Select Committee on Home Affairs Written Evidence


APPENDIX 47

Memorandum submitted by Dr Andy Phippen,[238] Dr Hazel Lacohee,[239] and Professor Steven Furnell[240]

  In this response to the call for evidence for the Home Affairs Committee's inquiry into "A Surveillance Society", we present a response that considers the citizen's perspective, examining their perceptions toward monitoring via various ICTs, before considering their awareness of protection mechanisms. The evidence presented is drawn from a major study in collaboration with BT Group Chief Technology Office and Hewlett Packard, supported by a number of further studies carried out by the University of Plymouth's Information Security and Network Research Group.[241]

  The Trustguide project[242] was concerned with exploring issues of trust, security and privacy in ICT based applications and services with the general public through direct dialogue, facilitated via 29 discussion groups between September 2005 and October 2006. In total approximately 400 citizens took part in discussions. Our findings suggest that UK citizens are technology-aware and have belief systems informed by a mix of mass media communication, personal, and peer experiences. This has significant implications for service providers and policy makers—the age of the naïve ICT user is over, replaced by a population who may not have experienced specific technologies first hand, but have confidence in their understanding based upon numerous information sources (albeit sources that one might consider to be unreliable or subjective). We are faced with a population who believe they are well-informed regarding their understanding of ICTs, and are cynical when "sold" a technology for reasons that conflict with their own belief systems.

  In considering surveillance technologies, and citizens' attitudes toward such, one of our more interesting initial findings was the tolerance of UK citizens toward CCTV monitoring. We felt, through our initial discussion, that citizens would be intolerant of such systems. However, in-depth discussion provides two key reasons why such tolerance exists. Firstly, CCTV exists in public spaces—people do not mind monitoring when it is open and not invasive of their private space (their homes, workplace, etc). In addition, media coverage of crime and terrorist attacks had demonstrated the value of CCTV in protecting society. The power of the media as a persuasive mechanism for the general public should not be underestimated, and it is something that we will return to later in this piece.

  However, this attitude should not lead to Government complacency related to further monitoring. We found high levels of concern regarding what is perceived as increasingly heavy surveillance of day-to-day movements and activities. State claims and justification for current and increased levels of surveillance (eg control of terrorist activities, reducing crime, road user monitoring) were greeted with scepticism both in terms of a genuine need for such high levels of surveillance and any evidence that it serves the stated purpose. Many citizens feel that their constitutional rights are being eroded in the name of security, yet few feel under the degree of threat that might warrant such measures.

  We have found this opinion results from a number of different beliefs. Firstly, as we have stated above, CCTV is tolerated because its benefits are clear to see via the media. Technologies such as ID cards, biometrics and DNA databases have less of an "evidence base" from which citizens can draw to inform their opinions. An important key finding from our work is that technological engagement with the general public has little to do with technical elegance, guarantees of security, and reliability. It does, however, have a lot to do with convenience for the citizen. If the citizen can see a clear benefit for either themselves or their community (whatever their concept of community might be) they will be far more accepting of a technology than one where they cannot see such.

  So if we consider the issue of ID cards, we can see difficulties in being able to demonstrate the benefit to the individual. Indeed, what is the benefit for the individual in carrying an ID card? Clearly there are benefits for Government, security services and industry, but the individual can see little benefit to having one in their possession. Therefore, with an unreliable foundation upon which to build trust in ID cards, it is little wonder that the proposals to have mandatory ID cards paid for by the citizen are met with further opposition.

  Another key factor in the public's mistrust of surveillance systems is again something drawn from media influence. Numerous participants in our discussions stated that the Government were not effective at "doing IT". High profile public sector failures, or predicted failures, such as the Child Support Agency system, have resulted in a public who do not feel that the Government are capable of effectively managing the systems required to ensure the efficient operation of such surveillance systems. Therefore, guarantees of 100% secure technologies are met with scepticism by citizens who, even if having no personal IT expertise, have been exposed to increasing reports in the media demonstrating this to be untrue. Compounded with this mismanagement is another factor that has eroded the public's trust of the Government looking after "their" data (individuals clearly believe that data held about them still belongs to them). There were subsections within many groups that were uncomfortable, not from the privacy issues but because they felt if the Government had physical ownership of that data, there might be temptations to sell such information to interested bodies, as has occurred with DVLA data.

  We believe that the Government's key issue with the acceptance of a reasonable "Surveillance Society" is not one of technology but education and informing the population. We have discussed at length the information sources that citizens draw upon when forming opinions regarding ICT—the main influencers are the media and peers. While those citizens that have access to professional advice will take it, the majority of their awareness comes from what they see in the newspapers, what they watch on television, and what they discuss with their peers.

  A key issue Government faces is that these information sources do not have an objective viewpoint. Arguably, the World Wide Web is a major threat to the media industry—therefore, where is the incentive for a media outlet to report "citizen uses ICT successfully to enrich life"? Previous attempts to use the media to disseminate objective material about Internet awareness and protection have only had limited impact. We discussed the Get Safe Online campaign[243] within both the Trustguide and subsequent survey work (surveying approximately 500 citizens regarding their ICT security practices and their sources of education), and in each case, impact had been minimal. In the survey responses, 12% of the population was aware of the campaign and only a third of those felt the information was useful.

  However, there is a belief among citizens that, while they have opinions regarding ICT and its threats, they do not have the confidence or concrete knowledge to protect themselves. In our survey work, the majority of respondents felt that they did not do enough to protect themselves from online threats for a variety of reasons, including lack of understanding, cost of products, or that they simply did not feel it was their responsibility. This was reflected in our Trustguide discussions, where many participants stated that either they did not feel equipped to protect themselves, or it was someone else's job to do so. When discussed in more detail, the responsibility for protection, in the eyes of the citizen, normally lies with either Government or manufacturers and service providers. There were many comparisons with motor vehicle safety, where citizens would not expect to purchase a car without it being roadworthy.

  However, some of our recent research would suggest that while IT providers are doing more, citizens are still failing to take any responsibility for protection. In carrying out a survey of unprotected wireless network access in cities and towns in the South West, we discovered on average around 25% of networks were not encrypted. This is a significant change from previous years, where generally around 60% were found to be unprotected. This change corresponds with a period in which the wireless hardware provided by vendors is now encrypted "out of the box". This means that the individual does not have to set up the encryption themselves; it is there by default. This represents a significant shift for IT vendors in taking steps to protect the citizen.

  Around the same time, a complementary experiment scanned for unsecured Bluetooth devices and, when discovered, the devices were sent a harmless, but unsolicited, image file. In over 50% of cases, the recipient happily accepted the file without querying what it was or where it came from.

  These experiments show that while manufacturers are taking greater responsibility to protect the public, some of the responsibility ultimately has to rest with the citizen. To take the motor vehicle analogy once more, someone purchasing a car and driving it home is not faced with an ever-evolving environment with new threats emerging on an hourly basis. However, this is exactly the environment facing IT users. Therefore, we feel we should stress the importance of reaching the public with accurate, objective information regarding ICTs so they can make informed decisions, rather than the current climate of building belief systems on very weak, ill-constructed foundations.

  Of more immediate concern is the protection of young people. Within our discussion with young people, it became very apparent that while they were technically capable, they had little awareness of the threats that exist in going online, and only had a veneer of knowledge regarding protection mechanisms. On three separate occasions in discussions with young people, we encountered experiences of stalking attempts via messenger services. While in all three cases, the perpetrator was blocked by the intended victim, there was no reporting of the incident to an authority figure. When asked why not, the responses ranged from "what's the point?" to "I didn't know how to". The majority of young people we spoke to felt that authority figures (such as parents and teachers) had less knowledge about online threats than they did, and as such would not know what to do either.

  This discovery led to further investigation into the exposure young people get to Internet awareness and protection through school curricula. Certainly GCSE and A-level curricula for ICT and Computing that we examined had virtually no mention of protection mechanisms, aside from those to deal with business ICT. However, we found that young people are receptive to the idea of classes in such an area, some suggesting Citizenship classes could cover such things. Certainly, the work of the Child Exploitation and Online Protection Centre,[244] with their schools programmes, is having an effect, but this is a small Government department reaching out to the approximately 25,000 schools in the UK. Young people also felt the media could play a part, but were more likely to be engaged through drama than direct information presentations.

  In considering the safeguards for data use, and abuse, we finally consider legislative measures. While our studies with citizens have shown some awareness of measures such as the Data Protection Act and other legal mechanisms to ensure adequate protection, we also, unsurprisingly, discovered that the majority of citizens will not consider things such as Terms and Conditions in depth when registering with an online service, particularly if such a service is offering them some sort of material or social benefit. Obviously this can potentially leave the citizen open to all manner of data abuse, but the general opinions were that while they knew they should read such things, they lose interest in the legal syntax of such. Therefore, stronger legislation to ensure more effective privacy policies would have little impact.

  However, we believe that one area that could potentially have more significant impact is more effective regulation of the service providers. At present, there is little professional liability within the IT industry, hence the number of breaches and information thefts that occur online, the majority of which are down to poor security practices, design and implementation, rather than issues with the technology itself. The IT industry is one driven by the sort of remunerative rewards that one might expect from any professional discipline, but without the legislative controls that apply to, for example, the legal or medical professions. Therefore, service providers are happy to commit to service delivery without actually considering the feasibility of such approaches. Certainly, our own experiences acting as intermediaries between clients and service providers when troubleshooting what went wrong in projects would suggest the lack of legislative control results in a highly unregulated industry with some extremely unethical practice. While the British Computer Society is making great strides forward with its professionalism agenda, its membership is still only a small part of the IT industry, and complementary to their reward-based incentives to become an "IT professional" could be stronger legislation. A service provider may become far more likely to carry out effective risk analysis, and penetration and boundary testing, on their services if they were to be held accountable for any avoidable breaches, in the same way that society would expect a surgeon behaving in an unethical manner to be held to account. Currently, we exist in a culture of "well, you signed-off the specification" where the responsibility is placed back with the procurer, rather than provider, of a service.

  In conclusion, we believe that while technology has a part to play in the public attitudes toward whether we exist in a "surveillance society", the major issue lies within the public perception of such approaches—whether they consider them to be acceptable and good for the private citizen. We believe education and information are key drivers in ensuring a society that is more aware, and accepting, of realistic surveillance measures in place to protect them. Our work also suggests that understanding of public perception still requires far more work, as our discoveries about the public's attitudes toward ICTs are in conflict with conventional wisdom. Finally, we believe that dividing responsibility between citizens and service providers is necessary to ensure more effective safeguards, and feel that stronger legislation of the ICT industry, with greater awareness of professional liability, is an important step forward in achieving such protection from data theft and abuse.

July 2007






238   Information Security and Network Research Group, School of Computing, Communications and Electronics, University of Plymouth, Drake Circus, Plymouth, UK.

239   BT Group Chief Technology Office, Adastral Park, Martlesham Heath, Ipswich, UK.

240   Information Security and Network Research Group, School of Computing, Communications and Electronics, University of Plymouth, Drake Circus, Plymouth, UK.

241   http://www.network-research-group.org/

242   http://www.trustguide.org.uk/

243   http://www.getsafeonline.org/

244   http://www.ceop.gov.uk/


© Parliamentary copyright 2008
Prepared 8 June 2008