Posted on Oct 2, 2016 by Rick Falkvinge

There’s exactly one way to prevent misuse of surveillance data: to never collect it in the first place




A key conclusion in my latest column deserves elaboration: why all available empiric data tells us that the only way to prevent misuse of surveillance data is to never collect it in the first place. This is a very unpopular fact with surveillance hawks, but it’s nevertheless the truth: all collected surveillance data will be abused and turned against the citizen, and that with a mathematical level of certainty.

While it can’t be logically proven that all surveillance data has been misused and that the surveillance power has been abused, there comes a point in time in any activity where all available empiric data gives the same indication of failure forcefully enough to make people stop and ask “hey, maybe this wasn’t such a good idea”. We’re there with the so-called War on Drugs, we’re there with a number of activities, but the establishment is still fighting forcefully for more surveillance – even though all the data against it is there, and has been for decades.

Let’s take one example of a super-benign data collection. Around 125 years ago, the Netherlands wanted to serve their citizens better in city planning to make sure everybody had a place of worship nearby, so they started collecting data on people’s faith and where they lived, in order to make sure everybody had a short distance to walk to places of worship.

There’s absolutely nothing wrong with this on the surface, right? Making sure people have access to services? And yet, this is squarely in the “what could possibly go wrong” category.

After Germany invaded the Netherlands on May 10, 1940, and the Dutch surrendered five days later, the new administration found it very convenient to have governmental registers of people’s religion connected to their physical address. As a result, there were almost no Jews at all in Amsterdam after World War II – the Netherlands had taken an enormous death toll compared to other countries, over 75 per cent. Quoting Wikipedia:

> During the first year of the occupation of the Netherlands, Jews, who were already registered on basis of their faith with the authorities (just as Protestants, Catholics and others were) […] In 1947, two years after the end of the Second World War in the Netherlands, the total number of Jews as counted in the population census was just 14,346 (down from a count of 154,887 by the German occupation force in 1941).

This is what happened when you had a governmental register connecting people’s address to their faith. The purpose was super-benign. As we can see, that didn’t matter in the least.

Even the most benign data collection can and will be abused, up to and including for genocide.

The stated purpose of a data collection must be ignored. The only thing that matters is how dangerous the data is if it gets in the wrong hands, which it always does.

For anybody doubting that data always gets in the wrong hands, consider again the data point of my last column where the US government collects data on all its top-secret-cleared (and other) employees on what kind of extortion they’re vulnerable to, and that this data set on twenty million people got in the hands of a foreign adversary. Not as in “could happen”, but “already happened”.

Mission creep always happens to collected data: once the data is in place, somebody always invents a new way to use it, which it was not collected for – and not consented to. This appears to be a mathematical certainty as well.

“If the data exists, it will be used.” — Andy Halsall

For example, consider Sweden’s DNA register, which I’ve written about before. It was created for medical research purposes (only!), and contains DNA samples of everybody born after 1975. This lasted until some knucklehead small-time prosecutor realized they could legally seize DNA samples from that register, instantly turning it into the largest Law Enforcement DNA register in the world, and drying up the inflow of samples just as instantly (while also making a lot of people demand that their existing samples be destroyed).

With the most recent news, where a full half of police data lookups were in bad faith, we can observe that there’s a lot of abuse of power going on in any surveillance environment. There’s just no empiric data point where surveillance data has been used as intended for a long period of time without getting into the wrong hands or being abused by its collectors. None. Not one.

This doesn’t mean that all surveillance officers will abuse their power at the individual level. But it does mean that in a large enough group of surveillance officers, such abuse of power will take place – by someone. We can tell this with certainty:

When there is a nonzero probability of a misuse taking place, and that probability does not decrease over time, then that misuse will happen at some point in time, with mathematical certainty.
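
The statement above can be written out as a short derivation. This is an added worked example, not part of the original column, and it rests on one assumption the column does not spell out: in every period $t$, the chance of misuse is at least some fixed $p > 0$, regardless of what happened in earlier periods. The event notation $M_t$ ("misuse occurs in period $t$") is introduced here.

$$
\Pr(\text{no misuse in periods } 1,\dots,n)
  = \prod_{t=1}^{n} \Pr\bigl(\neg M_t \mid \neg M_1,\dots,\neg M_{t-1}\bigr)
  \le (1-p)^n \xrightarrow[\,n\to\infty\,]{} 0,
\qquad\text{so}\qquad
\Pr(\text{misuse at some point}) = 1 .
$$

The condition that the probability does not decrease is what carries the result. If the per-period probability shrinks fast enough, for instance $p_t = 1/(t+1)^2$ with independent periods, then $\prod_{t=1}^{\infty}(1-p_t) = \tfrac12$, and misuse is no longer certain.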

Privacy remains your own responsibility.

About Rick Falkvinge

Rick is Head of Privacy at Private Internet Access. He is also the founder of the first Pirate Party and is a political evangelist, traveling around Europe and the world to talk and write about ideas of a sensible information policy. Additionally, he has a tech entrepreneur background and loves good whisky and fast motorcycles.



8 Comments

  1. dave1305

    Surveillance and data is like European bees bred with African bees.

    1 year ago
    1. Falkvinge

      …and then one day the crossbred queen has left the nest, a behavior that was completely unexpected and not part of the specifications.

      1 year ago
  2. Bas Grasmayer

    > “Around 125 years ago, the Netherlands wanted to serve their citizens better in city planning to make sure everybody had a place of worship nearby, so they started collecting data on people’s faith and where they lived, in order to make sure everybody had a short distance to walk to places of worship.”

    Interesting. Do you have any source for this? I did some searching on Wikipedia without success. I would like to read more about it.

    1 year ago
    1. Falkvinge

      I’ve tried to re-source this over the past day, but haven’t found it trivially (the reason for the data collection). I studied the subject in depth a couple of years back, and don’t remember all my sources, and I apologize for this.

      Regardless, Wikipedia backs up the existence of the data collection — people registered with faith and address — as such.

      1 year ago
      1. Bas Grasmayer

        True. Didn’t intend to dispute the fact that the Dutch gov’t registered that data – just wanted to find out a little more about my country. 🙂

        1 year ago
  3. security test

    function getNextToken($e, &$i, &$state) {
    $state = IN_NOWHERE;
    $end = -1;
    $start = -1;
    while ( $i < strlen($e) && $end == -1 ) {
    switch( $e[$i] ) {
    (…)
    case "'":
    $state = IN_STRING;
    $buf = "";
    while ( ++$i && $i < strlen($e) && $e[$i] != '"' ) {
    if ( $e[$i] == "")
    $i++;
    $buf .= $e[$i];
    }
    $i++;
    return eval('return "'.str_replace('"','"',$buf).'";');
    break;

    1 year ago
  4. Agustina Torres

    Hi Rick, I just read your article, really interesting. I came across your link because I have been doing research about my data privacy and I was wondering if by any chance (you are an expert) you could recommend me a GPS app that I could use that doesn’t collect all my data, such as: Waze, etc. Thanks in advance!

    1 year ago
    1. Alexander Wills

      better use no gps at all!

      12 months ago