Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World

anonymity is valuable for all the reasons I’ve discussed in this chapter. It protects privacy, it empowers individuals, and it’s fundamental to liberty.

As former NSA general counsel Stewart Baker said, “Metadata absolutely tells you everything about somebody’s life. If you have enough metadata you don’t really need content.

By 2010, we as a species were creating more data per day than we did from the beginning of time until 2003. By 2015, 76 exabytes of data will travel across the Internet every year.

Data is the pollution problem of the information age, and protecting privacy is the environmental challenge.

Embedded in digital photos is information such as the date, time, and location—yes, many cameras have GPS—of the photo’s capture; generic information about the camera, lens, and settings; and an ID number of the camera itself. If you upload the photo to the web, that information often remains attached to the file.

Estimates put the current number of Internet-connected devices at 10 billion.

Following someone covertly, either on foot or by car, costs around $175,000 per month—primarily for the salary of the agents doing the following. But if the police can place a tracker in the suspect’s car, or use a fake cell tower device to fool the suspect’s cell phone into giving up its location information, the cost drops to about $70,000 per month, because it only requires one agent. And if the police can hide a GPS receiver in the suspect’s car, suddenly the price drops to about $150 per month—mostly for the surreptitious installation of the device. Getting location information from the suspect’s cell provider is even cheaper: Sprint charges law enforcement only $30 per month. The difference is between fixed and marginal costs. If a police department performs surveillance on foot, following two people costs twice as much as following one person. But with GPS or cell phone surveillance, the cost is primarily for setting up the system. Once it is in place, the additional marginal cost of following one, ten, or a thousand more people is minimal. Or, once someone spends the money designing and building a telephone eavesdropping system that collects and analyzes all the voice calls in Afghanistan, as the NSA did to help defend US soldiers from improvised explosive devices, it’s cheap and easy to deploy that same technology against the telephone networks of other countries.

former NSA director Michael Hayden: “Give me the box you will allow me to operate in. I’m going to play to the very edges of that box. . . . You, the American people, through your elected representatives, give me the field of play and I will play very aggressively in it.

For years, well before consumer tracking became the norm, Radio Shack stores would routinely ask their customers for their addresses and phone numbers. For a while I just refused, but that was socially awkward. Instead, I got in the habit of replying with “9800 Savage Road, Columbia, MD, 20755”: the address of the NSA.

Google controls two-thirds of the US search market. Almost three-quarters of all Internet users have Facebook accounts. Amazon controls about 30% of the US book market, and 70% of the e-book market. Comcast owns about 25% of the US broadband market. These companies have enormous power and control over us simply because of their economic position. They all collect and use our data to increase their market dominance and profitability. When eBay first started, it was easy for buyers and sellers to communicate outside of the eBay system because people’s e-mail addresses were largely public. In 2001, eBay started hiding e-mail addresses; in 2011, it banned e-mail addresses and links in listings; and in 2012, it banned them from user-to-user communications. All of these moves served to position eBay as a powerful intermediary by making it harder for buyers and sellers to take a relationship established inside of eBay and move it outside of eBay.

Google knows more about what I’m thinking of than I do, because Google remembers all of it perfectly and forever.

If something is free, you’re not the customer; you’re the product.

If you have nothing to hide, then you have nothing to fear.” This is a dangerously narrow conception of the value of privacy. Privacy is an essential human need, and central to our ability to control how we relate to the world. Being stripped of privacy is fundamentally dehumanizing, and it makes no difference whether the surveillance is conducted by an undercover policeman following us around or by a computer algorithm tracking our every move.

In 2014, former NSA and CIA director Michael Hayden remarked, “We kill people based on metadata.

Innocents and criminals alike use cell phones, e-mail, and Dropbox. It rains on the just and the unjust.

In the 17th century, the French statesman Cardinal Richelieu famously said, “Show me six lines written by the most honest man in the world, and I will find enough therein to hang him.” Lavrentiy Beria, head of Joseph Stalin’s secret police in the old Soviet Union, declared, “Show me the man, and I’ll show you the crime.” Both were saying the same thing: if you have enough data about someone, you can find sufficient evidence to find him guilty of something.

I used to say that Google knows more about what I’m thinking of than my wife does. But that doesn’t go far enough. Google knows more about what I’m thinking of than I do, because Google remembers all of it perfectly and forever.

Lavabit was an e-mail service that offered more security privacy than the large corporate e-mail services most of us use. It was a small company, owned and operated by a programmer named Ladar Levison, and it was popular among the tech-savvy. It had half a million users, Edward Snowden amongst them. Soon after Snowden fled to Hong Kong in 2013, Levison received a National Security Letter demanding that the company turn over the master encryption key that protected all of Lavabit’s users—and then not tell any of its customers that they could be monitored. Levison fought this order in court, and when it became clear that he had lost, he shut down his service rather than deceive and compromise his customers. The moral is clear. If you run a business, and the FBI or the NSA wants to turn it into a mass surveillance tool, it believes that it is entitled to do so, solely on its own authority. The agency can force you to modify your system. It can do it all in secret and then force your business to keep that secret. Once it does that, you no longer control that part of your business. If you’re a large company, you can’t shut it down. You can’t realistically terminate part of your service. In a very real sense, it is not your business anymore. It has become an arm of the vast US surveillance apparatus, and if your interest conflicts with the agency’s, the agency wins. Your business has been commandeered.

Mug shot extortion sites turn this sort of thing into a business. Mug shots are public record, but they’re not readily available. Owners of mug shot sites acquire the photos in bulk and publish them online, where everybody can find them, then charge individuals to remove their photos from the sites.

One of the most surreal aspects of the NSA stories based on the Snowden documents is how they made even the most paranoid conspiracy theorists seem like paragons of reason and common sense.

Our relationship with many of the Internet companies we rely on is not a traditional company–customer relationship. That’s primarily because we’re not customers. We’re products those companies sell to their real customers. The relationship is more feudal than commercial. The companies are analogous to feudal lords, and we are their vassals, peasants, and—on a bad day—serfs. We are tenant farmers for these companies, working on their land by producing data that they in turn sell for profit.

Privacy is an inherent human right, and a requirement for maintaining the human condition with dignity and respect.

Privacy is an inherent human right, and a requirement for maintaining the human condition with dignity and respect. It is about choice, and having the power to control how you present yourself to the world.

Surveillance makes us feel like prey, just as it makes the surveillors act like predators.

The most common misconception about privacy is that it’s about having something to hide. “If you aren’t doing anything wrong, then you have nothing to hide,” the saying goes, with the obvious implication that privacy only aids wrongdoers.

Those of us who fought the crypto wars, as we call them, thought we had won them in the 1990s. What the Snowden documents have shown us is that instead of dropping the notion of getting backdoor government access, the NSA and FBI just kept doing it in secret.

We kill people based on metadata.

we tend to focus on rare and spectacular threats and ignore the more frequent and pedestrian ones. So we fear flying more than driving, even though the former is much safer. Or we fear terrorists more than the police, even though in the US you’re nine times more likely to be killed by a police officer than by a terrorist.

Workforces are flexible, jobs are outsourced, and people are expendable. Moving from employer to employer is now the norm. This means that secrets are shared with more people, and those people care less about them. Recall that five million people in the US have a security clearance, and that a majority of them are contractors rather than government employees.

You can think of the difference between tactical and strategic oversight as the difference between doing things right and doing the right things. Both are required.