Why I'm Not Freaked Out About Surveillance, and Why You Should Be

Last night was a propitious moment to have this conversation, admittedly, but as a friend of mine and I pulled up in an ride-sharing driver’s car to a benefit event, he posed the ominous question: “With all that you know about surveillance and stuff, aren’t you paranoid?”

No, I replied.

Not paranoid.

Rather the opposite. I worry that knowing too much can lead to complacency if my knowledge isn’t shared, or if I feel overwhelmed by the knowledge to a point where I can’t do anything about it.

Not paranoid because nothing that’s reported in the press about surveillance, privacy and abuses-of-power that surprises me.

I’ve spent a while studying the drivers of this new experience in life, digesting Douglas Rushkoff and Shoshana Zuboff and Safiya Noble and Jonathan Taplin , and I’ve read all of the NSA/GCHQ documents that Edward Snowden released, and I have a Google alert set up to let me know every time Bruce Schneier or Charlie Warzel posts a new article. So I understand WHY. There is no conspiracy. There is simply the world as it is. The world that we’ve been watching for a while. A world that is emergent from the pairing of technological progress and capitalism, that was created with rules that we did not design, with consequences that we did not anticipate, and that has surpassed the ability of policymakers, technologists, and average people to adequately deal with.

The occasion of our conversation was Mr. Warzel’s latest eye-opener, written with Stuart A. Thompson. The New York Times’s op-ed team obtained, from a source unnamed, 50 billion phone pings from 12 million unique phone sets, and managed to figure out the identities, locations, activities, proclivities, potential vulnerabilities, and life patterns belonging to individual human mammals, including politicians, celebrities, engineers — and Secret Service agents covering the president.

Key points:

THE COMPANIES THAT COLLECT all this information on your movements justify their business on the basis of three claims: People consent to be tracked, the data is anonymous and the data is secure. None of those claims hold up, based on the file we’ve obtained and our review of company practices. Yes, the location data contains billions of data points with no identifiable information like names or email addresses. But it’s child’s play to connect real names to the dots that appear on the maps.

But location data is different. Our precise locations are used fleetingly in the moment for a targeted ad or notification, but then repurposed indefinitely for much more profitable ends, like tying your purchases to billboard ads you drove past on the freeway. Many apps that use your location, like weather services, work perfectly well without your precise location — but collecting your location feeds a lucrative secondary business of analyzing, licensing and transferring that information to third parties.

Buyers are typically data brokers and advertising companies. But some of them have little to do with consumer advertising, including financial institutions, geospatial analysis companies and real estate investment firms that can process and analyze such large quantities of information. They might pay more than $1 million for a tranche of data, according to a former location data company employee who agreed to speak anonymously.

Location data is also collected and shared alongside a mobile advertising ID, a supposedly anonymous identifier about 30 digits long that allows advertisers and other businesses to tie activity together across apps. The ID is also used to combine location trails with other information like your name, home address, email, phone number or even an identifier tied to your Wi-Fi network.

There are several challenges we face in trying to convince people that they need to approach their digital activities with a different sensibility.

(a) Data breaches are so common as to be background noise; even though, ideally, we should check to see whether our own credentials have been compromised every time we hear something, we don’t. Doing so would take time that we don’t have, or cognitive capacity that we don’t want to share. It’s kind of like, well, trying to cover President Trump’s daily departures from the ordinary. (Note to partisans: I mean that neutrally).

(b) We really, still, do not have a shared, collective sense about what basic steps we need to take in order to minimize our risk on a daily basis AND on an ongoing, evolving basis. Patching up the holes — resetting passwords, etc — is poor practice. And even if you use a password manager (YOU SHOULD) and enable Two-Factor Authentication (YOU MUST), you still, in these scenarios, have to go back and fix stuff that might be broken. And that’s not easy for most people to do.

(c) The basic: “I have nothing to hide, so I don’t really care” objection, which is really your brain’s way of defending itself against vulnerability. As someone smarter than I has said, if you have nothing to hide, you have … nothing. You DO have something to hide, or you should, because your life should have different dimensions to it, and you ought to be able to control, to some extent, what you can and cannot hide.

(d) We see digital defense as an individual problem and not a civic problem. We don’t fully appreciate how we let down our neighbors if we fail to practice good digital security skills. We leave the herd vulnerable. I like immunization analogies because I think they convey the urgency of the problem.

I’ll end with some practical advice. First, follow the Times’s suggestions about locking down your Android and iPhone mobile advertising identifiers.

But note, also, that there are a number of other settings that won’t turn off unless you specifically disable them. On my iPhone, you they’re located in PRIVACY/LOCATION SERVICES/SYSTEM SERVICES…. which is ALL the way at the bottom of the menu, after the listing of all of your apps.

There’s also a weird little box called “Significant Locations” — that, when I clicked on it, led me here:

I confess I don’t know exactly how this interacts with the app ecosystem, but it helps provide suggestions about where I might want to go and what I might want to do. (When you power up a ride-sharing app and it knows exactly where you might want go go, based on where you are and what time it is, this setting is probably one reason why.)

Finally, be aware that there are at least 10 different ways that your phone is tattling on you. It tattles because it has to: it needs to know which cell towers to connect to, which Wifi access points to reach out to, which stores you’re going in order to customize your experience.

The thing about app developers is that they often need access to ALL TEN OF THESE THINGS

Your MAC address. Your IMEI. Your SIM card data. Your phone number. Your Bluetooth ID.

And more.

Without those things, you can’t have the seamless app experience you want.

With those things, you’re giving these apps a trove of extremely valuable data that they can sell to almost anyone, including:

Big Corporations Who Want To Track Who Talks to Journalists

Private Investigative Firms Who Want to Track Who Talks to Journalists

People who want to sell you things.

So - no. I’m not freaked out. I’m realistic.

And I’m hungry to learn more, and do more, and share more.