**How free are we to choose our private lives?**

[Abhas Abhinav](https://abhas.io)

# Background

Each of us understands "privacy" in different ways, and we do varied things to protect our privacy. However, the way online services, Internet-based social networks and software development and distribution strategies have changed over the past 15 years leaves us with little freedom or choice in how we define our privacy. We have been tricked into giving away our power to retain our freedom to choose what is private to us.

Here, we aim to analyse the tools that others use to take this power away from us, and what we can do about it.

To do this, we first need to understand who is in power, what backs this power up and how software is a critical way of extending this power over us.

# Who is in power? What is the backing for this power?

Let's examine a simple transaction to illustrate who has power and what backs it up.

A programmer *(a person or a company)* has a program and they want you to have it. The program clearly adds value to our lives *(let's say, it enables us to write articles like this on our computer)*. In return for giving this program to us, the developer asks to be paid a fair sum of money. Once we complete this transaction, we have the software and the developer has the money.

One would think that the developer's influence over the software ends once the transaction is complete. But not really. The software developer could still wield some power over us. For example:

* They can restrict how many people get to use the software you've purchased, or ask you to pay some more money for each copy of the software or for an enhanced version of it. At the same time, they can restrict you from sharing the software with others, even within your own family or workplace.
* They can restrict what you can do with the software and under what conditions (e.g. you can use the software for non-profit or academic use but not for commercial or government use).
* If the software has apparent defects or limitations, they could forbid you from trying to circumvent those limits or from finding (or sharing) workarounds for those defects. This becomes all the more problematic when the software developer is able to enforce this restriction via law.

I am sure we are familiar with such conditions under which we are allowed to use some software.

There is no argument that a software's developer has the right to apply such conditions on the software they've authored and distributed. These rights are vested in the software developer by virtue of a well-defined system called copyright law, and this gives the developer the legal basis which empowers them to direct their software's distribution and use.

The problem is not copyright law, however. The problem occurs when such power is misused against the users of such software - under the guise of protecting them or enabling them, or as a price one has to pay for supporting such software development in the first place.

What backs up such power with software developers is the one critical thing that they have and which you don't - the source code of the software. Because they are the sole arbiters of this "source code", they have the sole power to control what the software does, who uses it and under what conditions. Since this source code is "hidden" (and private to the developer), it could also include malicious instructions to spy on us, to track what we do and to restrict whether we can do something at all.

The question that now begs to be asked is this:

> If we are uncomfortable with such power being vested with a single entity and if
> we agree that it's unfair for such a third party to hold such power over us, why
> do we agree to give away our freedom to such third parties? How can we "need"
> the software so much that compromising on our freedom is an acceptable
> compromise?

What freedom, you might ask. Let me give you an example:

> *If you owned a car, would you agree to let the car manufacturer control
> where you can drive it, at what times of the day and at what speeds? Would
> you also let the car manufacturer control who can sit in the car, what
> languages they could speak, what music they could play and which colour seat
> covers you could have? Extending this absurdity a bit more, would you also
> let the car manufacturer control who can service your car or fix your
> puncture (maybe you can do it yourself or go to your favourite mechanic)?*

The reason we feel that such questions are absurd is because we have a very clear concept of "ownership". If we really "own" the car, then we should be free to do whatever we want to with it (limited only by law and the car manufacturer). Conversely, our freedom to do what we want with it qualifies our ownership of the car. Do we really "own" it, if we can't play our favourite music inside it?

When we claim "ownership" over something, we tacitly understand the freedoms we deserve and have. In the process of having these freedoms, we also reject the power of the car manufacturer over us. We (rightfully) assume that we have these freedoms by default and we don't have to justify why we deserve them.

If we agree to let the car manufacturer control what we can do with the car (i.e. we give away "our power" to them), they can get away with a lot. If they can control what music we play in the car, then by extension they must know what music we are playing in the first place. If they can control where we can drive, then they must know where we are at any given point. If they can control who sits in the car or what languages they speak, then they must necessarily be able to listen or see us all the time.

This is what I meant when I said earlier that power itself is not the main problem. The problem is how this power is used, what it is used for and its potential for misuse.
Because, it goes without saying, "power corrupts". And hence, the only way to escape such "corruption" is to not have so much power with a single entity in the first place. All the more so since it is not within our rights to tell others how they should use their power.

Now, you might agree with me when I say that, given such power with the software developer (or car manufacturer), we don't really "own" the software (or car). Conversely, if we did, then the software developer (or car manufacturer) would not be able to hold so much power over us.

# Escaping and avoiding power

If the source code of the software is what gives the developer power over us, what is the source code equivalent of the car manufacturer's power?

Well - if you look at some of the conditions we've discussed earlier, they go beyond the purview of what a car is essentially about (a vehicle). These conditions now enter into the realm of software again. Hence, if such control were possible by the car manufacturer, then it must be enforced via software that runs in the car.

Because you can open a car's hood and access its engine and axle and other parts, you can usually see what's wrong and fix it. But if you wanted to bypass a limit in the car which only allowed you to play Hindi songs, you would need access to the software that imposes such a limit. If you could access this source code, you could escape, avoid and overcome this limit. If you can't, then, unfortunately, you are at the mercy of what the car manufacturer (and the software developer) allow you to do - which is then determined by their sense of "right" or "wrong", not yours.

Therefore, we can conclude two things:

1. Possessing the "source code" to something is the way to power
2. Since there is software in everything we use today, the developers of such products have a lot more control over us

Now, what would happen if everyone, including you, had access to the source code of the software? Would the developer still be so powerful?
Not at all! Once you've taken away that one thing that enables someone's power, they can't control you any more. So if the software in your car spied on you and if you had the source code for this software and could "fix" it to not spy on you, then you have successfully escaped from the car's control over you. By extension, if you can do it and share how you did it, others could do it too and, as a result of that, have more freedom for themselves.

When the car does not spy on you any more, you now have a "more private" car. This freedom to control what your car does, then, gives you the ability to have more privacy in your car. And so on with everything else.

To summarize, there are three clear ways of taking our power back:

1. Use software for which the source is not private and insist on having the source for what you want to own
2. When we win freedom for ourselves, we also win it for everybody else - having this freedom and power is also a collective and community effort
3. Privacy is a side-effect of being free by way of others not having total power and control over us

# Power is not new - what's new is how it's fueled

Throughout history, and in the current day as well, we find numerous instances of absolute power, its malicious use and the fights of those it oppresses. While a bulk of these fights are incessant, with the aid of technology they've either become more difficult, or a lost cause already.

If you reflect on almost any form of power today, you might find that it is aided, empowered and consolidated via software.

Even when software and technology aid those who desire power, they equally aid those who want to fight against such power. As we discussed earlier, one of the simplest ways of "opting out" of others' power and control over us is to make different choices with regard to the software that we use.

Among the many forms of software, there are four that we should be actively concerned about - if we care about our sustained ability to live freely and privately:

1. when the software itself is not an end in itself but is a gateway to something else, those who operate the service possess considerable power to impact our experience of that service by controlling the software. (e.g. software used to access a banking or payment system, social network or communication system or a content access system)
2. when the software itself is not what is offered (or distributed) but rather a service as a substitute for that software, it gives the software developer (also the service provider) far more control than if they gave us the software itself. (e.g. document collaboration system, a business management or accounting system, an email service and so on)
3. when the software is at the "centre of the internet" and is used to provide a service such as a micro-blogging system (Twitter), a communication system (WhatsApp), a networking system (Facebook) -- and hence, because of its size, pervasiveness and "utility", has the power to direct who we talk to, what we talk to them about and whose voice gets amplified and heard.
4. when the software is closely bound to and inseparable from the hardware it runs on and defines all the useful properties of that hardware (e.g. a mobile phone or network connected gadget, or even a "car")

Each of these forms of software lets their developers consolidate their power and control over us - step-by-step. There is actually a progression here. Let me illustrate:

## A service provided as a substitute for software

By not distributing the software *(type #2 above)*, and instead inviting us to come to their computers to do our computing, the software developer has a unique type of lock-in -- while earlier they controlled what the software did, now they also have access to all the data we create or operate upon with that software.
If the only way to access or use or operate upon this data is to use their software and the only way to access this software is to access their computers (because that's where it runs now), the software developer has absolute power over us. They can now demand anything of us for continued access to the software or our data (email, contacts, files, pictures etc.).

Let me illustrate the gravity of this issue by citing some examples:

1. When we use Google Docs to edit, share and collaborate on files, Google scans the documents for what it might consider a violation of its terms of service (ToS). These scans are done automatically, via a program, due to scale. To flag a document as something that violates its ToS, its programs obviously have to read these documents.

   Here is a news report of a journalist who was locked out of the document she was editing because it violated Google's ToS.

   * https://www.nytimes.com/2017/10/31/technology/google-docs-glitch-bug.html

   Now, while Google could claim that this was an error in its program, it does point to two critical issues:

   - Google can lock us out of our mailboxes or documents without telling us and for reasons that are beyond our comprehension
   - It is the nature of software to have bugs in it. When such bugs affect our daily lives and lock us out of our data, that is not admissible.

   This only points to the power Google has over us and what they can resort to of their own volition.

   A way this situation could be avoided is if we edited the documents using software running on our own computers. Yes - even that software could have bugs and such bugs could impede our ability to do our work. However, what we write is not getting monitored by someone else (unless we explicitly publish something and want others to read it).

2. There are instances where software developers using the popular source code hosting and collaboration system called GitHub were cut off from their source code because of their nationality, in order to comply with US trade law.

   * https://techcrunch.com/2019/07/29/github-ban-sanctioned-countries/

   The challenges of trusting a service like GitHub are the same as the challenges of trusting a service like Google. The points above that apply to Google also apply to GitHub in this case.

   There could have been other ways of using a tool that enables developers to collaborate on software or to publish it.

What such cases highlight is that when we depend upon popular services (such as GitHub or Google) to get our work done, we must not forget that they are still powerful enough to unilaterally cut us out of our data and their software.

What makes the loss of access to such services all the more severe in such cases is that, unless we have a backup, we also lose all our data (documents, photos, source code) in addition to losing access to the software that we were using to operate on our data.

## Mobile apps as a gateway to a website or service

When the gateway to a service (e.g. a shopping or payments or banking system or a communication system) is a special piece of private software, the software becomes a barrier to the service itself. Unless you consent to using this software, you are locked out of the service completely. The software developer does this for two reasons:

1. their special software (as the only way of accessing the service, and hence, the convenience of it) running on your computer (i.e. phone, laptop, desktop etc.) can get a lot more information about you than if you were to just plainly use it via a web browser or some other piece of general purpose software,
2. by giving you a special piece of software as the only way of accessing the service, they don't need to disclose or document how "access to their service works" and hence, no one else can replace their software, or bypass it if it "uses you"

Some examples:

1. Popular chat services such as WhatsApp require users to use a special mobile application to connect to the service and use it. It is not possible for users to opt out of this application or use a competing one or simply use a web-browser in place of the mobile app.

2. Ever wondered why shopping websites keep encouraging you to use their apps? Even when it might be perfectly possible to use them via web-browsers?

   While a popular reason cited for such demands is that of "usability" or "security", there are other aspects of mobile apps that we miss out on.

   It is difficult for a web application or website to track us, know too much about us, know where we are or know details of other people we interact with. However, getting access to our location, contacts, applications we use and so on is very trivial on a mobile phone. A shopping website or chat application can use this data for a variety of purposes.

   While websites and web-applications are getting better at tracking us and profiling us, they will never have access to as much personal data as a mobile application does. It is also true that a lot more data on our phones is very valuable to those who wish to track us and know so much more about us.

   For example, while WhatsApp might not know what we talk about with others, they do know whom we talk to. They then share this data with their parent company, Facebook - which then builds large databases around our connections, how frequently we communicate with them, for how long and whether it is just messages or even voice/video calls.

   Similarly, a shopping website can correlate our shopping and payment choices with our contacts, location, call logs and messages - things that are only available on our phones.
   Using their mobile application, then, puts them in a great position to know so much more about us and use that to build richer profiles of us. These rich profiles are then used to target advertisements to us, change the order in which products might be displayed and give us offers and discounts. While it might look like something we like (cashbacks, offers and so on), the scary part is when this data is made available to third parties or used to influence other aspects of our lives and decision making.

   For example, if you use a Gmail email address for making purchases on Amazon and other shopping websites, Google makes a unique purchase history page for you by reading the order confirmation mails in your mailbox.

   Check out: https://myaccount.google.com/purchases

   More at: https://www.cnbc.com/2019/05/17/google-gmail-tracks-purchase-history-how-to-delete-it.html

   With this sort of rich knowledge about us (products we purchase, for whom, where and when we get them delivered, which payment method we use, how much money we spend on such purchases, at what time of the day we make them etc.), Google can then 'adjust' search results for us, show us competing shopping offers in search results and generally influence us with regard to how we search for information or make decisions.

3. Do you need anyone's permission to install applications on your mobile phone? What if one application said that you could not use it just because another was installed alongside it on your phone?

   The popular digital payments application, Paytm, does this. To use this application you have to grant a very wide range of permissions that go beyond its core function (enabling payments + shopping). Irrespective of the intentions of Paytm's developer, the company does not have the right to dictate what users can do on their phone or not.

   * https://twitter.com/jackerhack/status/1233671815022686208
   * https://twitter.com/kingslyj/status/1233674319135305728

4. There have been cases of people installing stalkerware (i.e. spyware) on the phones and computers of others. Eva Galperin, the Director of Security at the Electronic Frontier Foundation (EFF), gave a very popular TED talk on this subject:

   * https://www.ted.com/talks/eva_galperin_what_you_need_to_know_about_stalkerware

## Software & networks at the "center of the Internet"

There is yet another form of software *(type #3 above)* whose primary function is to "connect us to other people" by giving us a platform to share our thoughts and information about ourselves and ingest similar information about others.

When such software systems become large and popular and serve thousands of users, they enter into a unique problem space -- they are now at the "center of the Internet". Anyone who wants to solve their social networking problem their way now has to go to this service provided by their software.

Given that they operate in the realm of "connecting people socially", they can now exert considerable power in terms of just how they allow us to do so. If they lock us out of their networks (they have the key and wherewithal, after all), we lose the connection to our friends and consequently, our ability to communicate with them as well.

For example: Twitter has a history of banning accounts across its micro-blogging websites and social media platform.

* https://www.livelaw.in/interviews/will-take-twitter-to-court-sr-adv-sanjay-hegde-on-suspension-of-his-account-video-interview-149512
* https://www.thequint.com/news/india/sanjay-hegde-twitter-account-suspended-blames-organised-trolling

While one could speculate widely on the reason behind such Twitter account suspensions, the truth is that there is no clear or transparent process around this and Twitter does not have to cite any reasons for doing this. We need to keep reminding ourselves that Twitter is not a public service but a corporation and it really is free to do whatever it wishes to do on its website.

Here is a larger list of such suspensions over the past few years:

* https://en.wikipedia.org/wiki/Twitter_suspensions

## Hardware powered by software and software distributed in combination with hardware

Almost all of the forms of software described above have one unique thing in common: they purport to provide us with a unique experience in whatever we wish to do via their software by knowing a whole lot about us. Their ability to know something about us, of course, rests on our consent.

What is it that is possible for someone to know about us just by using their software or visiting their website? Quite a lot, actually. But, apparently, not enough.

An excellent way to know more about us is to surround us with more "sensors" - things that can hear us or talk to us or know where we are or know our choices (shopping / music / movies / books), the layout of our homes and so on. Since these are not that easy (or even possible) to do via traditional computers, software developers build enticing hardware products (things) that contain sufficient software to sense us and send this sensory data back to their developers.

The problem with such software is two-fold:

* When such hardware is an extension of other forms of software
* When the software (embedded in the hardware) is impossible to access or modify or fix

Let us look at what software in combination with hardware can lead to:

1. Many cyclists use applications on their phones to record their cycling tracks. There are communities on the Internet where details of such cycling workouts can be shared publicly as well. A critical tie-in to recording one's track is a mapping application - such as Google Maps.

   When we use Google Maps for tracking a route or a location on a mobile device, it also records our location in its location history (this can be disabled as well). Similarly, recording a track saves all the tracking data on Google servers.
   Hence, when the police need to know who was close to a scene of crime during the crime's time-window, they can ask Google for the locations of any people who might have been in the vicinity, as they did in this case:

   * https://www.androidauthority.com/google-location-data-cyclist-suspect-1091027/

   There are many other documented cases of privacy issues arising from the use of mapping applications.

2. Amazon Echo (and Ring) recordings, privacy and crime scenes

   How do voice-activated devices such as Amazon Echo listen to us and interpret our commands? Well - they need to listen to us all the time and then, if they detect what might look like a command to them, they inspect it further.

   There are two side-effects of having such hardware in a room:

   1. The company building such hardware could record whatever it hears in its vicinity. These recordings are heard by human beings working at the company, or even at third-party contractors:

      * https://www.bloomberg.com/news/articles/2019-04-10/is-anyone-listening-to-you-on-alexa-a-global-team-reviews-audio

   2. These can be handed over to law enforcement when the premises become a crime scene:

      * https://www.theverge.com/2019/8/6/20756555/amazon-ring-police-security-camera-footage-warrant-privacy-surveillance

3. Smart switch hardware and more...

   Much of the "smart" hardware available in India enables us to switch on lights etc. using a mobile phone (or even voice commands). The software that ships in such devices requires one to install and use a mobile app to configure them and make them useful. Unfortunately, this mobile app needs to know your location, your phone number and your email address so that you can switch on or switch off a light from the convenience of your mobile phone.

   After you've done that, every time you want to switch on a light in your home, some company a few thousand km away gets to know your desire and sends the corresponding command to the switch hardware to do the needful.
   When you connect such hardware to voice control ecosystems such as Amazon Echo or Google Home, Amazon and Google also get to know about this... thereby extending their knowledge about us and also their surveillance.

   There are other examples of this as well. Apart from switches, there are speakers, televisions, bulbs, doorbells, locks and temperature sensors that not just collect all sorts of information about their surroundings but also store and archive it and share it with third parties... all to offer some sort of convenience to us.

## Makings of an industrial complex

When a single entity builds software that encompasses all these four forms of software, they have endless power and hence, control our lives. As a result of this, we have less freedom and little ability to define our privacy.

Together, this form of developing, distributing and using software creates an "**industrial complex**" where the software developers "*pursue their interests regardless of, and often at the expense of, the best interest of society and individuals. The businesses within an industrial complex might have been created to advance a political or social goal, but mostly profit when the goal is not reached.* *The industrial complex may benefit financially*" (or in terms of its consolidation of power) "*by maintaining socially detrimental or inefficient systems*".

Information about us and control over us *(at the cost of our privacy and freedom)* is, hence, the most important factor that imparts and consolidates power into such "industrial complexes".

## How do we regain power?

While the intent of this article was to create greater sensitivity about privacy concerns with increased software and Internet usage, the way out can be very complex. Much of the convenience that we draw from the software, hardware and Internet services that we now use has become central to our lives. Some of these might even be addictive in nature!

I feel that this dissent against power cannot be pragmatic.
I feel it requires tough decisions that lead to long-term freedom and it all starts with us making personal choices and then extending those choices to our families, social structures, workplaces, schools and other institutions (whichever might be our circle of influence).

While there might be short-term side-effects in terms of productivity and convenience, these are important things to do on our long road to freedom from others' power over us:

* Eliminating (or limiting) the tool that enables others' power over us

  Can we carefully audit our use of various forms of software, hardware and Internet services to check just how much power someone else might have over us? Think about the worst case - what if that service or software went away? What would be the outcome of that? And then - how could you protect yourself against it? From this assessment, we would realise what is essential to us and then replace them with more ethical alternatives.

* Defining privacy via a core and usable value system for choosing technical tools that liberate, empower and protect us

  While the first approach is more of a "top-down" approach (in that it helps us acknowledge where we are right now, what our vulnerabilities are and then how we can mitigate those), this is a more "bottom-up" approach. Let's say you were able to throw out all your software, hardware and Internet services and were now building your technical lives from scratch. Where would you start? What questions would you ask yourself for each of your choices? What sort of value system would emerge from this introspection? Can you extend it beyond yourself to your family or community or workplace as well?

In a second installment of this article, we will look at these questions and some of the answers that would emerge from that. These answers will help you make informed choices about software, hardware and Internet services that respect you.
If you need to make a trade-off, there are ways of limiting your exposure and damage and hence, protecting yourself. We will examine these trade-offs so that you can make choices that work for you and help you strengthen your technical value system.

# Why do we have to justify our right to privacy?

Before I end, I wanted to add a small note about how this might look like a defence or justification for one's privacy or freedom. However, I don't agree that one needs to defend this right with so much rationale. Our presumption of freedom should be as primary as our presumption of innocence.

Let me adapt a passage from Kavita Krishnan's book "[Fearless Freedom](https://penguin.co.in/book/uncategorized/fearless-freedom/)" to our wider discussion about our freedom and privacy:

Original:

> "Why should women provide justifications if they want to walk out on the
> streets alone, even if it late at night? Why do we need reasons such as 'she
> has to work late' .... to bolster such decisions? Is it a crime for women to
> want to go out at night.... ? We do not want to hear the defensive arguments
> that women can only leave their homes to go to work... We believe that
> regardless of whether she is indoors or outdoors, whether it is day or night,
> for whatever reason, whatever she is wearing, a woman has a right to freedom.
> And it is that fearless freedom that we need to save and protect... "
>
> -- Kavita Krishnan, "Fearless Freedom" (preface)

Adapted:

> Why should each of us, as users, have to provide justifications for wanting to
> do things online with privacy, respect and without submitting to tracking and
> data collection by others? Why do we need reasons such as 'our work is
> important' or 'we care about our freedom' ... to bolster such decisions? Is it
> a crime for a user to want their privacy respected?
>
> We believe that regardless of the purpose of why we use online services or
> software, where we use them and for what purpose, a user has a right to
> freedom. And it is that fearless freedom that we need to save and protect...