The PATRIOT Act, for example, compels US companies to turn data over to the US government when asked, no matter where it is stored. You might be a French citizen living in France, and Microsoft might store your e-mail solely on servers in Ireland. But because Microsoft is a US company, the US maintains that it is compelled to produce your data on demand. The UK wants similar access.
This means you have to decide: which countries do you trust with your data, and which companies do you trust with your data?
Corporations are not all equally bad. You can get your e-mail, calendar, and address book from either Google or Apple. They will both protect your data from bulk government collection, but will give your data to many of the world’s governments when legally compelled. Google is embarking on a major project to improve the security of its users against government surveillance. But Google is in the business of collecting your data and using it for advertising, whereas Apple’s business model protects its customers’ privacy.
Do you trust a company in the US that is unfettered in what it can do with your data and is also subject to NSA and FBI legal requests? Or do you trust a company in Europe that is tightly regulated by the government with regard to corporate surveillance, but is also subject to unfettered surveillance by both its own government and that of the US, and whose use means your data crosses international borders? If you don’t buy networking equipment from Cisco because you are concerned about NSA backdoors, whom will you buy it from? Huawei? Remember my feudal analogy from Chapter 4; which lord do you trust more?
It is hard to know where to start. In today’s cloud computing world, we often have no idea which companies actually host our data. An Internet company like Orbitz might host its infrastructure on a provider like Atlassian, which in turn hosts its infrastructure on a provider like Rackspace. Do you have any idea where your Orbitz data actually is?
We need to be able to know where our data is stored, and to specify which countries we want our data stored in, and which countries we want our data never to go near. In the meantime, we have to do the best we can. And recognize that in most cases we simply don’t know.
But when it comes to governments, unhappy as I am to say it, I would rather be eavesdropped on by the US government than by many other regimes.
AGITATE FOR POLITICAL CHANGE
In 2014, the European Court of Justice struck down the EU’s data retention rules, which required service providers to save e-mail and information about phone calls for two years. In response, the UK government rushed through a new law that reinstated the data retention requirement and also gave the police new surveillance powers over its citizens. It was an ugly political railroad job, but what’s interesting is how Prime Minister David Cameron justified the law on a radio program: “I am simply not prepared to be a prime minister who has to address the people after a terrorist incident and explain that I could have done more to prevent it.”
That’s fear talking, but it’s not fear of terrorists. It’s political fear of being blamed when there’s a terrorist attack. The career politician wants to do everything possible, regardless of the cost, regardless of whether it actually makes anyone safer, regardless of the side effects, to avoid blame for not having done enough. This fear explains most post-9/11 anti-terrorism policy, and much of the NSA’s mass-surveillance programs. Our politicians are scared that we’ll blame them because they didn’t do everything the intelligence agencies said they could have done to prevent further terrorism.
We have to convince them—and our fellow voters—that they should do the right thing anyway.
Most of the solutions offered in the preceding two chapters require the government to either enforce existing laws or change the law. By and large, neither of these things will happen unless we demand them. Politicians are reluctant to engage in these debates, and even more reluctant to enact meaningful constraints on government surveillance. Legislatures are naturally deferential to law enforcement demands, and the vast surveillance-industrial complex employs a powerful lobbying force to back them up. No one wants to be painted as being soft on crime or terrorism. And today, when US intelligence agencies are caught breaking the law, the only ones threatened with jail time are the whistleblowers.
On the corporate side, throngs of lobbyists are doing their best to ensure that there’s no meaningful reform of corporate surveillance. Free markets are held up as a justification to continue to do nothing. And the police and the national security apparatus are also pushing to ensure that all of our data remains available to them for their own use.
If we want our legislators to vote against the powerful interests of the military, law enforcement, and lobbyist-laden corporations (both the ones that supply the government and the ones that spy on us directly), we’re going to have to make ourselves even more powerful. And that means we have to engage in the political process. I have three specific recommendations here.
Notice Surveillance. This is the first step. Lots of surveillance is hidden, but not completely invisible. The cameras might be small, but you can still see most of them if you look. You can notice when someone scans your ID when you enter a bar. You can install a browser plug-in and see who’s tracking you online. You can pay attention to news stories about surveillance. There are online sites that identify surveillance cameras. The more you know, the more you’ll understand what’s going on.
Talk about Surveillance. This is the next step. The more we talk about it, the more people realize what’s going on. And the more they realize what’s going on, the more they’re going to care about it. And the more we talk about it publicly, the more our elected representatives will realize that we care about it.
I mean this very generally. Talk about surveillance with your family, friends, and colleagues. Don’t be one of those annoying people who never posts about anything else, but share interesting news stories on social media. Attend rallies and sign petitions. Write to your elected representatives. Give copies of this book to all your friends as gifts. Make your opinions known. This is important.
Talk about the laws in your country. What kinds of government surveillance are legal in your country? How are your country’s businesses complicit in this, and what sorts of surveillance are legal for them to conduct? What rights do people have to use privacy enhancing technologies? Find out.
One of the most surreal aspects of the NSA stories based on the Snowden documents is how they made even the most paranoid conspiracy theorists seem like paragons of reason and common sense. It’s easy to forget the details and fall back into complacency; only continued discussion of the details can prevent this.
Organize Politically. This is our most effective strategy. There are many good recent examples of people organizing against surveillance: South Korean teachers objecting to new student databases, German consumers opposing RFID-enabled shopping carts, Facebook users objecting to new terms of service, US airline travelers objecting to airport full-body scanners. The campaigns are not always successful and the outcomes are imperfect, but the significance of collective action can’t be overstated. We need to see these problems as common to us all, and the solutions as general.
This isn’t a book about political organizing, and there are far better people than me at advising how to agitate for political change. I do know that politics isn’t just something that happens at election times. It’s a continual process that involves engaging with legislators, protesting in public, and supporting relevant nonprofit groups. Look at the Electronic Frontier Foundation, the Electronic Privacy Information Center, the Center for Democracy and Technology, Privacy International, the Open Technology Institute, and others. They’re all fighting for more privacy and less surveillance. Help them.
There’s nothing we can do about much of the world, of course, but we can push for change where we can. And then we can slowly move outwards. It’s how worldwide change happens.
DON’T GIVE UP
Fatalism is the enemy of change. Fatalism as in: governments and
large corporations are both all-powerful, and the majority of politicians have no desire to restrain either of them, so there’s nothing we can do to change things. And fatalism as in: mass surveillance is so ubiquitous that there’s nothing we can do to resist it, and resistance only makes us more interesting to them anyway.
The assertions have some truth to them, but the conclusions are false. Good computer security and pervasive encryption make mass surveillance difficult. Choosing companies to do business with on the basis of their privacy policies makes companies more likely to have good privacy policies. Political organization is effective. Our infatuation with big data and our irrational fear of terrorism will both wane over time. Laws will eventually constrain both government and corporate power on the Internet.
The policy shifts I advise are major, and they’re going to take work. Every major policy shift in history looked futile in the beginning. That’s just the way of it. We need to fight for political change, and we need to keep fighting until we prevail. And until then, there are lots of little battles we can win along the way.
There is strength in numbers, and if the public outcry grows, governments and corporations will be forced to respond. We are trying to prevent an authoritarian government like the one portrayed in Orwell’s Nineteen Eighty-Four, and a corporate-ruled state like the ones portrayed in countless dystopian cyberpunk science fiction novels. We are nowhere near either of those endpoints, but the train is moving in both those directions, and we need to apply the brakes.
16
Social Norms and the Big Data Trade-off
In the preceding three chapters, I outlined a lot of changes that need to happen: changes in government, corporate, and individual behavior. Some of them are technical, but most of them require new laws or at least new policies. At this point many of them are unrealistic, at least in the US. I’m not yet living in a country where the majority of people want these changes, let alone a country where the will of the people easily translates into legislative action.
Most people don’t seem to care whether their intimate details are collected and used by corporations; they think that surveillance by the governments they trust is a necessary prerequisite to keeping them safe. Most people are still overly scared of terrorism. They don’t understand the extent of the surveillance capabilities available to both governments and private parties. They underestimate the amount of surveillance that’s going on and don’t realize that mass government surveillance doesn’t do much to keep us safe. Most people are happy to exchange sensitive personal information for free e-mail, web search, or a platform on which to chat with their friends.
Europe is somewhat different—it regulates corporate surveillance more heavily and government surveillance much less so—but for most purposes the public sentiments are the same.
Before we get meaningful political change, some of our social norms are going to have to change. We need to get to the point where people comprehend the vast extent of surveillance and the enormous concentration of power that flows from it. Once they do, most people will probably say, “That’s just not okay.” We need to summon the political will to fight both the law enforcement and national intelligence communities on the government side, and the government contractors and surveillance industry on the corporate side. And before any of that can happen, there must be some major changes in the way society views and values privacy, security, liberty, trust, and a handful of other abstract concepts that are defining this debate.
This is hard. Public sentiment tends to move towards actual practice. We’re good at accepting the status quo—whatever that is and however recently it has emerged. (Honestly, it blows me away that most of this surveillance has emerged in less than two decades.) We’re growing accustomed to the panopticon. You can see it writ large, when people shrug and say, “What are you going to do?” You can see it in a microcosm every time Facebook degrades its users’ privacy options; people complain in the beginning, but soon get used to it.
What follows in this chapter are all changes in attitude. They’re ways in which we are going to have to modify our feelings and thoughts if we are ever going to get beyond the surveillance society.
RECALIBRATE OUR FEAR
The PATRIOT Act was signed into law on October 26, 2001, just 45 days after the terrorist attacks against the World Trade Center and the Pentagon. It was a wish list of police and intelligence powers and authorities, passed overwhelmingly in both houses with minimal debate. No one in Congress read it before voting. And almost everyone in the country wanted the law to pass, despite not understanding its provisions.
In 2014, I attended a talk in which Tim Duffy, the chairman and chief executive of the advertising agency M&C Saatchi, tried to improve the messaging of privacy. He suggested “Where do you draw the line?” as a possible framing. But if listeners are scared of terrorists, they will draw the line in such a way as to allow a whole lot of surveillance. Harvard Law School professor Jack Goldsmith pointed out that when we’re scared, more congressional oversight yields more NSA authority.
Fear trumps privacy. Fear of terrorism trumps fear of tyranny. If strong enough, it trumps all the concerns in this book piled together. In the people, it’s fear of the next terrorist attack. In politicians, it’s that and also fear of being blamed for the next terrorist attack. But it’s fear, nonetheless. Recall Prime Minister Cameron in the preceding chapter. This is what I hear again and again from government officials when I ask about the obvious ineffectiveness of mass surveillance against the terrorist threat. Yes, they admit, it hasn’t resulted in any successes; but it’s an insurance policy. They know that their targeted surveillance efforts will fail at some point, and they hope that mass surveillance will be there for backup. True, the odds are low that it will work like that, but they believe they have to do everything possible—both for the security of the country and for the security of their jobs.
Regardless of the magnitude of the threat, mass surveillance is not an effective countermeasure; conventional police and intelligence work is. We need to resist the urge to do something, regardless of whether or not the proposed action is effective.
Keeping the fear stoked is big business. Those in the intelligence community know it’s the basis of their influence and power. And government contractors know it’s where the money for their contracts comes from. Writer and Internet activist Clay Shirky has noted that “institutions will try to preserve the problem to which they are the solution.” Fear is that problem.
It’s a fear that’s stoked by the day’s news. As soon as there’s a horrific crime or a terrorist attack that supposedly could have been prevented if only the FBI or DHS had had access to some data stored by Facebook or encrypted in an iPhone, people will demand to know why the FBI or DHS didn’t have access to that data—why they were prevented from “connecting the dots.” And then the laws will change to give them even more authority. Jack Goldsmith again: “The government will increase its powers to meet the national security threat fully (because the People demand it).”
We need a better way to handle our emotional responses to terrorism than by giving our government carte blanche to violate our freedoms, in some desperate attempt to feel safe again. If we don’t find one, then, as they say, the terrorists will truly have won. One goal of government is to provide security for its people, but in democracies, we need to take risks. A society that refuses risk—in crime, terrorism, or elsewhere—is by definition a police state. And a police state brings with it its own dangers.
It’s not just politicians who are to blame for this. The media are culpable, too. By fixating on rare and spectacular events, they condition us to behave as if terrorism were much more common than it is and to fear it far out of proportion to its actual incidence. And we are also at fault, if we buy the propaganda the media are selling.
We also need to counter the notion that modern technology makes everything different. In the days and weeks after the 9/11 terrorist attacks, as we debated new laws
and new police powers, we heard this sentence: “The Constitution is not a suicide pact.” It expresses a sentiment based in fear, and its meaning is worth unpacking. What it says is something like this: “The people who wrote our laws couldn’t possibly have anticipated the situation we now face. Therefore, the limits they put on police power and the prohibitions they enacted against surveillance should not apply to us. Our situation is unique, and we must ignore all of that.” The primary reason for succumbing to these notions was that we believed that the damage terrorists could cause was so great that we could not conceivably rely on conventional law enforcement means and after-the-fact prosecutions.
It’s just not true. It’s a common psychological fallacy to believe that we live in unique times, that our challenges are totally unlike anything that came before and necessitate ignoring any of the societal controls we previously put in place to check the powers of governmental authorities. President Lincoln succumbed to the fallacy when he suspended habeas corpus during the Civil War. President Wilson did so when he arrested and deported Socialists and labor leaders just after World War I. President Roosevelt did so when he interned Americans of Japanese, German, and Italian descent during World War II. We did it during the Cold War’s McCarthy era. And we are doing it again after 9/11.
Fear isn’t the only way we can react to these threats, and there are many instances in history where society did not give up its rights in an effort to remain safe. In the wake of the horrific 2011 massacre in Norway by Anders Breivik, that country has largely preserved its core values of liberty and openness. And, of course, there’s FDR’s famous line “The only thing we have to fear is fear itself.” Indomitability is the correct response to terrorism.
There’s hope for the US. We don’t always respond to terrorism with fear. Looking back through recent history, the presidents who stood up to terrorism—Truman, Eisenhower, Nixon, Reagan some of the time, Bush the elder—achieved better operational and political results than those who used terrorism as an opportunity for political grandstanding: Carter, Reagan the rest of the time, Bush the younger. We need to recognize the strength of politicians who protect our freedoms in the face of risk, and the weakness of those who cannot solve problems and choose to sacrifice our freedoms instead. More than a decade after 9/11, it’s well past time to move beyond fear and return to our core American values of freedom, liberty, and justice. And there are indications that we are doing so. In 2013, we started seeing a significant shift in Americans’ perceptions regarding the trade-off between civil liberties and national security.
Data and Goliath Page 25