TRI In The News
Is Privacy Dying? ‘Technology is Pervasive and Invasive’
From Providence Journal
We have gathered here today to discuss our old and ailing friend, Privacy.
Please be advised that someone may be watching.
Those of us who came of age before the Internet may remember when Privacy was in better condition.
Back then, what you did in your own space was pretty much your business. Your home really was your castle.
Back then, you did not have to wonder whether some stranger across town
or on the other side of the world was studying your home on Google.
When you stepped outside, your whereabouts could not be tracked and recorded precisely.
You did not imagine that machines in distant places ever would analyze your intimate behaviors. You thought that only in fiction might government be spying on you, an innocent person suspected of nothing.
Privacy was not a setting on Facebook. Privacy meant your permission mattered. It enhanced your well-being.
It required minimal maintenance. It even was held to be an American birthright, guaranteed by the Founding Fathers in the Fourth Amendment:
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
The Fourth Amendment’s about gone,” says John W. Whitehead, Army veteran, constitutional lawyer, and founder and president of the Rutherford Institute, a prominent civil-liberties and human-rights organization based in Charlottesville, Va.
Technology debilitated privacy, Whitehead and others assert. Mainframe computers gave way to smaller, more powerful machines. The Internet matured. Broadband replaced dial-up. Cellphones became smartphones. Email and texting abounded. Social media proliferated. Clandestine data-stealing programs known as spyware and malware multiplied. Cameras sprouted everywhere and drones took to the civilian skies.
“The technology is so pervasive and invasive,” Whitehead says. “Technology’s driving the show.”
Digital technology did not debilitate privacy on its own. Many of us have been complicit.
We have bought the machines and subscribed to the services. We have volunteered intimate details of our lives to the engineers, entrepreneurs and others who rule the digital world. In return, we have received connection and gratification — and 10 percent off our next purchase.
It has been so seductive. The siren called, and we opened our arms.
“Certainly in the last few years, when we’ve gone to smaller devices, more mobile devices, we’ve agreed that the excitement, the interest and the convenience is worth the surrendering of various bits of privacy,” says Robert Beck, professor and chairman of the Department of Computing Sciences at Villanova University. “A lot of this we’ve done to ourselves.”
The new gold
Mark Zuckerberg, a co-founder of the social networking website Facebook.
More than 150 million Americans (a billion worldwide) maintain accounts with Facebook, entrusting their information to 29-year-old Mark Zuckerberg. Twitter users send their messages by the millions into the digital universe, a public place.
In return for loyalty cards that bring a few bucks in discounts, we share identifying information with grocers, pharmacy chains and apparel stores. As cash recedes as a method of payment, we leave a record of our transactions with banks, credit-card companies and e-commerce firms such as PayPal.
Led by Amazon, online merchants track our purchases, with our consent. YouTube, Netflix and other video services track our viewing, as do cable and satellite TV companies; iTunes knows our listening preferences. As health-care providers forsake paper, medical histories go online. Ditto with school, employment and property records.
Internet service providers maintain logs of our online activity. Communications companies log our telephone calls, text messages and emails. Mobile devices leave a digital trail of our travels. Even cars have black boxes now.
All of this data can be analyzed and stored permanently. It can be shared and cross-referenced. It can be stolen. To advertisers and others, well-intentioned or not, it is virtually priceless. Data is the new gold, its allure irresistible.
Whether through inadvertence, incompetence or malfeasance, so-called data breaches — “exposure” of confidential information to unapproved parties — have become an iconic, if chilling, characteristic of the digital age. The point is illustrated by a visit to the San Diego-based Privacy Rights Clearinghouse website, which lists breaches from 2005 to today.
Nearly 4,000 breaches, resulting in exposure of more than 608 million records, are chronicled — and with many breaches going unreported, it is far from a comprehensive list, the group notes. Among the 35 breaches documented in June alone:
A Facebook glitch opened contact information of about 6 million subscribers to unauthorized users for months, beginning at some undisclosed point in 2012.
A mistake exposed private information, including Social Security numbers, of about 47,000 Florida teachers. The information “was publicly accessible for 14 days,” Privacy Rights Clearinghouse reported.
A malware program opened files kept by the University of Massachusetts at Amherst. “The information of almost 1,700 clients of the Center for Language, Speech, and Hearing may have been exposed,” Clearinghouse reported. “Client Social Security numbers, addresses, names of health insurers, and primary health care or referring doctors may have been accessible.”
An email sent by an employee of the Massachusetts Mutual Life Insurance Co. revealed sensitive details of an unknown number of clients’ 401(k) retirement accounts, including names, Social Security numbers and account balances.
A hacking incident exposed names, phone numbers, addresses and email addresses on records kept by the Health Information Trust Alliance of Frisco, Texas. On its website, the firm describes itself as committed to the principle that “information security should be a core pillar” of “any and all organizations that create, access, store or exchange personal health and financial information.”
The power of Google
With its Gmail, YouTube, Android, Chrome, Wallet and many other products, Google is the mightiest commercial digital entity on earth. Its servers process more than a billion questions a day, more than any other search engine, by far.
Google makes most of its money from ads, harnessing the power of its algorithmic formulas to match advertisers’ needs with data generated by Google users. (Facebook uses a similar process.) Last year, the company earned a profit of $10.7 billion on revenue of $50.1 billion. On Friday, its market worth was $301 billion, more than the combined gross domestic product of many nations.
Managed irresponsibly, such power could be damaging.
But while Google seeks to reassure — “Your privacy matters,” it states at www.google.com/policies/privacy –– the company has been investigated, sued or threatened with legal action on privacy issues by government entities in several countries and the European Union. It has paid large fines, including $22.5 million ordered last year by the U.S. Federal Trade Commission, the largest civil penalty the FTC has ever levied.
In that case, the agency found that Google sidestepped privacy settings in Apple’s Safari browser that allowed it to clandestinely target Google ads to Safari users.
“The social contract has to be that, if you’re going to hold on to people’s most private data, you have to do a better job of honoring your privacy commitments,” said David C. Vladeck, the director of the FTC’s Bureau of Consumer Protection.
If that sounds familiar, that’s because it is.
In 2011, the FTC charged that Google had violated its own privacy rules and used deceptive practices when launching its now-discontinued social-networking service, Google Buzz, in 2010. The FTC ordered the company to “implement a comprehensive privacy policy” and submit to independent privacy audits for 20 years. Google signed the consent decree requiring the audits but did not admit wrongdoing.
Outsiders rarely get glimpses into Google’s internal thinking on such matters. But in a December 2009 interview aired as part of a CNBC documentary, then-CEO (and currently Executive Chairman) Eric Schmidt provided insight.
The interviewer asked Schmidt: “People are treating Google like their most trusted friend. Should they be?”
He replied: “If you have something that you don’t want anyone to know,” Schmidt said, “maybe you shouldn’t be doing it in the first place.”
To some, that seemed a cavalier attitude. And Schmidt was not even addressing Google programs that collect information about nonconsenting people who are “doing” nothing more questionable than living.
The map-and-photo service called Street View, for example.
“Street View lets you explore places around the world through 360-degree street-level imagery,” Google proclaims. “You can explore world landmarks, view natural wonders, navigate a trip, go inside restaurants and small businesses — and now, even hike the Grand Canyon!”
You also can explore someone’s property, in extraordinary detail. Add in Google Satellite and Google Earth (or Microsoft’s equivalent, Bing Maps), which provide sharp aerial and 3-D images, and a stranger with an Internet connection can become very familiar with your home, workplace or hangout. The implications for criminals and others with ill intent are obvious.
Privacy defenders and government entities have assailed Street View as particularly invasive, and in many countries, they have sued to stop Google’s army of car-mounted cameras as they travel the streets, capturing the images that are uploaded to Google servers. Google removed (or blurred) certain images from its database — domestic violence shelters and U.S. military bases, for example. Not satisfied, some European countries have delayed or curtailed Street View image-capturing.
But nothing has infuriated privacy defenders like the revelation in 2010 that, for three years, Google’s camera cars also had been secretly collecting unsecured Wi-Fi data from homes and businesses that it was photographing.
A British official investigating Street View said Google was recording “[Internet Protocol] addresses, full user names, telephone numbers, complete email messages, email headings, instant messages and their content, logging-in credentials, medical listings and legal infractions, information in relation to online dating and visits to pornographic sites, and data contained in video and audio files.”
Google initially stated that a rogue engineer was responsible and that the data collection was “a simple mistake,” according to Steve Eckersley, chief enforcement officer with the British Information Commissioner’s Office. But the company refused to allow regulators to examine the data it had collected.
Faced with investigations and fines from the U.S. Federal Communications Commission and agencies in other countries, Google conceded that it had “intentionally intercepted payload data for business purposes and that many supervisors and engineers within the company reviewed the code and the design documents associated with the project,” according to the Electronic Privacy Information Center, in Washington, D.C.
Google says it has stopped the practice and purged its records, but investigations continue.
‘Be prepared to BE SHOCKED!’
Google does not sell its raw data. But many companies do sell information about individuals. In Privacy’s better days, such data was not remotely accessible, if accessible at all to a stranger.
One such firm, instantcheckmate.com, which lists a Las Vegas address, states “our goal is to provide you with the most useful, detailed and important information on just about anyone.” One search costs $29.95. Monthly and yearly plans are available.
An Internet ad link to the company warns customers to “be prepared to BE SHOCKED! If you are going to RUN this report on ANYONE like your Wife, Husband, Mother-In-Law, Father-In-Law, Step Dad, Brother, Sister, Uncle, Aunt or ANYONE you Know or might Soon Know you BETTER Be READY FOR What Could Come Back. … Now this is 100% Fully Anonymous who ever you RUN Full Background Checks on WILL NOT KNOW IT EVER Happened.”
Instantcheckmate and similar firms see value in more than the fees their customers pay. “We may share certain types of Personal Information with advertisers and other third parties,” the site states. “The other parties with whom we share the information may want to send you information about products or services.”
And so it goes, with the might of algorithms and the speed of fiber optics — information legally sold and shared, and sold and shared again.
Beyond companies like Instantcheckmate lies the shadowy world of hackers, some of whom work for governments. Other hackers seek profit in extortion, blackmail or identity theft — or find satisfaction simply in demonstrating their abilities or in making political statements. Russian hackers apparently did both in March, when they publicly posted the Social Security numbers, home addresses, credit-card data and other sensitive information about several politicians and celebrities, including Beyonce, Hillary Clinton, Vice President Joe Biden and First Lady Michelle Obama.
“Hackers have always had great success stealing our private information,” says Barry Shteiman, security strategist with Imperva, a data security firm based in Redwood Shores, Calif. “The ‘industrialization’ of hacking has turned this theft into a numbers game: The more people are willing to pay for stolen data, the more hackers will work to get it.”
Another shadowy world is populated by people who create, use and sell malware, which can reach undetected into a stranger’s computer.
“Once your computer is compromised, there is nothing the attacker cannot steal,” says Bruno Scap, president of Galeas Consulting, an information technology firm in Astoria, N.Y. “This includes your bank account and credit-card information, email, pictures, usernames and passwords to your social media websites, and anything else that is either stored on the computer or accessed with the computer over the network.”
“Anything is possible,” says Marc Gaffan, cofounder of Incapsula, another California data-security company. “Malware can intercept all communications to and from your device, log your keystrokes and even turn on your Web cam.”
In other words, someone could watch and record you while you’re sitting at your computer or using your smartphone.
A window into the world of spyware opened when Gamma International, an English company that sells “The FinFisher Suite,” made international news for its apparent use by repressive regimes. Gamma provides little information about itself or its FinFisher software on its website, but presumably individuals and corporations can purchase its products, along with government entities.
“This malware provides the attacker with clandestine remote access to the victim’s machines, as well as comprehensive data harvesting and [exportation] capabilities,” according to research published last July by the University of Toronto’s Munk School of Global Affairs. “The malware employs a variety of techniques designed to evade detection and frustrate analysis.”
Not even Big Brother in George Orwell’s novel, “1984,” envisioned surveillance capabilities like that.
An idea as old as Aristotle
The idea that citizens of a democracy have a right to privacy dates to at least Aristotle, who more than 2,000 years ago drew a distinction between politics and domestic life. The idea infused English political philosophy, which influenced the men who wrote the U.S. Constitution and Bill of Rights.
“Privacy is a basic human right and it’s a basic fundamental value. It’s a need that we have,” says Timothy H. Edgar, visiting fellow at Brown University’s Watson Institute and the first-ever director of privacy and civil liberties for the White House national security staff under President Obama.
In the pre-industrial era of Franklin, Jefferson and Madison, protecting one’s privacy required little effort. But modern technology complicated matters.
Nineteenth-century cameras, increasingly lightweight and accessible to consumers, could capture permanent and reproducible images. The telephone brought the first two-way communication into the home. But cameras were not ubiquitous and film had to be processed and printed. Operators and party-line subscribers could listen in on a telephone call, but everyone knew that was the deal.
Until the last half of the 20th century, people used cash or checks for financial transactions. TV and radio entered homes — but they were one-way technologies, in but not out. Governments and businesses did not mount cameras on buildings, and in public and “private” spaces. Written correspondence was conducted mostly through the Postal Service, and most records were kept on paper. There was always the chance that private information could be stolen, but not by someone in Moldova or a suburb of Shanghai.
Computers brought potential for abuse, which Congress addressed in the Privacy Act of 1974. That act affirmed principles of the 1973 Code of Fair Information, which stipulated:
“There must be no personal data record-keeping system whose very existence is secret. There must be a way for an individual to find out what information about him is in a record and how it is used. There must be a way for an individual to prevent information about him that was obtained for one purpose from being used or made available for other purposes without his consent.”
The years passed, and the 1974 act, quaint-sounding today, remained essentially unchanged.
The Patriot Act and 9/11
And then came Sept. 11, 2001, when terrorists killed nearly 3,000 people. As President George W. Bush sent America to war, security at any cost seemed to be the cry of the land.
In this climate of fear, Bush secretly authorized the National Security Agency to begin monitoring domestic communications of suspected terrorists without obtaining a warrant. With startling speed and minimal dissent, Congress passed the Patriot Act, which gave the government unprecedented new powers of surveillance — and broadened the scope of the secret Foreign Intelligence Surveillance Court, which already smacked of Big Brother.
“The existing law was written in the era of rotary telephones,” Bush said in putting pen to the Patriot Act that Oct. 26. “This new law that I sign today will allow surveillance of all communications used by terrorists, including emails, the Internet, and cellphones.” Scared citizens applauded as privacy advocates’ warnings fell on deaf ears.
Expressing the view that government had overstepped its bounds under Bush, presidential candidate Barack Obama, who once taught constitutional law at the University of Chicago, promised change.
“My administration is committed to creating an unprecedented level of openness in government,” he wrote in a memo he signed on Jan. 21, 2009, the day after he was inaugurated president. “We will work together to ensure the public trust and establish a system of transparency, public participation, and collaboration.”
Yet Mr. Obama, in 2011, signed congressional legislation renewing the Patriot Act, and in 2012, he blessed a five-year extension of the Foreign Intelligence Surveillance Act, a companion bill that also empowers the NSA, FBI and other agencies.
Enter Edward J. Snowden
The date when the condition of Privacy was downgraded to critical may never be precisely determined. But confirmation was made public on June 5 this year.
On that day, The Guardian newspaper, based in London, published a secret court order that showed that the NSA secretly collected data on phone calls made by millions of American customers of telecommunications giant Verizon. The vast majority of customers were not suspected of any crime.
In the weeks that followed, The Guardian and The Washington Post published a succession of stories on information leaked by Edward J. Snowden, an analyst employed by NSA contractor Booz Allen Hamilton. He had been a model employee, taking a course to join the elite ranks of “certified ethical hackers,” according to a report July 4 in The New York Times.
Government snooping went well beyond monitoring phone calls, according to Snowden’s documents: The NSA and FBI were monitoring email and other information, some of it obtained from servers owned by AOL, Apple, Facebook, Google, Microsoft, Skype, Yahoo and other entities.
Mr. Obama joined some congressional leaders and NSA and FBI officials in seeking to convince the public that the government had struck “the right balance,” as the president put it, between privacy and security.
“Nobody is listening to your telephone calls,” Mr. Obama said.
But privacy advocates — and a growing percentage of the American public — were not convinced. Some raised the specter of “1984,” pointing to the abuses of former FBI head J. Edgar Hoover, Sen. Joseph McCarthy’s House Un-American Activities Committee and Richard Nixon’s Watergate as real-life precedents.
“Obama ran on opposing the Bush policies,” says the Rutherford Institute’s Whitehead. “Now people are calling him George W. Obama. He’s accelerated it. I have people on the far left calling me and saying, ‘What’s happened?’ ”
Snowden’s leaks prompted fears of a disturbingly cozy relationship between the NSA and private Internet giants. Speaking to reporters on July 3, Hans-Peter Friedrich, Germany’s top security officer, said people concerned about the privacy of their data should stop using websites such as Facebook and Google.
“Whoever fears their communication is being intercepted in any way should use services that don’t go through American servers,” the German minister said.
“Google is unique in seeking more ways to monitor more people’s behavior more intimately than any entity ever,” says Scott Cleland, author, blogger and president of Precursor LLC, a research firm based in McLean, Va., that has Fortune 500 clients, including some Google competitors.
“Other than an Orwellian ‘Big Brother’ state, Google is the only entity that aspires to collect and store indefinitely all private, intimate information on everyone online.”
Future peril
As technology reaches deeper and deeper into our lives, Whitehead envisions an intensifying nightmare.
He sees peril in biometrics, including iris, voice and facial recognition software, which the FBI is incorporating into its Next Generation Identification system. NGI reportedly will have the ability to identify an individual based on one’s physical appearance and voice from cross-linked databases of audio and image recordings from many sources: Google, security cameras, the video you posted to Facebook.
Whitehead also sees peril in drones, some of which in development are the size of a mosquito. With industry group Association for Unmanned Vehicle Systems International predicting a multibillion-dollar drone market, the Federal Aviation Administration estimates there will be 10,000 “active commercial” drones in the United States in a few years.
Some will be used for agriculture and other economic purposes, but privacy advocates fear abuse by the police, government agencies and others.
“They’re going to be everywhere,” Whitehead says. “They’ll have scanning devices; they’ll be able to fly over your home and scan your home. What do you do then? What if you’re having sex with your wife? Whatever you’re doing, they’ll know if they want to know.”
Whitehead further worries that technology is eroding free-speech rights guaranteed by the First Amendment.
He notes Google’s attempt to obtain a patent for “methods and systems for identifying problematic phrases in an electronic document, such as an email,” according to the company’s application to the U.S. Patent and Trademark Office submitted May 2. Use of such phrases could be accessed by governments and other parties to identify potentially “problematic” individuals. Orwell comes to mind again.
“This ‘problematic phrase’ thing was a tipoff by Google,” Whitehead says. “I’ve got friends and they text me silly things, like ‘the movie bombed.’ I go, ‘Don’t use the word bomb. Just say it’s a bad movie.’
“I always say living in a free society means not having to look over your shoulder to see who’s watching. But that’s exactly where we’re at.”
In his introduction to Whitehead’s recent book, “A Government of Wolves,” historian and author Nat Hentoff wrote: “If James Madison or Thomas Jefferson were brought back to life today, they would not recognize this country.”
But they undoubtedly would recognize the debate that Snowden’s revelations have rekindled — intrusion into the private lives of citizens.
“Unfortunately, people tend to feel pretty helpless to do much about it, so a common reaction is to shrug and move on,” says Lorrie Faith Cranor, head of Carnegie Mellon University’s Privacy and Security Laboratory and a board member of the Electronic Frontier Foundation.
Cranor suggests supporting privacy groups and writing to elected representatives urging stricter privacy laws. Whitehead concurs. He urges action on the local and state level, too, pointing to his effort this year to persuade the City Council of Charlottesville, Va., where he lives, to adopt a two-year moratorium on drones.
“People say, ‘Who’s the problem?’ I say, ‘Look in the mirror. You haven’t done anything. You can change history, but you have to go out and do it. It’s not going to happen by going to the mall.’ ”
Whitehead is not ready to pronounce Privacy dead.
“There is always hope where there is vigilance,” he says. “That’s what Jefferson said, essentially.”
