Asymbol of American prosperity was obliterated on September 11, 2001, along with more than 3,000 innocent American lives. It is a day (in the words of President Roosevelt after the attack on Pearl Harbor) that will live in infamy.
9/11 was a dark day that continues to cast a long shadow on the lives of affected Americans. It was also a dark day for privacy in America. Just 45 days after UA 175 and AA 11 hurtled into the towers, the USA PATRIOT Act hurtled through congress unabated, and virtually undebated. Just one day after its introduction on October 23, 2001, the Patriot Act passed in the house by a margin of nearly 300 votes; before moving on to 98–1 approval in the Senate on October 25th.
USA PATRIOT stands for ‘Uniting and Strengthening American by Providing Appropriate Tools Required to Intercept and Obstruct Terorism’. According to Wikipedia, 23-year-old Congressional staffer Chris Cylke was responsible for drumming up this impressive euphemism. Big brother would be proud, Chris.
After 9/11, every formerly basement dwelling American flag was dusted off and proudly flown. Going for a fall drive in 2001 was to experience a patriotic-kaleidoscopic Red White and Blue backdrop-ed against the ever-green American suburban lawn.
Given the overflow of national pride at the time, there was scarcely a democratically elected lawmaker in the land with the requisite lack of regard for job security to publicly scrutinize this legislation.
The USA PATRIOT Act, as it turned out, authorized unprecedented and expansive surveillance privileges to US Intelligence agencies and, despite nearly 20 years of distance between the events that spawned its creation, is still largely in place today.
As a highly simplified refresher, USA PATRIOT and concurrent amendments to the Foreign Intelligence Surveillance Act (FISA) (as revealed by Snowden) resulted in two major controversial communications surveillance programs (among many other smaller programs): PRISM and XKeyscore.
On one hand, the true scope of these programs is still being debated. And the accounts of their capabilities differ wildly depending on if you’re asking Snowden or the NSA. But there are enough now publicly available documents to be able to read through any face-saving cover up attempts by large, powerful intelligence agencies.
PRISM officially began in 2007 after President Bush signed an amendment to FISA called the Protect America Act (the trend continues). But PRISM was effectively in place since 9/11 but was challenged as illegal in court in 2006, and so rather than pause these monitoring activities deemed unpalatable by the public courts, US intelligence opted to turn on incognito mode.
PRISM meant agents for the NSA, FBI, CIA, DIA etc. could unilaterally access data and perform “extensive, in-depth surveillance on live communications and stored information”. Technically speaking, US intelligence positioned themselves behind the encryption servers of Microsoft, Google, Yahoo and many other tech companies to read data before it was ultimately encrypted and sent off to users.
This was worse than mere surveillance. It was telling the world your data is secure via the magic of “encryption” while feeding every raw and exposed data packet right into a cavernous government database instantly and eminently searchable by thousands of agents.
Such public-private covert collaboration (perhaps ‘coercement’ is a more charitable term from the perspective of tech giants) highlights the need for true peer-to-peer or end-to-end encryption instead of trusting central tech providers to manage your data and secure it. There are always conflicting demands on organizations as large as Google and Microsoft that do not always correspond to ‘Joe users’ needs and desires.
Do not listen to companies who claim “end-to-end” encryption but really mean “client-to-server” encryption. For example, The Verge published a recent expose on Zoom’s data privacy practices demonstrating they actually have access to video data that sits behind the point where data gets encrypted and sent out to customers.
The importance of the distinction between client-to-server and end-to-end encryption cannot be overstated. The below graphics highlight the key differences and the privacy implications that correspond to these differences.
(Source: Wickr).
(Source: Wickr).
XKeyscore was an even more ambitious system that listened to and forwarded internet data at the layer of the internet’s infrastructure itself: with listening devices installed inside cross-national fiber optic cables. The specific capabilities of the system were described by Edward Snowden in an interview:
‘You could read anyone’s email in the world, anybody you’ve got an email address for. Any website: You can watch traffic to and from it. Any computer that an individual sits at: You can watch it.’
The core capabilities of XKeyscore are analogous to the private website analytics tool ‘Hotjar’ which allows marketers to play back website sessions, seeing everything from where your mouse moved to what you clicked on. Except, instead of just operating on a single site, this capability was extended across the entire internet, and accessible live and at a moments notice by US intelligence.
There are some who feel this level of surveillance is unacceptable no matter the benefits to national security. But what were the impacts of these programs that buried themselves deep inside the private lives of each and every western internet user?
General Keith B. Alexander, a now retired 4-star general who served as director of the NSA cited 54 ‘terrorist activities disrupted’ as a result of information collected by surveillance programs operating under Section 215 of the Patriot Act and Section 702 of the Foreign Intelligence Surveillance Act of 1978 (FISA) (the specific programs Snowden revealed publicly in 2013).
54 sounds like a lot. And it is. But it’s important to consider that the tens of billions of dollars US intelligence agencies spent collecting and parsing this data was at the expense of traditional methods of anti-terrorist work. It also leads to information overload that many have pointed out makes the work of US intelligence less effective.
From a 2015 ZDNet interview with NSA Whistleblower William Binney, a former NSA official who spent more than three decades at the agency:
“an analyst today can run one simple query across the NSA’s various databases, only to become immediately overloaded with information…That’s why they couldn’t stop the Boston bombing, or the Paris shootings, because the data was all there,”
The information overload leaves analysts looking for a needle in a haystack.
The parallels between post 9/11 terrorism surveillance and present day COVID spread monitoring may seem tenous at first. But the core question of public safety vs. individual sovereignty and right to privacy remains the same. The only difference is these are public health officials instead of US intelligence officials pitching a need to access more data. Even if that data is highly personal and even sensitive.
“I looked at this data and thought a little bit about this being a modern day Patriot Act — a dramatic move really quick in reaction to 9/11. I think that’s kind of what you’re seeing in the public — a lot of bipartisan support for some pretty aggressive moves by the government to curb the spread of coronavirus,”
What are the programs on the table today to use mass data to increase transparency and offer insight to public health officials?
In a recent op-ed for the International Business Times, Raullen Chai, a Co-Founder of IoTeX called out some of the potential privacy invasions on the table:
“In Israel, the government has authorized its security service to track mobile-phone location-data of people suspected to have coronavirus using techniques originally deployed for anti-terrorism surveillance. China took advantage of facial-recognition systems to trace people’s movements in its anti-virus fight. And the United States is engaging in public-private partnerships with the likes of Palantir, a data-scraping company known for its predictive policing tools…U.S. President Donald Trump directed anxious Americans to Google’s Project Baseline, citing that it would help with coronavirus. But the Terms & Conditions state: “If you withdraw your consent, information that has already been gathered will be retained. Once you join, your membership could last indefinitely, or could be ended at any time without your permission.”
Recent developments point to even more expansive surveillance steps. The $2 Trillion Coronavirus relief bill includes some $500 million for tracking and data collection, as reported by Wired and others. The CDC must produce a report before the end of April outlining a new public health data surveillance system and modernized analytics infrastructure.
As quoted in Wired, Jake Laperruque from the project on government oversight said of the initiative: “I could definitely see it being used to build out infrastructure for things like location tracking, cell phone tracking tools, [or] social media monitoring tools.”
“I could definitely see it being used to build out infrastructure for things like location tracking, cell phone tracking tools, [or] social media monitoring tools.”
How do Americans feel about these initiatives in light of the Snowden revelations and what many have called the increasingly privacy aware public?
IoTeX ran a poll of it’s US based community, which is undoubtedly biased towards privacy conscious individuals (indicating these results may actually underrepresent the true COVID-19 related change of sentiment among Americans) and uncovered the following results.
Most notably, nearly 50 % of the US based respondents said they would be comfortable letting the government track them if it meant helping reduce the spread of COVID-19. Roughly 1 / 3rd of respondents felt the same way about using a Google owned COVID-19 diagnostic test.
How does this data compare with pre-COVID levels of privacy concern? Cross-referencing this data with Pew research results from June-2019, we produced the following graphic. Notably, we found an absolute increase of 13 % and a relative increase of over 63 % of the feeling that the benefits of companies collecting data on them outweighed the risks.
For governments? The change was an absolute rate of 14 % or a relative change of over 41 %.
Desperate times call for desperate measures. And there is no question that COVID-19 descending upon the world has brought on desperate times. The question then turns to how much of a privacy trade off is appropriate given the public health benefits?
Under the PATRIOT Act, we saw how this cost-benefit analysis can get badly distorted, and in many ways the measure(s) did more harm than good even before considering the sweeping infringements on American civil liberties (namely privacy).
I believe we are facing a similar cost-benefit analysis that if we are not careful, will ultimately do more harm than good. There is a false dichotomy between privacy and public health that may undermine civil liberties for years and even decades to come.
Yuval Noah Harari (author of Sapiens) made the case in a recent op-ed in the Financial Times that:
“Asking people to choose between privacy and health is, in fact, the very root of the problem. Because this is a false choice. We can and should enjoy both privacy and health.”
In reality, we are confronted with scientific facts about social interactions and the requisite public health implications of these actions all the time. We are capable of making decisions as individuals without having central authorities put a gun to our heads or a tracking device around our ankles to enforce them.
“Asking people to choose between privacy and health is, in fact, the very root of the problem. Because this is a false choice. We can and should enjoy both privacy and health.” — Noah Yuval Harari
Ultimately, our cell phones, wearables and devices need to be end-to-end encrypted, and handed over for us to control. Government needs to trust individuals to digest scientific information and decide what makes sense for them. In other words, preserve the democratic processes that have undergirded the rise of prosperity globally over the last century.
This is no time to throw away civil liberties and trust. These are the very principles that have allowed us to prosper, and we cannot abandon them when the going gets tough.
WRITTEN BY
Dean Patrick
Previously published at https://medium.com/@deanpatrick_63570/data-privacy-in-the-time-of-coronavirus-195e0409a2c2