Internet Surveillance State

All of us being watched, all the time, and that data being stored forever.

do-you-know-whos-watching-you

Bruce Schneier argues “The Internet is a surveillance state.”

The Internet is a surveillance state. Whether we admit it to ourselves or not, and whether we like it or not, we’re being tracked all the time. Google tracks us, both on its pages and on other pages it has access to. Facebook does the same; it even tracks non-Facebook users. Apple tracks us on our iPhones and iPads. One reporter used a tool called Collusion to track who was tracking him; 105 companies tracked his Internet use during one 36-hour period.

[…]

Facebook, for example, correlates your online behavior with your purchasing habits offline. And there’s more. There’s location data from your cell phone, there’s a record of your movements from closed-circuit TVs.

This is ubiquitous surveillance: All of us being watched, all the time, and that data being stored forever. This is what a surveillance state looks like, and it’s efficient beyond the wildest dreams of George Orwell.

[…]

Maintaining privacy on the Internet is nearly impossible. If you forget even once to enable your protections, or click on the wrong link, or type the wrong thing, and you’ve permanently attached your name to whatever anonymous service you’re using. Monsegur slipped up once, and the FBI got him. If the director of the CIA can’t maintain his privacy on the Internet, we’ve got no hope.

In today’s world, governments and corporations are working together to keep things that way. Governments are happy to use the data corporations collect — occasionally demanding that they collect more and save it longer — to spy on us. And corporations are happy to buy data from governments. Together the powerful spy on the powerless, and they’re not going to give up their positions of power, despite what the people want.

[…]

Welcome to a world where Google knows exactly what sort of porn you all like, and more about your interests than your spouse does. Welcome to a world where your cell phone company knows exactly where you are all the time. Welcome to the end of private conversations, because increasingly your conversations are conducted by e-mail, text, or social networking sites.

And welcome to a world where all of this, and everything else that you do or is done on a computer, is saved, correlated, studied, passed around from company to company without your knowledge or consent; and where the government accesses it at will without a warrant.

Those of us who’ve been paying attention have seen all this coming incrementally. But what hasn’t been as apparent is the degree to which all of these individual concessions of privacy would be networked. Because of the mobile web, especially, our Google, Facebook, and other data are now hooked to GPS and rather easily cross-referenced.

To the extent all of this yields the immediate goal of all the tracking—serving web-based ads that are more appealing to the consumer—it’s a little creepy but not really a big deal. Indeed, it’s arguably a boon for all concerned: advertisers underwrite excellent content on the web and targeted ads are worth more to both advertisers and consumers.

But, for starters, the information we share with one company should stay with that company. It’s no use saying that we “volunteer” to give them the right to sell. Companies like Facebook and Google are functional monopolies and the terms of service are so absurdly long and change so often that the notion that we’re actually giving meaningful consent when we click “Agree” is a joke.

Further, it’s problematic that government has easy access to all this information—often without even obtaining a warrant. While the Supreme Court has always interpreted the 5th Amendment’s protection against self-incrimination incredibly narrowly—and the 4th Amendment’s guarantees limiting search and seizure haven’t fare all too well, either– it strikes me as obvious that one’s conversations via email and text messaging should be at least as protected as those via telephone.

FILED UNDER: General
James Joyner
About James Joyner
James Joyner is Professor and Department Head of Security Studies at Marine Corps University's Command and Staff College and a nonresident senior fellow at the Scowcroft Center for Strategy and Security at the Atlantic Council. He's a former Army officer and Desert Storm vet. Views expressed here are his own. Follow James on Twitter @DrJJoyner.

Comments

  1. john personna says:

    In 1999, Sun Microsystems’ then-CEO Scott McNealy infamously declared, “You have zero privacy anyway. Get over it.”

    My personal journey towards acceptance of that was long, as evidenced by past conversations here, but I think I’m there now.

    Scott saw the guts of the internet and what they implied. That architecture has been reinforced now for a decade.

    … but relax, don’t worry, you are probably more typical and uninteresting than you think.

  2. James in LA says:

    The only way this can remain in place is by retaining the ISP model of internet access, where a small number of gatekeepers turn an otherwise open mesh network into a hierarchy.

    The clouds of always-on devices are now the size of cities. Every new fancy appliance when unboxed expands this cloud. Soon, they will be the size of counties, then states. This will form a mesh network open to all with no access restrictions. Everyone will be an ISP.

    SmartPhones are capable of managing many more network connections that the carrier allows. They are powerful devices and getting more so by the hour.

    There is work underway to make this mesh cloud secure: http://projectmeshnet.org

    Absent an ISP there can be no censorship. And it is most assuredly coming because those under 45 will see that it happens, having been robbed blind in plain sight with zero consequence to the robbers. The ISP model cannot be allowed to stand if we want to have any hope of checking our creeping greedy police state.

    The next iteration of social media will include direct participation in politics. Meshnets will be leading the way..

  3. Mikey says:

    @john personna:

    In 1999, Sun Microsystems’ then-CEO Scott McNealy infamously declared, “You have zero privacy anyway. Get over it.”

    Pretty much. Privacy as it had been understood prior to the “digital age” is dead. With both storage and data-mining technology so cheap, there’s no way to maintain true anonymity.

    Schneier says, “Welcome to an Internet without privacy, and we’ve ended up here with hardly a fight.” There’s a reason for that: people perceive a lot of benefit from what the lack of privacy provides. It’s very convenient that Amazon knows your shopping history and what kind of products you prefer. It’s very comforting living inside Google’s “filter bubble.” And we gain a sense of security when we learn how easy it is for law enforcement to use these gathered technologies against crime and terrorism.

    One key factor that needs to change, though, is how government handles this information. The government wants to be able to have easy access to e-mails and texts under the stored communications exception to the 4th Amendment (a third party hosts your e-mails on a server somewhere, therefore you have no expectation of privacy, etc.).

    James is 100% correct when he says “one’s conversations via email and text messaging should be at least as protected as those via telephone.” There is no good reason to treat e-mail any differently from snail mail. We don’t apply the stored communications exception to letters just because the post office has possession of them between your home and the destination, and the same should be true of e-mails and text messages.

  4. OzarkHillbilly says:

    To the extent all of this yields the immediate goal of all the tracking—serving web-based ads that are more appealing to the consumer—

    More appealing to whom? I curse every time I get a pop-up and keep my computer muted all the time so that if some video comes up while I have multiple windows open, I don’t have to go looking for it to close it. Ignorance is bliss. I really suspect that on-line advertising has so little effect on me that it might as well not be there.

  5. slimslowslider says:

    Project Mersh? oh… Mesh. I got D. Boon excited for a second. Watt was I thinking?

  6. Mikey says:

    @OzarkHillbilly: I use the AdBlock Plus extension for Firefox and Chrome. Good stuff. The ads don’t even load. Saves bandwidth, too.

    Also recommended: Ghostery. It reads all the trackers on every page you visit and has a large database you can choose to “allow” or “deny.” There are 11 trackers on this very page…

  7. john personna says:

    @James in LA:

    Is there legal spectrum for mesh networks now available? Because I’d expect entrenched providers and homeland-security types to lobby against it pretty strongly.

  8. Mikey says:

    Now why did my last comment go into purgatory? Not a curse word or link in the thing.

  9. john personna says:

    @Mikey:

    James is 100% correct when he says “one’s conversations via email and text messaging should be at least as protected as those via telephone.” There is no good reason to treat e-mail any differently from snail mail. We don’t apply the stored communications exception to letters just because the post office has possession of them between your home and the destination, and the same should be true of e-mails and text messages.

    The technical bar to use PGP for mail has always been low. It is much harder to open than steaming an envelope. And yet it never took off. People much prefer convenience, and would rather not come off as a privacy nut.

  10. rudderpedals says:

    As the “cypherpunks” know the only net privacy you get is the self-help kind. For a year or so in the early days pre-dejanews in netnews it was a thing to tack “nsa bait” in signatures on posts to waste time of those assumed to be tapping the net at the interchanges. 10+ years later he Times confirmed those suspicions and more with the 2005 investigation into the illegal NSA wiretap details http://www.nytimes.com/2005/12/16/politics/16program.html?pagewanted=all&_r=0 .
    What was left of the 4th Amendment disappeared in a puff of greasy black smoke with the congressionally granted indulgences towards the telcos and blessing of the warrantless tapping program.

    David Brin has a radical yet persuasive proposal to deal with this in “The Transparent Society” but it’s probably too utopian for the real world.

  11. Scott says:

    I think it is impossible to fight this gathering of data. Perhaps a different tactic is to pollute the data. Example: where it doesn’t matter provide incorrect phone numbers, different middle names, different version of first name.

    I’m surprised that there isn’t any utility software to accomplish muddying up your tracks.

  12. PJ says:

    These are some of the reasons why I’m very happy that OTB never decided to force people to comment under their real names or, as some other sites did, give the comment section away to Facebook.

  13. Ron Beasley says:

    I guess that’s the price we pay for all “free” stuff we get on the intertubes. I use SpeedingPCPro to clean out all the cookies every couple of weeks.

  14. Tsar Nicholas says:

    I didn’t realize that Google, Apple and Facebook were the government.

    Speaking of which, what’s sort of funny about these sort of hysterical screeds from the cocooned demographics which make up such large percentages, ironically, of the Internet’s chattering classes, is that they don’t even get the irony. Whining about the putative “Internet Surveillance State,” duh, on the Internet, and then waking up the next morning not only not in cuffs or chains, but able to rinse and repeat 10x over, is fairly obvious proof that this isn’t “1984.” Not even close. Not even in the ballpark. Not even in the same town. Not even in the same county.

    We’ve lost an entire demographic to being spoiled, loopy and hysterical. Is it any wonder that our politics is a farce? Geez.

    Here’s a suggestion: You don’t like the fact that Apple for example tracks every thing you do on your iPhone? Well, Sparky, then don’t buy an iPhone. Toss out your existing one. There are plenty of other options. Like for starters not being a spoiled brat who needs an iPhone.

  15. grumpy realist says:

    @Tsar Nicholas: I suppose you want us all to go back to landlines and rotary dials? Or do you simply hold stock in RIM? (Or even earlier–a Palmpilot!)

  16. rodney dill says:

    I think the capability of using the internet to spy on others is far overrated…
    …and OzarkHillbilly… put your pants back on…

  17. J-Dub says:

    I believe the benefit of having the ability to mine the huge amounts of data that is being collected will eventually outweight any privacy concerns. They can already forecast flu outbreaks from Google searches. The possibilities are endless.

  18. J-Dub says:

    You don’t need an iPhone when most of your communication consists of “Stop, or I’ll shoot!”.

  19. Mikey says:

    @Tsar Nicholas: Man, the whole point of Schneier’s piece seems to have gone straight over your head.

    You might as well have ended your comment with “Now GET OFF MY LAWN!”

    Also, while Google, Apple, and Facebook are not the government, you would be exceedingly naive if you didn’t think they offer a very high level of cooperation when the government comes asking for data. In fact, they are compelled by law to do so.

  20. Ben Wolf says:

    Mot generally known is that police, intelligence agency and corporate hacking of smartphones and workstations is a commonly used tactic. The microphone and/or camera can be switched on remotely without the device appearing to be active. If you own a desktop or laptop, disable the camera built into the monitor. If you want to have a private conversation, do it face-to-face and remember to take the battery out of your phone.

  21. Jeremy R says:

    There a some things that could be done, but probably won’t be since they’d annoy end-users. Various browsers have started enabling the ‘do not track’ header which in theory information aggregators are supposed to respect, but most ignore. Some browsers are planning on blocking third party cookies by default (so only the website you’re actually visiting gets to set cookies, not the ad company hosted in a frame on the page). And then what would be really useful is blocking all cross-domain requests by default, requiring the user to opt-in / whitelist allowing embedded content from websites outside the one you’re currently visiting. There are browser plugins that do this, but I imagine most users would find it much too cumbersome (as it currently would break practically every website in existence prior to the user whitelisting).

  22. J-Dub says:

    I never should have bought that Fleshlight online.

  23. mantis says:

    @Ben Wolf:

    Mot generally known is that police, intelligence agency and corporate hacking of smartphones and workstations is a commonly used tactic.

    Could you back this up a bit? I’m also curious what you consider “common?”

    The microphone and/or camera can be switched on remotely without the device appearing to be active.

    Not without some sort of pre-existing access to the device, they can’t.

    If you own a desktop or laptop, disable the camera built into the monitor.

    If your computer was issued to you by a company or school, this may be a good idea. If you bought the computer and you don’t just loan it out to whomever, the chances of someone using it to spy on you are very slim (but not impossible).

    All that said, security for devices and data is the user’s responsibility. Everyone who uses computers/devices connected to the Internet and who uses cloud services should take steps to protect their data and devices. Would you leave sensitive documents sitting out on your front porch for passersby to peruse or steal? No, you would secure them somewhere in your home, office, or safe deposit box. The same goes for your digital data.

    – Lock your devices with password protection
    – Set robust passwords for your devices and services
    – Vary your passwords across devices and services (use password managers if you can’t remember them all)
    – Install anti-virus/malware software on your computers and mobile devices
    – Be careful about from where and whom you accept files and messages (a hacker can install malware from a text message to your phone)
    – Be careful about what you install on your devices
    – Keep your software up to date
    – Back up your data.

    If you really deal with sensitive info, you should also implement disk encryption (standard feature on Android devices, for one). And under no circumstances should you ever perform any banking on your phone or any device that is connected to a cellular or public WiFi network. Just do your banking at home. Also, put a WPA or WPA2 key on your home wireless network. WEP can be easily broken.

    If it’s not secure, it’s an invitation. I could leave my front door unlocked every day and it’s unlikely that anyone will come in and steal everything, but one day someone might try the knob. Better off locking the door.

  24. john personna says:

    @rodney dill:

    If you are going to ague against McNeally, shouldn’t you do it with a little more substance?

    This is 2013, and “ratters” are a thing now.

  25. john personna says:

    @mantis:

    It’s interesting that back in McNeally’s day Sun put a physical slider in front of the web cam. This was deemed necessary by knowledgeable people. Suddenly that went away. It wasn’t because a new profound software security system was discovered. It was just that (a) the parts cost was non-zero, and (2) people became inured.

  26. Scott says:

    @mantis: In our facility we are not allowed cell phones and thumb drives for these exact reasons.

  27. Ben Wolf says:

    Finfisher is sold to police agencies and repressive regimes world-wide to allow for hijacking and remote infiltration of computer-based devices, and that’s just one example. Your smartphone is a tracking/eavesdropping device you use to make calls. That’s it and that’s all.

  28. rodney dill says:

    @john personna: just setting up a punchline.

  29. mantis says:

    @Ben Wolf:

    Your smartphone is a tracking/eavesdropping device you use to make calls. That’s it and that’s all.

    Oh, ok then. Thank you, Mr. Expert.

  30. Ben Wolf says:
  31. Ben Wolf says:

    FYi for those who won’t read the link: physical access to to your mobile device is not necessary to use it as a surveillance device. Simply clicking on a bad link or an infected file, just as you would on your home computer, is sufficient . The police can build dummy cell towers called an IMSI catcher in your vicinity and wait for your phone to jump to it. Then they record your identifier and use their access to their records to identify and track you. This process has been used around the world by governments to surveil “unwanted” elements, typically people a given regime doesn’t like.

  32. Ben Wolf says:

    I’m surprised more people aren’t aware of this:

    http://projects.wsj.com/surveillance-catalog/

  33. mantis says:

    @Ben Wolf:

    The existence of spyware/malware does not automatically make all of our phones “tracking/eavesdropping device you use to make calls.” This is hyperbolic and silly. Our phones are computers and they can be exploited, yes, but users can do a lot to prevent that if they understand the machines they are carrying around with them.

    Finfisher cannot just install itself on a phone without any action by the user. Users who familiarize themselves with their devices, use passwords and encryption, keep their O/S and apps up to date, install virus/malware software, and are careful about what they install and what links they click are far, far less vulnerable than users who just assume everything is peachy. I’m not the slightest bit concerned about my phone (Nexus 4, in case you are wondering) being a “tracking/eavesdropping device I use to make calls.” It’s a pretty damned secure computing device, and it is that way because I understand it and control it.

    Of course, if you aren’t interested in learning and putting forth the effort to keep your phone secure, then I would recommend not using a smartphone, or at least not using one for anything you wouldn’t want some random hacker to see. There are plenty of phones out there that just make calls and send text/MM messages.

  34. mantis says:

    @Ben Wolf:

    The police can build dummy cell towers called an IMSI catcher in your vicinity and wait for your phone to jump to it. Then they record your identifier and use their access to their records to identify and track you. This process has been used around the world by governments to surveil “unwanted” elements, typically people a given regime doesn’t like.

    Yes, but that is true of any cell phone, and has been since before smartphones came around. The use of stingrays by law enforcement, if I remember correctly, is currently being litigated in court. And to my knowledge there is no evidence of regular police forces using this tactic. IIRC, just the FBI has done so, as far as we know, and they actually had a warrant (the question is whether the warrant actually covered constructing a stingray instead of tapping into telecom towers). In any case, I have seen nothing to suggest that all our movements are being tracked by police.

    If we had a Congress that passed laws, maybe we could provide some statutory restrictions on law enforcement, but I digress….

  35. Ben Wolf says:

    @mantis: Almost no one takes precautions with their devices, or is aware of the dangers. Vendors and service providers certainly make no effort to warn consumers of the dangers when they see the chance to sell another $500 iPhone and the
    lucrative data package which goes with it. Furthermore passwords and encryption aren’t particularly secure when back door kits are commercially available to brute-force their way through your security. All it takes is one bad link/infected email, and even generally trustworthy sites get compromised.

    Your phone is a tracking/eavesdropping device because it continually broadcasts your position and ID to a vast unsecured network. It’s generally not a good idea to shout “here I am!”, when you’re surrounded by predators. Even with all precautions taken you remain vulnerable, only relatively less so than others.

    I use a “dumb” phone for a reason: unlike the most popular smartphones I can take the battery out.

  36. OzarkHillbilly says:

    @rodney dill: …

    and OzarkHillbilly… put your pants back on…

    What? Were you gittin’ excited??? (I play a mean banjo….)

  37. john personna says:

    @rodney dill:

    Sorry, I couldn’t make sense of the pants comment at first

  38. Al says:

    Has no one mentioned this piece which takes the implications of Google Glass’ features to their logical conclusion? (If you want something with less words this comic gets close to the same point a lot faster.)

  39. rodney dill says:

    @OzarkHillbilly: I wasn’t going to mention anything really embarrassing… like the banjo playing part…. Can you play Banjolina?

  40. Rafer Janders says:

    @mantis:

    Users who familiarize themselves with their devices, use passwords and encryption, keep their O/S and apps up to date, install virus/malware software, and are careful about what they install and what links they click

    So that’s about 1% of users.

    are far, far less vulnerable than users who just assume everything is peachy.

    And that’s everyone else.

  41. mantis says:

    @Ben Wolf:

    Almost no one takes precautions with their devices, or is aware of the dangers.

    I understand that. It’s why I have taken the time over the past several years to teach my parents and my sister about their technology and how to protect themselves as they have slowly (and not so slowly) adopted new technologies.

    Vendors and service providers certainly make no effort to warn consumers of the dangers when they see the chance to sell another $500 iPhone and the lucrative data package which goes with it.

    And car salesmen don’t explain to customers that they should lock the doors of their new cars because thieves exist.

    Furthermore passwords and encryption aren’t particularly secure when back door kits are commercially available to brute-force their way through your security. All it takes is one bad link/infected email, and even generally trustworthy sites get compromised.

    A spoofed link is not a brute force attack. A brute force attack is an attempt to break encryption by systematically trying every possible code. That’s why you have strong passwords and good WiFi security. A spoofed link, or back door, is another method that relies on people not being careful about what links they click and what files they open. If people better understood the risks and were more careful, such attacks would be less successful.

    Your phone is a tracking/eavesdropping device because it continually broadcasts your position and ID to a vast unsecured network.

    This is true, to a certain extent, of all cell phones. If you don’t want to be on a cell phone network, and thus trackable, you shouldn’t get a cell phone at all.

    It’s generally not a good idea to shout “here I am!”, when you’re surrounded by predators. Even with all precautions taken you remain vulnerable, only relatively less so than others.

    Vulnerable to what? Someone who wants to randomly listen in on cellular conversations in the nearby area? I’m willing to take that risk, which is one that every single cellular phone user takes.

    I use a “dumb” phone for a reason: unlike the most popular smartphones I can take the battery out.

    I can’t imagine a reason for that other than a) criminal behavior or b) cheating on a spouse. If I find myself in one of those situations, I’ll buy a burner and leave my Nexus at home. Until then…

  42. James in LA says:

    @john personna: Meshnets will begin by using the existing wireless spectrum. The local clouds will grow to a critical mass where the pathways through them outnumber any attempt to block them. Because the conversations are encrypted, snoopers will see data passing but won’t know where it came from, what it contains, or where it is headed.

    In the beginning, you would download an “app” that performs these functions. Later, much smarter smart phones will do it as part of their construction.

    From the standpoint of an outside observer, nothing will change, so it will be difficult to know something is “wrong” before it is far, far too late. You would have to set up jamming devices, and then we’d be on our way to China and Iran.

    ISP’s won’t go away, any more than broadcast TV has departed. Both will remain redundant and largely for the easily offended.

    That critical mass will arrive in the form of state-to-state meshes by 2020. It’s already here on the coasts. And all you have to do is unbox that new fridge…

  43. john personna says:

    @James in LA:

    So basically you are offering your assurance that use of unused spectrum will transition to wider use of allocated spectrum? Because “they can’t stop it?” That’s a little Sci-Fi for me, and indeed I’ve read just that story from the cyberpunks.

    I mean, it would be fine with me, but I see it difficult to make such assurances.

    I mean, equally we could all be using PGP for privacy now, right? Because “they can’t stop us?”

  44. Ben Wolf says:

    @mantis: Of course: anyone who doesn’t want government eavesdropping on them is a criminal or just a bad person. We all know that.

    It’s just so darned easy to make broad judgements against groups of people, how can you resist?

  45. mantis says:

    @Ben Wolf:

    Of course: anyone who doesn’t want government eavesdropping on them is a criminal or just a bad person.

    I didn’t say that. I said I can’t think of a reason to need to take the battery out of my phone unless I was engaging in activities where I thought government might have an interest in surveilling (or, I wanted to make sure my activity couldn’t be subpoenaed in a divorce proceeding). That doesn’t mean other people might have their own reasons, and I did not suggest otherwise.

    It’s just so darned easy to make broad judgements against groups of people, how can you resist?

    Well I didn’t actually do that. But it’s just so darned easy to invent strawman arguments, how can you resist?

  46. Mikey says:

    @mantis: Were you at Megacon this week?

  47. James in LA says:

    @john personna: First, it’s already happening. The government is focused on catching “torrents” and such but hackers long ago moved away from these technologies. Like them or not, “cyperpunks” have always led the way. Always. And that is not going to stop, slurs aside.

    You mentioned PGP… strong encryption has been with us for decades, yet no email programs or document managers have easy strong encryption built into them, despite most the big titles being well into double digits regarding their versions. Neither software companies nor government have any interest in strong encryption. It’s bad for the oppression bidness.

    Meshnets are going to change all this and move the control back toward the user.

    If it happens with secure encrypted connections, how do you, the ISP or govt, know what to shut off?

    If it happens through one of any of 10’s of thousands of possible pathways, including my new stove and my neighbor’s new fridge, each part of your message taking a different route, how do you know what to shut off?

    How is any “additional spectrum” required? I can set up a 4G hotspot with my non-carrier phone. An ISP or Govt would have to deploy jamming tech that would cripple the whole to stop it.

    It is coming. The demand for it is sky-high, growing larger with each attempt to further turn clickers of mice into criminals.

  48. mantis says:

    @Mikey:

    Were you at Megacon this week?

    Imposter!

  49. john personna says:

    @James in LA:

    Can you give us any measure of mesh net “call volume?”

    I mean, if it is happening, that would b e one way to show it.