Worried about being watched? Me too. So who’s doing it, and why, and what can they see, and what can you do about it?
[This is part of the Federation Conversation series. Even though there’s nothing here about federated identity, I think this background should be helpful in dealing with the (very sensible) paranoia about who’s watching you.]
The parties out there who are watching you fall into three groups: Spooks, people who want to hurt you, and people who want to monetize you.
Spooks · I’m talking about your own government’s employees. This is the era of Snowden and Manning and whichever ethically-exigent millennial comes along next; so we know, more or less, what it is they know.
They want to know everything, of course. In particular they want every heartbeat and breath from the guys they think are out to wreak havoc, but they also want as much as they can get about everyone else so when they catch a Known Havoc-Wreaker on the wire to someone saying “Helmut and Fuad and the homies in Calgary are about ready to launch”, they can retroactively pull the records for all the Helmuts and Fuads in Calgary and see if they or anyone near them have been on the phone to suspicious places recently, and if any of them have, then they want his heartbeat too.
And they can pretty well get it. A lot of us in the biz sort of knew this pre-Snowden (see, I did in 2005) but here are some of the things they do:
Put boxes at the big Internet interchanges and run pipes from the routers, capturing as much of the backbone traffic as they want.
Use FISA to make your ISP give them all your traffic.
Use FISA to make your email provider give them all your email.
Use FISA to make the sites you visit disclose what you do there.
Use FISA to make your IDP disclose where you’ve been signing in.
Coincidentally, as I was writing this, the Wall Street Journal published a helpful article with lots of the technical details: New Details Show Broader NSA Surveillance Reach.
Can you stop them? Mostly, but it’s hard.
Well, unless you’re a big Internet company (in particular Google, Facebook, and Twitter), who pay bucketloads of money to smart expensive lawyers to push back as appropriate, ensure that the civil servants are following their own rules, and fight for transparency.
So yeah, the big Internet companies are highly visible targets for over-attentive spooks, but on the other hand we’re a little more hardened. I bet a high proportion of the apps and sites out there just wouldn’t imagine spending the dough and taking the risk to push back; so probably you’re at higher risk from inappropriate legal fishing trips when your data’s not at a big player.
In this context, I recommend Bruce Schneier’s The NSA is Commandeering the Internet; I agree with every word in it.
People who want to hurt you · Crooks, mostly. The list is dreary: They want accounts to send spam from, to launch phishing attacks from, to use in irritating scams and real serious crimes. By the way, these guys operate in plain sight, to a surprising degree. Want to buy a stolen account? Drop by BuyAccs.com (note that stolen Google and Facebook accounts are immensely more expensive than the competition’s); or just search for “PVA accounts”.
Then, there are employees of other governments who want to burn you down. Most people can ignore this, but people who work for Google can’t; nor can people working on Iran’s nuclear program, nor Al-Qaeda staffers.
Fortunately, neither class of bad guy can use FISA to capture all your traffic. Stopping them is work, most of which should be done by your employer’s security pros, but it’s tractable. They win a few rounds now and then, but the competent good guys can mostly stay ahead.
People who want to monetize you · I work for one of those. We and Facebook seem to be best at generating ad revenue, but I guarantee this game isn’t over.
The idea comes in two parts. First, the more data-gatherers know about you, the better the chance they’ll be able to show you a useful ad. Second, they might be able to improve the service based on knowing you better; to the extent you’ll keep dropping by and see more ads.
Simple enough, and ethically neutral in my view. Lots of people dislike advertising viscerally, but it seems to work anyhow. This feels like a straightforward business transaction: Let us learn about you and we’ll try to turn that into ad money. In exchange, you get free services; well, after you pay the ISP and electricity bills.
The thing that very quickly becomes not-OK is if the data that’s being gathered shows up in a place that’s embarrassing or damaging or surprising. Privacy policies matter but I’m not going to claim there haven’t been problems here. At the end of the day, while I respect what places like the EU are trying to do with aggressive privacy legislation, I still have hope that it comes down to a matter of trust; and that a consumer business that loses trust just won’t do well in the big picture/long term.
How much can monetizers track you? Really a whole lot, with cookies and other Web wizardry. Can you stop them? Yep, and a whole lot easier than you can dodge the NSA. Cookie blocking goes a long way, and check the rest of your browser settings. But by default, there are multiple parties who each know a lot of the places you visit, how long you spend there, and so on.
And of course Facebook and Google and so on can sell ads based on the payloads; what’s in your email and in your timeline. I’m not sure whether that counts as “tracking” exactly, but it’s real.
Is all this a problem? · What bothers me most, as I’ve written before,is what my own government might be up to. And while I can and will deploy technology to get in their way, at the end of the day it’s about politics not technology, and if you don’t engage at some point you lose the right to complain.
Then there are the actual bad guys. But that one has the virtue of being uncomplicated: Nuke the site from orbit, it’s the only way to be sure. We don’t need to be that sure; but I bet a huge majority of the Internet population would love to see those guys doing perp walks and getting jail time.
As for the monetizers, well, meh. I know there are many out there who loathe being tracked for profit, and I’d never say it’s wrong to have that feeling. I don’t particularly share it; But I’m totally among those who would cheerfully pay a few bucks here and there to be a customer to my providers, rather than their product. I seem to be in an tiny minority, but I’d love to hear I’m wrong on that.