GCHQ have the ability to hack into your computer and gain access to your webcam. Are you wary of being watched? Alarge majority of internet users are.
From looking deeply into the content of information captured by GCHQ, I turned back towards consent and the ways in which the security services invade our privacy to discover as much as they can about us. While they may not hack into each individual smartphone in the UK, they still have the capability and capacity to. While doing research, I found an article from August 2015 about Windows 10. The article suggested that, despite being told not to, Windows 10-enabled computers regularly went "online and communicat[ed] with Microsoft's servers." In other words, the computers would send reports and requests to Microsoft IP addresses despite settings intended to allow this being turned off. The article continues to note that some of this traffic is harmless, but also indicates that other traffic is more troublesome, stating "if Web searching and Cortana are disabled, we suspect that the inference that most people would make is that searching the Start menu wouldn't hit the Internet at all. But it does. The traffic could be innocuous, but the inclusion of a machine ID gives it a suspicious appearance." Essentially, when web searching and Cortana are disabled, the computer still sends traffic to Microsoft IP addresses. I, personally, did not find this to be troublesome, but understood the significance of it. As a Mac user, I was aware (and have always been) that my computer sends diagnostic reports to Apple when it encounters a problem. I was interested in finding out the extent to which my computer communicates with Apple and how much it logs each problem on my laptop.
I used a log viewer developed by Apple called 'Console'. Console, which comes preinstalled on every Mac laptop, allows users to "search through all of the system's logged messages, and can alert users when certain types of messages are logged." The application receives a constant stream of messages from the system in the form of log files. These can be navigated to find problems, pinpoint bugs and troubleshoot. Over the course of twelve hours, I documented the problems and other issues that my laptop recorded. In the first hour, 65 A4 pages worth of problems were recorded. After two, an additional 54 pages had been recorded. In the remaining ten hours, 110 pages worth of logs were made. I repeated this process the following day between the same times. In the first hour, only 18 A4 pages worth of problems were recorded. In the next hour, 80 additional pages of logs were made. Over the final ten hours, 122 pages of logs were made.
What is perhaps most unnerving about this piece is the extent to which logs are created and kept without users being aware. Whilst these logs may be harmless and may not actually be sent to Apple, the very notion of having 400 pages containing 8000+ logs from two separate 12 hours periods is incredibly startling. It ultimately begs the question: what has been sent to Apple? What do they know, if anything? It also brings forward a more important issue: users are unknowingly and unwillingly having their data sent to Apple; is there an option for consent? Do users have the ability to prevent reports being sent to Apple, if that is indeed what is happening? The simple answer is yes. According to Apple, information is only sent "with your explicit consent, and is submitted anonymously." Unlike Windows 10-enabled computers, it would appear Mac users have a certain safeguard against their information being sent. What's more, given Apple's recent statement regarding phone hacking and the need for encryption, it would seem as though the company takes a strong stance on data retention and consent. The same cannot be said for Microsoft and the revelations that inspired this piece. Perhaps it's important to question whether Microsoft users have fewer liberties than Mac users? Is the battle between Mac and PC changing to a battle for privacy and security, as opposed to usability and personal preference?
This piece has been displayed on a studio wall on paper as its physical presence brings more of a reaction from audiences. If the piece had remained digital, the full impact of these revelations would not be felt. By placing the logs on the wall, viewers are able to physically see how much a computer works without their knowledge, making them aware of the sorts of activities that may get reported to their providers. Logs have been split up into hourly sections, showing when the computer was most active. In both cases, the logs appear to be most active between 1:00am and 3:00am as these are times when I am often on my computer. If I were to continue with the idea behind this piece, I would continue to print off my logs but would attempt to fill an entire wall. This would achieve the effect that I am looking to portray and would inevitably shock audiences.
Above is an experiment I attempted following the same ideas as the log piece. Every 10 minutes I asked a number of my course mates to screenshot their laptop screens and to tell me the apps that they had open. Each time, I would note down the differences in computer activity. The experiment was, similarly to the above, intending to address the number of logs that our computers make and intended to comment on the Windows 10 article, noting how frequent these logs were. Indeed, students asserted each time I came round that 10 minutes was a shorter amount of time than they realised. The piece was incredibly hard to schedule correctly and involved disturbing other students during their work. The experiment also didn't achieve the result I expected and I quickly brought it to an end, noting that a digital equivalent that did not require human interaction would have been more successful.
Freedom of expression
As my focus continued to shift towards analysing different forms of content and consent, I began to scrutinise my own social media feed and the ways in which my friends utilised it as a form of expression. Facebook, in my eyes, has always been a powerful medium for expressing and sharing opinions amongst the world. It connects me to my friends halfway across the world, as well as those in the room next door. It allows me to remain as part of a network and enables me to communicate my opinions, either publicly or privately, to people in my social circles. Facebook's creator Mark Zuckerberg even asserts that the website's mission is to "connect the world," something I believe it does incredibly well. Yet, I noticed through closer inspection that Facebook had become less of a platform for conversation, but more one for sharing enjoyable content. Much like a TV or video games, Facebook was (and is) simply enjoyable because the content that it shares is engaging. The majority of it, however, does not push at the boundaries of expression; the content is created simply to be funny or confusing. Very rarely is Facebook used as a political tool (by my friends, anyway).
Over the course of two days, I screenshotted every post that I believed was utilising a person's freedom of expression, that is that it was commenting on something that, in certain countries, would be handled with caution due to censorship laws. These posts were often political and often came with an interesting or intriguing caption. I found over this period that a lot of my feed was filled with droll videos and planned selfies, and very little of it was dedicated to speech on politics. A number of outlets, such as Vice News, provided an exception to this rule. I found, however, that in most cases Facebook was simply a tool used to boost a person or groups' ego or to show what one person finds amusing. While I did not find this generally troubling, it did answer a number of questions.
One recurring question that concerned me was: why are people not engaged in politics? Why are some students just not interested in politics at all? The answer to this most likely lies in my social circle; the friends that I associate myself with may not be the type to advertise their political opinions on Facebook. Perhaps, this is a blessing. Yet, this ultimately creates a problem for the style of art I am trying to create. In order to engage in a conversation and debate, students need to be aware of the issues that are predominant for our generation. In this case, it is surveillance. Yet, despite this, I have never seen a single friend of mine post an update commenting on spying techniques or, indeed, the new surveillance bill that is currently being passed through parliament. Again, this might simply be down to the people I associate myself with, but it is slightly worrying. What this teaches me, however, is that perhaps my art would perhaps succeed more (i.e. create a stronger debate) amongst law students or politics students. Maybe they will have more to say about it?
This conclusion brings me to the crux of this piece. The piece was intended to look at the ways in which people within the UK use Facebook as a means of expression. Can a group of people who are spied on by their own government ever be free? Will the same liberties that are available now be available once the new draft bill is passed in April (should it succeed in doing so)? With the increase in surveillance powers bringing the inevitable rise of CNE (computer network exploitation) by GCHQ, will we be able to maintain our freedom of expression, and even if we can't, will it matter? Is Facebook actually used as a mode of expression or is it solely a platform for uploading your latest selfie in an attempt to rack up likes?
This piece is described as an experiment as it doesn't generally fit in with the definition of art. It, more so, fits under the category of research. Yet, to make this definition is to say that art has predisposed boundaries, something that contemporary society must move away from. My work can be defined as art because it addresses an important issue directly, creating awareness and allowing a conversation. The way my work is displayed also allows it to be defined as art.
The piece is also defined as experimentation as I did not consider it to be strong enough or developed enough to be submitted as a full piece of work. The project was originally intended to go on for longer than two days, but the amount of content littering my Facebook feed made it impossible for me to keep up to date.
Read more about the inspiration and ideas behind this piece here.
In addition to creating the video in response to the IPT ruling over GCHQ's computer hacking methods, I also created these fake screenshots alerting users to GCHQ activities on their iPhones. The alerts satirically make audiences aware of the capabilities that the security services have and the methods they use to hack into peoples' phones. Each screenshot is crafted from scratch on Photoshop and alerts users with different warnings. For example, the first screenshot shows a user on the Privacy International webpage. Privacy International are a campaign group seeking to "ensure that surveillance is consistent with the rule of law." The group took GCHQ to trial, accusing them of breaching the publics' basic human rights by hacking into computers, smartphones and other networks. The screenshot plays on the idea that anyone who visits this website is automatically targeted and hacked because they are seen as a "threat". This notion is continued in the next screenshot. This image shows a video shared by The Guardian's Facebook page with the caption "we are becoming a society in which censorship is the new normal." Again, the image plays on the idea that those who are aware of the extent of censorship and surveillance in this country are the ones who are targeted and silenced. This screenshot, however, may not be entirely accurate as Facebook has previously asserted that it does not grant GCHQ or the NSA access to user's information via a "back door." Despite this, the notion that GCHQ has the ability to hack into people's phones while they enter the app is still valid and shows the extent to which hacking can affect the regular citizen.
Each screenshot addresses a different aspect of the phones hardware/software that the security services has admitted to hacking into. Cameras, locations and messages are all alerts that are tackled in this piece, as well as the department's ability to install malware and tracking software onto the phone. An additional screenshot reading "GCHQ is trying to, but is unable to, access Whatsapp." was created to comment on the department's inability to access whatsapp messages due to encryption methods used by the app.
The piece is displayed on an iPhone screen to provide a sense of authenticity. By displaying the images on an iPhone screen, audiences get a sense of the techniques that the security services use to access their phones and what to be cautious of, should they feel the need to show caution. The images were constructed from scratch as the quality of a regular screenshot was not good enough to display.
How much do they have?
On 12th February 2016, the investigatory powers tribunal (IPT) ruled that the hacking of computers, networks and smartphones in the UK and abroad by GCHQ staff did “not breach human rights” (Bowcott, The Guardian) and was “within the law” (Wheeler, BBC News). The ruling came after the campaign group Privacy International and seven other international internet providers claimed the hacking operations were too intrusive and broke European law. In the trial, GCHQ admitted that it “carrie[d] out CNE [computer network exploitation] within and outside the UK,” for the first time. They stated that “in 2013, about 20% of [their] intelligence reports contained information derived from hacking.” Despite calls from large swathes of organisations, such as Facebook, Google, Yahoo! The Law Society and Bar Council and the National Union of Journalists, to curb the extent of disproportionate surveillance and the introduction of a new surveillance bill (dubbed the Snooper’s charter) later this year, these demands have been met with a silent ear. These revelations and the possible instigation of this new bill will ultimately bring the death of cyber security in the name of national security.
In an attempt to address this issue, I wanted to look at the content that was available to GCHQ through CNE, as well as directly confronting the practices that they engage in. I created a short video (shown above) depicting the capturing of my information and the methods that are readily available for the security services. The video shows a computer hacking into my iPhone, listening in on an actual phone call with my dad (that he did not know was being recorded), watching my activity on the phone and spying on a conversation between my flatmate and I (a conversation that he also did not know was being recorded). Prior to hacking into my phone, the video provides a profile of all the information that GCHQ has on me, based on data revealed by Edward Snowden and articles regarding the extent of surveillance prior to 2013. The profile names everything from my full name and birthday to frequently used apps, active social media accounts and education history. All the information provided is easily available through CNE and depicts the extent to which GCHQ can snoop into people’s lives.
What is most shocking for audiences experiencing the piece is the extent to which they can discover things about me. Through accessing my screen, viewers can gage my popularity, how active I am on social media and who I talk to, whilst also having the ability to read my messages amongst other things. Through hearing a conversation with my dad, viewers have the capacity to snoop in on my life and get a sense of the relationship I have with my family (the fact that I am thanked for buying flowers on mother’s day suggests a healthy relationship). What’s more, through listening in on a conversation with my flat mate, viewers can discover my opinions, the things I discuss with my flatmate and the activities that he and I get up to (in this case, it is him smoking marijuana). All of these small bits of information help audiences gage more about me and give them a certain power over me. As was written in a Guardian editorial on 1 March “Knowledge is power, and the number of fallible human beings who possess it – and perhaps misuse or mislay it – could soar.” Giving the audience this power over me as a member of society depicts the very dangers of GCHQ’s powers over the citizens it is seeking to protect. As Carly Nyst writes: “that privacy will be eroded as a result of a process that flaunts democratic tenets serves only to add insult to injury. It is not only democracy that the government has treated with contempt but the British public.” The piece furthermore shows how hacking into people’s phones can provide an incredible amount of information in such a short space of time.
The aim of the piece, like my work from last term addressing similar issues, is to make people aware of the dangers of mass surveillance; to enable and start a debate about an issue that has been hidden under the rug for an extended period of time. The piece acts like a visualiser for the notion that Edward Snowdon put forward: that of an open debate between the government and the people. By making students aware of these spying techniques and providing them with the tools to construct their own opinions and arguments, they can choose whether to fight for their privacy in the political arena, or to step back and make clear that it is not an issue that bothers them. The latter is something I have surprisingly come to expect from my course mates.
The piece was created as a video as this medium is able to capture and display the key elements of phone hacking: phone calls (audio), microphone hacking (audio) and screen capture (visual). The piece was created using Final Cut Pro X. The phone call with my dad was recorded using the Call Recorder iPhone app. The app does not have the ability to record calls to landlines, so all calls were made via mobile connections. This created limitations as I received a number of calls from landline phones over the course of the recording week. All working calls, however, are genuine and recipients did not know they were being recorded. The iPhone screen was recorded using Quicktime Player. The date was reset to coincide with the two audio recordings, but the clock reset itself to 9:40 when being recorded. There was no way for me to change this. The audio recording of my flat mate and I was recorded using the voice memo app on my iPhone and is a genuine conversation. All of the information provided in the profiles at the start are genuine. As a result, the video is listed on YouTube as ‘Unlisted’, meaning only those who view this blog are able to watch it.
Below are two more calls that were recorded on the same day but failed to connect.
How much would you give up?
Having looked at mass surveillance and data profiling last term, my focus began to shift towards content and consent. I wanted to focus more on the substance of the data being collected, i.e. the content of the messages or details that were being stored, and the willingness of students within the internet community to give up sensitive or personal information when asked for it. I was partly influenced by the number of spam emails that had accumulated in my junk folder in the twelve or so years I had been using my email account, and the different methods these companies used in trying to capture my sensitive information. I was also, mainly, influenced by Facebook and the ways in which external, third party apps often ask and require access to people’s profiles in order for users to access new or different content. Users, myself included, regularly accept the terms and conditions of these apps without reading or even considering what they may have access to, or the implications of allowing these apps to view the information contained within our profiles.
I decided to create a fake phishing letter purportedly from GCHQ and Lancaster University. The letter, which I created using photoshop (seen below), stated that GCHQ was working with universities across the country to conduct research for a project called ‘The Student Database’. The project, which does not actually exist, allegedly provided GCHQ with “essential security information that [could] be used to protect social media and online accounts.” The letter continued to assert that participation in the project “also determine[d] the University’s eligibility for extra government funding and aid[ed] in securing [students’] personal details from any future attacks.” Attached with the letter was a questionnaire that students had to fill out, as well as guidelines on how to fill out the questionnaire properly. Students were promised that:
“all information [would] not be passed on to third party companies and [would] not be used against [them] in anyway.” Continuing by noting that “The University [had] no authority to read or distribute [their] information, unless [they] dictate[d] otherwise.”
Despite these promises, however, there was no way for the students to be certain that their information was secure. In the final paragraph, the letter states:
“By signing the agreement below, you agree to the Terms and Conditions of The Student Database and accept that GCHQ cannot be help liable for any data breaches or errors surrounding the loss of your data while it is not in their possession.”
This sentence was essentially stating that, if the completed letters were lost or stolen in the post, students would have no one but themselves to blame.
The main aim of this piece was to address peoples’ activities on the internet; to explore the ways in which users willingly give up sensitive information without questioning who is asking for it, why they’re asking for it, or even if those asking for the details are legitimate. It was intended to establish a debate about internet security and one’s loss of privacy and identity on the net. While creating and distributing this piece, I completely understood the risks I was taking and the possible consequences that could come as a result. Due to the fact that the letter was masquerading as a document from the university and GCHQ, and the fact that it was falsely signed by Head of LICA (Lancaster Institute of Contemporary Art) Frank Dawes, I knew that there was a big risk that the letter would get reported, and that I could get in serious trouble. For my own safety, I discussed the piece openly with a number of students on my course so that they would know that my intentions were not malicious. These students would then act as witnesses should I need them to support me.
On 29th January, I distributed the first version of the letter to 20 students. This letter had a hand-written envelope as opposed to a printed one. Consequently, three students uncovered that it was me and this version was quickly abandoned. I later reprinted the student’s names and stuck them on the front of new envelopes with tape, allowing me a second attempt at the piece. Whilst this did not look as professional as address labels would have done, I could not find a shop that sold address labels on campus. The letters were redistributed to the same 20 students (excluding the three students now aware of the piece) the following week on 1 February 2016.
A timeline of events can be seen below.
What is perhaps most shocking about the piece was the extent to which students filled out the questionnaire. In some cases, students filled out the entire document, giving passwords and credit card numbers willingly. In others, students ripped up their questionnaires, refusing to take part at all. In the majority of cases, however, students filled out general details such as name, date of birth, email and address, noting that this information was not significant to them. Yet, what many students fail to acknowledge is that these details are incredibly important for identity thieves as they provide the basic initial steps for creating new accounts. As Man vs Debt states in an article outlining the pieces of information that identity thieves crave, email addresses, full names and dates of birth featured 13th, 3rd and 2nd respectively on a list of 16 items, noting that “finding your full birth name and common aliases is the base for everything else!” and that the value of obtaining someone’s date of birth “lies in the fact that it’s used in the creation of nearly every account. It’s also one of the most common and easily-used pieces of information to verify existing accounts. Along with the one before it and after it, this comprised what I like to call the “Big 3″ of your identity.” What’s more, by revealing their addresses, students give thieves the means to visit and rob their houses for additional information should they be interested in doing so. Whilst the likelihood of such a thing happening are slim, this piece was intended to show the dangers of revealing this information.
What is also interesting to note about the piece is the information students were not comfortable with revealing. In the majority of cases, students were understandably cautious with revealing their credit card numbers and phone serial numbers, but were also wary of disclosing their recent locations and amazon purchases. When approached and asked their reasons for this, many noted that they didn’t feel like it was information that the government needed to know. This answer also applied to many of the other pieces of information that the document asked for, with a number of students noting that their student ID numbers and computer IP addresses were not things that they thought were important for the government, or anyone, to know. A number of students additionally noted that they gave false information in a number of sections as they did not completely trust the letter. While they trusted the university, they found the letter to be incredibly intruding and invasive. This was perhaps the most intriguing idea to arise from the letter: trust.
In interviews conducted after the piece was brought to a close, students were asked whether they thought they should have contacted the tutors to ask whether the letter was legitimate or not. All students responded by saying that, because of the trust they had in the university and in the department, they didn’t feel as though it was necessary to contact the tutors. They believed that the student representative (the lead actor in the piece) would not give them a fraudulent document without voicing his own concerns. This gave many of the students reason to fill out the letter without properly questioning it. What’s more, it meant that some students gave more than they would normally have done.
A shortened edit of the video can be seen below, with key answers from students left in.
A key question that arises from the piece is its tangibility: why was the piece created as a letter and not as an email? Why was it distributed as a physical object when the subject it intends to comment on is digital? In my own mind, it would have been very easy for students to simply ignore an email, especially if they thought that it was phishing for their information. By distributing the letters physically, the project is given a sense of legitimacy and urgency as it is very rare that a student will receive a letter. By being given it personally, the letter appears to be of some significance and provides an author for the piece (LICA - Lancaster Institute of Contemporary Art). If the project had been completed as an online survey, the author would have been stripped of its legitimacy as it is incredibly easy to pretend to be someone you’re not online, a concept that the piece itself addresses. What's more, by creating a physical object, the piece can be displayed allowing it to be described as a piece of art. As one student noted in their interview, the act of creating these questionnaires is not art, but the way in which they are displayed is. Each questionnaire is hung with the envelope it came in, as well as the signed consent form and a transcription of each students interview.
The overall response of the university and the students to the piece was far more varied than I anticipated. I believed that some of students would not fill out the questionnaire at all, but that other would fill out certain areas. I did not believe anyone would completely fill out the document and was astounded that 3 people did. What is interesting to note is that every student was cautious about the letter, but only 2 students looked up ‘The Student Databse’ and GCHQ online to see if the programme was legitimate. These students retracted their information soon after discovering that it was fraudulent and handed the letters back. In my opinion, the way in which the university responded to the piece shows weaknesses in the system in place. When asked whether they thought the university responded well to the threat, a number of students noted that they hadn’t heard anything from the university and only knew that there was a problem through me. This ultimately calls into question the protocol that the university follows in attempting to get to the bottom of a threat such as this one. I believe the university could have completed a number of steps that would have been more beneficial: