Read Black Code: Inside the Battle for Cyberspace Online

Authors: Ronald J. Deibert

Tags: #Social Science, #True Crime, #Computers, #Nonfiction, #Cybercrime, #Security, #Retail

Black Code: Inside the Battle for Cyberspace (8 page)


Many network service companies stress the protections they put in place around customers’ data. They insist that what is “theirs” is “yours” and use “I” and “my” as descriptors of their products and services. In practice, however, they treat our data as proprietary business records that they can retain, manipulate, and repurpose indefinitely. They see our habits (and us) as resources in the same way energy companies see untapped reserves of oil, for one simple reason: the online advertising industry is worth $30 billion annually. Whenever we surf the Internet today, depending on the browser we use and the settings we put in place on that browser, we give away pieces of ourselves.
A tracking-awareness project, Collusion, has developed a plug-in for browsers that demonstrates how often such “sharing” takes place, usually without our knowledge. If I were to visit, say, http://www.washingtonpost.com, the Collusion plug-in shows that it shares information about my visit with twenty-one other websites. One of those sites is Scorecardresearch.com, and it sells beacons to participating websites (like washingtonpost.com), which place a cookie in visitor browsers. Cookies are small bits of text deposited on your browser that act as “unique identifiers” or signatures that give website owners details about visitors to their sites: their browsing histories, locations (based on IP addresses), and so on.

In 2012, the Wall Street Journal conducted a study of one of the “fastest-growing businesses on the Internet” – spying on Internet users. In their look at surveillance technologies that companies use to track consumers, they highlighted fifty of the most popular websites in the U.S., analyzed all the tracking files and programs these websites downloaded onto their test computers, and found that on average each website installed sixty-four tracking files, generally without warning. The website that downloaded the most tracking software was http://www.dictionary.com: 234 files onto the Wall Street Journal’s test computer. A Dictionary.com spokesperson said, “Whether it’s one or ten cookies, it doesn’t have any impact on the customer experience, and we disclose that we do it. So what’s the beef?” Users concerned about leaving digital traces of themselves all over the Internet might disagree.

The small print included with many applications and/or service contracts provides a window into the underlying reality of this market. By agreeing to terms and conditions contained in documents that scroll by on the way to the “I agree” button, users give the companies involved nearly unlimited permission to handle their data. In many cases involving mobile apps, users even give the developers the right to collect whatever images a camera happens to be focusing on, the image itself, as well as the phone’s location. For example, the Facebook app developed for the Google Android smartphone, which has been downloaded more than 100 million times, has written into its terms of service the right for Facebook “to read SMS messages stored on your device or SIM card.” The Flickr app can access location data, text messages, contact books, online account IDs, who a person is calling, and even the device’s camera. In fact, the Flickr, Facebook, Badoo, Yahoo! Messenger, My Fitness Pal, and My Remote Lock apps can all access a user’s entire contacts book and record who that user is calling. To repeat, the reason behind this data collection is advertising. As Daniel Rosenfield, director of the app company Sun Products, testified in 2012: “The revenue you get from selling your apps doesn’t touch the revenue you get from giving your apps away for free and just loading them with advertisements.”

•  •  •

Few users realize how quickly big data about their communications accumulates in the hands of third-party operators. Malte Spitz is an exception. Max Schrems, an Austrian law student, is another. In 2011, Schrems asked Facebook to send him all of the data the company had stored on him. As he is European and Facebook’s European headquarters is in Dublin, Ireland, Schrems had the right to make such a request. Facebook dutifully sent him a CD containing 1,222 individual PDFs they had collected about him. The company had stored information on all of his logins, “pokes,” chat messages, and postings, even those he had deleted. On a detailed map, it had also stored the precise geographical coordinates for all the holiday pictures (in which Schrems was tagged) that a friend of Schrems had taken and posted using her iPhone.

Schrems discovered that Facebook stores dozens of categories of data about its users so that it can accurately commodify its customers’ digital persona for targeted advertisements. Some examples: the exact latitude, longitude, and altitude of every check-in to Facebook, which is given a unique ID number and a time stamp; every Facebook event to which a user has been invited, including all invitations ignored or rejected; and data on the machines used to connect to Facebook, so that Facebook can connect individuals to the hardware and software they use. Schrems eventually formed an activist group, Europe vs. Facebook, to launch complaints. This led to an inquiry by Irish privacy regulators and widespread media attention about the company’s privacy policies. The battles continue.

This relentless drive for personal information leads to extraordinary encroachments on privacy by social networking companies and ISPs.
Over the years, Facebook’s default privacy settings have been continuously adjusted downwards, mostly in increments but sometimes dramatically. In 2005, only you and your friends could see your contact information and other profile data. Only your personal networks could see your wall posts and photographs, and nothing about you was shared by Facebook through the Internet. In 2007, an adjustment was made such that your personal network could see more of your profile data. And then, in early 2009, a major shift took place: suddenly, all Facebook users were permitted to see all of your friends, and the entire Internet could see your gender, name, networks, and profile picture. Another dramatic change took place in December 2009: Facebook settings were modified such that users’ “likes” went from something exclusively seen by friends and friends-of-friends to the entire Internet. Months later, the same “all of the Internet” was extended to users’ photos, wall posts, and friends. Like a giant python that has consumed a rat, Facebook captures, swallows, and slowly digests its users.

The search for new sources of personal information has led down other frightening paths. In 2010, the Sleep Cycle app was thrown onto the market. It monitors the sleep patterns of users from their mobile phones, and works when the phone is placed on the bed of the user. The app monitors movements and other patterns that determine periods of deep sleep, dreaming, and light sleep. Thirty minutes before the alarm is set to go off, it begins monitoring for the lightest periods of the sleep cycle and then gently nudges users awake with soothing sounds, instead of honking alarm bells. Data about the night’s sleep is recorded and stored on the app’s servers. (Naturally, the app also has an option to “share on Facebook.”) Perhaps our dreams will be next, and then, worse, our nightmares.

The desire for big data is relentless, the temptations irresistibly strong, and in their lust for information about us many companies have disregarded basic privacy protections. Path, a popular social network, was caught uploading members’ mobile phone contacts to its servers without permission. Twitter has admitted that it copied lists of email addresses and phone numbers from people who used its smartphone application. (And, again, the information was stored on its servers without users’ permission.) A 2012 study by the mobile security company Lookout found that 11 percent of the free applications in Apple’s iTunes Store could access users’ contacts. In 2012, a class action lawsuit was launched against more than a dozen companies for selling mobile apps that uploaded users’ contact lists without their knowledge or consent. Facebook announced in December 2011 that it would post archived user information, making old posts available under new downgraded privacy settings as part of a new Timeline feature. Users were given just one week to clean up their histories before Timeline went live. The extraordinary (and brazen) announcement came only a few short weeks after a decision by the U.S. Federal Trade Commission found that Facebook had engaged in “unfair and deceptive” trade practices when it changed the privacy settings of its users without properly notifying them.

Google’s 2010 collection of private wifi data (described in the last chapter) was but one of several concerns users have had about the company’s ambitious data collection practices. If a user employs the full range of Google products – from Search to the Android mobile operating system to Gmail, Google Docs, Google Calendar, Google Hangout, and others (all of which are free) – Google’s consolidated management of the precise detailed information about each of its user’s movements, social relations, habits, and even private thoughts is truly frightening in scope and scale, especially in the event that any of these capabilities is abused, compromised in some way, or subject to external controls and manipulation. Such a scenario is not far-fetched. In the 2009 Operation Aurora attacks Google’s networks – including many Gmail accounts and some of the company’s source code – were compromised by China-based attackers. After the attacks, Google entered into a secret agreement with the NSA to review its security. “The company pinkie-swears that its agreement with the NSA won’t violate the company’s privacy policies or compromise user data,” wrote Wired’s Noah Shachtman, adding: “Those promises are a little hard to believe, given the NSA’s track record of getting private enterprises to co-operate, and Google’s willingness to take this first step.” Critics were hardly mollified when the U.S. Electronic Privacy Information Center’s (EPIC) freedom of information request to find out more about the secret agreement was rejected in May 2012 by a U.S. federal appeals court, which said that the NSA need neither “confirm nor deny” the existence of any relationship with Google. The world’s largest data collection company secretly partnered with the world’s most powerful spy agency, and no one outside of either institution knows the full details? It would be hard to conjure up a more frightening scenario.

Along with other social networking companies, Google has strongly resisted proposed European Commission regulations, colloquially known as the “Right to Be Forgotten,” which would require companies to provide users with the option to have removed all user data they collect, including metadata. The “Right to Be Forgotten” legislation may never pass, but it does bring up a major set of issues surrounding the retention of data.
Network operators and service providers vary in how long they retain the data they collect. Among mobile providers in the U.S., for instance, Verizon keeps a list of everyone you have communicated with through text messaging for twelve months, AT&T up to eighty-four months, Sprint for twenty-four, and T-Mobile for four to six months. The cellphone data that details a phone’s movement history through its connections to cell towers and wifi hotspots is retained by Verizon and T-Mobile for twelve months, Sprint up to twenty-four months, and AT&T for an indefinite period of time. With apps, the data storage times are even more uncertain. When Twitter app users choose to “find friends,” the company can store their address books for up to eighteen months. Most other apps say nothing at all about how they store user data, or how long they retain it.

Increasingly, laws regulate how long companies should retain data. The 2006 European Union Data Retention Directive makes it mandatory for telephone companies and ISPs to store telecommunications traffic and location data for law enforcement purposes for six to twenty-four months. All but three member states – Germany, the Czech Republic, and Romania – signed on to the law. One of its most egregious applications occurred in Poland. In its 2009 interpretation of the Directive, the Polish government gave its law enforcement and intelligence agencies the right to access data from private companies without any independent oversight, and without the government having to pay those companies compensation for the resources required to service those requests.
Polish NGO Panoptykon found that Polish authorities requested users’ traffic data half a million times more in 2011 than in 2010.

As the controversial EU Data Retention Directive suggests, the issue of what is done with all of the data we produce has become a critical public policy consideration. In a very real sense we no longer move about our lives as self-contained beings, but as nodes of information production in a dense network of digital relations involving other nodes of information production. All of the data about us as individuals in social network communities is owned, operated, managed, and manipulated by third parties beyond our control, and those third parties are, typically, private companies. In assessing the full spectrum of major social changes related to the information revolution, the entrusting of this unimaginably huge mass of civilian data in private sector hands ranks as perhaps the most important. As John Villasenor, a computer engineer at UCLA, puts it: “Most of us do not remember what we read online or wrote on April 29, 2011, or what clothes we wore that day. We don’t remember the phone calls we made or how long we talked, or whether we went to the grocery store, and if so, what we purchased there. But all of that information is archived, and if a pressing enough need were to arise, our activities on that day could be reconstructed in nearly complete detail by third parties.” All with our “consent.”

Today, just because something happened in the distant past does not mean that it is forgotten, and there is no statute of limitations on our digital lives. It is all there, somewhere, possibly even copied numerous times over in multiple places – an endlessly proliferating series of duplicates of everything we do located in the deep recesses of servers, forever open to manipulation. Big Data meets George Orwell’s Big Brother.

•  •  •

While the consumer big-data market touches us all directly, there is another world of big-data exploitation hidden in the shadows of military and intelligence agencies, and the many “fusion” and “analytics” companies that revolve around them. This other world of big data has its roots in 9/11 and in the perceived failure to “connect the dots” that led to that catastrophe: the widespread lament among U.S. defence, law enforcement, and intelligence personnel that the assault could have been prevented had the right people had access to all of the pertinent information. If only someone had been able to piece together emails and phone calls, a car rental, someone passing through a border checkpoint on a temporary visa from a country known to harbour terrorists, civilian flight school enrolment.…
