GDPR and you

That bundle of privacy policy updates that suddenly clagged up your inbox a few weeks back? The pop-ups that need your consent before you can visit some website or other? These are the flotsam bobbing around in the shockwaves from what just happened in the European Union. A six-year campaign to make the internet a safer and less predatory place closed out on May 25, and the consequences are now starting to sink in.

First published at the Monthly

It is a rare and important piece of good news. In the five years since Edward Snowden first became a household name, there has been precious little of that. In Australia, we got mandatory data retention laws, relentless expansions of surveillance state capabilities, and an agglomeration of unaccountable power in the hands of a home affairs minister whom most people wouldn’t trust to mind their dog. Even now, the government is flirting with a bill to undermine the encryption standards that underpin most private communications and all financial transactions. As the prime minister would have it, “The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia.” So when activists and legislators pull off an almost continent-wide pushback against full-blown global surveillance capitalism, it’s worth taking notice. Sometimes, we can win.

It is now fairly commonplace to see the phrase “data is the new oil” splattered on PowerPoint slides and news headlines, as though that’s a good thing. The phrase is more apt than its proponents might like to acknowledge. It implies extraction and exploitation (true), concentrated benefit and widely distributed harm (true), and huge public risks that become apparent only after the industry has amassed enormous political and economic power (also true). So, for the moment, let’s go with it.

Fine-grained details of our relationships, purchasing habits, physical locations and medical histories – some of the most intimate moments of our lives – are seen by these industries as a kind of extractible commodity to be drilled, refined and sold. If that doesn’t creep you out just a little, it gets worse, because the further assumption is that you don’t own this information, the drilling companies do. And every time we click our assent to one of those incomprehensible 500-page “user agreements”, we cement that assumption.

States obviously find these huge pools of data irresistible. One of the early striking revelations of the Snowden disclosures was that in addition to tapping the internet’s physical hardware – the routers, satellites and undersea cables – Western signals intelligence agencies had installed PRISM “backdoors” in the archives of the tech companies responsible for much of the primary data drilling. There are equally disquieting examples of various actors systematically poisoning these information wells, for the purposes of influencing public debates or tilting elections.

We don’t have to look to science fiction to contemplate what happens when these tools are turned, without restraint, against ordinary people. Right now, one fifth of the world’s population is locked behind the great firewall of China, subjected to saturation censorship and opinion monitoring. Without question this requires the abolition of any quaint notions of privacy. Late one night in Beijing, I joined the queue outside a security post to be allowed into the forecourt of the Forbidden City, over the road from the haunted expanse of Tiananmen Square. Not being in possession of an ID card, I was pulled aside after going through the scanner for a passport check, and, while waiting, I got a user’s-eye view of the system I’d just passed through. Ghostly squares settled across the faces of those shuffling through the metal detector, and one by one they were assigned an identity, names and numbers scrolling past on an adjacent monitor. In the southern industrial capital of Shenzhen, the facial recognition network can now recognise jaywalkers, and beam them and their names onto giant screens in real time. Eventually, the same system will be able to send you an aggressive message via your social media apps and issue an on-the-spot fine.

In the restive autonomous region of Xinjiang, we can see the full measure of why Snowden referred to surveillance technologies as weapons. In a place where people are rated as “safe”, “average” or “unsafe” depending on their religion, ethnicity or “social stability situation”, officials are collecting a wealth of biometric data, including pictures, fingerprints, blood type, iris scans and DNA. The region is now a laboratory for saturation surveillance, operating as a high-technology front-end to much older forms of coercion and state violence.

Russia, that other human rights stronghold, has installed a facial recognition system to weld most of Moscow’s 170,000 cameras into a single, unblinking digital eye. “We needed an artificial intelligence to help find what we are looking for,” Moscow’s IT departmental head said reassuringly in 2017.

Xinjiang and Moscow are a long way from Canberra, but ask yourself, and be honest, whether you believe that there aren’t people within Peter Dutton’s sprawling home affairs department who would cheerfully roll out this technology across the whole Australian population. With stringent Aussie checks and balances, naturally.

There’s no need to guess, because we already have a pretty good idea. The core of the Australian system is referred to as the “National Facial Biometric Matching Capability”, or just “The Capability” if you prefer to keep your dystopian descriptors concise. At present, it is designed to provide seamless cross-matching between existing state, territory and federal holdings of biometric data contained in driver’s licences and passports. At present, we are asked to believe, by people who may even believe it themselves, that this system will never be patched into the mesh of CCTV cameras proliferating across the country, and never be perused by AI in real time to bring suspected wrongdoers to the caring attention of Border Force, or the tax office, or Centrelink.

Or, presumably, to the attention of military intelligence agencies. Months of quiet behind-the-scenes preparation were abruptly forced out into the sunlight in March when a memo from Australian Signals Directorate head Mike Burgess, seeking to “better support a range of Home Affairs priorities”, was leaked. The ASD, as the Australian “Eye” of the Five Eyes surveillance network, is prohibited, on paper at least, from spying on Australians. The leaked letter, since repudiated by everyone except Peter Dutton, proposed abolishing that threshold and formalising the ability of the ASD to engage in warrantless surveillance on the Australian population.

As a general rule, these “innovations” are rolled out stepwise, rather than all at once, preferably in the wake of some appalling attack or security near-miss in order to spook a sufficient parliamentary majority into granting them passage. That’s the Australian template, anyway: objectively untrue assurances that Australia’s spy agencies operate under “a regime of strict parliamentary oversight” combined with a one-way legislative ratchet granting them ever-more intrusive powers.

There are other templates, however, and our European colleagues just wrote a brand new one. “The GDPR strengthens existing rights, provides for new rights and gives citizens more control over their personal data,” the bills page on the EU website dryly notes. GDPR: that’s the General Data Protection Regulation to you and me, and it’s the reason we’re being sent all those emails. It goes some distance towards giving ownership and control of your personal data back to you. It is the brainchild of privacy campaigner Ralf Bendrath; former European Commissioner for Justice, Fundamental Rights and Citizenship Viviane Reding; and German Greens MEP Jan Philipp Albrecht. The story of their half-decade campaign to get the new law over the line is the subject of a recent documentary whose title translates as “Inside the Noise of Data”.

“Surveillance is not about knowing your secrets, but about managing populations, managing people,” argues the Panoptykon Foundation’s Katarzyna Szymielewicz in the film. For Albrecht, fighting upstream in early 2013 amid a swamp of industry lobbyists pushing for 4000 hostile amendments, the Snowden revelations landed like a bombshell. Just as Snowden had hoped, transparency changed the game.

“People say nothing has changed: that there is still mass surveillance. That is not how you measure change. Look back before 2013 and look at what has happened since. Everything changed,” Snowden told The Guardian on the fifth anniversary of his extraordinary disclosures.

As of May 25, 2018, if you collect information on citizens of the European Union, you’re obliged to tell people what you’re going to do with it. You’re obliged to only collect the minimum that you require in order to do whatever it is you’re doing. You’re obliged to notify people if your website is loaded up with commercial spyware. And so it goes.

In one highly instructive example, USA Today decided that it would be easier to design a special Europe-only version of its website rather than bring its main site into compliance with the GDPR. Austrian developer Marcel Freinbichler helpfully compared the size of the regular page for a US audience and the GDPR-compliant page. The latter is designed to “not collect personally identifiable information or persistent identifiers from, deliver a personalized experience to, or otherwise track or monitor persons reasonably identified as visiting our Site from the European Union”. You get the picture. As it turned out, the compliant page required less than 10 per cent of the bandwidth of the one bloated with unasked-for tracking devices.

The GDPR is a long way from perfect, as even its architects acknowledge. Despite the huge fines that can accrue for companies in breach, it will only be as good as those tasked with enforcing it. There is also a very deliberate carve-out for policing and national security agencies, which will be governed by a rather more ambiguous standard.

But credit firmly where it’s due. The GDPR is a testament to the degree to which strong civil society advocacy within an existing legal rights framework can empower committed legislators to change the law, and thus the world.

If they can do it in Europe, is there any reason why we can’t do it in Australia? At first glance, it doesn’t seem promising. After all, our current baseline is the Office of the Australian Information Commissioner’s grotesque ruling that former human services minister Alan Tudge was justified in leaking the private details of writer Andie Fox to a journalist, in order to procure a hostile story about someone who had dared to raise a public critique of the government’s “robodebt” disaster.

In fact, there’s no reason why we can’t turn the tide here too. We don’t have a sweeping mandatory internet filter in Australia, because of successful political opposition. Nor do we have mass prosecutions for minor copyright violations, and, for the time being, even the Labor Party has baulked at the prospect of giving military intelligence agencies warrantless surveillance powers over Australians.

“The internet may seem like the last frontier of a human rights battle that is increasingly hard to win,” says Tim Singleton Norton, chair of the Australian advocacy network Digital Rights Watch, “but it is also where you will witness the most creative, the most engaged, and the most dedicated defenders practise their art.”

His optimism comes in the wake of the organisation’s State of Digital Rights report, which sets out a unifying set of recommendations and directions for Australian campaigners in the wake of the GDPR. The internet, it is worth remembering, is not some frictionless post-material medium unmoored from the rest of the world. Nor are our private lives just some commodity to be sucked out of the ground and sold to advertisers. The internet is entirely a creature of engineering, power and capital, and there is no reason why we can’t win fights for justice and democratisation online, just as we do everywhere else.

The fights won’t be easy, as those who spent years advancing the GDPR discovered. We’ll know we’re on the right track when we get a batch of cheerful spam from Australian service providers, announcing our next wins.