Is Santa Listening?

santa-watchingThis Christmas season brings not only the usual joy and cheer, but also new challenges and privacy threats, which seem to be the nature of technology these days. It seems even Santa isn’t immune to gifting technology which invades our homes with toys that gather secret information about us.

It turns out that the My Friend Cayla doll and the i-Que Intelligent Robot have the ability to spy on everything that kids (or anybody else) says within listening range of the toy. There have been a few other toys in the past that were capable of conversing with kids. Last year’s Hello Barbie chatbox also had this capability. But the big difference is that the Hello Barbie only recorded speech when a button was pressed while these new toys are always listening.

This phenomenon is not limited to toys and there are other devices today that listen to us all of the time such as Siri-enabled iOS devices, OK Google-enabled phones or the Amazon Echo with Alexa. It seems like 2016 was the year when technology began to actively listen to us, even though the concept has been around a bit longer. In 2015 there was a furor when it was revealed that Samsung TVs could both watch and listen to whatever was happening in the room with them. But now the market is seeing a lot of devices with this capability and one can imagine this is going to soon be included in a lot of new devices.

There have always been concerns that future IoT devices would enable tech companies to spy on us. The example given in the past was that motion detectors and cameras that are part of a security system could log all movements inside a home and provide a lot of detail about how various family members move during the day.

But this new technology leaps beyond that scenario to devices that actively listen and record everything we say. One would have to think this new technology is going to be built into most future smart devices as we quickly move towards a world where we talk to our house and the devices in it. All of these technologies work today by using voice recognition software in the cloud that convert everything it hears into text. From there the software in the cloud reads the text to determine if anything said warrants a response.

I’m sure that the average person hasn’t considered what this new technology means, and perhaps having this technology show up in toys will begin the conversation. The potential for abuse from this technology is almost unimaginable. One can envision family members spying upon each other. It’s not a hard stretch to foresee a repressive government listening to everything we say looking for ‘bad’ thoughts like was predicted in Fahrenheit 451 and 1984. It’s also not a hard stretch to see transcripts of what is said in a home end up on the dark web for sale so that anybody can buy our private conversations for a price. And in the business world it’s not hard to envision hacking into office devices as the ultimate form of corporate espionage – to catch those things that are said but are not put into writing.

Probably the worst thing about this technology appearing in toys is that it was put in half-baked with no real thought about security. The Electronic Privacy Information Center (EPIC) has brought a complaint about these toys to the Federal Trade Commission and asked that they be recalled, and that no future toys be allowed with the technology until there are some basic safety requirements defined for the industry. For example, EPIC showed that these toys can be easily hacked and that hackers are able to both listen to everything said within 50 feet of one of the toys, but worse, they are able to hold a conversation with kids through the toy. This opens up the scary scenario of child molesters talking directly to kids through the guise of a supposedly “safe” toy.

The company behind the technology in the toys is Nuance. Their response to the issue is not assuring. They said that they do not sell the recorded voice data to anybody. But there is no law to stop the company from changing this policy at any time. And in today’s world there can be no guarantee that the company won’t be hacked and piles of our conversations stolen by nefarious people.

This is a new technology and now is the time to craft some laws about its use. Today there are only a handful of companies deploying the technology. But now that Amazon and Google are making their AI functions available to others as a cloud-service, this technology will soon be built into huge range of devices. I know it sounds cool to change the settings on your washing machine by telling it how to wash the next load, but is it worth it if your washing machine also sends a recording of everything it hears everything to the cloud?

So we enter this Christmas season with another new technological worry. For the first time it might really be true that Santa is actually listening and he really will know if you’ve beene naughty or nice.

The Future of Privacy

Magnifying glassThe FCC is considering new privacy rules for ISPs. The FCC is considering treating ISPs in the same way they have historically treated telcos. Telco customers have had the ability for years to opt out of having the telephone company use their data for other purposes. Most people don’t even remember this, but when you bought your last landline the telco was supposed to ask you if they can use your contact info for marketing their own products or if they can sell your information to outside companies.

But a telco doesn’t know much about you other than your phone number and who you call. Telcos have never really ‘mined’ telephone calling data and that was what made Edward Snowden’s revelations about the NSA so startling. The NSA demonstrated the ability to draw conclusions about people according to who they call.

But the data that an ISP collects from you as a customer can tell them almost everything about you. They know everything you do on the web – your social network connections, what you search for and buy online, and what you write in every email or messaging system. And – if they wanted to – your ISP could know truly private things about you, such as what illnesses you might have, if you are happy or unhappy in your relationships, or if you do anything that would embarrass you (like looking at pornography).

So the FCC wants to give customers the right to tell their ISP to not examine or use their personal data. Under the FCC’s proposed rules customers can opt out of ISP surveillance completely, or can allow their ISP to use their data in some less intrusive manner, yet to be defined.

It’s an interesting concept, because your ISP is the only entity online that knows everything about you. One would certainly hope that any such rules would apply equally to cellphone ISPs in the same manner as wireline ISPs.

These kind of privacy rules would certainly put the brakes on the money that ISPs can make from mining data about their customers. We recently saw AT&T introduce the idea of charging more to customers to avoid deep data mining – making the default condition one of being monitored.

But the FCC is not going to put these same restrictions on what they call edge providers – meaning every service on the web. Facebook or Google would be free to use whatever they know about you, with the reasoning being that people use these services voluntarily.

There is another big privacy issue looming in the near future – and that’s the surveillance that is coming from the Internet of Things. There is an amazing amount of data that can be gleaned from monitors in our home. Health monitors are going to record details about you that you don’t even know about yourself. Various monitors around the home in the form of smart locks, smart cars, motion detectors, sleep monitors, etc. are going to monitor details about you (and the other people in your home) and how you live. Those details can then be sold to data companies that will combine data from multiple sources to paint a detailed picture of what you do and when you do it. Supposedly this will be done in order to personalize advertising for you, but it’s hard to believe that companies won’t take this a lot further and use this data in unsavory ways.

Already today there are data depositories buying raw data from a number of web sources that can paint a pretty good picture of who you are. Even without the ISPs being part of the data-gathering chain it’s likely that privacy is going to become largely a thing of the past.

There are a lot of people that don’t want to be watched so closely and I think we are going to see a new industry that strives to protect you from detailed monitoring. But when I see how extensive the data collection already is today, I fear that really removing yourself from data surveillance is going to be expensive and not available to most people.

I suspect my feelings towards privacy are typical. It makes me uneasy to have companies monitoring me and I find personalized advertising to be creepy. But as our world comes to rely more and more on devices that make our lives easier, it’s not hard to see that our current feelings about privacy are probably going to become quaint anachronisms of the past.

Paying for Privacy

Keep OutYou have to give credit to the big ISPs – they are always looking for more ways to get money out of broadband and their other products. The latest innovative attempt comes from Comcast who told the FCC last week that they think they have the right to charge customers an extra fee for privacy. Comcast didn’t say that they were ready to launch this as a product, but was responding to an open investigation at the FCC over privacy.

You may recall that when AT&T announced gigabit service in Austin they charged $30 extra per month for privacy. That fee stops a user from undergoing AT&T’s ‘Internet Preferences’ – a deep-packet inspection process that tracks everything the customer does on the web.

Comcast says they have the right to charge extra for privacy and claimed that, “A bargained-for exchange of information for service is a perfectly acceptable and widely used model throughout the U.S. economy, including the Internet ecosystem, and is consistent with decades of legal precedent and policy goals related to consumer protection and privacy,”

They basically claim that other companies already charge a premium fee to customers to avoid things they don’t like. There are numerous video and music services, for example, that charge extra to avoid advertising.

But an ISP is in a different situation. These other services provide something voluntary and customers are free to buy a video service like Hulu with or without ads or not buy Hulu at all. And Hulu can only know what a customer watches and does on their site and nowhere else on the web.

But it’s mandatory to go through an ISP to reach the web and your ISP can know every keystroke you make on the web, every site you visit, everything you tell people in emails or messaging. Comcast argues that customers are free to go to another ISP if they don’t like the company’s policies. But realistically, in most markets there are no alternatives. I know my only alternative to my 100 Mbps Comcast cable modem is a DSL connection under 20 Mbps from CenturyLink, which is not fast enough for me. And if Comcast and AT&T start making money with deep packet inspections, I have a hard time thinking that CenturyLink and other ISPs won’t do the same thing.

Customers can control their privacy to a degree on the web if that’s important to them. Many people only connect to web services like Google through a proxy server that strips out their IP address and location. And there are alternatives to using the Google search engine  such as DuckDuckGo or Ixquick that don’t track people. And nobody makes you create an identity on social media sites.

But you have to put the Comcast filing at the FCC into context. The FCC has proposed that everybody has the right to privacy and that the default state for privacy should be that customers are not tracked. The FCC wants customers to opt-in to tracking, and certainly many people will elect to do that. There are plenty of people that like customized advertising and the other features that come from companies that track them. But there are plenty of people who do not want to be tracked in most cases, and almost nobody wants their ISPs to read their emails or correspondence with their doctors.

The big companies are sometimes their worse enemies because they do things without notifying their customers. Late last year, for example, Verizon admitted to using stealth cookies that could continue to track their wireless customers when they left the wireless ISP network.

This is going to be an interesting battle at the FCC and perhaps this will be the first real challenge of the new regulation under Title II rules. The FCC wants to now impose the same rules on the ISPs that have applied to years for telephone companies and voice – and which are allowed under the umbrella of Title II regulation. My bet on this issue is the FCC will prevail, but you know the big ISPs are never going to stop pushing the envelope.

What’s Next After the Net Neutrality Ruling?

Network_neutrality_poster_symbolNow that the US District Court has affirmed the net neutrality ruling in its entirety it’s worth considering where the FCC will go next. Up until now it’s been clear that they have been somewhat tentative about strongly enforcing net neutrality issues since they didn’t want to have to reverse a year of regulatory work with a negative court opinion. But there are a number of issues that the FCC is now likely to tackle.

Zero-Rating. I would think that zero-rating must be high on their list. This is the practice of offering content that doesn’t count against monthly data caps. This probably most affects the customers in the cellular world where both AT&T and T-Mobile have their own video offerings that don’t count against data caps. With the tiny data caps on wireless broadband there is no doubt that it is a major incentive for customers to watch that free content, and consequently drive ad revenues to their own carrier.

But zero-rating exists in the landline world as well. Comcast has been offering some of its content on the web to its own customers. They claim this is not zero-rating, but from a technical perspective it is. However, now that Comcast has raised the monthly data cap to 1 terabit then this might not be of much concern to the FCC right now.

Privacy. The FCC has already proposed controversial rules that apply to the ISPs and consumer privacy. In those rules the FCC proposes to give customers the option to opt-out of getting advertisement from ISPs, but more importantly consumers can opt-out of being tracked. This would put the ISPs at a distinct disadvantage compared to edge providers like Facebook or Google who are still free to track online usage.

Last year the FCC also started to look at the ‘super-cookies’ that Verizon was using to track customers across the web. This privacy ruling (which is now on a lot more secure footing based upon the net neutrality order) could end the supercookies and many other ways that ISPs might track customer web behavior. Interestingly, both Verizon and AT&T have been bidding on buying Yahoo and this potential privacy ruling puts a big question mark on how valuable that acquisition might be if customers can all opt out from being tracked. I think Verizon and AT&T (and Comcast) all are eyeing the gigantic ad revenues being gained by web companies and this ruling is going to make it a challenge for them to make big headway in that arena.

Lifeline. I think that the net neutrality ruling also makes it easier for the FCC to defend their new plans to provide a subsidy to low-income data customers in the same manner they have always done for voice customers. Now that data is also regulated under Title II it fits right in to the existing Lifeline framework.

Data Caps. At some point I expect the FCC to tackle data caps. It’s been made clear by many in the industry that there are no network reasons for these caps, even in the cellular world. The cellular data plans in most of the rest of the world are either unlimited or have extremely high data caps.

The FCC said in establishing net neutrality that they would not regulate broadband rates. And in the strictest sense if they tackle data caps they would not be. The regulatory rate process is one where carriers must justify that rates aren’t too high or too low and has always been used, as much as anything, to avoid obvious subsidies.

But data caps – while they can drive a lot of revenues for ISPs – are not strictly a rate issue, and in facts, the ISPs hop through a lot of verbal hoops to say that data caps are not about driving revenues. And so I think the FCC can regulate data caps as an unnecessary network practice. It’s been said recently that AT&T is again selectively enforcing its 150 monthly gigabit cap, and so expect the public outcry to soon reach the FCC again, like happened last year with Comcast.

The Real Impact of Network Neutrality

Network_neutrality_poster_symbolThe federal appeals court for Washington DC just upheld the FCC’s net neutrality order in its entirety. There was a lot of speculation that the court might pick and choose among the order’s many different sections or that they might like the order but dislike some of the procedural aspects of reaching the order. And while there was one dissenting option, the court accepted the whole FCC order, without change.

There will be a lot of articles telling you in detail what the court said. But I thought this might be a good time to pause and look to see what net neutrality has meant so far and how it has impacted customers and ISPs.

ISP Investments. Probably the biggest threat we heard from the ISPs is that the net neutrality order would squelch investment in broadband. But it’s hard to see that it’s done so. It’s been clear for years that AT&T and Verizon are looking for ways to walk away from the more costly parts of their copper networks. But Verizon is now building FiOS in Boston after many years of no new fiber construction. And while few believe that AT&T is spending as much money on fiber as they are claiming, they are telling the world that they will be building a lot more fiber. And other large ISPs like CenturyLink are building new fiber at a breakneck pace.

We also see all of the big cable companies talking about their upgrades to DOCSIS 3.1. Earlier this year the CEO of Comcast was asked at the INTX show in Boston where the company had curtailed capital spending and he couldn’t cite an example. Finally, I see small telcos and coops building as much fiber as they can get funded all over the country. So it doesn’t seem like net neutrality has had any negative impact on fiber investments.

Privacy. The FCC has started to pull the ISPs under the same privacy rules for broadband that have been in place for telephone for years. The ISPs obviously don’t like this, but consumers seem to be largely in favor of requiring an ISP to ask for permission before marketing to you or selling your information to others.

The FCC is also now looking at restricting the ways that ISPs can use the data gathered from customers from web activity for marketing purposes.

Data Caps. The FCC has not explicitly made any rulings against data caps, but they’ve made it clear that they don’t like them. This threat (along with a flood of consumer complaints at the FCC) seems to have been enough to get Comcast to raise its data caps from 300 GB per month to 1 TB. It appears that AT&T is now enforcing its data caps and we’ll have to see if the FCC is going to use Title II authority to control the practice. It will be really interesting if the FCC tackles wireless data caps. It has to an embarrassment for them that the wireless carriers have been able to sell some of the most expensive broadband in the world under their watch.

Content Bundling and Restrictions. Just as the net neutrality rules were passed there were all sorts of rumors of ISPs making deals with companies like Facebook to bundle their content with broadband in ways that would have given those companies priority access to customers. That practice quickly disappeared from the landline broadband business, but there are still several cases of providers using zero-rating to give their own content priority over other content. My guess is that this court ruling is going to give the FCC the justification to go after such practices.

It’s almost certain that the big ISPs will appeal this ruling to the Supreme Court. But an appeal of a positive appeal ruling is a hard thing to win and the Supreme Court would have to decide that the appeals court of Washington DC made a major error in its findings before they would even accept the case, let alone overturn the ruling. I think the court victory gives the FCC the go-ahead to fully implement the net neutrality order.

 

Is This an Activist FCC?

FCC_New_LogoSince I have been in the industry there have been fourteen different Chairmen at the FCC. And during that time those have been split pretty evenly between democrats and republicans. We had Chairmen who had the reputation of leaning towards the public such as Reed Hundt and those that have favored the large businesses in the industry like Michael Powell. But you can find FCC decisions under each of Chairman that are in favor of the public or in favor of carriers, radio and television stations that the FCC regulates.

When you read the press about the current FCC (the Tom Wheeler FCC) the public impression is that it is pro-competition and pro-public. And there are plenty of rulings that back that up such as:

  • Net neutrality that regulates broadband ISPs and stops them from various practices that would restrict internet choice.
  • The current proposal for privacy rules that would let people restrict how ISPs can use their personal data.
  • Opposed the Comcast / Time Warner merger.
  • Reset the definition of broadband to 25 Mbps down / 3 Mbps up.
  • The decision last year that said that restrictions on municipal broadband were anti-competitive.
  • Opposed the AT&T / T-Mobile merger.
  • Slashed prison calling rates to make it easier for families to stay in contact with those in prison.

Every one of these orders favors the public over the big companies that are regulated by the FCC. And there are other orders beyond this list.  It’s not hard to see why this FCC has built the reputation of being pro-competition and anti-big business. And yet there are some major decisions that have been clearly in favor of the big companies regulated by the FCC.

Probably the biggest of these was the decision to award over $6 billion to the largest telcos to upgrade rural broadband. In establishing the Connect America fund the FCC gave almost all of the money to AT&T, Frontier, and CenturyLink and is only requiring them to upgrade rural broadband over a six year period to speeds of 10 Mbps / 1 Mbps. Those speeds are already becoming obsolete today and are the equivalent of somebody still sitting on a 1 Mbps DSL connection in 2005. Those speeds will provide Internet access, but a household on those speeds can’t do the same things that those of us with faster connections can do. And by the end of the six years these speeds are going to be completely out of date and inadequate.

And just last week this FCC put a rule in its Lifeline order that can be seen as nothing but a giveaway to cellular companies. The FCC is going to allow the $10 per month Lifeline subsidy for low income households to go to a cellular plan operating on the 3G network and with a monthly data cap of only ½ gigabit. The stated purpose of the Lifeline plan is to close the ‘homework gap’ and yet this one provision will probably end up sending a billion dollars a year to the cellular providers to pay for data plans that won’t meet the stated goal of the Lifeline program.

I remember when Chairman Wheeler was announced that industry insiders assumed that he was going to be in favor of the large carriers and cable companies since he had spent his career representing them. But he immediately quieted this criticism by making a number of pro-competitive and anti-carrier rulings.

When I look at the whole record I have a hard time seeing this FCC as activist. They certainly lean towards promoting things that a democratic White House would favor, as you would expect from a democratic FCC Chairman. But at the same time this FCC has handed billions of dollars to big carriers, and in doing so has greatly harmed the public. One can just imagine how far the Connect America Funds could have gone if that money was instead given out over six years as matching funds to build rural fiber systems. That much seed money would have brought a fiber solution to millions rather than stick them with another decade of poor DSL.

But in retrospect, when I look back at all of the various FCC Chairmen I can see that they have presided over decisions on both ends of the spectrum, and that probably comes with the job. The FCC is in charge of regulating very complex industries that change rapidly and which are controlled by large and powerful companies. I’m glad it’s not me sitting in that chair.

FCC Looks at Consumer Data Security

FCC_New_LogoThe FCC will be voting on March 31 to release a Notice of Proposed Rulemaking (NPRM) concerning customer rights concerning their data on the Internet. More specifically, the NPRM is looking at the relationship between a customer and their ISP. It’s been assumed FCC Chairman Tom Wheeler already has the votes to get this passed.

The premise of the NPRM is that an ISP knows more about what a customer does than anybody else. They know what web sites you connect to and for how long, and even if you encrypt everything they know a lot about you. Most people don’t realize that an ISP has total knowledge of everything a customer does that is not encrypted. If they care to do so an ISP can record every keystroke made online.

And so the NPRM will be asking what rights customers should have as far as allowing their ISP to use or monetize the knowledge they gain about customers. The proposed rules are going to apply the same sorts of privacy rights to broadband that have been in place for telephone service. The privacy rules would not apply to social media sites, browsers or search engines, just to ISPs. The FCC’s reasoning is that customers voluntarily give their data to these edge series but they have not done so freely to their ISP.

The NPRM starts with the premise that consumers ought to have control over how their data is used by their ISP. Telephone customers have had similar rights for years. Here are the primary areas that will be covered by the NPRM:

Transparency. The FCC wants ISPs to inform people about the information they collect about them. They want ISPs to further tell customers how they use this data and if and how the data might be sold to others. And the FCC wants all of this written in plain English (good luck with that!)

Security. The FCC believes that ISPs have the responsibility to protect customer data. The NPRM wants to require ISPs to take reasonable steps to protect customer data.

  • This would mean new rules for ISPs. They would have to institute training practices for employees, adopt strong customer authorization practices, identify to the FCC the senior manager(s) responsible for data security, and take responsibility of customer data when it’s shared with a third party.
  • There would also be new rules about data breaches. Customers would have to be notified of data breaches within 10 days of discovery. The ISP would need to notify the FCC within 7 days of any breach. ISPs would have to notify the FBI and the US Secret Service of any breach of more than 5,000 customers.

Choice. The NPRM suggest that customers be given a choice to say what kind of data their ISP may use and under what conditions it can be shared with others. The FCC wants to categorize customer data into three categories:

  • First is the data that an ISP must have in order to serve customers. This would be things like name, address and other data needed to bill a customer. And because the product is broadband the FCC believes that an ISP has the inherent right to do things like measure your total data usage and other related network information.
  • Second, the FCC thinks that an ISP ought to be able to use a customer’s data to market other telecom products to them. But, like with telephone service, the FCC thinks customers should have the right to opt-out of ISP marketing activity.
  • Third, the FCC is then suggesting that customers would need to opt-in to give an ISP the right to use their data for any other purposes.

The FCC wants these to be rules about customer permission and protection of data and they are not prohibiting ISPs from gathering and using data as long as the customer approve of it. As is usual with this kind of NPRM we can expect a lot of comments both for and against the proposal. What I find most unusual about this NPRM is that it largely assumes that the FCC is going to prevail in its order to regulate broadband under Title II rules. If that gets order gets overturned then protection of customer data would probably revert back to the FTC.

Broadband CPNI?

FCC_New_LogoA group of consumer and privacy groups has asked the FCC to begin enforcing customer privacy rules. In the industry this process is called CPNI (customer proprietary network information) when applied to telephone and cable TV.

Now that the FCC has classified broadband as a common carrier service, they have the authority to investigate and regulate broadband privacy issues. This is something that the industry needs. Until now there has been very limited regulation of broadband by the Federal Trade Commission since the FTC authority was drawn only from the Children’s Online Privacy Act. But the FCC now has much stronger authority.

Current CPNI rules for telephone and cable TV are focused to a large degree on billing issues and on protecting private data like social security numbers, credit card numbers or other sensitive customer information. There is also a prohibition against disclosing the details of what customers do with those services – such as the calls they make or the channels they watch. (Of course, I guess we now know that the NSA is immune from the obligation to protect telephone records).

As sensitive as privacy matters are in those areas there are larger concerns with broadband. What people do online is extremely personal and the vast majority of Americans think that details of their online life should not be recorded or sold to others.

There are a whole lot of places that the FCC could go with broadband CPNI over and above the normal protections of billing data. For example, what are the obligations of companies to notify people when there has been a data breach and customer information has been compromised? Should ISPs have to disclose to customers if they use their data for any purposes or sell it to others in any form? And if so, how much do companies have to disclose?

An ISP is in very powerful position with a customer. If they wish to record what a customer does online they know everything that the customer isn’t somehow encrypted. They are the first in line to see outgoing bits and the only one to see all of the incoming bits.

The FCC has already started some internal work on the topic and held a workshop. From there the FCC has a number of options. They can first solicit comment and ideas from the public to see what kinds of sentiments are out there. It seems for almost everything the FCC does there are two sides of opinion, and there will be those that are in favor of very strong rules and those in favor of a very light touch. But the FCC would do well to hear all of these opinions before trying to formulate specific rules.

But they do have the option to go straight to a rulemaking. They could propose specific CPNI rules and let everybody take pot shots at them. I’m suspecting that for something this new and different that they are going to want to hear all sides of the arguments first before developing rules. The FCC also might be slow-rolling this. The whole Title II regulatory process is under appeal in the courts and they might not want to go too far down any path until they feel more secure that the courts believe they have the authority to regulate broadband in this manner.

One thing that we can probably expect from the FCC is that whatever they do is going to apply to ISPs but not to what they call edge providers. That would be all of the companies like Google and Facebook that operate on the web and that are not under the Title II regulatory regime. I know that consumer groups are going to want that kind of protection because I think it’s generally assumed that it’s the edge providers – and not the ISPs – that are using and misusing people’s data today.

The Security / Privacy Battle

SpyVsSpyEvery time there is some traumatic terrorism event like what just happened in Paris there is a renewed call by governments for better surveillance and security measures. And every time that happens, the advocates of privacy sound a loud warning. What I find most interesting about this back and forth between the two sides is that it’s not events or even public policies that are driving the battle between security and privacy, but technology.

Just during the last decade there has been a number of technologies that have assaulted our privacy – encryption, big data, cloud computing, and advertising spyware. And we are fast approaching new threats from drones and from Internet of Things sensors everywhere.

The real battle between security and privacy happens when we introduce new innovations that can invade our privacy followed by countermeasures against those new technologies. There are plenty of politicians on both sides of the privacy issue who think that creating new laws is the way to protect privacy. But there are no laws that are going to flexible enough to keep up with the new threats we are constantly seeing in the real world.

Consider the traditional privacy laws. There have been wire-tapping laws on the books for decades which are now completely obsolete. The FBI convinced the FCC a few decades ago to create a set of laws called CALEA that gives the FBI the right to subpoena ISPs and get the records of suspected law breakers. ISPs and telcos spend a lot of money to stay compliant with these rules and yet I can’t think of one of my clients that has actually gotten a CALEA request from the FBI. ISPs do often get requests from local law enforcement asking for calling records under older wire-tapping laws, but not a peep out of the CALEA folks.

And this is because those laws were obsolete before the ink was dry on them. The CALEA rules were written not long after we had migrated from dial-up to DSL and there was no such thing as the dark web and disposable cell phones and all of the other ways that serious criminals use to avoid law enforcement.

What typically happens with a new technology is that it gives one side – the police or the bad guys – a temporary advantage. But there is always a technological counterpunch as somebody on the other side figures out how to defeat and neutralize each new technological development.

Edward Snowden showed us that law enforcement sometimes is so desperate for an edge that they collect data illegally in violation of the basic rights granted to US citizens by the fourth amendment. But even that is only a temporary edge. There are now numerous groups developing strategies to counteract widespread government surveillance.

There have been numerous attempts to pass surveillance and security laws starting with the Patriot Act. But industry experts say that most of the laws that try to give the government more power are ineffective, again because technology moves a lot faster than legislative bodies.

So what we see is a cat and mouse game. The NSA spies on us and so companies like Apple develop encryption that makes it hard or impossible for the NSA to gather anything useful. And there are more and more web services that either automatically encrypt or which offer that as an option.

It seems that the privacy advocates are winning the long term fight, and this is because there are ways around almost any tool the government or big business can use to spy on people. I’ve read several articles recently that talk about how even in China people are finding ways to bypass the strict security of the Great Firewall of China. But the fight is a long way from over because there are always going to be tools that come out that can be used to spy on people and there will then be ways to defeat those measures. We are likely to see this battle for decades to come.