Data and information - Second Year, Term 2 (1/4)

​How much would you give up?
​Having looked at mass surveillance and data profiling last term, my focus began to shift towards content and consent. I wanted to focus more on the substance of the data being collected, i.e. the content of the messages or details that were being stored, and the willingness of students within the internet community to give up sensitive or personal information when asked for it. I was partly influenced by the number of spam emails that had accumulated in my junk folder in the twelve or so years I had been using my email account, and the different methods these companies used in trying to capture my sensitive information. I was also, mainly, influenced by Facebook and the ways in which external, third party apps often ask and require access to people’s profiles in order for users to access new or different content. Users, myself included, regularly accept the terms and conditions of these apps without reading or even considering what they may have access to, or the implications of allowing these apps to view the information contained within our profiles.

I decided to create a fake phishing letter purportedly from GCHQ and Lancaster University. The letter, which I created using photoshop (seen below), stated that GCHQ was working with universities across the country to conduct research for a project called ‘The Student Database’. The project, which does not actually exist, allegedly provided GCHQ with “essential security information that [could] be used to protect social media and online accounts.” The letter continued to assert that participation in the project “also determine[d] the University’s eligibility for extra government funding and aid[ed] in securing [students’] personal details from any future attacks.”  Attached with the letter was a questionnaire that students had to fill out, as well as guidelines on how to fill out the questionnaire properly. Students were promised that: 

“all information [would] not be passed on to third party companies and [would] not be used against [them] in anyway.” Continuing by noting that “The University [had] no authority to read or distribute [their] information, unless [they] dictate[d] otherwise.”

Despite these promises, however, there was no way for the students to be certain that their information was secure. In the final paragraph, the letter states:

“By signing the agreement below, you agree to the Terms and Conditions of The Student Database and accept that GCHQ cannot be help liable for any data breaches or errors surrounding the loss of your data while it is not in their possession.”

This sentence was essentially stating that, if the completed letters were lost or stolen in the post, students would have no one but themselves to blame. 

The main aim of this piece was to address peoples’ activities on the internet; to explore the ways in which users willingly give up sensitive information without questioning who is asking for it, why they’re asking for it, or even if those asking for the details are legitimate. It was intended to establish a debate about internet security and one’s loss of privacy and identity on the net. While creating and distributing this piece, I completely understood the risks I was taking and the possible consequences that could come as a result. Due to the fact that the letter was masquerading as a document from the university and GCHQ, and the fact that it was falsely signed by Head of LICA (Lancaster Institute of Contemporary Art) Frank Dawes, I knew that there was a big risk that the letter would get reported, and that I could get in serious trouble. For my own safety, I discussed the piece openly with a number of students on my course so that they would know that my intentions were not malicious. These students would then act as witnesses should I need them to support me.

On 29th January, I distributed the first version of the letter to 20 students. This letter had a hand-written envelope as opposed to a printed one. Consequently, three students uncovered that it was me and this version was quickly abandoned. I later reprinted the student’s names and stuck them on the front of new envelopes with tape, allowing me a second attempt at the piece. Whilst this did not look as professional as address labels would have done, I could not find a shop that sold address labels on campus. The letters were redistributed to the same 20 students (excluding the three students now aware of the piece) the following week on 1 February 2016.

A timeline of events can be seen below.

What is perhaps most shocking about the piece was the extent to which students filled out the questionnaire. In some cases, students filled out the entire document, giving passwords and credit card numbers willingly. In others, students ripped up their questionnaires, refusing to take part at all. In the majority of cases, however, students filled out general details such as name, date of birth, email and address, noting that this information was not significant to them. Yet, what many students fail to acknowledge is that these details are incredibly important for identity thieves as they provide the basic initial steps for creating new accounts. As Man vs Debt states in an article outlining the pieces of information that identity thieves crave, email addresses, full names and dates of birth featured 13th, 3rd and 2nd respectively on a list of 16 items, noting that “finding your full birth name and common aliases is the base for everything else!” and that the value of obtaining someone’s date of birth “lies in the fact that it’s used in the creation of nearly every account.  It’s also one of the most common and easily-used pieces of information to verify existing accounts.  Along with the one before it and after it, this comprised what I like to call the “Big 3″ of your identity.” What’s more, by revealing their addresses, students give thieves the means to visit and rob their houses for additional information should they be interested in doing so. Whilst the likelihood of such a thing happening are slim, this piece was intended to show the dangers of revealing this information.

What is also interesting to note about the piece is the information students were not comfortable with revealing. In the majority of cases, students were understandably cautious with revealing their credit card numbers and phone serial numbers, but were also wary of disclosing their recent locations and amazon purchases. When approached and asked their reasons for this, many noted that they didn’t feel like it was information that the government needed to know. This answer also applied to many of the other pieces of information that the document asked for, with a number of students noting that their student ID numbers and computer IP addresses were not things that they thought were important for the government, or anyone, to know. A number of students additionally noted that they gave false information in a number of sections as they did not completely trust the letter. While they trusted the university, they found the letter to be incredibly intruding and invasive. This was perhaps the most intriguing idea to arise from the letter: trust. 

In interviews conducted after the piece was brought to a close, students were asked whether they thought they should have contacted the tutors to ask whether the letter was legitimate or not. All students responded by saying that, because of the trust they had in the university and in the department, they didn’t feel as though it was necessary to contact the tutors. They believed that the student representative (the lead actor in the piece) would not give them a fraudulent document without voicing his own concerns. This gave many of the students reason to fill out the letter without properly questioning it. What’s more, it meant that some students gave more than they would normally have done.

A shortened edit of the video can be seen below, with key answers from students left in.

A key question that arises from the piece is its tangibility: why was the piece created as a letter and not as an email? Why was it distributed as a physical object when the subject it intends to comment on is digital? In my own mind, it would have been very easy for students to simply ignore an email, especially if they thought that it was phishing for their information. By distributing the letters physically, the project is given a sense of legitimacy and urgency as it is very rare that a student will receive a letter. By being given it personally, the letter appears to be of some significance and provides an author for the piece (LICA - Lancaster Institute of Contemporary Art). If the project had been completed as an online survey, the author would have been stripped of its legitimacy as it is incredibly easy to pretend to be someone you’re not online, a concept that the piece itself addresses. What's more, by creating a physical object, the piece can be displayed allowing it to be described as a piece of art. As one student noted in their interview, the act of creating these questionnaires is not art, but the way in which they are displayed is. Each questionnaire is hung with the envelope it came in, as well as the signed consent form and a transcription of each students interview.

The overall response of the university and the students to the piece was far more varied than I anticipated. I believed that some of students would not fill out the questionnaire at all, but that other would fill out certain areas. I did not believe anyone would completely fill out the document and was astounded that 3 people did. What is interesting to note is that every student was cautious about the letter, but only 2 students looked up ‘The Student Databse’ and GCHQ online to see if the programme was legitimate. These students retracted their information soon after discovering that it was fraudulent and handed the letters back. In my opinion, the way in which the university responded to the piece shows weaknesses in the system in place. When asked whether they thought the university responded well to the threat, a number of students noted that they hadn’t heard anything from the university and only knew that there was a problem through me. This ultimately calls into question the protocol that the university follows in attempting to get to the bottom of a threat such as this one. I believe the university could have completed a number of steps that would have been more beneficial:

1. Find out what students were involved and see if there are any similarities between them (do they do the same course; do they live together; are they in contact with each other; is there anything that brings them together in any way?)
2. Contact these students independently via email or phone and ask what they know about the threat and how they were affected. Ask if they have given away any information and who distributed the document/asked them to complete the task.
3. Confront the person that the students name as the lead in the piece. Find out what he/she knows. If this person is outside of the university, speak to and ask for help from the police.
4. See if there has been a data breach and if any other students may be affected in the future.
5. Ensure that all university students are aware of the threat by sending an email as opposed to creating an update on Moodle (these are often overlooked).
6. Ensure that you are aware of the intentions of the threat. Is the threat intended to be malicious? If so, harsher punishments are required. If the threat is intended as a joke, confront the perpetrator and make them aware of the dangers of completing something like this. Issue a warning and state that the student must stop. If the threat is intended as a piece of work, ensure that the student is aware of the risks of taking part in something like this and make sure they keep you updated on their activities with the piece. Ensure that no harm will come to any student.