Privacy in the Digital World

By Joseph A. Schafer

The recent revelations that the National Security Agency (NSA) has been acquiring and using some level of data on personal communications for millions of American citizens illustrates a concern many of us have been discussing for some time: what is the future of privacy? The exact truth of the NSA efforts is still emerging and seems to be shifting and growing each week. In the weeks since the Snowden allegations emerged, there has been a mixture of truths, half-truths, distortions, and inaccuracies swirling through conventional and social media platforms. It is still not entirely clear what data the NSA was tracking, on whom, from whom, and to what end. It will likely be some time before the true breadth and scope of PRISM (Planning Tool for Resource Integration, Synchronization, and Management) and xKeyscore are fully understood by the public, as the NSA and the government will achieve limited gains by providing full disclosure.

As citizens, PRISM and xKeyscore once again reminds us that our former conceptions of privacy are being rapidly redefined in the digital world. Until quite recently, privacy was akin to anonymity. There were few ways for any entity to acquire large amounts of information on the behaviors, movements, actions, interactions, and communications of a large segment of society. Such data might be acquired on a small number of individuals, but the expense and resource investment required to achieve that outcome were high. The average citizen enjoyed a strong level of privacy (and by default, anonymity) not because there was a clear legal right to that privilege, but because technology precluded any other outcome.

In less than two decades, that situation has been completely transformed, in large part because of the massive ways communication technologies have transformed when, where, how, and why we live, work, socialize, and conduct our personal business. Debit and credit cards account for more and more of our annual spending as using cash becomes an inconvenience. Online shopping (and even online “window” shopping) is a greater part of our lives. Landline telephones have been supplanted by mobile phones that allow not only the tracking of our communications, but also our movements. The use of mobile phones for voice communications has dwindled as more and more of us relies on text messaging, placing previously ephemeral exchanges into the realm of the permanent. Written mail messages, which generally only exist in a single copy and place, have been replaced by email messages, which exist in at least two places (the email server of both sender and recipient), travel along a digital pathway that is subject to easier surveillance, and can quickly be shared with the masses.

These are but a few of the trends we all know and understand. While legal interpretations of these technologies might view our privacy as fundamentally the same today as a quarter century ago, the reality is that most of us live lives today that afford far less privacy than we had in the past. Yes, we have largely surrendered what privacy protections (legal or imagined) on our own. But even this is an overly simplified interpretation of this change. It is not that we have surrendered a certain amount of privacy because doing so is more convenient and consistent with our western desire for immediate gratification. We have shifted to the use of e-mail and text messaging because our workplaces require us to do so. We have shifted to greater use of credit and debit cards because cash is increasingly difficult to use. We conduct business view email and website because corporations, service providers, and even the government make it difficult to do otherwise. It is increasingly inconvenient and imposing to seek to live outside of the digital web that encapsulates our lives.

When we hear news akin to the Snowden allegations, it creates a strong level of fear within society. It engenders fear and concern over “Orwellian states” and the intrusion of “Big Brother” into our daily lives. We question (appropriately so) the efficacy, legality, morality, and need for such government efforts. By their very nature, thwarted terror attacks are similar to prevented crimes; it is difficult to prove efficacy and count the savings of such ventures. The public is often left weighing the level of perceived intrusion against a vague estimate of the level of gained security. The calculus of such estimations is imprecise and the interpretation of the equation’s outcomes is highly subjective.

What is lost in this discourse, however, is that in the Big Brother we ought to fear might be the corporate world, not the government. Consider the PRISM xKeyscore programs; the underlying data was not generated by the government, but by the telecommunications industry. If the meta-data used in PRISM was restrained in exactly what it contained (i.e., reflecting data on phone calls, but not actually capturing conversations), who would have the easiest pathway to more invasive data…the government or mobile service providers?

Consider briefly the act of reading a book. Conventionally, our reading habits were largely private because print based technology did not tell anyone much about our behaviors. At most, records might indicate what books we purchased from a retailer or checked out from a library, as well as when transactions occurred, how often, and for how long (in the case of library books). Beyond that, no one had an easy way to understand our actual reading habits. Did we actually read the books? At what pace? Did we finish those we started? Did we read the mystery novel its natural progression, or did we read the last chapter first to understand “who dunnit”?

Digital books and e-readers fundamentally modify this situation. In addition to tracking what was previously known, these technologies open the black box into our actual reading habits. Publishers can now access information about when, where, how, and how long we spend reading their works. This data can be tied to other data about our usage of both the reader and, perhaps, other associated devices. There is still a margin of error in these processes. All four members of my family read books on the tablet that my provider has registered under my name, although I’m the only one who also reads those books on his mobile phone.

The PRISM and xKeyscore programs raise a huge number of questions for national security, privacy, and civil liberties. But they also foreshadow what may be a growing list of parallel questions of relevance to state and local law enforcement in the United States. What boundaries should we draw around the rights and responsibilities of law enforcement agencies as they access individual and, perhaps, aggregated data from private corporations? Should the standard for accessing such data be generalized suspicion (the apparent approach in PRISM) or individualized suspicion (the more common standard for local law enforcement investigations)? More broadly, should corporations be able to share such forms of information with the government? Should US citizens have greater digital privacy rights? How much evidence do we need as citizens that these types of programs produce security gains necessary to offset privacy loses and the potential for abuse?