October 02, 2013 00:00 By Derrick Ho
The Straits Times
Governments' violations of online privacy are sinister and worrying, but there may be more to fear from corporations' use of private data to target consumers
Whether Internet users are aware of it or not, a good chunk of their personal and private information is sitting somewhere on the Internet. Like most “netizens”, I use Web services to share vacation photos, and social media to share thoughts on the latest government policies. I e-mail travel plans and itineraries, some of which contain passport and banking details.
Like most responsible netizens, I dial up my privacy settings on these platforms to a pretty high level, limiting my online pourings and photos to only those I intend them for.
Or so I thought.
Over the past few months, the technology giants – Microsoft, Google, Twitter, Facebook and Yahoo – have all revealed that they disclose details of their users to governments that have demanded them. Facebook acceded to almost three-quarters of 107 requests for details on 117 individuals it received from the Singapore government in the first half of the year. Yahoo disclosed user details in 75 instances within the same period.
The companies claim that most of the data released concerned basic user information such as names and how long a user had been using their services. Yahoo disclosed extracts of e-mail messages, contents of messenger chats and even entries in address books and calendars.
All the tech giants have insisted they released details only if the requests were valid: those pertaining to national security or investigation of a crime. But what exactly constitutes a matter of national security or a criminal act, and the decision of whether they accede to the requests, seems to remain at their discretion.
When asked about the nature of the Singapore government’s requests, a Ministry of Home Affairs spokesman would say only that law enforcement agencies may request data from persons or organisations for investigations into criminal cases, “as part of the evidence-gathering process provided for under the law”.
The reports come on the heels of revelations of the US government’s top-secret surveillance programmes, which allegedly allow it to access data from major Internet companies.
Late last month, an Australian newspaper suggested that SingTel has been aiding a highly secretive intelligence unit of the Ministry of Defence and its Australian counterparts in harvesting communications carried on a major undersea telecommunications cable between Tuas and Perth. According to The Sydney Morning Herald, this is part of a partnership between intelligence agencies in Singapore and Australia, which extends to the US, Britain, New Zealand and Canada as well.
When asked about the matter, SingTel declined to comment. The Singapore Defence Ministry would not respond to any queries either.
What does it all add up to for data privacy in Singapore and elsewhere?
In short, there is none.
Technology allows Internet companies and telcos to store and retrieve data. Laws allow the state to demand access to them.
In Singapore, laws such as the Criminal Procedure Act give the government wide access to data and communications such as SMSs, e-mail, call logs and websites accessed. It does not need a court order, as laws allow it to directly obtain such information from firms. Similarly, under the Telecommunications Act, the government can order telcos to provide any document or information related to an investigation.
The Singaporean state seems to be an outlier in the wide powers it holds. While some governments have managed to attain sweeping powers to gather user data since the September 11 terrorist attacks in the US in 2001, many are still in the midst of pushing for wider access.
In Britain and Australia, law enforcement agencies still need a warrant to access a computer within their borders. However, lawmakers in both countries are now proposing to force phone and Internet companies to hold – and surrender without a warrant, in Britain’s case – records of digital communications to track potential criminal activity.
In Singapore, the government doesn’t need a warrant. That may sound scary to some, but the truth is that the same can be said of companies and even individuals.
Already, Google and Facebook track users’ interests and online activity to earn money from targeted advertisements. Businesses can buy data on where you live, how much people spend on shopping and even cellphone numbers. All of this is mined and harvested from a variety of sources – lucky draw forms, survey forms and name cards you drop into a bowl at product launches.
Then, there are hackers and cyber-criminals who are increasingly eyeing your mobile devices, a treasure trove of intimate data.
Earlier this year, I saw an IT security expert’s demonstration on how easy it is for a hacker to gain control of a phone with a single SMS. Once in, the hacker can instruct the phone to record audio or snap photos, all without the user ever knowing.
In recent months, hackers have managed to infiltrate the systems of Sony, Apple and Yahoo, compromising user names and passwords of customers.
The bottom line: If someone has the will to get hold of your data, there will be a way to do so.
Hence, it is worth asking yourself: Who would you trust the most with your data – the government, a company or an individual?
Herein lies the politics of trust. Who has the biggest tendency to abuse your data and betray trust?
In the absence of checks and balances, there is a valid concern that a government may use its powers to collect data for its own political agenda. For now, though, there is no evidence that the Singapore government is collecting data for anything other than bona fide purposes. Conversely, citizens don’t know this for sure. Until proven otherwise, citizens can only rely on trust and the state’s goodwill.
This same benefit cannot be afforded to profit-driven companies or deviant individuals. Time and again, they have proven they will do anything to cash in on your data – tech giants included.
A Pew Research Centre study released last month found that while the American public is concerned about Internet privacy, they are far less worried about government snooping than their online activity being monitored by hackers and advertisers. In Singapore, the Data Protection Act may already be in place to restrict companies’ use of data, but there is no saying what firms might do to bend it.
The irony in all of this is that despite privacy concerns, people all over the world continue to share personal data online. Netizens make it easy for anyone to collect data about them by blithely sharing their details on social media sites.
Perhaps this invasion of privacy is the price to be paid for enjoying the convenience of staying connected via the Internet. And if you object to anyone knowing what you buy? Go to a brick-and-mortar store and pay in cash.
The rest of us who want e-mail, Facebook and the convenience of transacting online continue to hand over our personal data to a myriad of individuals and companies daily.
Sure, the state can get its hands on that data. But you should probably worry more about nefarious companies crunching your data to sell you something you don’t want, or criminals out to steal your identity or money, rather than a nefarious state out to get you because of your critical comments online.
In other words, don’t be too alarmed about Big Brother. It’s what companies and criminals do with Big Data that’s more unnerving.