An unholy alliance

One of the most startling revelations of the past week – since the “Guardian” and the “Washington Post” began publishing in-depth articles about secret surveillance programs run by the NSA – has been the degree to which private companies are intertwined with, and supportive of, the data-mining nets cast out by intelligence services. It’s often tempting to separate one intrusive practice from another and argue, for example, that social network providers are more justified in collecting private data because of the voluntary consent of their users to the terms of use, or that government agencies can harvest vast troves of data as long as their work helps to protect us from whatever threat scores high on the alarm-o-meter that day. Rarely is the question asked how the interplay of different forces undermines our informational integrity, how politics and economics intersect. One of the most important consequences of the NSA leak is that it’s now possible to ask those questions without descending into conspiracy theories. There’s plenty of hard evidence.

Last Thursday, Ron Fournier, editor of the “National Journal,” summed up the NSA revelations with the following words: This decade “will be remembered for an unprecedented erosion of civil liberties and a disregard for transparency. On the war against a tactic — terrorism — and its insidious fallout, the United States could have skipped the 2008 election. It made little difference.” What Fournier didn’t add was the extent to which the erosion of civil liberties is rooted not only in Washington but also on the other side of the country, in Silicon Valley. The view that privacy discussions can be neatly separated into “threats from public authorities” and “threats from private companies” is quickly becoming less persuasive.

One of the documents leaked to the Guardian is a 41-slide PowerPoint presentation that gives new intelligence operatives a detailed overview of a program called “PRISM” – complete with a code name straight out of a John le Carré novel and a logo that could just as easily have adorned a wall on the “V for Vendetta” movie set – that details the extent to which the NSA can access information from the servers of private communications and social network companies, and the degree to which these companies are aware of the government’s surveillance activities and forced to act as facilitators. Since 2007, when the Bush administration ended warrantless wiretapping after public uproar, companies have gradually been asked to comply with the NSA’s request for continued access to stored and live communications. (For a detailed description of how PRISM requests are executed in practice, see this Washington Post article.)

Phone wiretaps have begun to look almost trivial

Public and private have entered an involuntary and unholy alliance: One side collects vast amounts of information on its users, the other side uses court warrants to scoop it up. It’s thus impossible to look at a program like PRISM without looking at the degree to which private information is already being stored and analyzed, and thus rendered intelligible, on company servers. The spawning web of social networks and communications platforms – from Facebook to email clients like Yahoo, Youtube, Skype, and Google – is a treasure trove for any intelligence operative. Compared to the wealth of data that can be harvested from tracing a person’s daily footsteps through the internet, the metadata of telephone communications has begun to look almost trivial. And it’s hard to avoid the impression that the gradual encroachment on privacy by private companies has rendered invasive surveillance not only more feasible but also more acceptable. Privacy is increasingly being turned from a central tenet of civil rights into one good among many: Privacy, security, profitability – where’s the difference?

This trend is especially evident when one considers a crucial difference between the recording of phone logs (the surveillance weapon of choice of previous decades) and today’s acquisition of social network data: The NSA’s PRISM presentation indicates that the agency actively tracked not just metadata (when did a person log into Facebook? For how long and which whom did they connect on Skype?) but actual communications content: emails, voice and video chat, file transfers, stored videos and photos. For everything not captured in the bullet point list of specific types of content, there’s a catch-all “special requests” option. While intelligence agencies must seek court approval prior to extracting this information, the Foreign Intelligence Surveillance Act provides for the option of blanket approvals, valid for up to twelve months and authorizing the NSA to collect almost any type of information. Congressional oversight is spotty at best, and often non-existent. The main purpose of classifying government documents apparently isn’t to protect a country against foreign interference but to hide from its own citizens the insidious practices of intelligence operatives.

Company spokespeople have been busy denying any knowledge of the program whatsoever. Almost all big names in the business have been implicated by the “Guardian” report except for Dropbox (which was due to be added to the PRISM program this year) and Twitter (which wasn’t explicitly mentioned). The leak comes at a particularly inopportune time for Silicon Valley: Debates about the role of privacy have spread from groups of tech aficionados into the mainstream and have even prompted Microsoft – coincidentally the first company to become part of the NSA’s surveillance program in 2007 – to launch a worldwide ad campaign with the slogan “Your privacy is our priority.” The nervousness is understandable: The digital ecosystem thrives as much on the ability of companies to generate profits as it thrives on user adoption. Without the willingness of users to share information about themselves on Facebook, the whole thing collapses like a house of cards. Instagram had to find out the hard way that users don’t like to be treated as mere data mines: When the company changed its terms of use in 2012, hundreds of thousands of users steered clear of the photo service to prevent their photos from being used for advertising purposes without prior consent. Today’s challenge is even greater: It’s simply bad business to be seen as a facilitator of classified government surveillance programs.

All of which leads to the following paradox: On the one hand, private companies and the government share a basic prejudice against privacy; the former out of business considerations, the latter in defense of “national security." The business model of the New Economy can only thrive if the economic exploitation of private data – rather than its protection – is a company’s priority. Yet on the other hand, internet companies remain at the mercy of their users, many of whom are growing more skeptical about the erosion of their privacy. And the NSA leak has suddenly created a landslide.

The relative monopoly position of Facebook and Google insulates the companies (and others like it) against mass exodus, but only to a degree. It’s certainly true that for many people a complete withdrawal from the social web is practically unfeasible and also undesired. But it’s important to remember that Facebook and Co. aren’t an “all or nothing” platform. A user may choose the degree to which private information is shared and with whom it is shared. Strictly speaking, Facebook’s business model relies not on the number of registered profiles but on the amount and type of information that flows across the network on a daily basis. The less time I spend online, the fewer links I click and the fewer “likes” I leave behind, the less I am worth from an economic perspective: Facebook cannot demand high prices for selling ads against dormant or low-activity user profiles. User skepticism undermines the business model of the New Economy.

The best bet is a change in policy

But despite the immensely powerful position of organizations like the NSA, it’s probably easier to change government policy than it is to ask private companies to be more protective of their users’ data. One important reason is that under the law (in this case, the Patriot Act, the Foreign Intelligence Surveillance Act, and the FISA Amendment Act), companies can be forced to comply with government requests for data. As long as the Justice Department and the Office of Legal Council rule that the executive branch has the legal rights to collect information, and as long as the secret court tasked with approving wiretaps and surveillance requests okays the agencies’ request – which is does in virtually all cases–, the NSA’s henchmen can force private companies into compliance relatively easily (although it remains to be seen whether participation in the PRISM program wasn’t a bit overzealous). On the rare occasions when a company mounts a defense of user privacy, courts can impose steep fines. In September 2012, a judge ordered Twitter to turn over all user information of an “Occupy Wall Street” activist after the government subpoenaed the company. Arguments about the dubious legitimacy of blanket surveillance programs carry little weight if their legality is affirmed by the courts. The fact that most of the relevant server infrastructure is also housed in the United States further strengthens the legal authority of the government.

The second reason is that an erosion of privacy is baked deep into the business model of the New Economy but is only an ephemeral political feature: If Facebook and Google cannot monetize private data, their business fails. It’s unlikely that they will voluntarily agree to changes in their data collection and storage patterns that would, for example, make it impossible to link internet browsing histories back to an individual user or that would add an expiration date for certain types of personal data (which could serve as an indirect safeguard against government surveillance as well). In Europe, national governments and the EU are now beginning to respond to concerns over online privacy by imposing limits on private companies that collect user data. But those initiatives indicate a shift in regulatory policy rather than a change of heart of the internet industry.

By contrast, governments may wish to access private data more easily, but the functioning of the government does not depend on intrusive access. Daniel Ellsberg, the whistleblower who leaked the Pentagon Papers to the “New York Times,” recently recounted the effect that his actions had on the political climate in the United States: The protracted court battles between the “Times” and the government (the courts ultimately sided with the free press) led to a more narrow interpretation of the Espionage Act and an increased awareness of the importance of checks-and-balances on government secrecy.

The malleability of government policy is where hope takes root: The wiretapping of AP reporters and of the email account of one Fox News reporter, James Rosen, have led to forceful rebuttals from media organizations and moved concerns over intrusive surveillance practices back into the mainstream. Newspaper revenues may have been declining, but the editorial pages of the national newspapers still matter (and the past week has provided us with a startling example of why professional and mainstream news organizations are sometimes irreplaceable). We are now talking about the value of privacy once more – a decade late, but better now than never.

The first challenge is to broaden the discussion beyond the immediate context of each case: The problem is not a misjudgment in the Justice Department in case X or Y, but a systemic overreach of the executive power, a system of checks and balances that appears to be rotten to the core, and a lackadaisical attitude towards those who warn against the dark underbelly of the online sharing culture. The second challenge is to translate discussion into action that allows us to address privacy comprehensively by increasing the oversight of public and private actors, and by organizing resistance against national security discourses and against post-privacy dystopians. Sinister intelligence operatives might seem like the only group we have to fear, but their snooping would be impossible without the (involuntary) support they receive from young entrepreneurs who have long abandoned traditional privacy ideals. Both approaches are ultimately political: Their success depends on the strength of coalitions that render the status quo politically costly and infeasible. That means tight limits on government-sponsored surveillance, and increased regulation of private companies that now store the vast majority of private data. Unless gains are made on both fronts, privacy remains precarious at best.

This article was first published in The European on June 11, 2013