They Know You're Reading This
It’s been more than one year after Edward Snowden leaked documents revealing broad government surveillance, and most Americans are no longer surprised to hear that their online activity can easily be monitored. Revelations about surveillance are no longer front-page news. But what are the practical ramifications and consequences of living in a surveillance-saturated society? The people who grapple with that question in this feature represent different interests and backgrounds: they come from disciplines as divergent as law, media, technological development, and politics. They by turns liken the current surveillance system to an organic assemblage, an Orwellian network, and a manipulative amusement park. They examine corporate surveillance, government surveillance, and the increasingly blurred line between the two. They argue variously that surveillance negatively impacts tech company profits, confidence in the government, the ability of the individual to develop fully, and fundamental human rights.
These students, professors, and practitioners offer diverse responses to the question of what it means to live in a surveillant society. Common to all of these responses, however, is a belief that surveillance as it exists now is a troubling phenomenon, and one that requires thorough examination and thoughtful response.
The following interviews were conducted by Sophie Wilkowske, CC'17 and CPR senior editor.
Interview: Ethan Zuckerman (MIT)
SW: What are some ways that average Internet users are being surveilled that they might not know about?
EZ: So, almost every webpage we’re encountering these days, and certainly any webpage that hosts advertising, is storing information about our visit, and it’s essentially reporting to a third-party server that is compiling the other websites that we’ve been to. This might just be a way of getting what people call psychographic information about us—here are the sort of sites that we look at. But sometimes, sites have a way of turning this into demographic information. If I’m reading ESPN and Reddit, I’m probably male, and between 18 and 25. Sometimes they can do it explicitly, by seeing that you went to this social networking site, you logged on with this identity, and they can link those identities together. I suspect that most web users know that a network like Facebook is reading their emails, reading their posts, and then is targeting ads to them. But I think that most people don’t know about this third-party aspect, where simply surfing the web is probably creating a trace. There’s unfortunately even more sinister things out there. There’s this system called “browser fingerprinting,” where these websites are trying to identify the very specific configuration of the web browser that you’re using. And it turns out that there are enough variables in how your web browser is set up—what fonts you have in your system, what plugins you have—that it’s almost as unique as a fingerprint, and it may turn into an individually identifiable space.
What’s happened is the commercial web as we know it is now about as far as one could imagine from an anonymous space. My colleague Matt Stempeck was just pointing out to me that this isn’t just a theoretical threat, it isn’t just a blurring of the boundaries. It’s actually a practical threat. One of the things we learned in the NSA revelations was that the NSA was requisitioning ad network tracking information, to find out who was reading what websites. So this notion of the surveillant assemblage, that I’m trying to promote here, is that it doesn’t have to be the NSA guy with his headphones on, listening in on your phone calls… It may be the combination of all the different commercial databases revealing information about who you are and what your habits are.
SW: Could you talk more about this idea of the “surveillant assemblage”?
EZ: I’m new to the paper, but it’s published by at the University of Alberta, who are wicked smart (Kevin D. Haggarty and Richard V. Ericson, “The surveillant assemblage”). They basically argue that the ways we think about surveillance aren’t actually very adequate for the modern age—that this notion of Orwellian surveillance, where some personal informant is watching you for though crime, doesn’t parallel us very well, and that this Foucauldian notion of the panopticon, a much more sophisticated model of surveillance, still doesn’t actually work very well. Because surveillance here isn’t trying to discipline you, it isn’t trying to change your behavior. All it’s really trying to do is have as accurate a data double of you as possible, to have this sort of data-body that it can act on, which is as close as possible to a shadow of you. And so, the trick with that model of surveillance is that anything that observes you can become part of that system. We didn’t even get in to some of the spooky stuff about smart cities. New York announced yesterday that they’re planning on turning all of these payphones into open Wi-Fi hotspots. Yay, open Wi-Fi! But of course, the model that they’re going to use to support the free open Wi-Fi is targeted advertising, and it would not at all be surprising to see them doing things like storing the MAC address, the unique hardware address of your phone, as you pass by. You end up with a profile that may not know you by name, but sure as hell knows that you attend Columbia, that you live ten blocks away in Morningside Heights, and that you frequent this particular establishment in this particular neighborhood.
SW: A lot of people, as you’ve mentioned before, are not at all surprised by surveillance revelations, because surveillance through various corporate measures has become normalized. Do you think there’s a compelling reason they should be worried about it anyways?
EZ: So, my argument, to the extent that I’m trying to make it in this talk, is that the danger is that corporate surveillance immunizes us to other forms of surveillance. I think, what I sort of expected to happen with the Snowden revelations was people saying, “Yeah, absolutely, I knew that corporations were doing this, but I can’t believe the government is doing this with taxpayer oversight!” And what I’ve been trying to figure out is why there hasn’t been that shocked response. There has been in some quarters—in the quarters that I hang out in, people are really outraged. But it hasn’t turned into a widespread popular movement. One argument is that people who are twenty years younger than I am, who literally grew up through twenty years of this technology emerging and becoming more surveillant, may just simply have a different sense of surveillance than I do. I still have, somewhere in the back of my head, this sense that the Net’s supposed to be anonymous, and that while it’s trying at every turn to become less anonymous, I should be able to sort of carve out and protect myself. If your first experience of the Net was Facebook, where the first thing you do is show up with your real name, as opposed to my first experience with the Net, which were MOOs and Usenet, where the important thing was to come up with a cool handle that no one would know was you, that’s a really different picture of how this space works. And what I’m a little worried about is that I do think that we may have trained a generation of people who’ve grown up on a surveilled Net to expect that form of surveillance in public space.
SW: Finally, what sort of alternative vision of governance do you see as a solution? Is a more regulated Internet, like what Brazil and Germany are working on, the right direction?
EZ: So here are two or three things that I think we could do. I think the first thing you need is an alternative business model. I think finding ways for important civic institutions like the Guardian to support themselves other than surveillant advertising is key. And I think it’s some combination of, unfortunately, the paywall subscription, voluntary donation, if there are ways to do micropayments that are less surveillant, perhaps… But most methods of micropayment are incredibly surveillant. BitCoin is a perfect surveillance mechanism, which is really awkward because it’s loved by anonymity types. As long as you can keep it clear from your real identity it’s secure, but it actually is a perfect transactional record, which makes it an amazing surveillant system. But I think the first thing we have to get, is we need plausible, non-surveillant business model alternatives.
The second thing we need is regulation. We actually need to sort of look at this space and say, “Yes, it’s amazing that you can fingerprint my browser, and figure out exactly who I am based on how I logged onto Facebook. You shouldn’t do that. And in fact, we’re going to make it legally complicated for you to do that.” I think that would be a very smart thing to start building into these systems. It would be really nice if we started seeing surveillant-resistant alternatives. Some of those are going to be sites like Pinboard, which says, “I’m going let you keep bookmarks, I’m not going to advertise to you, I’m not going to keep personal data on you. I am going to charge you five bucks when you sign up for the service, but I’m going to build a new business model and demonstrate that it’s possible as an alternative.” Because you can imagine a Google making Gmail available for fifty bucks a year, and encrypting everything on the drive and not targeting to you, and that would be a great way to go.
I don’t have a ton of faith that Brazil and Germany are somehow going to magically come up with this. I actually think it’s going to be a combination of bottom-up changes, coming from competitive companies in this space, coming from initiatives of these companies. One of the things that actually makes me really optimistic is that there are people inside these companies who woke up in the wake of the NSA and are trying to do the right thing. Google is trying to get Gmail to work with PGP. And they’re now pitching to companies saying, “Yeah, we don’t want your plaintext emails on our servers, we want it encrypted end-to-end, and we want to make it really easy for you to do it.” Facebook—Facebook!—just announced that they’re working with Tor, to make Facebook available via Tor. That’s frickin’ amazing! So that actually leaves me feeling somewhat hopeful that we will see some good stuff happening.
Interview: Bernard Harcourt (Columbia Law)
SW: Should the average citizen be concerned about surveillance? Why or why not?
BH: Yes. I think that’s an easy yes. Most of us don’t even realize the pervasive extent to which we are surveilled, both by commercial entities and by our own and other governments. When you put together all of the different forms of surveillance that are taking place right now, most people would be shocked to know how transparent they are. The question is, why be concerned? I would categorize the response under three general headings. The first is that there is a collapse of the boundary between commerce and government surveillance, between the sphere of the state and of society. That collapsing, which is reflected by fact that so much of government surveillance feeds off of commercial surveillance, is dangerous in a number of ways. It’s problematic first because we have traditionally tried to use the separation of state and society as a way to protect individuals, and to allow them to pursue their own life projects. As the differences collapse, it’s less easy to create spaces for individuals to develop on their own. Also, as those spheres collapse, they become all the more powerful. They become practically invincible, daunting in their combined strength. When commercial enterprises work with government surveillance and govern themselves through their own forms of surveillance, you get to a point where the individual has practically no ability to resist the forces that are effectively governing them. In many of the documents that were revealed by Edward Snowden, we’ve seen large corporations like Microsoft working hand-in-hand with the F.B.I. or the National Security Agency, in order to give the intelligence services greater access to personal data through the ordinary software that we use, like Outlook e-mail or the SkyDrive storage.
The second is that, as we start to feel more and more surveilled, we start to lose parts of our self. There’s a term that sociologists and other critical thinkers used to use, about the way in which surveillance technologies produce subjects, shape subjects, and can have effects on the self. I’m thinking of Erving Goffman, for instance, in his book, Asylums, who described the way in which an institution like an asylum or a prison or a convent or a monastery or a boarding school can shape our subjective beings. Goffman described it in terms of the “mortification of the self”: the idea being that these institutions had, as part of their mission, the objective of mortifying the self. The prison is a good example: part of the acculturation, part of becoming a prisoner, is losing part of your identity. I think that pervasive surveillance, by all of the institutions that we interact with, has the same effect of mortifying the self.
The third is that digital surveillance has a punitive dimension to it. As a result, our ordinary digital existence is becoming, more and more, similar to a form of electronic monitoring, more and more like a form of punishment, really. That is very troubling.
SW: Were you surprised by the amount of shock that followed the Snowden revelations?
BH: I’m surprised that there has been such a general acceptance of our new society of surveillance. What’s interesting about a lot of these forms of surveillance is that they work best when they’re not known, or when they’re not at the forefront of our consciousness. For example, the marketing that uses information that’s been captured from people on the Internet, those technologies function better when the individuals don’t realize they’re being targeted on the basis of surveillance. This makes it strange that we would let ourselves forget about the surveillance.
We should know this from media cycles: topics “trend” in the media, and on the Internet, and then disappear as a result of other topics trending. What’s strange is that we so easily let the news fade into the past, that it only surfaces once in a while with a big disclosure and then passes. What’s odd about this is that you would think, knowing what we know about how surveillance works, that there would be greater vigilance on our part, that we would resist more the forgetting of what we know. That’s what I find most puzzling. It makes us, in a way, complicit with surveillance—which we certainly are, first and foremost because we are giving so much of our information so freely, so voluntarily.
This raises the dual dimension of our complicity. Not only are we complicit because we take such little precaution in trying to protect our information. Most of us use Gmail, even though we know it’s one of the most intrusive and surveilling technologies. So on the one hand, there’s this complicity because it’s easy, it seems cheap, or inexpensive, or even free, and it’s efficient, and you can get it done in a second and you don’t have to worry about getting bills… And then there’s the other complicity, which is that we are so easily distracted into forgetting that we’re being surveilled. That seems even more puzzling to me.
SW: How do you see the distinction between corporate and government surveillance? Is there a distinction? Is one more important than the other?
BH: I think we’ve been historically conditioned to fear government surveillance because of the government’s power to punish, and to be less suspicious and cautious or careful about commercial surveillance, because we tend to associate commercial surveillance with advertising and consumption. We tend not to mind being the target of advertising as much as we tend to mind being the target of punishment. I would say that the distinction is important because it has the effect of lowering our vigilance in the face of commercial surveillance, which ultimately becomes government surveillance when the intelligence agencies get access—as they do pretty freely—to the commercial information regarding our personal data. The distinction is important because it feels today as if the intelligence services have figured out our weakness, which is to allow all kinds of surveillance and targeting in the consumer context, and can use that in the personal realm to gain the kind of information that would be hard to get from a conventional government informant system.
SW: How do you visualize the current system of surveillance? Is there a good parallel to the way that surveillance happens?
BH: I have in my mind this idea that the architecture of surveillance resembles an amusement park, or a theme park, that is trying to maximize flows of consumption by getting people to buy, visit, spend as much as possible through very deliberate forms of queuing and merchandizing and maximizing flows of people through certain spaces—by getting them to give up their personal information through consumption. This space is all about buying things, using your credit card, giving your email away, trying to get a discount, using a frequent buyer card… all of which renders you transparent to commercial interests.
The architecture may be that of the duty-free luxury shops at the airport. I don’t know if you’ve noticed, but in a lot of airports now, the high-end duty-free consumption—the wine and cheese and candy and perfume—they’ve created it as a space that you have to go through in order to get to your gate. It used to be that there were stores on the side, but now, physically, you have to walk through this space that is managed to maximize the seduction of these objects so that you will consume and in the process, give away your data, reveal your desires, render yourself transparent. Those duty-free shops make me think of digital surveillance, as a place that manipulates our own pleasures.
SW: You’ve spoken a lot about punishment as a product of surveillance. How does surveillance intersect with crime, and with punishment?
BH: I’d say that there are a number of ways in which the surveillance issues intersect with punishment issues. The first has to do with the way in which security or law enforcement are turning more and more to social media to surveil suspects and entrap them. The second has to do with this convergence that I mentioned earlier, the convergence on the one hand of living a digitally surveilled life—an ordinary surveilled life—and on the other hand of living an electronically monitored life. It feels as if, more and more, those two forms of existence are starting to resemble each other. On the punishment side, because of cost-cutting measures and because of economic instability and budget deficits, a lot of states are having to consider alternatives to physical incarceration and are turning to forms of digital monitoring. But what’s surprising to me is the extent to which those forms of digital monitoring resemble our ordinary lives, in the sense of being tracked by GPS or being located or having one’s emails read or having everything about our behavior known. That convergence raises the specter that digital surveillance might substitute for forms of punishment, in the sense that if we are completely exposed and tracked and followed, it’s almost as if there might not be a need to physically punish us. We know what people are doing, we know what their behaviors are. You are being followed.
Now, this may sound futuristic, but of course if one could then control behaviors better, knowing what all of our behaviors are, then it seems as if we could digitally monitor and digitally control, suppress, et cetera, behaviors. Then there would no longer be any need for conventional forms of punishment.
SW: Do you think that there is necessarily a trade-off between security and privacy?
BH: I would say that’s a false dilemma. I tend to think that it is too simple, too obvious to be really true. I tend to think that in the crime and punishment context, we always tend to view everything through a simplistic lens of “due process versus security,” which is the very same lens through which we look at these questions of “privacy versus security.” The mission of the new Columbia Center for Contemporary Critical Thought is precisely to question those dominant, common-sensical, overly simplistic ways of thinking—those shared belief systems that hide so much.
Security is an artifact of how people feel about their political surroundings and their life expectations, and those may not be related, in the conventional way we think they are, to privacy. In other words, lack of privacy or transparency, or the fact that you can’t have secrets, is generally thought of as the “trade-off” necessary to enhance security, when in fact there might not be a correlation between the two. It could be that having a full, autonomous, private self that is fulfilled would do a lot more toward creating a secure environment.
Peter Prak (CUCR)
The NSA scandal from last year outraged many about the extent of government surveillance of the American people. The revealed fact that the National Security Agency has been collecting information on all phone calls inside and into the U.S. through the major carriers shocked us, and angered us quite appropriately. However, now that the revelation and associated outrage have passed, it is time to assess the damage and see what can be done about it.
There are several reasons why government surveillance is dangerous. Of course, violation of the law (i.e. The Fourth Amendment’s restrictions on searches) is itself troubling. Unfortunately, mere violation of the law by officials is not rare enough to concern us.
It seems that there are three dangers stemming from government surveillance. The first is that it gives the government great ability to enforce unjust and intrusive laws. The second is that it gives the government access to personal information which could, for example, be embarrassing if exposed on the whim of the surveillance official. The third is that it permits a particular abuse of government power: selective enforcement of minor laws.
The first danger is one that anyone who has studied history will be concerned about. Given, however, that which laws are just and which unjust comprises the majority of political debate in its entirety, it is more significant that it makes the nation hair-trigger for the execution of blatantly unconstitutional policies and regime changes.
The second danger is one limitedly posed by metadata collection, since whom one calls and for how long can only be minimally embarrassing. However, phone calls to exes or strangers are known to be signs of, for example, marital infidelity, and so de-personalizing such data for low-level contractors is imperative to prevent a perverse incentive to snoop.
The third danger should be what most concerns us in modern America. Harvey Silverglate, in his book “Three Felonies a Day,” estimates that the average person commits 3 crimes per day due to inevitable legal ignorance. If officials can catch all minor crimes, their whims alone will determine punishment. It is one thing to use secret data collection to thwart terrorists – it is quite different (and much more Orwellian) to use it to stop someone from scalping sports tickets.
The president has said on multiple occasions that such NSA spying has prevented dozens of terrorist attacks. This, if true, means that we cannot afford to simply discontinue it. Given its obvious dangers however, increasing oversight through reform of the secret FISA court is necessary – a court with no accountability is not a court at all. Such steps must be taken to ensure we continue to live in an America that is both safe and free.
Rasmi Elasmar (Application Development Initiative)
The NSA’s mass surveillance programs are an abuse of government power on a scale never before practiced. Without a warrant, the NSA collects private data about every aspect of our lives through our smartphones and computers. The program has destroyed trust in US tech companies. Some companies like Google are implementing more advanced encryption by default to protect user data from mass surveillance, because it’s better to trust in the math of encryption than it is to trust a reckless government agency. Tech company profits aside, the program has destroyed trust in our own government. The Bill of Rights protects against warrantless searches, and the NSA’s collection of our personal data is in direct violation of the Fourth Amendment. The precedent must be set that our digital information is just as private as any other possession we own that requires a warrant to be searched. Our rights are slowly being dissolved before our eyes, and although the technological solutions to this problem will be put into place to protect our data as discontent over the programs grows, political solutions are the only way we can actually regain any trust in our government.
Allison Schlissel (Roosevelt Institute)
Private companies collecting consumer data is nothing new. However, contemporary data collection is much more comprehensive and potentially invasive. One possible policy solution is to mandate consumer consent.
Digital data collection and aggregation is useful for marketing purposes because it provides low-cost, easy methods to access consumer information. However, the potential risks for consumers include the loss of privacy and the misuse of personal information. There are companies that specialize in this business. For example, Axicom, one of the largest database brokerage companies, creates profiles based on over 1,500 data points, including education, type of car, and stock portfolio. In turn, these data points are supposed to help predict consumer behavior, and are then sold to other companies. Although these data collection companies can help in regards to personalizing the smartphone experience, they can also be pernicious forces. For example, there is an ongoing congressional investigation involving nine big data companies, in light of a scandal that one database brokerage company, Experian, sold sensitive consumer information to an identity theft service in Vietnam.
The trends indicate that there will be more privacy legislation in the future. The United States’ response has been in favor of private company self-regulation to balance consumer needs with business needs for information. The most recent legislation in this policy area has a narrow focus, with the last truly comprehensive bill being the Electronics Communication Privacy Act (ECPA) of 1986. The ECPA is not sufficient because it mostly pertains to government surveillance, largely excluding private companies, and has further loopholes. For example, there is more regulation for devices containing wires than wireless devices, which leaves smartphone users vulnerable.
The Geolocation Privacy and Surveillance (GPS) Act, currently in Congress, attempts to fix definitional issues that would help close the loopholes of the ECPA. Although an important first step, the bill again covers mostly to government surveillance.
One moderate step towards protecting consumer privacy is through promoting consumer awareness. This awareness rests upon the assumption that companies give consumers clear and easily accessible information of what they are collecting and the implications of using that data. Senator Franken recently proposed a bill that would require consent before collecting geolocation data. Although not a complete solution, it could pave the way to more transparent communication between consumers and private companies.
Although digital data collection is a convenient way for private companies to collect data, it has the potential of putting consumers at risk by exposing their sensitive data. The current legislation, though outdated, has the potential for improvement with the possible passage of the GPS Act and additional safeguards. It is possible to strike a balance between the evolving needs of private companies and the rights of consumers.