We do not believe that the invasion of privacy is primarily caused by design or implementation errors that can be fixed by performing Privacy Impact Assessments or adding Privacy Enhancing Technologies.
The threat to privacy is mainly caused by centralized gathering of increasingly detailed personal information. Once our personal data is stored and handled by the state, our privacy is compromised no matter how the systems are designed and implemented.
To allow citizens more privacy, we have to design systems that are decentralized and require less personal information. For example, it should not be necessary to identify yourself when using public libraries (you could still pay a deposit to make sure you would return a book) or medical services (it should be possible to prove that you were covered by health insurance without revealing your identity).
Our personal freedom is threatened by the vast amount of personal information we are forced to hand over to the state just to be citizens, make an income (and pay taxes), receive medical care, get an education, etc. But it is also threatened by leakage of personal information that we are not formally required to release. The latter is the focus of the Polippix project.
Privacy Enhancing Technologies are not enough. We need Privacy Guaranteeing Technologies.
In the view of many actors in the public debate, citizens are too technically challenged to be responsible for their own personal privacy. Therefore the state must do it for them.
In Denmark, all citizens can get a free state sponsored Digital Signature.
Public offices, employers, banks, etc. want to save money by replacing paper mail with electronic "mail". They could simply encrypt each document with the recipient's public key and send it as an email. But the general opinion is that Danes cannot be trusted to receive encrypted email.
Instead, they use a service called Eboks. Eboks is a centralized database that receives personal electronic mail for 1.5 million Danish citizens. To read the mail, the citizen logs in using a digital signature, finds the new message, downloads it as a PDF file and views the PDF file.
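The encrypted-post model described above (sender encrypts with the recipient's public key; only the recipient's private key can open it), as an added example that is not part of the original text or the Polippix project. It uses GnuPG with two throw-away keyrings, one for the recipient and one for the sender; the identity recipient@example.invalid, the file names and the sample letter are constructed for this example. It also shows that the sender, holding only the public key, cannot decrypt what it sent.

```shell
#!/bin/sh
# Added example (not from the original text or the Polippix project):
# a document encrypted with the recipient's public key and decrypted with
# the matching private key, using GnuPG in temporary keyrings.
# "recipient@example.invalid", the file names and the letter text are
# constructed for this example.
set -eu

# Runs the full round trip and prints "ok" when (a) the recipient recovers
# exactly the document the sender encrypted and (b) the sender, who holds
# only the public key, cannot decrypt it. Prints "fail" otherwise.
gpg_roundtrip() {
    work=$(mktemp -d)
    rcpt="$work/recipient"   # the recipient's keyring (has the private key)
    sndr="$work/sender"      # the sender's keyring (public key only)
    mkdir -m 700 "$rcpt" "$sndr"

    # 1. The recipient generates a key pair (GnuPG's default layout: a
    #    signing primary key plus an encryption subkey). No passphrase,
    #    because this keyring lives only for the duration of the example.
    GNUPGHOME="$rcpt" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Recipient <recipient@example.invalid>' default default 0 \
        2>/dev/null

    # 2. The recipient publishes only the public key. That is all a public
    #    office, bank or employer needs; the private key never leaves the
    #    recipient's machine.
    GNUPGHOME="$rcpt" gpg --batch --quiet --armor \
        --export recipient@example.invalid > "$work/recipient.pub"

    # 3. The sender imports the public key and encrypts the document to it.
    #    --trust-model always stands in for the sender having verified the
    #    key fingerprint out of band (e.g. printed on a letter or ID card).
    printf 'Tax statement 2007 (constructed sample document)\n' > "$work/letter.txt"
    GNUPGHOME="$sndr" gpg --batch --quiet --import "$work/recipient.pub" 2>/dev/null
    GNUPGHOME="$sndr" gpg --batch --quiet --trust-model always --armor \
        --recipient recipient@example.invalid \
        --output "$work/letter.asc" --encrypt "$work/letter.txt"

    verdict=ok

    # 4. letter.asc is what would travel by e-mail. The sender (and anyone
    #    relaying or storing the mail) has no private key, so decryption
    #    must fail here; if it succeeds, the model is broken.
    if GNUPGHOME="$sndr" gpg --batch --quiet --decrypt "$work/letter.asc" \
        >/dev/null 2>&1; then
        verdict=fail
    fi

    # 5. The recipient decrypts with the private key and gets the original
    #    document back byte for byte.
    GNUPGHOME="$rcpt" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --output "$work/letter.out" --decrypt "$work/letter.asc" 2>/dev/null
    cmp -s "$work/letter.txt" "$work/letter.out" || verdict=fail

    # Stop the agents started for the temporary keyrings and wipe them.
    GNUPGHOME="$rcpt" gpgconf --kill all >/dev/null 2>&1 || true
    GNUPGHOME="$sndr" gpgconf --kill all >/dev/null 2>&1 || true
    rm -rf "$work"

    echo "$verdict"
}

gpg_roundtrip
```

The two keyrings are the point of the design: with a single keyring the generated key would be both "own" and "recipient", and the sender-cannot-decrypt check in step 4 would be meaningless. Requires GnuPG 2.1 or later for `--quick-generate-key` and `--pinentry-mode loopback`.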
Eboks is a private company that is partially and indirectly owned by the Danish state. The result is that a state controlled company now distributes and stores personal documents for more than a quarter of all Danes.
A working group at the Danish Board of Technology in April 2008 proposed that, in order to access public web pages, citizens would have to let the state run special software on their computers so that the state could verify that the level of security was acceptable.
When IT-Pol pointed out the very obvious implication for the privacy of the citizens, the board argued that citizens already trust vendors of operating systems, middleware (e.g. Java), etc.
Many of us are perfectly able to protect our own private data. The members of IT-Pol might be better at doing this than most Danes. But we believe most Danes would prefer to be responsible for their own private data. We do not think that the state is particularly competent in handling personal information.
Many Danes may need some help in handling personal data, but the state is not suited to provide that help for the following reasons.
When personal information is handled by the state, it means that we, as citizens, have no choice in whom we entrust our personal information to. Therefore, we really lose control of our own data. We might trust Apple, Ubuntu (Canonical), Sun, or Microsoft to run the software on our computers, we might trust Google, Yahoo, Facebook, Wikipedia, etc. with our online activities, but that is our choice, and if we feel that they abuse our trust, we can replace any software or service.
For citizens that cannot, or do not want to, take care of personal data security, there is no need to leave it to the state. Citizens should be free to appoint any proxy to do it. It could be their bank, their trade union, church, a family member, Google, etc.
We believe that we have the right to communicate with each other in privacy.
Anonymity is not an objective in itself and it has some drawbacks.
When engaging in public debates, we present ourselves. We want other people to be able to contact us, and we get credibility from our past work.
But we also understand that we are privileged. There are people that cannot always be expected to let their online statements be linked to their private lives: whistle-blowers, victims of abuse, etc.
Many of us also use the Internet for tasks that are private. As a result of state surveillance and private interests, many tasks that we used to do in our private homes are now done on the Internet. For example, before the Internet it was not a secret which newspapers we were subscribing to, which books we were buying or borrowing, whom we were sending letters to, which goods we bought. But it was also not registered in centralized databases.
Now the state-mandated data retention registers every website we visit and everyone we email with. Before the Internet, we would take the encyclopedia from the bookcase and look up anything, and nobody would know what we were researching. Now we might Google it, and Google will register our search and link it with our Google email correspondence; or we could look it up in an online encyclopedia, in which case the encyclopedia would log which entries we read, and probably something like Google Analytics or Woopra would also log each individual lookup and link it to other traces we have left on the Internet.
The only realistic way of regaining some of our lost privacy is to use anonymity when we want to protect our privacy.
The Polippix project is an effort to use technology to help people regain some of the rights and possibilities that have eroded either because of technology or by technology. The right to privacy is a very important example. Others, not discussed in this paper, are fair use (copyright) and the right to tinker (restricted by the Infosoc directive).
The primary expression of Polippix is a live CD that can be booted on most computers and gives the user access to the technologies used in Polippix.
Polippix has gotten a lot of coverage as a tool to counter excessive Danish and European surveillance and data retention. This is deserved. The September 15, 2007 introduction of the Danish data retention is an important event, marking the day from which almost every Danish citizen came under daily observation without being under suspicion for any crime.
But there are many other threats to our online privacy, which are not marked by a particular day or year. The objective of the Polippix project is to protect users against all violations of online privacy.
From a technical point of view it does not make much of a difference whether Big Brother is the national police, a search engine company, an employer, a family member, a foreign country, or organized crime. These Big Brother candidates do not act independently. Personal data is traded between private companies, police exchange personal data across borders, and national states can force private companies operating locally to release personal data on their citizens. A good example of this is the 2007 Danish data retention laws. Personal data is collected at the request of the state, but it is collected and stored by ISPs, wireless hotspot owners, hotels, housing communities, etc. This means that it is not just a matter of trusting the national police and intelligence services with our private data; we also have to trust the personal integrity and technical competence of hotel owners, ISPs, etc.
It also does not matter why a Polippix user would want to keep Big Brother out of her private life.
We therefore need a tool that will protect us against all threats to our private online life.
Polippix is based on Linux and other free software. It is a live CD based on the Kubuntu distribution. That allows users to try the Polippix software without installing software on their computers. It also prevents private information from being stored on hard disks when using Polippix.
Some of the Polippix software relevant for privacy are:
But when Polippix/Twinkle with macchanger is used on, for example, open WiFi access-points, registration of participants can be prevented.
Even for IP-to-PSTN calls some degree of anonymity can be achieved. In the PSTN, the tracking of phone calls is based on the billing system. Because the price of phone calls to PSTN land-lines has dropped dramatically, it is possible to sponsor free phone calls for every user. That is, the originator of every phone call is the sponsor, although the phone call could have been made from any of the distributed or downloaded CDs.
The reception of Polippix outside our own environment has been overwhelming. 13,000 physical CDs were distributed to the members of the trade union PROSA, and more than 35,000 CD images were downloaded from our homepage and mirrors in a week; after that we lost track of downloads. Polippix has been covered on every major TV and radio channel and in all national newspapers.
In our contact with politicians, media, and even scientists, we have often encountered talking points that express that the public has accepted the invasion of privacy, that Big Brother is now a good thing, and that young people do not want privacy.
We disagree. We got in contact with many Danes after the release of Polippix. On September 15, 2007, when the data surveillance was introduced in Denmark, we took to the streets of Copenhagen, asking random people questions that reflected the effect of the introduced surveillance. The questions (in English translation) included:
From this we learned which parts of their lives people wanted to keep private, and it led to very interesting discussions about privacy.
There is overwhelming opposition to the data retention and other surveillance introduced by the state among IT professionals in Denmark. It is our impression that this is caused by an interest in privacy, but also because most IT professionals actually know and understand exactly what is going on, realize the enormous implications for privacy, and know that the measures will not help fight terrorism and can seriously cripple the Internet as we know it.
Free Software is particularly well suited for the objectives of the Polippix project, because we need to use software technology to counter the technology of states, private corporations, etc. That can only work if we base it on software that can be used and developed independently. This is guaranteed by the four freedoms of Free Software as defined by the Free Software Foundation. Freedom to:
If we had to use non-free software we would have needed permission from every manufacturer of software used on Polippix. Considering that the Danish minister of justice has publicly criticized Polippix and that Polippix is now being used in some countries with a history of less democracy and respect for privacy, we doubt that we would have gotten the necessary permissions.
We want Polippix users to be able to redistribute Polippix. This is the point of the CD/USB-memory replication schemes we are currently developing. If Polippix users could not freely redistribute Polippix then IT-Pol would be a bottleneck and a single point of failure for Polippix.
Polippix has helped create an informed debate about privacy.
Although most of the software on the Polippix CD originates from existing projects, getting a physical CD that circumvents the surveillance has been an eye-opener for many Danish citizens. It demonstrates that we give up privacy for practically nothing.
Although only a small part of the population uses Polippix or similar techniques, getting Polippix out to tens of thousands of Danes demonstrates that protecting your privacy is a very real concern for people other than geeks and hard-core criminals.