Issue link: https://maltatoday.uberflip.com/i/1187474
17 maltatoday | SUNDAY • 24 NOVEMBER 2019 INTERVIEW concern was surveillance. But there's more to it than just that. Over the past four years, the things I have reported to the UN have included big da- ta, open data, health data (the most recent)… at present, my teams are working on privacy and gender, privacy and chil- dren… so it's a very wide range of subjects that we handle. We're also tackling the major corporations and their business models. I have regular meetings with Google, Facebook, etc., twice or three times a year… Surveillance does, however, remain a major concern. In a press article, you once wrote that 'if [data] is exchangeable, it is overseeable'. But overseeable by whom? Who can really monitor and control the data that is exchanged, and the use that is made of it? Let me clarify that 'oversee- able' comment first: it was made in the context of a spe- cific problem concerning intel- ligence services. We currently have a situa- tion where intelligence services can and do exchange informa- tion between themselves; it's a process that has also been ac- knowledged, and accepted as not running contrary to human rights practices by the Euro- pean Court of Human Rights, in a verdict [Big Brother Watch versus the UK] delivered in September last year. But those organisations which are supposed to have oversight of intelligence servic- es, are in some cases precluded by law from talking to anybody else. Ideally, oversight agency of Country A should be able to talk to oversight agency of Country B… because the intel- ligence services of both coun- tries are already talking to each other. This is quite problematic, be- cause… how can you oversee that which you're not allowed to talk about? That is why, after noting complaints from several countries, my recommenda- tion to the UN was: 'if it's ex- changeable, it's overseeable'. Other issues include that the technology use has to be pro- portionate to the risk you are trying to manage. And that the data is being collected only for a particular purpose. One of the great changes we've seen in the 35 years I've been in the field, is that pre- viously, much of the law was directed at the organisation collecting the data. Not just in- telligence services or the police, but also insurance companies, etc. Today, however, the vast ma- jority of personal data is not generated by the police or in- telligence services; but by com- mercial corporations. What the police increasingly want, then, is to have access to the data generated by those companies. What is needed is therefore the introduction of proper safeguards, so that the data can only be accessed under the proper conditions. Otherwise, any Tom, Dick or Harry could access private data of where we were, what we were doing, to whom we were speaking, and other things that are none of their business. Not even a government offi- cial, or a policeman, should be able to have that kind of access unconstrained. It should only be possible subject to very strict regulations. They would have to give a reasoned explanation as to why the citizen concerned is a subject of interest; and why they should be allowed to in- trude on their privacy. That is part of the system of checks and balances we are working on. Given the speed of technological innovation, another question is whether such safeguards can actually keep up… This brings us to the tech- nology timeline. It's always interesting to reflect on the technology you remember. I personally have been in the field since around 1983. As I like to joke: 'I'm young, but I've been younger' – so I remember attending the launch of the first IBM PC; and when the first Ap- ple Mac came out, in 1984. Not to mention the launch of the world wide web in 1991. Bear in mind that the In- ternet, at the beginning, was never intended to do what it does today. It was intended to provide a resilient information network, in case (for example) a bomb hit a major computing centre. Ultimately, the Internet today is a network of networks: the world wide web has been grafted onto it… resulting in an explosion of technology, and technology usage. Everybody started using it. And people saw commercial opportunities. The problem is that – while people were becoming more reliant on the Internet, and international commerce took off using it – there was never a really decent, global discussion about the policy side of things. And there was always resist- ance as to how to control it. So we have lived through a very awkward situation. Internet us- age has exploded; but how the Internet is regulated is a major headache. But I'll come to that in a moment. What we have seen since then is a very interesting develop- ment involving convergence of technologies. A Smartphone, for instance, is a very good ex- ample of this convergence: we call it a 'phone', but what does it do? It is a highly sophisticat- ed miniature computer, which enables me to access the Inter- net. It also takes high definition still pictures and video clips. Right now, you are using yours to record this interview. So it's a camera, a sound recorder… And… oh, by the way: you can also use it to make phonecalls! I joked about that last part, because it shows us how far removed today's Smartphone is from the first mobile phone I had in 1990. That one was big and chunky; and I could also use it as a weapon. But I couldn't send text messages. I couldn't surf the Internet. All it was, was literally mobile te- lephony…. The technological changes have meanwhile made us more dependent on our mobile phones. What are the implications, from a privacy angle? The mobile phone, to me, is probably the most significant technology insofar as privacy is concerned. Because each ac- tion you do with your mobile phone, now leaves an electron- ic footprint. During the day, every person who uses a mobile phone is generating millions of electronic footprints… which they did not do, in 1990. Not only that; but all those footprints are available to cor- porations and governments in different ways. If you had to go to Valletta and just asked peo- ple on Republic Street – even young, tech-savvy kids – 'How much data about yourself did you put out today?'… most people will tell you the stuff they are aware of: some picture or comment they posted on Fa- cebook or Twitter, for example. But that's just the tip of the iceberg. Most people are una- ware that more than 90% of the data they have generated is meta-data. It's what time they called… whom they called… how long the phonecall lasted, etc. But this takes us back to your original question: has privacy been lost? I'd say the answer is both no… and yes. If we're stupid about it; if we just say 'yes' to everything that appears on our mobile phone or laptop computer, or other digital device… then the an- swer is yes. But there are safeguards al- ready in place. People will have noticed that, in the last year since GDPR came into force, that they were being asked questions about cookies, for instance. That is typical of how you can protect yourself. Can people protect them- selves more? Yes. Are people more concerned about privacy than ever before? Yes. But do people understand and use the controls that are available? Be- cause to go back to an earlier point: at least 90% – possibly 99% – of people don't think about metadata. We are talking about untold amounts of data that is being generated every day. That data was not being generated 30 years ago. So… what can be done about it? We can use a growing number of safeguards – and that is what GDPR is all about – to reduce the amount of information we put out about ourselves. Are we doing it? I would say, not enough… because citizens are not aware enough. This is why we need to address the is- sue not only through law, but also through proper policy. But a proper policy also has to address the issue of public awareness. Data protection law is full of safeguards to prevent information about you being collected; but they only work if people use them. Frankly, my approach is that citizens should be taught how to behave online from a very early age. To me, it's at least as important as sex education. And if sex education is first taught at the ages of eight or nine, we should start with on- line behaviour and security be- forehand: at the age of five or six. surveilled? PHOTOGRAPHY JAMES BIANCHI