Metadata Equals Surveillance (schneier.com)
320 points by antsar on Sept 23, 2013 | 106 comments



Schneier sets up and knocks down a strawman:

"Back in June, when the contents of Edward Snowden's cache of NSA documents were just starting to be revealed and we learned about the NSA collecting phone metadata of every American, many people -- including President Obama -- discounted the seriousness of the NSA's actions by saying that it's just metadata."

The NSA and Obama aren't "discounting" the NSA's actions because it's "just metadata." They're defending the legality of the NSA's actions by saying that it's "just metadata."

The legally relevant distinction isn't how informative data versus metadata is, but who generated and controls the information that's the subject of surveillance. AT&T's metadata about your calls is generated by AT&T's equipment, stored on its servers, and is generally not even accessible to you. That not only puts it squarely within the domain of the third party doctrine, but makes it very hard to argue that it fits within even a common sense lay person's reading of the 4th amendment (which guarantees "right of the people to be secure in their persons, houses, papers, and effects."). Arguing that AT&T's data is your data is an uphill battle to say the least.

Now, maybe third party doctrine is obsolete in a world where people voluntarily give over to third parties every detail about their lives.[1] But it doesn't contribute to that debate for Schneier to totally mischaracterize what Obama is saying.

[1] In my opinion, privacy is obsolete in a world where people voluntarily give over to third parties every detail about their lives, but reasonable minds can differ on that point.


> Schneier sets up and knocks down a strawman ... The NSA and Obama aren't "discounting" the NSA's actions because it's "just metadata." They're defending the legality of the NSA's actions by saying that it's "just metadata."

Well, here's what the president actually said:

> When it comes to telephone calls, nobody is listening to your telephone calls. That’s not what this program’s about. As was indicated, what the intelligence community is doing is looking at phone numbers and durations of calls. They are not looking at people’s names, and they’re not looking at content. But by sifting through this so-called metadata, they may identify potential leads with respect to folks who might engage in terrorism. If these folks — if the intelligence community then actually wants to listen to a phone call, they’ve got to go back to a federal judge, just like they would in a criminal investigation. So I want to be very clear. Some of the hype that we’ve been hearing over the last day or so — nobody’s listening to the content of people’s phone calls.

http://blogs.wsj.com/washwire/2013/06/07/transcript-what-oba...

He didn't make the "it's legal because it's only metadata" argument. He did claim that the program is legal, and that it is overseen by Congress and a secret court.

Maybe it's just a matter of opinion, but I'm very comfortable characterizing this reply as "discounting because it's just metadata."

I'm unhappy about this, and I voted for the guy twice.


>Maybe it's just a matter of opinion, but I'm very comfortable characterizing this reply as "discounting because it's just metadata."

Perhaps. But keep in mind the context: "nobody’s listening to the content of people’s phone calls"

The president spells out a specific concern that people are saying out loud. Is it "discounting" to disprove a specific concern by accurately characterizing the activity as something other than "listening to the content of people’s phone calls"? That he so happens to use "metadata" does not make his argument wrong or misleading. What word should he use?


Well, if we get really pedantic and nit-picky, the alarming news that the president was responding to was actually that a tremendous percentage of phone calls are being recorded, IIRC. Strictly speaking, it's actually impossible for NSA employees/contractors to "listen to" more than a tiny fraction of them, there simply aren't enough human-hours to do that. Nobody seriously thought that the NSA actually had a human being snooping on every phone call.

So the people say "You're recording our calls!" And the official answer is "Well we're not actually listening to them. We analyze the crap out of the metadata, though."

I'm still OK with calling that "discounting."


I don't think Schneier's intention was to call President Obama a liar. Rather, I think he intended to say that, even if we accept President Obama's factual claims, we should still take issue with the government's actions.

In other words, Schneier's not disputing the facts, but suggesting we ascribe different value to them.

So when you say "That he so happens to use 'metadata' does not make his argument wrong or misleading," you're correct. But that also doesn't make Schneier incorrect. (Not that you said he was.)


> In other words, Schneier's not disputing the facts, but suggesting we ascribe different value to them.

I've seen arguments like the president's called "true lies." A technical truth that obscures the larger more relevant issue.

In this case, the real issue that people care about is that the government knows stuff about them that they expect to be private information. Whether they got that information via eavesdropping, metadata analysis or some other technique is largely irrelevant to the issue that makes people uncomfortable with the current state of affairs.


Calling it a "true lie" implies that there is some intentional misdirection. But we could just as easily conclude that the President genuinely holds a different opinion as to the relative value of phone call audio vs metadata. Suppose the President feels collection of metadata is not intrusive. In that case, his comments are merely a legitimate and accurate statement of his personal opinion, rather than a deliberate attempt to obscure the issue.

None of this is to say that I personally consider metadata harmless. I'm actually rather protective of my data privacy. I'm merely pointing out that the President's stated valuation of metadata isn't an inherently dishonest rhetorical tactic.


I don't think there's a consensus on what the more relevant issue is here. Based on my discussions with people I'm acquainted with, I'd bet a lot more are concerned about the legality issue: is the government making a good faith effort to stay within the bounds of the law.


What they have declared legal is obviously the least of anyone's concerns. We care what they are actually doing. I'm not sure how one could think that people are just fine with being violated as long as there is a law that permits it.


Yup, it's the GP that seems to be attacking (or rather defending?) a straw man.


"Mr. President, no one is saying you broke any laws, we're just saying it's a little bit weird you didn't have to."

–John Oliver of the Daily Show on the NSA spying scandal


It is. But when you make that observation, you should be aware that the weirdness dates back into the 1800's (at least); metadata surveillance was litigated in the dawn of the telegram era.


This is one of the things that surprised me the most. After reading about the Snowden documents this summer, I did some historical reading on the topic. I was amazed at the lengthy progression of surveillance in the U.S., and as a result, I am no longer amazed at the Snowden documents. It's all business as usual.

(I'm not convinced, though, that it's all okay... there seems to be both real and potential abuse in the system.)



Our ability to exploit metadata has grown by leaps and bounds since the 1800s. What was possible then and what is possible now are two different things entirely.

It's simply not possible any more, except via face-to-face chat, to communicate with someone without turning over some metadata (or possibly data) to a 3rd party.

Letter? Envelope gets scanned. Calls? Logged and your location is tracked to boot. Internet? Tapped. What's left?


Carrier pigeons? On my commute this morning, while dodging a flock of Canada Geese that live in park, I was wondering if anyone has ever tried to ship illegal items via migrating birds. I had to ponder how much cocaine, or other illicit substance, a goose could carry. And if the shipment didn't make it, does the bird get whacked?

Anyway, if you're face-to-face with someone they still tracked both of your positions to/from the meeting and used cameras in the area to run facial recognition. Then they transcribed the convo to text by hijacking area mics or using the cameras for speech recognition.

If you're really important they'll land a tiny UAV on your person and literally 'bug' you. Better to just stay inside and keep your waste in mason jars...


There was also the case of the prisoners smuggling cell phones into prison via pigeons.

http://www.nbcnews.com/id/29980598/ns/world_news-weird_news/...



Thanks for the link! I Googled this half-heartedly this morning while cleaning out my inbox but didn't have time to sift through the results. Funny stuff!


If you're in public, you have no expectation of privacy. So as cameras and facial recognition roll out further, you won't be able to go to another person's house to do that face-to-face without the metadata being created anyway.


In public, people instinctively have an expectation of privacy. If you started following people around with a video camera and microphone (or even just started staring at every passerby in the eye without breaking eye contact), you'd get a lot of unhappy reactions.

Having ubiquitous automated surveillance is effectively the same as having someone follow everybody around with a camera and microphone, so the public's reaction to the latter should be used to determine policy with regard to the former.


That's not what privacy is.

The lack of privacy in public spaces is such because it's unreasonable to have an expectation of privacy. Until we're all cyborgs and have our vision automatically filtered, it's unreasonable to expect that you will remain unseen when walking through a public park.

The lack of privacy in public spaces is based on the ubiquity. If you followed someone around, the issue isn't a violation of privacy. It's harassment: the singling out of an individual for exceptional behavior. If you plant a camera and watch everyone, then it becomes a lot more OK. (Still arguably not, but you'd get far fewer "unhappy reactions".)


> The lack of privacy in public spaces is such because it's unreasonable to have an expectation of privacy. Until we're all cyborgs and have our vision automatically filtered, it's unreasonable to expect that you will remain unseen when walking through a public park.

It's only unreasonable if you say it is. Different cultures have made different decisions with regard to what's socially acceptable to notice about others' behavior in public. It's perfectly reasonable to expect that you will remain unfollowed when walking through a public park, and ubiquitous surveillance is much closer to following everybody than noticing everybody.

> If you plant a camera and watch everyone, then it becomes a lot more OK. (Still arguably not, but you'd get far fewer "unhappy reactions".)

I'd argue this is only because people aren't cognizant of the fact that planting a camera to watch everyone is the same as planting people to follow everyone. People's instincts haven't caught up with the reality that is presented by ubiquitous surveillance, so IMO the right way in this case to decide whether surveillance is acceptable is by analogizing to the closest available cultural and instinctive concept that is still fully functional.


> ubiquitous surveillance is much closer to following everybody than noticing everybody

The issue is still that you're likening surveillance to harassment more than you're likening it to an intrusion of privacy. Based on this argument alone, I'm less inclined to agree with your position, because surveillance isn't harassment.

> People's instincts haven't caught up with the reality that is presented by ubiquitous surveillance, so IMO the right way in this case to decide whether surveillance is acceptable is by analogizing to the closest available cultural and instinctive concept that is still fully functional.

You realize you're not saying anything more than, "I think it's wrong, so I'm going to go searching for a rationalization," right?

I don't disagree that the surveillance we can safely suspect is being done by governmental organizations is probably immoral and should be illegal, but what I'm not hearing is a solid, justified argument for your position other than, "It's icky." You don't even have the fallback of "everyone thinks it's icky" since by your own admission, people don't.

I'm not interested in doing that hard philosophical work, personally, so I'll leave you with a suggestion. Privacy, at its root, is really about dignity: its most ancient manifestation is the capacity to relax without tainting one's public image, whatever that image may be. It is from this foundation that all other arguments about privacy are really built. So I'd challenge you to show that ubiquitous surveillance necessarily violates everyone's dignity.

I think you'll find that more difficult than you expect, but I don't think it's impossible to come up with a reasonably sound proof.


> The issue is still that you're likening surveillance to harassment more than you're likening it to an intrusion of privacy. Based on this argument alone, I'm less inclined to agree with your position, because surveillance isn't harassment.

You're still using definitions of privacy violation, surveillance, and harassment with which I do not agree. The distinctions between the three don't have to be drawn where you seem to be drawing them, and both the example I gave and invisible surveillance should qualify as all three.

By the way, would you still call it harassment if you never got in the way of the person you were following, never acknowledged your presence, and generally let them go about their business while you were busily recording everything they did? Most people would still be very unhappy.

> You realize you're not saying anything more than, "I think it's wrong, so I'm going to go searching for a rationalization," right?

That's not the case at all. I've raised arguments that appeal to technical people in the past, and users like rayiner jump in with a claim that "common people" just don't care about technical stuff. Now I'm using arguments that appeal to the aforementioned "common people," and you're jumping in to say they aren't technical enough :-).

Moreover, I was responding to your specific claim that "it's unreasonable to expect that you will remain unseen when walking through a public park."

> I'm not interested in doing that hard philosophical work ... but I don't think it's impossible to come up with a reasonably sound proof.

I don't expect to conclude the privacy and surveillance debate once and for all in this thread. No doubt Bruce Schneier, the EFF, and others are way ahead of us on formalizing the best arguments.


> By the way, would you still call it harassment if you never got in the way of the person you were following, never acknowledged your presence, and generally let them go about their business while you were busily recording everything they did? Most people would still be very unhappy.

... they certainly are:

https://www.youtube.com/watch?v=Uz8PdALdQDI


> By the way, would you still call it harassment if you never got in the way of the person you were following, never acknowledged your presence, and generally let them go about their business while you were busily recording everything they did? Most people would still be very unhappy.

Google "paparazzi". Notice the distinctions between a legal claim of privacy intrusion and the legal claim of harassment. And also, notice the legal claim of freedom of the press.

Your model of "people with cameras following you around" might sound really novel and clever to you, but we've had such people for a long time. And guess what? In public, no one considers it a privacy intrusion. It's harassment.

> Now I'm using arguments that appeal to the aforementioned "common people," and you're jumping in to say they aren't technical enough

Technical arguments are not philosophical arguments. Believe it or not, programmers do not have a monopoly on The Right Way To Do Everything. A philosophical argument can depend too much on jargon and be perverted by political spin, this is true. But you can still methodically break it down and explain it to a non-technical person if you've put it together well.

Watch http://justiceharvard.org sometime.

Failing to convince someone is your fault, not theirs.


Fine, if you prefer, let's label ubiquitous surveillance as harassment. And the NSA are not the press.


Wow. You have no capacity to listen to what I'm saying at all, do you?


Wrong. Anonymity is a form of privacy, and it's often one of the things that people who become famous miss the most.

The simple fact that it can be stripped from some (who are famous) and retained by others (who are not famous) even when they are both in the exact same public space means that some people (i.e. the non-famous) have a reasonable expectation of anonymity in public - which is to say, a certain form of privacy - where the famous do not.

And that's not the only fault with the "you have no reasonable privacy in public" line of thought when it comes from people who say that technological advances have, in effect, made us all famous. The assertion is valid only if reasonable expectations are limited by what is and is not technically possible, which is not the case. In truth, we need a sense of privacy to function as free humans. You can't have a working democracy without it. To the extent that it's reasonable to expect whatever level of privacy a functioning government of the people, by the people, and for the people requires, you maintain a reasonable expectation even when advancing technology renders you vulnerable.

Ultimately, the thing that keeps people from kicking in our doors isn't the thickness of our doors, but the strength of the laws that restrain those who would do the kicking.

To date, we've been able to rely on technical hurdles to protect our absolutely essential sense of privacy. If technological advance means those days are behind us, then we need the law to do what previously it didn't have to deal with doing. That transition still needs to happen. But at no point in the course of this transition does the reasonable expectation itself go away. Indeed, it becomes even stronger now that it can no longer be taken for granted.


> If you're in public, you have no expectation of privacy.

People keep saying that in this debate, as if it's some sort of self-evident principle that must not be questioned, but is it anything more than a meaningless tautology? Aren't you in public by definition in places where you have no privacy? If so, then being in public is defined by how we define privacy.

The public/private distinction has never been absolute, such that everything about you and what you're doing is either in public or in private at any given time. We're sharing our thoughts on a public forum on the Internet, but at least one of us is physically sitting in his own home while doing so. I have different expectations of privacy for what I'm saying on HN vs. the conversation I just had with someone in this room.

The lines are similarly blurred if we go out. For example, in most jurisdictions you do not give up all rights to privacy just because you went out your front door. If a guy follows you around with a video camera and tries to watch you enter security details when you're paying for stuff at a shop, he's probably going to get in trouble. If a public venue installs video cameras in its bathrooms or changing rooms, it's probably going to get in trouble. If some pervert tries to film up your or your wife's/sister's/daughter's skirt, he's probably going to get in a lot of trouble. These things are all easily possible with technology, and all happen in a "public place", yet I think almost everyone would still consider them unacceptable invasions of privacy and the law in many places would prohibit such behaviour.

Maybe as technology that can be used for surveillance and data mining evolves, we need to evolve our understanding of what should be considered private as well, in order to maintain effective protection of the same underlying values. If metadata alone can now be used to determine sensitive details about us that we would consider to be private if collected directly, then perhaps the collection and use of that metadata should be controlled in the same ways as direct collection and use of the implicit data. If sensitive data is collected for one purpose with consent but can now be repurposed more easily for additional uses, maybe there need to be explicit safeguards to control that risk.


Cool, mind if I photograph up your wife's skirt and post it online? Actually nevermind, I don't even need your permission.


There is a long history of public photography (and longer history of painting public scenes). So there is that tradition of photography and absence of an expectation of privacy in public places (sometimes there are restrictions on commercialization of such images); private areas such as commercial spaces are not 'public' and they have some discretion on what goes/does not go. Taking lewd pictures of people is covered by a different section of the law -- usually state laws or local laws.

Taking creepshots is totally divorced from the private/public issue. It's kind of like trying to make S&M into a private/public debate.


Maybe it's time for a new Constitution amendment then. In a world where surveillance is so pervasive, and so potentially dangerous, the laws should be updated, if the old ones aren't sufficient to provide people the privacy they need in a democracy.


The impact of unchecked surveillance, like bad security, is impossibly difficult to quantify until shit hits the fan long enough for it to inconvenience people. Furthermore it's simple and easy to dismiss serious problems as exceptions to the rule, for example Snowden was branded as "very smart" after there were claims that a "high school dropout" evaded NSA's internal security systems and successfully escaped to Hong Kong.

If there are egregious violations of privacy and freedom then we won't be seeing the admissions of guilt/reform, but instead we'll be seeing recriminations and diversions. There needs to be punitive measures in place to deter that kind of negligence and recklessness, in addition to the punishment for actual violations.

Rehabilitation and recidivism are very serious issues that need to be focused on, especially because those who disregard privacy will do so on an ideological level -- it's part of their personal belief system.


An amendment would be nice though I'd settle for a lesser law to resolve these issues as well. Whatever can get it done.

Seems to me there are a number of legal bugs where our laws fall apart at scale. The 2nd amendment is all well and good (my opinion) but arms tech scaled way beyond anything imaginable at the time and some line needed to be drawn on what qualified. Privacy law is having a similar issue as society shifts all its important data to digital storage and into third parties. Who could've imagined that centuries past?

As a programmer it makes me wonder what the common anti patterns of law are.


would only work if you, the people, would make the laws. but since that's not the case anymore all these clueless law makers would shoot themselves in the foot.


More like shoot us in the foot. They will surely have been incentivised by the relevant parties to leave gaping loopholes allowing said relevant parties to continue doing what they're doing.


already going on. practically no difference.


It was never the case.


there you go...


Third party doctrine cuts deep. See Couch v. US, 409 U.S. 322, 335 ("there can be little expectation of privacy where records are handed to an accountant..."). For example, all the prosecuting of banks and big corps that the Daily Show cheers on depends quite heavily on investigators having access to third-party accounting and financial records. The doctrine might need to be reformed, but it's a monumental task touching many areas and longstanding practices.


> For example, all the prosecuting of banks and big corps that the Daily Show cheers on depends quite heavily on investigators having access to third-party accounting and financial records.

Aren't those records of companies, not of people?


In case you forgot. Corporations ARE people.


Even a light reading of the Corporate personhood page on WP would have told you that the issue is much more complex than that knee-jerk reaction. For example, the courts ruled they can't invoke the Fifth.


forgot to insert sarcasm tags


I think there were laws broken, though. It is my understanding that the NSA was restricted to spying on foreign targets, and not supposed to be collecting data of any sort on Americans' domestic phone calls. Of course, the laws are purposefully kept complex and plenty of loopholes are snuck in, so I may be missing something.


> In my opinion, privacy is obsolete in a world where people voluntarily give over to third parties every detail about their lives, but reasonable minds can differ on that point.

This seems wrong. People have been giving details about their lives to their doctors, lawyers and priests for centuries, relying on convention that they keep it private. Why can't we continue with the same convention in the Facebook age?


Doctors, lawyers and priests have legal, financial & spiritual repercussions for not keeping these details private.

Giving your details to Facebook is the pre-Facebook equivalent of putting an ad in the paper with your details. You're not just giving your details to Facebook, you're giving them to everyone who has access to your page.


Then we should "fix" that. Instead, we've been letting the government give these companies immunities for letting them gather the data in bulk from them.

I think people just want to communicate with each other, and the Internet is the best way to do that right now. If we can build an Internet where we can easily do that without giving all this data to 3rd parties, people would use that, but until then they don't have much choice.

As Schneier says, advising people to "quit Google" or Facebook, is not really a choice in today's Internet. But if developers and the architects of the Internet realize what a problem this is, then maybe we can come up with other more secure alternative solutions.


it would have to be one where the NSA armed goons can't walk into a room full of servers and tell the admin: "Do what we tell you or else."

Essentially, we're going back to computers in the house doing everything, since the network can't be trusted, and encryption can't be trusted.


Perhaps, then, one move in the right direction would be to start adopting similar legal policies for online services?

Of course, this won't prevent the NSA from doing what it has always done: "We're snooping. No, you can't tell the user. No, you can't do anything about it." but that is another issue, one that we can hopefully resolve with a bit of legislature and oversight.


Perhaps Facebook should have a responsibility similar to that of other professionals?

Granted, some data you put on Facebook you obviously intend to make public or semi-public, but not necessarily all of it.


In many EU countries insurance companies and banks can't do social network analysis of your public Facebook profile or buy your private data from Facebook.

Some countries have laws that limit the use of the information in public records. Even if some party is allowed to collect the information, like a phone company, they are not automatically allowed to use the data in any way they please.

There is also a huge difference between having access to data you need and keeping and collecting records of people using publicly available data.

The US has very backwards privacy laws. Basically, once your data is out there anyone can do anything they please with it. This does not mean that this should be the case or that the rest of the world acts like this.


> People have been giving details about their lives to their doctors, lawyers and priests for centuries, relying on convention that they keep it private.

It's not convention. Those conversations are privileged (literally 'under private law') and the notion is relatively recent in legal terms. Until 1840, for example, a lawyer in Britain was not expected to defend a client that he knew to be guilty.


Doctors, lawyers, and priests are required to turn over to the police information that's explicitly criminal. IANAL and that's not the precise criterion, but the point is that such a convention doesn't actually maintain privacy and really never has.


"[1] In my opinion, privacy is obsolete in a world where people voluntarily give over to third parties every detail about their lives, but reasonable minds can differ on that point."

Speaking of straw men...ha.

While your assertion here may be true, the world you describe (in which people - as in nearly all of them - hand over EVERY detail) is not the world we live in. Not even close. You're knocking down a figment of your own imagination. In other words? Yup, a straw man.

Meanwhile, back in reality, lots of people have plenty to hide and do their best to keep their secrets. And this isn't just criminal activity. It's also their private feelings, impolitic thoughts, confidential business plans, romantic intentions, parameters of negotiating positions, health concerns, etc. Very, very obviously, they do not share "every detail."

To the extent that indiscriminate openness can be used against people, there are always going to be people who want more of it. For these assholes, the evaporation of privacy lowers the cost of abusing others while making the abuse itself far more profitable and / or intimidating. And obviously, there are a lot of businesses and government agencies that would love to see privacy norms, laws, and technical barriers rolled waaaay back. To the degree there's been natural erosion, they've seen how profitable and efficient this erosion can be. Of course they want moar, Moar, MOAR! Power and profit depends on nothing less!

And one of their favorite ways of getting it is by insisting that privacy is already dead, that protecting its ghost is a fool's errand, so honestly, why not give up already? Just submit! Why won't you submit?


For phone calls, I wouldn't call it voluntarily. In order to call someone I need to dial a number and to rely on third party infrastructure, such as I have to at least put a receiver on a snail-mail. I believe the reason why past legislature did not have an eye on that is that it was not viable to slurp up this data en masse. Such as writing down and correlating each mail's sender and receiver. This is easily automatable nowadays. I am convinced that we need to fix this unless we want to live in some dystopian future.


It's not just a 4th Amendment search issue, it's also a 1st Amendment freedom of assembly issue. "We know who you're talking to" is a chilling effect on freedom of assembly.


In a podcast with Steve Gibson I was watching this morning, they were talking about whether it would be OK for us to follow all children on their way from home to school (and back) and everywhere they were in public, listening to (and logging) every single thing they say because they were talking in public.

>The school district’s move has raised privacy concerns, with some comparing it to government-sponsored stalking.

Read more:

http://nation.time.com/2013/09/14/glendale-school-district-h...

But on the other side of things, there is targeted collection of public data, where teens trashed a home in New York and caused over $20k in damages.

>"parents of the hundreds of teens who broke into and destroyed former NFLer Brian Holloway's upstate vacation home are threatening to sue him for outing their brats on Twitter — saying he's spoiling their chances of getting into college."

Read more:

http://www.npr.org/blogs/thetwo-way/2013/09/20/224382580/tee...

http://nypost.com/2013/09/20/parents-want-to-sue-former-nfle...

I don't understand why vandals would post on twitter to boast publicly (in a way that can be easily linked back to their name) about their deeds. It seems to me that the school being proactive is morally wrong [TM] while someone trying to piece together who was present at the home at the time of the vandalism is right [TM].

[TM] my personal interpretation of right vs wrong. Not a legal opinion.


"In my opinion, privacy is obsolete in a world where people voluntarily give over to third parties every detail about their lives, but reasonable minds can differ on that point."

I disagree. Just because some people give out personal data does not mean that I should lose my rights to privacy.


> [1] In my opinion, privacy is obsolete in a world where people voluntarily give over to third parties every detail about their lives, but reasonable minds can differ on that point.

The surveillance done by the big marketing firms today has nothing to do with "give over voluntarily". It is digital stalking done with very little consent from the subjects. "Give over voluntarily" means the subject actively provides information. "Stalking" means the system monitors the activity of the subject with no active participation other than (maaaybe) clicking once "I agree to the terms" five years ago, probably on a different ToS anyway.


Don't you know? Your continued use of the service constitutes acceptance of any and all ToS changes with or without notification, in perpetuity.


"Back in June, when the contents of Edward Snowden's cache of NSA documents were just starting to be revealed and we learned about the NSA collecting phone metadata of every American, many people -- including President Obama -- discounted the seriousness of the NSA's actions by saying that it's just metadata."

You left out the part where he knocks it down with 9 different articles from various credible sources on the VERY NEXT LINE. Who is trying to deceive people here?


Of course he can knock it down with lots of sources--that's the whole purpose of a straw man (http://en.wikipedia.org/wiki/Straw_man).


Not really. It is usually used as a deceptive argument by one person. This is what you implied by leaving out all the people who supported his assertion.


The fact that a bunch of people knocked down the same straw man doesn't make it any less of a straw man.


What I am saying is that you are accusing Schneier of setting up a straw man when in fact you and he have a difference of opinion. This is not a straw man. He left nothing out of his assertion. However you did. Care to respond to what I actually said?


If you're going to get picky about rhetorical devices, this is the one you're currently using:

http://en.wikipedia.org/wiki/Argumentum_ad_populum


No, Obama actually sounded like he wanted to confuse the public about what they were doing. I didn't get the impression that he was discussing the legality of it in his speeches at all, when saying "metadata".


he will do anything BUT turning against his puppet masters. you all saw what could happen - dallas, 1963.

the good thing is: since then, nothing changed. keep calm, people.


> just metadata

Entire national strategies for surveillance in wartime were entirely based on "just" metadata. (Japan in WWII. Back then, it was called "traffic analysis.")


Good point. On the other hand, many people have hand-waved the issues by saying "it's just metadata" in the sense that Schneier is describing. While Obama and the NSA might not have dismissed it that way, many people have, and it's that view that Schneier's objecting to.


You presume that a reader of the word "discounting" in this context doesn't infer "legality".

The big questions here are simple.

1. If any organization holds your data, is it still your data, or have you surrendered ownership of it?

2. Is there a concept of ownership for record-oriented data, captured by a third party?

If you store a copy of a screenplay you're writing in the cloud, you haven't surrendered ownership of it. The cloud provider cannot just copy your data and hand it to someone else, who now has ownership of it.

Let's say you are generating a novel by writing short paragraphs, which are then recorded by your cloud provider as records -- time and content. The contents of the fields are created by you. Can the cloud provider simply provide a copy of that data to anyone who asks?

There's not much difference between a phone call record and my time-content example. Most (all?) fields in a call record are generated as a result of the user, who is more or less the author. And as the author of the information in those phone records, do you hold the copyright?

This isn't AT&T's data. It's my data, or your data. When we press the dial button, we are creating these fields of data. It is an act of creation. We expect that AT&T will use this data to bill us (and we find that acceptable). We do not, for example, expect AT&T to sell our call records to some company, for marketing purposes. If the data is owned by AT&T, then they would be perfectly free to do that.

There's a pretty simple principle that could be followed: If the cloud provider or telecom company wouldn't grant access to the information to any member of the general public, access shouldn't be granted to law enforcement without a warrant or review of some kind. If the government can convince a judge that access is warranted, then go for it.

To do otherwise creates an environment where it's far too easy to harass or pressure "regular" people.


But they are also blurring the lines between legally acceptable and what is acceptable to the public.

The UK has had similar discussions over new laws being introduced - people wanting the new laws have been saying "It's just metadata; it's not the content".


Thanks for making that subtle but important distinction, and for calling Schneier on the straw man attack.

I've been feeling a bit jaded with the Schneier posts on HN lately. Between the reposts of his columns from other newspapers (sometimes a couple of weeks later) and generic meta summary posts with a dozen links to what others are saying, I'm finding it a bit hard to pin down the really insightful Schneier pieces.

Maybe it's impossible for him to keep posting superb stuff all so often. Or maybe many of us expect each of his posts to be superb nonetheless. Or maybe both :)


I think some of his writing is brilliant, but it is impossible to consistently come up with brilliant material on a schedule. However, if he were to publish a post only when he has enough insightful, original, and quality material, his posts would probably be weeks apart. Perhaps he wants to keep his blog more active than that, and does so by linking to others' writing deemed "good enough" in lieu of his own.

Personally, I like this approach because it exposes the reader to more sources which one can then subscribe to.


We also give third parties the content of our calls as well. Under the third party doctrine, it's then legal for the government to listen to the content of our calls. The reason they claim they don't collect all the content of our calls is that they know people would be up in arms. But it's perfectly legal for them to do so according to the third party doctrine.


So I actually think Katz, which held that wiretaps were a 4th amendment violation, was wrongly decided, or at least makes no sense in the context of packet-switched VOIP. And I think that for the reason you point out: it's hard to reconcile Katz with third party doctrine, at least when AT&T has digital copies of your calls.

But ultimately this is the problem with inventing "privacy rights" out of thin air and duct-taping them to the 4th amendment, which has no such broad concept of "privacy." There are no broad principles to rely on, just case-specific hacks.


[1] In my opinion, privacy is obsolete in a world where people voluntarily give over to third parties every detail about their lives, but reasonable minds can differ on that point.

A free society can only accept the obsolescence of privacy if there's a suitable replacement that affords the same level of independence of thought and action.


AT&T's metadata about your calls is generated by AT&T's equipment, stored on its servers, and is generally not even accessible to you.

Two strawmen and a falsehood.

AT&T's equipment doesn't randomly go about generating customer metadata (given that much of the information is used for billing purposes, that's fraud). Rather, it is recorded based on the actions of customers AND those contacted by, or contacting, customers. Which is to say, it's a detailed record of activities of third parties (a large number of whom are not even AT&T customers).

In the case of data which merely transits AT&T's equipment, neither party need be an AT&T customer (instead some other telcoms provider is).

And the data collected is available through privacy rights, subpoena, or other processes.


> maybe third party doctrine is obsolete in a world where people voluntarily give over to third parties every detail about their lives.

In these types of analyses, the doctrine of reasonable expectation of privacy is a good candidate to supersede the third party doctrine. The argument would be: I reasonably expect that the third parties whom I entrust with my private data and metadata will not disclose it except as required by the courts.

The question then is whether this expectation is reasonable. One theory holds that any time you give your information to anyone else, it's the same as giving it to everyone. You have no reasonable expectations that someone else will keep your data private.

But that theory seems outdated to me. Participation in modern society is preconditioned on trusting others with our private data. It's not optional. (The response that "you can always live in a cave instead" is neither realistic, humane, nor consistent with the values of a free society.)

Not only must you allow third parties access to your private data, you rarely have a meaningful choice about which third party, or the ability to negotiate the terms. Where I live, there is exactly one ISP. There are a number of cell phone providers, but to my knowledge, none offer a privacy guarantee, and I can't negotiate for one.

Because we have no choice but to trust third parties, it seems morally right that we should have a reasonable expectation of privacy when we do so. You can voluntarily surrender your privacy, and that's fine, but you shouldn't be forced to do so in everyday circumstances. This is a subjective judgment, but it's one I make based on what I consider widely held beliefs about the nature of a free society.

> In my opinion, privacy is obsolete in a world where people voluntarily give over to third parties every detail about their lives

The relevance or obsolescence of privacy is a spectrum, not a binary choice. Right now, we have less privacy than we used to, but we are far from the point of it being wholly obsolete. Have you really thought through what that world would be like? Are you OK with the idea that your every word and action is recorded forever and potentially subject to scrutiny by everyone who will ever live? (Extreme as that sounds, it's what we mean when we say privacy is truly and wholly obsolete. Anything less than that is just partway along the spectrum. So be careful when you say something like "privacy is obsolete" without any qualification.)

Consider the stress imposed by 24-hour surveillance. Every moment of your life, you would have to dedicate part of your consciousness to calculating how your actions may be interpreted by others, some of whom may be hostile to you.

When you search for something on Google, do you want your coworkers, bosses, friends, and enemies making inferences about your thoughts? Do you want to give potentially hostile parties the opportunity to build a damaging narrative around what are in truth innocuous searches?

When you begin typing a sentence, and then revise it because the first version didn't express what you wanted it to, do you want your critics to be able to read the first version and make claims about your "secret, true intentions?"

When you have a drink with your friends in the privacy of your own home, and you make an off-color remark, do you want to be the victim of an Internet witch hunt after it gets posted to YouTube?

When a gay middle schooler visits itgetsbetter.org, do you want the bullies at their school to know about it?

When you read a political blog, do you want your boss with diametrically opposed political views to find out about it and pass you over for promotion, never telling you why?

You may think these scenarios are far-fetched. But they are all logical implications of privacy's obsolescence. As I said before, anything less extreme would be an adjustment to our current notions of privacy, not the obliteration thereof.

Now, if you're arguing for the latter (adjustment not obsolescence), that's different. It's only realistic to believe that ideas of privacy change over time. And we must think carefully about how they're changing, and whether it's for the best. But that's far, far different from surrendering to the idea that privacy is obsolete altogether.


>Consider the stress imposed by 24-hour surveillance. Every moment of your life, you would have to dedicate part of your consciousness to calculating how your actions may be interpreted by others, some of whom may be hostile to you.

That stress only need exist when the lack of privacy is asymmetrical. When everybody has dirt on everybody else, it gets a whole lot harder to shame someone.

I do find myself wondering what a completely post-privacy society would look like and how/if it would function...


> When everybody has dirt on everybody else, it gets a whole lot harder to shame someone.

That point of view is a credible hypothesis. Despite being a defender of privacy, I too have wondered whether perfect knowledge, perfectly distributed, might lead to some kind of utopia that we can hardly imagine.

But that's all speculation. I don't want to count on it. It seems equally plausible to me that the abolition of privacy will lead to a nightmare scenario in which everyone has dirt on everyone else, and it's ruthlessly exploited. Everyone is throwing stones from their glass houses. In that scenario, people would no doubt adapt. They would learn to calculate their every action, every facial expression. This is the source of the stress to which I alluded.


When everybody has dirt on everybody else, it gets a whole lot harder to shame someone.

Not really. The bounds of what we know about each other's behavior would just widen from "the things everyone shares about themselves" to "the things everyone actually does." There would still be people whose behavior falls within 1 standard deviation of the average/default/acceptable everyman. And they'll still shame everyone who does not.

It also puts a whole lot of glue onto the current social structures. Imagine a society intolerant of homosexuality with no privacy. Unless the dictator and most of his inner circle are gay, the fact everyone has dirt on everyone doesn't stop him from killing all the gays. When people can't express their secret orientation to each other in private, there is no way for gradual acceptance to be a thing.

Sure it's a contrived example, but someone already wrote about these problems [1] more clearly than I can in a quick break from work.

You could argue that this wouldn't be a problem in some societies. Even if we posit that it could work under some conditions, the properties necessary for it to work are not guaranteed by the abolition of privacy. And they sure as hell don't exist anywhere in the world today.

[1] http://www.wired.com/opinion/2013/06/why-i-have-nothing-to-h...


Part of the problem, I think, is that our concept of privacy is tightly linked with our physical embodiment. But our concept of self is no longer limited to our bodies. We conceive of our online avatars as ourselves. But our instincts about privacy haven't kept pace.


Right. Once upon a time, the physical control over our bodies and our personal property was an adequate definition of privacy. Yes, there were many corner cases, even two centuries ago, but it was "good enough" approximately always. Why make messy legislation over small problems? The Constitution never even tried to touch these issues.

Over time the importance of all those corner cases has expanded, and the increased rate of growth of that importance is downright dizzying in the last decade or two.

In today's world we have our old fashioned physical privacy (for the most part), and HIPAA to cover some narrow issues. That is it.

In our brave new world, we do not really own our financial transaction records. For the most part those are privately owned records in the hands of various profit-driven corporations, and some of them happen to send us a copy of a subset of those records every month.

rayiner (above) discusses this topic rather well. But I want to emphasize a different point: we can have privacy but we need to recognize we are basically starting from scratch. Trying to bemoan that the laws have been broken is counterproductive -- the spies have good lawyers and they have correctly identified gigantic legal loopholes. Even if privacy advocates win a few battles, the spies are still going to win the war, until we change the basic rules of the game with new legislation.


Another way to look at it is that we haven't worked hard enough to build tools that adequately help us either build a new intuition, or maintain the physical metaphors.

Perhaps more fundamentally, we haven't found business models to sustain the practice of thinking about digital tools in that way.


Remember when Nixon said "when the President does it, it's legal" ?

Well we've reached the point where the government is arguing whatever it wants to do is legal.

Of course metadata is surveillance, it is pretty darn obvious it is. It is just easier to spin.


I don't know about all cases, but in some cases, that's spot on. The Government doesn't need to know WHAT you discussed with Saddam Hussein, they just need to know that you were there at some time talking to Saddam to place you under the radar. In other words, 'information about information'.


And that's exactly how they're picking some of their drone targets, too. If you've talked to the leader of al qaeda, it doesn't really matter what you discussed (maybe he was just querying about the neighborhood or whatever), you'll probably end up dead.

So yes, metadata is very much "content", and can be very, very dangerous in the wrong hands.


That is the most ominous scenario, which is likely complete fiction (so far).

Finding the high value targets requires good detective work. Blowing up acquaintances is destroying good leads. The metadata creates leads, and helps narrow them down to a more promising and manageable subset.


I found Cory Doctorow's recent short screenplay on the topic quite fitting:

http://www.theguardian.com/technology/2013/jul/05/metadata-w...

(features Winston Churchill, Alan Turing and Theresa May)


The NSA has the actual data as well. The metadata is there to serve as an index, for easy searching.

Ref: http://www.wired.com/science/discoveries/news/2006/05/70944


"Metadata in aggregate is content" - Jacob Appelbaum


Quantity has a quality all its own. - Stalin.


Everything counts in large amounts - Depeche Mode


My cat's breath smells like cat food! - Ralph Wiggum


Welcome to the United Snakes

Land of the thief home of the slave

Grand imperial guard where the dollar is sacred and proud

...

The Cold Continent latch key child

Ran away one day and started acting foul

King of where the wild things are daddy's proud

cos the Roman Empire done passed it down

Imported and tortured a work force

and never healed the wounds or shook the curse off

Now the grown up Goliath nation

Holdin' open auditions for the part of David

...

Only approved questions get answered

Now stand your ass up for that national anthem

- Brother Ali, Uncle Sam Goddamn

... I usually never listen to rap, but if you think the US is screwed up, you have to listen to this: it's gold! https://www.youtube.com/watch?v=OO18F4aKGzQ


Don't usually expect to see Brother Ali lyrics on HN! It is a great song. If you're not a big hip hop head but wish to find more similar stuff, hit me up on twitter (@WickyNilliams), happy to recommend!


Somebody should start selling bumper-stickers with catchy phrases like this. I'd get one for my car.



I like it, but it won't resonate with my non-technical family.


Everyone assumes metadata doesn't include the source data.

Even a compressed copy of your telephone conversation isn't the actual call, just the 'metadata' describing how it is compressed...


The government does not care what we think it is.


How can we hide or encrypt Metadata?



