Terms of Service:

How You’re Unwittingly Contributing to the Surveillance-State and the End of Privacy

https://download.unsplash.com/photo-1416400453940-65c69d70ad91

Alain Philippon’s landing at Halifax Stanfield International Airport began simply, a routine trip to the immigration line at the Canadian border on his return from the Dominican Republic. But when he was asked to turn over his phone and its passcode by border agents, he refused. Philippon’s trip ended with him in handcuffs. In the United States, requiring Alain to give up his passcode would have violated his Fourth and Fifth Amendment rights. Reading years of his personal emails, location data, and sensitive financial information online however, well that would have been completely legal.

In 1978, in the wake of the Watergate scandal and the findings of a special Senate committee, Congress sought to reign in abusive domestic surveillance practices by establishing the Foreign Intelligence Surveillance Act, or FISA. FISA established secret courts where government agencies could request warrants for secretly wiretapping or otherwise spying on American citizens, especially within the country.

The courts were meant to implement the checks and balances of the judicial system without compromising either the secrecy of the request or the rights of every day Americans. But there don’t seem to be too many restraints imposed on intelligence agencies because in 33 years, only 11 out of more than 33,900 FISA surveillance requests have ever been denied. “That system in the Constitution has gone seriously off the wheels,” said Congresswoman Zoe Lofgren in an interview with The Guardian.

The intelligence community has argued in the past that its internal system of checks and balances prevents abuses of power. When conducting surveillance on a target, for example, the intelligence agencies are only allowed to widen their surveillance to what is called “three hops” from the target. This allows the agencies to keep an eye on the people who talk to the people you talk to. In 1978, when this was essentially limited to your acquaintances’ friends and family and their friends and family, the restriction might have been deemed sufficient. But with modern, internet-based social networks where the average user has close to 125 friends, the total population that can be spied on is often as large as the population of Colorado. If you are like me and have over 600 friends on Facebook, we would be talking about a target population closer to the entire population of Chile, or 18,500,000 people, or what the NSA director Keith Alexander would call ‘a dime in a basketball court.’That’s one big basketball court.

The reality seems to be that the digital age has made intra-agency checks and balances obsolete, and in a way that the intelligence community finds to be extremely beneficial. With the upswing in ownership of connected devices taking place in the 1990s, legislation has not had the time to catch up to the pervasive and personally sensitive use of these devices. And as the modern world has become almost singlehandedly reliant on these connected devices and services to communicate, agencies like the NSA have gained the ability to amass and analyze huge quantities of data.

The growth of personal information being collected comes partly from the the intelligence agencies’ use of “upstream” data collection, which taps into data from internet traffic flowing into and out of the U.S. The United States is connected to 63 countries worldwide via underwater fiber optic cables. The UK, which shares access to its cables with the United States through a program called “Tempora,,” is connected to 57. Combined, the US and UK tap into most of the world’s internet connections.

With access to an overwhelming mountain of data, the NSA needed a way sift through it without having to know where it came from or where it was going, which is why it created “Prism.” Unlike Tempora, Prism allows the NSA, in collaboration with privately owned companies, to directly tap into communication companies’ drives and search through their stored data. This way, rather than having to guess what service the target might use in real time, they can simply canvas all of the services after the fact.

The dictum, “What goes on the internet stays on the internet” has then taken on a new reality; not only are your public statements or files going to remain visible forever, but now your private communications too can be accessed long after they’ve become irrelevant or out of context. And if the content they’re searching for is 180 days or older, government agencies wont need a warrant. In other words, that angry breakup email from your high-school days could very well end up target in the dragnet of thousands of acquaintances linked to a “suspect”, i.e. just about any vocal journalist.

It is therefore surprising to see so little litigation against the major technology companies that chose to comply with secret FISA court requests and PRISM searches.

There is a precedent for pressuring companies to discuss how their policies are benefiting and harming consumers. In the case of the Ford Pinto, a car that turned out to be dangerous because it could be set on fire with a rear collision, a memo within the Ford Motor Co. cited an analysis of how much it would cost to replace fuel tanks placed directly behind the rear axle versus paying out damages from possible lawsuits. Although the plaintiffs lost the case, it reformed industry safety standards and the car was later forcibly recalled. To sue Google would then seem not only feasible but just, considering how little effort it has made to inform its users of the cost-benefit analysis it must have made between protecting a user’s privacy and publicly fighting against overreaching FISA requests.

There has been, after all, a strong demand for them to do so.

Norman Sadeh, professor in the School of Computer Science’s Institute for Software Research at Carnegie Mellon University, was able to create an application that notified the user how many times their person’s geo-location had been shared with other software over the course of the day.”[Users] really care about privacy, but were just unaware of how much information was being collected about them,” Sadeh said in an interview with Carnegie Mellon University. His study found that applications were requesting users location information anywhere from 360 to over 5,000 times every two weeks. Whenever in the study a user was nudged, reminded of the number of times his location had so far been requested, Sadeh found them far more likely to take steps to change their location-data-sharing settings. Shortly after Sadeh’s app received widespread press coverage, Google updated its Android OS, disabling the researchers application.

Even if a user were to turn off their GPS entirely, they still would find that companies can triangulate and store location data.

Researchers at Stanford University determined they could track a phone with GPS disabled using a technique they dubbed PowerSpy, which gathers a phones location data by analyzing its battery usage. The amount of information relayed back is limited, and deciphering it required researchers to know the users exact path and routine. The applications are nonetheless frightening, as Stanford researcher Yan Michalevski explained in an interview with WIRED, an app as simple as FlappyBird could track you without requesting permission “And does it all by just reading power consumption.”

Users have in some ways begun to take steps to protect their privacy, but the measures prove to be limited and passive in nature. Developer Sonny Tulyaganov, created a web browser extension called UglyEmail, which notifies GMail users if the email they’re about to open is being tracked by a third party. It does so by detecting what is called a pixel-tracking, where an email contains a 1x1 pixel image that reports back to the sender if the message has been opened. “[Pixel-tracking services] allowed users to track emails, see when, where and what device were used to view email” Tulyaganov explained in an interview with WIRED, and although practiced mostly by email marketers, anyone with malicious intent could easily extract the same information.

UglyEmail does little to protect users against sophisticated, server-side surveillance like PRISM, but it is a proof of concept with significant enough a popularity that Google will have a hard time ignoring it.

Some technology companies have begun to respond to customer complaints. Apple recently revised their device encryption settings to keep anyone but a device’s owner from being able to access the data stored on its drive. The company has also publicly condemned NSA’s and others agencies’ data surveillance programs, granting it much public acclaim and a high rating for data privacy commitment from the Electronic Frontier Foundation. Microsoft too has been on the headlines after it sued the Federal Government for the right to disclose just how many FISA court requests they’ve been receiving.

Brad Smith speaking at CEPS

Brad Smith, General Counsel and Executive Vice President at Microsoft, said recently at the Center for European Policy Studies, “In democratic societies the appropriate way to strike the balance between privacy, free expression, and public safety is through application of the rule of law rather than by asking private companies to make decisions about where to draw the lines.”

As for where Google draws the line, “Because the Gmail [Users] are bound to Google’s TOS and/or Privacy Policy, they have expressly consented to the scanning disclosed in these terms..” they recently argued in a California court case. Unsurprisingly, the district agreed. Maybe that’s why President Obama’s own email being hacked by Russian actors didn’t make any rounds in the national press, we’ve all consented to the privacy status quo.

“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”