who you infected, you don't have to tell me what you were charging them with, but tell me how many of them turn out to be guilty.

"If you really think that metadata is so innocent, show us your metadata."

Of course, everyone in the debate knows that metadata is not as innocent as it is made out to be. As former director of the CIA General Michael Hayden famously said: "We kill people based on metadata".

While the technically adept in the population may scoff at metadata-retention schemes, because they think a couple of VPNs and a dose of Tor will protect them, Hyppönen said it is not a solution for the bigger issue.

"I believe that technical solutions, while important, they're still more like a band aid. You can try to encrypt your traffic, you can use VPNs, you can encrypt your email -- that's not really going to change the problem. That's only going to protect you a little bit, but it does nothing for the underlying problem, which is our privacy is being violated by companies, being violated by foreign governments, and maybe by our own governments.

"The only change we can really do for problems that are hard is to lobby for a change to have better legislation restricting companies that are violating our privacy, and then trying to convince our governments about the need for privacy.

"These are crucial times ... we are the first generation that are online, and we've got a free and open internet -- how are we handling it? How are we protecting it? How are we telling our politicans and powers that be that it's important that we retain our privacy, just like we did in the real world, also in the online world?"

Given the power of metadata and knowledge of how the data scooped up by intelligence agencies is used, one could be forgiven for thinking that the answers would be forthcoming, but, a few pockets of online resistance aside, few are genuinely fussed by the idea.

Former Australian Attorney-General Philip Ruddock is representative of a view that the authorities will always behave themselves with metadata, even though Snowden showed otherwise with LOVEINT.

"I do not care how many police officers find out who is talking to me, who is visiting me, and so on. I am behaving properly," Ruddock said last month.

Hyppönen, who already has his social media entries indexed by GCHQ program Lovely Horse, is not expecting an awakening of the general population to what is occurring online.

"It's hard for me to imagine what it would have to be after everything we've already seen," he said. "GCHQ monitoring people's Yahoo video chats, collecting d*** pics of thousands of people, and people are not outraged.

"If that doesn't make you angry, then what does?

"If Snowden didn't wake people up, I don't know what will."

It's hard to disagree with that diagnosis. But should the tendrils of mandatory metadata retention continue to extend their reach, the absolute very least we should expect as citizens funding surveillance on ourselves is to know what our money is being spent on, and how effective it is.

We ask far more of the rest of our tax dollars, so why should it be any different when it comes to violating our own rights and privacy?

ZDNet's Monday Morning Opener is our opening salvo for the week in tech. As a global site, this editorial publishes on Monday at 8am AEST in Sydney, Australia, which is 6pm Eastern Time on Sunday in the US. It is written by a member of ZDNet's global editorial board, which is comprised of our lead editors across Asia, Australia, Europe, and the US.
