It’s been just over a month since The Guardian broke the story about the National Security Agency’s (NSA) massive data collection program known as PRISM. The fervor has not died down and additional revelations about how the program works and similar systems existing in other countries have only stoked the flames
That anger has culminated in both “Restore the Fourth” rallies across the U.S., outrange online and a great deal of mockery as people turn to humor to best express their feelings. The nation, and indeed the world, has also turned its attention to the flight of Edward Snowden, the NSA contractor who originally leaked information about the program to the media.
But in the midst of the anger, lawsuits and questions, a larger conversation is taking place, one that revolves around privacy online, how much information we put out about ourselves on the Web and who has access to it.
That is because, while the Internet has certainly made our lives more convenient, it has also made them more trackable. In our bid to communicate better and easier, we put out so much information about ourselves, both intentionally and unintentionally, that the discovery of the NSA’s program may be as much a moment of reevaluation of our own practices as well as our government.
After all, for the government to collect the information it does, someone else has to have it first and the government is not the only entity with a vested interest in tracking you and monitoring your activities.
Staying Private in a Very Public Place
If the Internet were a physical place, it would easily be the most public place that has ever existed. It’s a place where, theoretically, your every action is visible to the entire world, akin to the Roman forum but on a global scale.
However, we’ve tried to carve out private areas in that very public place. Our private emails, our private chats, even our private phone calls, etc. For the most part, we’ve done a good job keeping other members of the public at bay. For example, I can’t trivially access your emails without first gaining unauthorized (and illegal) access to your account.
But it’s easy to forget that all parts of the Internet, the public and the private, travel across the same infrastructure and pass through the same companies’ hands.
Though your data might be safe from your family and friends, it’s not safe from those who have access to the infrastructure upon which the Internet is built. This includes the companies, government agencies and even individuals who can save and look at that data.
On some level, we have long known this. Few, for example, would send a personal email over their corporate servers because they know the company has access to it. However, that actually applies to all of the Internet. After all, someone owns every connection, whether it’s a private company a non-profit organization or a government agency.
In short, every step the data you send online takes, someone owns the line it is carried on and, while historically that has not been a serious problem, as the NSA scandal shows, it can easily become one.
Unfortunately, there’s a temptation at moments like this to seek quick fixes, such as using widespread encryption or avoiding key services. However, those fixes aren’t going to solve the problem.
Though encryption can certainly help if it’s done well, it leaves many holes behind.
For one, there’s at least some reason to believe that the NSA (or another agency) may still be able to access your data even if SSL encryption is used as subpoenaing and accessing the private key used may still be possible.
But even if they can’t, most encryption schemes are aimed at protecting the content of a message, not the metadata around it. Much like a letter in a sealed envelope, postal workers can still see who sent it and where it’s going, even if they can’t see what is being said.
In many cases, that’s more than enough to get seemingly private information on someone. In fact, much of the controversy surrounding the NSA has involved metadata alone, including the metadata of phone calls, which shows just how valuable that information is.
However, the biggest hurdle to encryption has always been that it isn’t widely used. Even simple encryption methods, such as SSL, are not widely used because they create overhead, create extra costs and add a layer of complexity (no matter how small). Time and time again on the Internet, we’ve seen that individuals are willing to trade security for more convenience.
A technical solution won’t work unless everyone, or nearly everyone, is on board. There’s so much entropy built up into the way things are online that trying to change behavior on a massive scale is nearly impossible. So even if a technical solution comes along that is able to address all of these issues, its chances at broad adoption are fairly low.
Clearly, technical solutions alone aren’t going to fix it, though it’s unlikely that a legal solution is on the horizon either.
A Difficult Evaluation
Though the pushback against PRISM and the related programs is strong, it’s unclear what impact they will have in the long run. But even if they are successful at getting every government and every agency to stop collecting and sifting through data, governments are not the only ones interested in collecting information on you. Advertisers, marketers and private companies are just as eager to know everything they can.
We already know that Gmail, for example, parses your email to deliver targeted ads and various companies work to track you across the Web. AT&T is looking to follow in the footsteps of other cell phone companies and start selling your (anonymized) information including approximate location, browsing history and app usage (unless you opt out). Finally, Facebook is rolling out its controversial Graph Search to all users, giving others on the site increased access to you information unless you change your privacy settings.
Clearly the NSA is not the only organization we have to worry about when it comes to our privacy. While the NSA’s activities certainly are a breach of trust as they come from our government, every day we trust our data to companies and organizations who have interests that are counter to our own.
The problem is that information you send via the Internet, whether it’s an email, a blog post, or a chat message, travels large geographic distances, passes through countless miles of cable, possibly dozens of routers and through countless networks. You have no way of fully knowing what path it took, what machines it passed through and who has access to those machines.
In short, as a user of the Internet, what going on behind the scenes is opaque to you and though tools can help you glimpse, there’s no easy way to learn the full truth.
Among the many valid questions the NSA scandal brings to mind, it should also serve as a reminder just how vulnerable we are online. In an era where we have GPS receivers in our pockets at all times, where every communication is logged and everything takes place over an infrastructure we have no oversight over, we are at risk.
Just as we need to address the immediate issues before us, we need to think about the larger picture as well. We have gotten too comfortable with the Internet and the false sense of privacy that comes with it.
This isn’t to say that we deserve to be spied upon because we use the Internet or that we’re fools for trusting the technology. Rather, it’s a simple acknowledgement that the problem is bigger than the NSA, Apple, Google, Facebook, Microsoft or any other single organization.
People are right to be angry, but that anger will only do so much good if the larger problem isn’t addressed, as difficult as it may be.