Written by Dr Carissa Veliz
This article first appeared in El Pais
Time and again, we have been sold the story that we need to give up privacy in exchange for security. According to former NSA security consultant Ed Giorgio, ‘Privacy and security are a zero-sum game’—meaning that for every increase in one, there is a decrease in the other. The go-to argument to justify mass surveillance, then, is that sacrificing our privacy is necessary for government agencies to be able to protect us from the bad guys.
Shielding themselves with the righteous justification of protecting people, the NSA set out to hack the Internet in order to better surveil. In addition to developing their own hacking tools, they also went about stockpiling what are called ‘zero-day’—or unpublished—vulnerabilities. Vulnerabilities are mistakes or cracks in the design of websites and systems that allow intruders. Both criminals and intelligence agencies exploit vulnerabilities in order to hack their way into computers, steal passwords, eavesdrop, and so on. Exploiting vulnerabilities is useful for collecting and accessing data. When someone discovers a vulnerability, they can alert the relevant institution so that it can be patched and its details published so that others can learn from the experience. They can also keep it to themselves to exploit it now or in the future, or they can sell it to other hackers who want to take advantage of it. The NSA hoards zero-day vulnerabilities in case they might be useful in the future, thereby leaving institutions susceptible to attacks. Finally, the NSA inserts ‘backdoors’ (or deliberately created vulnerabilities) into commercial IT software and hardware.
Years ago, security and privacy experts such as Bruce Schneier warned that the problem with vulnerabilities is that they not only allow access to the government, but to anyone who finds them. But the NSA didn’t pay heed to warnings. Now, its hubris has turned into humiliation. The team in charge of accumulating these hacking tools and keeping them secure, the Tailored Access Operations, lost them—and they don’t even know how. Whether it was Russian hackers that got to it, or an insider, what is clear is that the Pandora’s Box of hacking tools got stolen and sold piecemeal.
The result has been disastrous, and we have probably not seen the last of it. Millions of computers have been hijacked by ransomware (remember the WannaCry incident?); hospitals in the UK, the US, and Indonesia, had their operations interrupted; thousands of companies have been affected worldwide, costing them hundreds of millions of pounds.
There is little, if any, evidence to think that the NSA kept people safe, and plenty of evidence to see how it made the Internet dangerous. The lesson is clear: more often than not, privacy is a means to ensure security, and policies that undermine privacy often end up undermining security too. Therefore, be very suspicious of any scheme that purports to trade-off security against privacy. Your safety should not require you to surrender your privacy. On the contrary—protecting your privacy is one of the most effective ways to safeguard yourself.
So when Facebook asks you to send them your nude photos so they can keep you safe from exposure, think twice. The pilot programme seeks to ‘hash’ images to prevent attempts to upload the same photos. But if the NSA was not able to keep its hacking treasure trove safe from leaks, what are the hopes for Facebook?
Users are supposed to send their nude photos to Facebook through Messenger. Community operations analysts will then access the image and tag it. The photos will be stored for a “short period of time” on a database shared with Google and Twitter. What could possibly go wrong? Lots. For starters, Messenger is not the safest of messaging apps. Furthermore, we know nothing about these analysts and the measures, if any, used to constrain them. For all you know, the analyst accessing your most intimate pictures might be a twenty-year old eager to boast about his find with his friends (if NSA analysts did that, what would stop Facebook analysts from doing it too?). Then there’s the question of how long is a “short” while—the longer the riskier—and how to make sure photos have actually been deleted (Facebook would not be the first company to lie about such things). Finally, a database shared by the world’s largest online media corporations—who all profit from personal data—sounds about as private as being on the headlines of a newspaper. Beware trusting your most private photos to a company founded by someone who started his business by creating a database that rated women on their hotness without their consent.
No one can take better care of your privacy than yourself. Among other reasons, because no one except you has much to lose by its loss. Don’t let anyone trick you into relinquishing your privacy for an illusion of safety. It’s not worth it.
The privacy we enjoy now has in no small part been constructed by technology. The buildings we live in, communications systems, transport, banking and finance, etc. are technologies that have been constructed and maintain our privacy. But the age of the privacy technologies is coming to an end as we give up our privacy for connectivity and convenience. This, of course, is matched by governments that are massively increasing their surveillance technologies in the name of security. Within a generation or two, privacy as many of us understand and ‘live’ it, may be thought of as a remote historical “thick” concept in much the same way the concept of chivalry is to us now.
Given that privacy, and of course autonomy, were constructed without any loss of security, there can be no zero-sum game at play. Indeed, during its construction, privacy has for the most part increased our security and the security of democratic states.
Comments are closed.