Regulation - What is it Good For?

Companies Choose Sides on Surveillance Legislation

There is a battle brewing on Capitol Hill over the future of data security and surveillance. The proposed law is called Cisa (Cybersecurity Information Sharing Act). A summary of the bill is here.

A lot of the large tech companies like Apple, Amazon, Google, Microsoft, Dell, Netflix, Oracle, Twitter, Yahoo, and Wikipedia have come out against the proposed law. But on the other side, in favor of the legislation, are a few tech companies and the large carriers such as AT&T, Verizon, Comcast, Cisco, HP, and Intel.

In a nutshell, the legislation replaces the former NSA surveillance program with a program under the Department of Homeland Security. While a significant portion of the bill is aimed at creating a national cybersecurity policy, the legislation also allows for government surveillance of phone and data records very similar to what has been collected by the NSA. Interestingly, the Department of Homeland Security is not in favor of the bill and says that it sweeps away privacy protections.

One thing is clear through many polls: American citizens don’t like the idea of being spied on by the government. It’s an issue that polls consistently across political, religious, and age differences. And so, to a large degree, the tech companies against this surveillance are voicing what they hear from their customers. And not unexpectedly, many of the companies in favor of the legislation are those that profit significantly by handling the government surveillance work.

The biggest issue the opponents see in the bill that is that it requires that data gathered anywhere in the government then be shared with multiple federal agencies. I suppose this is a way to not let only one agency like the NSA gather and hold all of the data on citizens. But nobody believes that the government is capable of protecting all of the gathered data. In a recent discussion on the floor of the Senate, Senator Ron Wyden (D-Ore.) summarized this well, “There is a saying now in the cybersecurity field, Mr. President: if you can’t protect it, don’t collect it.” If the NSA couldn’t keep things secret, then how can multiple federal agencies protect against hacking and leaks?

Certainly the recent attacks on government personnel records are a good indicator of this. I have many friends who work in the government and they tell me that government computer and software systems are typically a few generations behind the commercial world, and due to the antiquated government purchasing process their systems are likely to always be behind.

I am certainly no security expert, but I do know that I don’t like the idea of the government gathering data about everyone. And I certainly don’t trust them to keep that data safe from hacking from the outside or abuse from the inside.

The other feature of the bill that is not very attractive is that it seems to put a lot of emphasis on creating a new government bureaucracy, which is likely to be nearly worthless in actually stopping cyberterrorism. The security fight on the web is already being fought by a number of web security companies and it’s a battle that changes daily. It just seems unlikely that government bureaucrats and policies can keep up with the real world security issues that require a daily fight against new viruses and new threats.

I’ve written a few times about how one of the biggest threats to the health of the web is government surveillance. It has already driven a lot of countries to erect firewalls around their country’s data. And it is driving people, and companies like Apple, to encrypt everything. It’s extremely naïve to think that the real terrorists in the world aren’t already fully encrypted and part of the dark web. I can understand the feeling that we have to do something about security, but gathering data about every citizen in the country and then sharing that across multiple government agencies doesn’t feel like the way to do anything but make us even more vulnerable.

Current News

AT&T and the NSA

It’s been revealed recently that AT&T has been the largest partner of the NSA in collecting data and spying on the Internet. A number of leaks came from the Edward Snowden data that points to AT&T and a lot of other evidence points to them as well.

It appears that AT&T has been a willing partner in surveillance activities since 1985, so this is not a new relationship, but one that has been ongoing for decades. It looks like AT&T is far larger than any of the other NSA partners.

The surveillance goes beyond just telephone records – something that started in a major way in the years after 9/11. All large phone companies have been required through the Patriot Act to submit phone records, and so naturally AT&T would comply just like the other big phone carriers.

But it appears that the NSA, with AT&T’s help, has been spying on Internet traffic for a very long time. AT&T certainly is a natural partner in this because they are one of the few companies that has always had a reason to be present at every major Internet hub in the country.

I have been a customer of AT&T’s for a long time. While their cellular service is significantly overpriced, it works in all of the places I have lived and traveled and I can’t recall ever having had a problem with them as a service provider.

But I wonder how much I should be bothered about this revelation. Part of me says that what AT&T did all these years was a good thing. Clearly the US security system must have a way to keep tabs on suspects in a world where terror is so prevalent. But today you have to wonder how much good all of this spying does. It seems like most of the ‘terrorist’ plots that have been uncovered in the US over the last decade have been misguided people who didn’t have the wherewithal to actually do any real harm. Actual terrorists are sophisticated enough to know that everything is being watched and certainly they have developed ways to avoid surveillance.

And then there is the realization that the NSA hasn’t just been watching the bad guys, but they have been spying on all of us. I don’t have anything in particular to hide, but I still don’t like the idea of the government watching me or the rest of us. And that is mostly because the government is not some nebulous force for good but is rather made up of regular people who are undoubtedly going to abuse the power this surveillance gives them. It’s inevitable that there will be abuses of power when regular people are given access to far more knowledge about people than they should have.

And so I’ve been considering if I should perhaps boycott AT&T as a quiet protest against what they have done and continue to do? But while they have been the largest partner in helping the government spy on us they are certainly not the only one. I have to imagine that the other large carriers all have some role in this as well. For instance, it’s clear in Snowden’s material that Verizon has been involved in this, just not to the extent of AT&T. In the carrier world our choices are limited and I doubt that any of the big carriers are totally clean in this. That would make a boycott somewhat hollow.

So I have really mixed feelings about this. I’ve read all of the science fiction stories that paint a picture of how surveillance eventually works to strangle any society. We have plenty of evidence of how this might look by looking back at the Soviet bloc or looking at places today like North Korea. It would be naïve to think that something like that couldn’t happen here. There would be an uprising in the US if the government tried to impose harsh rules on us in one big swoop, but if they just chip away at freedoms a little bit, day by day, we can eventually end up with a very restricted society. And surveillance is the number one tool that would allow the government to gain that kind of control. In some ways it feels like we have already started down that path.

The Industry

How We Deal with Surveillance

The fact that governments spy on us has been in the news a lot in the last two years since Edward Snowden revealed the extent of the US spying. It’s not just the US government; similar revelations have come out even in countries like Canada.

The folks at the Pew Research Center asked Americans how the knowledge that they are being watched has changed their behavior. Not surprisingly, a pretty large majority of people have made no changes. But the survey found that some people have changed their behavior, and here are some of the key findings in this survey:

  • 87% of people said that they had heard about the government surveillance. Only 31% said they had heard a lot about it and 56% said they had heard a little about it.
  • 34% of those who were aware of the surveillance had made at least one change to shield or hide their information from the government.
    • 17% changed their privacy settings on social media
    • 15% have used social media less often
    • 15% have begun avoiding apps that want access to their personal data
    • 14% say they are speaking to friends in person rather than communicating online or using the Internet
    • 13% uninstalled apps
    • 13% have edited themselves so as not to use what they consider to be sensitive terms online
  • Those who have made changes tend to be younger than 50 and also to be in the category of those who heard a lot about the surveillance, or who thought that the surveillance was not in the public’s interest.
  • Many people just cut back on using certain applications or have modified the way they use them. 18% did this with email, 17% with search engines, 15% with social media sites, 15% with cellphones, 13% with mobile apps, 13% with text messages, and 9% with landline phones.
  • 25% of people have started using more complex passwords.
  • Most people either do not know about or have not considered using tools that make it harder to track them. The percentages of people in these categories for various anti-surveillance tools include: 68% for search engines that don’t track you, 59% for email encryption software, 74% for browser plug-ins like DoNotTrackMe or Privacy Badger, 74% for proxy servers, and 70% for anonymity software like Tor.

The survey also asked how people feel about government surveillance and the results were mixed. 40% of Americans found it acceptable to monitor other Americans, 54% to monitor citizens of other countries, 60% to monitor leaders of both the US and of other countries, and 82% for monitoring ‘terrorists’.

Of those who are aware of the surveillance, 61% said that they are not confident that surveillance is serving the public interest. Republicans and those leaning Republican were more likely than Democrats to say they are losing confidence in surveillance.

In an interesting divide of opinion, 49% thought that courts were doing a good job of balancing the needs of intelligence against the rights to privacy while 49% thought they were not.

And finally, when asked how people felt about the government looking at their own personal data, 38% were concerned about emails, 39% were concerned about search engine results, 37% were concerned about cellphone usage, 31% were concerned about social media, and 29% were concerned about mobile apps.

I know I personally have cut way back on my viewing of cat videos. After all, I don’t want the government knowing I am a crazy old cat man (which unfortunately might be the case!).

Current News

Pew Research Privacy Studies

Pew Research recently took two separate looks at the issue of privacy. First, they conducted a survey to see how the general public in the US feels about on-line privacy. They also polled 2,511 “technology builders, researchers, managers, policymakers, marketers, analysts and those who have been insightful respondents in previous studies.”

Some of the more interesting results of the survey are as follows:

  • 91% of adults agreed that consumers have lost control of how personal information is gathered and used on the Internet.
  • 88% agree that it would be very difficult to remove inaccurate information about themselves online.
  • 80% who use social media are concerned that businesses are accessing what they share.
  • 64% thought the government should do more to monitor on-line advertisers.
  • 61% disagreed with the statement, “I appreciate that online services are more efficient because of the increased access they have to my personal data”.
  • But to show how mixed feelings are about online advertising, 55% agreed with the statement, “I am willing to share some information about myself with companies in order to use online services for free”. There must be people who agreed with this who also disagreed with the previous question.

There were also questions about government spying on Americans:

  • 95% were aware that the NSA is collecting telephone records and online records on everyone.
  • 80% were concerned that the government is monitoring phone calls and monitoring the Internet.
  • Only 36% agreed with the statement, “It is a good thing for society if people believe that someone is keeping an eye on the things they do online”.

People were asked which method of communications they felt most secure using. Following are the percentages of people that felt either somewhat secure or very secure: landlines – 67%; cellphones – 52%; email – 40%; text messages – 39%; IM or chat – 29%; and social media – 16%. These findings correlated well with knowledge of the NSA surveillance – the more somebody knew about the NSA the less secure they felt using communications.

Only 62% of people have ever used a search engine to look up their own name to see what is known about them on the Internet. 47% of people assume that people they meet will look them up. Only 6% of people have set an automatic alert to notify them when their name appears on the web.

People are cautious about posting controversial comments on the internet. 59% have posted using a screen name that people associate with them. 55% have posted using their real name, and 42% have posted anonymously.

24% say that their employer has rules or guidelines about how they are allowed to present themselves online. 11% say that their job requires them to promote themselves through social media or other online tools.

In the poll of the industry experts, only 55% believe that there will be a “secure, popularly accepted and trusted privacy-rights infrastructure by 2025”. The experts almost universally agree that we are living in a period of ubiquitous surveillance.

Many of the experts believe that it is not possible to create an effective privacy rights system. They believe that both government and industry have very little incentive to reverse the already invasive status quo and that they have much to gain from continued monitoring of information.

It’s obvious in looking at these results that people are aware of how ubiquitous surveillance is and that what they say on the Internet is seen by others. Most people are concerned about how the government or businesses view and use their information, and of the consequences of what they post with their employer. Of course, this still leaves me wondering how to explain drunk selfies!

The Industry

Predictions Ten Years Later

I often report on how industry experts see the future of our industry. It’s an interesting thought experiment, if nothing else, to speculate where technology is moving. In 2004 the Pew Internet Project asked 1,286 industry experts to look ten years forward and to predict what the Internet would be like in 2014. I found it really interesting to see that a significant percentage of experts got many of the predictions wrong. Here are some of the specific predictions made in 2004:

66% of the experts thought that there would be at least one devastating cyberattack within the following ten years. While there have been some dramatic hacks against companies, mostly to steal credit card numbers and related information, there have been no cyberattacks that could be categorized as crippling. The experts at the time predicted that terrorists would be able to take over power plants or do other drastic things that have never materialized.

56% thought that the internet would lead to a widespread expansion of home-schooling and telecommuting. There certainly has been growth in telecommuting, but not nearly to the extent predicted by the experts. It’s the same with home schooling, and while it’s grown there is not yet a huge and obvious advantage of home schooling over traditional schooling. The experts predicted that the quality and ease of distance learning would make home schooling an easy choice for parents and that has not yet materialized.

50% of them thought that there would be free peer-to-peer music sharing networks. Instead the recording industry has been very successful in shutting down peer-to-peer sites and there are instead services like Spotify that offer a huge variety of free music legally, paid for by advertising.

Only 32% thought that people would use the Internet to support their political bias and filter out information they disagree with. Studies now show that this is one of the major consequences of social networking, in that people tend to congregate with others who share their world view. This finding is related to the finding that only 39% thought that social networks would be widespread by 2014. The experts en masse did not foresee the wild success that would be enjoyed by Facebook, twitter and other social sites.

52% said that by 2014 that 90% of households would have broadband that was much faster than what was available in 2004. At the end of 2013 Leichtman Research reported that 83% of homes had some sort of broadband connection. That number was lower than predicted by the majority of experts, but what was even lower is the average speed that people actually purchase. Akamai reports that the average connection speed in the US at the end of 2013 was 8.7 Mbps. But this was not distributed in the expected bell curve and that average consists of a small percentage of homes with very fast connections (largely driven by Verizon FiOS and other fiber providers) but with many homes with speeds that are not materially faster than what was available in 2004. For example, Time Warner just announced this past week that they are finally increasing the speed of their base product from 3 Mbps to 6 Mbps.

32% thought that online voting would be secure and widespread by 2014. There are now a number of states that allow on-line voter registration, but only a tiny handful of communities have experimented with on-line voting. It has become obvious that there is a real potential for hacking and fraud with on-line voting.

57% of them thought that virtual classes would become widespread in mainstream education. This has become true in some cases. General K-12 education has not moved to virtual classes. Many schools have adopted distance learning to bring distant teachers into the classroom, but there has been no flood of K-12 students moving to virtual education. Virtual classes, however, have become routine for many advanced degrees. For example, there are hundreds of master degree curriculums that are almost entirely on-line and self-paced.

But the experts did get a few things right. 59% thought that there would be a significant increase in government and business surveillance. This has turned out to be true in spades. It seems everybody is now spying on us, and not just on the Internet, but with our smartphones, with our smart TVs, and even with our cars and with the IOT devices in our homes.

The Pew Institute continues to conduct similar surveys every few years and it will be interesting to see if the experts of today can do better than the experts of 2004. What those experts failed to recognize were things like the transformational nature of smartphones, the widespread phenomenon of social networking and the migration from desktops to smaller and more mobile devices. Those trends are what drove us to where we are today. In retrospect if more experts had foreseen those few major trends correctly then they probably would have also guessed more of the details correctly. Within the sample of experts there were undoubtedly some experts who guessed really well, but the results were not published by expert and so we can’t see who had the best crystal ball.