03 July 2011

P2P, surveillance and breaches

'Privacy as Invisibility: Pervasive Surveillance and the Privatization of Peer-to-Peer Systems' [PDF] by Francesca Musiani in 9(2) tripleC (2011) 126-140 considers surveillance in relation to P2P.

Musiani's article -
addresses the ongoing, increasing privatization of peer-to-peer (P2P) file sharing systems – the emergence of systems that users may only join by personal, friend-to-friend invitation. It argues that, within P2P systems, privacy is increasingly coinciding with “mere” invisibility vis-à-vis the rest of the Internet ecosystem because of a trend that has shaped the recent history of P2P technology: The alternation between forms of pervasive surveillance of such systems, and reactions by developers and users to such restrictive measures. Yet, it also suggests that the richness of today's landscape of P2P technology development and use, mainly in the field of Internet-based services, opens up new dimensions to the conceptualization of privacy, and may give room to a more articulate definition of the concept as related to P2P technology; one that includes not only the need of protection from external attacks, and the temporary outcomes of the competition between surveillance and counter-surveillance measures, but also issues such as user empowerment through better control over personal information, reconfiguration of data management practices, and removal of intermediaries in sharing and communication activities.
In commenting on "the alternation between manifestations of 'pervasive surveillance' of P2P (ubiquitous and generalised search of poten-tial infringers carried out by copyright owners) and reactions by users Musiani suggests that -
the richness of today’s landscape of P2P technology development and use, mainly in the field of Internet-based services, opens up new dimensions to the conceptualization of privacy, and may give room to a more articulate definition of it; one that includes not only the need of protection from external attacks, and the temporary outcomes of the competition between surveillance and counter-surveillance measures, but also issues such as user empowerment through a better control over personal information, reconfiguration of data management practices, and removal of intermediaries in sharing and com- munication activities.
The article initially introduces "conceptualizations of privacy and surveillance that are relevant" -
After touching upon David Lyon’s depiction of the “World Wide Web of surveillance” (Lyon, 1997), it outlines Sonia Katyal’s concept of “piracy surveillance” (2005) as pervasive detection of consumer infringement, and Frances Grodzinsky and Herman Tavani’s argument (2005) that placing the burden of infringers’ identification on copyright owners has opened up a new culture of surveillance, one that entitles copyright owners to pervasively search the Internet for potential infringers.

P2P technology’s history, as Niva Elkin-Koren remarks (2006), has been deeply informed by the frequent, almost overwhelming, association of such technology with one of its possible uses, (illegal) file-sharing.
The article next outlines -
the different generations1 of P2P file-sharing systems' genealogy, starting from the moment in which the public at large first accessed them (Napster, 1999). The genealogy of P2P file-sharing systems is, in fact, a story of tensions between surveillance and counter-surveillance technologies. It is argued that the ways in which P2P systems have taken shape and evolved in the last decade are closely linked to the dialectic between juridico-technical measures restricting P2P-enabled file sharing activities, and socio-technical responses that have shortly followed each of them: in other words, to the constant attempts of surveillance technologies and sharing technologies to outrun each other. In this sense, the genealogy of P2P file-sharing systems is also a history of resistance towards regulation of user behaviour by means of digital surveillance, a concept that is receiving increasing attention in surveillance studies (Hollander & Einwohner, 2004), not only as an umbrella term for protest or oppo- sition practices taking place between the surveyor and the surveilled, but as a "more complex, multi-directional and multi-actor (...) process" (Martin, van Brakel & Bernhard, 2009, p. 214).
The article then introduces third-generation, "private" P2P networks and explores how developers and users of these systems seek to take their main weapon away from copyright holders, by placing a special emphasis on a friend-to-friend paradigm that allows users to join the system only by personal invitation of another user (Rogers & Bhatti, 2007; Le Fessant, 2009; Wood, 2010), shaping privacy as de facto invisibility from pervasive surveillance.

Musiani suggests that -
The fourth and conclusive part opens up to a conception of P2P systems as possible tools for the materialisation of a social, political and economic "opportunity" for Internet-based services. It suggests that, while paramount for putting into perspective the evolutions and developments of P2P systems over the last decade, the "surveillance-and-counter-surveillance" paradigm may entail an exclusively "defensive" conception of privacy; a conception that, while an important one, is only a part of the story. Other parts – enacted daily in a number of projects and applications for P2P Web search, social networking, data storage that are being developed since 2006 – are user empowerment through a better and more nuanced control over personal information, reconfiguration of the balance between users' and service providers’ rights over personal data, and removal of intermediaries in sharing and communication activities – parts that if neglected, may lead to overlook the potential of P2P as an effective, scalable and stable way to distribute, exchange and communicate online, in a variety of ways.
The NSW Privacy Commissioner has released the report [PDF] of its Own Motion Investigation into the data breach at Sydney University noted earlier this year.

In essence, the University has received a warning rather than a penalty, on the basis that it admitted a web application hole had allowed access to personal information but had responded quickly once altered.

The Commissioner held that "The university had not taken reasonably available steps to avoid the risk that the leaks would eventuate" and the exposure was avoidable with "appropriate testing". He commented that -
including public sector agencies, because they enhance opportunities for our prosperity, social inclusion and
convenience. Additionally, these technologies allow significant savings to be made to administration costs because they promote a more efficient management of customer transactions and other communications.

Increasing the uptake of web-based facilities requires public sector agencies to maintain their clients’ confidence that personal information will be protected, whether it be from intentional or accidental hacking into their databases.

Small businesses and individuals, who have limited capacity at implementing effective information protection programs, may at times be unknowingly operating compromised online systems.

Large corporations and public sector agencies have available to them dedicated resources in the form of:
• intrusion detection systems
• sophisticated firewalls
• IT security staff
• chief information officers
• chief technology officers.
This entitles the community to expect from them higher rates of awareness of information security risks and vigilant
breach prevention programs.

Section 12 of the PPIP Act imposes a positive obligation on the University to take all reasonably available security measures to ensure a student’s personal information recorded on the University's web-accessible records through the many transactions students complete on-line does not become available to unauthorised persons and bodies.

Determining what is reasonable requires a balancing exercise that takes into account the following two factors:
• On the one hand, the facilities and specialist staff available to the University regarding the management of its web-based student transaction systems, and
• On the other hand, the awareness the University should have that it holds sensitive personal information about thousands of people, which, if it fell into the wrong hands, could lead to potential physical and financial threats to them, or cyber stalking
However -
In light of the steps the university took to fix the problem and as noted above, and further advice it has provided about the introduction of security reviews and testing of the penetration potential of various information systems, the acting Privacy Commissioner considers that the university responded to being informed of this breach of security with urgency and effectiveness.