Authors: Bruce Schneier
INCENT NEW BUSINESS MODELS
Surveillance became the business model of the Internet because it was the easiest
thing that made money and there were no rules regulating it. It has remained the business
model of the Internet because the costs are low, the potential gains are enormous,
and (at least in the US) there are still no rules regulating it.
By both regulating the collection and use of our data, and raising the costs of retaining
our data, we will naturally incent new business models that don’t rely on surveillance.
The technical capabilities already exist. There’s a lot of research on building privacy
into products and services from the start: privacy by design. Credit card companies
don’t have to track our every purchase in order to bill us and prevent fraud. Cell
phone providers don’t have to permanently record our locations in order to let us
make phone calls and send text messages. The Internet can be built with strong anonymity
protections. Electronic cash can be both secure and anonymous. All of these things
are possible; we just have to want them.
Admittedly, this will be a slow process. The companies that most extensively collect
our data believe in the potential for massive increases in advertising revenue. Internet
advertising might be a $125 billion business worldwide, but it’s still only 25% of
the advertising market. Companies like Google and Facebook have their eyes on the
advertising money spent on television (40%) and in newspapers and magazines (36%).
They have a lot of money invested in the value of big data—collecting everything and
then figuring out what to do with it later—and will not switch gears easily. Journalist
James Kunstler calls this the “psychology of previous investment,” and it’s why we
so often throw bad money after good. Admitting you’re wrong is hard, especially because
the cost of data collection and storage is so low.
In a market economy, if a company can’t figure out a profitable business model, others
that do will emerge. If we succeed in raising the cost of surveillance and data collection,
new businesses that don’t rely on it will rise up and take the place of the current
ones that do.
FIGHT GOVERNMENT SURVEILLANCE
So far, the most important effect of the Snowden revelations is that they have ruptured
the public-private surveillance partnership I discussed in Chapter 6. Pre-Snowden,
there was no downside for a company cooperating with the NSA. If the NSA asked you
to supply copies of all your Internet traffic, or to put backdoors into your security
software, you could assume that your assistance would forever remain secret. To be
fair, not everyone cooperated willingly. Some fought in court. But it seems that a
lot of them, government-regulated monopoly telcos and backbone providers especially,
were happy to give the NSA unfettered access to everything it demanded. It was easy,
and they did it all through the Cold War, and then immediately after 9/11, without
fuss.
This is changing. There is now business value in championing privacy and fighting
the NSA, and business harm in cooperation. There are basically four means by which
corporations can fight: transparency, technology, litigation, and lobbying.
Many computer companies—Yahoo, Google, Microsoft, and others—are now regularly publishing
“transparency reports,” giving us a general idea how many government data requests
the companies have received and how many they have complied with. It’s largely PR
motivated, to reassure us that only a very small percentage of users’ data is being
sent to the government. For example, in 2013 Google says it turned
over the Internet metadata of somewhere between 1 and 2,000 users, and the contents
of communications from between 18,000 and 20,000 users, to the US government. Those
ranges are regulated; the companies are not allowed to report exact numbers, although
many are pressing the government for the ability to reveal more precise information.
(Google already reports more precisely on requests from other governments around the
world.)
Even some of the telcos and cable companies are releasing transparency reports, starting
with CREDO Mobile in early 2014. These have less value. Verizon, for example, reports
that it received 320,000 “law enforcement demands” for data in 2013. We know that
every three months Verizon is served with a single National Security Letter that requires
it to turn over the metadata of all 290 million of its customers, so what does that
320,000 mean?
Some companies are trying to go further. In 2014, Apple announced that it would inform
individual users about all government demands for its data that it was not specifically
legally prohibited from disclosing. Microsoft and Google have teamed up to sue the
US government, demanding more transparency. Yahoo is doing the same.
Other companies are employing “warrant canaries” to try to get around legal gag orders.
Starting in 2013, Apple’s transparency reports contain this sentence: “Apple has never
received an order under Section 215 of the USA Patriot Act.” The idea is that if it
ever receives such an order it will be prohibited from disclosing it, but it could
remove the sentence as a signal to watchful readers. The courts have never ruled on
the legality of this practice, and I personally am skeptical that it would work, but
it’s a valiant and clever effort.
On the technology front, many companies are stepping up their use of encryption: of
their Internet connections with their users and customers, of their own networks,
and of their databases. After Google learned that the NSA was eavesdropping on its
trunk communications links between data centers, it encrypted those links. After Yahoo
learned that the NSA was eavesdropping on the web connections between its users and
Yahoo websites, both Yahoo and Microsoft (which assumed its users were being eavesdropped
on, too) began encrypting them. Several large e-mail providers are now encrypting
e-mail as it flows between their data centers. Other companies are doing more to encrypt
communications between them and their users and customers. Both iPhones and Android
phones are encrypted by default. Google is now offering end-to-end Gmail encryption,
although my guess is that it will be a little-used option because users won’t be able
to search and sort their e-mail if it remains encrypted.
In the courts, companies should litigate on their users’ behalf. They should demand
court orders for all access, and fight back against any court orders that seem overly
broad. Some of this is already going on. In 2008, Yahoo secretly fought the NSA in
court long and hard before being forced to join the PRISM program. In 2012, Twitter
unsuccessfully fought a
government demand to turn over information related to an Occupy Wall Street protester.
As of 2014, Facebook is fighting a court order to hand over 400 users’ private messages,
photos, and the like to a New York district attorney looking for evidence of Social
Security fraud.
Companies can do more to support litigation efforts. They should file amicus briefs
in any cases whose precedents affect them. In 2013, when the FBI demanded the master
key for all Lavabit users in an attempt to get at one person’s e-mail, none of the
big e-mail providers—Google, Microsoft, Yahoo, anyone—filed briefs in that case. Why
not? They need to recognize that we’re all in this together.
The Internet’s international nature again creates a complicated wrinkle in this. It’s
one thing for a corporation to comply with lawful requests for data from its own country,
but what about other countries? On four occasions in the early 2000s, Yahoo complied
with Chinese government requests for data about individual users that led to those
people’s arrest and imprisonment on charges of “subversion” and “divulging state secrets.”
Should Yahoo have done that? Does it make a difference if the repressive regime is,
like Saudi Arabia, on friendly terms with the US? Many US Internet companies argue
that they are not subject to the jurisdiction of countries in which they do not maintain
offices. A US company probably can’t resist Chinese law, but it probably can resist
those of smaller and less powerful countries. In a lot of ways, these companies can
choose which foreign laws they want to follow or not. They should choose to maximize
their users’ privacy.
In the halls of politics, corporations should use their political influence. Google,
Facebook, Microsoft, and others are actively lobbying for legislative restrictions
on how the US government conducts surveillance. This is good, but we need more. Often
the most persuasive arguments in Washington come from corporations concerned about
their bottom line.
It’s important not to make too much of all this. Corporate interests may temporarily
overlap with their users’ privacy interests, but they’re not permanently aligned.
For years, corporations fought any laws limiting their ability to collect and use
data. The EU has been trying to pass an updated and stricter data protection regulation,
but faces furious lobbying from US Internet companies that don’t want to stop data
collection. This
newfound backbone to stand up to the NSA is more about managing user perceptions than
about solving privacy problems. This is why we need strong regulations on corporations
as well.
A NEW MAGNA CARTA
Tim Berners-Lee, the inventor of the World Wide Web, has called for a new Magna Carta—one
that restricts the actions of both governments and corporations, and that imposes
responsibilities on information-age corporations rather than just rights. The historical
analogy is actually not that great, but the general idea is worth exploring. It’s
basically what I’m calling for in this book.
Recall Chapter 4, when I characterized the corporation–user relationship as feudal?
That’s because it’s ad hoc and one-sided: based on an end-user license agreement that’s
written in mind-numbing legalese and that the company can change at whim. Historical
feudalism was a lot like that; the lords had the power to force the peasants into
relationships whereby the lords possessed all the rights and were burdened with few
enforceable responsibilities. In medieval Europe, the rise of the centralized state
and the rule of law provided the flexibility that feudalism lacked. In 1215, the Magna
Carta became the first modern document enshrining the idea that the legitimacy of
a ruler comes from his subjects, and subjected the king to the rule of law. The document
first imposed responsibilities on kings with respect to the lesser lords, and over
time put society on the long road towards government of the people, by the people,
and for the people.
In the 1700s, when countries were beginning to recognize that their governing power
derived from all the people, the prevailing political philosophy was that of Thomas Hobbes, who argued
that the people sacrifice power and freedom to a benevolent sovereign, who in return
provides them with various services, including security. John Locke argued that this
relationship is unfair and unbalanced, and that governments derive their authority
from the “consent of the governed.” This notion fueled the English, French, and American
revolutions, and led to the French Declaration of the Rights of Man and the Citizen
and the US Bill of Rights.
In her book Consent of the Networked, journalist and digital rights advocate Rebecca MacKinnon makes this point: “No company
will ever be perfect—just as no sovereign will ever be perfect no matter how well
intentioned and virtuous a king, queen, or benevolent dictator might be. But that
is the point: right now our social contract with the digital sovereigns is at a primitive,
Hobbesian, royalist level. If we are lucky we get a good sovereign, and we pray that
his son or chosen successor is not evil. There is a reason most people no longer accept
that sort of sovereignty. It is time to upgrade the social contract over the governance
of our digital lives to a Lockean level, so that the management of our identities
and our access to information can more genuinely and sincerely reflect the consent
of the networked.”
Madrid Privacy Declaration (2009)
Civil Society takes the occasion of the 31st annual meeting of the International Conference
of Privacy and Data Protection Commissioners to:
1. Reaffirm support for a global framework of Fair Information Practices that places
obligations on those who collect and process personal information and gives rights
to those whose personal information is collected;
2. Reaffirm support for independent data protection authorities that make determinations,
in the context of a legal framework, transparently and without commercial advantage
or political influence;
3. Reaffirm support for genuine Privacy Enhancing Techniques that minimize or eliminate
the collection of personally identifiable information and for meaningful Privacy Impact
Assessments that require compliance with privacy standards;
4. Urge countries that have not ratified Council of Europe Convention 108 together
with the Protocol of 2001 to do so as expeditiously as possible;
5. Urge countries that have not yet established a comprehensive framework for privacy
protection and an independent data protection authority to do so as expeditiously
as possible;
6. Urge those countries that have established legal frameworks for privacy protection
to ensure effective implementation and enforcement, and to cooperate at the international
and regional level;
7. Urge countries to ensure that individuals are promptly notified when their personal
information is improperly disclosed or used in a manner inconsistent with its collection;
8. Recommend comprehensive research into the adequacy of techniques that deidentify
data to determine whether in practice such methods safeguard privacy and anonymity;
9. Call for a moratorium on the development or implementation of new systems of mass
surveillance, including facial recognition, whole body imaging, biometric identifiers,
and embedded RFID tags, subject to a full and transparent evaluation by independent
authorities and democratic debate; and
10. Call for the establishment of a new international framework for privacy protection,
with the full participation of civil society, that is based on the rule of law, respect
for fundamental human rights, and support for democratic institutions.