Privacy? It's not gone (yet), but you'd better be careful

Many in the tech community have been concerned for a while- quite a long while- that privacy as we used to know it is a rapidly disappearing concept. Year after year, they've been dismissed as alarmists, radicals, and so forth.

It is now becoming increasingly obvious that those "alarmists" were right. Whenever we interact with anything involving a networked computer, we leave a digital trail that can and will be mined for someone else's financial benefit.

The surveillance state, version 2013

Well-known security consultant Bruce Schneier, arguably one of the world's leading experts on information security, recently claimed on CNN that the Internet is a surveillance state. It's not becoming one, it's not in danger of becoming one. It already is one, and has been for some time now.

If this comes as a surprise to you, I have to ask what rock you've been hiding under for the last few years. (Really, I want some of that rock- evidently it's some seriously good shielding.) When I try to read the front page of today's Toronto Star, the site asks my browser to run programs from no less than 14 different domains, at least four of which are dedicated primarily to tracking what I look at and what I click on. Every query I run on Google, along with every search result I click on, is added to my permanent file in that company's massive disk banks. Amazon knows just about everything about my discretionary spending- even if I didn't buy a particular item from them, the odds are I price-checked them at some point, and that's logged. And don't get me started on Facebook.

Even if you avoid the online giants, details of your habits are in the databases of many shadowy corporations. If you have any dealings with a developed nation's banking system, your banker is almost certainly reporting your financial history to the likes of Experian, TransUnion and Equifax, whose detailed records will determine the terms of engagement in your future financial dealings. You undoubtedly have a friend who's tagged you on Facebook despite you not having an account; those records can be linked to rapidly growing facial recognition databases. And if smartphone and CCTV video weren't commonplace enough already, we'll soon have Google Glass to deal with.

Like it or not, your activities, interests, habits, whereabouts, communications and financial dealings are being studiously logged and archived for the financial benefit of others.

Finding patterns in chaotic data

A few years ago, concerns about such tracking could be easily dismissed: "Nobody cares that much about little old me." Or "but it's just an automated system for ad targeting, nobody actually reads it".

This is 2013, though- the era of Hadoop, EdgeRank, Autonomy and other incredibly sophisticated tools designed specifically to turn vast amounts of unstructured data into financially meaningful decision points. Building a detailed profile of an individual's activities, communications, social circles, buying habits and other personal information is no longer the domain of highly qualified CIA specialists- it can be automated on a population-wide scale, millions of people at a time.

Let's work through an example. I use the break room computer to check Gmail over lunch, and see that a friend has tagged me in a Facebook post about a mental health awareness rally. I check the Facebook link, leave a comment, and log out of both FB and Gmail. I take a look at a list of side effects for sertraline hydrochloride and briefly wonder why the drug info page has a "like on Facebook" button. Next it's off to eBay and Amazon to track down a replacement graphics card (why are the new ones so damned expensive? I'll take a previous-generation Nvidia, thanks) before getting back to work.

From that brief bit of surfing, what can be inferred? Facebook and Google both saw me comment on the mental health rally and visit the drug site (both can track me even when I'm logged out) and can therefore figure out that I'm probably suffering from depression, am taking Zoloft and not doing so well on it, and might therefore be a good target for ads about Eli Lilly Co.'s Prozac. Amazon knows from my IP address that I work at a steel mill, and since I therefore don't need that graphics card for work, I must be a gamer. Since I looked at (but didn't buy) the latest model, I'm probably either frugal or short on cash, and since the shipping address is in a first-quartile income district, it's probably the latter. Google scans the Amazon receipt email and now has enough information to build a pretty complete picture of my situation.

All of that can be easily inferred from the data collected by a few major companies in just a few minutes of idle browsing, with no prior knowledge. Consider what information can be inferred when you extend the observing time to months or years, or when you add a smartphone or Google Glass to the mix. This is not an Orwellian fantasy; this is happening now, in real time, to all of us.

(The details above are, of course, completely fake- realistic, yes, but they're not mine or those of anyone I know.)

What can you do about it?

Do Nothing. That's what most folks are doing, and- on the surface- it appears to have no ill effects. I can't recommend it, though. This kind of widespread, pervasive surveillance is becoming (or perhaps already is) a true existential threat to the fundamentals of our way of life. If we want to retain privacy as one of our major social rules, we cannot stand by and do nothing.

Fight back with technology. This can go a long way towards protecting your privacy, but there's some learning involved. Step one is to lose your fear of unknown technology: you're about to jump into jargon stew, a bizarre mix of XSS, browser extensions, SSL, Tor, PGP and VPNs. It's all well within the ability of any computer user to comprehend, but it won't be intuitively obvious and you have to be willing to learn.

Technical solutions aren't perfect. With NoScript, Adblock, PGP and an occasional dusting of proxies, you can screw up the tracking companies' data well enough that their files on you will be all but useless. The FBI, though, will have little trouble cutting through the mess if they really want to find you.

Fight back with law. The businesses that profit from this kind of tracking are wealthy, they're powerful, and they're very good at helping out politicians when it comes to two key tasks: reviewing draft legislation and funding re-election campaigns. This results in a distinct lack of enthusiasm for enhanced privacy legislation in the governing bodies of many countries.

Only if large numbers of citizens pressure their governments, peacefully, to strengthen and enforce privacy protections in law- among them, the crucial and nearly brand-new legal concept of "public but ephemeral" information- will corporations see any incentive not to wantonly violate individuals' privacy.

Fight back with culture. Modern Western culture places considerable value on privacy, secrecy and a rather strict separation between different forums of human interaction. We've all heard stories about a human resources department rejecting applicants on the basis of college party photos snagged from Facebook, even though it's blindingly obvious that almost anyone with an advanced degree must have been to at least a few college parties. Another worrisome (and remarkably common) scenario is someone being fired for expressing the wrong political views, or indulging in off-duty activities deemed controversial by the powers that be in that office. Being accused of viewing kiddie porn- even if the court eventually finds that the cops acted on bad intel and you didn't actually do it- is a career-ending stigma that never goes away. Pervasive, automated tracking all but guarantees that some corporation, somewhere, knows information about you that you'd rather not share. (Google, for example, surely knows everyone's tastes in pornography.)

We are free to choose to change our culture so that we do not need to hide so many things about ourselves. We can say, to ourselves and to those we know, "I will not judge anyone on such grounds, and I will not tolerate you doing so either." It would be a rather dramatic change in the way we, as individuals, interact with each other, and certainly not something that would be easy for all of us to do- many among the older generation, I'm sorry to say, would likely be unwilling to even consider it. And changing the rules of society so that we don't need to rely on strict privacy to preserve our reputations wouldn't do anything to stop the loss of said privacy. But it's something we must discuss, as- unless the politicians of a hundred nations suddenly come to their senses or we can get everyone hooked on Blowfish- there may be no alternative.





Host files

One of my favorite, fairly easy tech steps to protect my privacy is to download and install an ad-blocking hosts file (easy enough to search for).

It's a far from perfect technique because you can never keep up with the list of all tracking web sites, but it should at least start putting holes in your unwanted online profile(s). And it has a side benefit of slightly increasing web browsing speed. You do sometimes get odd looking error messages inside some web pages, but oh, well.

Re: Host files

Matthew's picture

Host files can be one component of an overall privacy strategy, but they are indeed a long way from being a perfect solution.
The principle here is that you put a file on your own computer that, in essence, tells the computer "Any request intended for should be sent to a nonexistent address".
The advantage of this approach is that it works low in the network stack, and therefore applies to everything on that computer- unlike browser plugins, which only work for the browser they're installed in.
There are many problems with the hosts file approach, though:
- They only block big, established scumbags. New or small-time scumbags haven't had time to be added to everyone's blacklists yet.
- They only block pure scum. The really dangerous stuff, from a privacy perspective, is services like Google and Facebook that also provide services you don't want to block.
- They're difficult to deploy and maintain across multiple computers.
- They don't do anything to shield you from legitimate sites that have been hijacked for malicious purposes.
I would argue that for the average user, as of 2013, Adblock+ and NoScript make for an easier and more powerful solution to the same problems that a custom host file solves.
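
An added example, not part of the comments above: a small Python check of which hostnames a blocking hosts file actually covers. It shows the whole-name matching behind the "only blocks what's already listed" limitation. The hosts entries, the request list and the "last two labels" grouping in `parent()` are all constructed assumptions.

```python
import ipaddress

# Constructed sample of a blocking hosts file (all names are made up).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
0.0.0.0     ads.tracker-one.example
0.0.0.0     pixel.tracker-two.example metrics.tracker-two.example  # two names
::          beacon.tracker-three.example
192.0.2.10  intranet.corp.example   # ordinary mapping, not a block
not-an-ip   broken.example
"""

# Constructed list of hosts that one page load might ask for.
SAMPLE_REQUESTS = ["ads.tracker-one.example", "cdn.tracker-one.example",
                   "PIXEL.tracker-two.example.", "new-tracker.example",
                   "accounts.bigservice.example"]

def parse_blocklist(text):
    """Names mapped to an unspecified (0.0.0.0, ::) or loopback address."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue                             # skip malformed lines
        if ip.is_unspecified or ip.is_loopback:
            blocked.update(n.lower().rstrip(".") for n in names
                           if n.lower() != "localhost")
    return blocked

def parent(name):
    # Assumption: naive "last two labels" grouping, no public-suffix list.
    return ".".join(name.split(".")[-2:])

def classify(hostname, blocked):
    """Hosts files match whole names only: no wildcards, no subdomains."""
    name = hostname.lower().rstrip(".")
    if name in blocked:
        return "blocked"
    if parent(name) in {parent(b) for b in blocked}:
        return "same-domain-not-listed"          # sibling of a listed tracker
    return "not-listed"

def report(hosts_text, requests):
    blocked = parse_blocklist(hosts_text)
    return {h: classify(h, blocked) for h in requests}

if __name__ == "__main__":
    for host, verdict in report(SAMPLE_HOSTS, SAMPLE_REQUESTS).items():
        print(f"{verdict:24} {host}")
```

Hosts in the `same-domain-not-listed` and `not-listed` rows resolve normally, which is why a static list needs regular updates and cannot cover a service you also use on purpose.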

