Dragnet Nation: A Quest for Privacy, Security, and Freedom in a World of Relentless Surveillance - Hardcover

1

Hacked

Who is watching you?

This was once a question asked only by kings, presidents, and public figures trying to dodge the paparazzi and criminals trying to evade the law. The rest of us had few occasions to worry about being tracked.

But today the anxious question—"who’s watching?"—is relevant to everyone regardless of his or her fame or criminal persuasion. Any of us can be watched at almost any time, whether it is by a Google Street View car taking a picture of our house, or an advertiser following us as we browse the Web, or the National Security Agency logging our phone calls.

Dragnets that scoop up information indiscriminately about everyone in their path used to be rare; police had to set up roadblocks, or retailers had to install and monitor video cameras. But technology has enabled a new era of supercharged dragnets that can gather vast amounts of personal data with little human effort. These dragnets are extending into ever more private corners of the world.

Consider the relationship of Sharon Gill and Bilal Ahmed, close friends who met on a private online social network called PatientLikeMe.com.

Sharon and Bilal couldn’t be more different. Sharon is a forty-two-year-old single mother who lives in a small town in southern Arkansas. She ekes out a living trolling for treasures at yard sales and selling them at a flea market. Bilal Ahmed, thirty-six years old, is a single, Rutgers-educated man who lives in a penthouse in Sydney, Australia. He runs a chain of convenience stores.

Although they have never met in person, they became close friends on a password-protected online forum for patients struggling with mental health issues. Sharon was trying to wean herself from antidepressant medications. Bilal had just lost his mother and was suffering from anxiety and depression.

From their far corners of the world, they were able to cheer each other up in their darkest hours. Sharon turned to Bilal because she felt she couldn’t confide in her closest relatives and neighbors. "I live in a small town," Sharon told me. "I don’t want to be judged on this mental illness."

But in 2010, Sharon and Bilal were horrified to discover they were being watched on their private social network.

It started with a break-in. On May 7, 2010, PatientsLikeMe noticed unusual activity on the "mood" forum where Sharon and Bilal hung out. A new member of the site, using sophisticated software, was attempting to "scrape," or copy, every single message off PatientsLikeMe’s private online "Mood" and "Multiple Sclerosis" forums.

PatientsLikeMe managed to block and identify the intruder: it was the Nielsen Company, the New York media-research firm. Nielsen monitors online "buzz" for its clients, including major drug makers. On May 18, PatientsLikeMe sent a cease-and-desist letter to Nielsen and notified its members of the break-in. (Nielsen later said it would no longer break into private forums. "It’s something that we decided is not acceptable," said Dave Hudson, the head of the Nielsen unit involved.)

But there was a twist. PatientsLikeMe used the opportunity to inform members of the fine print they may not have noticed when they signed up. The website was also selling data about its members to pharmaceutical and other companies.

The news was a double betrayal for Sharon and Bilal. Not only had an intruder been monitoring them, but so was the very place that they considered to be a safe space. It was as if someone filmed an Alcoholics Anonymous meeting and AA was mad because that film competed with its own business of videotaping meetings and selling the tapes. "I felt totally violated," Bilal said.

Even worse, none of it was necessarily illegal. Nielsen was operating in a gray area of the law even as it violated the terms of service at PatientsLikeMe, but those terms are not always legally enforceable. And it was entirely legal for PatientsLikeMe to disclose to its members in its fine print that it would sweep up all their information and sell it.

This is the tragic flaw of "privacy" in the digital age. Privacy is often defined as freedom from unauthorized intrusion. But many of the things that feel like privacy violations are "authorized" in some fine print somewhere.

And yet, in many ways, we have not yet fully consented to these authorized intrusions. Even if it is legal for companies to scoop up information about people’s mental health, is it socially acceptable?

Eavesdropping on Sharon and Bilal’s conversations might be socially acceptable if they were drug dealers under court-approved surveillance. But is sweeping up their conversations as part of a huge dragnet to monitor online "buzz" socially acceptable?

Dragnets that indiscriminately sweep up personal data fall squarely into the gray area between what is legal and what is socially acceptable.

●

We are living in a Dragnet Nation—a world of indiscriminate tracking where institutions are stockpiling data about individuals at an unprecedented pace. The rise of indiscriminate tracking is powered by the same forces that have brought us the technology we love so much—powerful computing on our desktops, laptops, tablets, and smartphones.

Before computers were commonplace, it was expensive and difficult to track individuals. Governments kept records only of occasions, such as birth, marriage, property ownership, and death. Companies kept records when a customer bought something and filled out a warranty card or joined a loyalty club. But technology has made it cheap and easy for institutions of all kinds to keep records about almost every moment of our lives.

Consider just a few facts that have enabled the transformation. Computer processing power has doubled roughly every two years since the 1970s, enabling computers that were once the size of entire rooms to fit into a pants pocket. And recently, the cost to store data has plummeted from $18.95 for one gigabyte in 2005 to $1.68 in 2012. It is expected to cost under a dollar in a few years.

The combination of massive computing power, smaller and smaller devices, and cheap storage has enabled a huge increase in indiscriminate tracking of personal data. The trackers are not all intruders, like Nielsen. The trackers also include many of the institutions that are supposed to be on our side, such as the government and the companies with which we do business.

Of course, the largest of the dragnets appear to be those operated by the U.S. government. In addition to its scooping up vast amounts of foreign communications, the National Security Agency is also scooping up Americans’ phone calling records and Internet traffic, according to documents revealed in 2013 by the former NSA contractor Edward Snowden.

But the NSA is not alone (although it may be the most effective) in operating dragnets. Governments around the world—from Afghanistan to Zimbabwe—are snapping up surveillance technology, ranging from "massive intercept" equipment to tools that let them remotely hack into people’s phones and computers. Even local and state governments in the United States are snapping up surveillance technology ranging from drones to automated license plate readers that allow them to keep tabs on citizens’ movements in ways never before possible. Local police are increasingly tracking people using signals emitted by their cell phones.

Meanwhile, commercial dragnets are blossoming. AT&T and Verizon are selling information about the location of their cell phone customers, albeit without identifying them by name. Mall owners have started using technology to track shoppers based on the signals emitted by the cell phones in their pockets. Retailers such as Whole Foods have used digital signs that are actually facial recognition scanners. Some car dealerships are using a service from Dataium that lets them know which cars you have browsed online, if you have given them your e-mail address, before you arrive on the dealership lot.

Online, hundreds of advertisers and data brokers are watching as you browse the Web. Looking up "blood sugar" could tag you as a possible diabetic by companies that profile people based on their medical condition and then provide drug companies and insurers access to that information. Searching for a bra could trigger an instant bidding war among lingerie advertisers at one of the many online auction houses.

And new tracking technologies are just around the corner: companies are building facial recognition technology into phones and cameras, technology to monitor your location is being embedded into vehicles, wireless "smart" meters that gauge the power usage of your home are being developed, and Google has developed Glass, tiny cameras embedded in eyeglasses that allow people to take photos and videos without lifting a finger.

●

Skeptics say: What’s wrong with all of our data being collected by unseen watchers? Who is being harmed?

Admittedly, it can be difficult to demonstrate personal harm from a data breach. If Sharon or Bilal is denied a job or insurance, they may never know which piece of data caused the denial. People placed on the no-fly list are never informed about the data that contributed to the decision.

But, on a larger scale, the answer is simple: troves of personal data can and will be abused.

Consider one of the oldest and supposedly innocuous dragnets of all: the U.S. Census. The confidentiality of personal information collected by the census is protected by law, and yet census data have been repeatedly abused. During World War I, it was used to locate draft violators. During World War II, the Census Bureau provided the names and addresses of Japanese-American residents to the U.S. Secret Service. The information was used to round up Japanese residents and place them in internment camps. It was not until 2000 that the Census Bureau issued a formal apology for its behavior. And in 2002 and 2003, the Census Bureau provided statistical information about Arab-Americans to the Department of Homeland Security. After bad publicity, it revised its policies to require that top officials approve requests from other agencies for sensitive information such as race, ethnicity, religion, political affiliation, and sexual orientation.

The United States is not alone in abusing population statistics. Australia used population registration data to force the migration of aboriginal people at the turn of the twentieth century. In South Africa, the census was a key instrument of the state’s "apartheid" system of racial segregation. During the Rwandan genocide of 1994, Tutsi victims were targeted with the help of ID cards that indicated their ethnicity. During the Holocaust, France, Poland, the Netherlands, Norway, and Germany used population data to locate Jews for extermination.

Personal data are often abused for political reasons. One of the most infamous cases was a program called COINTELPRO run by the Federal Bureau of Investigation in the late 1960s. The FBI’s director, J. Edgar Hoover, set up the secret program to spy on "subversives" and then used the information to try to discredit and demoralize them. The FBI went as far as to send Martin Luther King Jr. a tape recording from surveillance of his hotel room that was meant to cause King to get separated from his wife—along with a note that King interpreted as a threat to release the recording unless King committed suicide.

Criminal hackers have also found that using personal data is the best way to breach an institution’s defenses. Consider how Chinese hackers penetrated the sophisticated computer security pioneer RSA. The hackers trolled social media websites to obtain information about individual employees. They then sent those employees an e-mail titled "2011 Recruitment Plan." The e-mail looked legitimate enough that one employee retrieved it from the junk mail folder and opened it. That file installed spyware on the individual’s machine, and from there the attackers gained remote control of multiple computers in the organization.

In short, they hacked people, not institutions.

Hacking people is not just for criminals. Marketers are following us around the Web in the hopes that they can obtain information that will let them "hack" us into buying their products. The NSA is scooping up all of our phone calls to establish patterns that it believes will let authorities "hack" a terrorist cell.

Here are some of the ways you may be already being hacked:

     • You can always be found.
     • You can be watched in your own home—or in the bathroom.
     • You can no longer keep a secret.
     • You can be impersonated.
     • You can be trapped in a "hall of mirrors."
     • You can be financially manipulated.
     • You can be placed in a police lineup.

This is not a comprehensive list. Rather, it is a snapshot in time of real-life events that are happening right now. In the future, we will likely read this list and laugh at all the things I failed to envision.

You can always be found.

Your name, address, and other identifying details—even the location of your cell phone at any given time—are all stored in various databases that you cannot view or control. Stalkers and rogue employees have consistently found ways to abuse these databases.

In 1999, a deranged man named Liam Youens paid an online data broker called Docusearch to find the social security number, employment information, and home address of a woman he was obsessed with, Amy Boyer. A few days later, Youens drove to Boyer’s workplace and fatally shot her as she left work. He then shot and killed himself.

Boyer’s family sued the data broker, but the New Hampshire Supreme Court held that while the data broker had a duty to "exercise reasonable care" when selling personal data, it was also true that because information such as a work address "is readily observable by members of the public, the address cannot be private."

Boyer’s parents got very little: in 2004, they settled with Docusearch for $85,000, having grown weary of years of legal battles. Docusearch is still in business and its website still advertises services including "reverse phone number search," "license plate # search," "find SSN by name," and "hidden bank account search."

Since then, the price of buying people’s addresses has fallen from the nearly $200 that Youens paid to as low as 95 cents for a full report on an individual. Cyber-stalking cases have become so common that they rarely make news.

Consider just one example. In 2010, a Sacramento sheriff’s deputy, Chu Vue, was convicted of murder after his brothers shot to death Steve Lo, who was having an affair with Vue’s wife. During the trial it came out that Vue had searched law enforcement databases for Lo’s name, had asked a colleague to look up Lo’s license plate, and had searched for Lo’s address using an online phone lookup service. Vue was sentenced to life without parole.

Even the most innocent data—such as airline travel records—can be abused. In 2007, a Commerce Department employee, Benjamin Robinson, was indicted for unlawfully accessing, more than 163 times, the government database that contains international airline travel reservati...