Schneier has a great article here on the many ways you are being tracked, but I think overlooks the fact that much of this record keeping happened prior to the internet. Almost all public activity generates a paper trail, and before the internet, your phone company, bank, grocery store, even your VHS rentals and public library, were keeping records on you. The internet makes it far far more efficient, but it didn't invent the collection of such records.
I think the focus shouldn't be on the unavoidable "information radiation wake" you give off as you move through the world living your life, but on the ways people utilize this information. The government, and private entities, need to be constrained in how this information can be legally used, not in the collection of it, which I think is impossible.
Consider health records, which lots of people are paranoid about. There's a lot of diseases we might be able to treat if people's health records were available to researchers. One might be able to detect correlations in disease from these records of millions of individual cases. But insurance companies and employers could potentially discriminate against you based on these records, so it is in your interest to keep your medical conditions secret. In cases, if you have a communicable disease, it is understandable you'd want privacy too.
Point being, the biggest danger of loss of privacy is abuse by the state or other private entities, and if we could build safeguards against that, the fact that your phone signals give away your location, or your subway card shows where you've been, might not be so threatening.
> Almost all public activity generates a paper trail, and before the internet, your phone company, bank, grocery store, even your VHS rentals and public library, were keeping records on you. The internet makes it far far more efficient, but it didn't invent the collection of such records.
In addition to efficient, it also made it more convenient and secure to do so. This aspect is huge.
The local video tape rental place may have kept records of every movie you rented, but an agency wasn't going to go in and demand your records from the scumbag owner unless it had a really pressing reason to, as it would potentially blow their investigation/operational security. Scumbag owner would have some guys in dark suits visit him and it'd be all over town in a matter of hours. The end result is that they probably wouldn't sift through your rental records.
Now, with the proliferation of the Internet, the government doesn't even need active participation of the records custodian, they can pull traffic off the wire and warehouse it themselves.
And if it does require active participation from the data custodian, they have nice National Security Letters with highly-threatening gag orders, which have proven to be quite effective.
> And if it does require active participation from the data custodian, they have nice National Security Letters with highly-threatening gag orders, which have proven to be quite effective.
But they don't need NSL's to get the data. Just as a plain old warrant or subpoena would have been enough to get your local video tape rental place's records of the movies you watch, it's enough to get Netflix's records of those movies.
The data offered by my old local video place, though, was pretty minor, and they were small enough that honestly I don't think anyone higher than the local police in the food chain cared.
If you can get Netflix, it suddenly justifies the effort to mine that data and weave it into a larger tapestry.
> The internet makes it far far more efficient, but it didn't invent the collection of such records.
This reminds me of a quote attributed to Joseph Stalin, "Quantity has a quality all its own."
The collection of data is not new. However, the extraordinary amount of data now collected, and the ease with which those data can be cross-referenced or otherwise mined, create a phenomenon that seems qualitatively new.
Please strike "public library" from the list of people who keep records for any length of time. This is a topic that libraries have known about for a long time, and most libraries have policies like "privacy of library users is and must be inviolable", and to "destroy [patron records] when no longer needed."
(Technically, "keep" includes "keep until the book is returned", but you mean "keep" in the sense of longer document retention, and I feel it's unfair to lump libraries into the same category as a bank, which has a legal obligation to keep long-term records.)
I remember talking with friends after we had seen the movie "Seven" in 1995 (seems like a lifetime ago). They all freaked out about the part where they said the FBI keeps records on what books people check out from the library.
Nobody would bat an eye about it today though...
Modeling each individual in a population the size of America based on a 1000 variables would be the realm of fantasy in the 1990s. The manpower requirements to even gather, organize and group large volumes of data made profiling, or things like Obama's campaign the things of science fiction.
Now the system has shifted dramatically. Not only is such analysis possible, it is constant. While the models are not perfect, they managed to get Obama to 1.5% of the final poll numbers.
Practically - this is a difference between bronze age weaponry and Iron age weaponry, and only one side has the ability to use these weapons. Normal citizens will not be able to run similar models on government.
Normal citizens don't have access to databases of such data, nor can they in turn stay one step ahead of the government.
Earlier the barrier for a government to collude against its populace meant that a strong civil rights movement could halt nascent programs because of the runway required for them to take off (Years and large manpower requirements just to record data).
Ideally at this stage, people need to know what is being predicted about them, how the data is being used. People need to be mutually armed and aware.
>I think the focus shouldn't be on the unavoidable "information radiation wake" you give off as you move through the world living your life, but on the ways people utilize this information. The government, and private entities, need to be constrained in how this information can be legally used, not in the collection of it, which I think is impossible.
You clearly describe two options: preventing collection, and limiting utilization. I agree that preventing collection is impossible, but I don't think simply limiting utilization is enough. I think limiting utilization and retention is key. As long as the data exist, it can be utilized in the future.
> I think limiting utilization and retention is key.
I think the retention point is valuable. But it also seems sort of impossible in some arenas.
Take Facebook. Say that the government can only retain information it collects for 6 months. Fine; but they could re-request that same data 6 months later.
I suppose there is always a way around this (no extensions without a warrant), but in principle retention seems both critical and a minefield of potential confusion. I'd be interested to hear others' thoughts on the topic.
Well, if the government had to 'redownload the entire Internet' every 6 months, then they might decide to curb their information habits (or like a junkie they might just look for ways to skirt the rules).
>but I think overlooks the fact that much of this record keeping happened prior to the internet. Almost all public activity generates a paper trail, and before the internet, your phone company, bank, grocery store, even your VHS rentals and public library, were keeping records on you.
I think you would've had a very hard time tracking someone through these records.
As an NYer, tapping John Gotti was very traditional compared to the blanket tracking of US citizens that has been granted by FISA.
As for Schneier's link to the Atlantic's article, I think we're moving to a new era where we trust developers and not the popularity or the design of the app itself. I'm sure one will be tracked when you don't have to pay anything for it.
Real time tracking, yes. But during investigation, no. The intelligence agencies and police states weren't blind before the invention of the internet, or even digitization of records.
In some cases, organizations simply had to actively file reports with government agencies via snail mail when certain suspicious activity was encountered, sort of an active, HUMINT client-side filter.
Best examples are one-way ticket purchases, or cash transfers at banks over $5000, or Western Union telegrams, these were actively monitored via human labor and dead tree paperwork.
I just posted this a few days ago, before all of this leaked, and I argued that this is a political issue. Right now there's nothing stopping anyone in a position of power from controlling you other than the social pushback. Who gives a damn about tracking you if the powerful can just scare you into submission? But we don't allow that. That's not kosher in today's world.
I feel the same thing goes for all the data we create. That data can be seen as an important tool for law enforcement (which I no doubt think that some of it is), but we cannot let it be used as a reason for subjugation. We need to make that unacceptable.
Well, before the Internet, the police could get a warrant with just cause, and tap your phone. That would end up as a box of reel-to-reel tapes that someone would have to listen to and transcribe.
Now, in the electronic age, they could demand that the phone company keep records of every phone call made by every single customer of theirs, and have it uploaded to the NSA computers for real-time analysis using AI. Different scope entirely.
Privacy is an illusion, and a dangerous one. It allows dishonest people to appear honest, and further perpetuates the lie of 'normal'. It closes minds and turns us against other people who are just as human as ourselves. Privacy allows corporations selective access to our data, with the promise that it won't be misused, sold or released to those who wish to do us harm. This is a promise that no corporation can reasonably be expected to keep, if they fall under the jurisdiction of any institution greater than themselves (Like the US government). We have a lot of anxiety around people finding out our secrets, but only because we expect privacy in a world (or internet) where true privacy doesn't really exist. If you do a thing, and you do it anywhere beyond in your own mind, you have affected reality, you have changed the universe, it is public. As terrifying as that might seem.
In a country where the average professional commits "Three Felonies a Day" (http://www.amazon.com/Three-Felonies-Day-Target-Innocent/dp/...), you're damned right, "We have a lot of anxiety around people finding out our secrets". Basically, our normal lives exist at the sufferance of these "public servants".
Selective enforcement has got to go. It's an infringement on all of our rights as human beings. Get rid of selective enforcement, and you get rid of ridiculous laws?
But how do you get rid of selective enforcement? If for no other reasons than limited resources, prosecutors have to decide who they'll pursue and how hard.
Disbarring a prosecutor from ever holding elective office is about the only thing I have been able to think of, and it's not hardly enough.
Get rid of the ridiculous laws is more like it. Perhaps our Founders had a point when they were trying to create a limited government? Gerry Ford's best ever quote puts it in the modern context, "A government big enough to give you everything you want is a government big enough to take from you everything you have." (http://en.wikiquote.org/wiki/Gerald_Ford#Address_to_Congress...)
Getting rid of the laws is the obvious move. If smoking pot is a felony, and 30% of the population has done it, then the law that makes smoking pot a felony is obviously a bad law.
A simple way to decide if a law is bad or not is to look at how many people break it each year. Any law that's broken by more than 1% of the population each year should be removed from the books.
Quick question about how it would play out in practice: how would it apply to things like financial regulation? For example, if more than 1% of banks ignore the rules about capital reserves, does that make the law about maintaining capital reserves void?
Or would this type of law only apply to laws enforced against individuals?
So how far does this go? For example, I would expect most of us litter from time to time, if only by accident (a piece of garbage flew from my car, for example). I would also say most of us speed (once again, if only by accident) and most of us have cut a corner on a noise ordinance. Does that mean we ought not to be able to fine anyone for littering, speeding or being too noisy?
The biggest issue I can see here is the "slippery slope" problem. At first parties are a bit louder, but enough people are doing it that we need to set the noise bar a bit higher. Then everyone gets a bit louder, and so on until it's untenable. It's like trying to walk across a street that never has speeding enforcement. People have long ago realized that and now drive much faster as a result. It didn't start like that, it just sort of got that way naturally.
> A simple way to decide if a law is bad or not is to look at how many people break it each year.
That's one way. I'd go further and say that if the "crime" doesn't have a victim, and involves strictly voluntary / consensual actions & behavior among adults (children may be a bit of a special case) then it is no crime.
I generally agree with Bastiat's[1] sentiments on this:
What Is Law?
What, then, is law? It is the collective organization of the individual right to lawful defense.
Each of us has a natural right — from God — to defend his person, his liberty, and his property. These are the three basic requirements of life, and the preservation of any one of them is completely dependent upon the preservation of the other two. For what are our faculties but the extension of our individuality? And what is property but an extension of our faculties? If every person has the right to defend even by force — his person, his liberty, and his property, then it follows that a group of men have the right to organize and support a common force to protect these rights constantly. Thus the principle of collective right — its reason for existing, its lawfulness — is based on individual right. And the common force that protects this collective right cannot logically have any other purpose or any other mission than that for which it acts as a substitute. Thus, since an individual cannot lawfully use force against the person, liberty, or property of another individual, then the common force — for the same reason — cannot lawfully be used to destroy the person, liberty, or property of individuals or groups.
Such a perversion of force would be, in both cases, contrary to our premise. Force has been given to us to defend our own individual rights. Who will dare to say that force has been given to us to destroy the equal rights of our brothers? Since no individual acting separately can lawfully use force to destroy the rights of others, does it not logically follow that the same principle also applies to the common force that is nothing more than the organized combination of the individual forces?
If this is true, then nothing can be more evident than this: The law is the organization of the natural right of lawful defense. It is the substitution of a common force for individual forces. And this common force is to do only what the individual forces have a natural and lawful right to do: to protect persons, liberties, and properties; to maintain the right of each, and to cause justice to reign over us all.
Where I disagree is the whole "from God" bit, considering that I'm an atheist. I consider the rights he is speaking of, as being a fundamental aspect of being a sovereign individual possessed of self-ownership and agency.
So where do your rights originate from then? Ultimately it comes down to authority. You can say you have the right but so can every other schmoe. I can even argue that you are wrong about your rights and you have no greater authority to say I am not correct.
Made up beings are not a greater authority either; rights are given by the consent of the society you live in. That is truly the only place they originate. You can debate endlessly about natural rights and natural law and God this or that, but the simple fact is you can do only what others allow you to get away with.
A right that you have is one that cannot be taken away. Traditionally this is limited to things that society has agreed not to take away. However we are slowly entering into an age where a new type of right emerges: a right that you seized and society is powerless to take away.
We don't normally think of "PGP'd email can't be read" as a "right", but that is essentially what it is. A right that has been seized, not granted.
These rights are of course vulnerable, just like rights granted by society. Instead of keeping society convinced that the right must remain granted, you instead have to be careful that you remain in a position where society is powerless. In practice, this is quite difficult.
Outlawing is a meaningless gesture if the possibility of enforcement does not exist. They can outlaw seized rights but if they cannot (or do not) enforce their laws then you will remain in possession of your seized rights.
For that matter, this applies even to granted rights. There are plenty of rights that people have that are outlawed by unenforced (and unenforceable) laws. Consider for example laws in less enlightened states that specify what sorts of sex two consenting adults are allowed to have. These laws are not enforced, making them little more than monuments to the ignorance of the past.
The possibility of enforcement for the example of PGP encrypted email is pretty obviously real: just throw anyone who is found to use PGP in jail for 10 days.
> Outlawing is a meaningless gesture if the possibility of enforcement does not exist
Irrelevant; it isn't a right if you can't defend yourself in court if you're caught doing it and detecting someone using encryption is not at all difficult. We're talking about rights here, not "what I can get away with". Your position isn't defensible.
Right. At the end of all the debate, when the smoke clears and the dust settles, you have the rights you're willing to claim, and able to defend.
In this context, the issue though, is what rights should "society" in the large recognize and hold as sacrosanct. I argue that the basic essence of being a conscious, self-aware individual, with agency and self-ownership of your body, entails what Bastiat refers to as the "inherent right to self defense". Others are, obviously, free to disagree.
Ah, your link doesn't support that rather wild claim in the least. You're saying a majority of UK citizens are involved in some sort of crime for pecuniary gain? Absurd.
I don't buy Silverglate's thesis at all. Every long-form article of his I've ever read is awash in BS (for example http://online.wsj.com/article/SB1000142412788732382670457835...). There are daft laws that people sometimes break and get punished for, which could not have been foreseen and for which no moral culpability can inure. Those cases are exceptional. But the idea that people are typically committing three felonies a day and effectively living in a state of perpetual blackmail is just not true.
He spends much of his book complaining (with some justification) that people such as securities traders have so much bureaucracy to deal with that they face a heightened risk of criminality through non-compliance. I think that both our regulatory and litigation systems are extremely unwieldy and that what we need is a bit less mechanistic proceduralism and a bit more bureaucratic autonomy and accountability but that's a far cry from the notion that pretty much everyone is a criminal.
I should probably add I'm in favour of full and open access to all data. For CIA Directors and Fishmongers alike. There should be no secrets. This half-assed 'privacy for the powerful, illusions of privacy for all!' approach is obviously not working.
Privacy or true privacy (which is it?) is a dangerous illusion? I don't know what you mean. What does 'as human as ourselves' mean? However the gist of your rhetoric could have been tailored nicely into an address by Stalin or Ceausescu.
I just don't get it. Hacker News, just days ago had a posting: "Police admit they're 'stumped' by mystery car thefts", and the collective response was something along the lines of "silly police don't know how to use google."
And now, the "hackers" are in disbelief that the US government is actually reading their emails and listening to their phone calls. NSS!
We got what we wanted here, folks. Information is free - free to be created, free to be read, and free to be copied, stored, decrypted and analyzed by anyone with the means and drive to do so.
I don't know who said it, but "Don't put anything online you wouldn't want to appear above the fold of the Wall Street Journal."
I think instead of trying to fight the increased levels of surveillance by both governments and corporations, we need to focus on increasing the levels of transparency. I personally don't really care that governments and other organizations have information about me. There is always an inevitable paper (or electronic) trail associated with using the internet and various services.
But I do care about the fact that the FBI can pull up information about me and I have no knowledge of it. If they collect information to combat terrorism, fine. But the 99.999 percent of innocent people being tracked have a right to be notified (and given a course of action for recourse) when they've been wrongly targeted, for whatever reason.
I know, it's an idealistic dream, but it is more realistic than combating the inevitable surveillance practices that are just now coming to light.
Agreed with your first point, and additionally we should be voting with our money (where we can) on services that have privacy and plausible deniability built into them from the ground up. There are unfortunately few examples of this out there, Mega being the only one I can conjure up at the moment (if it even works and is as secure as they claim).
What would you expect an FBI informational notification to say? What would they notify you of, that your activities have warranted investigation?
If anything, being notified that I'm being looked at would freak me out more than not knowing. We've entered this weird world of now needing to avoid appearances.
The thing that troubles me the most about the government accessing ALL of my data is the idea of false positives -- or hell, even purposefully spinning one aspect of my data to mean whatever the hell they want it to mean. If we don't have access to the same information, how are we supposed to defend ourselves against accusations?
Well, I'd probably expect transparency to at least come in two forms:
1. Broad annual reports containing the number of individuals who were investigated, or whose 'file' was pulled, and the number of investigations that resulted in some sort of prosecution. Basically, give me the figures that show me the efficiency of the NSA investigations. This would help combat just broad pulling of records without specific cause and purpose. You could go so far as to say that after passing certain thresholds of efficiency, their actions would be audited. Note that I realize this is not ever likely to happen, but just trying to give an example of how increased transparency could be done.
2. Individual notification. This is obviously much more difficult because they wouldn't want to tip off a legitimate threat to the fact they are under investigation. But the general alternative is not acceptable either. The government can't just investigate people and invade their privacy without good reason. So somehow, individuals need to know.
The checks and balances of Executive, Legislative and Judicial branches is an effective mode of government, but there is a second 'check': the one by the people. If I don't know my rights are being violated, how can I hold the government responsible?
So, yes, some form of individual notification is necessary. Maybe the notification happens after the investigation is finished. Maybe I'm notified a year late. But one way or another, I have a right to face my accuser.
I've honestly never really quite recovered from watching the dreams of the cypherpunks die so hideously and completely. I guess it's because the ideas / movement / whatever bubbled up when I was at that age when you think this is going to be the groundswell, my generation is going to cause a fundamental change in the world.
If you're unfamiliar, there was a strong meme in the late eighties through early/mid nineties among a certain set that the perfect storm of public key encryption (still wonderfully unbounded in our minds) and the emerging global network would be a nexus point for personal power in privacy, anonymity and security and in many real ways break down the bonds of the states. It's worth noting that this was about the time that the Soviet Union fell, and many in the know had gotten a first taste of global presence by hearing about the people in the streets via Usenet before it made the news.
It wasn't that I was particularly a hard core believer or activist, at least compared to many I knew. But for those who understood what an immense impact the internet was going to have it seemed to everyone I knew - NSA, hackers, professors, that it was just how it would be. You couldn't hope to spy on pretty much anyone anymore when you could use perfect encryption to scramble a telephone call or an email. Kind of like when you knew everyone was about to have a touch phone.
I was ideologically aligned and mixed in such circles, nerds were still outcasts so not really too big a world, but my life was busy with other things - but I watched from a distance, fascinated with all the ideas and things to come. I'm not sure I've ever really been more sure something was going to happen, at least to a very significant degree.
The government was sure too - that was when they came up with CALEA and people got upset but mostly scoffed - there was a real sense that they were just in their death throes.
Things got pretty busy, Internet boom. Company got bought by an agency, every big name anybody needed to be on the Internet yesterday. Was a blast though a bit of a blur - ended up in SF as the whole thing worked itself into a nasty hangover. Can't remember worrying too much about when the cypherpunks were going to win but still knew it had to be coming, err well it's just about adoption.
It really sucks to wake up after a bender and realize that you helped kill the dream that you were just waiting for someone else to make happen.
Working infosec as California recovered put me face to face with reality pretty early in this cycle. Not only was the thing I was so sure of totally not how it went down, with shift from relatively petty financial fraud and wankers to states and srs.bsns abandoning defense to focus solely on offense it's been very hard to square. It's hard to believe many people ever feel so sure about something that turns out so absolutely opposite.
Well, don't completely give up hope just yet! All the tools needed to create the world you mentioned exist today. We have good open-source encryption that can be applied to all sorts of data and hide your tracks if you really want to. What we don't have (yet) is something so easy that the general public can do it. Like, tap a padlock icon on your cellphone and suddenly anything your phone does is encrypted and only the receiving party can decrypt it.
GPG/PGP-plugins could be added to just about anything. Hang in there and keep up the fight. Keep explaining your point of view to anyone who will listen. There have been times in history where seemingly-invincible corporations and/or groups of very privileged people get overturned when the general public "wake up" to what's going on.
Even what's going on in North Korea won't last forever, there will be someday that one major incident that domino-effects into the downfall of that whole system.
"And never forget, the internet only knows what you tell it... more or less" --me!
>>> tap a padlock icon on your cellphone and suddenly anything your phone does is encrypted and only the receiving party can decrypt it.
Or so you think until it turns out an amendment to a 2000-page farm appropriation bill actually mandated a government backdoor to be installed into any phone legally sold in the US, and 100% of US providers implemented it 5 years ago. And this backdoor is accessible without warrant since you communicate over public airwaves so you have no expectation of privacy.
> Like, tap a padlock icon on your cellphone and suddenly anything your phone does is encrypted
Not good enough: you have to think of activating it. And even if you do, most traffic will still be unencrypted, making it easier for spies to tell who may have something to hide, and when they do.
To have real good, actual privacy, everything should be encrypted by default, the internet itself should be a giant scrambling overlay network such as Tor, and people should have symmetric bandwidth to encourage decentralization —no more need for YouTube.
I think that's what screwed it all up, in the end: lack of symmetric bandwidth. Without symmetric bandwidth, everyone needs to talk to centralized services and servers in order to pass any data around larger than an email attachment. Those services and servers become power centers, which attract surveillance and corruption.
A really safe internet has to look more like BitTorrent and less like YouTube.
Also, pervasive NAT and dynamic IPs. David Reed mentioned somewhere that he'd argued against 32-bit IP addresses and lost.
There've been powerful incentives for software on servers; I think the above got in the way of p2p getting much of a foothold to develop its own advantages.
Regarding phones, this is already the case with iOS. The Full-disk and Full-filesystem encryption mechanisms appear to be fairly/very strong. I believe since Android 4, full filesystem encryption has been supported, but I'm not sure if it's as well-integrated as on iOS.
Apple has made an effort (although an imperfect one) to make text messaging secure by default.
Obviously Apple screwed up pretty badly by making all this stuff closed-source, and it's probably full of vulnerabilities, but the reality is that this seems to be, in practice, enough to thwart LEO attempts to surveil users of iOS devices.
What's the problem with most traffic being unencrypted? If you have something in particular that you want hidden, it's possible to make sure that it gets hid. What more do you need?
Exactly. They may not know what you're hiding, but if they see small portions of your internet traffic are encrypted using a scheme very different from your regular traffic, flags are raised. Then it's simply a matter of sending an NSL to whoever they need to in order to get the content of the message.
> What we don't have (yet) is something so easy that the general public can do it.
Companies are starting to realize that providing a good experience is the most important thing your company can do to stay relevant. Dreams often die in execution -- but I think we're getting to a point where a group of dedicated individuals focused on creating an exceptional Internet experience built on privacy and encryption really could make something happen.
I used to use GPG on Linux and OS X. I tried so very hard to keep using it. But it was the biggest pain in the ass, so eventually I just gave it up. I pulled up my key not long ago and had totally forgotten my passphrase.
The devil is in the details. Creating something familiar, something usable, and something that the average person would actually want to use is the part we need to get right.
Have you used the new GPGTools client for OS X yet? It's the easiest thing in the world to encrypt emails. I don't even have to put a second thought in. OS X also supports S/MIME out of the box, which is just as easy (if not easier) to use after you get it set up.
I used something similar back in 2007 and it just became a pain. It was never unusable -- lots of people do it -- it was just never truly seamless for what I saw as decreasing value for the minor frustration. The experience of using this kind of technology should be as embedded in everyday life as keeping your keys with you all the time, in my opinion. That's how you get people to do it more.
We still haven't figured out a way around rubber hose decryption, and the sad truth is that we're more likely to draw attention to ourselves by encrypting everything in personal email than we are by trying to fly under the radar.
There is no perfect way around rubber hose decryption, but we've some defenses. Off the top of my head, some significant ones:
1) Proper anonymity, so they don't know who to beat.
2) Deniable encryption.
3) Steganography.
4) (with 2) Sacrificial data of less significance to "give up" after sufficient beatings.
5) Social norms against beatings and similar coercion, extending to extreme circumstances.
6) Governmental transparency.
Neither individually nor collectively are these perfect security (and some are only relevant to certain circumstances) but they help to limit it.
> I've honestly never really quite recovered from watching the dreams of the cypherpunks die so hideously and completely.
This is really what the rage on the internet is about. People like to pretend they're mad at the government overstepping its Constitutional boundaries, but what they're really mad about is the failure of their attempt to re-litigate the division of power between government and the people.
I think that's true, though there's a third axis, companies, which is a big part of that failure. One major change in the tech scene over the past few decades is that a significant proportion of us effectively went over to the other side: many techies now work for companies whose goal is, as with the government, to collect data on people, construct profiles, and share it around as convenient. That left rather fewer (though still vocal) people working for the opposite goal of anonymity, non-trackability, and flexible/modifiable pseudonymous identities. It also made it much easier for the government to piggyback on that tracking infrastructure we ourselves are building.
Every time we see another consumer web startup which relies on advertising or mining user data, we see yet another nail in the coffin in freedom and privacy for users. But, that's okay, because we're totally killing it, and that bridge round is coming any time now to keep us in our expensive lofts and designer foods.
Way to go, folks. Hope it was worth selling out the rest of your fucking race.
It's the conflict between two different paradigms for the internet. Cypherpunks want to think of the internet as a tool for trading ideas, potentially subversive ones. Most people think of the internet as a social or commercial space.
Nicely put. When viewed that way, the internal "nymwars" at Google look like a pretty direct culture clash between those paradigms: should G+ allow pseudonymous profiles to protect free exchange of ideas (possibly including stigmatized or even dangerous ones), or should it insist on real names, to reduce spam, trolling, and other trouble-making, and improve the quality of the data collected?
It seems Google had a significant number of employees in each camp. But the market logic was pretty firmly in one of those camps and not the other...
That's a great point, and it points to a weakness that most privacy advocates don't really address very well: knowing more about you allows some companies to do things better for you. They have to answer the question, how do we provide the same awesome services while also preserving privacy?
Oh, that's probably partly because that wouldn't help its detractors any one bit: as a dead martyr, RMS would be more powerful than as a living bitter old figurehead. (Disclaimer: I know nothing about RMS' actual mood.)
Even in those times, it was realized that there are 300,000,000 Americans. That there was no way that any technology, including today's, could begin to monitor any but the crudest details about all the traffic so many generate. That such an insurmountable problem can be made even harder with encryption, phoney identities, phoney traffic, and dozens of counter-counter-measures. Let alone be privy to what we do and say 'out-of-range'.
Only the monitoring computers have the time and patience to look at as much as they can ... and they can't parse text sentences (let alone voice comms) well enough to do anything but scrutinize for a few common terms ... let alone nuances (seen Google translate?). A couple of back-of-the-envelope calculations will demonstrate that to anyone.
The agencies and the corporations know that but they refuse to cop to it, possibly because it's so obvious that all they can do is -pretend- to be able to monitor a significant fraction of it all. Maybe because pretending is the only hope they've got left.
There are two obvious ways to fight this. First, add a lot of noise. For example, you could change your name to something extremely common. You could broadcast inaccurate data about yourself.
Secondly, whenever you do need privacy, use the social equivalent of a one-time pad. Never execute the same mechanism twice. For example, you could conceivably use a cantenna to access a distant wi-fi spot. You could buy the wireless cards with cash (and walk to the store where you buy it, preferably in a city that you don't frequent - and get there by car with good mileage so that there's limited trace of you being there), and buy a used laptop on craigslist with cash....
While surveillors can be open-minded, to a certain degree access to enhanced tracking technology will also engender a stronger reliance on the streetlight effect - and complete expurgation of the streetlight effect is impossible.
Those who would stop this cannot: their whole lives are also part of the surveillance state. Politicians, generals, senators, prime ministers and CEOs all: their dirty laundry and skeletons in the closet that they thought were secret are no longer.
No one of power will fight this because they are afraid of becoming its target.
I am really surprised how people are reacting to surveillance revelations. These practices are obvious and have been in use for as long as I can remember. Did no one really know about widespread government surveillance? You don't have to look very hard to find evidence. Bottom line: this has been happening for a long time. Do you really think that the military released the internet because it made them feel all fuzzy inside? Think about it.
Why not just flood the NSA with false data? We know that they monitor all data through those big ten companies. Couldn't botnets be configured to just start surfing the internet, maybe doing keywords that would trigger the government monitoring? I assume that enough junk information would fill up the gov. databases that they would have a harder time trying to figure out what's real and what's just useless data.
Because then the government would still have our private data, the only thing you'd have effectively done is made it that much more difficult for the government to do the one and only valid thing they could have done with that data (track terrorists, child pornographers and sex traffickers, etc.)
So what if you use something like a Russian VPN or Tor? It seems like that would only be vulnerable to attacks based on exact connection times and to traffic volume analysis, both of which could be avoided by generating fake traffic.
There is no reason to trust large companies with our data. We should move to content oriented networking where data is encrypted by default and we can choose what networks our data goes into and how it is accessed.
We should also use peer based grid/mesh networks as much as possible.
"If the director of the CIA can't maintain his privacy on the Internet, we've got no hope."
Blah. Ignoring for the moment that he's 6 levels removed from the agents in the field, notoriously the very few of them out there (last time I checked 90% of the CIA is desk bound in the US) are very bad at fundamental trade-craft, with the Camp Chapman attack (http://en.wikipedia.org/wiki/Camp_Chapman_attack) as a telling extreme example.
I don't think the example of CIA director John Deutch, who I tracked because of his prior role in the midnight execution of the MIT Applied Biology Department (I had a roommate in it at the time), gives us any assurances of that. The bare bones from Wikipedia only hints at the severity of his crimes (read later, pardoned by Clinton in the latter's last day in office; http://en.wikipedia.org/wiki/John_M._Deutch#CIA_career):
"Deutch left the CIA on December 15, 1996 and later that year it was revealed that several of his laptop computers contained classified materials designated as unclassified."
Specifically, he took sensitive compartmented information (SCI, http://en.wikipedia.org/wiki/Sensitive_Compartmented_Informa...), stuff which was covered by special access programs (http://en.wikipedia.org/wiki/Special_access_program) that required you to acknowledge each time you accessed it that it was so, and that you not leave the secured area with it, and put it on his personal PCs connected to the Internet, which he used to write up stuff which he emailed, again over that unsecured Internet, to people in the Clinton White House.
It's hard to express just how bad this is, not to mention how this angered the community of people with "tickets" (clearances, which, BTW, I've supplied recommendations for two of my friends, one who went to the NSA, the other with a TS/SCI ... which I know nothing about, except we can and do discuss which technology he's using (e.g. Microsoft)).
I would hope "the average person", after getting the usual training, and signing off on access to SCI, would understand and follow the simple idea that "Don't take it out of this room" means exactly that.
"The average person" would, I think, know he wouldn't be protected from prosecution by political pull if he violated that simple, white line rule....
Why should I agree to that? The director of the CIA is a political appointee not an uber spy. They probably have more security training than your average citizen but not much more.
Errr, I've read that's a standard tactic nowadays. You write and save drafts, and the other person logs into the account and reads them. No email servers are touched, it's supposed to be a good method ... unless of course an IP address is compromised. As mentioned, once they started looking, they correlated the IP addresses and times with her hotel stays.
Yes, I read that somewhere as well. It is still a bad tactic.
At first you would want to encrypt the information.
Then you would like to have some method of transfer that does not stick out and could hide the intent to transfer encrypted data. Perhaps with the help of some steganography tool. And you would make sure that nobody identifies you in the process by using tools like Tor.
This "I hope they don't notice" method is just gambling.
Agreed, the "saving as draft" method is more hiding in plain sight than anything. It doesn't protect the content of the data, and if you're not paying attention it's easy for someone to see who's been accessing the data. It's more a defense against people that aren't really looking that hard.
Well, it might be a good method of keeping the readers' identities anonymous (provided they use Tor or a VPN to connect). But "saving a draft" is definitely keeping a copy on Google's servers; an interested party would have no trouble getting their hands on the content.
I always wonder how fast telepests start to call you once you register at some online service with your phone number. UKFast hosting I believe sells your data immediately. Comparison sites do the same.
lol, there is no way Guns are going to get banned now. More people will buy guns cause of this. I don't know if the Government did this knowingly or unknowingly.