The Social and Technical Tribulations of Data Privacy in a Mobile Society

This essay first appeared in the Internet Monitor project’s second annual report, Internet Monitor 2014: Reflections on the Digital World. The report, published by the Berkman Center for Internet & Society, is a collection of roughly three dozen short contributions that highlight and discuss some of the most compelling events and trends in the digitally networked environment over the past year.

Written with Nathan Freitas (@n8fr8) of The Guardian Project

As the world begins to fully embrace digital communication, there are inherent benefits and challenges in its adoption. More than ever, the Internet and Internet-enabled devices allow us to nimbly organize, mobilize, and strategize. Increasingly, we’re taking that connection with us in the form of mobile devices. Indeed, mobile adoption is quickly becoming ubiquitous globally. But with the omnipresence that allows fluid communication come new opportunities for surveillance and tracking. Our mobile phones are essentially homing beacons, emitting GPS coordinates almost constantly to a variety of companies and organizations both known and unknown to the consumer. Through text messaging and social media we are able to stay in touch with loved ones thousands of miles away, organize action, or disseminate revelatory information at the speed of light. But these digital traces also allow oppressive governments to track a dissident’s every move [1], a jealous spouse to surreptitiously monitor their partner’s phone messages [2], or a marketer to unknowingly reveal guarded secrets about a consumer [3]. As we continue developing mobile technology, the key question is: how might we mitigate its basic security flaws and cogently minimize the leakage of data to unknown individuals and groups?

A challenge in standardizing mobile security is the lack of consumer knowledge. The interfaces for popular products naturally highlight the benefits of data gathering, while downplaying the privacy sacrificed. While Google Maps’ traffic overlays of red, yellow, and green roads have all but replaced the radio station traffic report for some, it is easy to overlook the vast number of users who are unconsciously submitting their exact location and speed to Google in order to build that accurate picture.

To combat this lack of information, privacy proponents have begun to compile user guides for secure technology use. Notably, the Electronic Frontier Foundation just completed the Secure Messaging Scorecard, a first-of-its-kind survey of a comprehensive list of messaging services, from Facebook Messenger to WeChat [4]. The list may not be surprising in its findings, but for many consumers it will at least turn many of the “unknown unknowns” of security into “known unknowns.”

At its core, the Scorecard asks: What makes an app secure? It identifies several touchpoints, from the very basic, such as transit encryption, to the more involved, like allowing for code audits. For the technically indoctrinated, the list is a fascinating first look into the nuances of various communication clients, and for global NGOs, activists, and journalists the list will become especially indispensable.

But the ubiquity of some of the most insecure apps (i.e., Facebook Messenger, Skype, and Google Hangouts) on the list demonstrates how low consumer demand for security — limited to the few aforementioned circles — truly is. Upon further investigation, it becomes easier to understand why the Facebook-and-email mobile user might seem lackadaisical. In the methodology section, there are many references to “endpoints,” “user keys,” and other cryptographic jargon which can feel opaque and confusing to the casual user.

For example, one question on the Scorecard, “Can you verify contacts’ identities,” seems utterly inapplicable to the “average” consumer, who knows every person in their phone’s address book. But this question actually refers to a hacker’s ability to essentially trick an app into thinking it is communicating with a trusted source, and then steal or re-route any information the user enters. China was recently caught doing this to Chinese citizens’ iCloud accounts [5].

It is in this dense and complicated verbiage that privacy activists and the public find the chasm separating them. Much the same as the term Net Neutrality was labelled more boring than Sting,[6] many of the terms that come second nature to privacy groups are either misconstrued or off-putting to the public at large.

However, mobile messaging service WhatsApp might be a signal of a changing tide. Recently, the company announced their partnership with Open Whisper Systems to introduce end-to-end encryption.[7] End-to-end encryption is the envelope to a non-secure message’s postcard. While it may not solve the problem of back doors or security holes, it at least ensures a message’s journey will be uninterrupted by prying eyes.

Admittedly, the move by WhatsApp translates to little more than Google introducing HTTPS into Gmail. In 2010, Google announced that it was moving from an opt-in model, rolled out in 2008, to full adoption of the secure protocol that would protect email data from computer to server [8]. It hasn’t protected Gmail users from NSA or even Google surveillance, but it was also a relatively simple implementation that caused little customer pain. Like Google’s move, WhatsApp’s decision to encrypt traffic has had little effect on the customer’s daily use of the product, and the press surrounding the move may be enough to spark conversations among a mainstream audience and bring attention to needed cultural shifts. In this way, even a rudimentary technical upgrade can have much larger societal impact.

We as a society are still charting dark waters in the field of digital security. The complacent adoption of surveillance devices is surely not what casual users think about when purchasing the latest mobile device, but it is imperative that privacy activists find shared ground and open an accessible conversation around mobile security. The major challenge is that users, at best, don’t understand the need for complex security systems and, at worst, demonize these measures as the realm of criminals and terrorists. The greatest progress to be made in the near future is less about the development of new technologies, and more about social buy-in to these paradigms.