Loading summary
A
Thank you for coming. I'm Stefan Freeman. I'm the Information Security Manager at lse. This is the first of a series of three talks around raising awareness on information security risks with the hope that it will prompt a little bit of thought around people's activities when they go online. This lecture is actually being organised through IT Services at LSE and we do have a wealth of information on our website and we. We've just launched a series of leaflets with top 10 tips on how to keep yourself safe. They're available out in the foyer on the table. Please also help yourself to a mouse mat. I wanted to welcome Rob Carolina and Bob Ayres this evening. Rob is our first speaker. Rob is an LSE alumni, having studied international business law and stamped and is a solicitor of the Supreme Court of England and Wales and a member of both the American and Illinois Bar Associations. He's also a visiting Fellow of Royal Holloway on the Information Security Master's degree course. And we'll be talking tonight about how about Internet law, responsibility and de globalization of cyberspace. So thank you, Rob.
B
Thank you.
C
Let me just see if this is intuitive and it is marvelous. I love it when a plan comes together. Thank you very much, Stephan. And thanks very much to the LSE for this invitation. And thanks very much to folks we have here in the room today and to anyone who's watching this or listening to the podcast afterwards. Thank you for tuning in. The title of my talk is Internet Law, Responsibility and the Deglobalization of Cyberspace. I suppose I'm almost talking about the flip side of staying safe online. In a sense, I'm talking about the personal responsibility of users of the Internet, or you as users of the Internet, as well as generally what I think is happening to the Internet, which is very, very topical at the moment, given the recent defense review stating that this is a serious problem we're facing. You've already heard a little bit about me. The only thing I'll mention in addition, by way of background, is that a lot of my thinking on this topic, particularly with respect to the de globalization of the Internet, was very heavily influenced by the time I spent here as a law graduate student studying international business law. Although back in Those days, in 19 a room of 500 lawyers, I was known as the chap with the laptop. So that was how I was identified back in 1992. There was only one. So what will I be talking about? How why the law applies to your use of the Internet, the closing of the cyberspace frontier and the de globalization of The Internet. All great lectures begin with a story, and this story begins once upon a time. Once upon a time, a very interesting man named John Perry Barlow, who was one of the founders of the Electronics Frontier foundation, published an interesting declaration in 1996 called the Declaration of the Independence of Cyberspace. And Barlow's article is available in a lot of places, and I've excerpted a few quotes from it here, but I'll just hit some of the highlights. Amongst many other things, he says, governments of the industrial world, you have no sovereignty where we gather. He's talking about cyberspace. You have no moral right to rule us, nor do you possess any methods of enforcement. We have true reason to fear. Yaboo sucks. You know, we're out here in cyberspace, you can't find us, you can't enforce your crappy old laws against us. Cyberspace does not lie within your borders, said John Perry Barlow in 1996, which is all a very lovely idea and utterly and completely wrong. I give this article to my students to read every year as an example of what might be the most wrong thing ever written about Internet governance in the 20 years I've been working in the field. And by the way, no disrespect to John Perry Barlow, I think he's done a lot of tremendously good things and I'm grateful for one that the Electronic Frontier foundation exists. It's just that this, as a political idea, never caught on, and frankly, never will. Let's talk a little bit about how the law applies to uses of the Internet. If you want to understand Internet law, I'm going to tell you three things you need to understand. Three things and only three. There are three things and. And if you can keep those in mind, everything else starts to fall into place. Thing number one, there is no such thing as the Internet. Despite what you might believe, the Internet does not exist as a thing. It is not a single legal person, it is not a single entity, it is not a single company, it is not run by any individual or any state or any government at the same time. So I have reached the conclusion as a lawyer, there is no such legal thing as the Internet, in the same way as there is no such thing as thing as television. There are television sets, television broadcasters, television content producers, television stations, but there's no such thing, single entity as television. What's the second thing? Thing number two, there is no such place as cyberspace. William Gibson, who created the term cyberspace in the 1980s, even defined the term as our shared illusion, the place that we imagine exists when we're on a telephone call or doing something, but it's not a real place. So I was disappointed to hear him on radio 4 not too long ago. Make a couple of perhaps taking artistic license. Well, cyberspace is where our bank accounts are held. No, my bank account is held at Barclays bank plc. In fact, I have an address of the bank where it's held. And legally, for lots of reasons, that is extraordinarily significant. If you don't believe that, go find a lawyer and ask him to explain the Libyan era bank cases to you from the 1980s about what governments have the right to freeze assets. Where, when and how. No such place as cyberspace. Number three, thing number three, to understand how the law applies to the Internet. Laws apply to people, not technology. I've never heard of a computer being arrested or sued or placed in jail or satisfying a judgment. So if you want to apply the law to what you're doing, three steps. Step one, identify a person or the person somewhere who did something. Who are they? Where are they? Now, admittedly, this is easier said than done sometimes. And unfortunately for you, if you're trying to stay safe online, the people who do bad things for a living are professionals at not being found. On the other hand, if you are, for example, a student or a member of faculty at the London School of Economics, you are extraordinarily easy to find. It's really not difficult at all. Step number two in applying the law to the Internet, once you've found the people, identify what actions they took. Subject, verb, object, subject. This person. This person did what? Made a copy, used a trademark, displayed a pornographic image, published a defamatory remark, offered corporate securities for sale. Attempted unauthorized access to computers, made personal data available, accepted a bet on a sports team. Each of those verbs, each of those things might trigger legal scrutiny or liability in some places. Some of those things constitutes a crime. So step one, find the people. Step two, identify what actions they took that are legally significant. Step three, apply the old, sometimes very old law to the new facts. Lot of myth and misdirection. I Remember in the 1990s, someone phoned me up one day when I was working at the world's largest law firm and said, oh, this Internet thing will be great because then private eye will be able to publish and defamation law won't apply to them anymore because they'll be in cyberspace. No, I said, I'm sorry, life doesn't work that way. The publishers of that publication are right here in Britain and it's Very. You know exactly how to sue them. I mean, they know how to be sued. People know how to deliver a service to them. It's. It's quite understandable. Just because they happen to be using a new media doesn't change the law. The law doesn't say defamatory statements are only defamatory if they're not on the Internet. Or if a media we never heard of, it doesn't work that way. Simply doesn't work that way. So we come to the advent of the frontier metaphor, the electronic frontier, the cyberspace frontier, the lawless frontier. Where does this come from? Where did we get the idea that the Internet or that cyberspace is a frontier? Let's go back and ask John Perry Barlow. In 1990, he gave an interview describing how he was questioned by the FBI in 1989. Now, I gotta emphasize, Mr. Barlow was in no way involved in any kind of criminal activity. That's not what this is about. But the FBI were investigating what was described as the theft of source code from Apple that was used on a ROM chip. And this is Mr. Barlow's description one year after his interview with the FBI about what that interview was. Agent Baxter. I don't know who Agent Baxter is, but this must be embarrassing for him. Shows up and shows up at my ranch in Montana, and when he arrives, he doesn't know what a ROM chip is. He doesn't know what ROM code is. He doesn't know how you'd steal it or if steal is the right word. He's got all sorts of misconceptions about Autodesk and Star wars and cyberspace and hyperspace. So it suddenly occurs to me, says John Perry Barlow in 1989, the whole system's kind of jumped the groove. We're in a whole new world here. So what did Barlow see in 1989? He saw, with respect to Agent Baxter, a clueless investigator, which by extension means a clueless government. What else did he see in 1989? Well, since they can't see it, they don't comprehend being cyberspace or the use of the Internet. He also saw people like himself, an elite group of computer network pioneers, people who took the extraordinary step in the 1980s of trying to become connected. It wasn't really an easy job. Back in those days. Anyone who's old enough to remember configuring 300 baud modems to log into somebody's rubbishy old dial up, high costs of entry, you know, an elite small group of people. What does this lead to? This must be some Kind of frontier. It seems to just work as a metaphor in 1989. Of course, things have moved on since 1989. And it is my firmly held opinion that the cyberspace frontier is closed. It doesn't exist. It hasn't existed for a long time. It ceased to exist sometime when we weren't looking to understand why. I'm going to come back to this theme of what caused lawlessness in cyberspace. See, the thing is that cyberspace never had a shortage of law. If anything, we had an oversupply of law. All of these old laws, copyright, trademark, pornography, tax law, gambling law, securities regulation, all of these laws applied to this new medium. In fact, arguably, the Internet is the most regulated phenomenon in human history. We have a huge oversupply of law. What we had was a complete shortage of enforcement. We had people like Agent Baxter, who, God bless him, was trying his best, but just didn't understand what he was dealing with or what he was supposed to investigate 21 years ago, 21 years, a long time. We also had a lot of people in private practice or in the non criminal world, non criminal enforcement world, who didn't know what it was. And here's a direct question that I got from a senior partner in the world's largest law firm in 1995, who phoned me up at my desk one day, who asked, began the conversation with, so what is this Internet thing and how do we shut it down? When you're a junior lawyer at one of the world's largest law firms, you don't tell a senior partner that he doesn't know what he's talking about. So we spent some time working the problem. It's like, well, you know, after 20 minutes, this very senior person drew the conclusion. Well, you know, Robert, I've come to the conclusion that maybe we shouldn't try to shut down the Internet. You know, I think that may be wise. Yes, indeed. And besides. And we literally were trying to figure out how to do it. And what we really realized is that the cost and time that was involved and the uncertainty of gaining enforcement in every country we needed was more than the client could pay. That's really what it boiled down to. And as soon as we realized there's no margin in it and it's not going to solve the client's problem anyway, he moved on to try something else. So long as cyberspace was invisible or misunderstood, enforcement was hard, impossible, or ignored. Policymakers, what now? Let's roll the clock forward. What do we have today? Policymakers, law enforcement officers, the public at Large understand what it is. I've got my five year old godson who understands what it is, his seven year old sister who's been setting up websites since she was 4 years old. People generally understand what it is. They don't make the mistakes that Agent Baxter genuinely made back in 1989. Police officers understand what it is. Even lawyers, God help us all, even lawyers, understand what the Internet is and how the law applies to it. Consider, for example, I'd love for someone to do the statistics on how many person millennia of criminal sentences have been handed down for people who were convicted of doing something via the Internet. Well, I was just publishing pornography on the Internet, therefore it couldn't have been illegal. Lots and lots of enforcement activity has happened. The fact of the matter is we did not settle cyberspace, the cyberspace frontier. We just kind of woke up one day and realized that cyberspace is really here with us on planet Earth. Sorry, one romantic metaphor, dead. Let's move on. So now that we no longer have a frontier, we do have the problem of a media that appears to cross national borders in a heartbeat. So what would the international community do to deal with the Internet? How will laws apply internationally to the Internet? Well, first news flash, there are no we the people of cyberspace. That was one of the key flaws in Barlow's argument. He genuinely thought that, I suppose that some kind of society would emerge that would be cyberspace based or information based. Well, I hate to tell them, but unfortunately there are now so many hundreds of millions of people who use the Internet every day. They're not about to form a singular group revolution, raise a standing army, tax themselves. It's not happening. Furthermore, Facebook is not a country and it never will be. I've been in the dialogue with a very respected network engineer who's arguing with me about this because there was an article published. If Facebook were a country, it would have this many citizens, it would have that much revenue, it would have this many people. It's like, yes, but Facebook isn't a country. He says, why not? Why couldn't it be? I'll be writing an article about that soon, surprisingly, and publishing it on internetborders.com where I about these sorts of things. But Facebook is not a country and never will be. So what do we have? We have an international organizing system that we've been more or less happy with and that we have more or less honored for a few centuries now. And it boils down to this. We organize ourselves on this planet by reference to geographical sovereign states and the basic deal that we've had with one another for the last few centuries, again, with some very notable exceptions and some unfortunate exceptions. Exceptions both recent and past, are that within your own sovereign geographical territory, we'll leave you alone, and within our sovereign geographical territory, you leave us alone. That's more or less the international norm that we proceed from. So in a sense, we already have an organizing theme for how the international community and laws nationally will deal with the Internet. Laws apply in whatever way each sovereign state chooses to apply them because they're sovereign states, and that's what they do. They enforce their laws in their territory. Now, that leads to some interesting tension. Here's a list of cases. Most of them are older cases that first started alerting people to the problem of states enforcing laws across borders with respect to Internet activity. I'll talk briefly about the Last 1. Gutnick vs Dow Jones was a case decided in Australia in December 2002. Mr. Gutnick was at that time, I suspect, still is a resident of Australia. Dow Jones, for those of you who don't know, publishes the Wall Street Journal and is more or less a resident of New York City and New Jersey. As it happens, they published an article which contained a defamatory remark about Mr. Gutnick. Mr. Gutnick decided to sue Dow Jones. And where did he sue them? Not in the US if you want to. Defamation. If you want to win a defamation case, rule number one, you don't sue anybody in the U.S. u.S. Courts don't like defamation cases. So he sued them in Australia, where he lives, where he has friends, where he has business connections, where he has a reputation to defend. And the Australian court said, yeah, okay, we'll deal with that. Dow Jones, you are liable for violating Mr. Gutnick's rights. You have defamed him in Australia, they said. But hang on, our servers are in New York and New Jersey. Yes, said the court, but your screens where people read what you write are here in Australia and every other place in the world. But we don't care about every other place in the world. My job as a judge today is to figure out what you've done in Australia. Since you have published a defamation in Australia, here's a judgment for Mr. Gutnick where he can collect a lot of money from you, and you should issue him an apology, by the way. So not too surprising. The other cases on here are sort of other examples. I mean, the US has done this criminally with respect to offshore gambling operators. But I'll move on because there's a lot to cover. It's not just states who are seeking to enforce this kind of international scheme on how the Internet works. Increasingly, our experience of the Internet, one of the key factors that drives what we see is not just the URL that we type into a browser, it's our actual geolocation. So, for example, on a recent trip to Morocco, I looked Yahoo.com what ads was I given? Well, I was looking@yahoo.com, which you would think is a U.S. site, and it is. But the ads served up to me were written in French and in Arabic. Why? Because the advertisers made a reasonably good guess that I was physically geo located in Morocco. Similarly, here's a good example. The BBC. God bless the BBC makes a lot of money from Internet borders. The reason is when you look at something like the BBC news site while you're geolocated in the UK in accordance with their charter, they don't show you paid for advertising. I like the BBC. I'm one of the few people who enjoys paying the license fee because I like watching the BBC. And when I look at their website and they look at me and they say, oh, here comes someone who's geo located in Britain. Oh, don't show them any advertising, because under our charter, we're not supposed to show paid for advertising to people who are in Britain. I take my laptop, get on a plane, land in Canada, log into BBC News, bang, paid for advertising on the same site using the same URL. What kind of advertising? Well, sitting in an airport in Toronto, I got served up an ad for a Toronto car dealership, get another plane, go to the Midwest in the United States, open up my laptop, connect to the web, same URL, news.BBC.co.uk, what comes up BBC and paid for advertising. What kind of advertising? Advertising for a car dealership in Chicago, Illinois and for a television network that's only available in US cable systems. What we see online is increasingly driven and altered and shaped and modified and edited, specifically directed to you in part on the basis of where you are in the world. And it's pretty good technology and it's getting better. Why do businesses want to discriminate by geolocation? Well, it might be for targeted advertising. It might be because they want to avoid liability where their content is not supposed to be received. Yahoo got into a huge debate with the French government 10 years ago about whether they should allow Nazi memorabilia to be offered for sale in a way that could be viewed by French residents. Caused a huge diplomatic row. Recently, I was reading the book Googled and amongst other things, just flying past on around page 72, the author happens to write. Of course, Google does do some things, like they won't allow search results to serve up Nazi results to end users who are in Germany and France. Whoa, wait a minute. It's not even the theme of the book. It's almost a footnote at this point. I guess that's the good kind of censorship that Google can live with, as opposed to the bad kind that they can't live with. I'm not here to defend the human rights record of any individual country. What I'm here to say is that individual countries have a job to do, and they perceive their job as protecting their country against whatever threats they perceive. And they're sovereign within their own territory. Businesses have to make some hard decisions sometimes. All of this leads to observation number two. In case you haven't noticed, and most people haven't noticed, the Internet does have borders. Here is the traditional view of the Internet cloud. One big happy cloud in one big happy world. You're going to sign up for cloud computing. Where is the cloud? The cloud is nowhere. The cloud is everywhere. The Internet is the cloud. The cloud is the Internet. It runs over all sorts of things. This is the wrong picture. The right picture is this, which is to say every Internet cloud exists on its own within the sovereign states of where it is. And if you talk to a network engineer, very often they have to think about the Internet this way because they have to plan for shaping traffic, traffic outages, where servers should be located, et cetera, et cetera. This is the picture of the Internet going forward. Individual clouds stuck in individual countries or individual territories where we club together and agree on the rules, like the European Union. The geolocation technologies I mentioned before, that tell where you are. They used to be bad, now they're getting good, they will get better. And there's more than one of them they can use at the same time. I'll skip this slide for the moment in terms of different types of efforts to enforce Internet borders. Not just governments, state enforcement, of course, the Great Firewall of China, also the Great Firewall of Australia. Others will be coming. We saw the big defense review here in the UK yesterday. Frankly, if Western governments aren't thinking right now on the question of how do we secure our borders from overseas traffic, then I don't know why I'm paying taxes. They ought to be. Actually, I do think they are. They just don't like to talk about it. One interesting case to look for, by the way. If you Want to see this in action? Is the European Union versus the USA on the question of what do we mean by privacy with airlines and Swift caught in the middle. For those of you who know Swift, the Society for World Interbank Funds transfer, they got caught in a case of regulatory shear where complying with one set of laws caused them to break another set of laws. And the fix is to require them to re they had to reconfigure their own internal network in order to be able to comply with everybody's laws at once. Now that the Internet has borders, what about domain names and addressing? Here's one that the network engineers don't like to hear. Is there truly an authoritative root for the whole of the global Internet anymore? Answer no, of course there is not. Don't believe what ICANN tells you. Oh, there are 13 servers and they are definitive and they are authoritative and they are. Nope. All of China points to a different set of route servers and they route traffic to whatever destination they feel it should go to. It's just that they feel most of the time they're going to follow the ICANN so called authoritative route. That's not the first time this is going to happen. I think eventually we're going to see more of that moving forward. For that matter, technologically I know it's a better and more elegant design, but does ICANN or anyone really need an exclusive global DNS root server? And now we're in sort of really sciencey network engineer y territory and I better move on. This leads to observation number three. The Internet has, in my professional opinion and based on my 20 years of experience, entered a new era of de globalization. News flash. The Internet is not, despite what you've been told, inherently international. I don't think it's inherently anything. It's just that most states, most countries in the world at the moment seem to believe that the international nature or the open nature of Internet borders is more beneficial than the harm that would be occasioned by closing Internet borders. Obviously North Korea doesn't feel that way and some other countries don't feel that way. But frankly, the thing is, the Internet's international character is not a simple binary state. There are an infinite number of possibilities between totally international and totally domestic. There are a number of different states of being between having a border that's totally opened and totally closed. In the real world, I don't know of anybody who has a border that's totally, absolutely, completely open. Yes, in the Schengen area you can drive freely between France and Germany and all those kinds of places. But police officers do not really move very freely between those places. And if anybody wanted to, they wouldn't have any compunction about setting up a border if they really, really thought that they were being threatened. For some reason, they just don't feel threatened. So they don't enforce the border as strictly as they do. But when it comes time to assess and collect tax, oh, suddenly everyone's starting to look at borders again. It's like, which country is my property in? Ah, well, you know, we know that down to the inch. Borders, borders everywhere. When I talk to network engineers, they say, yeah, but I know 13 ways to get around some of this technology. Great. And that means that security services and businesses will be thinking of 25 ways to try to thwart your 13 ways to get around the border. We've entered a border technology arms race, basically, and that'll be fun to watch. One example of de globalization in practice, cloud computing. Increasingly, customers of cloud computing services are saying, yeah, cloud computing is great, so long as my cloud is in my country. Yeah, but our cloud computing solution doesn't really work that way, man. Well, make it work that way or you don't get our business. I've said on this slide that any cloud computing provider who doesn't, who isn't able to make these kind of guarantees, will be out of business before 2020. I should have said 2018, because I first said this in 2008 and it said it got 10 years or less. So 2018 is the better time. I was just looking Today at Amazon's S3 service, their Cloud service. You can actually go to their cloud service and say, where do you want your cloud? Do you want it generally in the us, Just in California, just in Ireland, or just in Singapore? And we have different pricing schedules for each one. They're getting wise cloud computing providers used to fight against this trend. Eventually they're going to gain business by complying with it. Oh, and my last comment on deglobalization. Google will not survive. I'll be happy to take questions.
A
Any questions? Deathly silence. Wait for the microphone.
B
A sort of obvious one.
D
Why do you think Google won't survive?
C
I'll back up. I've got a huge footnote here. Google will not survive as a thriving multinational enterprise with global business presence, as global business interests, unless and until it decides to undertake a major restructure of its corporate assets, its operational methods and its technical architecture. In other words, Google will not survive as it's currently structured. They have two choices. They can either reorganize or stay a US company for the rest of their lives. By which I mean they recently had a bad experience in China where the Chinese told them what rules they had to follow in order to have an office there, to have a trading presence there, to operate their website through. CEO. And they kind of worked with that for a while and then they decided we don't want to work with that anymore. So they pulled out. They just had three executives convicted of a crime in Italy because of the YouTube service. Not anything the three guys did individually, but they were found responsible on sort of a corporate control basis. If they continue to face that kind of liability, they have to make hard decisions. We either change the way we do business and change the way we structure or we start. Maybe they'll pull out of Italy next, maybe they'll pull out of Ruritania and the Land of Nod or any other place where they don't like the rules. I think unless if they want to restructure as a global business, they're going to have to realize that content businesses and telecommunications services businesses are inherently sensitive, will always be subject to some measure of local control, local sovereign intervention. In the same way that BlackBerry RIM has found out recently. And they will, in my opinion, they'd be well served to break themselves up into two different operating groups, which is one operating group or individual operating units that work on a country basis, that liaise with local countries and then have a flagship headquarters office that focuses on technology development and IP licensing so that they can literally sit in California with clean hands and say hey, that's not our Google, that's Google Ruritania. And Google Ruritania is either a wholly owned subsidiary or shoot flog it off to sell it to somebody else. To local shareholders, we license them our technology and we have no control. That's what we have to do to do business. There's. They can either go down that path which we see with things like international energy companies, or they can collapse into their own single market. I don't know which way they'll fly.
A
Now that the Internet is localizing, as you say, and it's no longer a frontier. What will criminal law enforcement look like? Online.
C
Criminal law enforcement, well, frankly is not my bag. I do almost my entire practice as non criminal so I can only make some really rough high level guesses. I think that more and more money will be and is being put into training law enforcement officials to understand how to deal with Internet related events. There's been a huge amount of training required and still required with respect to computer forensics and network forensics. But criminal law will always suffer from one significant limitation, and that is the inability to extradite criminals from one country to another. I mean, in this country there's one guy who's been awaiting extradition to the US for what's it now, six or ten years or something like that. And I don't want to comment on the merits of his case. There are merits and demerits of his case. But similarly, when the police here find evidence of criminal misdoings in, let's call the country Ruritania, because I don't want to annoy any countries unnecessarily. There's a criminal gang in Ruritania, we can tell you exactly what block they live on. And they're using the Internet to break into banks and steal money from little old ladies and all sorts of things. The police in Ruritania won't give any help. So if you can't enforce the criminal law against those people, somebody better build a better border. Or perhaps somebody had better find a better border enforcement technology. I look for the day when somebody announces we have decided arbitrarily to stop all traffic coming from Country X until they can sort themselves out, or it's all going to go through a scanner or a NAT box or something which goes through police headquarters before it's allowed in.
A
Can I just add to that as well that we do have Detective Superintendent Charlie McMurdy from the Police Centrally Crime Unit coming tomorrow, as well as David Blunket.
C
Indeed, you can ask her all of those questions about how she's trying to enforce the law. Frankly, she and the police have a very, very difficult job and if they can't do their job, then somebody else at the security level has to find a way to assist in basically protecting the citizens of this country.
A
No? Okay, well, thank you very much, Rob. I'd like now to introduce Bob Ayres. Bob is the Vice President of Intelligence and Security Celex and is a fellow Associate Fellow at Chatham House, I believe, ex Associate Fellow at Chatham House and has worked at the US Department of Defence. And his title of the talk. If you click down here, I've got.
B
A briefing hidden on here somewhere, don't I?
A
Yeah, just click on that one.
B
On what?
A
Wait, wait, wait. Just start the presentation again and you just need to click next and it'll go straight through technical pickup.
B
While they're setting that up, I'll say a few things. In my youth I was counterculture and I've hopefully maintained that throughout my life, back when it was very fashionable to have short hair, I grew mine very long. And when it became fashionable to have it very long, I cut it very short. I stand before you this Evening as a 30 year intelligence officer with the military, politically conservative, and I'm speaking to you on your right to privacy. So I'm maintaining that counterculture question is, is privacy dead? Well, let's explore what the legal basis for privacy is. Universal Declaration of Human Rights says this. I won't read all these to you. The copies will be available. You can get them online, they'll be on the website. The European Convention on Human Rights says you have a right to privacy. There shall be no interference with that right by a public authority. Typically, as citizens, you're required to provide personal information to the State with the expectation that the State will use it for its intended purpose. And here's some examples. You have to give the State information about you. If you want to get a driving license, the state will impose some requirements on you to provide information so they can tax you. All of this information was provided for a specific purpose. And we all assume that when we provide that information to the state, they will use it for the purpose intended. And the same sort of analogy exists for the private sector. You have to provide your bank with information to get an account. You have to provide the airlines with information to buy a ticket. Again, you provide that information with the assumption that it will be used only for the intended purpose. Now, right now we live in an interesting time in which the State has several criminal concerns. One of those is terrorism. And whether terrorism is a crime or an act of war. I won't debate that. The other thing the State says is they are very concerned about organized crime, drug dealing, people smuggling and criminal conspiracies. Pedophilia, activism, political, environmental. I would ask any of you who are here tomorrow night to remember some of the things I say here and ask David Blunkitt about them, because he's responsible for a lot of it. Okay, so the State's concerned about these things I just told you, basically criminal activity. And what has the State's response been to pedophilia, organized crime, people smuggling, drugs, terrorism? Well, they've implemented a lot of things. They've implemented non consensual surveillance, video technical surveillance, listening to your phones. They've introduced various forms of identity validation, and they've increased domestic human intelligence. That's a fancy way of saying they're collecting information on us. Criminal justice system has done some things too in response to Terrorism, organized crime, they've done things like they've extended the period that they can hold you without charging you. They've deprived your liberty through a non judicial process called control orders. And they've even made criminal activity of doing things like glorifying terrorism. So if you say a suicide bomber who blew himself up had to have been a brave man, that may be glorification of terrorism under the law. Problem is there's no definition for what these are. We've also made it criminal to possess information that may be used for a criminal purpose. Not that you'd ever want to do this, but if you go online and you look up something called the Devil's Cookbook, you can find all kinds of information for making bombs and explosives and infernal devices and booby traps. Under the British law today, possessing a copy of that is illegal or could be illegal. Let's look at the magnitude of this response that the state has taken because it impacts directly on our rights to privacy. And we're going to go through these in this order, starting with direct surveillance. Here are some examples of the extent and magnitude of the direct surveillance activity that the British government has implemented in response to those fundamentally criminal or terrorist threats that I talked about. They're reading our license plates as we drive around. They're images as you walk through London, putting electronic tagging on. They're even putting CCTV and microphones to hear what's happening around the TV camera on the streets of London. Some of the things they're planning on doing, or at least they were planning on doing before the government changed, remains to be seen. How many of these will not be followed by the new government using satellites to track cars on the road so they can charge you for it. They've already used satellites to determine whether or not you built a conservatory in the back of your house and as a consequence increased your tax base. So they should tax you more. Some of these are rather interesting. They were putting speakers inside of CCTV cameras. So if you're walking down the street of London, you flip your cigarette butt on the ground. I'm a smoker, so I do that all the time. You can expect to hear this booming voice from above saying, pick up that cigarette butt. This is rather awesome. One of the local councils in London has been hiding cameras inside of baked bean cans and placing them around in your neighborhood to see whether or not you are throwing your trash away illegally and putting it in your neighbor's bin. This is one of those major criminal threats that the state is concerned about have a DNA database. We all know about this. We read about it all the time. There was an article in the Evening Standard tonight where some lawyers were going in. Remember this, Robert? There were some lawyers going in to see their client and the police station changed the rules on where you had to put your briefcase when you went in. They used to throw all their stuff in a briefcase, put it in a locker and then go in. Well, they changed the rules. You could put your briefcase in a locker, but you had to put your memory sticks in another locker. And they didn't know that. And while they were in visiting their client, a policeman came in and said, you put these memory sticks in this thing. They said, oh, you must have changed the rules. He said, we did. They then arrested them, took them away, took DNA swabs, kept them for about four hours in the slammer, then let them go with no charge. Their DNA is in the database. They can't get it out. We are introducing biometric passports. These are some of the modern conveniences that we're expecting to have. School children are being fingerprinted without the permission of their parents. Biometric ID cards were planned when I wrote this. However, they're not plan now because the Tories have done away with them. What's really interesting is one of the responses to these perceived threats is communication surveillance. And this data was current as of 2008. In 15 months, there were almost a half a million requests made to monitor telephone calls, emails and posts. Now, that's a lot. But what's really interesting is in the UK today, there are almost 800 organizations that can apply for and receive permission to monitor your communications. Now, some of those, you'd expect, you know, security services, the police maybe. But some of them are kind of surprising. You know, the fire service and the ambulance service can apply for and be given permission to monitor your communications. Again, remember, this is in response to organized crime, terrorism and fundamental things like pedophilia people and drug smuggling. We all know about the television police, if we're residents here. Some other forms of surveillance are indirect surveillance. We've heard time and time again, microchip your trash can so they can tell how much stuff you're throwing away. That's trivial, but Oyster cards are not. Who uses an Oyster card here? You know, the Oyster card keeps track of where you've been. It doesn't just give you a free ticket to get on the thing. You know, the police can take your Oyster card and use that to reconstruct your journey and see where you've been. And the times you were going, it's happening more and more and more frequently. There's a lot of things that have been thought about that may or may not ever come to pass. You can see some of the things here. One of the big things right now is the use of biometrics and DNA to make decisions about things like employment. We want to employ this person because they have a genetic predisposition toward getting multiple sclerosis or something. There's an interesting discussion right now about DNA becoming readily available. So you can do it almost like a home pregnancy kit. You take a swab, send it in, and you can find out whether or not your child is really your child or whether your child was conceived while you were in Iraq. Remember what the state was concerned about, these things here. So all of that response that I just talked about of gathering information about you is all being done in the name of trying to defeat terrorism. We'll find those terrorists with that camera and that baked bean can for sure. Because we all know terrorists, the first thing they do is they go down the street and throw their trash away. We'll find the drug dealers by fingerprinting our kids. We'll find pedophiles by using satellites to look at your backyard and see if there's any pedophiles running around by your conservatory. I mean, it's kind of silly now. So observation number one. All these things that have been done suggest to me that there's. There's nothing more dangerous to our rights to privacy than a good cause. And taking on pedophiles, catching them, catching drug smugglers, catching people smugglers, these are all good causes. And while we've cheered and applauded the police in trying to intercept these heinous people and arrest them and bang them up, what they've been doing is eroding our rights as citizens to privacy. Now, now let's explore something. Right now. All of us have. In that place that Bob says doesn't exist, we have some Personas. And the word Persona here is used to say there are certain attributes that really reflect us. We have things like a national insurance card, national insurance number, and that's associated with us. We have an auto number plate, and that's associated with our car, and our car is associated with us. You can see more and more examples here. But there's a lot of different various attributes that all are affiliated with us individually. There's also privately held information that's a Persona like information. You know, your phone number is associated with you. Your home address is associated with you. Your Sainsbury loyalty card is associated with you. So we have both public and private information that is being held in the private sector and in the public sector that's uniquely associated with us. And in most cases we've provided that information again in return for a service with the expectation that it would only be used for the purpose to which we provided it. We also increasingly feel compelled to go off and provide information about ourselves to whoever wants to read it. And here's some examples of how we provide that information. The interesting thing about this is once you provide it, you cannot un provide it. You can't take it back. So if you write something down, last night I was drunk and I bonked my sister in law. Well, 20 years from now, when you're running to be the Archbishop of Canterbury, that may sort of impede your nomination. Anyway, let's take a look at what we can start doing with all of these bits of information. Remember, I'm a former intelligence officer, so when I stand before you and say there's some interesting things you can do, you can take it to the bank that I'm not just talking. First one, this is kind of fun. We're talking about today, benefit fraud. Once you start taking all of these different data structures with these various elements in them, it's very possible to start doing things like, let's take Rob. Has Rob owned an overseas banking town lately? Yeah, somewhere in the Bahamas and then flying first class back and forth to Singapore. I wouldn't say too much. He's registered a new Ferrari and he's on benefit. Well, that would suggest that perhaps there's benefit fraud underway. Now that's kind of an example of another one of these good causes of data that we put into this one. The first time I gave this, there was a man in the audience. As I went through this, he blanched. What this says is when you travel, it's very, very easy to determine who's been on the same plane with you more than once. So if you fly back and forth to, say, Paris 15 times a year, you can find out that Rob or this young lady right here was on the plane with you 14 of those 15 times? You can also find out who stayed in your hotel room with you. Was it only you or was it that young lady who sat and decided you wanted to plane 13 times of the 15 you flew to Paris. So if you're traveling with your secretary, you have to be a little careful because you can start putting yourself in a position where simply correlating the information that already exists can get you in real trouble. This is something that I just point out. This is kind of cute. Possessions Activity Analysis. There was a man who was charged with murder in the United States, and his alibi was that he was out of state somewhere else for 30 days right around the time of the murder occurred. And the burglars cut men down by question. I said, well, we've gone for 30 days. Yes. Well, who had access to your house? Nobody. Not me or anything? Nope. Nobody comes in. The door's locked, stays locked. Okay. Did you go back and visit? Nope. You gone 30 days here. Well, what they did is they went into this refrigerator and they pulled the chip out of it. It controls the temperature on the refrigerator. When you open the door and the temperature goes up, chip tells the cooling system to increase the output and it cools down. There's a regular thing. So what they were able to do was to use the chip out of his refrigerator to track all the temperature spikes that showed the door opening and closing and prove that he was in his house going back and forth to the refrigerator while he was gone. So in this case, this man was convicted of murder by his refrigerator, which I find really fascinating. Okay. European Convention on Human Rights says, you have the right to privacy. State shall not interfere with that right. Correct? Well, I kind of left something off. What I left off are the exceptions. And here are the exceptions. You have a right to privacy unless national security interests override that right. You have a right to privacy unless public safety overrides that right. You have a right to privacy unless the economic well being of the country is being jeopardized. You have the right to privacy unless somebody wants to violate your right to privacy to prevent disorder or crime, not catch them, but prevent it. You have the right to privacy for the protection of health or morals. That's a scary thought. And you have the right to privacy unless somebody wants to violate your right to protect the rights and freedoms of others. So what I would suggest to you is that you have a right to privacy unless any of these exception conditions apply, which in a cumulative sense mean you don't really have much of a right to privacy. Now, what's kind of cute is exception conditions exist. That's law. But let me ask you a few questions. Who determines when your right to privacy falls into one of those exception conditions? Who makes that determination? Do you know? No. What legal protections do you have that prevent the state from abusing your right to privacy or the private sector from abusing it? You might want to put that question to Bob, because I haven't seen anyone in the state that has been convicted, at least in the Daily Mail, of heinous privacy violations from ever suffering any punitive sanctions. Second observation. George Orwell was an optimist. Questions? Oh boy, Let me have that thing. I gotta read this. Yeah. This is staggering. Please note, these are guidance for the people that are here. You should issue the following declarations in the first instance. This is if you're doing something bad, like heckling. As chair of this public meeting, I remind you that it is the policy of this school to allow freedom of speech to the visiting speakers. Please stop disturbing the meeting. If it continues, you say, you, sir, madam, are disrupting this meeting. Unless you stop, I will ask you to leave the meeting. This is a public warning to you. Please stop disturbing the meeting. If the disruption continues, you have no alternative but to say, I've asked you twice to stop. I'm reminding you that this school is determined to allow freedom of speech to visiting speakers. Unless you give me a clear undertaking now not to disrupt the meeting, I will ask stewards to remove you. So this is the first time I've ever heard that LSC had its own homegrown version of the riot act. That's really cool. So everybody's very comfortable with their rights to privacy here in the United Kingdom, where you've all abandoned them and given up and decided you don't have any and you're not going to worry about it.
C
That too.
B
If you do nothing wrong, you will have nothing to fear. Trust us. We're the government.
A
It was quite interesting actually. It if any of you made the Steve Ballmer presentation a couple of weeks ago, but he made the observation that his 15 year old son was happy to give away any information about himself as long as he got like something for free. So there is an interesting perspective. Thank you, Bob.
B
Ask about that life insurance policy.
C
Actually, Bob, since you're here, we have a few minutes. I thought maybe it might be. One of the things that. That struck me is that a lot of the circumstances you were talking about in terms of concerns about privacy dealt with some type of state intervention or invasion of privacy or privacy rights being aggregated with respect to the relationship between the individual and the state. You know, admittedly, whether it's The Metropolitan Police, MI6 or Herringate Council, I suppose that's a very significant, significant difference and some of us are more concerned than others that perhaps it's gone a bit too far. But what about. But do you hold the same sort Of I take your view as relatively pessimistic. Do you take the same view with respect to private invasion of privacy? I mean we've had in the news recently things like Facebook. It turns out that some of those innocuous looking apps about farming and, and you know, sort of mob hits or whatever it is they do on Facebook. I have a Facebook account, but I assiduously refuse to enable any of the apps. And I guess this is another reason I never thought of. But I mean, what about the private invasion of privacy?
B
Well, typically the private sector invades your privacy. If a company invades your privacy overtly with malice of forethought and intent, then you have recourse, at least a civil recourse in the courts. It's very difficult to establish a in the public sector who did it, what was the mechanics or the process for allowing that decision to be made? Who made the decision? Where's the record of that decision? So how do you substantiate who violated? Now of course you can always step back and say, would you sue UK plc? But that's something that makes, you know, a very difficult case to win because you don't have the resources to take them on. You can't get one of those law firms that will take on, take you on on a contingency basis to sue the United Kingdom.
C
Well, not in this country, no. Because you can't take contingency cases in this country.
B
I know, but you can take them for free and then bill hours.
C
I'm sorry, I'm a lawyer. You said take something for free. Let me think about that. I mean, actually the concern that I have though, I mean from a practical self protection perspective is that with a lot of these apps, I don't know how someone would take a direct case against some of these people providing the applications. Because I mean, truthfully, one of the reasons that I've never enabled one of these things on my Facebook account is every time I'm getting ready to up comes this window that says, oh, you want to play our game or get involved in our universe or whatever it is. In order to do that, you have to authorize us to big long laundry list. You know, read your contacts, read your wall, post on your wall, post to your contacts, contact other. This big long list. It's like, do you want us to do that? And I'm thinking I've never seen one of those yet where I thought, yeah, I really feel comfortable with you doing that. So I always say no, then forget it. I don't want to Play Farmville that badly?
B
Well, the point that I was trying to make is that there are multiple recurring instances in which we all have provided information to somebody for something. And we do that usually with the sort of belief in the back of our minds that when we provide the information to Sainsbury's or to the Post Office or to Barclays bank or to Inland Revenue or to hmrc, that each of those bits of information we've provided are somehow going to be held in confidence. Well, they're supposed to be. They're not supposed to be. We've got local councils selling voting rolls. I mean, they're selling your information.
C
By statute, they're required to.
B
Yes, well, that's not exactly holding it for the purpose to which we provided it. What I'm trying to suggest to all of us is that there is a cumulative effect to providing this information and the ability to exploit in new and novel ways that aggregate of information is something that very few of us understand nor consider. When we provide information to each of these individual places, it's extremely dangerous to all of us. From what can be done for.
A
I have to say, I find it very interesting that the perceived value of personal information seems to be dropping and that people are more and more willing to provide increasing amounts of personal data.
B
For.
A
Very, very little. And we. Would you say that there's a time bomb here? I mean, if people are giving away all of their personal information now, how will it affect them in the future?
B
I think what we're going to see, we're on the cusp of combinatorial database exploitation. We were in a position up until fairly recently in which we were really on the cusp of being in trouble. By that, I mean, the biometric identity cards were going to do something that was going to be extremely dangerous to all of us. Something was this. Right now you go off and you pay your taxes and the tax guy has a database and Barclays bank has a database and Sainsbury's has a database and they're all different and they all put your name in differently and some of them spelled it wrong and it's all screwed up. So if you wanted to search across multiple databases, it's problematic whether or not you could even consult construct a search statement that would actually work against them all. Well, the identity card was going to have a key data element on it that was unique to you. That's the purpose of having it. And so when you want to file your taxes, you use that key data element to represent you. When you get a driving License. Use that key data element to represent you. When you go to the bank, you hand them your ID card and in your bank record goes that key data element that represents you. This propagates across all these data structures over time. And now if someone wants to search for any and all information about you, they've got one key field, that one data element that they can search across all of the databases and any information in them. Resident key to you and your national identity unique identifier pops up a very, very powerful tool. What everybody was fighting about here in the UK was the wrong problem. They were fighting about having a big database with your information on it. That's not the danger. The danger is you now have a data element that will work across all databases.
C
Well, the funny thing is that, I mean most of my work is done with the private sector and on that side of the fence we're having just the opposite problem. On behalf of people who are collecting data for a living, we've got things like the recent revision to the Data Communications and Privacy Directive which upped the level of consent required before someone can place or make use of a cookie on a browser. I got clients tearing their hair out trying to figure out how to comply with this thing. Because if you read it literally it suggests that. I said, well, if you want the perfect compliance strategy, then before you place a cookie on someone's machine, you better have a pop up window that explains what you're using the cookie for and who you are and who you know and why you're doing it. And then every time you read the cookie, put another pop up window that says who you are and what you're doing and why you're reading it and get them to agree to it. I said, now I know you're not going to do that, but I mean that is the sort of ultimate compliance strategy in order to do what the law says, which is you must get the consent of the data subject or the end user before you stick a cookie on your machine. Now the funny thing is, is that there are some really valuable things that people do want from that kind of technology, like a persistent shopping basket or to not have to re enter all of your data when you go back to particular websites. So on the one time you're complaining about sort of state intervention and state action which appears to be far too aggressive. On the other hand, I've got a compliance problem with my private sector clients who are trying to figure out, you know, all this legislation, all the regulations coming down on us about trying to respect People's privacy rights. We're having a difficult time figuring out how to actually conduct our business in a way that makes sense. So it seems to me something's kind of gone wrong on the policy making front or on the law making front.
B
Yeah. Well, we have a series of very interesting problems when it comes to national policy. We live in an environment now where technology is changing over on about a six month generational basis. Something new in technology comes along about every six months. We have a national government that operates on a five year budget cycle. So the government has to program and budget money today for expenditure five years from now. And in five years from now, the technology that they're trying to target that money toward will have turned over 10 times. It takes years to get a policy into effect. It took almost three years to get the Civil Contingencies act into being. And in that three year period of time, using a nominal six month window, the technology base changed six times. So even if we do write good policy, by the time it is passed into law, it will be obsolete and archaic and it won't work because it won't suit the environment at the time. So we're always going to be in a position whereby the legal framework is trying to catch up with the technology framework. And the legal framework as it exists today is not going to be compatible, consistent, and actually apply to that technical environment as it exists today.
C
Well, that's sort of a great summary of data protection law in a nutshell, really debated in the 70s, drafted in the 80s, adopted in the 90s, and now trying to apply to technology in the 21st century.
B
Yes. And that statement does not even consider the fact that. Remember Tony Blair? Tony Blair was a great believer in using information technology and the Internet. Excuse me, Rob. To provide goods and services from the state to the citizens. He really believed in that. He was passionate about it. And one of the things Blair said is he was getting ready to resign and leave office. Was. Now I'll have time to get one of my kids to teach me how to log onto the Internet. That's a serious problem when you're talking about legislators or lawyers or judges or police. Because these people that pass our laws, enforce our laws, put people in jail, are technologically unsophisticated, at least in many cases. So you're standing in front of a judge who's, you know, some of the, some of the things you read about, the older judges are mind boggling. Yes, yeah, the judges, you're standing in front of them and your, your life or your liberty is on the line and you're trying to argue some sophisticated IT like issue, and he's sitting there thinking about or he's going to go salmon fishing in the summer because he didn't have a clue what you're talking about.
A
Well, I was going to ask you.
C
That question from the audience, the actual audience.
B
I'm impressed.
C
We could ask each other questions all.
A
Night when we're done.
C
That's what we're planning to do. Bob and I have, you know, we're going someplace. We just question each other for days. Good evening. You said that. On the one hand, there's a problem with legislation keeping up. On the other hand, there's a problem with the enforceability of law in different jurisdictions. So is there any way that individuals can protect themselves or is this really a hopeless case?
B
Well, let me, let me protect yourself from what? Let's be a little more specific.
C
Bad guys, evil people, black guys, I don't know. Identity. Identity theft, for instance, or someone logging into your bank account just basically doing any harm to.
B
There's no way that you as an individual can protect yourself against identity theft because the processes, the other process. We're not talking just about identity theft by somebody emulating you online. We're talking classical identity theft. Go down to the graveyard, find a grave for somebody about your age, born on Tuesday, died on Friday, get a copy of the birth certificate, and now you're that person. You apply for all the other forms based on that, you're taking notes and you've created. Yes. Or you join the intelligence business and we'll build you an identity for you.
C
So are we in a hopeless situation in that case?
B
It's not hopeless. I mean, don't cut your wrist and bleed in the tub.
A
I feel this just for a second. We, we've produced a little bit of advice for people to help them to act safely online. And one of the key things is that what I'm trying to do is get people to think a little bit more before they actually go and do stuff. So simple things like if you're using Facebook, don't put your birth date on.
B
There.
A
Check your privacy settings and change your passwords. Doing these sorts of things. When you're talking about identity theft, what you're really thinking is somebody opening up a bank account in your name and then taking out money and then leaving you with the bill, effectively. I mean, there are other things you can do. For example, signing up to Experian or another credit ratings agency to check on a regular basis that this hasn't happened. I was speaking to an information security, the global information security manager for Barclays, and it seems that nearly all the banks are very happy to refund every penny that you lose in identity theft as long as you weren't negligent. So the key.
B
Well, that's not exactly true.
C
Well, it's exactly their obligation under banking law.
A
So they. There are some simple things you can do. I mean, ultimately, if somebody's absolutely determined to get at you, there's not an awful lot you can do, which is effectively what you're saying, Bob. I mean, if somebody's targeting you as an individual. But one of the things was it. Someone told me a joke the other day saying that there were two people in the desert or in the savannah in Africa, and they were confronted with a hungry lion. And one said to the other one, you better run away from this. And the other one put his shoes on. And he says, well, you can't outrun the lion. He said, well, I don't need to. I just need to outrun you. So the idea that you're not the least vulnerable person out there, and that's.
C
Very often what happens in this kind of environment I've talked about to any number of businesses and information security managers for businesses where basically that's their entire defense at the moment, is there are easier targets than me. Just to correct one thing, though, I didn't mean to suggest that the law wasn't keeping up with technology or that there wasn't enough law out there. On the contrary, I think there is too much law already. Way too much. I think that the Computer Misuse Act 1990 is a law. We could cut about half of that out and not lose very much. What we don't have is the kind of stuff that Bob is talking about, which is knowledge, awareness, training, understanding this, that and the other thing. But when you're. When you're a hammer, every problem looks like a nail. And when you're a politician and a legislator, every problem looks like it needs a new piece of legislation. I remember when labor were out of power, I talked to one of their researchers back in the mid-1990s who was very excited to meet me because they're always looking for an angle. Oh, what, what kind of law should we pass to. To deal with this new Internet thing? I said, I don't really think you need very many new laws, really. If you want to make a splash, then up the budget for computer crime enforcement over at the. Well, that's not very exciting. You know, it's a Very junior person, not speaking on behalf of the party obviously, but it's that sort of thing. I'll tell you in terms of what do. I'll tell you what I do because if you look from, I'm not that difficult to find. Robert Carolina is a slightly unusual name. So there aren't that many of us out there. But I'm not the photographer in the us I'm the lawyer in London and I have Facebook and I have LinkedIn and all that kind of stuff. I do what a lot of people increasingly are doing, which is I tell a lot about myself, but only the part about myself that I want to tell. Like Stephan says, I don't enable display of my birthday. Facebook can reach in and get it if they want to, but you know, I don't just make it easily available. I don't log into all these crazy applications that Facebook has and turns out that was a pretty well founded fear. You know, it's a lot of little things like that, a lot of little tips that you pick up, you know, realizing that when you publish to these places, you're publishing to the world and the world and their dog can see what you're up to.
B
Think about what are the, the data elements that would be necessary for someone to behave as a virtual you? I don't mean in virtual world, but I mean steal your identity and act as you. What do they need?
C
Name?
B
Sure. Birthday? Sure. Address? Sure. Do you have a bank account? Bank account? Sure. If you make a list of the things that are necessary to be able to be a successful identity thief, I'd be willing to bet you that just about everything on that list you've provided somewhere at some point in time online. So it's there. So you're saying I'm worried about identity theft. What can I do about it? Well, right now you can't do anything about it. But you've already done it.
C
I'm not quite as pessimistic as you are, Bob.
B
Well, you still have rudimentary vestigial remnants of morality.
C
I'm sorry, I thought someone explained I'm a lawyer, so that can't quite be right. But I'm not quite as downbeat on it. I mean, I will. I do agree with you, Bob, in the sense that if a government's going to come after you, they're going to get you. Particularly a well financed government that wants to spend a lot of money finding out about you and reaching into your life and making your life misery. I mean, they have infinite resources, relatively speaking, and they can do that. My main concern tends to be the three people who've stolen my identity in the last 12 years and siphoned lots of money out of my bank account, which the bank thoughtfully put back as soon as I drew their attention to it. It's that kind of thing that I'm more worried about. The criminal gangs who seek to grab your debit card number, who shoulder surf it. I mean, I'm less worried about giving my birthday to an online insurance comparison website than I am to using my ATM card at a sort of an airport in a slightly dodgy part of the world. That makes me nervous about who's looking, you know, who's nearby and looking over my shoulder. So I'm. I'm a bit more upbeat generally, but it's. It's one of these, you know, take caution in a lot of things you do in life.
A
I mean, it's also worth noting that part of the point of having these talks is to sort of raise a little bit of awareness and make people think. One of the things that many people haven't tweaked is the Facebook privacy policy, for example, states in it near the bottom, I believe that everything you put on their site may or at some point be made public. So that's a thought. Have we got another question at the back?
D
Sorry.
B
Gentleman has been smiling a lot as we were talking. I'm curious as to what he's going to.
D
You may not like the question, though.
B
I've got the form that will just accuse you of heckling as long as.
D
You don't have to read it too quickly. To me, I agree with a lot of what you're saying, and I'm one of those pessimistic and fearsome people who will not put my or set up a Facebook account. I've read those T's and C's. I don't like them. And so with my wife as a teacher who is advised professionally not to open a Facebook account, having read in the paper accounts of teachers who've been caught by having posted their details up there.
B
Yeah.
C
Caught in what way?
B
One teacher put a picture of herself on there in a very skimpy bikini and got in trouble because the school said, oh, the students will see you like that. And that's not responsible and professional.
D
That's exactly the article that I. Yeah.
C
Why is that a surprise? Why is that a surprise? What if someone were a schoolteacher and, I mean, how many times have we had cases where.
B
Wait, wait, wait. Stop, stop, stop, stop. He never got to his Question. Oh, you're right.
D
I was going to say Facebook are nice because they actually say that, but the government don't. And my question is sort of a two pronged one. With all of the examples that you've given and Stefan's suggestion that there's a prevalence of devaluation of personal information, do you see it going so far that the government say all of your information is ours and that we lose right to it? Maybe that will go in cycles, cyclical, to get to that point. Or do you ever see a reaction whereby this general progression of the creation of data items that link all of these separate data database pieces, will that ever be rolled back?
C
In my opinion, the part of your question that we could spend days unpacking was the question of is my data mine or does it belong to somebody else? This concept of belonging or ownership doesn't fit really well with data, whether it's personal data or any other kind of data, because we're dealing in intangibles all of a sudden. And you know, when someone asks who owns this data or this database, which I get this kind of question I ask all the time, it's like, well, copyright and database right vests in that person. Data, data subjects have certain data protection rights. You don't really own your data. The government doesn't really. The data doesn't really belong to the government in that kind of strict ownership sense. Because when we talk about the word belong, we tend to think of exclusive ability to use, dispose of, direct at our will, something like that. It's slightly more nuanced. But the answer to your question is the government, when it wants to, can reach in and find out all sorts of things. And different governments have different protections that they put into place. Where Bob and I grew up, we had the fourth and Fifth Amendment, Fourth and Sixth Amendment of the US Constitution, as it's been interpreted in various federal statutes that do this, that and the other thing which the Bush administration then decided to ignore most of and pass other laws to get, you know, in your stuff more easily. This country has very different types of protections. And RIPA 2000 is, in my opinion, a bit of a mishmash. It's. It's not. If you really want to go to sleep, rip read Ripa 2000. Just try. You won't get past section three. But will it ever. Will they ever just say, well, your data is ours? No, because they don't have to. The question isn't whose data is it? The question who has the ability to look at it, collect it Analyze it or otherwise process it. And that's, I think part of what's got Bob upset, and what has me upset as well, is wearing my human rights hat because despite the fact that I'm a private sector lawyer, actually do believe in the cause of human rights. And that does make me a bit nervous. Whenever a state says that, we can look at you and correlate your this data with that data with the other data. It's an incredibly powerful analysis tool. Let me see if I said that.
B
Let me see if I can answer that.
C
Isn't the genie out of the bottle?
B
You might as well think this way. When you fill in the form, whether it's on paper or online, that information is gone. You have no control over it. You shouldn't expect to have any control over it, regardless of why you provided it. Will the phenomenon of data mining and cross database correlation be curtailed, limited, constrained? The answer is no. It's like trying to take a supertanker and make it do a sharp right hand turn at 30 knots. It'll never happen.
C
I disagree.
B
Well, you can disagree. That's one of the great things about democracy.
C
The reason I disagree is because my clients spend a lot of time and a lot of money trying to figure out they would love if what you're saying is right, my clients would be in seventh heaven because it would be, oh, we just take Bob's data and everybody else's data and cross correlate this and sell it to this guy and flog it to those guys and get these marketing people and those marketing people, they spend an enormous amount of time and effort in Europe, at least not in the U.S. but in Europe, at least with European data protection, enormous amounts of time trying to figure out what they can do.
B
I can see why you would be concerned if suddenly this was permitted without any legal constraints because all those fees you're.
C
I'd lose a lot of revenue.
B
Absolutely. It's a terrible threat to a lawyer.
C
It is.
B
You have to excuse me, but I really, really have to leave. I've got to be over on the other side of town in 12 minutes. So thank you very much. I'm going to run away.
A
Fine, thanks. Thank you, Bob. We'll wrap up. I'll give some last comments.
B
You. Right. You stepped on your coat. I hope you didn't have anything in my pocket.
C
Not anymore.
A
No. Not in one piece anyway. Thank you, Bob. Thank you, Rob. Just to sum up, as I say, the intention of this is to get people thinking about some of the issues. It's not necessarily to solve it, everybody's problems. But there are places where you can go to get advice, certainly if there are issues personally that you want to have resolving, especially if you're in LSE. Certainly. Have a look at Rob's blog, internetborders.internetborders.com I didn't get a fee for that.
C
Neither do I.
A
And there are many resources within LSE if you're an LSE staff or student. We have the laptop surgery. We have advice and guidance guides are available on the Internet on the IT Services website. Please do come back for more if you can stomach it. Tomorrow night is David Blunkett and Detective Superintendent Charlie McMurdy from Police Central Elite Crime Unit. And on Thursday, the cops on the Justice Department. And on Thursday we have Dr. Steve Marsh, who is one of the directors of the Office of Cyber Security and Information Assurance in the Cabinet Office Office, and me talking about issues relating specifically to personal use of the Internet and things that have cropped up at ursi. So thank you very much all for coming and hope you enjoy it.
This episode, hosted by the LSE Film and Audio Team, focuses on the pervasive risks and evolving landscape of information security, law, and privacy in the digital age. Featuring Rob Carolina (Solicitor, LSE alumnus, expert in international business law and information security) and Bob Ayres (former military intelligence officer, privacy and surveillance specialist), the event delves into changing understandings of law and responsibility online, the “deglobalisation” and “bordification” of cyberspace, and the steady erosion of personal privacy by both states and the private sector.
Speaker: Rob Carolina
[01:22–32:34]
Speaker: Bob Ayres
[33:23–77:40]
[27:49–77:40]
| Timestamp | Segment | Speaker(s) | Key Topics | |--------------|--------------------------------------------|---------------------|------------| | 00:00–01:20 | Introduction | Host (A) | Context for series; speaker bios | | 01:22–32:34 | Internet Law & Borders | Rob Carolina (C) | Law’s application, end of cyberspace 'frontier', deglobalisation | | 33:23–52:34 | Privacy and Surveillance | Bob Ayres (B) | Surveillance, privacy rights, state overreach | | 52:53–62:33 | State vs. Private Privacy Risks & Q&A | Carolina & Ayres | Private sector data abuse, growing tracking, policy lag | | 62:33–77:40 | Audience Q&A and Discussion | Multiple | Law vs. tech, identity theft, personal safety tips, future of personal data | | 77:40–78:27 | Closing Remarks | Host, Carolina | Resources, event promotion |
The podcast balances technical clarity and legal insight with a conversational, sometimes wry or ironic tone. Both experts draw from personal anecdotes, practical analogies, and concrete cases, grounding complex issues in everyday language while signaling the real consequences for individuals and society.
For further resources and advice, visit Rob Carolina’s blog at internetborders.com, and for LSE staff/students, consult IT Services.