Digital Privacy

Threats and Protections in Today’s World

By Will Uhl

Digital communication has made the world a more interconnected place. Instant global communication has allowed for more international collaboration. But as digital communication becomes more centralized, government and corporate surveillance bleeds further into everyday life. Now, as world leaders make bolder legislation and multi-billion-dollar companies produce more invasive products, rights and convenience are clashing -— and there is more than personal privacy on the line.

For Fun and Profit

Social media has introduced another party to surveillance: technology corporations. Facebook is the obvious example; the company is infamous for the amount of information it collects about its users from their smartphones. Facebook has documented calls and texts made outside their apps, constantly recorded the phone’s geographic location, and deceived users into uploading the phone’s contact list. However, every popular social media giant is guilty of tracking more personal data than users realize, including Twitter and Tumblr. It’s their business model.

Social media sites make most of their profits from advertising, and being able to target advertisements to specific users is good business. As a result, Facebook tracks not just the location, age, gender, language, and education level of its users, but also categorizes users according to details as specific as “Users who are ‘heavy’ buyers of beer, wine, or spirits” and “Users whose household makes more purchases than is average.” The more data advertisers collect, the better they can target users.

In some cases, users don’t even have to be logged in for websites to track their information. Using a technique called browser fingerprinting, advertisers can piece together a logged-out user’s identity based on their computer. To quote the Electronic Frontier Foundation (EFF)’s example, “yours is likely the only browser on Central European time with cookies enabled that has exactly your set of system fonts, screen resolution, plugins, and graphics card.” By using browser fingerprinting and similar techniques, advertisers can piece together user identities from separate accounts. And when data harvesting companies start piecing together user information, the whole is greater than the sum of its parts. “If I collect information from different resources — different websites, different social media platforms —and put them together, we can infer almost everything about a particular user. Right now, there’s no policy or something to prevent that kind of privacy risk,” said Dr. Hai Phan, an assistant professor at the New Jersey Institute of Technology. His research, in part, focuses on data privacy on social media and medical social networks. “It’s not like one plus one equals two; one plus one equals everything.”

Because of this, users have less control over their own information than ever. The adage “the internet is forever” still rings true – anyone posting personal information online can generally assume it will stick around indefinitely. The steps required to delete a Facebook account are a perfect example of how reluctant companies are to forfeit user data. Prompts attempt to redirect users who want to deactivate their accounts (leaving their data with Facebook), and a mandatory two-week delay after confirming account deletion assumes that second-guessing users will change their minds. And users rarely, if ever, know how their data is being used. “There’s no guarantee or policies that the data they are selling is safe or the clients are notified,” said Phan. “There’s no formal metric to measure the risk there, so they’re just selling data.”

Outside of the United States, however, there are more legislative protections for users. In 2016, the European Union introduced the General Data Protection Regulation (GDPR). The acronym may seem familiar to anyone who remembers the flood of “updated privacy policy” emails around May 2018, when the GDPR started to be enforced. It introduced data privacy-focused rights, such as the “right to access,” which entitles users to learn if, how, and why their data is being used, and the “right to be forgotten,” which entitles users to erase their personal data and stop its use. Though imperfect, the GDPR was in many ways a win for consumer rights. For everyone else, their aggregated personal information remains invisible, intangible, and invaluable.

A London protest in March 2018, following the Cambridge Analytica and Facebook data scandal. Photo by David Lubbock.

Nothing to Hide?

The danger with personal data is not just how it is acquired, but also how it is used. Again, Facebook is an example, with countless headlines regarding its unethical practices intermittently appearing in the past decade. While Facebook is conducting research to exploit teenage insecurity, it is also covertly giving personal data to companies like Mastercard, Apple, and Huawei — a firm flagged by the U.S. government as a Chinese spy.

More troubling is how Facebook and other data-harvesting companies enable others to manipulate people’s opinions. In February 2019, The Guardian reported on anti-vaccination groups targeting nearly 900,000 people that Facebook marked as “interested in ‘vaccine controversies.’” In an open letter to Facebook, California Congressman Adam Schiff wrote, “the algorithms which power these services are not designed to distinguish quality information from misinformation or misleading information, and the consequences of that are particularly troubling for public health issues…. Repetition of information, even if false, can often be mistaken for accuracy, and exposure to anti-vaccine content via social media may negatively shape user attitudes towards vaccination.”

It can also be a politically useful tool, as evidenced by The New York Times’ “How Trump Consultants Exploited the Facebook Data of Millions.” It was one of several articles exposing Cambridge Analytica, the voter-profiling company that served several conservative campaigns between 2014 and 2018. As noted in the article, “The firm harvested private information from the Facebook profiles of more than 50 million users without their permission, according to former Cambridge employees, associates, and documents, making it one of the largest data leaks in the social network’s history. The breach allowed the company to exploit the private social media activity of a huge swath of the American electorate, developing techniques that underpinned its work on President Trump’s campaign in 2016.” Cambridge acquired the data through a third party who, according to Facebook, claimed it was for academic purposes.

Big Brother, Streamlined

Much in the same way that corporate data aggregation has been misused, U.S. government surveillance projects have been appropriated for political gain and silencing dissent, even decades before the internet. “Even here in the U.S., where we have a constitutional right to speech, assembly, [and] the press, our government has repeatedly actively worked — and I’ll use the FBI’s word here — to ‘neutralize’ domestic social movements,” said Shahid Buttar, director of grassroots advocacy at the EFF. Buttar is a constitutional lawyer focused on community organizing, policy reform, and resisting mass surveillance. “What people think of as ‘privacy’ actually stands in for something far more fundamental. So in the context of surveillance, it’s not privacy that’s at risk, it’s democracy. Surveillance and restrictions on speech silence discourse, and through silencing discourse, they undermine democracy. There is a public harm beyond the individual interest in not being observed. To construe privacy as merely an individual interest in not being observed is a very thin conception of privacy that overlooks a historical litany of examples.”

Ubiquitous and widespread telecommunications have opened the door for more state surveillance. The New York Times revealed the National Security Agency (NSA)’s warrantless domestic wiretapping program in 2005, and in 2013, Edward Snowden leaked documents exposing the NSA program PRISM, which monitors all kinds of internet communications between American citizens. Most of Congress either didn’t understand or didn’t know about the program, which continues to this day.

One of the most notorious known examples of misused government surveillance is COINTELPRO, an FBI operation meant to disrupt organizations deemed subversive. In 1976, the U.S. Senate wrote, “The Bureau conducted a sophisticated vigilante operation aimed squarely at preventing the exercise of First Amendment rights of speech and association,” according to Book 3 of the Church Committee Investigation, which examined abuses by the CIA, FBI, IRS, and NSA.

Its targets included women’s rights advocates, Vietnam protestors, and the civil rights movement, and its tactics involved stalking, wiretapping, and more. “If you had any opinion in the United States for the 50 years between the second World War and the exposure of this program in the late ’70s, you were basically a criminal, despite our First Amendment rights. Many Americans have forgotten that era.”

The final report of the Church Committee Investigation concluded, “Too many people have been spied upon by too many Government agencies and too much information has been illegally collected…. Governmental officials — including those whose principal duty is to enforce the law — have violated or ignored the law over long periods of time and have advocated and defended their right to break the law. The Constitutional system of checks and balances has not adequately controlled intelligence activities.” Though COINTELPRO officially ended, internal FBI documents from 2017 showed the FBI conducting surveillance on members of the Black Lives Matter movement similarly, including tracking travel and staking out residences.

The National Security Agency’s headquarters in Fort Meade, Maryland.

Moving Forward

From corporate profiling to government silencing, privacy has become a dire issue. “The only places we have ever witnessed the kind of ubiquitous monitoring that the U.S. government and the NSA and the entire intelligence community, including the DIA, the FBI, etc., subject Americans to is … A: in dystopian science-fiction novels, Orwell and Huxley in particular, and B: in contemporary China,” said Buttar. “The Stasi had nothing on us. East Germans were far less monitored behind the Iron Curtain than Americans are today. And if you take from that that the implication is not privacy but freedom and liberty, and freedom of speech, conscience — that is exactly the reason that we are concerned about it at EFF.”

Public awareness has gradually caught up with the power of government and corporate surveillance. However, privacy violations have become increasingly unavoidable for the average user. “It started with ignorance, particularly in ways these tools could be used against us and what people give up in the aggregate by seemingly-innocuous disclosures that empower these companies to essentially gain control over many civilizations’ discourses,” said Buttar. “I think more than the ignorance at the moment, what constrains concerted response is powerlessness…. I generally think [the internet] gives the illusion of power and influence, but in this context, the emergence of the corporate internet — the one centered on the Googles and Facebooks of the world — has certainly narrowed the choices that are easily available to users. Even if the full range of the internet remains available, increasingly, users’ experience of it is filtered through these corporate platforms.”

The corporate centralization of the internet is increasingly unavoidable in everyday life, but there are solutions.

One of the leading ideas for empowering users is interoperability — “basically requiring companies to allow consumers to walk away and not say ‘by abandoning this platform, I’m going to lose the accumulated data I’ve posted over the last several years – all my connections with friends and whatnot,’” explained Buttar. “Interoperability means you can take your posts and take them somewhere else, and that control over user data is one of the central provisions that we hope to see emerge in any potential data privacy regulation.”

Mandating interoperability would be a major step forward for consumer rights and data privacy. Five years ago, that may have been a political long shot in America, but the GDPR has set a powerful precedent. Its requirement for data portability already allows users to export their data in common formats. “I think a lot of people feel increasingly conscripted by the network effect — that is to say, the pull of these tools,” said Buttar. “If you want to participate in public life, increasingly, you have to be on this platform or that platform. That pull, I think, is ultimately forcing users to adopt tools that they might defect from if they had alternatives. Or, if they could, for instance, take their content from corporate social media platforms and port it to an open-source federated alternative — if that option were available, we might see a dramatic change in the internet marketplace effectively overnight. It’s not like these tools don’t exist, they just don’t have the network effect created by half a billion users or what have you.” Moreover, due to how reliant government surveillance is on corporate surveillance as seen with programs like PRISM, fixing one may help mitigate the other.

While there are individual steps one can take to protect their own privacy, there is only so much an individual can do to avoid surveillance. Richard Stallman, president of the Free Software Foundation, wrote, “Self-protection is essential, but even the most rigorous self-protection is insufficient to protect your privacy on or from systems that don’t belong to you. When we communicate with others or move around the city, our privacy depends on the practices of society. We can avoid some of the systems that surveil our communications and movements, but not all of them. Clearly, the better solution is to make all these systems stop surveilling people other than legitimate suspects.” Buttar agrees, emphasizing the power of group action, “Small numbers of people acting together in concert, even doing something as simple as signing a letter together, can meet a very difference response than isolated individuals acting alone. Organizing locally, thinking globally, but acting locally by meeting one’s neighbors, discovering common causes, discussing those issues, and particularly formulating a plan, however infinitesimal, to raise their voices.”

Change is happening already: the Data Care Act, a GDPR-style privacy bill, was introduced in December 2018 by 15 U.S. senators. While it does not go as far as the GDPR in many areas, if it passes, it may act as a foundation for future legislation.

Buttar emphasizes the importance of local involvement. “That’s the basis for legitimacy in the constitution: popular sovereignty. It’s an organized populace — it’s just a matter of neighbors knowing each other.”