Cyber privacy–what it is, and what it isn’t

There has been a lot of chatter recently throwing around the term privacy in ways that are misleading and unhelpful. For example, US Court of Appeals judge Richard Posner recently stated at a cybercrime symposium held at Georgetown:

Much of what passes for the name of privacy is really just trying to conceal the disreputable parts of your conduct,” Posner added. “Privacy is mainly about trying to improve your social and business opportunities by concealing the sorts of bad activities that would cause other people not to want to deal with you.

Posner questioned why smartphone users need legal protections, saying he doesn’t understand what information on smartphones should be shielded from government searches. “If someone drained my cell phone, they would find a picture of my cat, some phone numbers, some email addresses, some email text,” he said. “What’s the big deal?

Even allowing Judge Posner a degree of latitude for rhetorical effect here, these comments border on willful ignorance and dangerous naivete. (Georgetown law prof David Cole called Posner “short-sighted.”) Judge Posner is naive because he assumes zero bad actors in his scenario, which is not the reality of the cyber landscape (and hasn’t been for some time). So-called “active defense” or offensive cyber attacks have been occurring for many years, on all sides (China and the USA are reputedly the most aggressive).

Second, everybody has something to hide. If the judge disagrees he can email me his credit card numbers and passwords along with permission to publish them, or do so himself. (At least he didn’t say “it’s just metadata.”)

Third, privacy has value and can be monetized. I wonder why the judge is willing to give this up without compensation or other controls? He speaks of “draining” his smartphone for example. But by building up a series of geolocations from his smartphone I could gain actionable information from the story it tells. Geolocation and the mobile are the emerging battlegrounds for valorization of social content. Privacy is a business model.

Fourth, privacy is not anonymity. There are ways of credentialing identity without compromising privacy, just as there are ways of providing information in more targeted ways (eg through encryption, an often overlooked but hugely critical aspect of cyberspace). But these may not be available to all, depending on where you dwell in cyberspace. Shane Harris’ @ War is the most credible report on cyber warfare I’ve read for a while and everyone should at least read his final chapter. He envisages safe zones for some, where you have credentials, but that “anonymity and collective security may be incompatible in cyberspace” (p. 226).

As importantly as all these however is that privacy is not a thing or condition, but a practice or process. One does not have privacy but rather one practices privacy, to a greater or lesser degree. If you don’t practice it you don’t get to keep it. If you prefer, privacy is a series of relations. Trust will require some oversight or transparency. At the moment we are in a highly asymmetrical set of relations with government and corporations. They demand great insight into our privacy but provide remarkably little about themselves. This inequality is neither sustainable nor compatible with democracy. The bad faith by the Obama administration in releasing the so-called torture report on enhanced interrogation and rendition (with Sec State Kerry calling Dianne Feinstein on Friday to essentially blame her for any negative outcomes) is just one example.

But above all we should continue the struggle over the corporatization of our privacy. Companies like Google are basically private versions of the NSA. Similar to the way the Hubble space telescope is just a spy satellite turned the other way, so Google is basically an inverted security service. When you think of Prism/Sec 702 of FISA and the secret government “backdoors” think of that blinking cursor in the Google search box.

By extension, cyberspace may be redefining what is sovereignty away from the government nation-state. According to the classic Weberian formulation, those that have a monopoly on violence are sovereign. But it’s clear that cyber warfare is going to be carried out by non-government actors more so than by the government. (Harris particularly has his eyes on the banks as major actors here.) Presently “hacking back” is illegal (eg Sony can’t retaliate for its recent data losses even if it knew who the culprit was). But is that really a sustainable jus in bello? And what about first strike capability or “offensive defense”? These are as, if not more capably carried out by companies such as Mandiant/FireEye, not to mention the grey market of zero-days and other attack vectors. When Eisenhower warned of the military-industrial complex most people hear the “military” part and ignore the “industrial” part.

Ultimately this is not about Judge Posner but of the many who speak like him, and urge us to give up our privacy in the name of security. Perhaps it’s time to ask why it’s people/organizations in positions of security and little oversight who are so quick to ask others to give up their privacy so they can exploit it.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s