First published: 16th June 2013
Allan Dyer
On the first of July 1997, as I watched Martin Lee speak from the Legislative Council balcony, Hong Kong faced a lot of uncertainty, but I never imagined a reversal that would see a USA citizen seeking refuge here from his own, surveillance-mad government.
A monthly newsletter is not the best platform for commenting on fast-moving events, so these words may seem outdated when you read them. Edward Snowden says that he became a whistle-blower to reveal criminality, and as a result, the FBI is trying to prosecute him for exposing USA spying.
As we look deeper, the case becomes a mass of misdirection and double-speak. President Obama reassures the American public that US citizens were not spied on - this probably plays well to the home audience, but it does rather imply that the rest of us were potential targets for privacy violation. Innocent English words like "collection" are twisted to mean something surprising. The data may be grabbed and stored, but, apparently, that is not surveillance until some filtering mechanism teases out the message for further analysis. It may be that the letter of USA law has been followed, and maybe the American voters, now that they know something about the extent of the spying, might decide not to change those laws, but that does not make them legal anywhere else. Edward Snowden has made accusations of crimes committed in Hong Kong; they should be fully investigated by the Hong Kong Police, and Edward Snowden should certainly not be handed over to the accused criminal.
We also need to think about how the surveillance affects our risks. The stored data could be misused. Individuals with access could use it for their personal ends. Occasionally, there are cases where a police officer misuses official resources, for example, to look up data about an ex-spouse. Imagine the potential for stalking and harassment this mass collection represents. The data could also be misused to give favoured companies an edge in business - state-backed industrial espionage. In a changing political climate, a ruling party could use the information against opponents. We have little idea at the moment how long the data is stored for, so old, casual acquaintances that later become involved with "undesirable" activity could adversely affect anyone's life. George Orwell would not be surprised.
How should we protect ourselves? Snowden revealed that they target internet exchanges for mass data collection, avoiding the need to break into many individual computers. The statement by the Chinese University, operator of the Hong Kong Internet Exchange, that it has not detected any attacks on its backbone network is not reassuring. Whether ordinary end-users can protect their data against the focussed skills and resources of a state security agency is doubtful, but we can certainly make the wholesale gathering of data more difficult by using end-to-end encryption, such as SSH or SSL/TLS. Security writers like myself have been saying for years that unencrypted messages sent over a public network are open to being read by any intervening node.
We should also evaluate our usage of public cloud services and webmail. An official request to Yahoo or Microsoft can ask for the entire contents of a mailbox with no notification to the subject, but if your mailbox is on your own server, it is not so easy.
What of the terrorist threats that have been neutralised? We have, of course, been assured that many terrorist plots have been disrupted, but there will be no statistics or details released, so we have the word of people caught lying. Perhaps we should remember Ronald Reagan's favourite Russian proverb, "Trust but verify", when dealing with security services that are meant to be protecting us.