Recently, our CEO Jon von Tetzchner was invited to voice his thoughts on privacy at the European Cybersecurity Forum in Krakow, Poland. Jon and Warwick Ashford (Security Editor, Computer Weekly ) had a chat on the state of privacy today. As technology advances we are presented with a choice – will it continue to offer an overall benefit to society, or will we allow it to be used as a tool for total intrusion into our lives?
Food for thought. Watch the video in full below or scroll on to read the highlights in the transcription below.
https://www.youtube.com/watch?v=x7n1Q61DASA
(This transcription has been edited slightly for clarity)
Warwick Ashford: Most people, I guess would know who you are but could you just give us a brief background. Tell us why are you so passionate about privacy?
Jon von Tetzchner: My name is Jon von Tetzchner. I’ve been on the Internet – should we say, the web from the very beginning. I feel a certain ownership of it in some strange way. I started to work with the web in 1992 and at the time our group set up the first web server in Norway. It was the starting point for Norwegian web – one of the first 100 in the world. Kind of been there from the very beginning and then I founded a browsing company with Geir Iversøy.
WA: As you do….
JvT: Yes. We started working on it from mid-1994. I’ve been doing browsers for a really, really long time and as I’ve seen the internet evolve from the very beginning when it was just simple documents. So, did the Opera browser for 17 years – most of the time as a CEO and then quit the company and was thinking I would do something else. Now back in the browser business doing Vivaldi.
WA: Why Vivaldi? I’ve got to ask. I mean it’s logical progression perhaps from Opera to Vivaldi but just quickly, why? I love the name.
JvT: There’s a need for something different. My feeling is with the older browsers, there’s been a focus on the business model. I would like to focus on the end-user and provide the best possible tool for those of us that spend a lot of time on the Internet. After I left Opera, it went in a different direction, more like the others. There was a need in the market for something different. That’s why we felt the need to go out and build another browser.
WA: I’m sure there’s no one here who hasn’t felt some concern about the erosion of our privacy. It has become more and more dependent on the Internet and there are two aspects of this. On one hand, we’ve got Liberty organization taking on the government because our government has chosen foot in some rather what some people consider to be Draconian legislation.
We have Investigatory Powers Act which enables the state to access all our information without any suspicion. On the other hand, you’ve got citizen activist, Max Schrems, trying to get action further out of Facebook on the exchange of information there.
Let’s look at the ‘state’ thing first. I’m going to play devil’s advocate a bit here. Do you feel that we have less privacy now than we did before?
JvT: Before when we would go for a walk no one would know where we are going. Now you go for a walk or when you go into a cafe and it says, ‘Hey! You’re at cafe X. Do you want to write a review?’
WA: True...
JvT: The amount of information collected is massive. There are cameras on every corner. Basically, with the mobile system, we are tracked all the – through GPS technology, mobile, and the like. So, all our movements are traced. We now have nice cool technologies like voice where everything we say is being recorded and sent to servers and then handle there. It is a significant problem and you just add this all together.
WA: So then to go to the other extreme. Do we have any privacy now? Is that a reality at all? What if there is there is no privacy? Are we there, already?
JvT: In many ways, there’s more tracking now. We have really come far. The amount of information that is collected is insane. And sadly, it’s also then available for commercial use.
There was a time when Norwegian spy chief was dealing with questions and he said, “You guys you shouldn’t worry about me. We don’t collect that much information. The commercial companies do.”
In Norway where I used to live, I feel that would be true. I would trust the Norwegian government to collect no more than needed and only use in the right way. Obviously, what we are seeing on the commercial side, there’s a lot more information being collected. It’s not being used in the best possible ways. It’s used in the worst possible ways. You’re using big data analytics to provide the best ways to target people and it’s being used for commercial purposes.
WA: We’ve gone down the commercial route. Are we not all somehow to blame that we’ve signed up to these services? We’ve provided information. So, isn’t it kind of strange to think that on one hand, we’re kind of worried about our privacy but we’ll give up the personal data quite freely and sign up to all these services? We have the location services turned on and out on our phones. Aren’t we to blame partly for the commercial side?
JvT: No. I don’t think companies should be able to say – “Okay, you can’t use my service unless you give me all your information.”
I think it’s totally unreasonable. For any kind of information, it should benefit you as a customer. If you look at recent situations in the U.S, you kind of get the feeling who is the customer? (with regards to Facebook). There’s this talk of these thousands of ads that have been placed on Facebook and obviously, I mean you’d expect – these ads placed on Facebook should be easy to see. Most advertisers would like their ads to get more exposure. And in any case, shouldn’t those be more available than our information? The question is – “Okay, why is it like that?” It is because those advertisers are customers and we are merchandise. To me, this is just plain wrong.
We must look at technology. Is technology doing things that are good for us or bad for us? We have some examples of how great technology is being used for bad things. And that’s where the governments and regulators come in. To keep the citizens safe. They basically track you everywhere. It’s a bit creepy. From that perspective, why should we be asked to give that information? I mean even when you install the latest version of Windows 10 and have the quick route, it is the level of the information that we are being asked to give up voluntarily. It is placed on us. It basically says: This is your problem of what is collected but it’s actually a ‘society’ problem. We are letting everyone’s information be collected like this and most people are not technical enough to understand this. When you’re collecting all this information about all those people, it’s a question of what does that do to our society? Is the targeting that is made available here reasonable or not? It can be reasonable and nice for small companies at times but I think the negative is just so much bigger.
WA: Don’t you think we’re quite fortunate here in Europe that we’ve got the GDPR. Our compliance goes into effect not too long in the future, so that piece of legislation is looking far better than in the US. We have this new legislation and in the UK they’ve adopted new parallel legislation that reflects it. Consumer rights and right to privacy is something that’s been entrenched in that legislation.
JvT: No. It’s not consumer rights. This is not about your data or my data. It is a much bigger issue because of the targeting opportunity that is being provided.
This is a serious security problem. We are having so much data being placed in this cloud. The internet was built to be safe. Going back in the early days of the web, one machine would go down because it was made for military use. If you would attack one machine, the system would not collapse. By having all those centralized systems, you’re making the system a lot more sensitive. I would look at how can you do more distributed systems. I would look at the Internet of Things and try to improve on the state of things rather than have a situation where we say – let’s get rid of the Internet of Things because it’s kind of a problem.
Yahoo is a brilliant example where three billion accounts were hacked in one go. When I was dealing with competing with Microsoft and the like, I remember when we were always doing a lot better than them in every test on security because we were closing our security holds a lot faster than they did. They said that the reason why we have more holes is that we were a bigger target. They had a point. Now obviously, they should have fixed their security issues a lot quicker but the reality was those bigger targets were a problem and when we are building what was the distributed system. Similarly, we’re talking about power plants. What if we had everyone had solar, it would be a lot more difficult system to break. We have to think in the right way even about distribution systems. In this case, the fact that we are being forced to give up our privacy as if that is something natural is actually a security problem.
WA: The argument is that all these services make our lives so much easier. It is more convenient and this kind of data enables them to deliver more apt advertising. Do you think there’s a balance to be struck between providing appropriate services like advertising and other things that are tailored to the individual and the very real security and privacy concern?
JvT: You’re talking about two things at the same time. If you look at the services, you can provide those services and still not collect all the data. You need some of that data and then you can say you can use that data to form the service. Now when it comes to the ads, there is value there for certain companies and the like. I see there is a problem there but for the end users, I think most would be just fine with getting that we used to get. By the way, we would still get relevant ads because let’s say if you’re a geek, you’d go to geek pages and you would get geek ads. You wouldn’t get an ad for women’s clothes or something like that. Now, we just might. If I look at underwear for my wife, I will see underwear on every site I visit. It looks like I’m a creep. Things have gotten worse from that perspective.
WA: But how do you police this? I don’t disagree with you at all but we’ve got things like the Android apps. One of the biggest issues is when you agree to the end-user license, the EULA. You agree for them to be able to turn on your microphone and all this kind of stuff. Is this something that the government could realistically….?
JvT: Realistically, a regulation exists. Obviously, you can regulate this and ideally, this would be something that should be done both here and over the pond. I’m an optimist which is why I don’t just accept that this is the state of affairs and this came from a certain territory. For the longest time, we did not have this kind of tracking or this kind of targeting on the Internet. A lot of this is recent. From that perspective, it’s not that difficult to go back. It will be a change for some business models but I’m pretty certain that these companies will do just fine with a business model that doesn’t treat their customers as merchandise.
WA: Don’t you see the GDPR are addressing that in any respect? I mean people will have to opt in or they will have to give their consent.
JvT: This would be really simple: no opt-in or no opt-out. Only regulation. Period.
I don’t know what happened to the rules and regulations. If I get information from my customers, I will not share it with anyone else. Not without their permission. If I visit your site and another site, typically what happens is that the other side knows about what happens on your site. How did that happen? My relationship is with your site. Why is my data available on that site? The fact that you’re using the same content, you may be using Google for ads or Google Analytics or something. Why is that information then available across devices and sites? I don’t think it’s natural. The treatment of the customers’ data is sacred. You have to keep it safe. You do not share it with others and if you share it with others, you’re at the very least breaking some ethics and morals. There may be differences between many countries but I think privacy is important and in this case, privacy and security go hand in hand. The level of information that is being collected is a security problem.
WA: On the way the UK looks at it because now our Prime Minister pushed those new legislation. For her, the equation was simple – for better state security, we need to be able to access this information. Things like end-to-end encryption are making policing and counterterrorism more difficult. On one hand, you’re saying because of a lack of security in the likes of Yahoo, it’s a privacy issue but the UK is arguing that we need to be able to access this stuff to make you more secure. Is there a happy middle ground to be found in the trade-off between security and privacy?
JvT: I think one of the simple things is for commercial use. There’s no reason to do this. Part of the problem is even if you’re doing it and a lot assuming you’re living in a country where you trust your government and assume that they’ll do right and a part of the problem is that not everyone does. For the tech companies that are having to deal with being in multiple countries, this becomes a dilemma. This collection of information that’s being collected is also security. Even the government has a tendency to be hacked. We could manage fine without collecting all this information and limit the collection significantly with stricter rules.
We are all being mapped today into different groups. We’re getting propaganda and advertising based on who we are. The propaganda side is ugly whether that’s done by foreign powers or just scrupulous political parties or individuals.
WA: I like this idea that we can just take a step back and sort of go roll back to a previous good state but what did we do in the meantime? What can individuals, organizations and service providers/developers do to kind of go forward to go back? How do we do that?
JvT: This is a difficult problem to solve. If few of these larger companies would say that they will change their ways and will not collect this data and not provide targeting – I think that’d be great. I even think many of them would like to do that because there are a lot of good people that work at these companies but how do you square that off?
If the government tells them to do it, it’s much more likely that they will and I really think that this needs to be done. I find it very difficult because people ask me, “What do you do for security for your users?”
Choose a good browser that doesn’t track you – like us. Use a good search engine that doesn’t track you, like DuckDuckGo. Then you go from there.. but you quickly get to install Tor or you need to go on the black net and as we heard earlier that anyone that’s on the black net is a bad person which obviously is untrue. Basically, we’re telling people to live reasonable private lives and go underground. I mean, come on…
WA: Do you think that it’ll make a difference for people to demand a greater privacy and security controls?
JvT: This is not about control and individual. This is about regulation. This is about what is collecting on us, collectively. This is a nuisance. We spent so much time talking about propaganda and fake news now. For every election, there’s this talk of this being part of a problem. The problem can be fixed but you will have to change some regulations and it will hurt some bottom lines. But you have to think about the about society as a whole.
WA: It’s the bottom line that worries me because at the end of the day, it is the commercial imperative. One organization is not going to peddle back when their competitors are doing it. One can get competitive advantage out of doing it and if the government doesn’t have the political will to do it because the big companies that support it are making their money that way, particularly in the U.S. Is the reluctance of government to anger big business particularly big?
JvT: Money in politics is such a big problem. I wish if everyone wants to get some good advice should go to Norway. They have rules and regulations. No political ads. We have significant problems with money in politics. It is a difficult discussion because you’re talking about major companies with significant cloud and you need to get them to do the right thing.
WA: So, who’s got to give the impetus? What do you think individuals and organizations can do?
JvT: We need to handle this sooner rather than later. We’re dealing with this problem on a daily basis. Living in the US, we are definitely seeing it. There are multiple sides. The political side of this and basically doing what’s right for the world needs to come first.
There is no way to fix this on an individual basis. You and I can both go to dark. It doesn’t change the picture. There needs to be a change so the money in politics is visible.
The quickest and simplest fix – stop the collection of information. Stop the targeting opportunities and you have a lot solved.
WA: What is your kind of takeaway for this audience because I should imagine most people here because of they work in cybersecurity and related industries are very keenly aware of this problem and how can they as collectively address this problem?
JvT: My impression from having been at these conferences is that quite a lot of people don’t get this. It’s been quite fascinating for me to watch because the focus is on the security on an individual level, companies, and the government but they’re not thinking about the bigger picture. Seemingly, we are all talking about things like fake news and propaganda on the internet and everyone says that it is bad. I’m not saying to fix all problems but it would reduce the problem quite significantly. If you think this is a big problem for society, then we should do something about it.
WA: Please join me in a big round of applause for Jon von Tetzchner. There is a fix. It’s in your hands. Stop collecting the data.
Goodbye, everyone.