Is Amnesty giving spy victims a false sense of security?

Amnesty International is getting a lot of attention with the launch of a new tool to detect government and corporate spying on your computer.

I thought I would try it myself. I went to a computer running Microsoft Windows, an operating system that does not publish its source code for public scrutiny. I used the Chrome browser; users often express concern about Chrome sending data back to the vendor about the web sites the users look for.

Without even installing the app, I would expect the Amnesty web site to recognise that I was accessing the site from a combination of proprietary software. Instead, I found a different type of warning.

Beware of Amnesty?

Instead, the only warning I received was from Amnesty's own cookies:

Even before I install the app to find out if the government is monitoring me, Amnesty is keen to monitor my behaviour themselves.

While cookies are used widely, their presence on a site like Amnesty's only further desensitizes Internet users to the downside risks of tracking technologies. By using cookies, Amnesty is effectively saying a little bit of tracking is justified for the greater good. Doesn't that sound eerily like the justification we often hear from governments too?

Is Amnesty part of the solution or part of the problem?

Amnesty is a well known and widely respected name when human rights are mentioned.

However, their advice that you can install an app onto a Windows computer or iPhone to detect spyware is like telling people that putting a seatbelt on a motorbike will eliminate the risk of death. It would be much more credible for Amnesty to tell people to start by avoiding cloud services altogether, browse the web with Tor and only use operating systems and software that come with fully published source code under a free license. Only when 100% of the software on your device is genuinely free and open source can independent experts exercise the freedom to study the code and detect and remove backdoors, spyware and security bugs.

It reminds me of the advice Kim Kardashian gave after the Fappening, telling people they can continue trusting companies like Facebook and Apple with their private data just as long as they check the privacy settings (reality check: privacy settings in cloud services are about as effective as a band-aid on a broken leg).

Write to Amnesty

Amnesty became famous for their letter writing campaigns.

Maybe now is the time for people to write to Amnesty themselves, thank them for their efforts and encourage them to take more comprehensive action.

Feel free to cut and paste some of the following potential ideas into an email to Amnesty:


I understand you may not be able to respond to every email personally but I would like to ask you to make a statement about these matters on your public web site or blog.

I understand it is Amnesty's core objective to end grave abuses of human rights. Electronic surveillance, due to its scale and pervasiveness, has become a grave abuse in itself and in a disturbing number of jurisdictions it is an enabler for other types of grave violations of human rights.

I'm concerned that your new app Detekt gives people a false sense of security and that your campaign needs to be more comprehensive to truly help people and humanity in the long term.

If Amnesty is serious about solving the problems of electronic surveillance by government, corporations and other bad actors, please consider some of the following:

  • Instead of displaying a cookie warning on Amnesty.org, display a warning to users who access the site from a computer running closed-source software and give them a link to download a free and open source web browser like Firefox.
  • Redirect all visitors to your web site to use the HTTPS encrypted version of the site.
  • Using free software such as the GNU/Linux operating system (using one of the Debian, Fedora or Ubuntu systems is one of the more common ways to achieve this) and LibreOffice for all Amnesty's own operations, making a public statement about your use of free software and mentioning this in the closing paragraph of all press releases relating to surveillance topics.
  • Encouraging Amnesty donors, members and supporters to choose similar software especially when engaging in any political activities.
  • Make a public statement that Amnesty will not use cloud services such as SalesForce or Facebook to store, manage or interact with data relating to members, donors or other supporters.
  • Encouraging the public to move away from centralized cloud services such as those provided by their smartphone or social networks and use de-centralized or federated services such as XMPP chat.

Given the immense threat posed by electronic surveillance, I'd also like to call on Amnesty to allocate at least 10% of annual revenue towards software projects releasing free and open source software that offers the public an alternative to the centralized cloud.


While publicity for electronic privacy is great, I hope Amnesty can go a step further and help people use trustworthy software from the ground up.

Comments

You complain about the cookie warning (which I didn't see, probably as I didn't run javascript from them) but no mention of the handful of other sites they try and hand you to?
The near ever present google analytics code.
The facebook iframe.
The twitter javascript.
The addthis javascript.
The googleplus javascript.
There may be more, but I can't be bothered to try and pick apart the code to see if there is anything else trying to do a google-analytics and semi-hide itself such that its attempts to make external requests are only revealed in the event of running the javascript.
So simply by visiting that page (without a locked down browser) you have not only given google, facebook, twitter and addthis the ability to track you but have also handed over code access to your insecure browser to them ... and you are worried about a cookie from amnesty?
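
An added example, not part of the comment above or of the original post: a small Python audit that lists the third-party hosts a page's static markup makes a browser contact, and which of them get to run code. The sample markup and every hostname in it are constructed placeholders, and `site_of` is a simplifying assumption. As the comment notes, requests injected by JavaScript at run time (here `hidden.example`) are invisible to this kind of static check.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags that make the browser contact another host as soon as the page loads.
# script/iframe also run that host's code; img is a passive request (a "pixel").
FETCH_ATTR = {"script": "src", "iframe": "src", "img": "src"}
ACTIVE = {"script", "iframe"}

def site_of(host):
    # Assumption: "site" = last two DNS labels; a real audit needs the Public Suffix List.
    return ".".join(host.lower().split(".")[-2:])

class EmbedAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.first_party = site_of(urlsplit(page_url).hostname)
        self.third_party = {}          # host -> set of tag names seen

    def handle_starttag(self, tag, attrs):
        url = dict(attrs).get(FETCH_ATTR.get(tag, ""))
        if not url:
            return                     # inline script or tag we do not track
        # Resolve relative and protocol-relative (//host/path) URLs.
        host = urlsplit(urljoin(self.page_url, url)).hostname
        if host and site_of(host) != self.first_party:
            self.third_party.setdefault(host, set()).add(tag)

def audit(html, page_url):
    """Return {third_party_host: sorted tag names} for static embeds."""
    parser = EmbedAudit(page_url)
    parser.feed(html)
    return {h: sorted(t) for h, t in parser.third_party.items()}

def hosts_running_code(result):
    return sorted(h for h, tags in result.items() if ACTIVE & set(tags))

# Constructed sample markup; every hostname is a placeholder.
PAGE = "https://www.charity.example/"
SAMPLE = """<script src="/js/site.js"></script>
<script src="//analytics.example/ga.js"></script>
<script src="https://widgets.social-a.example/share.js"></script>
<img src="https://static.charity.example/logo.png">
<iframe src="https://www.social-b.example/plugins/like.html"></iframe>
<img src="https://pixel.analytics.example/t.gif?page=home">
<script>var s=document.createElement("script");s.src="https://hidden.example/x.js";</script>"""

print(audit(SAMPLE, PAGE))
```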

To be fair, just stopping and highlighting the cookie warning and tracking rhetoric provides enough for us to discuss (at least from a social perspective), but I noted the use of cloud-based traffic analysis tools some time ago in the context of organisations who are presumably against tracking and privacy intrusions.

Charitable and ideological organisations don't always make good choices, even when they supposedly have a technological focus. For instance, Fairphone still seems to be negligent with regard to privacy issues and the use of proprietary firmware/software, and that's a group of people who are actually delivering "ethical" technological solutions. Other organisations either seem to delegate technological matters to people who don't share their views or perspectives, or they choose a last-minute solution on the basis of ignorance or misplaced optimism or trust: they may want the popularity benefits of Facebook and will happily pretend or believe that the negative aspects of such services will not affect them or people they know.

Cookie warnings are inescapable these days thanks to legislation and the automatic usage of cookies by many Web development frameworks. But they do offer a reasonable way of starting a discussion about how and/or why Web site users might be monitored, and from that basis they might also provide a way of educating everyone concerned as well.

Amen.

It can't be said clearer... If only there were more people like you!

Cookies are used for far more than just tracking. Most sites that support logins use cookies to do so; sites with user preferences use cookies to remember them...

The warning at the top of the site exists to satisfy a misguided EU requirement; it can't simply be removed, sadly.