Authors: Bruce Schneier
CORPORATE SURVEILLANCE COSTS BUSINESS
It’s been almost an axiom that no one will pay for privacy. This generalization may
have been true once, but the attitudes are changing.
People are now much more cognizant of who has access to their data, and for years
there have been indications that they’re ready to pay for privacy. A 2000 study found
that US Internet spending would increase by $6 billion a year if customers felt their
privacy was being protected when they made purchases. And a 2007 study found that
customers were willing to pay more to have their privacy protected: $0.60 per $15
item. Post-Snowden, many companies are advertising protection from government surveillance.
Most companies don’t offer privacy as a market differentiating feature, but there
are exceptions. DuckDuckGo is a search engine whose business model revolves around
not tracking its users. Wickr offers encrypted messaging. Ello is a social network that
doesn’t track its users. These are nowhere near as big as their established competitors,
but they’re viable businesses. And new ones are opening up shop all the time.
We are seeing the rising importance of customer and user privacy in the increasing
number of corporations with chief privacy officers: senior executives responsible
for managing the legal and reputational risk of the personal data the corporation
holds. These executives have their own organization, the International Association
of Privacy Professionals, and are establishing rules and regulations even in the absence
of government impetus. They’re doing this because it’s good for business.
The most common misconception about privacy is that it’s about having something to
hide. “If you aren’t doing anything wrong, then you have nothing to hide,” the saying
goes, with the obvious implication that privacy only aids wrongdoers.
If you think about it, though, this makes no sense. We do nothing wrong when we make
love, go to the bathroom, or sing in the shower. We do nothing wrong when we search
for a job without telling our current employer. We do nothing wrong when we seek out
private places for reflection or conversation, when we choose not to talk about something
emotional or personal, when we use envelopes for our mail, or when we confide in a
friend and no one else.
Moreover, even those who say that don’t really believe it. In a 2009 interview, Google
CEO Eric Schmidt put it this way: “If you have something that you don’t want anyone
to know, maybe you shouldn’t be doing it in the first place.” But in 2005, Schmidt
banned employees from talking to reporters at CNET because a reporter disclosed personal
details about Schmidt in an article. Facebook’s Mark Zuckerberg declared in 2010 that
privacy is no longer a “social norm,” but bought the four houses abutting his Palo
Alto home to help ensure his own privacy.
There are few secrets we don’t tell someone, and we continue to believe something is
private even after we’ve told that person. We write intimate letters to lovers and
friends, talk to our doctors about things we wouldn’t tell anyone else, and say things
in business meetings we wouldn’t say in public. We use pseudonyms to separate our
professional selves from our personal selves, or to safely try out something new.
Facebook’s CEO Mark Zuckerberg showed a remarkable naïveté when he stated, “You have
one identity. The days of you having a different image for your work friends or co-workers
and for the other people you know are probably coming to an end pretty quickly. Having
two identities for yourself is an example of a lack of integrity.”
We’re not the same to everyone we know and meet. We act differently when we’re with
our families, our friends, our work colleagues, and so on. We have different table
manners at home and at a restaurant. We tell different stories to our children than
to our drinking buddies. It’s not necessarily that we’re lying, although sometimes
we do; it’s that we reveal different facets of ourselves to different people. This
is something innately human. Privacy is what allows us to act appropriately in whatever
setting we find ourselves. In the privacy of our home or bedroom, we can relax in
a way that we can’t when someone else is around.
Privacy is an inherent human right, and a requirement for maintaining the human condition
with dignity and respect. It is about choice, and having the power to control how
you present yourself to the world. Internet ethnographer danah boyd puts it this way:
“Privacy doesn’t just depend on agency; being able to achieve privacy is an expression
of agency.”
When we lose privacy, we lose control of how we present ourselves. We lose control
when something we say on Facebook to one group of people gets accidentally shared
with another, and we lose complete control when our data is collected by the government.
“How did he know that?” we ask. How did I lose control of who knows about my traumatic
childhood, my penchant for tasteless humor, or my vacation to the Dominican Republic?
You may know this feeling: you felt it when your mother friended you on Facebook,
or on any other social networking site that used to be just you and your friends.
Privacy violations are intrusions.
There’s a strong physiological basis for privacy. Biologist Peter Watts makes the
point that a desire for privacy is innate: mammals in particular don’t respond well
to surveillance. We consider it a physical threat, because animals in the
natural world are surveilled by predators. Surveillance makes us feel like prey, just
as it makes the surveillors act like predators.
Psychologists, sociologists, philosophers, novelists, and technologists have all written
about the effects of constant surveillance, or even just the perception of constant
surveillance. Studies show that we are less healthy, both physically and emotionally.
We have feelings of low self-esteem, depression, and anxiety. Surveillance strips
us of our dignity. It threatens our very selves as individuals. It’s a dehumanizing
tactic employed in prisons and detention camps around the world.
Violations of privacy are not all equal. Context matters. There’s a difference between
a Transportation Security Administration (TSA) officer finding porn in your suitcase
and your spouse finding it. There’s a difference between the police learning about
your drug use and your friends learning about it. And violations of privacy aren’t
all equally damaging. Those of us in marginal socioeconomic situations—and marginalized
racial, political, ethnic, and religious groups—are affected more. Those of us in
powerful positions who are subject to people’s continued approval are affected more.
The lives of some of us depend on privacy.
Our privacy is under assault from constant surveillance. Understanding how this occurs
is critical to understanding what’s at stake.
THE EPHEMERAL
Through most of history, our interactions and conversations have been ephemeral. It’s
the way we naturally think about conversation. Exceptions were rare enough to be noteworthy:
a preserved diary, a stenographer transcribing a courtroom proceeding, a political
candidate making a recorded speech.
This has changed. Companies have fewer face-to-face meetings. Friends socialize online.
My wife and I have intimate conversations by text message. We all behave as if these
conversations were ephemeral, but they’re not. They’re saved in ways we have no control
over.
On-the-record conversations are hard to delete. Oliver North learned this way back
in 1987, when messages he thought he had deleted turned out to have been saved by
the White House PROFS Notes system, an early
form of e-mail. Bill Gates learned this a decade later, when his conversational e-mails
were provided to opposing counsel as part of Microsoft’s antitrust litigation discovery
process. And over 100 female celebrities learned it in 2014, when intimate self-portraits—some
supposedly deleted—were stolen from their iCloud accounts and shared further and wider
than they had ever intended.
It’s harder and harder to be ephemeral. Voice conversation is largely still unrecorded,
but how long will that last? Retail store surveillance systems register our presence,
even if we are doing nothing but browsing and even if we pay for everything in cash.
Some bars record the IDs of everyone who enters. I can’t even buy a glass of wine
on an airplane with cash anymore. Pervasive life recorders will make this much worse.
Science fiction writer Charles Stross described this as the end of prehistory. We
won’t forget anything, because we’ll always be able to retrieve it from some computer’s
memory. This is new to our species, and will be a boon to both future historians and
those of us in the present who want better data for self-assessment and reflection.
Having everything recorded and permanently available will change us both individually
and as a society. Our perceptions and memories aren’t nearly as sharp as we think
they are. We fail to notice things, even important things. We misremember, even things
we are sure we recall correctly. We forget important things we were certain we never
would. People who keep diaries know this; old entries can read as if they were written
by someone else. I have already noticed how having a record of all of my e-mail going
back two decades makes a difference in how I think about my personal past.
One-fourth of American adults have criminal records. Even minor infractions can follow
people forever and have a huge impact on their lives—this is why many governments
have a process for expunging criminal records after some time has passed. Losing the
ephemeral means that everything you say and do will be associated with you forever.
Having conversations that disappear as soon as they occur is a social norm that allows
us to be more relaxed and comfortable, and to say things we might not say if a tape
recorder were running. Over the longer term, forgetting—and misremembering—is how
we process our history. Forgetting is an important enabler of forgiving. Individual
and social memory fades, and past hurts
become less sharp; this helps us forgive past wrongs. I’m not convinced that my marriage
would be improved by the ability to produce transcripts of old arguments. Losing the
ephemeral will be an enormous social and psychological change, and not one that I
think our society is prepared for.
ALGORITHMIC SURVEILLANCE
One of the common defenses of mass surveillance is that it’s being done by algorithms
and not people, so it doesn’t compromise our privacy. That’s just plain wrong.
The distinction between human and computer surveillance is politically important.
Ever since Snowden provided reporters with a trove of top-secret documents, we’ve
learned about all sorts of NSA word games. The word “collect” has a very special definition,
according to the Department of Defense. It doesn’t mean collect; it means that a person
looks at, or analyzes, the data. In 2013, Director of National Intelligence James
Clapper likened the NSA’s trove of accumulated data to a library. All those books
are stored on the shelves, but very few are actually read. “So the task for us in
the interest of preserving security and preserving civil liberties and privacy is
to be as precise as we possibly can be when we go in that library and look for the
books that we need to open up and actually read.”
Think of that friend of yours who has thousands of books in his house. According to
this ridiculous definition, the only books he can claim to have collected are the
ones he’s read.
This is why Clapper asserts he didn’t lie in a Senate hearing when he replied “no”
to the question “Does the NSA collect any type of data at all on millions or hundreds
of millions of Americans?” From the military’s perspective, it’s not surveillance
until a human being looks at the data, even if algorithms developed and implemented
by defense personnel or contractors have analyzed it many times over.
This isn’t the first time we’ve heard this argument. It was central to Google’s defense
of its context-sensitive advertising in the
early days of Gmail. Google’s computers examine each individual e-mail and insert
a content-related advertisement in the footer. But no human reads those Gmail messages,
only a computer. As one Google executive told me privately in the early days of Gmail,
“Worrying about a computer reading your e-mail is like worrying about your dog seeing
you naked.”
But it’s not, and the dog example demonstrates why. When you’re watched by a dog,
you’re not overly concerned, for three reasons. The dog can’t understand or process
what he’s seeing in the same way another person can. The dog won’t remember or base
future decisions on what he’s seeing in the same way another person can. And the dog
isn’t able to tell anyone—not a person or another dog—what he’s seeing.
When you’re watched by a computer, none of that dog analogy applies. The computer
is processing what it sees, and basing actions on it. You might be told that the computer
isn’t saving the data, but you have no assurance that that’s true. You might be told
that the computer won’t alert a person if it perceives something of interest, but
you can’t know whether that’s true. You have no way of confirming that no person will
perceive whatever decision the computer makes, and that you won’t be judged or discriminated
against on the basis of what the computer sees.
Moreover, when a computer stores your data, there’s always a risk of exposure. Privacy
policies could change tomorrow, permitting new use of old data without your express
consent. Some hacker or criminal could break in and steal your data. The organization
that has your data could use it in some new and public way, or sell it to another
organization. The FBI could serve a National Security Letter on the data owner. On
the other hand, there isn’t a court in the world that can get a description of you
naked from your dog.