Worried about being watched? Me too. So who’s doing it, and why, and what can they see, and what can you do about it?
[This is part of the Federation Conversation series. Even though there’s nothing here about federated identity, I think this background should be helpful in dealing with the (very sensible) paranoia about who’s watching you.]
The parties out there who are watching you fall into three groups: Spooks, people who want to hurt you, and people who want to monetize you.
Spooks · I’m talking about your own government’s employees. This is the era of Snowden and Manning and whichever ethically-exigent millennial comes along next; so we know, more or less, what it is they know.
They want to know everything, of course. In particular they want every heartbeat and breath from the guys they think are out to wreak havoc, but they also want as much as they can get about everyone else so when they catch a Known Havoc-Wreaker on the wire to someone saying “Helmut and Fuad and the homies in Calgary are about ready to launch”, they can retroactively pull the records for all the Helmuts and Fuads in Calgary and see if they or anyone near them have been on the phone to suspicious places recently, and if any of them have, then they want his heartbeat too.
And they can pretty well get it. A lot of us in the biz sort of knew this pre-Snowden (see, I did in 2005) but here are some of the things they do:
Put boxes at the big Internet interchanges and run pipes from the routers, capturing as much of the backbone traffic as they want.
Use FISA to make your ISP give them all your traffic.
Use FISA to make your email provider give them all your email.
Use FISA to make the sites you visit disclose what you do there.
Use FISA to make your IDP disclose where you’ve been signing in.
Coincidentally, as I was writing this, the Wall Street Journal published a helpful article with lots of the technical details: New Details Show Broader NSA Surveillance Reach.
Can you stop them? Mostly, but it’s hard.
Well, unless you’re a big Internet company (in particular Google, Facebook, and Twitter), who pay bucketloads of money to smart expensive lawyers to push back as appropriate, ensure that the civil servants are following their own rules, and fight for transparency.
So yeah, the big Internet companies are highly visible targets for over-attentive spooks, but on the other hand we’re a little more hardened. I bet a high proportion of the apps and sites out there just wouldn’t imagine spending the dough and taking the risk to push back; so probably you’re at higher risk from inappropriate legal fishing trips when your data’s not at a big player.
In this context, I recommend Bruce Schneier’s The NSA is Commandeering the Internet; I agree with every word in it.
People who want to hurt you · Crooks, mostly. The list is dreary: They want accounts to send spam from, to launch phishing attacks from, to use in irritating scams and real serious crimes. By the way, these guys operate in plain sight, to a surprising degree. Want to buy a stolen account? Drop by BuyAccs.com (note that stolen Google and Facebook accounts are immensely more expensive than the competition’s); or just search for “PVA accounts”.
Then, there are employees of other governments who want to burn you down. Most people can ignore this, but people who work for Google can’t; nor can people working on Iran’s nuclear program, nor Al-Qaeda staffers.
Fortunately, neither class of bad guy can use FISA to capture all your traffic. Stopping them is work, most of which should be done by your employer’s security pros, but it’s tractable. They win a few rounds now and then, but the competent good guys can mostly stay ahead.
People who want to monetize you · I work for one of those. We and Facebook seem to be best at generating ad revenue, but I guarantee this game isn’t over.
The idea comes in two parts. First, the more data-gatherers know about you, the better the chance they’ll be able to show you a useful ad. Second, they might be able to improve the service based on knowing you better; to the extent you’ll keep dropping by and see more ads.
Simple enough, and ethically neutral in my view. Lots of people dislike advertising viscerally, but it seems to work anyhow. This feels like a straightforward business transaction: Let us learn about you and we’ll try to turn that into ad money. In exchange, you get free services; well, after you pay the ISP and electricity bills.
The thing that very quickly becomes not-OK is if the data that’s being gathered shows up in a place that’s embarrassing or damaging or surprising. Privacy policies matter but I’m not going to claim there haven’t been problems here. At the end of the day, while I respect what places like the EU are trying to do with aggressive privacy legislation, I still have hope that it comes down to a matter of trust; and that a consumer business that loses trust just won’t do well in the big picture/long term.
How much can monetizers track you? Really a whole lot, with cookies and other Web wizardry. Can you stop them? Yep, and a whole lot easier than you can dodge the NSA. Cookie blocking goes a long way, and check the rest of your browser settings. But by default, there are multiple parties who each know a lot of the places you visit, how long you spend there, and so on.
And of course Facebook and Google and so on can sell ads based on the payloads; what’s in your email and in your timeline. I’m not sure whether that counts as “tracking” exactly, but it’s real.
Is all this a problem? · What bothers me most, as I’ve written before,is what my own government might be up to. And while I can and will deploy technology to get in their way, at the end of the day it’s about politics not technology, and if you don’t engage at some point you lose the right to complain.
Then there are the actual bad guys. But that one has the virtue of being uncomplicated: Nuke the site from orbit, it’s the only way to be sure. We don’t need to be that sure; but I bet a huge majority of the Internet population would love to see those guys doing perp walks and getting jail time.
As for the monetizers, well, meh. I know there are many out there who loathe being tracked for profit, and I’d never say it’s wrong to have that feeling. I don’t particularly share it; But I’m totally among those who would cheerfully pay a few bucks here and there to be a customer to my providers, rather than their product. I seem to be in an tiny minority, but I’d love to hear I’m wrong on that.
Comment feed for ongoing:
From: Charles (Aug 21 2013, at 13:54)
I'm also willing to spend money to be a customer of a company rather than the product.
With regards to free services, I would feel better about them except for one thing: we are not fully informed of what it is we are exchanging for the service. I use a free service, and in return the company does exactly what with my information? I'd prefer if they spelled it out, even in excruciating detail.
Terms of Service and Privacy Policies are opaque and do not meet my needs. It doesn't help that service providers universally have wording along the lines of, "We can change the deal any time we want. (We might even let you know if *we* think it is relevant.)"
Because of these issues, my trust is extremely limited. I prefer to reduce my exposure to free services as much as possible.
Anyway, beyond that, I'm enjoying this series. I realize it is part of your job, but thank you for taking the time to write about these issues.
[link]
From: David Magda (Aug 21 2013, at 15:03)
Charles,
Just because you pay money to be the company's customer, doesn't mean you're not also a product too. They're not mutually exclusive. :)
[link]
From: John Gill (Aug 21 2013, at 17:56)
The scary bit for me with the spooks is that you cannot guarantee the government will always be benign.
Indeed, the UK has just demonstrated, without apparently any sense of irony, that they will abuse laws created to fight terrorism: holding Glen Greenwald's partner for 9 hours in Heathrow airport proves that.
So even the current US and UK governments are quite capable of abuses of their legislation. Now imagine a system like PRISM in the hands of a totalitarian regime.
For the same reason, the big monetizers are pretty scary. They simply have too much data about everyone. Google and Facebook are a spooks wet dream. While I believe Sergey and Larry really are not evil, how long before a faceless MBA takes over?
[link]
From: Dave (Aug 21 2013, at 22:08)
"Well, unless you’re a big Internet company (in particular Google, Facebook, and Twitter), who pay bucketloads of money to smart expensive lawyers to push back as appropriate, ensure that the civil servants are following their own rules, and fight for transparency"
Other than actual errors in the warrants, like incorrect addresses, spelling errors, Google et al really can't do anything about FISA warrants.
There is no "Oh, you can't have all that data, that's unconstitutional."
[link]