Edward Snowden’s Legacy, A Movement To Prevent Surveillance

Predictions of the impending downfall of network surveillance

Revelations about personalized information gathering by agencies of the US government have attracted some attention to issues of privacy and the resultant notoriety of these practices may well spell the demise of intrusive network assaults on individual privacy.

Information as the tool and weapon of the future

Only recently has it become clear that nearly every aspect of our lives is open to scrutiny – every word read, typed or spoken and to whom, every product purchased, ailment treated, location visited, television program watched.  From this, a great deal can be derived – far more than just one’s current financial state, buying habits, sexual attitudes, menstrual state, self-image and likelihood of going postal.  Though buying or borrowing a specific book or following a certain writer or speaker may well put one on certain watch lists, personality profiling can be far more sophisticated and infinitely more insidious.

The potentials for collection of personal information and the uses to which it can and will be put are more far-reaching and portentous than anyone currently supposes, yet the vast majority of citizens remain altogether oblivious of their impending importance.  Personal profiling and scrutiny may serve both good and bad purposes but the fact is that access to this kind of information and the ability to analyze it is, or soon will be, the ultimate power to sway the destiny of the world.  What data should be collected and whom society should entrust with it are questions that deserve to be addressed in the media, the classroom and the dinner table if democracy is to play any role in future world culture.

The current controversy over whether security agencies and law enforcement should be granted the power to access and analyze this information, and what oversight should be brought to bear on its use is crucial to bringing the subject to light but remains rather insignificant and inconsequential when viewed with a broader perspective.  Yes, data and their analysis may indeed play (and have been known to play) a vital role in preventing terrorism and catching terrorists or would-be terrorists as well as for tracking and targeting foreign agents, terrorists, domestic political adversaries, dissident writers, journalists, activists, and potentially subversive students.  It is perfectly understandable that policies for regulating this use be established and submitted to public scrutiny, but this is only a tiny corner of the picture.

Detailed dossiers can be created instantly

Adequate horizontal data (lists of who was present at this or that specific political rally) can always be converted into vertical data (what political rallies, campaigns, protests etc. has this person participated in?).  Much concern has been generated over the real or supposed existence of dossiers kept upon individual private citizens.  It’s important to understand that, whether or not such dossiers exist, they can be brought into existence almost instantaneously.  Running a vertical query on the repository of information that is now known to exist, together with sophisticated analysis would produce an incredibly comprehensive and detailed dossier, in most cases chronicling every minute aspect of an individual’s existence from the subject’s whereabouts at all times, interests, friends (and their friends), education, history, to relationships, likes and dislikes, food and drug preferences, insecurities, perversions and phobias.  Subjecting correspondence and conversational data to language and keyword analysis while comparing the overall profile with those of thousands of other subjects with known histories and problems could produce a personality picture of far greater precision than almost anyone has imagined.

Campaigning and advertizing focuses far less upon conveying information about an issue or product than upon conveying an image and impression that will push just the right psychological buttons of the target audience.  The speeches of politicians frequently contain less information about issues and what the politician thinks than they do specific key phrases and talking points proven in tests to appeal to a target constituency and to shift opinion in the desired direction.  Studies of popular reaction to news media define how best to use sensationalism to derail public awareness of issues that deserve to be in the spotlight.  But the very rudimentary way in which the viewing/voting/buying public can be diverted, sidetracked, excited and anesthetized as a group is vastly overshadowed by the persuasive and manipulative potential that can be brought to bear by lobbyists of all stripes, carefully custom shaping, matching and coloring the images presented to the frailties, enthusiasms and loyalties of each target individual.  Manipulating popular opinion for whatever reason – commercial, political, ideological – can be extremely effective as it becomes possible to aim scientifically tailored appeals at minutely targeted segments of the population and this may be the ultimate power wielded by future leaders. The campaign appeals for candidates or votes on specific measures will be custom created for each voter who will hear only the points with which he/she is in agreement.   Arguments based on current relationship state, menstrual cycle state, despondency, ennui, anger, obesity, self image, fanaticism, perversions and random fits of manic temerity are all possible and even likely given extensive knowledge of conversations, texts, purchases and sophisticated analysis of an endless nimiety of other factors.  All decisions made by the public are more likely to be dependent upon flashing the perfectly crafted image and pushing just the right emotional button than upon cogent argument, research and reflection.

The public is increasingly becoming a herdable animal

The extent to which highly focused psychological manipulation is being practiced is currently unclear, but there is no question that it can be done and will be done!  At present, information of the depth and detail necessary is only known to exist in the records of governmental databases but despite assurances, this is not something to be relied upon.  The assumption that governmental agencies have a right to and can be entrusted with cripplingly personal information on every resident of this and many other countries is still fairly wide spread.  But even if this rather naïve perspective had some justification, it is an act of pure ignorance and optimism to assume that information will remain exclusively in the hands of those who can be trusted with it.

It is the nature of data to leak.  Despite denials and assurances to the contrary, data gets out.

Much information kept in government databases exists also elsewhere, though perhaps in fragmentary forms that might require merging and consolidation – vehicle plate and registration data exists in insurance databases, medication and medical history in medical databases, correspondence history in mail server and ISP records, etc.  Information is an extremely valuable commodity and it is naïve and unrealistic to assume that a product for which there is an immense lucrative market will not eventually be made available to that market.  Virtually no organization is willing to guarantee the security of the information it keeps and will willingly take full responsibility for damages that might result from the abuse of that information.  Even if such a guarantee were offered, it would be nearly impossible to prove where the data came from, where it went and who is responsible for its abuse. Figures regarding the sharing, leaking and theft of data are very hard to acquire or to trust but it is very reasonable to assume that the vast majority of cases of security breaches and information theft go undetected, and that of those detected, few are reported due to the furor that is likely to ensue.  This makes figures on data theft very hard to analyze.  With such a highly valuable commodity as information and the fact that its theft can go entirely undetected, there is really very little grounds for confidence in the security of our data.

Data abuse by government agencies may be but a wee corner of the problem.

The instances of data leakage and theft that are made public do seem to be restricted to those that simply cannot be denied or covered up, and these tend to be cases in which the motive is not clandestine profit but intentionally public whistleblowing.  It does seem, judging by these alone, Bradley Manning and Edward Snowden being the more obvious examples of undeniable leaks, that even our government agencies do not have a particularly good track record when it comes to safeguarding information and the security of information stored by other organizations may be far more doubtful.  If one adds to publicly known leaks those that have been detected but not reported and a possibly vast number that have gone undetected, one must conclude that assurances of the security and sanctity of our personal data either by government agencies or elsewhere are preposterous.  It is extremely difficult to swallow the assumption that the only actual cases of mass information theft are motivated by idealism, and absolutely none by profit or greed.  Of all possible motives for information theft and all the thousands of people who have access to these vast repositories that have recently been shown to exist, only those perpetrated by whistleblowers have become known to the public.  Are we to assume than no others exist?  In any environment, what is the ratio of actions motivated by conscience to actions motivated by self interest?   If one ponders the fact that, of those data breaches that have become public, not one seems to have been a case of simple theft that could have been denied and suppressed, the only conclusion that can be drawn is that this leakage iceberg is vastly larger that what we can see.  Non governmental agencies are also perfectly capable of amassing their own data repositories, augmented perhaps by marketed data from all manner of legitimate and illegitimate sources.  Whether or not information is being used responsibly by agencies in our own government is now receiving some perhaps well deserved public scrutiny, but given the greater picture, it becomes rather a side issue.  The existence of the data itself is the issue and its use and potential abuse seems inevitable and poses a fundamental threat to all of society.

Fighting Back

As information collection, use and importance increases with a rapidity commensurate with progress seen elsewhere in information technology, public awareness increases only at its normal glacial rate – inspired only occasionally by momentary shocks and frights caused by world events.  There do exist a few solid safeguards that individuals can use to prevent surveillance and tracking of correspondence and online activity, but current use of these remains largely restricted to a few obsessive and highly savvy activists together with the well prepared criminals and covert operatives who use them as a matter of course.   When Edward Snowden initiated communications with journalist Glenn Greenwald of the Guardian newspaper, he insisted that Greenwald install and use PGP (Pretty Good Privacy: http://www.gnupg.org) encryption for correspondence.  Greenwald found the setup process daunting and was only able to install it later with assistance.  Snowden’s endorsement of and Greenwald’s difficulty with the package sum up PGP and most privacy technology nicely:  Privacy is possible but safeguards are not easy to implement.  Internet usage can also be made secure by various other means: Virtual Private Networks (VPNs e.g.: https://www.privateinternetaccess.com/pages/buy-vpn/), The TOR project (The Onion Router: https://www.torproject.org/) and various other tunneling and anonymizing systems, providing a range of security and anonymity usually inversely proportional to simplicity and ease of use.  TOR provides free web surfing anonymity but is slow and does not permit the use of scripting language so often required on websites.  VPNs provide greater speed and volume at minimal cost but are commercial entities and thus potentially subject to coercion.  PGP (http://www.gnupg.org/) encryption is free (though a commercial version also exists: http://www.symantec.com/products-solutions/families/?fid=encryption) but requires significant set up.  Sending PGP mail requires a recipient with PGP capability and leaves all routing information visible unless used in combination with other systems.

Privacy and anonymity is already possible on the net!  But that fact is likely to have negligible impact upon data acquisition until it becomes so simple that no thought or effort is required to implement it.

All usable Internet data mining could become infeasible.

As awareness of the insidious use of information increases, possibly inspired by a few high-profile egregious examples of abuse, a number of effective responses may emerge and gain popularity.  In fact, it is perfectly possible that the large-scale online collection and analysis of personal data could be made impossible and the data found, probably rendered useless.

Only a major shift in the accessibility of online privacy systems or a fundamental change in attitudes towards online privacy, or both, will curb the ramping onslaught of intrusive profiling, and these will only appear if resolve increases.  Further revelations and uproar may prod that resolve however, and it is conceivable that a significant level of general privacy could emerge very quickly.  It may indeed be this fact that has inspired such vehement and disproportionate vilification of those who have brought the subject of mass surveillance into public view.

Given a few clever plugins, net privacy could blossom overnight.

PGP encryption (http://www.gnupg.org) and plugins that use it (http://webpg.org/) in their current state are likely to be used only by a few and have little impact upon data collection.  However, if turnkey privacy plugins were to become the new fad in browsers, chat, and mail handlers, and if they were to include PGP and/or similar products and private web browsing by default, or at least with a one-click install, things could change overnight.  If, with no expenditure of effort on the part of the user, beyond checking a settings option box, all communication were rendered totally private, the surveilable traces of a large portion of network activity would diminish dramatically.  Information already collected would still be stored but information has a fairly short shelf-life and will rot into fuzzy irrelevance if not updated.

Even visible data can become useless.

The aggregation of personality traits into a sharp personal profile for each and every citizen depends upon sorting and weighing millions of phrases, ideas, opinions, and interpreting them based upon extensive testing and research.  However, this process can be subverted fairly easily using similar logical processes.  Polluting one’s visible information tracks cleverly and scientifically with quantities of contradictory, irrelevant and misleading detritus could render them utterly useless for inferring anything meaningful with any degree of certainty and it would be extremely easy to devise browser, chat and email plugins that could do this in accordance with whatever  parameters the user might choose.  The presence of large quantities of spurious data indistinguishable from the rest would also drastically reduce the reliability coefficient of data in general.  Data pollution may actually serve an important transitional role in between total transparency and complete invisibility.  A combination of accurate visible information and total invisibility can provide more significant personal content than visible information of dubious authenticity.

Network privacy and security could be as easy to use as changing the screen color or moving toolbars around

It would not be technically difficult to produce one-click transparent turnkey privacy programs which would combine information obfuscation capability in various ways, probably including encryption, data pollution, steganography and possibly many other strategies yet to be devised (all open-source and publicly vetted of course) – open source community please take note; any commercial entity to undertake this would be subject to control and coercion.  Provided that individual implementation of security requires no effort on the part of the user – beyond simply toggling on the security option – network intrusion into privacy could find itself blocked by a possibly somewhat yielding but ultimately impenetrable wall.  This development would certainly not please those intent on exploiting personal data but should probably not be a cause for concern to IT staff.  As information becomes harder to find, sort and sift, the demand for expert and knowledgeable staff will only increase.

Beyond network privacy

Other threats to personal privacy are harder to foil than those of the Internet.  Each cell phone in purse or pocket is only nominally in the service of its owner.  It has its own agenda and yields up its location, history and contents upon demand to the service provider, any of a vast number of government agencies with their armies of access-enabled employees and whoever else may have hacked, bought or otherwise insinuated their way into the system.  License plate scanning technology together with historical stockpiling can also prevent the citizen from travelling untraced.  Mass recording of snailmail addressing data will still yield much and hardcopy reading matter sent through the mail cannot be feasibly encrypted.  Of course, many transactions also demand that personal information be provided and threaten penalties for inaccuracy.  Subverting Internet information delving would be a major step towards privacy however, and as phone and conferencing capability together with reading/viewing/listening matter are increasingly subsumed within a turnkey privacy envelope, the net could become the only reliable sanctuary from prying eyes.

These other pernicious forms of information collection will probably only be reined in after major abuse becomes an issue, perhaps through unrestricted and illicit use by law enforcement or, as the technology and data spread, when courts, attorneys, private investigators, stalkers, scammers and street gangs manage to victimize those whose information, historical whereabouts and travel patterns become available.

Snowden’s revelations may begin a groundswell of concern and the net is the place to start a response.

A movement for simplified and fairly ubiquitous online privacy is at least possible, but would have to overcome both the apathy of the public and concerted zealous opposition by very powerful interests with much invested in information gathering, processing and purveying.  These interests may well rely upon maintaining a balance – collecting personal data but avoiding blatant abuse of that data (or at least preventing abuse from becoming public) for fear that resultant outrage may cause the data stream to suddenly dry up.  The largely oblivious populace has undergone a bit of conceptual buffeting at the hands of Snowden and could actually see a need to take steps, if not now then after the next disconcerting revelation. It seems highly likely that the absurdly extreme threats against, and deprecation heaped upon Snowden and other whistle blowers may well have been caused far more by fear of a secrecy backlash than by any direct damage that those revelations might cause.

K. Titchenell is a retired computer science professor.