APPENDIX 47
Memorandum submitted by Dr Andy Phippen,[238]
Dr Hazel Lacohee,[239]
and Professor Steven Furnell[240]
In this response to the call for evidence for
the Home Affairs Committee's inquiry into "A Surveillance
Society", we present a response that considers the citizen's
perspective, examining their perceptions toward monitoring via
various ICTs, before considering their awareness of protection
mechanisms. The evidence presented is drawn from a major study
in collaboration with BT Group Chief Technology Office and Hewlett
Packard, supported by a number of further studies carried out
by the University of Plymouth's Information Security and Network
Research Group.[241]
The Trustguide project[242]
was concerned with exploring issues of trust, security and privacy
in ICT based applications and services with the general public
through direct dialogue, facilitated via 29 discussion groups
between September 2005 and October 2006. In total approximately
400 citizens took part in discussions. Our findings suggest that
UK citizens are technology-aware and have belief systems informed
by a mix of mass media communication, personal, and peer experiences.
This has significant implications for service providers and policy
makersthe age of the naïve ICT user is over, replaced
by a population who may not have experienced specific technologies
first hand, but have confidence in their understanding based upon
numerous information sources (albeit from sources that one might
consider to be unreliable or subjective sources). We are faced
with a population who believed they are well-informed regarding
their understanding of ICTs, and are cynical when "sold"
a technology for reasons that conflict with their own belief systems.
In considering surveillance technologies, and
citizen's attitude toward such, one of our more interesting initial
findings was the tolerance of UK citizens toward CCTV monitoring.
We felt, through our initial discussion, that citizens would be
intolerant of such systems. However, in-depth discussion provides
two key reasons why such tolerance exists. Firstly, CCTV exists
in public spacespeople do not mind monitoring when it is
open and not invasive of their private space (their homes, workplace,
etc). In addition, media coverage of crime and terrorist attacks
had demonstrated the value of CCTV in protecting society. The
power of the media as a persuasive mechanism for the general public
should not be underestimated, and it is something that we will
return to later in this piece.
However, this attitude should not lead to Government
complacency related to further monitoring. We found high levels
of concern regarding what is perceived as increasingly heavy surveillance
of day-to-day movements and activities. State claims and justification
for current and increased levels of surveillance (eg control of
terrorist activities, reducing crime, road user monitoring) were
greeted with scepticism both in terms of a genuine need for such
high levels of surveillance and any evidence that it serves the
stated purpose. Many citizens feel that their constitutional rights
are being eroded in the name of security, yet few feel under the
degree of threat that might warrant such measures.
We have found this opinion results from a number
of different beliefs. Firstly, as we have stated above, CCTV is
tolerated because its benefits are clear to see via the media.
Technologies such as ID cards, biometrics and DNA databases have
less of an "evidence base" from which citizens can draw
to inform their opinions. An important key finding from our work
is that technological engagement with the general public has little
to do with technical elegance, guarantees of security, and reliability.
It does, however, have a lot to do with convenience for the citizen.
If the citizen can see a clear benefit for either themselves or
their community (whether their concept of community might be)
they will be far more accepting of a technology than one where
they cannot see such.
So if we consider the issue of ID cards, we
can see difficulties in being able to demonstrate the benefit
to the individual. Indeed, what is the benefit for the individual
in carrying an ID card? Clearly there are benefits for Government,
security services and industry, but the individual can see little
benefit to having one in their possession. Therefore, with an
unreliable foundation upon which to build trust in ID cards, there
is little wonder that further opposition is met with the proposals
to have mandatory ID cards paid for by the citizen.
Another key factor in the public's mistrust
of surveillance systems is again something drawn from media influence.
Numerous participants in our discussions stated that the Government
were not effective at "doing IT". High profile public
sector failures, or predicted failures, such as the Child Support
Agency system, have resulted in a public who do not feel that
the Government are capable of effectively managing the systems
required to ensure the efficient operation of such surveillance
system. Therefore, guarantees of 100% secure technologies are
met with scepticism by citizens who, even if having no personal
IT expertise, have been exposed to increasing reports in the media
demonstrating this to be untrue. Compounded with this mismanagement
is another factor that has eroded the public's trust of the Government
looking after "their" data (individuals clearly believe
that data held about them still belongs to them). There were subsections
within many groups that were uncomfortable, not from the privacy
issues but because they felt if the Government had physical ownership
of that data, there might be temptations to sell such information
to interested bodies, as has occurred with DVLA data.
We believe that the Government's key issue with
the acceptance of a reasonable "Surveillance Society"
is not one of technology but education and informing the population.
We have discussed at length the information sources that citizens
draw upon when forming opinions regarding ICTthe main influencers
are the media and peers. While those citizens that have access
to professional advice will take it, the majority of their awareness
comes from what they see in the newspapers, what they watch on
television, and what they discuss with their peers.
A key issue Government faces is that these information
sources do not have an objective viewpoint. Arguably, the World
Wide Web is a major threat to the media industrytherefore,
where is the incentive for a media outlet to report "citizen
uses ICT successfully to enrich life"? Previous attempts
to use the media to disseminate objective material about Internet
awareness and protection have only had limited impact. We discussed
the Get Safe Online campaign[243]
within both the Trustguide and subsequent survey work (surveying
approximately 500 citizens regarding their ICT security practices
and their sources of education), and in each case, impact had
been minimal. In the survey responses, 12% of the population was
aware of the campaign and only a third of those felt the information
was useful.
However, there is a belief among citizens that,
while they have opinions regarding ICT and its threats, they do
not have the confidence or concrete knowledge to protect themselves.
In our survey work, the majority of respondents felt that they
did not do enough to protect themselves from online threats for
a variety of reasons, including lack of understanding, cost of
products, or that they simply did not feel it was their responsibility.
This was reflected in our Trustguide discussions, where many participants
stated that either they did not feel equipped to protect themselves,
or it was someone else's job to do so. When discussed in more
detail, the responsibility for protection, in the eyes of the
citizen, normally lies with either Government or manufacturers
and service providers. There were many comparisons with motor
vehicle safety, where citizens would not expect to purchase a
car without it being roadworthy.
However, some of our recent research would suggest
that while IT providers are doing more, citizens are still failing
to take any responsibility for protection. In carrying out a survey
of unprotected wireless network access in cities and towns in
the South West, we discovered on average around 25% of networks
were not encrypted. This is a significant change from previous
years, where generally around 60% were found to be unprotected.
This change corresponds with a period in which the wireless hardware
provided by vendors is now encrypted "out of the box".
This means that the individual does not have to set up the encryption
themselves, it is there by default. This represents a significant
shift for IT vendors in taking steps to protect the citizen.
Around the same time, a complementary experiment
scanned for unsecured Bluetooth devices and, when discovered,
the devices were sent a harmless, but unsolicited, image file.
In over 50% of cases, the recipient was happy accepted the file
without querying what it was or where it came from.
These experiments show that while manufacturers
taking greater responsibility to protect the public, some of the
responsibility ultimately has to rest with the citizen. To take
the motor vehicle analogy once more, someone purchasing a car
and driving it home is not faced with an ever-evolving environment
with new threats emerging on an hourly basis. However, this is
exactly the environment facing IT users. Therefore, we feel we
should stress the importance of reaching the public with accurate,
objective information regarding ICTs so they can make informed
decisions, rather than the current climate of building belief
systems on very weak, ill constructed, foundations.
Of more immediate concern is the protection
of young people. Within our discussion with young people, it became
very apparent that while they were technically capable, they had
little awareness of the threats that exist in going online, and
only had a veneer of knowledge regarding protection mechanisms.
On three separate occasions in discussions with young people,
we encountered experiences of stalking attempts via messenger
services. While in all three cases, the perpetrator was blocked
by the intended victim, there was no reporting of the incident
to an authority figure. When asked why not, the responses ranged
from "what's the point?" to "I didn't know how
to". The majority of young people we spoke to felt that authority
figures (such as parents and teachers) had less knowledge about
online threats than they did, and as such would not know what
to do either.
This discovery led to further investigation
into the exposure young people get to Internet awareness and protection
through school curricula. Certainly GCSE and A-level curricula
for ICT and Computing that we examined had virtually no mention
of protection mechanisms, aside from those to deal with business
ICT. However, we found that young people are receptive to the
idea of classes in such an area, some suggesting Citizenship classes
could cover such things. Certainly, the work of the Child Exploitation
and Online Protection Centre,[244]
with their schools programmes, is having an effect, but this is
a small Government department reaching out the approximately 25,000
schools in the UK. Young people also felt the media could play
a part, but were more likely to be engaged through drama than
direct information presentations.
In considering the safeguards for data use,
and abuse, we finally consider legislative measures. While our
studies with citizens have shown some awareness of measures such
as the Data Protection Act and other legal mechanisms to ensure
adequate protection, we also, unsurprisingly, discovered that
the majority of citizens will not consider things such as Terms
and Conditions in depth when registering with an online service,
particularly if such a service is offering them some sort of material
or social benefit. Obviously this can potentially leave the citizen
open to all manner of data abuse, but the general opinions were
that while they knew they should read such things, they lose interest
in the legal syntax of such. Therefore, stronger legislation to
ensure more effective privacy policies would have little impact.
However, we believe there is one area that could
potentially have more significant impact is more effective regulation
of the service providers. At present, there is little professional
liability within the IT industry. Hence the number of breaches
and information thefts that occur online, the majority of which
are down to poor security practices, design and implementation,
rather than issues with the technology itself. The IT industry
is one driven by the sort of remunerative rewards that one might
expect from any professional discipline, but without the legislative
controls that apply to, for example, the legal or medical professions.
Therefore, service providers are happy to commit to service delivery
without actually considering the feasibility of such approaches.
Certainly, our own experiences acting as intermediaries between
clients and service providers when troubleshooting what went wrong
in projects would suggest the lack of legislative control results
in a highly unregulated industry without some extremely unethical
practice. While the British Computer Society is making great strides
forward with its professionalism agenda, its membership is still
only a small part of the IT industry, and complimentary to their
reward-based incentives to become an "IT professional"
could be stronger legislation. A service provider may become far
more likely to carry out effective risk analysis, and penetration
and boundary testing, on their services if they were to be held
accountable for any avoidable breaches, in the same way that society
would expect a surgeon behaving in an unethical manner would be
held to account. Currently, we exist in a culture of "well,
you signed-off the specification" where the responsibility
is placed back with the procurer, rather than provider, of a service.
In conclusion, we believe that while technology
has a part to play in the public attitudes toward whether we exist
in a "surveillance society", the major issue lies within
the public perception of such approacheswhether they consider
them to be acceptable and good for the private citizen. We believe
education and information are key drivers in ensuring a society
that is more aware, and accepting, of realistic surveillance
measures in place to protect them. Our work also suggests that
understanding of public perception still requires far more work,
as our discoveries about the public's attitudes toward ICTs is
in conflict with conventional wisdom. Finally, we believe that
dividing responsibility between citizens and service providers
is necessary to ensure more effective safeguards, and feel that
stronger legislation of the ICT industry, with greater awareness
of professional liability, is an important step forward in achieving
such protection from data theft and abuse.
July 2007
238 Information Security and Network Research Group,
School of Computing, Communications and Electronics, University
of Plymouth, Drake Circus, Plymouth, UK. Back
239
BT Group Chief Technology Office, Adastral Park, Martlesham
Heath, Ipswich, UK. Back
240
Information Security and Network Research Group, School of Computing,
Communications and Electronics, University of Plymouth, Drake
Circus, Plymouth, UK. Back
241
http://www.network-research-group.org/ Back
242
http://www.trustguide.org.uk/ Back
243
http://www.getsafeonline.org/ Back
244
http://www.ceop.gov.uk/ Back
|