Street surveillance and skyrocketing self-defence

At the World Forum for Democracy 2015, we interviewed the former Electronic Frontier Foundation activist about their work, hopes for inspiring legislative change, and building on the stubborn success of Max Schrems.

David Krivanek Dia Kayyali
25 January 2016

This interview took place on November 20 at the World Forum for Democracy in Strasbourg. For more coverage of the conference's key theme, 'Freedom and control in the surveillance age', see here.


Flickr/EFF photos. Creative commons.

David Krivanek (DaK): Do introduce yourself to openDemocracy readers.

Dia Kayyali (DK): Sure, my name is Nadia Kayyali and I am an activist at the Electronic Frontier Foundation. For those who don’t know our work, we are based in San Francisco and we do an array of digital rights work, including working on surveillance, which is mainly what I focus on, as well as free expression and privacy.

DaK: I saw that you are currently working on one project entitled ‘Street level surveillance and profiling’…

DK: We have started off focusing on domestic use technology at the local level. But we definitely want to talk about it at the international level too, because we are seeing what we call ‘street level surveillance technologies’ adopted around the world - many of them coming from US companies.

Street level surveillance technologies are technologies that local law enforcement would be using directly to do surveillance. So these are things like IMSI-catchers (devices that act as cellphone towers and trick your phones into connecting with them so that they can determine your location); drones, of course; biometrics, so fingerprints, iris-scanners, DNA technology; and then there is just a huge array of other, small pieces of technology that we are seeing popping up all over the place, such as automated license-plate readers - another piece of technology that we are working on.

All of these technologies are being used in a way that is very direct and immediate. With NSA spying, people question what exactly is the result of the surveillance? We all know that NSA surveillance is absolutely chilling free speech. But it’s harder to tell when that surveillance puts somebody in jail.  With these technologies, we physically can see them being used on the street. We know they are being used particularly in street demonstrations, and certainly not only in the United States, to repress political activity. 

This technology has been installed on a huge scale after major events. So in Brazil, with the demonstrations over the fare increases that happened in the run-up to FIFA, the surveillance technology which was supposedly in place for international security purposes was really focused on the demonstrations. The same thing happened in Athens where the austerity protests were being surveilled with technology that was implemented for the Olympics.

2013 protests in Brasília, Brazil. Flickr/Valter Campanato/ABr. Some rights reserved.

This is absolutely a global problem. There are companies that are making so much money. It is a huge industry. They have a huge influence in the US and frankly internationally. I know that in the UK these companies have an incredible amount of influence and some of them are UK-based. It’s a big problem and not enough people are working on it.

Of course, NSA spying is another large chunk of my work, mainly this is the domestic activity – we have an international team and try to coordinate with them. We work on the legislation in the US, and also we do a lot of education – explaining to people just what is going on and also giving them tools to try to defend themselves from surveillance. EFF has a surveillance self-defence project and I actually get to go and do security and privacy trainings. This is one of the funnest parts of my job.  

And then as I mentioned I also do work on privacy, anonymity and freedom of expression. Another very large project that I have been involved in recently is around Facebook’s real names policy. Facebook asks people to use their real names on the platform (in the States they stopped using the term ‘real names’ and asked for ‘authentic names’ instead. This was actually a response to some of the activism that started up about a year ago, but the policy is still the same). You don’t necessarily have to use your legal name, but you have to use a name that can be ‘proven with identification’ which essentially amounts to government identification.

The policy is actually unlawful in most of Europe, and has been ruled unlawful by the Hamburg Data Protection Authority. There are just a lot of problems with it and it has been used very much to silence human rights activists, to kick off transgender people, to kick off people with names that don’t fit some sort of norm that Facebook expects – because it is driven by user reporting.

It is not like when you sign up for Facebook and have to send them an ID. The way people end up in enforcement is because people are reporting them. I have been working on a big campaign to get Facebook to change that policy. And they have made some substantive changes, which they are testing starting in December.

DaK: What kind of changes?

DK: Originally, when people wanted to report somebody for a fake name, they literally had to do one click – that’s it – no explanation. You could have your account suspended just based on somebody else who decided they wanted to report you. And of course this is used against the most vulnerable people on Facebook.

Now, instead, when you make a report for a fake name, you then have to go to another screen which is saying: do you really think this person is abusing you? Are they spamming you? It will talk a little bit about the behaviour. Then you have to fill out a text field. So this is adding two more steps. But even that puts some constraint on those people who will literally go on a reporting spree, and just go click, click, click, for a whole group of, let’s say, human rights activists, or, “I’m going to target this whole group of drag queens that I don’t like…”. This makes it a little bit more difficult for them.

They are also going to change the ‘enforcement process’ once somebody finds themselves reported and in this process where Facebook says, “Now you have to submit some ID.” In the past, people said that they thought they were getting responses from a machine, because they were so mechanical, even though it was actually a person who was doing it, but their responses were very mechanical. Instead they will have a team that will respond, not in every situation, but when they identify those populations that we have talked to them about. They are going to have their most experienced enforcement officers responding in a team that will have a little more time to interact with people and figure out what is going on. They need a few technical changes, because we also brought up the example of people in authoritarian regimes sending ID – which is very dangerous – and we know for a fact that there have been fake Facebook sites that have been used by the NSA to gather information about people. So it is not a hypothetical concern.

We want them to do more when it comes to security. With the real name policy in general, we think they should just get rid of it. Anything else is really measures to make it less harmful to people. But in terms of security they will now be encrypting IDs and storing them for as long as it takes to resolve the case but no longer than, I believe, 90 days. And the only people who will be able to access them are employees that are working on the case and they will have a key to decrypt that ID and be able to look at it.

These are some of the improvements, but there really needs to be more. This is just a start. What we hope is that one of the things which they are doing in implementing these improvements is that they are going to gather more data on what is actually going on. As a result we hope they will eventually come to the conclusion that they should get rid of the policy.

DaK: Fighting for minority rights online sometimes seems to be such an uphill battle, when money and state interests seem to collide to conspire against you… take the Cybersecurity Information Sharing Bill (CISA) which gets defeated one year, and is then brought back by the US Government a year later, maybe under a different name and passed!

DK: They like to give them different acronyms but it’s really the same Bill, yeah. CISA was a very difficult one. I was one of two people working on that as well, and it was such a flawed bill, it is incredible that it was passed.

Ferguson protests in Seattle, December 2014. Flickr/scottlum. Some rights reserved.

One of the reasons that I love working on street-level work is precisely that – that we do actually see victories at the local level. The architecture of surveillance, you know, starts from the ground up. NSA spying and spying on Black Lives Matter supporters is not two different things. In the US and I imagine elsewhere, there used to be barriers between foreign intelligence and domestic intelligence. We used to think of them as different things. But now all of those barriers have been broken down and these systems really work together. So that surveillance that starts at the local level will eventually filter up to the NSA, or to the Department of Homeland Security, or to the FBI.

So we have seen at the local level, that communities have successfully fought the implementation of this technology. And we have also seen really good laws being passed at state level. In California for instance, we have just had a huge victory there. We just passed the California Electronic Communications Privacy Act (CalECPA). This is a very strong law: it requires a warrant to access digital communications. In the States, essentially there are court decisions which say that anything that you have passed on to a third party, you have entrusted to them, and you can’t claim that the government doesn’t have a right to look at it. Under that dispensation, technically speaking, any e-mail that you send shouldn’t be protected. So CalECPA is a very strong protection that doesn’t only apply to e-mail but also to IMSI-catchers. It’s a huge victory because California is a huge state, so the laws that are passed there do have an influence on the rest of the country. California has often changed laws in ways that we see filtering out across the country. There are people working on similar laws now in other states.

We focus mainly on California laws and have had several victories in 2015, which are especially encouraging to smaller countries as well. It is so hard in a place like the United States to get federal laws passed. But if you have really committed people who are paying attention to these issues, particularly if you have easier access to your governments, it is actually possible to restrict the use of these technologies and that starts to get people thinking about the issues of surveillance that they can’t see! So there is certainly hope.

DaK: In terms of gaining awareness, do you get a good response from the social movements themselves?

DK: You know, I think that in the last couple of years, people’s concern about and understanding of surveillance has sky-rocketed, in every movement. I actually was incredibly lucky to have the opportunity to go to Ferguson shortly after the demonstration started there. I wasn’t going in my EFF capacity – but I was listening. And I was hearing people saying, “Things are happening with my phone – what do you think this is about?” “Oh I just saw a drone, but there isn’t supposed to be any press coverage, so it must be a law enforcement drone.” And more and more, people who are on the ground doing direct action and activism are asking for digital security trainings. So there is a growing awareness and so many materials out there. And at our end, in privacy advocacy, we are also getting better at putting things in terms that make sense to people. A good example is this fantastic guide which was released I believe by Coding Rights just last week, and it is a guide to safely sending nudies! – and that’s great because it is something that people do think about. I don’t know if you saw the John Oliver episode where he interviewed Snowden, you’ll remember the exchange about the ‘Dick-Pic Program’– sometimes you really have to think about how to put things in those terms, and it makes sense. This is a hard economic time around the world, and people have so much that they are thinking about just trying to survive. So we need to really think about how what we are concerned about integrates into what they are already thinking about…

DaK: Early on, there was so much talk about how to make people care about these issues, so that is really a big achievement. There’s still a lot of work to do at the level of political and legislative change – but one of the main changes we are beginning to see is that movements can relate to people better.

DK: Everybody who does this work needs to have a response prepared to, “I don’t have anything to hide”, or, “The companies are collecting so much, there’s nothing I can do.” Depending on who it is I am talking to, I will have different responses. I often hear, “I’m not breaking the law, so why should I care?” One response I like to have to that is that in the US, there are so many criminal laws that there was actually an effort to catalogue them all by the Government, that is, to count all the ones that are on the books – and they gave up because it was too difficult! The point being, you are probably breaking the law. Most people, in one way or other, are going to break the law. Of course I use the Dick Pic example – concrete examples are really important. If I’m talking to activists, I will tell people how this person posted this on social media, and three weeks later it is showing up in their court case. This is something that I have seen on a semi-regular basis. There are actually officers who are specifically tasked with looking at social media, with combing through YouTube videos. San Francisco Police Dept. has an Instagram Officer, and this officer recently got a warrant based on a photo that somebody posted, which is incredibly disturbing. Because I am so steeped in this work I have examples like that that I can share with people, which is really helpful.

The intellectual argument that privacy is necessary for democracy is important, and we need to keep saying that because it is true and it is why we care so much about this work. But it’s not the first argument that I will go to, and I try to think of concrete examples that will be applicable to the lives of the people that I’m talking to.

DaK: What type of international coalition do you think can take best advantage of the successes in one country to build the momentum in others?

Max Schrems after winning his Judicial Review case against the Irish Data Protection Commissioner. Flickr/Simon McGarr. Some rights reserved.

DK: We have an international team that works with organisations doing a whole variety of different types of work. Some of them are working on individual advocacy. There are so many really disturbing stories out there of bloggers and technologists and activists that have been put in prison based on some things they have said on the internet or technology that they are developing! We do individual activities and advocacy for those folks.

We also do the surveillance self-defence trainings that I was talking about. I haven’t had the chance to do those internationally, but there are some people on our team who I think can’t even count how many countries they have done trainings in. They have given them in the Middle East and Europe of course, and just about everywhere.

We also have one staff person who does a lot of work providing comments to the United Nations, as well as a lot of work with South and Central America of course in collaboration with local groups there. We have specifically focused on the passage of some laws in Brazil, such as the strong protections for freedom of expression and internet intermediaries in the civil framework (Marco Civil), and have organised action alerts around bad data retention law in other countries of South America, making it possible for people to tweet their representatives for example.

We opposed the Snoopers’ Charter, which fortunately was stopped in its tracks from going forwards in the House of Lords. So as much as possible we try to combine the work, making sure that the parallels are clear.

It is interesting of course, given the US Constitutional framework, we face a situation where the rights of US residents and citizens are so different that it can be very difficult to try to talk to senators about how whatever we are doing will do absolutely nothing to enhance the lives of non-US citizens, whose rights are being violated. But as much as we can, we are trying to bring those conversations together.

DaK: So do you have any advice for non-Americans acting on their own behalf at this juncture?

DK: Max Schrems is a very good example of some very creative actions that we have already seen. He is just one person who saw a problem and decided not to let it go. This is one person whose actions are going to have a huge effect on US companies and the reaction to that decision in the US has been one of outrage from elected representatives and intense irritation on the part of US companies! And you know what? That’s great. That will affect domestic policy as well.

The last big legislative action that we did around Section 215 of the USA Patriot Act, and the changes that were made by the USA Freedom Act, don’t really do anything for people residing outside the US. Section 702 of the Foreign Intelligence Surveillance Amendments Act (FISA) is the legal authority that the NSA has used to collect the contents of e-mails, so this is UPSTREAM and PRISM. This is the collection directly from the internet backbone and it is hugely violative of the privacy of US citizens, of course, but particularly of people outside of the US. That law expires on 31 December, 2017. We are already starting to think about that, and precisely about how the Safe Harbour decision is going to affect that. They didn’t come out and say that they were talking about Section 702, but it was quite clear that the type of surveillance that they were concerned about that violates EU citizens’ rights is Section 702. So we are hoping that what Schrems has achieved will be to point out to lawmakers that you literally cannot go forward with the model that you are operating on, because it is unlawful. When it comes to NSA surveillance, Section 702 is going to be a harder fight, but we have time to prepare and like I said, things like this Safe Harbour decision will ultimately be really helpful for us.
