The elephant in the room that CNN doesn't want to talk about or admit to is that much of the problem lies in Big Media (of which CNN is obviously a part).
US/Western media companies are more aligned with the government of China than any notion of freedom when it comes to the interests they pour money into (as opposed to platitudes they might espouse).
The push to lock down computers and make it hard/impossible to buy one that doesn't clearly identify you - so that you cannot "steal" big media content - is exactly what makes it hard/impossible to prevent yourself being tracked and surveilled.
Can knowledgeable hackers beat the system...? Sure, somewhat, and increasingly this is harder and harder to do. But society is lost in the middle not on the fringes.
We live in the Panopticon  and this is a problem for many reasons. When a small elite can strengthen its ability to pull the levers of power decision making is concentrated in a smaller and smaller group. Small groups make worse decisions than large scale collective "marketplaces" of ideas and thought. This is what allowed the US and the West to flourish for so long. But it's easily lost. We are moving to a world where elections lead to less and less change, where major problems are going unresolved and punted to a future on the assumption that exponentially growing challenges can be out-waited. The only hope is in the increased connectivity of the Internet, access to information, and ability to share dissenting views. As this is taken away, to preserve Hollywood profits, and in the name of "security", we run further and further off the cliff.
Even Wylie Coyote has to look down eventually and see that it's time to fall to the canyon floor.
I can't help but wonder about the top rated comment on HN being one that kindly shifts attention away from our beloved ad-powered Silicon Valley firms, to the Real Bad Guys all the way in LA and Washington.
While I do believe that all of the reliance on ad revenue contributes to the "Internet surveillance state," I wouldn't exactly say that the newspaper industry would agree that ad-supported blogs are 'furthering their goals.' I think that many big newspapers would disagree with you there.
I think that's a valid point. Clearly the Silicon Valley firms delivering ads are building in metrics and tracking.
However, my point was that this would not matter if one had capabilities at hand to control what information your own machine sends out about you for these ad trackers to capture. What Washington and Hollywood are doing is passing laws together that prevent this.
There are situations where I am perfectly happy letting a company have information about me, on which it makes profits, but that I feel on balance is in my interests. (For example personalization algorithms in some services I feel provide me with added value). There are plenty of situations where I do not want this. When I have the option to disengage with services that track me in ways I don't want to, and thereby reduce my surveillable footprint I am fine with Silicon Valley doing its thing. When I don't have such options because Hollywood has lobbied to ban computers which don't identify their owner clearly to all in the foodchain, and by extension the government - and when I have no idea about the security of my own machine thereby undermining my own crypto choices, that's a fundamental undermining of my liberties.
Silicon Valley firms may deliver services to Hollywood and DC but ultimately both of those are more powerful in the decision making hierarchy than is the tech sector.
Now, you 're attacking the messenger and sidestepping the issue. The kinds of surveillance the article talks about are inherent in the structure of the internet, hardly anything to do with hollywood lockdowns.
>The kinds of surveillance the article talks about are inherent in the structure of the internet
You're not talking about the internet, you're talking about Google, Apple, Facebook and Microsoft. The internet allows you to share your public key with your friend in person and from then on connect directly to their computer and communicate securely. People can tell who you're communicating with but not what you're saying, and if you use an anonymizing service they can't even tell who you're communicating with. Distributed is good for privacy.
The problem is the centralization. The fact that you get your email from the same company you do your web searching with and the same company that hosts your blog means that they have access to all that information about you. If it was all different companies -- or no companies at all, because you host your own email or blog from your house -- then that wouldn't happen.
That is largely a result of the efforts of governments and media companies. Encryption is not the default for email because of the efforts of the US government. People who run anonymity systems are routinely harassed by the government (try running a Tor exit not or an anonymous remailer -- you had better be ready for early-morning paramilitary raids). Peer to peer filesharing was effectivelly killed by the RIAA and MPAA. The world was forced to move to centralized, insecure systems because the more secure alternatives were all shut down before they could become entrenched.
I've been thinking about dumping Gmail for a few days now. What are good web-based alternatives, with an even better interface, that I can run locally and have it connect to a server on Heroku or something like that? I feel like I have relied on Google's software for so long, as a no-brainer, I don't even know what other good web mail clients there are, and I'd think there must be something great and open source out there.
Roundcube, and SquirrelMail are the two alternatives I can think of. Last time I tried Roundcube was years ago, so I don't know what the state of it is now, but it was an attempt at a more Gmail-ish interface.
1. I don't think that Node.js specifically is the answer.
2. Most of the alternatives are just web-based front-ends to IMAP. My feeling is that to make a 'true' OSS Gmail alternative would require an integrated solution (i.e. an 'email system' with SMTP, IMAP, Web interfaces).
3. I think that the 'state of the art' has languished because everyone has doubled-down on Gmail, and the (now defunct) free-tier of Google Apps for Domains.
E-mail is just a terrible mess of insecurity and spam no matter how you look at it. Rather than worrying about my e-mail provider I've been focused on eliminating e-mail from my life as much as I can. (I'll admit it's not easy and progress is slow.)
If a man bursts into the room armed to the teeth, points pistols at us and yells that the problem in society today is too many guns, it's okay to attack that messenger and point out that he is part of the problem.
Yes for brevity I skipped a couple of steps in my argument that I knew/assumed most folks on HN wouldn't need spelling out >> surveillance can be beaten by various forms of anonymizing technology >> such technology requires control of your technology environment, hardware & software >> big media companies such as the one printing the article (albeit one by a respected security researcher whose articles I read - via Google Reader - le sigh) are among those entities most aggressive in restricting access, by you and I, to control over our technology choices. [Updated to correct imprecise language]
So... the messenger - or at least the part I criticized, CNN - is not a neutral party in this story and as such it's perfectly legitimate to question their role and interests in the message.
I highly doubt that's a stable or dominant strategy. As long as there's pressure to build systems, they will find people to build them. Not to mention, those sorts of jobs can be fun, intellectually challenging problems.
Like Narus - we probably agree it's not in the world's interest to have companies or governments with such technologies. But offered money and a chance to work on such a system, I'd work on it in a heartbeat.
It's unlikely that there will be a shortage of qualified people or that the extra money required will make any impact. And you could always take such jobs, and donate to the EFF.
This is such a common argument, I'm sure it has a name.
"offered money and a chance to work on such a system, I'd work on it in a heartbeat"
You would. But that doesn't mean that everyone would.
I am appealing to those of us who value privacy and ethics above making a quick buck or getting to play with neat toys.
It's not like there's some huge shortage of interesting technology jobs in this second internet/startup bubble. And not all of these jobs are for companies that want to spy on their users. Many of us still have a choice.
Even if you are at a company which spies on its users, you could at least try to make some positive change from within, or at least avoid advocating for going down the road of ever more surveillance and spying.
Way too many developers, VCs, and founders either don't consider the privacy implications of what they're doing, or are only too happy to collect and sell data about their users to the highest bidder.
This mercenary mentality is not some unchangeable part of human nature, but is a learned attitude that can be countered and rejected.
My point is that it's not even remotely practical to convince enough of the population to "value privacy" so much that these things won't be built or to even remotely hinder them. The population of earth is just too large. "HN readers" aren't some magic special bunch that cannot be replaced.
> This mercenary mentality is not some unchangeable part of human nature
No, it's just basic game theory. The more people that refuse to sign up for these "unethical" things, the higher the reward for those that do. And those rewards are very small compared to the pressures involved.
So even if you succeed in convincing a ton of hackers to join your cause, you've done what? Raised the salary from $250K to $750K a year for the people that do defect? That's nice, but the actual effect on privacy is zero.
"My point is that it's not even remotely practical to convince enough of the population to "value privacy" so much that these things won't be built or to even remotely hinder them. The population of earth is just too large."
When you get enough people educated and caring enough about some issue do something about it, what you have is a social movement. Such social movements have a long history of bringing about significant changes, especially when they are well organized.
If there are enough HN users caring and doing something about privacy, there is no doubt in my mind that positive, significant change will come about. HN users might not be "magical", but they are pretty special in that most of them are very technologically savvy (especially compared to the typical internet user), with a deep knowledge and understanding of the very technologies which make the surveillance state so effective.
Knowledge is power, and we have to recognize that collectively we hold a lot of power in our hands. Our collaboration with the surveillance state or our opposition to it, our advocacy for and work to build privacy-respecting alternatives could be a major game changer.
Quite apart from the effectiveness of such opposition are the ethics behind it. Some of us believe that we should do what's right even when the odds of success are against us.
There will always be developers who will be willing to do this either because it's challenging or because they need to put food on the table. You can't win that fight. The people who take those jobs also have the potential to become whistle-blowers and throw 6 months+ of internal emails to $POPULAR_TORRENT_SITE showing all kinds of interesting dialog and/or corruption.
Concentrate on getting laws passed or technology made to stop or avoid the tools of "Big Brother" and educating the general public on what's going on with the internet and BigCorp/government. What I would like to see is a browser extension or app that makes PGP easy for the masses so they can encrypt emails, messages, etc. Open source of course. We don't need any secret backdoors.
"There will always be developers who will be willing to do this either because it's challenging or because they need to put food on the table."
But those people don't have to be us. Each of us has a choice to make: to cooperate with the construction and maintenance of the surveillance state or not.
Perhaps I am too much of an optimist, but I'd like to think that many of the most talented and capable of us want to make positive, constructive changes in the world. We don't want to be a part of making the world worse. Many of us are lucky enough to be in an industry where we actually have a choice in this respect.
If the most talented and capable of us deny the surveillance state our talent and capability, they'll have to make do with whatever ethically challenged people they can scrounge up. I'd like to think that they'll be the worse off for it, and the resulting surveillance state will not be nearly as powerful and effective as it would be were everyone to unhesitatingly and willingly participate in it or sell themselves to the highest bidder without thought of the consequences.
> There will always be developers who will be willing to do this either because it's challenging or because they need to put food on the table.
Of course, but that's bullshit, and they're being immoral. Evoking romantic images of providing for your beloved family is misplaced here. No programmer is left with the choice of either working for evil scumbags or starving.
The more talented people work on privacy-invading technology, the more powerful, pervasive, and smoothly-running the surveillance state will be.
Most of us have the choice to deny the surveillance state our own talent. We can work at more privacy-respecting firms and on more privacy-respecting projects. We can try to educate people about privacy, and advocate for positive change. We can even actively work to counter the surveillance aparatus by building crypto, stego, mesh-network and other privacy and anonymity enhancing technologies. Most of us probably don't have the luxury of doing this latter as our day job, but certainly as a side project -- if we care enough and want to make a difference.
I think the cost can be raised, at least, if people not only refuse to take such jobs themselves, but attach some social and professional stigma to those who do. Sure, with enough money you'll likely be able to find someone who will do pretty much anything unscrupulous; even extreme examples, like getting someone to program a human-trafficking back-office app, can be completed if you offer enough money and look in the right places.
But the idea is to reduce the supply of willing workers for surveillance-state applications, and raising the cost of those who can be hired for the job, by making sure it's seen as a somewhat shameful job, rather than just another "regular" one. That at least incrementally slows things down and drains resources of the people building such systems. That would have a real effect, except in the case of an adversary who actually has infinite resources and can solve any staffing problem by just throwing more money at it, without compromising anything else.
> As long as there's pressure to build systems, they will find people to build them.
Right. But you could find people easily or with great difficulty. Imagine a whole generation of "ethical" hackers who refuse to become pawns in the industrial military complex and/or surveillance sectors. Who will build the police state then?
My point is that "the system" depends heavily on the humans and the best way to fight the system is not to work for the system. Just don't join //them// and (A) you will sleep better at night and (B) you will be helping the world.
The argument "someone was going to do it if I don't" doesn't hold any water. Just stick to what you believe is right and don't worry about the others.
> The argument "someone was going to do it if I don't" doesn't hold any water.
Can you elaborate or suggest some further reading on this? If someone possesses rare talent or technology, I can understand it. But that's hardly the case in what we're talking about.
I see approximately zero difference in the world if I write surveillance software or if someone else does. It will get done. Government and telecom companies aren't going to shrug and drop the issue. So why should I allow someone else to benefit from my refusing a contract?
I am honestly asking for the logical steps in arriving at your outcome.
You don't see a difference because you don't seem to have a strong feeling about the ethics of these kinds of jobs. I don't say this to attack you or to judge you.
To understand what others are saying here, you need to substitute some other ethical question that you do have strong feelings about.
Regarding your game-theory comments -- you're implicitly assuming that "winning" involves maximizing your income. For me, how I feel about myself is part of assessing any potential win or loss.
Fundamentally, you can't really answer ethical or moral questions using market or game-theoretic thinking, without considering how you feel about what you're doing as part of the win/loss metric. If you don't care about an issue, you don't care about it.
So, "how will my caring about this make a difference" isn't really the right question. Instead, ask "why should I care about this?"
Yes I might lack empathy for other people's privacy, especially as it seems that most people just don't care. Those that care can use technology to benefit themselves. You're right though, I have a hard time answering why I should care, personally. If I eliminate emotion from the question, I cannot come up with any rational reasons.
But more than that, blaming a single low-level actor in a system seems kinda pointless. It's like hating an individual DEA agent instead of the idiotic system that creates the DEA. Shaming DEA agents will accomplish next to nothing; the effort would be better spent where it might make an impact (like on elected officials).
The number of hackers you need to implement surveillance (or land mines) is pretty low, and you can get people from the worldwide population. Not to mention there are going to be a fair number of patriots that believe what they're doing is good, anyways.
The only question is which individual will profit and how much from actually building it. In this hypothetical situation, I can't see any reason to let someone else (who may have values I don't like) get paid to build the technology.
> This is such a common argument, I'm sure it has a name.
Someone who is willing to do the unethical dirty jobs that take a toll on society, because they pay so well and because if he didn't take them, they'll just hire someone else to get it done?
Yes, the name for that is "mercenary".
Adjective: Motivated by private gain.
Noun: A mercenary is a person primarily concerned with making money at the expense of ethics, [most often used to refer to a soldier who fights for hire].
Interestingly, being "fun and intellectually challenging" doesn't really factor into pattern much, except as a justification certain people need to make the job seem more glamorous or honourable. But as it happens, even with that factor absent, if they don't take it, somebody else will, right? For the right price, of course. The difference between those prices is literally the monetary value of your honour. Most people won't set a price on that, but you're a mercenary now, so you already did. Funny thing is that difference isn't exactly traded on a free market, it could even be negative, however/whatever gets the job done for your employers.
Those were all technologies that were "known" to be "evil". But to get that point, there were probably scientific advancements made that were pretty benign, in isolation. And those advancements were probably used to develop other technologies that were "known" to be "good". The people working on those earlier advancements had no way (necessarily) of knowing what would be derived from their work. The same is true of technological advancements advancements today. The people who first started working on the internet probably had no idea (for the most part) of the privacy issues that have arisen. Ditto for satellites, GPS. . .
I'm actually sort of surprised by the negative sentiment here. A project with government backing and legal cover will get done, regardless. This is hardly a case where you need some 4-sigma genius (which I am not) to conceive of some major breakthrough.
But creating something like Narus must require all sorts of interesting research and engineering. I wrote a packet analyzer for a single protocol and was just barely able to parse at 1Gbps speed, off a loopback device. Actually getting it deployed at much lower speeds was rather difficult.
Doing the same at 10Gbps, multiprotocol, actually doing neat stuff to the data? Unless their boxes have incredibly expensive hardware inside, they must have done some pretty neat hardware and software designs.
The way to fight this type of surveillance isn't convincing people to avoid working on such projects. That's hopelessly naive or incredibly optimistic. Change the rules of the game: Either make it illegal and enforce or spread proper privacy software like cryptography.
You're missing the point. Social conditioning and shame are very powerful.
It's likely that designing land-mines involves many interesting technical problems. Regardless of whether there are still engineers who will work on land-mines, there's a social good to shaming them (assuming you think land-mines are bad).
If you don't have strong feelings about land-mines, or you don't think they're all that bad, then this argument won't make any sense to you.
People can choose to do or to not do things regardless of their effectiveness.
Do you realize that you're implicitly adopting an amoral viewpoint when you raise pragmatism above ethics or morality? That's a choice -- not a given. This is why you're getting the strong negative reaction, here. History is littered with examples of how this leads to bad outcomes and evil systems.
The way to fight this type of surveillance isn't convincing people to avoid working on such projects. That's hopelessly naive or incredibly optimistic. Change the rules of the game: Either make it illegal and enforce or spread proper privacy software like cryptography.
Why not simultaneously push for change in government, develop powerful and easy-to-use cryptographic tools, AND refuse to work on projects that are very likely to have a negative impact on society?
I don't deny what you're saying, that these projects will end up being built by someone (hopefully someone less qualified though, and at a higher cost to the contractee), but by the logic in your first post in the chain, anything could be justified morally as long as someone is paying you to do it. What's wrong with pulling the lever in the gas chamber? If you don't, the next guy will, right?
I think your solution would suffer from the tragedy of the commons--it would only take a few defectors to ruin the whole scheme.
My guess is that the only durable way to increase digital privacy protections is through law. To achieve what you want, you would need to get Congress to pass a bill, or the Supreme Court to hand down a favorable decision, or maybe both.
I long ago installed a plug-in that blocks most or possibly all of the above. There are several now that will do this for, say, Firefox.
In a related benefit, sites load way faster for me and consume substantially less bandwidth, since I'm not constantly waiting and paying to download the malware that so many sites now feel the need to embed.
Ghostery takes care of most such things, including blocking the major spying tricks by the likes of Google and Facebook.
A decent ad blocker like AdBlock Plus will go some way to helping as well, though it's more of a side effect in that case.
There's also BetterPrivacy, which mostly deals with the non-cookie cookies like Flash LSOs.
Unfortunately, for reasons I can't fathom, even generally privacy-friendly browsers like Firefox still seem quite happy to send vast amounts of fingerprint-friendly information that serves almost no legitimate purpose to anyone who cares to listen. However, there are clearly people thinking about this, e.g., see https://wiki.mozilla.org/Fingerprinting.
I have absolutely no facts whatsoever that they are misusing information. The only fact is that they have an obvious conflict of interest. I assume people interested in privacy would like to be aware of it. I'm sorry that you don't consider it relevant but I am certain others do.
This doesn't have to be a conflict of interest (as they list themselves when they appear), but rather an attempt at self-regulation. Ghostery, and Scott Meyer, has done a lot to advance the discussion of privacy in advertising; they are educating the consumer-giving them tools that make it more difficult to do their job, or at least doing it in a shady and lucrative way for the good of the consumer and the industry.
Similarly much of the opt-out discussions as well as the ad choices icons are industry-driven.
Are you considering what the GP said, i.e. builds of popular browsers; or another browser entirely? I've been using Luakit a lot recently and it stands for a lot of the open and tweakable traits I care about in software. It probably comes with little spying mechanisms, and could be further strapped on with protections.
Privacy-friendly (as far as it can go) builds of available OS browsers is the way to go.
There are simple things, like changing the default settings for cookies, that do not require rebuild of course, and more involved things like making the browsers emit less information (panopticlick) on every request.
It is obvious, that it might break some things, which should then be possible to change by the user. E.g. not sending out installed fonts and screensize and tons of other info about your system might break some websites - webmasters should learn to ask friendly for that data, not expecting it.
This is not about engineering a new browser, but about privacy aware defaults for software distribution.
The biggest success of such a project would be that browser distributors will change their default distribution to maximum privacy. Obviously some of them will never do it - what will be a good thing as people will better learn about the differences.
Another big success would be that users will learn about their natural right to be asked before a browser sends out any information that is not absolutely needed to view a webpage.
I know that this is only a small piece in the puzzle, but browsers are still not privacy aware by default atm. it would be interesting to see what happens next.
Firefox certainly is one of the top targets for such a project, as Mozilla browser defaults are not acceptable for a project that wants to teach you about your online rights on first browser start. Transforming Firefox into a browser that actually delivers what Mozilla promises, will give a good discussion point for changing their distribution policy.
There is, btw., a similar project for chrome, Iron - but the panopticlick results for iron are still not perfect - minimizin the emitted information to only the neccessary bits is still ahead also for this browser.
Please note: a discussion about "destroying jobs in the ad industry" or "destroying the internet at all" is absurd in this context. If advertisers want to collect data, they must ask me to agree. It is good for the internet future, if only business models survive, that people agree to support.
Firefox is NOT privacy-friendly. The default settings save cookies forever and there is no blocking of any tracking code by default - you are spreading misinformation declaring FF as "privacy-friendly". Another big problem is the fingerprintable request firefox generates - FF developers do not seem to see privacy as a concern.
We are always under surveillance - my neighbours know I stay up late watching crap tv, the bookshop assistant knows I browse the comics section but don't buy, and a hundred people each day see me do weird or normal things.
I am not oppressed when they do that. Embarrassed maybe, but not dragged of for "re-education".
As long as no-one uses the surveillance to force political outcomes from me or any individual, then this is pollution, not dictatorship.
Yes we need radical privacy laws - but not ones trying to put the genie back in the lamp. There are amazing benefits from technology - the sharing of knowledge seamlessly across 7bn people is going to ,produce wonders we cannot guess.
But we must embrace this new world - a world without secrecy. For privacy is not secrecy - it is politeness of our neighbours.
The problem is not my neighbours who know, it is companies across the world who now know. Their knowledge and actions are kept secret from me - and that must be prevented. Sunlight is the best disinfectant applies to targeted ads as much as corrupt politics.
Firstly any organisation that holds informant that can be used to identify and track people must publish the identifications they hold in real time. Expect a cottage industry of telling me about everything about me. Oh and those cottage industries must publish as well. So not a profitable cottage industry.
Seen me walk out the door of mcdonalds after paying with my Loyalty card - great mail me the link so I can see.
Secondly a legal framework that makes commercial profit from my identity only allowed if I consent and preferably if I get a cut. Want to sell me ads - great pay me. Oh suddenly finding ads less profitable? Want to sell me a coffee after that burger - you could use the freely published info mcdonalds has to fling my phone a coupon - but that's my information. I charge a flat 2c for every commercial use of my info - I get 2c even if I don't want coffee.
Thirdly, get used to the idea your wife instantly knows you are sleeping with the secretary.
No company can possibly be expected to know exactly who they have information about, as would be needed to publish the disclosure you're talking about. On any web server, you have countless logged HTTP requests that are effectively anonymous to the business, but if a subpoena comes in asking for all activity from a specific IP, they're forced to disclose that activity. Only once the data is in law enforcement's hands does it cease to be anonymous, so sites can rat you out without knowing your name.
The same scenario applies to third-party data sales. A company pays you to serve a tiny JS tracking snippet on your site, and because they have many such sites they can resolve the traffic back to real names, but you as a webmaster cannot. You've just sold data about a person you can't identify.
What's more is big data has the potential to do great good.
For example Googles flu trends - http://www.google.org/flutrends/ - already helps us plan and use our resources efficiently when it comes to responding to mass illness. As we plot a course to 9 billion people on the planet being able to detect trends like this will be essential.
On a more personal level, it's also telling us we're all human and all make similar mistakes. It's also telling us a lot about what being human actually means. This has the potential to move us past taboos and stigmas and address deeper questions about how to make ourselves smarter, better, happier. Here an example would be porn - the funny tale of a scientist who tried and failed to find a male control group that didn't watch porn - http://arstechnica.com/science/2009/12/weird-science-fails-t... . Now we've learned we're all watching porn we can move on from questions of right and wrong and begin dealing with questions like is it making use happier, how do we deal with addiction, why does it make some of us addicted and so on.
So plus one to more sunshine. Lets use that data to learn about ourselves
Who will be running that totalitarian regieme and can we see their Facebook pages from their early twenties?
In the end how the hell will you use data against people if you do not already do all the dictator necessary things anyway - torture, secrecy, disappearances. These are the things to fight, not the data storage but the people torture.
March to stop privatisation of the army, to stop torture in our names, to stop child labour. Fix those, then we have nothing to fear about our Facebook shopping trends.
Edit: some might comment that eg their sexual preferences might be discoverable on Facebook and that would be a breach of their rights to privacy. Firstly we change privacy - it has always been politeness not to mention what all your friends knew. The fact that anyone interested can now piece it together does not change that.
Second - the use of that data "against" you only matters if it matters outside of politeness. Alan Turing could not today be prosecuted for being gay, could not be chemically castrated nor driven to suicide. Because the legal system has been changed - so that the only thing that matters if people find out you are gay is politeness. Live in a free society - have to learn to deal with impoliteness. Don't live in a free society - deal with that not the Internet. We know how to defeat dictators, and the iPhone won't fix it for free.
I worry about the opposite--that we will lose too much information over time when everything is stored digitally.
My employer has been running at least one website for almost 15 years. We've been collecting server logs that entire time. Where are they now? With the exception of logs from the last year, I could not tell you. They were all discarded or lost.
On a larger scale, look at the problem of link rot. We can't even keep track of the public information we have.
The Rosetta Stone (the real one) survived thousands of years of neglect to teach us about our past. What digital assets will survive that long? How many digital assets from 20 years ago are still findable, recoverable, readable, searchable?
Outside of an electromagnetic pulse or similar disaster, I'm not worried at all about that outcome. The Wayback Machine archives almost everything publicly available. When you put stuff in the cloud — which includes tweets on Twitter, photos on Facebook, and emails on Gmail — you'll never lose it to a hard drive crash.
When I have fears of losing data, I have to ask myself: is that data really important to begin with? Or is it junk, digital detritus? I've simplified by selling, giving away or throwing out a lot of my physical possessions, and it feels great to do so. Recently I'm beginning to feel the same way about digital possessions. It is better to reduce.
Unless you have some specific business case for extrapolating from your over-a-year-old logs, what do you need them for? Do you just want them because you could make a neat graph or something? Why not let it go?
Your possessions start to own you. Extra data that could get you or other people in trouble, can similarly be a liability.
You're with David Brin's side as far as the secrecy issue goes, aren't you? It's definitely intriguing response to the traditional cypherpunk response of more secrecy- if you can watch the watchers right back, then the governments and corporations in the world are as vulnerable to surveillance as John Q. Public.
> We are always under surveillance - my neighbours know I stay up late watching crap tv, the bookshop assistant knows I browse the comics section but don't buy, and a hundred people each day see me do weird or normal things.
But none of this data is kept around forever, centralized, searchable and subpoena-able.
Sure, in a sense, we've always been smearing our private data everywhere. But what you describe is tiny pieces of data distributed over many human agents with imperfect memories, especially with respect to the irrelevant details on the actions of the many people they encounter every day.
This article is talking about databases, the largest of them owned by a handful of gigantic corporations. And even the smaller ones are just as easily accessible to the state. Hence, surveillance state.
It doesn't matter that it's too much data, either. Storage is cheap, it'll just stay there waiting until someone needs to query it. And analysis and machine-learning algorithms are only getting better, to make these queries increasingly more specific, accurate and informative.
I think that this is one of the big reasons that privacy-focused named-data networking will become popular. Another reason is that that model fits better with most internet usage today where data is disseminated from a source to a number of users.
Of course, surveillance can be built into those types of systems as well, but I think that the right engineering approach building in features like encryption and anonymity, especially combined if possible with mesh networks, could be a big advantage for privacy.
[After-post update: I've no idea why this got auto-dead'd. Ideas?]
What is the way out though? Nobody cares about privacy. Nobody.
Google used to be happy divining long clicks from access logs. Then, they said "screw privacy!" and started explicitly tracking every outbound search click (I'm ignoring all your email, calendars, contacts, and phone data they have).
Twitter used to be happy being just messages, then they click-nabb'ed every link. At least the interaction model on twitter is mostly benign.
Facebook does mephistopheles-knows-what with everything they have. It can't be good. They're in an unspoken competition with Google for who can get users to voluntarily exploit themselves over the widest personality surface area.
Then there's the hundreds of spy-tracking JS, ad networks (Hi, Google/DoubleClick!), ad markets (Hi, AppNexus!), mobile networks logging every URL you visit (Hi, Verizon!) and everything else tracking almost your every move across the Internet.
Why don't we just make it illegal to have a webpage without embedding https://js.gov/tracker.js and give the information to everybody in realtime?
Interestingly, I consider that a fair equilibrium. Not something to despair over. I think it would be worse if the director of the CIA could keep privacy but not random individual. That power does not affect ability to avoid lack of privacy means things are becoming more balanced.
Yes, I'd say privacy is actually much more of a problem for the elite. How many investigations dig up infidelity, etc, in the normal population and then carefully step around it instead of enlarging the investigation?
But I do think the power elite are driven by excessive compulsions, and I worry if we eliminate the ones with relatively normal/outside compulsions we will be left with the Machiavellian freaks running everything.
Eh, the director of the CIA has a different threat profile than a regular user. I don't have a security clearance (anymore) that I have to maintain that gives anybody direct reason to consider thwarting tracking to be dangerously suspicious.
There is a privacy ecosystem that is rising from it all.
There are ways. the TOR network allows you to anonymize your dealings from your ISP. Some sites are now advertising the anonymity and encryption they are using for their services (MEGA). Bitcoin has seen a stellar growth (and still poised to) due to its uncontrollable nature, and can be tweaked to achieve pseudo anonimity through enough shuffling of the coins. Assange puts it best by saying that "The universe believes in Encryption - [it] is the ultimate form of direct non-violent action." What WE can do, is help put the blocks in place...
Sorry, I can't resist. And, I'll preface this by saying OF COURSE I AM JOKING. Here it goes:
I've clashed many times with folks here on HN who are super-pro-government liberals. They take every opportunity to point out how government has built everything of value to us and how government has wisely invested in infrastructure and other projects that make our lives possible. The implication, of course, is that we should be pro-government, pay more taxes and be thankful we are allowed to flourish under such a system.
One of their favorite things to say is "government created the Internet".
Fantastic! Let's take the good with the bad. If government is going to be credited with the good then we credit them with the bad as well. They created such a shitty system that we are all under surveillance, like it or not.
Not so you say? Well, this kind of thing was nearly impossible before our government created the Internet. They must have had ulterior motives and knew it could be used for this.
Why didn't they protect us with regulations BEFORE the Facebook's and Google's of the 'net were even up and running? They knew what they were creating.
Anyhow. I am not much of a comedian but there's a joke in there somewhere. The point is that government is an ass. They fuck-up nearly everything they do.
This "internet == surveillance state" thing is very real and it is something governments (PLURAL) are benefiting from immensely. Never before in the history of humanity has it been possible to spy on individual human beings with this degree of granularity. And it won't get any better for probably another five to ten years, if ever.
>I've clashed many times with folks here on HN who are super-pro-government liberals.
Since we're talking about the surveillance state, we shouldn't be leaving the super-pro-government conservatives out of this. In the US (where these lib/con terms seem to matter most), both major parties love the surveillance state, and this is tied in heavily with the warfare state that both parties love as well.
I'm not very optimistic that the situation is going to improve. Privacy is increasingly something of yesterday, not today, and certainly not of the future. Those who will enjoy some degree of privacy will be the ones who know how to achieve it, and many aren't going to bother, just as they don't today (people are lining up to give it away, in fact).
>The point is that government is an ass. They fuck-up nearly everything they do.
No disagreement here, though I'd suggest that the only things at which government seems to excel are areas where no one should want to excel. I'm thinking primarily of war, excessive policing, and weird, arbitrary laws.
I don't believe it was a conspiracy from the start, but it was serendipitous for governments that the internet is so leaky security-wise. It would be wise to establish privacy boundaries that governments and companies cannot cross by international law, but it would be even wiser if our technology could become inherently secure.
I didn't downvote you, because I think your heart is in the right place. But this statement:
"...Well, this kind of thing was nearly impossible before our government created the Internet..."
really does betray a fundamental misunderstanding of the technologies that were around before the internet. The government really has had this power for quite a while. In fact, the only difference now... is that people give the government pictures of themselves to match faces to the phone conversations. And, of course, continuous position data... as opposed to the sort of discrete position data you could get in the 70's and 80's.
Well, I am not a surveillance expert by any possible stretch of the imagination. That said, I seriously doubt governments could access the kind of personal data (behavioral and otherwise) they can today back in the 70's and 80's. sure, if they targeted someone they could follow their life and gather lots of data. That required devoting people to follow, watch, study and record a persons every action. Today things are quite different. A "recording" of everyone's actions is being made every minute of every day. When someone becomes a government target they can virtually rewind the last n years and learn everything about them with nearly zero human cost in relative terms.
And while using Disconnect and Ghostery you still got tracked by IP address, your installed fonts, screen resolution, installed plugins, while your internet activity was stored by your internet provider.
Eventually there will be some good and accessible options that will enable you to truly opt-out of the internet surveillance state.
Other than the occasional embarrassing thing (like googling a dance song) I really can't think of anything I have to hide.
Even so, I would pay a subscription fee to keep all of my internet communications completely private. I don't like being profiled, and it feels like an infringement on my freedom. I would even pay enough of a fee that the company I pay it too could in turn pay lobbyists to help protect their interests or headquarter in another country etc.
And the worse it gets, the more I'm willing to pay.
I'm sure I'm a minority right now, but I think our numbers are growing.
I used to think people actually wanted privacy. (I did, why wouldn't everyone else?) But the data does not support that hypothesis -- in fact, I think the exact opposite is true.
People's personal information is not being stolen from them, it is given away; and not even for free -- more than 70% of the US population  pays an ISP a monthly fee in order to connect to Facebook's servers and upload their data. That is how the Internet works -- it is not Facebook sending the SYN packets.
In general society (outside of our tiny bubble), not having a Facebook account is considered strange. It is even seen as grounds for suspicion of criminal activity. 
Everyone says they want to eat right, exercise and be healthy, but more than a third of them are obese.  The surveillance state is not happening despite us, it is precisely what the majority of people want, even as they deny it. If you wish to change this unfortunate fact, change the culture.
This comment probably won't go down well considering the audience ... but here goes:
Yes the internet is a surveillance state ... and that is terrible ... except ... except ... is it?
My long held belief is that in an age where even the most tech-savvy cannot possibly remain anonymous all the time our best hope for privacy is in the simply overwhelming volume of data being collected. Unless I do something worthy of government attention I have reason to believe no human is going to closely examine my gmail - why on earth would they?
Therefore the only breach of privacy is by a parser collecting information for an algorithm. So I get a few ads in gmail ... 90% of the time I ignore them ... the other 10% of the time I would MUCH rather they were targeted at my interests than just meaningless drivel! Furthermore - if the ad revenue collected by these companies allows them to continue to improve a free service I love then power to them! People bitch about ads, without considering the reality that without them most of the service we value which make up the internet would not exist without them. You can't always have your cake and eat it.
Lastly I would like to address the point of privacy invasion by a government body. This is nothing new! It has just become easier. I live in the UK - a tiny island with 4,000,000 CCTV cameras. There is probably an accumulation of hundreds of hours of footage of me throughout my life... So What ?! I have done nothing wrong, and if the existence of that footage allows the prevention or solving of even one crime then I'm all for it.
If a government body wants your data - the chances are they are going to get it. Through warrant or some other means. The acceleration of this process is not necessarily a bad thing. They are, after all, the elected officials.
i agree with you about how nice it is to have targeted ads (although Google still hasn't gotten good enough that I have ever clicked on anything).
The dangers for the government are when it uses its powers to stay elected (Nixon), or spy on activists (Nixon, Bush), or pilfer the IP of other countries (Airbus). And of course these dangers also apply to commercial enterprises - if I were a MS competitor, I sure as heck wouldn't allow Skype in the office.
Great read, but I wish he hadn't glossed over the part about not being something the free market can fix; and explained why only strong government will can.
He admits that governments are partaking in the frenzy at least as much as are companies, but doesn't explain why it would be easier to get a government to change, than to change a company, or start a new one.
I think it's more accurate to say that the free market currently does not think that Internet surveillance is a problem. Consumers in general have decided that for Internet services and Internet access devices, factors such as cheapness, ease of use, and trendiness are more important than privacy.
Governments are able to reach more definitive consensus than free markets - a market would be not easily be able to make everyone use an anonymizing proxy, for example, but a government could legislate that. Governments can also move costs around, such as by funding a national proxy service with tax money.
But on one level, free markets and democratic governments are both just methods that societies use to enforce their collective wills. There are limits to how much their decisions can differ. There's a reason Schneier calls a situation created by Internet companies a surveillance state.
What's the incentive for free market solutions to the problem? The free market is motivated by profit. The gov is ostensibly motivated to serve its citizens. There's a better chance of the latter being effective, IMO.
There's another aspect to that.. if you're tired of what a company is doing, you can opt out and stop using their services. If enough people do this, they'll change their behavior or simply be no more. We saw that in how Godaddy finally came around against SOPA.
When we talk about government, the only way to opt-out is to physically leave and then that can only take you so far.. because even then, you might fall under other countries' jurisdictions no matter where you live. :(
That's exactly where I got hung up as well. If there is a demand for anonymous access tech, I think that the free market will eventually fill that demand (barring interference from the state). I don't think it's wise to entrust the government with limiting its own powers in general. "Strong government will" rarely seems to mean "empowering people to be free and anonymous," at least in my experience.
Its not like people are victims here, for the most part they've chosen the "free" privacy violating services over the paid ones every time.
If people cared about their privacy, this wouldn't be the case, they'd be willing to pay for useful services. There was a chance that a market could have developed for services that protected privacy, but thats long gone.
At this point kids growing up are used to the idea of a world withoit secrets. Its terrifying to people over 30, but it could lead to a better world, because even those in power cannot escape the watchful eye of Big Brother.
That would be a fine argument if the majority of computer users actually understood what tracking is being performed and how it is performed. Most computer users have no idea how they are tracked, nor do they understand how they can be tracked.
People generally do not know how their computers work, and companies take advantage of that ignorance when they track people. Most people do not understand that they are trading privacy for access to websites and web apps.
"At this point kids growing up are used to the idea of a world [without] secrets"
Nonsense. Kids just have a different idea about what should be kept secret. There are still plenty of in-the-closet gay teenagers whose friends understand that they are being trusted with a secret. Plenty of kids have odd habits they do not want to tell their friends about. Teenagers still keep secrets from their parents -- that is basically an invariant. There are many college students who work hard to keep their Facebook profiles "clean" in an attempt to present the best image possible to potential future employers.
What has changed is the meaning of keeping things secret. A 15 year old in-the-closet gay teenager most likely has no idea that "deleting" a "private" message sent over Facebook does not actually delete the message from Facebook's servers. That same teenager probably has no idea that his public "friends" list is sufficient to determine that he is gay with high probability. That is the problem society faces right now: people want to keep things secret, but it is very difficult to actually do so.
I think that eventually society will adapt and people will learn how to keep secrets in an age of widespread surveillance. It is inevitable: eventually there will be so many incidents of embarrassing secrets being revealed by these various companies that people will start to use technologies to hamper the tracking.
That's an unfair criticism. If you look upthread, a commenter points out that the CNN page for this article includes at least 10 third-party tracking scripts. Most people are unaware that tracking is going on at this scale, how it works, or what they can do about it.
Watch this video of a bunch of people who don't know what a browser is. That's most people. Do you think they understand how internet tracking works? Hardly. You and I, as techies, can perhaps make an informed decision, but most people can't and if you step outside the bubble you'll see that.
It's never okay to blame the users for hidden privacy consequences.
Scheier is right that information will be collected, and that the government will have access to it. That genie is out of the bottle. But there is still hope for reasonable and even strong controls on the USES of information. This is exactly the distinction I've been drawing for years, e.g. in http://www.dbms2.com/2012/03/01/where-the-privacy-discussion...
A lot of commenters focussing here on technical privacy solutions - but that seems to be missing the current move towards behavioural tracking. And the irony is that this is a lot of the really exciting stuff for many here - look at truelens and storm for example. Given the adulation and reverence here for highly politically engaged and extreme right-wing characters like Peter Thiel, we shouldn't be at all surprised by this kind of outcome.
When the gold rush came, it was easy to see that prospecting was not where the value was at. Smart entrepreneurs sold pans, shovels and dungarees. Likewise in the age of surveillance, the Ciscos and Choicepoints rake in, handing off infrastructure and data to the highest bidder. The gold ran out, but we still have the Gap.
As long as you don't trip any of the automated checks to see if you are using a fake name or get manually flagged as using a fake name. The automated stuff is pretty stupid at the moment thankfully, but it's not something you can do if you care about not getting your account closed.
I don't know about you but I have many family members who have practically given up on using email for important announcements like wedding, birth etc. People use Facebook for such communication needs because it is lot more convenient than email.
Also, not sure if you noticed but Facebook messaging provides a "return receipt" feature by default. So you know if and when your message (email) is picked up. Try doing that with the free email accounts like gmail, hotmail etc.
Run your own resolver on 127.0.0.1, and your own authoritative nameserver on 127.0.53.1, and configure the resolver to ask the nameserver (returning NXDOMAIN) for
* su (abuse)
* any others you want; get ideas from the MVPS hosts file
Since facebook domains (fbcdn.net, facebook.net, etc.) are all serviced by facebook.com nameservers, returning NXDOMAIN for *.facebook.com will thereby sabotage all facebook related queries. This way you won't have to play whack-a-mole with future facebook tracking hosts, so long as they use facebook.com nameservers.
Or hell, just create a list of prefixes announced & owned by AS32934, Facebook, and block all. Just to be sure.
It's not like your friends would suddenly not know who you are anymore. You do also talk to your friends in person right? I use a fake name on FB and so do lots of my friends. Like the OC says; there's no magic.
I also use an alias email address. Together you can use FB apps without spreading too much easy data around.
The point is, facebook is tracking your location via IP address. They are most definitely not interested in knowing your real name, so your fake name is as good as anything else. They are dumping relevant Ads on you based first of all on where exactly you're located at. They'd then attempt to dump relevant Ads based on how you (the fake or real name) interacts with the facebook site. They are watching your eyeballs and you can't escape the moment you make a single move.
Facebook doesn't care about exact name and personal information except to target their Ads effectively. Its no big deal if you don't tell them your real name, they will jump over to the next field. Sooner or later they're going to connect the dots to provide you effective advertisements. It starts with them tracking your location via IP address.
The original opinion piece of this thread notwithstanding, but for the majority of the Internet users, the issue is not if and why the state is tracking you (because people at the large scale are not criminals trying to hide from the state), but the issue is whether we should give up liberties in order for the corporations to serve us effective advertisements. The old fashioned TV box was effective only because it had no competitor. The same is not the case on the Internet.
PS: the only reason Facebook requires real name (or the reason it has built its social network as a walled-garden) so each person stays unique and does not infiltrate or corrupt the data by signing up multiple times via pseudo-identities. Again, look at it from the advertising perspective. Do we think advertising works effectively if one person shows up as multiple? It doesn't.
People have control over their individual online use cases and should assume more personal responsibility for managing their online profile. It is voluntary to join the LE email spam network, FB/G privacy invasion operations, disqus commenting, etc.
It's a shame that these social networks that were intended to enable friend and family (biz in LE case) have devolved into open public access to your personal interactions. As they further infringe on the original use cases more people will leave them for alternative solutions.
I don't think the typical user thinks he's got nothing to hide.
More probably, he doesn't realize just how much he's spied on or by whom. Nor does he realize how the information these spies gather on him could be or is being used to his detriment.
He also probably doesn't know about any privacy-respecting alternatives, or if he does, he finds them too much of a pain to use, or doesn't want to sacrifice his Facebook friends or his nifty smartphone.
Fortunately, the masses are slowly becoming educated, more computer literate, and more privacy/security aware overall. It is heartening to see stories about online privacy on mainstream news sites like CNN. Being a victim of identity theft, stalking, or harrassment can also be an unfortunate but powerful wake up call to the need for privacy.
It's a slow process, but the more people become aware of their vulnerability and victimization by the surveillance state, the more they will try to seek alternatives and call for positive change. I just hope by then it won't be too late.
I wish I could agree, but I recently explained to one of my most intelligent friends just how much tracking is done, by whom, and how. She just argued that she didn't have anything to hide. A few days later, she admitted that I might have a point, but still wasn't interested in ditching Facebook.
I hope you're right. If something doesn't change for the masses, alternatives will never really gain traction.
The throughput, latency, computing power and memory wasn't sufficient to do what we can do today a short 5-10 years ago. The hardware has advanced so much over the past decade that it is attainable at the consumer/non-sovereign level now. Anyone with a thousand bucks free monthly cash flow and the coding chops can get very far independently.
I don't have any info on intentional tracking but Macs surely do leak a lot of data. If you install Little Snitch you will have a better feeling of what is being sent over the network. These are the rules that I have regarding apple: