In large part that’s because the degree of privacy in online environments isn’t salient. Intuition fails when thoughts of privacy fade into the background. Once we can’t directly perceive people, we don’t do so well. We don’t think, “There’s a for-profit corporation recording everything I say and trying to turn that into advertising.” We don’t think, “The US and maybe other governments are recording everything I say and trying to find terrorists, or criminals, or drug dealers, or whoever is the bad guy this month.” That’s not what’s obvious. What’s obvious is, “I’m at this virtual party, with my friends and acquaintances, and we’re talking about personal stuff.”
And so we can’t use people’s continual exposure of their private data on these sites as evidence of their consent to be monitored. What they’re consenting to is the real-world analogue they have in their heads, and they don’t fully understand the ramifications of moving that system into cyberspace.
Companies like Facebook prefer it this way. They go out of their way to make sure you’re not thinking about privacy when you’re on their site, and they use cognitive tricks like showing you pictures of your friends to increase your trust. Governments go even further, making much of their surveillance secret so people don’t even know it’s happening. This explains the disconnect between people’s claims that privacy is important and their actions demonstrating that it isn’t: the systems we use are deliberately designed so that privacy issues don’t arise.
We need to give people the option of true online privacy, and the ability to understand and choose that option. Companies will be less inclined to do creepy things with our data if they have to justify themselves to their customers and users. And users will be less likely to be seduced by “free” if they know the true costs. This is going to require “truth in product” laws that will regulate corporations, and similar laws to regulate government.
For starters, websites should be required to disclose what third parties are tracking their visitors, and smartphone apps should disclose what information they are recording about their users. There are too many places where surveillance is hidden; we need to make it salient as well.
Again, this is hard. Notice, choice, and consent is the proper way to manage this, but we know that lengthy privacy policies written in legalese—those notice-and-consent user agreements you click “I agree” to without ever reading—don’t work. They’re deliberately long and detailed, and therefore boring and confusing; and they don’t result in any meaningful consent on the part of the user. We can be pretty sure that a pop-up window every time you post something to Facebook saying, “What you’ve written will be saved by Facebook and used for marketing, and will be given to the government on demand,” won’t work, either. We need some middle way. My guess is that it will involve standardized policies and some sort of third-party certification.
ESTABLISH INFORMATION FIDUCIARIES
In several areas of our lives we routinely give professionals access to very personal information about ourselves. To ensure that they only use that information in our interests, we have established the notion of fiduciary responsibility. Doctors, lawyers, and accountants are all bound by rules that require them to put the interests of their clients above their own. These rules govern when and how they can use the information and power we give them, and they are generally not allowed to use it for unrelated purposes. The police have rules about when they can demand personal information from fiduciaries. The fiduciary relationship creates a duty of care that trumps other obligations.
We need information fiduciaries. The idea is that they would become a class of organization that holds personal data, subject to special legal restrictions and protections. Companies could decide whether or not to become part of this class. That is comparable to investment advisors, who have fiduciary duties, and brokers, who do not. In order to motivate companies to become fiduciaries, governments could offer certain tax breaks or legal immunities for those willing to accept the added responsibility. Perhaps some types of business would be automatically classified as fiduciaries simply because of the large amount of personal information they naturally collect: ISPs, cell phone companies, e-mail providers, search engines, social networking platforms.
Fiduciary regulation would give people confidence that their information wasn’t being handed to the government, sold to third parties, or otherwise used against them. It would provide special protections for information entrusted to fiduciaries. And it would require certain duties of care on the part of providers: a particular level of security, regular audits, and so on. It would enable trust.
Along similar lines, Internet security expert Dan Geer proposed that Internet service providers choose whether they were content companies or communications companies. As content companies, they could use and profit from the data but would also be liable for the data. As communications companies, they would not be liable for the data but could not look at it.
In the Middle Ages, the Catholic Church imposed a strict obligation of confidentiality regarding all sins disclosed in confession, recognizing that no one would partake of the sacrament if they feared that their trust might be betrayed by the priest. Today we need a similar confidence online.
INCENT NEW BUSINESS MODELS
Surveillance became the business model of the Internet because it was the easiest thing that made money and there were no rules regulating it. It has remained the business model of the Internet because the costs are low, the potential gains are enormous, and (at least in the US) there are still no rules regulating it.
By both regulating the collection and use of our data, and raising the costs of retaining our data, we will naturally incent new business models that don’t rely on surveillance. The technical capabilities already exist. There’s a lot of research on building privacy into products and services from the start: privacy by design. Credit card companies don’t have to track our every purchase in order to bill us and prevent fraud. Cell phone providers don’t have to permanently record our locations in order to let us make phone calls and send text messages. The Internet can be built with strong anonymity protections. Electronic cash can be both secure and anonymous. All of these things are possible; we just have to want them.
Admittedly, this will be a slow process. The companies that most extensively collect our data believe in the potential for massive increases in advertising revenue. Internet advertising might be a $125 billion business worldwide, but it’s still only 25% of the advertising market. Companies like Google and Facebook have their eyes on the advertising money spent on television (40%) and in newspapers and magazines (36%). They have a lot of money invested in the value of big data—collecting everything and then figuring out what to do with it later—and will not switch gears easily. Journalist James Kunstler calls this the “psychology of previous investment,” and it’s why we so often throw good money after bad. Admitting you’re wrong is hard, especially because the cost of data collection and storage is so low.
In a market economy, if a company can’t figure out a profitable business model, others that do will emerge. If we succeed in raising the cost of surveillance and data collection, new businesses that don’t rely on it will rise up and take the place of the current ones that do.
FIGHT GOVERNMENT SURVEILLANCE
So far, the most important effect of the Snowden revelations is that they have ruptured the public-private surveillance partnership I discussed in Chapter 6. Pre-Snowden, there was no downside for a company cooperating with the NSA. If the NSA asked you to supply copies of all your Internet traffic, or to put backdoors into your security software, you could assume that your assistance would forever remain secret. To be fair, not everyone cooperated willingly. Some fought in court. But it seems that a lot of them, government-regulated monopoly telcos and backbone providers especially, were happy to give the NSA unfettered access to everything it demanded. It was easy, and they did it all through the Cold War, and then immediately after 9/11, without fuss.
This is changing. There is now business value in championing privacy and fighting the NSA, and business harm in cooperation. There are basically four means by which corporations can fight: transparency, technology, litigation, and lobbying.
Many computer companies—Yahoo, Google, Microsoft, and others—are now regularly publishing “transparency reports,” giving us a general idea of how many government data requests the companies have received and how many they have complied with. It’s largely PR motivated, to reassure us that only a very small percentage of users’ data is being sent to the government. For example, in 2013 Google says it turned over the Internet metadata of somewhere between 1 and 2,000 users, and the contents of communications from between 18,000 and 20,000 users, to the US government. Those ranges are regulated; the companies are not allowed to report exact numbers, although many are pressing the government for the ability to reveal more precise information. (Google already reports more precisely on requests from other governments around the world.)
Even some of the telcos and cable companies are releasing transparency reports, starting with CREDO Mobile in early 2014. These have less value. Verizon, for example, reports that it received 320,000 “law enforcement demands” for data in 2013. We know that every three months Verizon is served with a single National Security Letter that requires it to turn over the metadata of all 290 million of its customers, so what does that 320,000 mean?
Some companies are trying to go further. In 2014, Apple announced that it would inform individual users about all government demands for its data that it was not specifically legally prohibited from disclosing. Microsoft and Google have teamed up to sue the US government, demanding more transparency. Yahoo is doing the same.
Other companies are employing “warrant canaries” to try to get around legal gag orders. Starting in 2013, Apple’s transparency reports contain this sentence: “Apple has never received an order under Section 215 of the USA Patriot Act.” The idea is that if it ever receives such an order it will be prohibited from disclosing it, but it could remove the sentence as a signal to watchful readers. The courts have never ruled on the legality of this practice, and I personally am skeptical that it would work, but it’s a valiant and clever effort.
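The mechanism behind a warrant canary is worth seeing in code, because the passive version described above (a sentence that is simply present or absent) has two weaknesses a reader cannot detect: a third party could mirror the old sentence after the provider removed it, and the provider could just stop updating the page without anyone noticing. The following is an added example, not code from the book or from Apple: it models a canary as a dated, expiring statement signed with the provider’s Ed25519 key, and a reader-side check in which a missing canary, a bad signature, an altered sentence, or an unrenewed (expired) canary all count as the canary going silent. The key, the dates, and the JSON layout are constructed for the example; the sentence is the one quoted above. What the signature cannot do is prove that the sentence is true or that the provider was not compelled to keep signing it, which is exactly the legal uncertainty the paragraph points to.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// CanaryStatement is the sentence the transparency reports carried.
const CanaryStatement = "Apple has never received an order under Section 215 of the USA Patriot Act."

// Canary is what a provider publishes on a fixed schedule. The expiry is what
// lets a reader tell "quietly withdrawn or not renewed" from "still in force".
type Canary struct {
	Statement string    `json:"statement"`
	Issued    time.Time `json:"issued"`
	Expires   time.Time `json:"expires"`
}

// SignedCanary is the published artifact: the exact JSON bytes plus an Ed25519
// signature over them from the provider's long-term canary key.
type SignedCanary struct {
	Payload   []byte
	Signature []byte
}

// Status is the reader's verdict; anything but StatusAlive means the canary has gone silent.
type Status int

const (
	StatusAlive            Status = iota
	StatusMissing                 // nothing published at the expected location
	StatusBadSignature            // payload tampered with, or signed by some other key
	StatusStatementChanged        // authentic, but the promised sentence is gone or altered
	StatusExpired                 // authentic and intact, but past its expiry (not renewed)
)

func (s Status) String() string {
	names := [...]string{"alive", "missing", "bad signature", "statement changed", "expired"}
	if int(s) < len(names) {
		return names[s]
	}
	return "unknown"
}

// NewKeypair makes the provider's signing key (constructed for the example; a real
// provider keeps the private half offline and publishes only the public half).
func NewKeypair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign serialises the canary and signs exactly the bytes that will be published.
func Sign(c Canary, priv ed25519.PrivateKey) (*SignedCanary, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return nil, err
	}
	return &SignedCanary{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Check is the reader's side. The signature is verified first so that nothing in
// an unauthenticated payload, its dates included, is trusted before it is checked.
func Check(sc *SignedCanary, pub ed25519.PublicKey, expected string, now time.Time) Status {
	if sc == nil {
		return StatusMissing
	}
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, sc.Payload, sc.Signature) {
		return StatusBadSignature
	}
	var c Canary
	if err := json.Unmarshal(sc.Payload, &c); err != nil {
		return StatusBadSignature
	}
	if c.Statement != expected {
		return StatusStatementChanged
	}
	if !now.Before(c.Expires) { // expiry instant itself already counts as stale
		return StatusExpired
	}
	return StatusAlive
}

func main() {
	pub, priv, err := NewKeypair()
	if err != nil {
		panic(err)
	}
	// Constructed dates: a quarterly canary issued on 1 January 2014.
	issued := time.Date(2014, 1, 1, 0, 0, 0, 0, time.UTC)
	sc, err := Sign(Canary{Statement: CanaryStatement, Issued: issued, Expires: issued.AddDate(0, 3, 0)}, priv)
	if err != nil {
		panic(err)
	}
	fmt.Println("fresh:  ", Check(sc, pub, CanaryStatement, issued.AddDate(0, 1, 0)))
	fmt.Println("missing:", Check(nil, pub, CanaryStatement, issued))
	fmt.Println("stale:  ", Check(sc, pub, CanaryStatement, issued.AddDate(0, 4, 0)))
	forged := &SignedCanary{Payload: append([]byte(nil), sc.Payload...), Signature: sc.Signature}
	forged.Payload[len(forged.Payload)-2] ^= 0x01 // flip one bit inside the published payload
	fmt.Println("forged: ", Check(forged, pub, CanaryStatement, issued))
}
```

A reader has to obtain the provider’s public key out of band and pin it; fetching it from the same page as the canary would let whoever controls the page replace both. In practice providers use OpenPGP signatures rather than raw Ed25519, but the verdict logic is the same.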
On the technology front, many companies are stepping up their use of encryption: of their Internet connections with their users and customers, of their own networks, and of their databases. After Google learned that the NSA was eavesdropping on its trunk communications links between data centers, it encrypted those links. After Yahoo learned that the NSA was eavesdropping on the web connections between its users and Yahoo websites, both Yahoo and Microsoft (which assumed its users were being eavesdropped on, too) began encrypting them. Several large e-mail providers are now encrypting e-mail as it flows between their data centers. Other companies are doing more to encrypt communications between them and their users and customers. Both iPhones and Android phones are encrypted by default. Google is now offering end-to-end Gmail encryption, although my guess is that it will be a little-used option because users won’t be able to search and sort their e-mail if it remains encrypted.
In the courts, companies should litigate on their users’ behalf. They should demand court orders for all access, and fight back against any court orders that seem overly broad. Some of this is already going on. In 2008, Yahoo secretly fought the NSA in court long and hard before being forced to join the PRISM program. In 2012, Twitter unsuccessfully fought a government demand to turn over information related to an Occupy Wall Street protester. As of 2014, Facebook is fighting a court order to hand over 400 users’ private messages, photos, and the like to a New York district attorney looking for evidence of Social Security fraud.
Companies can do more to support litigation efforts. They should file amicus briefs in any cases whose precedents affect them. In 2013, when the FBI demanded the master key for all Lavabit users in an attempt to get at one person’s e-mail, none of the big e-mail providers—Google, Microsoft, Yahoo, anyone—filed briefs in that case. Why not? They need to recognize that we’re all in this together.
The Internet’s international nature again creates a complicated wrinkle in this. It’s one thing for a corporation to comply with lawful requests for data from its own country, but what about other countries? On four occasions in the early 2000s, Yahoo complied with Chinese government requests for data about individual users that led to those people’s arrest and imprisonment on charges of “subversion” and “divulging state secrets.” Should Yahoo have done that? Does it make a difference if the repressive regime is, like Saudi Arabia, on friendly terms with the US? Many US Internet companies argue that they are not subject to the jurisdiction of countries in which they do not maintain offices. A US company probably can’t resist Chinese law, but it probably can resist the laws of smaller and less powerful countries. In a lot of ways, these companies can choose which foreign laws they want to follow or not. They should choose to maximize their users’ privacy.
In the halls of politics, corporations should use their political influence. Google, Facebook, Microsoft, and others are actively lobbying for legislative restrictions on how the US government conducts surveillance. This is good, but we need more. Often the most persuasive arguments in Washington come from corporations concerned about their bottom line.
It’s important not to make too much of all this. Corporate interests may temporarily overlap with their users’ privacy interests, but they’re not permanently aligned. For years, corporations fought any laws limiting their ability to collect and use data. The EU has been trying to pass an updated and stricter data protection regulation, but faces furious lobbying from US Internet companies that don’t want to stop data collection. This newfound backbone to stand up to the NSA is more about managing user perceptions than about solving privacy problems. This is why we need strong regulations on corporations as well.
A NEW MAGNA CARTA
Tim Berners-Lee, the inventor of the World Wide Web, has called for a new Magna Carta—one that restricts the actions of both governments and corporations, and that imposes responsibilities on information-age corporations rather than just rights. The historical analogy is actually not that great, but the general idea is worth exploring. It’s basically what I’m calling for in this book.
Recall Chapter 4, when I characterized the corporation–user relationship as feudal? That’s because it’s ad hoc and one-sided: based on an end-user license agreement that’s written in mind-numbing legalese and that the company can change at whim. Historical feudalism was a lot like that; the lords had the power to force the peasants into relationships whereby the lords possessed all the rights and were burdened with few enforceable responsibilities. In medieval Europe, the rise of the centralized state and the rule of law provided the flexibility that feudalism lacked. In 1215, the Magna Carta became the first modern document enshrining the idea that the legitimacy of a ruler comes from his subjects, and subjected the king to the rule of law. The document first imposed responsibilities on kings with respect to the lesser lords, and over time put society on the long road towards government of the people, by the people, and for the people.
In the 1700s, when countries were beginning to recognize that their governing power derived from all the people, the prevailing political philosophy was that of Thomas Hobbes, who argued that the people sacrifice power and freedom to a benevolent sovereign, who in return provides them with various services, including security. John Locke argued that this relationship is unfair and unbalanced, and that governments derive their authority from the “consent of the governed.” This notion fueled the English, French, and American revolutions, and led to the French Declaration of the Rights of Man and the Citizen and the US Bill of Rights.
In her book Consent of the Networked, journalist and digital rights advocate Rebecca MacKinnon makes this point: “No company will ever be perfect—just as no sovereign will ever be perfect no matter how well intentioned and virtuous a king, queen, or benevolent dictator might be. But that is the point: right now our social contract with the digital sovereigns is at a primitive, Hobbesian, royalist level. If we are lucky we get a good sovereign, and we pray that his son or chosen successor is not evil. There is a reason most people no longer accept that sort of sovereignty. It is time to upgrade the social contract over the governance of our digital lives to a Lockean level, so that the management of our identities and our access to information can more genuinely and sincerely reflect the consent of the networked.”
Madrid Privacy Declaration (2009)
Civil Society takes the occasion of the 31st annual meeting of the International Conference of Privacy and Data Protection Commissioners to:
1. Reaffirm support for a global framework of Fair Information Practices that places obligations on those who collect and process personal information and gives rights to those whose personal information is collected;
2. Reaffirm support for independent data protection authorities that make determinations, in the context of a legal framework, transparently and without commercial advantage or political influence;
3. Reaffirm support for genuine Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information and for meaningful Privacy Impact Assessments that require compliance with privacy standards;
4. Urge countries that have not ratified Council of Europe Convention 108 together with the Protocol of 2001 to do so as expeditiously as possible;
5. Urge countries that have not yet established a comprehensive framework for privacy protection and an independent data protection authority to do so as expeditiously as possible;
6. Urge those countries that have established legal frameworks for privacy protection to ensure effective implementation and enforcement, and to cooperate at the international and regional level;
Data and Goliath Page 23