“Who Watches The Watchers?”: The Government Wouldn’t Be Able To Accumulate Data On Citizens If Companies Weren’t Collecting It
Yesterday, President Obama for the first time publicly addressed the controversies surrounding the National Security Agency’s Internet snooping, noting that there’s an important discussion to be had about the balance between security and liberty in a free country. “I welcome this debate,” he said.
I wonder, though, whether this debate is too narrowly drawn: Is the nub of the problem too much government surveillance or too much surveillance, period? After all, the government wouldn’t be able to so easily accumulate all this data on private citizens if private companies weren’t collecting it first.
In case you live under a rock, the kerfuffle involves a pair of National Security Agency programs. In one the agency spent years collecting the nation’s phone records – who called whom when and from where. In the other, codenamed PRISM, it has reportedly mined data – emails, chats and photographs, for example – of ostensibly foreign targets from prominent Internet providers like Microsoft, Yahoo, Google, Facebook, AOL and Apple, to name a few. (For their part, these companies have issued various types of denials regarding their cooperation in the program.)
But as I said, the government surveillance, which is deeply unsettling, raises a larger question about corporate surveillance. Amie Stepanovich of the Electronic Privacy Information Center points out that none of the information in question would be sharable if Internet and telecommunications companies encrypted it to protect privacy. In other words, it’s not a given that corporations must collect vast amounts of information from and about us. But failing to do so wouldn’t be good for business.
Somebody’s watching you. As security technologist Bruce Schneier has written, “The Internet is a surveillance state.” The mere act of visiting websites means you’re being tracked whether you’re aware of it or not. “Click tracking is a huge source of personal data that most people aren’t aware is being collected,” says Stephen Wicker, a Cornell University professor and author of the forthcoming “Cellular Convergence and the Death of Privacy.” He adds that “sites that you would think are relatively benign are actually hosting third party click trackers that take this data and then resell it.”
Indeed, earlier this year The Atlantic’s Alexis Madrigal dug into the world of Internet tracking and discovered 105 companies that had tracked him in a 36-hour period of normal Web surfing. “Every move you make on the Internet is worth some tiny amount to someone, and a panoply of companies want to make sure that no step along your Internet journey goes unmonetized,” he wrote. (Full – or at least partial – disclosure: I do not know whether and to what extent usnews.com employs click trackers.)
Or consider the big data kid on the block: Google. Many people probably view the company as a search engine, or a map provider, or a mobile phone company or a cloud repository for documents. What Google is, in fact, is a data collection company: It collects data on you 15 ways to Sunday, sorts it, chops it up and sells it. And as Robert Epstein pointed out on this site in May, it’s not just when you’re using the Google search engine or Gmail (though it is assuredly the case then).
The Internet behemoth is collecting information on you whether you know it or not and whether you’re using its products or not. Using Safari or Firefox? Both web browsers, Epstein wrote, use Google’s blacklist, “an ever-changing list of about 600,000 websites that Google’s bots have identified – sometimes mistakenly – as dangerous. No government agency or industry association ever gave Google the authority to maintain such a list, but it exists, and Firefox uses it.” So does Safari. If you’re visiting a website that uses Google analytics (and most major sites do) or is serviced by Google ads or has Google maps embedded in it then Google, as Epstein writes, has gotcha.
But Google’s the “Don’t be evil” company, right? (After all, they’ve just gotten Vince Vaughn and Owen Wilson to star in a two-hour movie-cum-commercial.) And don’t all major social media platforms have privacy policies to protect consumers? Maybe. But in the last few years Google, Facebook and MySpace (remember that site?) have reached settlements with the Federal Trade Commission for charges related to how they handled users’ personal and private data.
The spy in your pocket. And that doesn’t even get into the personal, portable surveillance tools practically everyone in the country voluntarily carries around with them: mobile phones and other wireless devices. Pew Research reported this week that for the first time a majority of Americans own a smart phone of some kind, while fully 91 percent of the adult population now owns some flavor of cell phone. (The wireless industry lobbying group CTIA reports that wireless devices have now reached 102 percent penetration in the U.S. and its territories, which means that the machines now outnumber the people.)
And if you’re using your mobile phone, you’re being tracked. “I don’t think people realize they’re revealing their location to their carrier just by using their device,” says Ashkan Soltani, an independent privacy researcher and consultant. A 2011 investigation by the Wall Street Journal (on which Soltani consulted) found that Apple and Android smart phones routinely send location information, including information about local Wi-Fi networks, back to Apple and Google. Separately, the Journal reported in 2011, Apple’s iPhone collected and stored location data even when users had turned off “location services” – which is to say when they thought they had opted out of being tracked.
Why? This information is a potential treasure trove for these companies. From the Journal:
Google and Apple are gathering location information as part of their race to build massive databases capable of pinpointing people’s locations via their cellphones. These databases could help them tap the $2.9 billion market for location-based services – expected to rise to $8.3 billion in 2014, according to research firm Gartner, Inc.
Google uses this information to help show on its maps where automobile traffic is especially heavy or light. Verizon sells aggregate location data to advertisers, according to Soltani, so they can know where to place billboards. The wireless companies’ viewpoint, according to Soltani, is “we got this information for free, let’s use it for this other use-case, which is the marketing data.”
And there are a lot of companies trying to get a piece of this financial pie. In another story, the Journal surveyed 101 popular iPhone and Android apps and found that “56 transmitted the phone’s unique device ID to other companies without users’ awareness or consent. Forty-seven apps transmitted the phone’s location in some way. Five sent age, gender and other personal details to outsiders.” As Soltani told a Senate subcommittee in 2011, “applications can access and transmit data which includes text messages, emails, phone numbers, contacts stored and even browser history stored on the device.”
So if you woke yourself up this morning with an alarm clock app on your phone, the instant it went off, says Soltani, not only did it transmit noise to your ears but location data back to people you don’t know. “There are times where there are 50 or 100 third parties – companies that you’ve never had a relationship with – who are able to monitor your … activities,” he says.
Not big on apps? Consider your next visit to the local mall. Carriers and other companies are installing sensors around shopping malls, Soltani says, allowing them to track where people are lingering, what’s popular and what’s not, analytics that then go to the mall.
Perverse incentive. All of this creates what Soltani calls a “perverse incentive that creates this worst case scenario for consumers.” Companies have an incentive to collect and keep user data; and that trove proves an irresistible target for the government in its ongoing war on terrorists.
Which brings us back to the current uproar over the NSA’s data collection and data mining. The outrage is justified, as is the broader concern about how the cult of secrecy has infected and distorted the government. But there is something somewhat comforting to the notion that government agencies are ultimately responsible to the voters, even if that process has become calcified and overly complex.
But the surveillance state is built upon its corporate counterpart. And who watches those watchers?
By: Robert Schlesinger, U. S. News and World Report, June 8, 2013
“Non-Factual Facts”: Washington Post Hedges Claim That Google, Facebook, Gave The Government Direct Access To Their Servers
Yesterday, the Washington Post reported a shocking story about how the FBI and National Security Agency had partnered with Google, Facebook, and many other tech companies to spy on the tech companies’ hundreds of millions of users.
The government agencies, the Post said, were “tapping directly into the central servers of nine leading U.S. Internet companies, extracting audio, video, photographs, e-mails, documents and connection logs that enable analysts to track a person’s movements and contacts over time.”
This surveillance program, the Post reported, had been “knowingly” facilitated by the tech companies, which had allowed the government to tap directly into their central servers.
The Post story described a “career intelligence officer” as being so horrified by the power and privacy intrusion of this surveillance system that the officer was helping to leak the news to expose it.
“They quite literally can watch your ideas form as you type,” the officer reportedly told the Post.
Not surprisingly, the Post’s story created an instant explosion of outrage. The ire was directed at both the government and the technology companies.
The story also led to immediate, explicit denials from the technology companies. Google, Facebook, and Yahoo all said that the government did not have “direct access” to any servers. Apple said it had never even heard of the program it was supposedly partnering with.
So The Post’s claim that the companies had voluntarily given the government direct, open, un-monitored access to their servers quickly seemed suspect.
And now, 24 hours later, after more denials and questions, the Post has made at least two important changes to its spying story.
First, the Post has eliminated the assertion that the technology companies “knowingly” participated in the government spying program.
Second, and more importantly, the Post has hedged its assertion that the companies have granted the government direct access to their servers.
The latter change is subtle, but important. In the first version of its story, the Post stated as a fact that the government had been given direct access to the companies’ servers.
Now, the Post attributes the claim to a government presentation–a document that has been subjected to significant scrutiny and skepticism over the past day and that, in this respect, at least, seems inaccurate.
In other words, the Post appears to have essentially retracted the most startling and important part of its story: That the country’s largest technology companies have voluntarily given the government direct access to their central servers so the government can spy on the tech companies’ users in real time.
Specifically, here’s how the Washington Post story has changed…
Here’s the original first paragraph:
The National Security Agency and the FBI are tapping directly into the central servers of nine leading U.S. Internet companies, extracting audio, video, photographs, e-mails, documents and connection logs that enable analysts to track a person’s movements and contacts over time.
Here’s the updated paragraph (our emphasis):
The National Security Agency and the FBI are tapping directly into the central servers of nine leading U.S. Internet companies, extracting audio and video chats, photographs, e-mails, documents, and connection logs that enable analysts to track foreign targets, according to a top-secret document obtained by The Washington Post.
That change is important. The direct-access claim changes from a fact asserted by the Washington Post to a claim made in a document the Washington Post has seen–a document that might be wrong.
The idea that Google, Facebook, Apple, et al, had voluntarily given the government direct unfettered access to their servers always seemed far-fetched.
This behavior would justifiably trigger the wrath of the companies’ hundreds of millions of users worldwide and exacerbate already existing concerns that these companies routinely trample all over their users’ privacy.
Furthermore, the government’s assertions that its spying programs are directed primarily at foreigners, not US citizens, would not be viewed as comforting to Google, Facebook, et al.
Why not?
Because the vast majority of the users of these companies’ services are foreigners.
If the international users of Facebook, Google, et al, were to feel that the companies were opening their data centers in this way, the international users might revolt. So it’s hard to imagine that these companies would just voluntarily open their servers to the U.S. government (or, for that matter, any other government).
The Washington Post also broke the news about the existence of the vast government program Internet spying called PRISM, which other outlets have since confirmed. And the story illustrated how extensively the government uses Internet communications in its intelligence efforts and how important these communications are to national security.
But, a day after the Post story appeared, it seems likely that the following claims are wrong or at least need major qualification:
- that the NSA and FBI are “tapping directly into the central servers” of Facebook, Google, et al, and,
- that the government can “quite literally watch your ideas form as you type.”
By: Henry Blodget, Business Insider, June 7, 2013
“Paranoid Concerns”: Making A Mountain Out Of A Digital Molehill
The revelations this week that the federal government has been scooping up records of telephone calls inside the United States for seven years, and secretly collecting information from Internet companies on foreigners overseas for nearly six years, have elicited predictable outrage from liberals and civil libertarians.
Is the United States no better than those governed by repressive dictators who have no regard for individual rights? Could President Obama credibly raise human rights issues with his Chinese counterpart, Xi Jinping, at a summit meeting on Friday, if America is running its own vast surveillance state? Has Mr. Obama, for all his talk of ending the “war on terror,” taken data mining to new levels unimagined by his predecessor, George W. Bush?
Hold it just a minute.
From what has been made public, we know that the F.B.I., under the Obama administration, used its powers under the Patriot Act to seek these records; that judges with the Foreign Intelligence Surveillance Court approved these searches; and that members of Congress with oversight powers over the intelligence community were briefed about the searches. Some of them, like Senators Mark Udall, Democrat of Colorado, and Ron Wyden, Democrat of Oregon, were uncomfortable with the scope of the data gathering and made their disapproval public, even though secrecy rules prohibited them from being more specific about their concerns, until now.
It is evident, then, that all three branches of government were involved in the records search afoot at the telecommunications carriers and Internet companies. Section 215 of the Patriot Act, which Congress passed after 9/11, governed the executive branch’s search authority. Oversight committees were kept in the loop, as Senator Dianne Feinstein, the California Democrat who leads the Senate Intelligence Committee, has confirmed. And the authorizations were approved by life-tenured federal judges who are sworn to uphold the Constitution, including the Fourth Amendment, which prohibits unreasonable searches and seizures. On the surface, our system of checks and balances seems to be working.
We cannot rule out the possibility that the voluminous records obtained by the government might, some day, be illegally misused. But there is no evidence so far that that has occurred.
First, no contents of phone conversations are being provided to the government. Indeed, the Patriot Act precludes provision of call contents.
Second, the two senators who complained in public, Mr. Wyden and Mr. Udall, apparently were in a minority on the committee. Otherwise, the bipartisan committee could have held hearings, either in closed or open session, to seek further details and prepare legislation to limit the F.B.I.’s data-gathering powers.
Third, unlike you and me, federal judges on the surveillance court, established in 1978, reviewed the government’s request for information and the reasons provided to support the request. We do know that the search requests have required periodic renewal. And we know that, for reasons the judges thought sufficient, the contents of the order were sealed, with special mention that it was not to be available to foreign entities. Judge Roger Vinson, who signed the July order extending the requirement that Verizon furnish phone logs, struck a balance: he put a time limit on the data-gathering, to ensure executive accountability, but also issued a secrecy order, to protect national security.
But shouldn’t I be concerned that F.B.I. agents are trampling my rights, just like the I.R.S. might have trampled the rights of certain organizations seeking tax-exempt status? As it turns out, the answer is no. The raw “metadata” requested will not be directly seen by any F.B.I. agent.
Rather, a computer will sort through the millions of calls and isolate a very small number for further scrutiny. Perhaps one of the numbers was called by one of the Tsarnaev brothers before the Boston Marathon bombings. Or perhaps a call was placed by a Verizon customer to a known operative of Al Qaeda. The Supreme Court long ago authorized law enforcement agencies to obtain call logs — albeit on paper rather than from a computer database — without full probable cause to believe a crime had been committed.
To listen to the contents of any particular call or to place a wiretap on a particular phone, the F.B.I. would have to go back to a judge for a more detailed order, this time showing probable cause sufficient to meet stringent Fourth Amendment standards. Otherwise, the evidence from the call could not be used to prosecute the caller or call recipient. Privacy rights, in short, have been minimally intruded upon for national security protections.
Finally, let’s consider the alternative some activist groups and media organizations seek: more narrowly tailored gathering of records, and full transparency after the fact about what kinds of records have been obtained. There are obvious problems with this approach. Let’s say the judicial order leaked to The Guardian this week had specified the phone numbers about which the F.B.I. had concerns. Releasing those numbers would surely have tipped off the people using those numbers, or their associates, and caused them to change their mode of communicating. Already, there is a real probability that individuals planning terrorist activities are using channels of communication that will not show up in the databases of service providers. If the order revealed more expansively the standards the F.B.I. used to seek broad sets of records, again those seeking to avoid detection for terrorism-related activities could simply change their methods of doing business.
In short, I think I will take my chances and trust the three branches of government involved in the Verizon request to look out for my interest. Privacy advocates, civil libertarians, small-government activists and liberal media organizations are, of course, are welcome to continue working to keep them honest. But I will move back to my daily activities, free from paranoid concerns that my government is spying on me.
By: Charles Shanor, Op-Ed Contributor, The New York Times, June 7, 2013
Share This Blog
Unknown Feed- An error has occurred; the feed is probably down. Try again later.
mykeystrokes.com 