NSA Prism Data Mining – Are we just talking about privacy concerns?

digitalIDIn the last few days there has been a lot of talks about the fact that NSA and FBI  might be collecting and analyzing data from major service providers like Google, yahoo, apple and others in order to spy on citizens and internet users. Now while the concerns about privacy are legitimate I believe it is important also to start a proper debate about regulation for legal intercept on one end and what analysis these same internet players can do on their own without violating privacy.

While NSA and FBI are supposedly accessing the central servers of  leading U.S. Internet companies in order to extract audio, video, photographs, e-mails and documents that enable analysts to track a person’s movements and contacts over time, the key question remains: how do we regulate the service providers and authorities?

Service Provider Regulations

Now while the regulations in the telecoms are quite mature I can feel that for internet service provides still a lot remains to be done and much is still blurry. For regulated services provides like telcos, it is quite clear on what can be done and not, especially when it comes to voice services. Authorities can perform lawful intercept, record and analyze voice calls of a suspected criminal after a court order has been issued. The tapping could also be done on the data traffic and deep packet inspection mechanisms can be used to understand what is said on the data connection as long as the traffic is not encrypted. Encryption is why Blackberry had issues in middle east and had to deploy proxy servers to allow tapping into their traffic. In any case their is a clear identification of the user by the service provider and that is enough to provide court order and do the tapping.

Internet services providers like google, yahoo, apple and others have on the other hand hardly been subject to regulations, and even though the internet as we now it is now almost twenty years old, the regulations are still in their infancy. What one can and cannot monitor is not that obvious and in that ambiguity and in an era of BigData the ambition for both service providers and authorities is to monitor more and more to get better insights.

The Digital ID at the heard of the problem?

I believe the decoupling of a digital ID from a physical ID is at the heart of the some of the issues we are talking about here. Let’s have a look at how you are identified as a user. For phone numbers their is usually quite a strong link between that phone number and a physical person, since you have to use your national ID or passport to get that service from your telecom service provider. You pretty much know who is at the end of the line or at least you know who is accountable for that phone or internet connection.  Yes, sure there is fake ID’s but still…

Now, how about a digital ID created over a public internet connection? There is no way you can be sure about the real identity of that digital user. I guess, and this is only a guess, that one of the mechanisms to validate an ID is to cross reference some of the content including messages, pictures and videos. Image recognition algorithms can fairly accurately identify persons and that maybe a way to uncover fake users. I believe the main purpose to analyze content is to identify dangerous content like terrorist messages or child pornography, but also because looking at the actual content  and applying BigData technology can help you in the identification process.

Another issue that might arise is how do you issue a court order when the user ID is not that clear? The digitial ID might be enough but it does not necessarily give you access to the physical person, but that is maybe a lesser problem.

Now while authorities are interested to identify people and their behaviors for national security reasons, the internet providers are doing the same with the intent of selling you more or at least get more of your attention. In both cases, I believe regulations have to evolve to properly handle a multi-faceted digital ID.

This article takes a bit different angle than what you might read in the common press and I do not intend to defend any abusive privacy invasion, but I think we need to have more structured debate on Telecom and Internet Service Provider regulations and put the digital ID at the heart of it.