How to Disappear (almost) Completely: the illusion of privacy
Can anyone ever really leave the internet? And if you had the choice, is that something that you'd want to do? After all, abandoning the connected world might help you reclaim some privacy, but even if you smashed your PC, burned your tablet and tossed your smartphone, you might still not be able to escape constant surveillance. In our three-part series How To Disappear, we're going to look at why you'd think about going offline, what you can do to tidy up your digital footprint and what happens to those who have made the leap into the darkness.
Back in 2009, Wired sent contributing editor Evan Ratliff on assignment to go "off the grid," with the publication offering a bounty of $5,000 to the first person who caught him. It took the community less than a month to track him down using the electronic trail left by his ATM history, travel records and browsing activity. This effort wasn't led by some obscure government organization either, but by a group of ordinary members of the public participating in a competition. That well-funded game of cat and mouse took place five years ago, and with advances in technology since, it's safe to assume the hunt would be much easier to complete today. Which is all the more reason we need to take a long, hard look at how we live our lives online.
Pamela Jones is a paralegal based in New York City who worked part-time editing Groklaw, a website that reported on legal news around the open-source movement. But on August 20th, 2013, Jones left the internet forever. She would never again browse websites, correspond with her former collaborators or idly browse Amazon in her downtime. Why? Because she, like the rest of us, had learned the terrible truth about the National Security Agency's PRISM program. Suddenly, online privacy was a commodity that no longer existed.
Two months before Jones fled her digital life, government contractor Edward Snowden had leaked the files that would send a shockwave through the media, causing worldwide alarm. The NSA's PRISM program, it was revealed, was harvesting all of our emails, videos, photos and VoIP data from the servers of companies like Microsoft, Google and Yahoo, whether they knew about it or not. That data harvesting was done in the name of counter-terrorism: Scores of analysts at the NSA's Fort Meade headquarters were scouring through our online histories to identify and track known criminals and suspicious persons of interest.
Edward Snowden photographed in Hong Kong.
Then, more cracks in our perceived privacy began to show. It wasn't just our online activity that was being scrutinized, as it was soon revealed the US security agency was also bulk-collecting the phone records of every US citizen. Former NSA chief General Keith Alexander defended that policy during an appearance on HBO's Last Week Tonight with John Oliver, saying that his team was merely collecting "two phone numbers, date, time and duration of [the] call." In other words, the NSA wasn't transcribing your every word; it was just innocently keeping records of our metadata.
That form of surface snooping may come off as innocuous, but the fact is, simple metadata records can be used to easily draw conclusions about your activity; to "connect the dots," so to speak. Consider this example of the power of metadata from the Electronic Frontier Foundation, a nonprofit that advocates for our digital rights: You make a phone call from a bridge to a suicide prevention hotline. The contents of the call aren't recorded, but your location is. And well, the general purpose of that call is, more or less, clear. Or ponder this: A person's file shows that they spoke to an HIV-testing service, a doctor and their HMO all within the space of an hour. Again, none of the conversations have been logged, but is it really even necessary? What conclusions would you naturally come to?
The revelations of our digital insecurity didn't stop at pilfered web and phone call histories, either. Months later, news hit that national retailers had left our private information wide open for criminal use. Over the 2013 holiday season, Target revealed that 40 million credit and debit card numbers were stolen from the company's servers. And then shortly after, the company conceded that the data breach also leaked the names, addresses, phone numbers and email addresses of up to 70 million people. Neiman Marcus was next, announcing a similar breach that leaked 60,000 data entries and around 350,000 credit card numbers between July and October of 2013. Then Michaels, a US arts-and-crafts supply store, revealed in April that around 2.6 million of our credit card numbers may have been compromised. Are you sufficiently paranoid yet?
But wait, there's more. If it wasn't bad enough that the government had violated our privacy and the nation's retailers had left us open to fraud, a vulnerability was then discovered that shook the fundamental infrastructure of the internet. Heartbleed, as it was called, enabled hackers to easily access both secure servers and your password at the same time. Essentially, every time you logged in to a site, you could have been handing your email address and password over to anyone savvy enough to scrape it. Heartbleed was a nightmare for almost every company on the internet that had relied upon open-source security protocols in the hope of avoiding this exact problem. Many scrambled to fix the hole, which was found in around 18 percent of all internet servers, but by that point it was too late. The backdoor had been left open for too long.
And it's not like this increasing trend toward insecure data is going to improve in the next few years. David Barroso, who runs Telefónica's security business Eleven Paths, is concerned that the next vulnerability will be even more detrimental to the privacy of internet users. Barroso fears Branch Distribution Points, the facilities that control a nation's internet infrastructure, are next on the list of potential targets. And if someone manages to gain access to these BDPs, Barroso believes they'd be able to make man-in-the-middle attacks on a near-global scale.
It makes you wonder if the illusion of privacy is even worth upholding anymore. Why bother hiding when another leak, another break, another vulnerability is lurking just around the corner? Perhaps we should just heed the advice of Nathan Borenstein, the original inventor of email and now chief scientist at Mimecast: "It behooves us as individuals to behave as if the battle is lost, and privacy is dead."
It very well may be.
[Image credit: Glenn Greenwald and Laura Poitras/AP Photo/The Guardian (Snowden); Kurt Opsahl/Electronic Frontier Foundation/'Through a PRISM, Darkly' (EFF Slide)]