Outrageous and possibly illegal. That's what Google's executive chairman called the latest chapter in the NSA saga – news that the NSA not only requests data from big tech and telecom companies, but also secretly hacks into their private lines. Yet, last week, seven privacy groups unmasked the real privacy villains in this story and filed a complaint against them with a federal agency.
Who are those villains? Google, Facebook and Apple – in other words, the victims of hacking. The complaint says those companies should have done more to thwart the NSA.
These privacy groups aren't the only ones blaming private companies for the NSA's actions. Advocates have told both the Washington Post and the New York Times that large tech companies are partly "responsible" for the NSA surveillance programs because they have "ad-supported business models" that entice the NSA to their data. The advocates then invoke their long-term pet project of regulating behavioral advertising, claiming "we need to focus upon the activities of the private sector as well" because "[i]t's hard to fix government access." Essentially, privacy advocates argue, these companies are to blame for enticing the NSA with all the data they collect.
There are two problems with conflating the NSA's surveillance with Facebook and Google's advertising strategy: First, it signals a complete ignorance of technology and of how people use the Internet today. Second, it reflects political incompetence. By pursuing this strategy of conflation, advocates are undermining their credibility and imperiling their own larger efforts to advance privacy.
Their argument is based on undefined fantasy – not hard facts. Limiting bulk data collection by private companies — whether they advertise or not — would do little or nothing to limit the NSA. Even when advertising is not involved, private companies must collect huge amounts of data merely to provide the most basic services.
For example, Edward Snowden's first disclosure revealed Verizon's sharing of phone-calling metadata with the NSA. Merely to connect calls, Verizon must collect data on who is calling whom. That data exists, and entices the NSA, regardless of advertising.
The second disclosure, called the PRISM program, concerns a still-disputed allegation that the NSA has "direct access" to the servers of Apple, Yahoo, Google, Microsoft, and other companies. Like Verizon, these companies must collect a lot of data to provide basic service. Users of iCloud and Dropbox cloud storage services entrust their photos, documents and videos on Apple and Dropbox servers. Indeed, the whole point of both cloud storage services, neither of which relies on advertising, is to store this very data online. Users of iCloud Mail want all their mail available to them whenever they are online, whether or not those services run ads, meaning the email must be online. Users of Google Maps or Apple Maps must reveal their locations and destinations to use the service at all, whether or not advertising is involved. Every site must still know your IP address to send back the content you want, whether they merely log it or also use the IP address in making advertising decisions. We know now that if data exists, even for a split second, even if never available to advertise, the NSA will attempt to get it.
The only way to eliminate the NSA's access to this data would be to shut down phone calls, cloud storage, web mail, maps and other services — or at least very radically hobble them. That is, the issue is much harder than privacy advocates let on, and not amenable to an easy fix.
But the logic of these privacy advocates' argument isn't simply wrong – it's dangerous. Their vilification of tech companies provides the NSA and other agencies valuable political cover in a variety of forums —cover that the agencies use to defend governmental bulk collection and mass surveillance against privacy concerns. Essentially, the advocates are cutting their noses to spite their faces.
What's more, the advocates are undermining the only political coalition that could possibly bring about meaningful change: a coalition including citizens, advocates and service providers. Many of those service providers, including Google and Yahoo, have gone to court to increase transparency, issued transparency reports regarding their compliance with government orders (transparency still limited by secrecy laws), and have invested in lobbying and education to update and strengthen the law governing access to users' data by law-enforcement.
A political combination of corporations and individuals — of lobbyists and activists — is far more likely to succeed than divided groups wrongly squabbling about the off-topic issue of behavioral advertising.
Of course, the issue of commercial privacy is important; users should have meaningful and informed choices about their privacy. But there is a crucial difference between commercial entities seeking to make some dimes off a user via potentially creepy ads and governments with an all-seeing spy system that could empower it to jail, suppress, blacklist and kill citizens.
Falsely equating the NSA overreach and Apple's business plan does nothing to advance the debate on commercial privacy and offers no solution to government surveillance concerns.
Those concerned about intelligence agencies' data collection can only succeed if they strike at the root — proposing laws to govern those agencies' actions — rather than flailing after their potential allies with mistaken equivalences and nose-less faces.
Photo Credit: Lance Albertson