You Were Promised Neither Privacy Nor Security

Unwadding our panties about surveillance


If you remember hearing the song Istanbul (Not Constantinople) on the radio — when sung by The Four Lads — then you probably remember all the predictions about what life in the 21st century was supposed to be like: flying cars, jet packs, robot butlers, food that came in pill form and taking vacations on Mars. The year 2000 was going to be awesome!

It is 2014 and Siri is the closest thing we have to a digital manservant. While we can go to Mars, right now it would be a one-way trip. These disappointments in what was supposed to be ‘the future’ were addressed recently online when someone (for the life of me I can’t find the link) made the observation that if you are the children of the people who were promised jet packs and flying cars you should not be disappointed because you were not promised these things: you were promised life as depicted in Snow Crash or True Names.

Finally! Generation X gets one over on those selfish baby boomers.

If you listen to some people, the future as depicted by Messrs Stephenson and Vinge is here, and the proof is in the amateur interpretations of leaked NSA documents. We need no less than a “Magna Carta” to protect us against the evils being perpetrated by the National Security Agency, which would be a great idea if the ‘Net were actually being used by the government to oppress people and punish them arbitrarily without due process.

Just a reminder: the Internet is not a person, nor is it run by DIRNSA. The only people being punished for what they do or say online are actual, real-life law-breakers (that we need better or more nuanced laws on this topic is a related but separate issue). There is no ‘chilling effect’ of government actions online because if there was, all the people complaining about the ‘chilling effect’ would have been disappeared by now. As it stands you can’t get them to shut up.


In the early 90s my first exposure to life online was stereotypical. I knew what it took to protect computer networks because that was my day job for the government; accessing the nascent ‘Net or BBSes at home was basically the wild west. There was no Sheriff or fire department in case things got dangerous. Everyone knew this, no one was complaining, and no one expected anything more.

What would become the commercial Internet went from warez and naughty ASCII images to tools for house hunting, banking, news, and keeping up with your family and friends. Now it made sense to have some kind of security and/or privacy mechanisms in place because, just like in meat-space, there are some things you want people to know and other things you do not. But online there was no legal or policing authority that did that for you; you entrusted that job to the people who were offering up the service you were using.

In hindsight, probably not the best idea.

Did those companies really have an incentive to secure your information or maintain your privacy? Not in any meaningful way. For one, security is expensive and people want functionality not security. It actually makes more business sense to do the minimum necessary for security because if there is a breach, you can make up any losses on the backs of your customers (discreetly raising prices to pay for those fines and incident response costs).

Secondly, your data can’t be too private because there is value in knowing who you are, what you like, what you do, and who you talk to. The money you paid for your software license — if you paid anything at all — is just one revenue stream; a company can make even more money mining and/or selling your information and online habits. Such practices manifest themselves in things like spam email and targeted ads on web sites. The people who were promised jet packs know it by another name: junk mail.

Let’s be clear: the only people who have really cared about computer security are the military and intelligence agencies; everyone else is in this to make a buck. Commercial concerns operating online care about your privacy only until it impacts their money. You wouldn’t pay for half the services and apps you use today if you had to pay market price. The apps are free because you and your data are the product.

Some have argued that introducing weaknesses into computer programs really just puts innocent people at risk. I would like to agree except that for all practical purposes most computer code is so shoddy one need not intentionally introduce a weakness: there are already plenty built in natively. There is in fact no evidence that the security mechanisms available in products today are an adequate defense against malicious attack, even in security products themselves. Have none of the people raising these concerns heard of Pwn2Own? Or that there is a global market for 0-day and the US government is only one of many, many customers?


People who are complaining about the actions of intelligence agencies talk like the internet is this free natural resource that belongs to all and come hold my hand and sing the Coca Cola song… I’m sure the Verizons of the world would be surprised to hear that. Free WiFi at the coffee shop? It’s only free to you because the store is paying for it (or not, because you didn’t notice the $.05 across the board price increase on coffee and muffins when the router was installed). The ‘Net is another medium upon which people communicate. Where people communicate so goes intelligence collection, that’s Intelligence 101.

Let’s go back to an age before the Internet. In those dark days the NSA did things like listen to radio transmissions. Their antenna farms — in far-flung locations around the globe — could pick up just about every radio transmission there was, but they only listened to a relatively select few because the vast majority of communications in any medium has no intelligence value whatsoever. This is a basic principle about signals intelligence that every amateur railing about a few out-of-context PowerPoint slides misses: having access to a lot of data and actually looking at it are two different things.

Unlike a certain wayward sys admin, I’m a trained intelligence officer (in two intelligence disciplines). I spent most of my career as an analyst sorting through the proverbial haystack for that precious needle. I had access to far more data than I could ever read or listen to. At no point in my career did I ever wish for an exponentially larger cache of hay to be piled on top of the stack I already had. Only someone who has zero knowledge about how signals intelligence works would think that bulk collection of data — meta or otherwise — meant wholesale and widespread eavesdropping on individuals.

Intelligence analysts have very specific jobs — lanes in the road — down which they travel. They use this thing the kids today call “search” to help narrow down what to pay attention to. Before intelligence agencies bought Google appliances search was a very cumbersome and tedious process but you learned to do it well if you wanted to deal with a manageable data set. This is a core principle that has only grown in importance in the information age.

Ascribing nefarious intent to government action — in particular thinking the real NSA operates as the fictional one does in Enemy of the State — displays a staggering level of ignorance about how government — in particular intelligence agencies — actually works. Talk about movie-plot-thinking. The public health analog is useful in some regards, but it breaks down when you start talking about how government actions online are akin to putting civilians at risk in the real world. As stated previously, software companies do that just fine on their own thankyouverymuch.

Our government’s number one responsibility is to keep its citizens safe. That it has the capability to intrude on the lives of massive numbers of people does not mean it is doing so. It collects what it collects — in a wide range of communications mediums — because technology has not reached the point to where we can spot just needles on the fly: we have to collect hay as well and then search and sort through it all later. Contrast this with outfits that don’t care a whit about your rights or safety and view you simply as a cash cow.

Claiming the ‘Net as a human right doesn’t make it so. Just like claiming to be a whistle blower doesn’t make you one, or claiming something is unconstitutional when the nine people specifically put in place to determine such things haven’t ruled on the issue. You can still live your life and exercise your rights as a citizen and human being without using TCP/IP or HTTP, you just don’t want to. When it comes to the Internet you were promised neither privacy nor security and you demonstrate on a daily basis — mindlessly downloading apps, linking online accounts, reusing weak passwords, not using encryption, sharing your location and pictures of your meals — that you do not truly care about either.