Stop blaming the NSA. We did this to ourselves.
- By Daveed Gartenstein-Ross and Kelsey D. Atherton<p> Daveed Gartenstein-Ross is a senior fellow at the Foundation for Defense of Democracies and an adjunct assistant professor in Georgetown University's Security Studies Program. He is the author or volume editor of twelve books and monographs, and earned a Juris Doctor degree at the New York University School of Law. Kelsey D. Atherton is a contributing writer for Popular Science, where he focuses on defense technology issues. </p>
Privacy in 2013 does not exist as we knew it in 2000.
But don’t be fooled: The almost complete erosion of what we would have considered our private spaces at the beginning of this millennium is not entirely — nor even mainly — a result of the National Security Agency’s surveillance. While nobody should doubt that the government’s electronic spying is intrusive, we largely let online privacy slip away without any assistance from security agencies. Each step along the way was, for the most part, understandable and reasonable rather than nefarious. But the fact is that privacy in the United States is not what it used to be, and until we realize that, our debate about electronic privacy — Manichean as it is, and focused almost exclusively on the relationship between the government and its citizens — will fail to resurrect its value.
Four distinct factors have interacted to kill electronic privacy: a legal framework that has remained largely static since the 1970s, significant changes in our use of rapidly evolving technology, commercial providers’ increasingly intrusive tracking of our every online habit, and a growth in non-state threats that has made governments the world over obsess about uncovering these dangers. Only by understanding the interaction between these factors can we begin the necessary discussion about what privacy means in the 21st century — and how to forge a new social compact to address the issue.
Our Decades-Old Privacy Laws
While technology has massively evolved since 1979, the laws governing electronic privacy have not. Two legal frameworks, both forged in the 1970s, have fundamentally shaped our understanding of electronic privacy.
One of these frameworks is statutory. Congress passed the Foreign Intelligence Surveillance Act, which is at the heart of so much current political debate, in 1978 to govern the collection of intelligence aimed at foreign powers. Although the Act has undergone multiple amendments, its language has remained eminently recognizable to lawyers active in the late 1970s.
The other legal framework is a 1979 Supreme Court case, Smith v. Maryland, which addressed whether the State of Maryland required a warrant to install a pen register (which would record telephone numbers called, but not the contents of those calls) on a suspect’s home phone. The Court held in Maryland’s favor, finding that though the actual contents of a call were protected by the Fourth Amendment, and thus were subject to its warrant requirement, information about the call — like the number being dialed — was not protected. This is because the Fourth Amendment only applies when the government’s actions intrude upon what might be considered a reasonable expectation of privacy. The Court found that no reasonable expectation of privacy existed for the numbers a person dials: all phone users were aware that they conveyed this information to a third party, "since it is through telephone company switching equipment that their calls are completed." Further, the court noted that all phone users realize "that the phone company has facilities for making permanent records of the numbers they dial," since they see this information in their monthly long-distance bills.
In other words, when a third party is able to see what a person is doing in an electronic environment, no reasonable expectation of privacy exists. And one can draw a number of conclusions about the legal precedent Smith sets.
One conclusion is that the NSA’s metadata collection appears legal. Every call that is part of this collection has, like the calls at the heart of Smith, been transmitted to a third-party commercial provider. Whether or not one thinks the law should protect metadata, Smith sets the precedent that it likely does not.
A second conclusion is more disturbing, given the role technology plays in our lives: our use of the Internet probably enjoys no constitutional protection. The Internet is designed to connect an individual to other parties, and most emails, Internet chats, or web browsing is routed through multiple servers. All Internet users are aware that their online activities are conveyed to a third party, which suggests there is no reasonable expectation of privacy, and no Fourth Amendment protection. (There are, however, some statutory protections, such as the Electronic Communications Privacy Act.)
And a third conclusion is that existing laws are intensely focused on privacy from the government, not privacy from non-governmental entities, be they corporations or other citizens. This focus on the government is unsurprising, since the Bill of Rights is meant to constrain the government’s powers over its citizens. But, as explained, these non-governmental entities have also become the very reason that our metadata and online activities do not enjoy constitutional protection from the government.
The manner in which we use technology, and hence what we consider private, has changed significantly since 1979. From a court’s perspective, however, this is a distinction without a difference: unless the Supreme Court alters Smith‘s holding or a statute grants greater protection to call data and online activities, information that is transmitted to third parties no longer has a reasonable expectation of privacy, and therefore does not enjoy Fourth Amendment protections. But beyond the legal perspective, the changes that have occurred in the way we use technology should matter to us.
Our Evolving Use of Technology
Privacy has long been an unsettled concept. As Frederick S. Lane explains in American Privacy: The 400-Year History of Our Most Contested Right, it was "at best a sometime thing in seventeenth and eighteenth-century America," but was by no means non-existent. The concept of privacy underwent continual evolution, including important legal changes, through the middle of the 20th century. One of the most noteworthy legal developments was the 1965 Supreme Court decision Griswold v. Connecticut, which held for the first time that the Constitution provided a free-standing right of privacy. Griswold would give birth to several controversial progeny, including Roe v. Wade, which held that the constitutional right to privacy included abortion rights.
By the end of the 20th century, while privacy remained unsettled in important ways, it was expanding rather than shrinking. In 2000, the Supreme Court held that the right to privacy precluded state bans on partial-birth abortions, and in 2003 it struck down a Texas law that criminalized consensual oral and anal sex by gay couples. These decisions were consonant with what in 2000 was seen as a fairly stable and expanding conception of privacy. American observers and the legal system paid little attention as technological developments and accompanying changes in the way we relate to technology upended that conception.
The Internet only gained one million users worldwide in 1998, the same year Google was founded. Email was widely used in the United States by 2000, but did not enjoy the same degree of penetration worldwide, and Google’s Gmail service wouldn’t launch for another four years. Internet penetration was still undergoing rapid growth; by 2005, the Internet boasted one billion users.
Social media evolved markedly in this period. LiveJournal and Blogger launched in 1999, at a time when the word blog still hadn’t become common parlance. The once-popular MySpace launched in 2003, followed by Facebook (which enjoyed more staying power) in 2004. These services introduced two innovations. First, they made it possible to map users’ social networks in ways that the users didn’t comprehend. Second, MySpace and Facebook encouraged frequent status updates rather than the longer entries that characterized previous services like Blogger. Posting became more impulsive, and — particularly as methods of data analysis advanced — users divulged much more about themselves than they knew. By 2013, for example, researchers found that by relying only on users’ Facebook "likes," they could discern who was gay, and how users voted in elections.
As people increasingly lived their lives online, they divulged more and more intimate details about themselves, sometimes without realizing that they were doing so. Unfortunately for traditional conceptions of privacy, commercial providers’ capacity to track every movement of users’ digital lives was also growing.
Our Consent to Being Tracked Online
Internet law specialist Joanna Kulesza recently noted in the University of Arkansas at Little Rock Law Review that while Europeans see protection of personal data as a human right (yet struggle with how to protect it), Americans perceive personal data "primarily as a commercial commodity."
There are several ways that commercial providers track user activity. Social networks require tracking in order to function: a server has to authenticate a password in order to return user requests. Cookies are placed in a browser by a website to remember this information, so that, for example, a Facebook user doesn’t have to re-enter his password with every click to a different page on the site. Cookies make the social Internet work; they’re a compromise between privacy and utility that is accepted with every single login.
But cookies don’t just remember passwords. Once a user has picked up cookies on a website, those cookies can follow the user’s activity across the web, potentially recording information entered into different web pages and building a profile of the user. As the Germany-based academic André Pomp explains in a paper on tracking Internet users, "if a user visits a computer website first, then a social network website containing name and age and finally a diving website, a cross-site tracker, that is included on all three websites, could be able to create a single profile for this user."
Cookies are just one method of tracking. As Pomp writes, in a typical visit to the Internet, a user will encounter "hundreds of different trackers trying to track users by collecting their data." He notes a recent study in which researchers, by visiting Alexa’s top 500 domains and clicking on four random links on each site, stumbled upon 7,264 trackers. Online tracking by commercial entities is pervasive, a fact of online life.
Those who are best at tracking you have the most to gain commercially. Facebook may know your sexual orientation, but Google knows even more about you. As the Wall Street Journal has noted, "the breadth of Google’s information gathering about Internet users rivals that of any single entity, government or corporate." It is helped in this endeavor by the fact that, as CNN reports, Google on average "accounts for about 25 percent of all consumer internet traffic running through North American ISPs."
Our cell phones can also reveal where we are at all times. Smartphones are equipped with GPS systems, and even with the GPS turned off, connecting to a cell tower still provides an approximation of a person’s location. A study by MIT reveals that, with just four proximate locations, it’s possible to identify an individual with 95-percent accuracy.
There are advantages to treating personal data as a commodity. Companies can provide remarkable services at no cost to the user. Google, Facebook, and similar companies could certainly command subscription fees if they chose that route, but the fact is that the companies make more money by getting to know their users — understanding their interests, their aspirations, their likes and dislikes — than they would by charging users twenty or thirty dollars a year. It’s understandable that these companies would treat user data as a commodity, and no doubt many users would willingly sacrifice privacy for top-quality free services.
There are also disadvantages. When we think about the information we are disclosing, and the methods of data analysis now available, we are apt to grow uncomfortable with what these companies know about us — our social networks, sexual predilections, voting preferences, and much more – and how they’re sharing this information.
Our Response to Terrorism
Just as commercial providers have responded to market incentives, the NSA has responded to the incentives provided to it in a world of growing transnational threats. The threat of a terrorist attack is real, not a chimera, and the NSA after 9/11 was charged with sifting through electronic data to shake out the dangers. To accomplish this, the agency wanted a lot of data. As Deputy Attorney General James Cole has said, "If you’re looking for the needle in a haystack, you have to have the haystack." This is not to say that we should accept the NSA’s programs as they are — hard questions have been raised about its broad collection of metadata and its internal safeguards against privacy violations — but the present debate has taken on a Manichean quality in which the NSA is often portrayed as rapacious. It is in fact aggressively pursuing the mission with which it was charged — of trying to prevent another attack on the homeland.
The NSA also undertook its surveillance efforts at a time when the meaning of privacy was shedding its old meaning due to the migration of our lives online, into an environment where –unlike in the offline world — we are being constantly tracked and monitored, and everything we do is remembered.
So what does privacy mean now? The answer isn’t entirely clear; but what is clear is that we need to have the right kind of discussion about it. Perhaps a good place to start is asking whether lawmakers should limit commercial entities’ ability to retain user data indefinitely.
There is, of course, good reason for these entities to be able to track users. User data gives them a source of revenue, and they invested in their services with the expectation that their ability to profit from these services will continue. We are not arguing that the government should constrain the ability of these companies to generate revenue, but is very old data really essential — or even relevant — to their business efforts? Do commercial entities really need to know what websites you visited, and who you sent instant messages to, and the location of your cell phone, eight or ten years ago in order to understand your consumer preferences today? The government could require these entities to purge all digital user data (including messages sent, websites visited, records of individuals called, and geolocations) that is more than, say, five or seven years old if a) the user has tried to get rid of it by, for example, deleting the information; and b) there is no independent reason, such as ongoing litigation or national-security concerns, to retain it.
This would be an admittedly small step, but one in the right direction that could help kickstart a badly needed conversation on privacy. Contrary to the absolutist claims that have dominated the public debate on the issue, there is a complex balancing act at play. It involves not only liberty and security, but also commerce rights, Internet users’ appetite for free and convenient services, and the desire for privacy not only from one’s government but also one’s neighbors. The right kind of privacy conversation would recognize this.
But given the way the surveillance debate has been proceeding so far — focused exclusively on the government, lacking a concrete conception of what privacy means today, and framed in harsh Manichean terms — we’re unlikely to get there.