The Corporate Roots of the NSA Spying Controversy

The feds wouldn't be able to accumulate this data if private companies weren't already doing it.

By SHARE
(iStockPhoto)
Apps such as Seecrypt allow users to send encrypted text messages and make encrypted calls to other users of the app.

Yesterday, President Obama for the first time publicly addressed the controversies surrounding the National Security Agency’s Internet snooping, noting that there’s an important discussion to be had about the balance between security and liberty in a free country. “I welcome this debate,” he said.

I wonder, though, whether this debate is too narrowly drawn: Is the nub of the problem too much government surveillance or too much surveillance, period? After all, the government wouldn’t be able to so easily accumulate all this data on private citizens if private companies weren’t collecting it first.

In case you live under a rock, the kerfuffle involves a pair of National Security Agency programs. In one the agency spent years collecting the nation’s phone records – who called whom when and from where. In the other, codenamed PRISM, it has reportedly mined data – emails, chats and photographs, for example – of ostensibly foreign targets from prominent Internet providers like Microsoft, Yahoo, Google, Facebook, AOL and Apple, to name a few. (For their part, these companies have issued various types of denials regarding their cooperation in the program.)

[ Read the U.S. News debate: Should Americans be worried about the NSA's data collection?]

But as I said, the government surveillance, which is deeply unsettling, raises a larger question about corporate surveillance. Amie Stepanovich of the Electronic Privacy Information Center points out that none of the information in question would be sharable if Internet and telecommunications companies encrypted it to protect privacy. In other words, it’s not a given that corporations must collect vast amounts of information from and about us. But failing to do so wouldn’t be good for business.

Somebody's watching you. As security technologist Bruce Schneier has written, “ The Internet is a surveillance state.” The mere act of visiting websites means you’re being tracked whether you’re aware of it or not. “Click tracking is a huge source of personal data that most people aren’t aware is being collected,” says Stephen Wicker, a Cornell University professor and author of the forthcoming “Cellular Convergence and the Death of Privacy.” He adds that “sites that you would think are relatively benign are actually hosting third party click trackers that take this data and then resell it.”

Indeed, earlier this year The Atlantic’s Alexis Madrigal dug into the world of Internet tracking and discovered 105 companies that had tracked him in a 36-hour period of normal Web surfing. “Every move you make on the Internet is worth some tiny amount to someone, and a panoply of companies want to make sure that no step along your Internet journey goes unmonetized,” he wrote. (Full – or at least partial – disclosure: I do not know whether and to what extent usnews.com employs click trackers.)

Or consider the big data kid on the block: Google. Many people probably view the company as a search engine, or a map provider, or a mobile phone company or a cloud repository for documents. What Google is, in fact, is a data collection company: It collects data on you 15 ways to Sunday, sorts it, chops it up and sells it. And as Robert Epstein pointed out on this site in May, it’s not just when you’re using the Google search engine or Gmail (though it is assuredly the case then).

The Internet behemoth is collecting information on you whether you know it or not and whether you’re using its products or not. Using Safari or Firefox? Both web browsers, Epstein wrote, use Google’s blacklist, “an ever-changing list of about 600,000 websites that Google's bots have identified – sometimes mistakenly – as dangerous. No government agency or industry association ever gave Google the authority to maintain such a list, but it exists, and Firefox uses it.” So does Safari. If you’re visiting a website that uses Google analytics (and most major sites do) or is serviced by Google ads or has Google maps embedded in it then Google, as Epstein writes, has gotcha.

[ Blog Buzz: No secrets on the Internet?]

But Google’s the “Don’t be evil” company, right? (After all, they’ve just gotten Vince Vaughn and Owen Wilson to star in a two-hour movie-cum-commercial.) And don't all major social media platforms have privacy policies to protect consumers? Maybe. But in the last few years Google, Facebook and MySpace (remember that site?) have reached settlements with the Federal Trade Commission for charges related to how they handled users’ personal and private data.

The spy in your pocket. And that doesn’t even get into the personal, portable surveillance tools practically everyone in the country voluntarily carries around with them: mobile phones and other wireless devices. Pew Research reported this week that for the first time a majority of Americans own a smart phone of some kind, while fully 91 percent of the adult population now owns some flavor of cell phone. (The wireless industry lobbying group CTIA reports that wireless devices have now reached 102 percent penetration in the U.S. and its territories, which means that the machines now outnumber the people.)

And if you’re using your mobile phone, you’re being tracked. “I don’t think people realize they’re revealing their location to their carrier just by using their device,” says Ashkan Soltani, an independent privacy researcher and consultant. A 2011 investigation by the Wall Street Journal (on which Soltani consulted) found that Apple and Android smart phones routinely send location information, including information about local Wi-Fi networks, back to Apple and Google. Separately, the Journal reported in 2011, Apple’s iPhone collected and stored location data even when users had turned off “location services” – which is to say when they thought they had opted out of being tracked.

[ Read Susan Milligan: Blame Congress, not Obama, for NSA surveillance.]

Why? This information is a potential treasure trove for these companies. From the Journal:

Google and Apple are gathering location information as part of their race to build massive databases capable of pinpointing people’s locations via their cellphones. These databases could help them tap the $2.9 billion market for location-based services – expected to rise to $8.3 billion in 2014, according to research firm Gartner, Inc.

Google uses this information to help show on its maps where automobile traffic is especially heavy or light. Verizon sells aggregate location data to advertisers, according to Soltani, so they can know where to place billboards. The wireless companies' viewpoint, according to Soltani, is “we got this information for free, let’s use it for this other use-case, which is the marketing data.”

And there are a lot of companies trying to get a piece of this financial pie. In another story, the Journal surveyed 101 popular iPhone and Android apps and found that “56 transmitted the phone’s unique device ID to other companies without users’ awareness or consent. Forty-seven apps transmitted the phone’s location in some way. Five sent age, gender and other personal details to outsiders.” As Soltani told a Senate subcommittee in 2011, “applications can access and transmit data which includes text messages, emails, phone numbers, contacts stored and even browser history stored on the device.”

[ Take the U.S. News Poll: Should the Government Stop Collecting Phone Records?]

So if you woke yourself up this morning with an alarm clock app on your phone, the instant it went off, says Soltani, not only did it transmit noise to your ears but location data back to people you don't know. “There are times where there are 50 or 100 third parties – companies that you’ve never had a relationship with – who are able to monitor your … activities,” he says.

Not big on apps? Consider your next visit to the local mall. Carriers and other companies are installing sensors around shopping malls, Soltani says, allowing them to track where people are lingering, what’s popular and what’s not, analytics that then go to the mall.

Perverse incentive. All of this creates what Soltani calls a “perverse incentive that creates this worst case scenario for consumers.” Companies have an incentive to collect and keep user data; and that trove proves an irresistible target for the government in its ongoing war on terrorists.

[ Read Peter Fenn: Throwing America's privacy under the bus]

Which brings us back to the current uproar over the NSA’s data collection and data mining. The outrage is justified, as is the broader concern about how the cult of secrecy has infected and distorted the government. But there is something somewhat comforting to the notion that government agencies are ultimately responsible to the voters, even if that process has become calcified and overly complex.

But the surveillance state is built upon its corporate counterpart. And who watches those watchers?