Watching the Watchmen
A crash course in privacy, in case you've been (not unreasonably) living under a rock
Perhaps counterintuitively, privacy is an inherently social concept. What are people willing to expose, to whom, and at what scale? Activist efforts and government responses will doubtless have some impact on government and commercial uses of data, but there's a bigger question of what futurist Jamais Cascio referred to as "the participatory panopticon." A panopticon is a space arranged so that everything is visible from a single point. In 2005, Cascio wrote: "Soon – probably within the next decade, certainly within the next two – we'll be living in a world where what we see, what we hear, what we experience will be recorded wherever we go. There will be few statements or scenes that will go unnoticed, or unremembered. Our day to day lives will be archived and saved. What's more, these archives will be available over the net for recollection, analysis, even sharing." He noted that this panopticon is "not imposed on us by a malevolent bureaucracy or faceless corporations," but something we built ourselves. Cascio's comments were prophetic.
The actions of Edward Snowden, Chelsea Manning, and WikiLeaks are examples of challenges to surveillance authority, but within the participatory panopticon, there's also the concept of "sousveillance," which is the opposite of surveillance; it's what you have when the "veillance" is in the hands of ordinary people doing the watching, including watching those who watch them. So we're not just being watched – we're also the watchers, and we're documenting what we see via social media, stored as data.
For all the talk about online privacy, the social tendency is to communicate and share. John Perry Barlow, at the Conference on Computers, Freedom, and Privacy in 1993, talked about his hometown of Pinedale, Wyo., where there wasn't much privacy, where everybody knew everybody's business. My own hometown was the same way, and your hometown or neighborhood was probably that way, too. Information sharing via gossip over the (real or virtual) fence is a feature of any community. People talk about one another all the time, and watch one another's doings, and whatever we might want to hide or just hold close is liable to be exposed, discovered by others through observation, be it snooping or spying or news gathering. Journalism and surveillance are both about exposing facts about people; the difference is what is shared by whom, with whom, and with what intent. The NSA shares its information on a need-to-know basis; journalists figure everybody has a need to know.
Cascio suggested that users, not authorities, were creating the new participatory panopticon, and given our traditions of distributing and reporting knowledge and information, that's not surprising. Communication technologies have accelerated in the 21st century so that social sharing is becoming the pervasive, persistent rule. Given this, you might say there's a new addendum to the social contract about the expectation of privacy, and it's still being negotiated as we realize how public and exposed we've become. As I write these words, new proposed laws and regulations are being debated, as is the role of privacy in the marketplace. It's an interesting time.
All Your Data Are Belong to Us
The new world of privacy (or lack thereof) starts with data. There's an increasingly pervasive, relevant, and valuable world of digital information, easily stored and replicated and transmitted. Revolutionary digital communication technologies have taken the world's information and media products and converted them to digital formats. As a result, we have digital convergence, a merging of information technology with telecommunication and networking, consumer electronics, and infotainment media. This started in the latter part of the 20th century era of mass media, and it's proceeded apace over the last decade, in which we've seen the ascendance of smartphones and similar mobile devices, streaming music and video, and high-definition media. Cinema, television, and music are all now created, stored, and distributed via digital processes. In this new world, we've all become "users," and we are referenced by many forms and factors of data. We live by our numbers and passwords and digital devices. We carry powerful computing devices in our pockets, networked persistently with all the other similar devices across the globe.
Eventually, the digital and the material will merge in an "Internet of things," wherein objects as well as personal data points are referenced and findable through related data. So much of our lives depend on the security and integrity of the computer systems that hold this new world, and our stake in it, together. As there's more and more data created and stored about each individual, containing it, while sustaining some realistic expectation of privacy, is challenging. Our information ecosystem is outrunning our ability to secure it, leaving our most personal and sensitive data vulnerable to attack.
Here's a story to illustrate online vulnerability in a personal context, where one individual was "pwned" by another. Last May, activist Ruby Sinreich had the rudest of awakenings: She'd been hacked, and hacked bad. In a day's time, she lost control of almost a dozen Web properties associated with her name and identity, including her Amazon and Apple accounts, her Twitter account, and most damaging, her DreamHost account, which included her primary email and all of her websites. So much of her data had been compromised that it was difficult for her to prove her ownership of the accounts.
This wasn't a hack perpetrated by professional criminals – it was an intrusion by a 17-year-old computer maven who attempted to sell her @ruby Twitter account in an online forum. Ultimately, it took Sinreich several days to get her accounts back. Every day without access was a day of potential personal and reputational damage.
This is just one personal instance of data vulnerability exposed, out of a large and growing set of privacy and security issues that are only growing. As we extend the scope and reach of our lives online, our precious bits proliferate and are stored on increasingly distributed systems connected through various broadband network service providers and what Bruce Sterling calls "stacks" – vertically organized corporate silos like Google, Apple, Microsoft, Amazon, and Facebook – as well as smaller systems that aggregate our data behind more or less simple systems of authentication. These are the new cross-sector industrial powers that have emerged in the era of convergence, and their business models depend on user data.
Big Data, Big Problems
Sinreich's story illustrates the susceptibility of computer systems to the kind of hacker mischief that has been going on since the Nineties, and it points to difficulty in protecting personal systems and data from attackers with the knowledge, time, and more or less malicious intent required to do harm. If it's that easy for a teen who's just screwing around to take ownership of an experienced user's Web properties, what might professional criminals do?
Then there's that issue of surveillance. In today's clouds of networked distributed storage, personal data tends to be imperishable and persistent, and the online movement of data leaves a trackable trail. Larger entities, corporations, and governments, can analyze "big" data for intelligence about social behavior and movement, macro and micro. As we users generate and depend on data, we can be tracked and sorted, with or without our awareness or consent. A conversation over the fence in the Fifties had no more persistence than memory, which is inherently flawed, but a conversation on Facebook can be stored accurately and forever, and as stored data, it can be aggregated with other data, packaged, and interpreted in various ways. This is happening faster than we can build policy around it.
In addition to potential personal hacks we've described, commercial abuse of online personal data is a growing problem. As commerce has moved online, data about consumers has become a commodity – bought, sold, and manipulated as an inherent aspect of market activity. Email spam was the first step on the path to more sophisticated and less obvious forms of data harvesting and marketing. The ultimate data-driven marketing systems are Amazon, Google, and Facebook, all of which use algorithms to drive marketing subtly but effectively into the user's social experience. While some activists deplore any involuntary use of personal data for marketing purposes, consumers are taking it in stride. The trade-off is that we all have free, powerful online tools that support social interaction and sharing.
Outside the U.S., the story's somewhat different. The European Union foresaw issues of data exploitation and created a Data Protection Directive that includes principles of notification when your data is collected, limitations on the use and sharing of data, and requirements for data security. This doesn't prohibit personalized marketing, but it does include stringent protections for identifiable personal data.
So far, the U.S. hasn't adopted similar principles as enforceable policy, though there are relatively strict protections for certain kinds of information, most notably the HIPAA protections for the privacy and security of personal medical data.
While the "social" industry provides many services to its users, those users are not customers; they're the product, sold in aggregate to advertising and marketing organizations and to the brands they serve. Companies like Google and Facebook will argue that they're using your data to enrich your online experience and many consumers accept the bargain, either because they're barely aware of it, or because they feel that they're getting sufficient value in exchange.
Surveillance by government agencies is another high-visibility privacy issue where technology has outrun policy, and policy is trying to catch up. Recent WikiLeaks and Snowden revelations tell us that government surveillance programs are collecting more and more data about our lives and activities, stored in the various "clouds" of networked computer systems. For example, cell phone technology depends on tracking each device's proximity to cell towers, with tracking data stored by service providers and accessed repeatedly by the NSA and law enforcement agencies. It's broadly accessible via subpoena with no judicial oversight, though there's a Fourth Amendment argument that a warrant should be required. The FBI and some local and state police departments also have a mobile device called Stingray, which simulates a cell phone tower, and can intercept and relay cell phone traffic while capturing surveillance data, also without a warrant. Legislators like Sen. Edwin Markey (D-Massachusetts) and Rep. Jason Chaffetz (R-Utah) are seeking legislation requiring law enforcement to show probable cause and obtain a warrant in order to capture and use any domestic cell phone data.
The issue of domestic surveillance in the U.S. is heating up. Criticism of NSA surveillance programs led President Obama to end some of the routine surveillance practices, meanwhile Rand Paul and FreedomWorks are suing Obama and the NSA, challenging the constitutionality of the phone surveillance program.
So as you head into the Social and Privacy sessions at SXSW Interactive – some of which focus on privacy in a world of social media and in the data-driven marketplace, while others tackle breaking issues about government surveillance – remember there are no easy answers forthcoming on any of this. In the participatory panopticon, security and privacy are wicked problems. And with no purely technical solution, it's a social and political problem that we, the users, have to resolve.
Is Privacy a Right or an Illusion? Friday, March 7, 5pm Sheraton Austin Capitol View North
A Virtual Conversation With Julian Assange Saturday, March 8, 11am Austin Convention Center Exhibit Hall 5
In Data We Distrust: Fixing Online Privacy Saturday, March 8, 12:30pmSheraton Austin Capitol View North
After Snowden: Privacy, Surveillance, & the NSA Saturday, March 8, 3:30pmAT&T Conference Center Room 106
Privacy Is Dead: Long Live Privacy Sunday, March 9, 3:30pmSheraton Austin Creekside