Do you have secrets? Security expert Bruce Schneier has little patience for those who say they don’t.
When asked about government and corporate surveillance, there are some who shrug their shoulders and say they have nothing to fear because they have nothing to hide. Schneier’s response? “I ask them their salary and they won’t tell me. I ask them about their sexual fantasy world and they won’t tell me. The whole ‘I have nothing to hide’ thing is stupid, that’s a dumb comment,” he says. What’s more, your day-to-day behaviour is monitored in ways you wouldn’t even realise, so these details and many more could be open for all to see – and use against you. And that’s a problem, even if you happen to trust your government to use the data for good.
Schneier, who spoke at BBC Future’s World-Changing Ideas Summit on 21 October (see video, above), helped journalist Glenn Greenwald analyse Edward Snowden’s leaked documents from the National Security Agency. The controversy was recently documented in the film Citizenfour, and consciously or not, Schneier’s sentiments echo Snowden’s own words in an early email to the film’s director Laura Poitras: “Every cell phone tower you pass, friend you keep, article you write, site you visit, subject line you type, and packet you route, is in the hands of a system whose reach is unlimited but whose safeguards are not.”
Indeed, pretty much everything you do can be tracked now, says Schneier. “Everything involves a computer. You know that your Kindle tracks how fast you read, right? Everything you do online, everything you do on your phone, everything you do that involves any kind of payment system.”
As an example, Schneier told the World-Changing Ideas Summit that things as simple as taxi passenger and fare data could be easily de-anonymised once combined with location data, as the data analytics firm Neustar showed recently. Visit a strip club, for instance, and it’d no longer be private. In general, assume your movements are being watched. It’s a fact already made glaringly obvious in London, when the local transport authority’s public bicycle data was unwittingly made public. Individual commuters’ journeys were easily chalked up on Google maps.
Sophisticated smartphone applications are now capable of building up detailed pictures not just of our location, but the context of our environment. In a recent paper, researchers provided the example of an app called CarSafe which is able to learn the driving habits of users by interpreting data from the two cameras on modern smartphones.
Schneier also pointed out at the summit that many of the mobile phone towers in your vicinity may not have been set up by your network provider, but governments – both domestic and foreign – who want to find out who’s walking by and what they’re up to. The secretive nature of these masts makes it difficult to know how they are used, he says.
“The British government will not even acknowledge that they use them. We know they do, but they won’t even acknowledge that. The FBI does acknowledge that they use them, but is very secretive about how,” he explains. “Someone found that there are 80-100 of these in Washington DC not run by the US government. We don’t know who’s running them.”
Public wi-fi raises yet more issues, since routers that pick up your mobile phone signal are now able to triangulate your position accurately enough to tell which aisle you’re in at the supermarket. If the “MAC address” of your device – a unique identification code for your device visible to a network – can be matched to you then whoever has that data might know very intricate details of where you, personally, have spent your time.
“If the government said you have to have a tracking device, for certain you would rebel,” notes Schneier. “But the government doesn’t have to say that because you do it willingly and they just get a copy of the data.”
And so might anyone else. The same vulnerabilities exploited by intelligence agencies could be similarly exploited by corporations, insurance firms, health providers, or even malicious hackers, criminals or terrorists – the very people surveillance is supposed to target.
“We need to choose between security and surveillance,” Schneier told the summit audience. It’s just not possible to build electronic devices that keep data secret from everybody except, say, government officials trying to track the movements of terrorists. “Everybody gets to spy or nobody gets to spy.”
This is why Schneier argues that people have a right to defend themselves from tracking. That means the right to take protective technical measures, communicate via encrypted systems or browse the Internet anonymously using services such as Tor.
But recently the rapidly increasing popularity of such tools has ignited consternation at the FBI. James Comey, the Bureau’s director, has said that encryption offered by companies like Apple and Google deprives law enforcement authorities of information which could be crucial to solving crimes or saving lives.
For Tom Gaffney, technical director at information security firm F-Secure, which markets software that protects users’ privacy online, the comments rang hollow. “Effectively, the government is forcing people down the route of using these tools because of their lack of transparency, their desire to track every bit of our data rather than concentrating on criminals,” he says.
Gaffney also points out that data collected by private companies, whether encrypted or not, can still be held more or less forever, and there’s no way of knowing for sure how it will be used or sold in the future.
The point of recognising all of this is to better understand the consequences of using free services which rely on monetising our data via advertising to remain profitable. And Schneier argues that all government tracking should be legal and targeted to individuals already suspected of criminal activity, rather than having universal surveillance through which private experiences belonging to millions of innocent citizens are recorded and stored.
The information we create as we navigate the world, both physically and digitally, is sometimes referred to as a “data footprint”. This sounds relatively benign, which is why the term is a poor metaphor. The true data footprint you leave behind everywhere you go and after practically everything you do is much, much more detailed than a trace in the sand. It’s who you are: from your most public persona right down to your most private moments.