A Quick Thought on Privacy
There is an important difference between private companies holding private data and government holding it.
I heard a piece on NPR this morning that underscored a notion that I have heard and read on numerous occasions lately, which is that despite the fact that there is a lot of concern at the moment over privacy we Americans actually have willingly given up a lot of privacy, especially in the contemporary sea of technology in which we swim.
For example it is often stated that we share a lot of private information on social media sites like Facebook (I certainly shared a lot about a recent family vacation, for example) or that we provide lots of data to private companies (and that, indeed, they often collect information in a less than transparent way).
All of this is, of course, quite true.
However, if a company I do business with gathers information about me (that I have given mostly of my own volition as the price of doing business) the worst they can usually do to me is attempt to market products in my direction (with onscreen ads, spam and phone calls usually being the most intrusive manifestation thereof).
If the federal government of the United States is collecting information about me (that I have mostly not given of my own volition) the worst they can do is confiscate my property and incarcerate me (if not worse).
This is an obvious distinction that is not made often enough, I would argue, in these stories on privacy. Yes, a lot of us are willing to share more than perhaps we should in public settings. But the fact that we choose to do so is key, and more importantly, the stakes for Facebook sharing and NSA snooping are not, at least in theory, anywhere near the same.
In other words: to say that we have become more public in our daily doings is not the same as saying it is okay for the government to secretly gather reams of data about us and store it for future use. Both are roughly about the concept of “privacy” but they are quite distinct in terms of kinds and consequences. I think this needs more stressing as telling the public, even in stories that are critical of the NSA programs, that sharing on Facebook is somehow in the same category as Verizon handing over reams of phone records to the government is creating false equivalencies. Verizon, after all, does not have prosecutorial powers. The feds do.
True if. If you assume that Big Business will continue to be restrained within current bounds.
And if you assume that while Big Business is behaving itself, the US Government has become a dystopian Orwell state.
Apples and oranges: current practices vs. future paranoid fantasy world.
Someone on another site commented about this issue by saying that it’s not so comforting to know that the NSA’s computers key on words related to possible terrorist plots when those computers can be easily reprogrammed to key on words related to opposing the administration’s programs and politics (this administration or a future one).
After all, if the NSA can ID emails or phone calls that include the words, “kill the infidels,” it can certainly ID those that say, “vote against the president.”
@michael reynolds: There are always ifs. However, my cell phone company always will have, by definition and necessity, a record of my calls. While there are scenarios in which they can abuse that information, the bottom line is that they have little reason or institutional function that would lead them to start trying to put me in prison or to call me to court.
In other words: all this information is already out there. The potential for abuse grows when it is gathered into a central location and is held by institutions that have the means to abuse it.
I am not even talking Orwell. I am talking the same government that, in its Drug War zeal, regularly breaks down the wrong doors.
@Donald Sensing: I honestly don’t think the likelihood of that sort of thing is high. What I do find problematic is that the more data can be gathered the more we lose protections of overzealous prosecutors and law enforcement agencies who want to “keep us safe” (in the same way the no-knock raids are supposed to keep us safe from drug dealers).
@Steven L. Taylor: A disgruntled employee with a personal vendetta can use a business’s data-mining against you as well as one in the federal government. The difference is the business probably has less safeguards than the government’s, or that the business is under less pressure to institute such safeguards.
This issue, to me, has moved beyond privacy concerns. It’s all about potential for abuse now, the main concession being that privacy isn’t really the issue so much as protection from blowback for public activities.
“However, if a company I do business with gathers information about me (that I have given mostly of my own volition as the price of doing business) the worst they can usually do to me is attempt to market products in my direction (with onscreen ads, spam and phone calls usually being the most intrusive manifestation thereof).”
Or, if it is a credit bureau that you have not chosen to do business with, provide the information (and often information which is not correct) to other businesses to help them decide whether to do business with you.
I think the key is to look at this as a point along a transition, rather than as a defined world.
We’ve had a lot of arguments based upon the opposite, an implied stasis, and the idea that this is the new world, get used to it.
I don’t think we are remotely near the endpoint. Both corporations and governments are busy building data centers, and importantly, busy integrating existing data sets.
At this point Facebook has a slice of voluntary subscribers, your cable company has another slice, the advertising cookie empires have more, and so on. Local governments have their slices, as do state governments, and various federal agencies.
Without clearly defined limits there is no reason these things should not merge, and right now there are few limits. Or, the analogy might be that we lock one door (FISA) and leave open another (government purchases of commercial metadata).
I think it adds up to us already having a loosely connected surveillance state, but better connections are the natural direction.
(Note yesterday’s straw-man arguments that if facial recognition and auto license recognition are not universal, they are not real. Of course they are real, and of course they are being built out.)
Disgruntled employees could, theoretically, do all manner of harm to my cell account, my cable access, my brokerage account, my bank account, etc. Or, to put it another way, individuals can act in a criminal manner.
But the issue is the marrying of capabilities to institutions with authority to act, and to act in a way that they think is just and good. Again: no knock raids are a good example. These are legal activities done by people who truly think that they are doing the right thing and are supported by a public because they fear drugs and any given individual is unlikely to have their home raided.
(If Verizon metadata has no expectation of privacy, because it fails the 3rd party test, is there any reason every police department in the country should not have access? And if they may, isn’t the continued framing that this is “an NSA issue” plain wrong?)
This is an important distinction, but perhaps not one that needs to be stressed over others. After all, if Google wanted me prosecuted, they can petition our mostly responsive government to prosecute me. Once it gets into the courtroom, though, they better have a case.
Which is also true when the government decides on their own to prosecute me.
@john personna: It is more than an NSA issue, yes.
This is the NY Times:
@James Pearce: Google itself, however, cannot prosecute you on its own. It has to file charges and the government prosecutes. This is a rather significant distinction.
Moreover, it is not part of Google’s raison d’etre to prosecute people. It is, however, an inherent government role and power.
@Steven L. Taylor:
DEA are breaking down the wrong people’s doors because of a very old-school trick called swatting. In effect they’re being spoofed and because they lack data they’re targeting the wrong people. An argument could be made that if they had better data they’d be less easily manipulated.
There’s a separate argument that can be made that we have things like the drug war in part because “privacy” enables hypocrisy. Privacy allows people who use drugs to oppress other people who use drugs, just as closeted gays often became involved in oppressing outed gays.
What we have here is a failure of imagination when it comes to business and an over-active imagination when it comes to government.
Let’s take Booz Allen — the company that employed Snowden. They had access to all of this secret data, including — according to Snowden — a complete list of CIA agents around the world and the ability to tap the president’s phone. So, let’s say I own a competitor of Booz Allen. Let’s say they want to run me out of business. Well, with access to the president’s emails to his girlfriend and a list of CIA agents, Booz Allen could blackmail the administration into having me dragged off to Guantanamo. Right?
Mr. Orwell has conditioned us all to fantasize easily about government abuse. But of course there’s the Robocop version of dystopia, too, in which the villain is Big Business. Both are fictional.
The original SCOTUS decision involved FBI surveillance in a Maryland drug case, so it always was more than the NSA.
What I would like to see is less hand-wringing about “I’m concerned for privacy!” and more policy ideas. I guess we haven’t gotten to that stage yet.
@michael reynolds: I do not deny the potential for abuse by large corporations.
Still, the main reason Booz Allen was in the position they were in is because they were contracted by the government to do what they were doing.
Mission statement, so to speak, matters. The nature and types of abuses of a given emerge from what a given system was designed to do in the first place.
Can’t come up with policy proposals that accomplish legitimate intelligence goals and also protect a basically nostalgic notion of privacy. Much easier to huff and puff indignantly.
I believe that there are some rules that data sharing must be anonymized, but I think technology and practices have outpaced those.
If that genie could be put back in the bottle, it would be a good boundary.
@michael reynolds: I don’t think I am huffing nor puffing, or even being indignant. I am actually noting that the nostalgic versions of privacy don’t really exist (e.g., Facebook and the fact that Verizon does, in fact, have all one’s phone calls on file).
@Steven L. Taylor:
The mission of all business is to make profit. Do individuals sometimes get in the way of that mission? For example, will a chemical company do unsafe things at a fertilizer plant and, let’s say, blow up an entire Texas town? That’s 15 people dead for profit.
The mission statement of government is actually to avoid blowing up Texans for money.
@Steven L. Taylor:
Oh, dude, that was not a shot at you.
As I have said, the attitude that a surveillance state might not be so bad, and might even have some safety benefits, is defensible. One reason for the fall in violent crime might be the more rapid response to arrest.
Perhaps one could even say “OK, knowing this is a surveillance state, I will just live an unremarkable life.”
The thing one can’t do, IMO, is say “well, it’s just a few isolated actors, like the NSA, and we know their limits.”
@michael reynolds: This is all true, but actually not really on point.
Or, more accurately, it makes my point: abuses are likely to flow from mission statements. A chemical plant is more likely to abuse its mission to make money by being unsafe and blowing up a town.
A security agency whose job it is to “keep us safe” is more likely to abuse the information at its disposal.
I am not in any way arguing that the private sector is more benign than the public. I am arguing that the nature of malignancy is likely different, especially at the macro level.
@michael reynolds: Gotcha–thanks.
Dr. T – I would note the Supreme Court says there is not a distinction in its case law. In Smith v. Maryland, they allowed, for example, monitoring of phone records because by using phone records you are no longer doing something “private,” as you are using equipment belonging to a third party. Similarly, the internet is not your private space – and I think the mistake was to think we could ever make it so in the first place. The minute you are out on the internet, you are in a space over which you have no control. I think the distinction that is the problem is not government v. corporations but between our own private spaces and public spaces that we may perceive as private. Not that I necessarily agree with this area of the law, but I think this is something people should understand – your internet communication is not private. The minute you connect, you are voluntarily subjecting yourself to a network of hackers, corporations, and yes, governments.
@Brett: This is certainly true.
Still, sticking with phones, the government still should need a probable cause, and have to go through some hoops, to access my phone records even if they were never fully private in the full sense of the term.
Yes, a network, but not one limited to what we narrowly think of as “connecting to the internet.” Credit card purchases produce a lot of “metadata” which has the same non-expectation of privacy.
To go off the network you’d pretty much have to ride public transportation, pay cash, and wear a false beard.
@Steven L. Taylor:
The freely available metadata is actually useful in many more situations than the need for a traditional “tap.”
How many times in a modern crime drama do they say “use his phone to find him” and how many times do they say “I need to listen to his next conversation?”
Even TV writers know it is all about the metadata.
Well, I’m glad you came up with SOMETHING we could discuss, rather than “Look! Electronic Surveillance! AAAARGH!”
Most of the civil libertarians here just seem to want to get rid of data mining by the government, or even electronic surveillance altogether. It’s hard to say really, because of all the huff puffing.
So then your argument is along the lines of;
To which I would reply; the authorities always have had the means to make your life miserable. Ask Valerie Plame and her husband. Even the cop on the beat has immense power. Just ask black men. Especially if they are driving on the Jersey Turnpike. Is this really any more onerous? Is it any more prone to abuse? And is the theoretical victim any less able to defend themselves against it?
And then there is always this:
It is apparent that most readers do not know the extent of tracking data (to use a good generic), and many writers lose the forest for the tree. In that environment, education is not just huffing and puffing.
I mean, I did not know last month that police cars now have technology to drive around logging every license plate they see (time and place) nor that there was a national database where they sent such information. That’s breaking news for me.
Once people know this stuff, they can make an informed decision about whether they can live with it, or what limits here should be.
I did not write:
Is a democratic surveillance state possible?
but I think Mike Konczal shows good timing.
Great article. The best starting point yet I have seen for this discussion. I like this:
@Steven L. Taylor:
As we’ve discussed in a previous thread, I think the only feasible solution here that would limit (but not eliminate) the potential for abuse would be to restrict the NSA’s ability to share this data with any other governmental agency or office for any purpose other than investigations relating to terrorism or espionage.
This way, no one at the DEA is going to be able to ask the NSA to search for call patterns that match drug dealers and use that as evidence to get a no-knock warrant on your house. Granted, you can still get raided if they mistake your patterns for terrorism, but at least we’re limiting the number of things that they can use this data to accuse you of.
There really isn’t a meaningful distinction anymore. If your information is out there, the government is going to pick it up, whether it’s just sucked off your Facebook page or obtained via request or warrant. If we didn’t assume that before last week, we certainly should now.
The areas where we must concentrate our efforts, if we wish to maximize protections against government abuse of that information, are legislation and oversight.
For example: We know metadata is easy for the government to obtain, but wouldn’t it be possible to set a line beyond which the aggregation of enough metadata on a person requires a warrant?
And couldn’t we legislate time limits on the retention of information? Right now, it appears whatever the government gathers is held forever.
Just throwing some suggestions out there, since this issue seems to be generating a lot of heat but very little light.
Another good suggestion. This would limit the potential for abuse two ways–first, by limiting the uses of the information, and second, by reducing the motivation to gather more of it.
@Steven L. Taylor:
The real mission statement of the NSA is to grow the NSA budget. But, that snark aside, their official mission is to protect us from terrorist attack. I think it runs counter to experience with government bureaucracy to imagine that they would hand their prized data over to the DEA. Since when have agencies shared anything voluntarily? We have Homeland Security in large part because no one could get Intel Agency #1 to share with Intel Agency #2.
(Note yesterday’s straw-man arguments that if facial recognition and auto license recognition are not universal, they are not real.
Thank you for admitting those were strawman arguments you erected, as opposed to the actual arguments people made.
In many of the cases swatting has nothing to do with getting the wrong door. The broader problem is that the government doesn’t have the best track record in making sure that they are actually targeting the right “John Smith.”
One of the sober things I discovered in going through the annual FISA reports was that in 2008, ~22% of the time the FBI pulled private records (call records, bank statements, etc) on a US citizen, they targeted the wrong “John Smith.” Granted, they fixed their mistake (submitted a corrected request for information), but that’s a pretty significant error rate.
Unfortunately, from what I can tell, the government stopped issuing reports on the correction rate because they were not required by law to disclose that information. And to some degree, that gets back to Steven’s broader point.
Yeah, I saw that part of your post and passed it along to my 16 year-old for whom it supplied a “win” in an ongoing debate between us. The numbers were really striking and rather cast doubt on the efficiency of the NSA’s data mining.
Tell me about it. I wish that they were continuing to report on that particular number. One would hope that they would get that down. But given the number of drug raids that end up kicking down the wrong “John Vasquez”’s door, I’m not particularly hopeful.
I have a sneaking suspicion the NSA is just going after “Mohammed, last name unknown, Yemen,” until they hear something interesting.
Exactly the point of Smith v. Maryland 442 US 735 (1979)!
Phone metadata is NOT protected under the 4th amendment.
Well gents, it sounds like we need some new laws then!
*looks to Congress*
*keels over dead before they act*
And don’t give me that BS about congressmen being unable to debate these things in public. I wish I could recall Stormy Dragon’s quoting of the Constitution, but it said they could do just that without being lawfully charged.
Small point here, it was not a drug case. It was a robbery.
If NSA has been collecting metadata on phones for some time, why did the DOJ need a warrant to get phone metadata to investigate James Rosen – Kim connection? Or the AP phones?
Since big data became both affordable and useful:
In this high tech age absolutely nothing is private anyway. This NSA issue is much ado about nothing. As I have said before, privacy won’t matter one iota if you’re dead due to lack of security no matter how the NSA goes about it.
“privacy won’t matter one iota if you’re dead due to lack of security”
That’s a rather Cheneyesque stance.
No, in most cases it’s pure human error, sloppiness and other mistakes inherent in the system. They get the house numbers transposed, they go to 123 Elm Street instead of 123 Elm Avenue, they rely on a junkie informant who can’t be bothered to get it right, etc.
People who want to pretend that surveillance is necessary for protection don’t like the numbers.
“you are 40 thousand times more likely to die crossing the street than in a terrorist attack on a commercial airliner”
Perhaps jaywalking cameras, with automatic citations, by face recognition, would save a lot more lives, eh?
Two words have not been spoken in this thread: business records. I don’t think a strong wall has ever existed between business records and government activity. If my ex-wife should take me to court to re-settle our divorce and be awarded $100K in back alimony, that government action would not escape the notice of credit agencies and banks for long. But apparently there are those who think that some sort of barrier should keep my creditors in the dark. I hope they have good investment advisors and do not choose their own financial preparations for retirement because they are very poorly connected to the actual world.
As has been noted, the Supremes decided that phone company records of who calls whom and for how long they talked are business information that should be available to law enforcement without a warrant. NOTE: That information belongs to the phone company not to the person making the calls no matter how it ‘feels’.
@Steven L. Taylor: “…the government still should need a probable cause, and have to go through some hoops, to access my phone records even if they were never fully private…”
Pause….. While we consider – on what legal or ethical basis the government “should” treat information as if it were somehow closely held, confidential or available only upon “discovery” in a court. Because, well, it just “should”. And that’s how he feels, G*dd*mmit!
It has seemed to me — and I am not a lawyer (thanks be to the FSM!) and have not followed the debate so closely that I am certain that I’m correct — that before the NSA actually “accesses” Dr Taylor’s phone records to pull them individually out of the huge tangle of phone records stored in Utah, they do in fact have to get a FISA warrant.
So WTF?! Is the point of this entire OP and 50-some comments that this NSA business doesn’t FEEL right?
It’s as if Mr Mataconis wrote this under an assumed name. I expected more.
@JohnMcC: Actually, I made no claims about feelings. Indeed, I made no claims specifically about the NSA.
@Steven L. Taylor: But the US Gov’t just “should” jump through hoops to access information that you freely entered into the “cloud”. Because…..
@JohnMcC: If the US government wants to read this blog, my Twitter feed, or view my public photos on Flickr, more power to them. They are in public space and I knowingly put them there.
If they want to look at my e-mail inbox, Google Drive or Dropbox, or anything else in the Cloud that is not intended for the public then, yes, they should have to get a warrant. Do you disagree?
I’ve seen this argument about the difference between business and government collection of data, and it doesn’t make any sense to me at all. The government, by and large, is not collecting the data: the private businesses are and the government is requesting the data from them. To say “I’m okay with businesses collecting my private information” ignores the fact that that is where the government is getting the data anyway (Verizon, Facebook, etc.) Drawing a distinction between the two seems like a thin thread to me. It also seems to assume that the data collection on the private sector side is guaranteed safe. We all know that isn’t the case–anything from a programming error to a sophisticated hack can make all of that information public anyway. The question then is, in the case of an accidental/nefarious publication of private data to the public sphere, what are the ramifications?
Yes, this is the ultimate question.
The point being, the DOJ can do a lot more harm to my life and liberty than can Verizon or Facebook. And, moreover, DOJ can do that damage in pursuing its basic mission. Facebook operating under its basic mission is rather unlikely to make errors that utterly ruin my life.
Not for “metadata,” no. That’s why we’ve gone on about the 3rd party rule, and no expectation of privacy.
The NSA may have made a FISA request to get the whole block of Verizon data, but once it was approved (probably using the 3rd party rule) they owned a complete copy. If they then restrict themselves in its use, that is kind of extra effort on their part … because of the no expectation of privacy part.
I am still uncertain whether the content of a phone call is open to the NSA merely because the records of the call being made (from whom, to whom, for how long) has been obtained via a FISA warrant. Since you seem quite certain, Mr Personna, I am waiting for a citation.
@Steven L. Taylor: You and I both have the same understanding of this, sir. If I understand the controversy correctly, a FISA warrant would be needed to discover the content of your phone conversations, emails and such.
FISA is a very thin reed to hang our traditional liberties on. But I do not forget that the previous administration did not ever grant us that much.
@JohnMcC: Ooops! “…the previous administration did not EVEN grant us this much.”
I was responding to this:
Phone records are extensively meta-data.
And there is no database in Utah that I know of storing the opposite, content, for later retrieval.
Is that the case? Assuming you are an American citizen, I’m not sure if that request goes through the FISA courts. Or does that occur via the National Security Letter requests?
@Steven L. Taylor:
“Facebook operating under its basic mission is rather unlikely to make errors that utterly ruin my life.”
As I noted in the beginning and you did not respond to, credit agencies operating under their basic mission and making an error can utterly ruin your life, though. Watch how quickly your life would turn around if another Steven Taylor’s bankruptcy were coded to you.
@Moosebreath: This is certainly true. But of course, even bankruptcy is not as bad as going to prison.
@Steven L. Taylor:
True, but if your credit rating tanks due to incorrect info, it will likely affect future job applications, being able to purchase a new car, and a whole host of other day-to-day relationships. That’s a far cry from your original statement: “However, if a company I do business with gathers information about me (that I have given mostly of my own volition as the price of doing business) the worst they can usually do to me is attempt to market products in my direction (with onscreen ads, spam and phone calls usually being the most intrusive manifestation thereof).”
@Moosebreath: All true, and all very serious.
And in the quotation I was referring to basic business relationships. Yes, errors can be problematic, to put it mildly. However, again, the business of national security is a more direct route to abuse than is that of the credit bureau or the bank.
And there is more recourse against private sector screw ups than there are to the screw ups of government.
@Steven L. Taylor:
It seems you are comparing government action at its worst against business action at its typical and saying government can harm you more. This seems an unusual comparison, to say the least.
“And there is more recourse against private sector screw ups than there are to the screw ups of government”
I strongly disagree with this. Indeed, it took government action to create _any_ recourse against the private sector credit reporting agencies, even to get them to acknowledge and correct mistakes. And at least I vote for the people who set governmental policy; I don’t get that privilege in the business community.
First, I am unclear on ultimately what you are defending. (I am not saying private industry is good and government is bad, but I am saying that ceiling for problems is higher for government, and therefore the needs for safeguard are higher).
Second: yes, you can appeal to government for help against private enterprise (as well as, sometimes, other private enterprises). You can appeal to government to deal with abuses of government, but at the end of the day there is no higher level to appeal to. Again, a higher ceiling for possible abuse. This has to be taken into consideration.
@Steven L. Taylor:
“First, I am unclear on ultimately what you are defending. (I am not saying private industry is good and government is bad, but I am saying that ceiling for problems is higher for government, and therefore the needs for safeguard are higher).”
You started out in the post saying that the problems with government are potentially life-changing (property seizures, prison time) and the problems with private industry are trivial (i.e., the worst that can happen is that you get some spam). I was originally trying to get you to acknowledge that this is not the case, and that the potential harm from abuse by the private sector is potentially life-changing as well, which you did above. Now, the next step is comparing the likelihood of undeserved harm and the ability to mitigate the undeserved harm from the government and the private sector.
In other words, while the ceiling is higher from harm from government, I believe the likelihood of significant undeserved harm is far higher from business and the ability to obtain redress from undeserved harm is far lower from business. Your comparison (limited to Facebook versus the entire federal government) is the false equivalency.
@Moosebreath: I was never trying to equate Facebook and the federal government.
Indeed, in many ways my point was that media stories about privacy are, in fact, making false equivalencies between Facebook and privacy (and like services) and the federal government and privacy.
Regardless, government abuse and power increases are often quite difficult to scale back and therefore worthy of concern.
@Steven L. Taylor:
I am going to end it here, as I think it is impossible to square what you have just written with your original post.
@Moosebreath: As you wish.
I have suggested that the idea of a difference between private and government tracking is outdated.
This Bloomberg story backs that up.
SLAVES TO THE ALGORITHM