joelkuiper.eu

A note on privacy

1984 or A Brave New World? A totalitarian surveillance state or a society drowned in apathy by entertainment? Why not both?

What is surprising about the revelations by Edward Snowden, the “voluntary” UK “porn” filter (it is not about pornography, obviously) and many other intrusions on privacy by both government and corporations is not the fact that they exist, but rather the lack of public involvement.

As a society we do not seem to care about the fact that every site we visit is logged and monitored, that our precise whereabouts are known to anyone with a modicum of interest, and that through our cell phones’ microphone we are carrying a permanent surveillance bug.

<gmaxwell> 1960: “I have a great idea! lets have every person in the country carry a radio tracking beacon!” “That’ll never fly!” 2012: “I can has TWO iphones??”

We have progressed beyond the wildest Cypherpunk predictions. Strong cryptography has become a commodity. But while the NSA arguably pushed for broken implementations, none of that really matters if you go to jail for refusing to decrypt your data by providing the key.

More pressingly: who encrypts their data anyway? We gladly send our email via an advertising company, share our deepest secrets on an identity-selling platform and communicate via channels such as SMS, Skype and WhatsApp, which provide little to no guarantees about data protection.

In a sense we became the worst of both Huxley and Orwell; we live in a surveillance state and do not care at all.

Moxie Marlinspike in his talk at Defcon 18 provides a key insight into why we do not seem to care: social democracy. Instead of the feared fascist government, things did not turn out that bad for us. Instead of the mandated tracking device or tattooed bar code, we now have the choice between iPhone and Android. The net result is obviously the same: a permanent tracking and eavesdropping device on everyone.

But we are okay with that: the illusion of choice (“I choose to send my email via GMail”) provides an excuse for, for example, selling the identity of rape victims to advertising companies (one of many standard practices of the billion-dollar data broker industry).

He then proceeds to outline that these choices are false choices. Not carrying a cell phone or refusing to send email with and to anyone on GMail would mean, in a sense, not participating in society. So the choice is not “do I want my identity sold and whereabouts tracked?” but rather “do I want to run a business and hang out with my friends?”

It is the problem where small choices gradually become big choices. It used to be okay to not have a LinkedIn account if you were hunting for jobs, but now it is almost mandatory for any serious job seeker (I recently destroyed mine). So instead of the choice “do I want to share my professional career with an advertising company who sells my email address to recruiters?” it became “do I want to have a reasonable chance at a job?”

Already we are beginning to see the outlines of what might be a very dystopian future.

Gradually the larger choices about privacy will have a very real impact on our society. In the end privacy is about freedom. And without freedom we would, ironically, not have a social democracy. For a recent overview see: Why ‘I Have Nothing to Hide’ Is the Wrong Way to Think About Surveillance and Why Privacy Matters Even if You Have ‘Nothing to Hide’.

For example, it has been said that everyone commits three felonies a day. Laws have become so complex and vague that anyone with malicious intent can have somebody locked away. And as an aside this is not even hard: if you want somebody gone just hire somebody to fabricate lies about sexual harassment, or do it yourself through false identities. It does not even have to be a real felony: a leaked NSA document revealed that the agency routinely gathers data on the porn habits of radicalizers with the sole purpose of discrediting them publicly. The definition of radicalizers is of course completely arbitrary.

The fact that the Internet never forgets in itself should be alarming. While the law used to protect individuals by preventing prosecution after a certain time, the Internet does not provide such guarantees. The law acknowledges, up to a certain point, that people change (either by learning or otherwise), and that prosecution long after the crime was committed does not make sense. The person standing trial would likely not be the same person as the one who committed the crime. But if you were to share on the Internet today that you have used drugs, then 20 years later you might be silently turned down for a job because of it.

Furthermore the lack of Internet privacy breaks down the distinction between thought, speech, intent and action. It is now very possible to be scrutinized based on thought or speech alone. The letter and the spirit of the law have become disconnected. It is indeed very Kafkaesque. The picture that Rick Falkvinge paints is similar:

It is not you who determine if you have something to fear: You may consider yourself law-abidingly white as snow, and it won’t matter a bit. What does matter is whether you set off the red flags in the mostly-automated surveillance, where bureaucrats look at your life in microscopic detail through a long paper tube to search for patterns. When you stop your car at the main prostitution street for two hours every Friday night, the Social Services Authority will draw certain conclusions from that data point, and won’t care about the fact that you help your elderly grandmother – who lives there – with her weekly groceries. When you frequently stop at a certain bar on your way driving home from work, the Department of Driving Licenses will draw certain conclusions as to your eligibility for future driving licenses – regardless of the fact that you think they serve the world’s best reindeer meatballs in that bar, and never had had a single beer there. People will stop thinking in terms of what is legal, and start acting in self-censorship to avoid being red-flagged, out of pure self-preservation. (It does not matter that somebody in the right might possibly and eventually be cleared – after having been investigated for six months, you will have lost both custody of your children, your job, and possibly your home.) — Rick Falkvinge (founder of the first Pirate Party)

There are things that can be done to protect privacy but they are all stop-gap solutions. The real progress has to come from either radically different technology, or a profound paradigm shift in society.

Concretely one can start by caring about security. Because there is no such thing as a balance between privacy and security, you either have them both or you have none.

  • Use different strong passphrases for each site (optionally store them in an Open Source keychain such as KeepassX)
  • Keep your software up-to-date (upgrading from Windows XP would be the first thing)
  • Use a browser not built by an advertising company
  • Install a decent virus scanner and firewall (no excuses for OS X and Linux users)
  • Encrypt sensitive data (all data is sensitive)
  • Use as much Open Source Software as reasonable (RMS was right)

Next become more aware of online identity. Online identity should not be accidental to your actions, but rather a carefully constructed persona.

Delete old accounts (justdelete.me can help) and create a mental image of who knows what about you. In a sense you must become less real to the world.

The Tor best practices guide offers more concrete examples.

If you have no personal history, no explanations are needed; nobody is angry or disillusioned with your acts. And above all no one pins you down with their thoughts. It is best to erase all personal history because that makes us free from the encumbering thoughts of other people. I have, little by little, created a fog around me and my life. And now nobody knows for sure who I am or what I do. Not even I. How can I know who I am, when I am all this? Little by little you must create a fog around yourself; you must erase everything around you until nothing can be taken for granted, until nothing is any longer for sure, or real. Your problem now is that you’re too real. Your endeavors are too real; your moods are too real. Don’t take things so for granted. You must begin to erase yourself. — Carlos Castaneda (Journey to Ixtlan)

But in the end there is little we can do on our own. Anonymity and privacy are very hard, but very real problems. Eventually it is about collectively trying to push back the PTB. For some it will all seem too “tinfoil hat”. If so then the only take-home message is that each time we go online we make choices about the direction our society takes, and being aware of those choices is already very important for democratically deciding which direction we want to take.