The Future (17 page)

The extreme convenience offered by Internet websites leads many users to feel that incremental losses of privacy are a small price to pay. The very fact that I can find virtually every business in Nashville, Tennessee, where I live, and virtually every business anywhere in the United States (and in almost any other country) is almost, well, magical. This is a tangible illustration of what economists call the network effect—by which they mean that the value of any network,
especially the Internet, increases exponentially as more people connect to it. Indeed, according to Metcalfe’s Law, an equation proposed by one of the early pioneers of the network, Robert Metcalfe, the inherent value of any network
actually increases as the
square
of the number of people who connect to it.

Similarly, the convenience provided by online navigational software—like Google’s Street View—makes it easy to ignore the misgivings some have about having the picture and location of their homes displayed on the Internet. (Google’s apparent collection of large amounts of information from unencrypted WiFi networks in the homes and businesses it photographed—which it says was inadvertent—is a continuing source of controversy in several countries.)

Many take comfort in the fact that hundreds of millions of others are facing the same risks. So how bad could it be? Most people are simply unaware of the nature and extent of the files being compiled on them. And for those who do become aware—and concerned—they quickly find out that there is no way that they can choose not to have their every move on the Internet tracked. The written privacy policies on websites are typically far too long, vague, and complicated to understand, and the
options for changing settings that some sites offer are too complex and difficult.

There is abundant evidence that the general expectations of privacy are at wide variance with the new reality of online tracking of people connected to the Internet, and adequate legal protections have not caught up with Internet usage. In some countries, including the United States, Internet users can choose to no longer have advertising based on the
tracking delivered to them.
But users who try to opt out of the tracking itself are presently unable to do so. The protections that supposedly provide a “do not track” option are essentially useless,
due to persistent lobbying pressure from the advertising industry. Even when people try to opt out, the tracking continues for a simple reason: there is an enormous amount of money to be made from collecting all of the information about what everyone does on the Internet. Every click is worth a minuscule fraction of a penny,
but there are so many clicks that billions of dollars are at stake each year.

The Wall Street Journal
has published a lengthy series of investigative articles on the way cookies
report information about a user’s online activities. Everyone who clicks on Dictionary.com automatically has 234 cookies installed on his or her computer or smartphone, 223 of which collect and report information
about the user’s online activity to advertisers and others who purchase the data.

The cumulative impact of pervasive data tracking may yet produce a backlash. The word most frequently used by users of the Internet to describe the pervasiveness of online tracking is “creepy.” Although the companies that track people’s use of the Internet often say that the user’s name is not attached to the file that is assembled and constantly updated, experts say there is little difficulty in
matching individual computer numbers with the name, address, and telephone numbers of each person.

As computer processing has grown steadily faster, cheaper, and more powerful, some companies and governments have begun using an even more invasive technology known as Deep Packet Inspection (DPI), which collects “packets” of data sent to separate routers and reassembles them to reconstitute the original messages sent, and to pick out particular words and phrases in packets in order to flag them for closer examination and reconstitution. Tim Berners-Lee, the inventor of the World Wide Web,
has spoken out against the use of DPI and has described it as a grave threat to the privacy of Internet users.

In one of the most publicized examples of the exposure of private data via computer, the roommate of a gay student at Rutgers was found guilty of using a webcam to share views of his roommate engaging in intimate acts (
tragically, the gay student committed suicide soon after).

Some sites, including Facebook, use facial recognition software to automatically
tag people when they appear in photos on the site. Voice recognition software is also
now used by many sites to identify people when they speak. These audio files are often used to enhance the ability of the software to learn the accent and diction of each user in order to
improve the accuracy with which the machine interprets successive verbal communications. In order to protect the user’s privacy, some companies erase the audio files after a few weeks. Others, however, keep every utterance on file forever. Similarly, many software programs and apps use location-tracking programs in order to enhance the convenience with
which information can be delivered with relevance to the user’s location. An estimated
25,000 U.S. citizens are also victims of “GPS stalking” each year.

But all such information—websites visited, items within each website perused, geographic location day by day and minute by minute, recordings of questions users ask, pictures of the individuals wherever and whenever they may appear on websites, purchases and credit card activity, social media posts, and voluminous archival data in accessible government databases—when combined, can constitute an encyclopedic narrative of a person’s life, including details and patterns that most would not want to be compiled. Max Schrems, a twenty-five-year-old Austrian law student, used the European Union’s data protection law to request all the data collected about him on Facebook, and received a CD with more than
1,200 pages of information, most of which he thought he had deleted. The case is still pending.

Even when Internet users are not connected to a social media site and have not accepted cookies from commercial websites, they sometimes suffer invasions of privacy from private hackers and cybercriminals who use techniques such as phishing—which employs enticing email messages (sometimes mimicking the names and addresses chosen from a user’s contact list) in order to trick people into clicking on an attachment that contains surreptitious programs
designed to steal information from the user’s computer or mobile device. The new crime known as identity theft is, in part, a consequence of
all the private information about individuals now accessible on the Internet.

Through the use of these and other techniques, cyberthieves have launched attacks against Sony, Citigroup, American Express, Discover Financial, Global Payments, Stratfor, AT&T, and Fidelity Investments, all of
which have reported large losses as a result of cybercrime. (Sony lost $171 million.) The Ponemon Institute estimated in 2011 that the average
digital data breach costs organizations
more than $7.2 million, with the cost increasing each year. Yet another computer security company, Norton, calculated that the annual cost of cybercrime on a global basis is $388 billion—“
more than the annual global market for marijuana, cocaine, and heroin combined.” Numerous other online businesses have also been penetrated, including
LinkedIn,
eHarmony, and
Google’s Gmail. In the fall of 2012, a simultaneous cyberattack on
Bank of America, JPMorgan Chase, Citigroup, U.S. Bank, Wells Fargo, and PNC prevented customers from gaining access to their accounts or using them to make payments.

The obvious and pressing need for more effective protections against cybercrime, and especially the need to protect U.S. companies against the grave cybersecurity threats they are facing from China, Russia, Iran, and elsewhere, have been married to the post-9/11 fears of another terrorist attack as a combined justification for new proposals that many fear could fundamentally alter the right of American citizens—and those in other nations that value freedom—to be protected against unreasonable searches, seizures, and surveillance by their own government.

There is reason for concern that the biggest long-term problem with cybersecurity is the use of voluminous data files and online surveillance technologies to alter the relationship between government and the governed along lines that too closely resemble the Big Brother dystopia conjured by George Orwell more than sixty years ago. The United Kingdom, where Orwell published his novel, has proposed a new law that would allow the government to
store Internet and telephone communications by everyone in the country. It has
already installed 60,000 security cameras throughout the nation.

Many blithely dismiss the fear that the U.S. government could ever evolve into a surveillance state with powers that threaten the freedom of its citizens. More than sixty years ago, Supreme Court Justice Felix Frankfurter wrote, “The accretion of dangerous power does not come in a day. It does come, however slowly, from the generative force of unchecked disregard of the
restrictions that fence in even the most disinterested assertion of authority.”

One of the founders of reason-based analysis of data to arrive at wise decisions, Francis Bacon, is credited with the succinct expression of a biblical teaching: “
Knowledge is power.” The prevention of too much concentrated power in the hands of too few—through the division of
governmental powers into separate centers balanced against one another, including among them an independent judiciary—is one of the core principles on which all free self-governments are based. If knowledge is indeed a potent source of power, and if the executive and administrative centers of political power in governments have massive troves of information about every citizen’s thoughts, movements, and activities, then the survival of liberty may well be at risk.

As the first nation founded on principles that enshrined the dignity of individuals, the United States has in many ways been the most attentive to the protection of privacy and liberty against overbearing intrusions by the central government. And many in the United States have taken comfort in the knowledge that throughout its history, America has experienced a recurring cycle: periods of crisis when the government overreached its proper boundaries and violated the liberties of individuals—followed soon after by a period of regret and atonement, during which the excesses were remedied and the proper equilibrium between government and the individual was restored.

There are several reasons, however, to worry that the period of excess and intrusion that followed the understandable reaction to the terrorist attacks of September 11, 2001, may be a discontinuity in the historical pattern. First, after 9/11, according to another former National Security Agency employee, “basically all rules were thrown out the window, and they would use any excuse to justify a waiver to spy on Americans”—including exercising their
ability to eavesdrop on telephone calls as they were taking place. Former senior NSA official Thomas Drake said that the post-9/11 policy shift “
began to rapidly turn the United States of America into the equivalent of a foreign nation for dragnet blanket electronic surveillance.”

One former agency official estimates that since 9/11, the NSA
has intercepted “between 15 and 20 trillion” communications. The “war against terror” does not seem to have an end in sight. The spread of access by individuals and nonstate organizations to weapons of mass destruction has made the fear of deadly attack a fixture of American political life.
The formal state of emergency first established after September 11, 2001, was routinely extended yet again in 2012. The American Civil Liberties Union reported that a 2012 Freedom of Information inquiry showed a sharp increase in the number of Americans subjected to warrantless electronic surveillance by the Justice Department over the previous two years (even as formal requests for warrants declined). Chris Soghoian,
the principal technologist at the ACLU’s Speech, Privacy and Technology Project, said, “
I think there’s really something at a deep level creepy about the government looking through your communications records, and you never learn that they were doing it.”

Second, the aggregation of power in the executive branch—at the expense of the Congress—was accelerated by the emergence of the nuclear arms race following World War II. Now, the prevailing fear of another terrorist attack serves as a seemingly unassailable justification for the creation of government surveillance capabilities that would have been shocking to most Americans even a few years ago.

History teaches, however, that unchecked powers—once granted—may well be used in abusive ways when placed in the hands of less scrupulous leaders. When Presidents Woodrow Wilson and Richard Nixon engaged in abuses of civil liberties that shocked the nation’s conscience, new laws and protections were passed to protect against a recurrence of the abuses. Now, apparently, the threshold for what is required to shock the nation’s conscience has been raised because of fear. The U.S. Supreme Court ruled in 2012, for example, that police have the right to conduct strip searches, including the inspection of bodily orifices, for individuals who are suspected of offenses as trivial as an unpaid parking ticket or
riding a bicycle with a defective “audible bell” attached to the handlebars. George Orwell might have rejected such examples in his description of a police state’s powers for fear that they would not have seemed credible to the reader. (It is important to note, however, that the same Supreme Court ruled that it was unconstitutional for police departments to secretly attach electronic GPS tracking devices to the automobiles of citizens without a court-ordered warrant.)

In another chilling example of a new common government practice that would have sparked outrage in past years, customs agents are now allowed to extract and copy all digital information contained on an American citizen’s computer or
other digital device when he or she reenters the country from an international trip. Private emails, search histories, personal photographs, business records, and everything else contained in the computer’s files can be taken without any grounds for suspicion whatsoever. It is easy to understand how such searches are justified when the government has reason to believe that the traveler has been engaging in child pornography, for example, or has been meeting with a terrorist group in a foreign country. However, such searches are now placed in
the “routine” category,
and no reasonable cause for allowing the search is required. In one case, a documentary filmmaker raising questions about U.S. government policies was among those
whose digital information has been searched and seized without any showing of reasonable cause.