Redefining Privacy

We are in the process of redefining privacy. More shadowy actors than we can count, in both corporate and government sectors, have dedicated themselves to hoovering up, archiving and cross-referencing every bit of information they can about our personal lives.

We might not be able to stop them. We may, however, be able to enact changes, as individuals forming a society, that would render them relatively powerless.

The power of metadata

It's not necessary to monitor what you actually say or type, or to interrogate you to figure out why you said it. Who you communicate with, when you do it, and how the communication is made can, these days, provide more than sufficient information to infer the rest. In the words of computer security expert Dan Geer from a speech last month:

We know, and have known for some time, that traffic analysis is more powerful than content analysis. If I know everything about to whom you communicate including when, where, with what inter-message latency, in what order, at what length, and by what protocol, then I know you. If all I have is the undated, unaddressed text of your messages, then I am an archaeologist, not a case officer. — Dan Geer

Expert opinion does not seal a case. For that, we need scientific evidence, and there's a team of researchers that recently provided that hard proof. Patrick Mutchler's team at the Stanford Security Lab performed a "What's In Your Metadata?" study with the intent of figuring out exactly how revealing NSA-style metadata collection could be. A few hundred volunteers installed an Android app that periodically sent data on phone numbers and call times back to the researchers over a few months. Then, using only those records and publicly available information, the researchers tried to reconstruct the participants' lives.

The results to date are scary. Call history alone was enough to discover that one participant had a rare form of multiple sclerosis, another had cardiac arrhythmia, a third was fond of AR-series semiautomatic weapons, one was likely growing weed, and another seemed to be having a hard time dealing with an unplanned pregnancy. Just this small data set – which numbers were called at what times – was enough to figure out who was a firearms owner, who frequented which strip clubs, who was sleeping around (or getting divorced), and who had substance abuse issues.

Multiply the number of subjects by about a million, stretch the data collection period from months to a decade, and add police and government records, cellphone GPS positions and CCTV camera records to the list of data you can correlate against. Now you can start to visualize the scope and capability of the modern surveillance state.

The American NSA may be the most famous, but it is now known that the intelligence services of many major countries – the UK, Canada, Russia, Australia and more – have and use this capability, hoovering up everything they can find about everything that their scan systems touch.

Automated Hacking

Among recent revelations of the NSA's previously secret capabilities, the "Turbine" automated hacking tool has apparently been operational since 2010. Turbine is a sort of AI that takes an instruction (I imagine it to be a structured syntax form of "Turbine, please break into the accounting systems of all military hardware vendors in the Arabian Peninsula") and figures out which malware to install, via what channels, on which computers, to provide the requested access.

Systems like these are designed for use against hardened, security-aware targets. Most of us don't stand a chance against them. I could try tunneling my connections to a friendly country over an IPSec VPN; they'll hack one of the core routers that carries the signal and intercept the key exchange between me and the trusted VPN server. I could try a ciphered SIP voice-over-IP phone to avoid the wiretaps on the hardlines; they have a dedicated system for tracing and decoding SIP calls.

If a spy agency is interested in you, there's not much you can do to stop them. That, as we all know, has been the case for a century. What's changed is the threshold for how much interest is required in order to actually do something. Where monitoring someone used to require a substantial commitment of money and manpower, the threshold is now a low-level analyst saying "I'm bored today, I think I'll pull profiles on all single women in Fort Meade who have recent evidence of emotional vulnerabilities and who have webcams." (When someone at Britain's GCHQ decided that it would be a good idea to secretly watch the webcams of 1.8 million Yahoo users – many of whom, given Yahoo's demographics, would be teenage girls – they also felt the need to compile statistics and a report on what they found, including an "undesirable nudity" rate of 7.1%±3.7%. They neglected to explain what "undesirable" meant in this context.)

A New Kind of Privacy

The first thing that needs to happen here – and I very much doubt that I will find anyone outside the spy community who disagrees – is that governments need to rein in their dogs. If there's no justifiable national security rationale for spying on a specific target, the agencies have no business monitoring that target. We can help with this part; as voters, we can turf any politician who's unwilling to help solve the problem.

The next thing that has been repeatedly suggested by many well-informed thinkers is that several hundred senior intelligence officers in a dozen Western democracies need to be brought into court on charges of treason. Much of what has been happening recently grossly oversteps the authority granted by law to these agencies, and in many cases is in direct violation of the constitutions of the respective countries. If those in charge are not charged, then the rule of law as a fundamental pillar of society is dead and gone.

On a broader scale, though, we must surely realize that military and surveillance capabilities, once created, never go away. Even if we rein in GCHQ, CSEC and the NSA, then Google, Yahoo, Equifax, Bell, Facebook, TransUnion and a hundred other organizations will still be watching us. Pervasive surveillance is now here to stay; privacy as we currently know it is likely a dead or dying concept. And that means we, as individuals, are going to have to change some of our ways and attitudes.

Most of us, consciously or otherwise, carefully cultivate specific images of ourselves to present to the world. There's the image we're expected to present to our managers and co-workers: the industrious, reliable, clean, competent, trustworthy employee. There's the image we're expected to present on a night out downtown: the easy-going, fun-loving, carefree, occasionally wacky friend. There's the image we're expected to present in our religious communities: virtuous, pious, upstanding. There's an image for our kids, one for our extended family, one for our lovers. Most people have an appreciable collection of these images, and I suspect that most people are at least a little bit afraid of what folks in one of those groups would think if they saw us in the "wrong" image.

Keeping all aspects of our lives squeaky-clean by the standards of the Powers That Be is not a solution. For one, it would make life boring as hell. And, of course, it's no longer possible for an individual to have comprehensive knowledge of what is and is not deemed to be OK; the United States Code alone is said to contain over two hundred thousand pages of federal laws. More importantly, regimes and rules change; records of personal behaviour that is perfectly OK and normal today might become a political liability under an oppressive future regime.

I'm going to keep emphasizing the need to put the brakes on today's privacy-violating data collection programs. But all of us should also pledge that, if and when private, intimate and/or embarrassing personal information does make its way into the public eye, we will not judge anyone based on material that should never have been collected or distributed. In effect, we can recreate a sort of privacy – even in a pervasive surveillance state – if enough of us simply declare that we will respect each other's rights in reality, regardless of what low-life actors do in virtual reality.

Respect when Everything is Public

This means training ourselves to think and react differently than we currently do in situations where our currently trained instinct is to snap to judgment on someone else's worth and character.

It means we'll have to judge political candidates based on their policies and their track records, rather than by what they may have smoked at the Spring Break party in second-year undergrad. (Candidate X's decision to share a few doobies twenty years ago is completely irrelevant when Candidate Y is up on stage saying "I think most of you normal people are overpaid and have too much job security, and I'm going to change that.")

It means we'll have to move above the 'slut shaming' that breaks out every time some teenage boy unwisely shares a girlfriend's private selfies and the Internet runs away with them. (News flash: Sexuality is a biologically hard-wired imperative in our species; if adults deny that it happens, teens will figure it out for themselves. Images themselves are, at worst, harmless; it's the after-the-fact public shaming that does the psychological damage.)

It means taking the time to understand ideas that are unfamiliar to us, refusing the temptation to jump to ill-informed wrong conclusions. (That nude beach vacation your co-worker wouldn't talk about around the water cooler was mainly about equality of class and gender, relaxation, and distancing oneself from the toxic materialism of the modern urban world, and was almost certainly not about random sex.)

It means thinking about what values should guide our decisions, and never assuming that our own perspective is superior. (If you have an office administrator who is friendly and helpful to the clients, quick and accurate with the books and as reliable as a Swiss watch, but spends her off-hours supporting politicians who are critical of your company's environmental policies, which is more likely – that the administrator's evening activities are a threat to your company, or that your environmental policies really are out of step with 21st-century reality?)

In short, it means that respect for someone's inherent worth as a fellow human being must trump any prejudices, any third-party information, any public reputation that's been (fairly or unfairly) associated with that person or the activities in which they've been purported to engage.

If enough of us can make that respect into the basis of our social interactions, then I think society has a good chance of surviving the death of privacy as we used to know it.


