Everybody wants your private data. Bruce Schneier on how surveillance has become the business model of the internet.
Every morning when you put your cell phone in your pocket you’re making an implicit bargain with the carrier: ‘I want to make and receive mobile calls; in exchange, I allow this company to know where I am at all times.’
The bargain isn’t specified in any contract, but it’s inherent in how the system works.
This is a very intimate form of surveillance. Your cell phone tracks where you live and where you work. Since it knows about all the other phones in the area, it tracks whom you spend your days with, whom you meet for lunch, and whom you sleep with. The accumulated data can probably paint a better picture of how you spend your time than you can. In 2012, researchers were able to use this data to predict where people would be 24 hours later to within 20 metres.
Your location information is valuable. There is a whole industry dedicated to tracking you in real time. Companies use your phone to track you in stores, to learn how you shop, track you on the road to determine how close you might be to a particular store, and deliver retail advertising to your phone based on where you are right now. Your location data is so valuable that cell-phone companies are now selling it to data brokers, who resell it to anyone willing to pay for it. Companies like Sense Networks specialize in using this data to build personal profiles of each of us.
US company Verint sells phone-tracking systems to corporations and governments worldwide. Its website says that Verint is ‘a global leader in Actionable Intelligence solutions for customer engagement optimization, security intelligence and fraud, risk and compliance with clients in more than 10,000 organizations in over 180 countries’.
‘Free’ is a special price, and people don’t act rationally around it
Cobham sells a system that allows someone to send a ‘blind’ call to a phone – one that doesn’t ring and isn’t detectable. The blind call forces the phone to transmit on a certain frequency, allowing the sender to track the phone to within one metre. The British company boasts government customers in Algeria, Brunei, Ghana, Pakistan, Saudi Arabia, Singapore and the US.
Defentek, a company registered in Panama, sells a system that can ‘locate and track any phone number in the world… undetected and unknown to the network, carrier or target’.
A feudal relationship
It’s not just cell-phone location data. Most of us don’t realize the degree to which computers are integrated into everything we do, or that computer storage has become cheap enough to make it feasible to save indefinitely all the data we churn out.
All this data is used for surveillance. It happens automatically and it’s largely hidden from view. This is ubiquitous mass surveillance.
Surveillance data is largely collected by corporations we interact with as customers or users. In 2012, the New York Times published a story about how corporations analyse our data for advertising advantage. The story included an anecdote about a Minneapolis man who had complained to a Target store that sent baby-related coupons to his teenage daughter… only to find out later that Target was right.
If you want to know who’s tracking you, install one of the browser plugins [such as Lightbeam or DoNotTrackMe] that let you monitor cookies. I guarantee you will be startled. One reporter discovered 105 different companies tracked his internet use during one 36-hour period.*
Surveillance is the business model of the internet for two primary reasons: people like ‘free’ and people like ‘convenient’. ‘Free’ is a special price, and people don’t act rationally around it. Free warps our sense of cost versus benefit, and people end up trading their personal data for less than it is worth. If something is free, you’re not the customer: you’re the product.
Our relationship with many of the internet companies we rely on is not a traditional company-customer relationship. That’s primarily because we’re the products those companies sell to their real customers. The companies are analogous to feudal lords, and we are their vassals, producing data that they then sell for profit.
Governments want to spy on everyone to find terrorists and criminals, and – depending on the government – political or environmental activists, consumer advocates, freethinkers.
Corporate and government surveillance are intertwined: the two support each other in a public-private surveillance partnership that spans the world. This isn’t a formal agreement; it’s more an alliance of interests.
Although Edward Snowden’s revelations about US National Security Agency (NSA) surveillance have caused rifts in the partnership, it’s still strong. The NSA legally compels internet companies like Microsoft, Google, Apple and Yahoo to provide data on several thousand individuals of interest. Sometimes they’re forced by the courts to hand over data, largely in secret. At other times, the NSA has hacked into those corporations’ infrastructure without their permission.
Britain’s communications headquarters GCHQ pays companies like BT and Vodafone to give it access to bulk telecommunications all over the world. Vodafone gives Albania, Egypt, Hungary, Ireland and Qatar – possibly 29 countries in total – direct access to internet traffic flowing inside their countries.
Italian cyber-weapons manufacturer Hacking Team sells hacking systems to governments worldwide for use against computer and smartphone operating systems. Customers include the governments of Azerbaijan, Colombia, Egypt, Saudi Arabia, Turkey and Morocco.
Most of the big US defence contractors, such as Raytheon, Northrop Grumman and Harris Corporation, build cyber weapons for the US military. Syria used German company Siemens. The Qadafi regime in Libya used China’s ZTE and South Africa’s VASTech.
We don’t know whether governments attempt surreptitiously to insert ‘backdoors’ into products of companies over which they have no direct political or legal control, but many computer security experts believe it is happening.
At a 2013 technology conference, Google CEO Eric Schmidt tried to reassure the audience by saying that he was ‘pretty sure that information within Google is now safe from any government’s prying eyes’.
A more accurate statement might have been: ‘Your data is safe from governments, except for the ways we don’t know about and the ways we cannot tell you about.’ The other thing Schmidt didn’t say is: ‘And of course, we still have complete access to it all, and can sell it to whomever we want... and you will have no recourse.’
Why it matters
Defenders of surveillance – from the Stasi to Augusto Pinochet to Google’s Eric Schmidt – have always relied on the old saying: ‘If you have nothing to hide, then you have nothing to fear.’
This is a dangerously narrow conception of the value of privacy. Privacy is an essential human need and central to our ability to control how we relate to the world. Being stripped of privacy is fundamentally dehumanizing, and it makes no difference whether the surveillance is conducted by undercover police or by a computer algorithm.
Government mass surveillance is often portrayed as a security benefit, something that protects us from terrorism. But there is no actual proof of any real successes against terrorism as a result of mass surveillance, and significant evidence of harm. Enabling ubiquitous mass surveillance requires maintaining an insecure internet, which makes us all less safe from rival governments, criminals and hackers.
We need to protect ourselves from government and corporate surveillance and to be proactive about how we deal with new technologies.
The remedies are as complicated as the issue. They require a shift in how we perceive surveillance and value privacy, because we’re not going to get any serious legal reforms until society starts demanding them.
For now, fear trumps privacy. And fear of terrorism trumps fear of tyranny.
This is excerpted from Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World (Norton, 2015). Bruce Schneier is a security technologist and a Fellow at the Kennedy School of Government at Harvard University. You can find him online at schneier.com
*Most of the companies tracking you may have names you have never heard of: Rubicon Project, AdSomar, Quantcast, Plus 260, Undertone, Traffic Marketplace.