Hey netizens, doing some research, and I'd like to ask you a few questions.

What do you consider to be the biggest threats to online privacy in the world today?

If there were one thing you could have visibility into the practices of, what would it be?

@thegibson I'd break the question into a few parts:

- WHO or WHAT represents a threat? Actors.

- What MECHANISMS does that threat manifest as?

- What ACTIVITIES contribute to this?

- What specific RISKS are prresented?

Possibly a few others, though I'll try to hit on these points.

1/

@thegibson I'd also like to take a stab at how privacy and surveillence are related.

Confirming against the OED, though my use differs somewhat.

"Private" and "public" are essentially opposites. Public is "of the people as a whole", whilst "private" is "not public" or "specific to an individual or group".

"Surveillance" is interesting, and I quote: "Watch or guard kept over a person, especially over a suspected person, a prisoner, or the like."

2/

@thegibson The working definition I've had of "privacy" as a capacity or power doesn't seem widely used, though it's generally conformant with usage:

"The ability to define and enforce limits on the sharing or distribution of information, secrets, or data."

I'm working with that as a foundation, in case anything that follows isn't clear.

3/

@thegibson As to _why_ privacy matters, I'll borrow from Paul Baran in 1966:

"Privacy is really the right to be wrong, then go on and live the rest of your life, without having it mark you forever"

invidio.us/watch?v=FwaDvJYZTVk

Baran is one of the inventors of packet-based switching, the foundation of the Internet, and worked at RAND in the 1960s. His writings there are freely available online, many address social concerns of computer networks:

rand.org/pubs/authors/b/baran_

4/

@thegibson There's also the relationship between _stress_ (and all its consequences), and _agency_:

the ability to perceive and to change the environment of the agent, but crucially, it also entails intentionality to represent the goal-state in the future, equifinal variability to be able to achieve the intended goal-state with different actions in different contexts, and rationality of actions in relation to their goal to produce the most efficient action available.
en.wikipedia.org/wiki/Agency_(

5/

@thegibson I'm going to hand-wave a bit and say that privacy is a key component of agency. If anyone has issues with that, hit me with a question and I'll try explaining in more depth.

There are also notions of _vigilance_ and _alertness_, and of _harassment_, "to vex by repeated attacks"
etymonline.com/word/harass

Simply being under observation, _especially_ by a potentially threatening adversary, is a form of harassment and intimidation.

There's Bentham's Panopticon, a literal prison.

6/

@dredmorbius I have not yet disagreed with any of your assertions. Agency does require privacy.

@thegibson There's also the notion that information overload is a form of attack. I'm going to build off my earlier comments and claim it is an attack on _agency_. Specifically, it confounds (and overloads) the ability to perceive the environment.

Alvin Toffler's "Future Shock" explores many of the dynamics of this, in 1970, and is surprisingly prescient.

Awareness of surveillance is a form of information overload, especially of _unseen_ surveillance, or surveillance one cannot avoid.

7/

@dredmorbius causes social chilling... just ask the East Germans.

@thegibson So one effect of surveillance is simply on individual behaviours.

And of course, group behaviours are aggregated (and emergent) individual behaviours. So: surveillance also affects group behaviours.

This is before considering the _actions enabled_ based on surveillance. Call it the observer effect: if you watch people, or animals, their behaviour changes. Again, Bentham's Panopticon is predicated on this.

Small animals, birds, reptiles, and fish will scatter.

8/

@thegibson Then there's what information does for the surveillor.

I'd like to address a common and ancient myth: knowledge is not power.

Knowledge is a power *multiplier*.

If you have no power to act in a situation, then more knowledge does _not_ give any advantage.

If I tell you that the Sun will go nova tomorrow, there is nothing you can do to save yourself or stop it. (Though suicide might be an option.) There is no other potential for human action even collectively.

9/

@thegibson For any given entity -- a person, organisation, government, firm, group, mob -- information can inform about the environment, express desire, and provide feedback.

*Information guides intent.*

The first widely used computer systems were used for government census and military fire control. The first acquires information on a dispersed envrionment, the second focuses intent, literally.

Business accounting and modelling were other early uses, both again informational.

10/

@thegibson Just to round out cases: you can use computers for control systems (industrial processes, remote control, guidance systems), for communications (e.g., Mastodon), for sensing, for _processing_ received data, and for detection -- spotting incoming threats and taking action.

Communications -- well, just read Sun Tzu on the Use of Spies. You can both receive _and_ transmmit information, to your advantage.
suntzusaid.com/book/13

11/

@thegibson All of which has been a bunch of stage-setting to get to this point:

The more capable, powerful, flexible entity will, in general, gain a larger benefit even under _equal_ informational access.

They've got more means to attack, distract, deflect, confuse, and predict. If information is equal, _their_ power is magnified more than _yours_ is.

Yonatan Zunger, chief architect of Google Plus made this point some years back (not sure if archived). That's stuck with me.

12/

@thegibson And of course, information _isn't_ equal -- your more-powerful adversary is also going to have a vastly superior information gathering and processing capability.

They are also very likely to have something you don't have: immunity or impunity.

Impunity is the ability to act without regard for harm, though not necessarily without risk.

Immunity is freedom from risk, often by a legal shield, though various forms of distance can apply.

The powerful write law in their favour.

13/

@thegibson There are some potential levellers of these risks.

Highly-organised, complex, and multi-party entities (states, businesses) can be strong but brittle, and be highly loss-averse.

Loosely-organised, simple, and collective entities (mobs, the public, irregular military forces) may be relatively weak, but resiliant against attack, and more able to face risks.

So David occasionally trumps Goliath.

Enhancements in ranged and automated attack systems makes that increasingly costly.

14/

@thegibson The actors in surveillance are generally: individuals and the public, against an array of surveillance threats: state (domestic and foreign, allied and opposed), corporate, non-state, criminal, and private actors.

Keep in mind that the powerful themselves are affected by this: governments, government agencies (US State Dept, NSA, GSA), companies (Sony, TJ Maxx, Equifax, .... basically every data breach evar), generals, presidential candidates, congressmembers, judges ...

15/

@thegibson ... Jamal Khashoggi, Jeff Fucking Bezos ... have all had data breached.

The Panama Papers, Mossack Fonseca, Paradise Papers, Implant Files, etc., etc.

Not as devastating as many may have hoped, but painful all the same.

But yes: The Powerful and The Establishment are getting their buts kicked and are paranoid.

And The World's Richest Man can't keep his smartphone secure.

Just ponder that for a few minutes.

16/

@dredmorbius
Getting their butts kicked? They're get more rich and more powerful, every yearly stat shows it. That is *despite* whatever leak and 'scandal'. No consequence came out of the revealing of their crimes. Also, Vladimir Putin is the richest man on the planet and it seems he kept his shit protected and mostly secret until now.

@zeh Butts kicked in the sense that they cannot control access to devices or exposure of data.

They're susceptible as anyone, largely.

@dredmorbius
Yes, that may be, but the larger point is that they may be technically vulnerable but not otherwise, not in terms of power. Exposure is not significant to rich people because of their power, they are not impacted much, they do not suffer consequences.

@thegibson But generally, the powerful have, well, _power_:

- Financial wealth that can be deployed on short notice. 40% of Americans can't cover a $400 emergency expense. Facebook's purchase of WhatsApp for $19 billion *in cash* compares against 40 million Californians * $400 or $16 billion. One person controls more purchasing power than 40 millions of the public.

- Political clout. "Wealth, as Mr Hobbes says, is power", wrote Adam Smith in 1776. It's not a direct conversion, ...

17/

@thegibson ... but money buys representation, laws, treaties, embassadorships, and occasionally favours, court cases, and other elements.

- Though state and business power are often portrayed as independents, sometimes opposites, the truth is that they often work together.

There are companies with, or at times (Academi, formerly Xi, formerly Blackwater) _as_ military forces. Companies can drive prosecutions (Aaron Swartz, Jackson Games). They have greater access to courts.

18/

@thegibson And often can bypass courts entirely through binding arbitration "agreements" (take-it-or-leave-it conditions, changed at will).

And they've got computers.

Their unit for computing power is the acre (or hectare).

You have a smartphone. Facebook has at least a dozen datacentres, totalling over 15 million square feet (344 acres, 140 hectares, 1.4 km^2, over half a square mile).

Google has 19, with over 2.5 million servers (2016).

Amazon: 22 regions, 69 availability zones.

19/

@thegibson What enterprises bring to the fore is discretionary revenue-generating capital, in a way that even major governments have difficulty matching, especially with requisite talent, that commercial firms can generally hire away with better compensation.

The NSA can build data storage monoliths in the middle of Utah. But it's got to pay Booze Allen Hamilton to hire Edward Snowden to administer it.

What could possibly go wrong?

Which gets to another point that applies globally:

20/

@thegibson There are very few geniuses, evil or otherwise. Mostly you've got organisations and individuals operating fallibly, seeking refuge in counterparties' incompetence, and general immunity and impunity.

Terrorists operate much the same: they're not immune to bullets and bombs. But most of the time they can pretend they don't exist.

(That's ... gotten a lot harder with drones. So now they're getting their own. Which are now cheap. Interesting times....)

21/

@thegibson Yes, Google, and Facebook, and Amazon, and Apple, and Microsoft, have some pretty smart people.

They've also got a bunch of idiots.

Worse: they've got a _lot_ of True Believers. Which is a problem because True Believers don't Question the Mission or Leaders, and that can lead to all kinds of issues.

I've watched that particular disease afflict Google over the past decade or so, and it's been kind of sad. There's a countermovement, but it will likely fail.

22/

@thegibson Facebook is if anything worse. Amazon, given that Bezos is _such_ an asshole, seems to actually fare slightly better: people know they're there for the money, not the mission. Not drinking the Cool-Aid can be a benefit.

Apple is mixed bags, though I'll note that the term "Reality Distortion Field" was born there. Do the math.

Microsoft used to be staffed by a mix of True Believers and FYIFVs. After the DoJ and Ballmer years, that improved, though groupthink seems back.

23/

@thegibson The scary thing about government is that, well, it has sanction of law.

And it's not just Big Government -- national level -- that should be a concern. There's little more oppressive than petty, prissy, local politics at the city, regional, and state level. Remember that virtually the entire Civil Rights debate occurred at this level.

And cooption of local and state governments by business is also common. The history of Montana, Texas, and W. Virginia stand out especially.

24/

@thegibson Worse: pervasive data means that politicians, bureaucrats, judges, sheriffs, chiefs of police, selectmen, aldermen, supervisors, and more, are all subject to manipulation.

The first generation of MySpace and Facebook politicians are coming on-line. These people have pasts *and the texts, pics, and vids are available.*

Maybe we'll all develop a tremendous amount of tolerance and acceptance.

Increasing purity tests, across the political spectrum, suggests otherwise.

25/

@thegibson Having officeholders in positions of responsibilities with closets full of secrets which might break loose at any moment ... is not a good look.

Much of the (flawed) rationale behind barring individuals with specific personal inclinations and behaviours from public service in the 1950s-1970s was that they might be blackmailed.

If you cannot live openly with a secret, then someone who knows that secret can influence you. Perhaps a little, perhaps a lot.

Russia loves this.

26/

@thegibson Kompromat: damaging information about a politician, a businessperson, or other public figure, used to create negative publicity, as well as for blackmail and extortion.
en.wikipedia.org/wiki/Komproma

A little pain can be a powerful thing. Barbed wire fences don't work by killing cattle, but they will suffice to corral a herd to the slaughterhouse.

Many politicians hold their seats through a fluid and narrow balance of interests and powers. Find a way to put the squeeze on them...

27/

@thegibson ... and you can turn them any way you want.

One of the more disturbing scenarios describing current politics in the United States is that the entire political establishment is effectively controlled through covert knowledge and intelligence. I don't know if this is true. But even if it isn't now, it's quite possible that this will be the case in the future, either in the US or in other countries.

Which makes for a rather difficult time for democracy.

28/

@thegibson : a government in which representatives, bureaucrats, judges, and heads of state are beholden, in which their digital pasts hang over their heads, virtual swords of Damocles.

The same holds in business, in cultural institutions, in religious institutions, in the military, in healthcare.

And again: the Facebook Generation is coming of age, entered the workforce a decade ago, and is approaching positions of power and management.

29/

@thegibson So long as we're talking about government, let's dispense with another canard.

There's been a tremendous amount of misunderstanding, or more likely, deliberate misrepresentation about Max Weber's functional definition of government. The one you've probably heard of as "having a monopoly on violence".

The accurate translation is "the monopoly on the legitimate use of physical force."

All qualifiers are critical:

Monopoly: exclusive right.
Legitimate: sanctioned.

30/

@thegibson What happens if you take away the elements?

If there's no monopoly, then _any_ party can use physical force. Which bodes poorly.

If there's no _legitimacy_, then ... the use is illegitimate.

Incidentally, the definition is reflexive: whatever entity has a legitimate monopoly on physical force assumes the role of government.

One might hope that there is no physical force, but experience shows that is unlikely. Witness the long passages of "Wealth of Nations" discussing ...

31/

@thegibson ... corporate garrisons, the British East India Company's private army and de facto corporation-as-government rule of India, two centuries of corporate violence against labour union movements, incidents such as the West Virginia Coal Wars, the Pullman Porters Strike, the Battle of Johnson County, and more.

Drawing a line between government and corporate threats is at best indistinct.

More generally, they tend to operate in at least a loose alliance, if not more closely.

32/

@thegibson The notion of regulatory capture is well known: government departments established to control a given industry often end up being controlled by them. The misleadingly name Texas Railroad Commission is in the pocket of the state's fossil fuel industry (which it of course regulates). The FCC is captured by the telecoms industry, the FAA by Boeing, the FDA by PHARMA, and the FTC by the transport entities it regulates.

But the reverse is also true: government pressures business.

33/

@thegibson Or probably more accurately: the two strike up a mutually beneficial relationship. So you have (frequently) cozy relationships with the press, the aerospace sector operating closely with both the military and Nasa, and the telecoms industry serving national intelligence and law enforcement.

As Snowden's revelations made clear, that practice has been extended to the online world. Not always strictly voluntarily, but I suspect more often so than believed.

Again, a key point.

34/

@thegibson Painting "government" and "business" as separate threats is not accurate.

Business interests and opportunities create circumstances which government surveillance can leverage, often with direct and willing cooperation, occasionally through some degree of arm-twisting or coercion.

But the capabilities created by businesses serve government interests.

Often quite directly and deliberately, through direct policy. That's the story of NSTIC, the secret behind social media.

35/

@thegibson "The NSTIC proposes the creation of an “identity ecosystem” online, “where individuals and organizations will be able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities.” The strategy puts government in the role of a convener, verifying and certifying identity providers in a trust framework."

radar.oreilly.com/2011/05/nsti

That's in 2011.

Google launched its "Identity Service", Google+, that year.

forbes.com/sites/kashmirhill/2

36/

small question 

@thegibson Mind, outside that one interview, Google didn't discuss their "identity service" role, and you'll find _no_ mention of NSTIC by senior Google executives -- Schmidt, Page, Brin, or then G+ head "Vic" (not his Real Name) Gundotra.

A personal note: my reading of that interview was when I personally noped the fuck out of using my given name online. I'd already been dialing back for some years, despite decades of use.

If government and business are joined at the hip, so are others.

37/

@thegibson It's business and business practices which enable many black-hat actors to operate, including state and non-state actors, organised crime, terrorist groups, scammers, and more.

The state of digital security, starting at the chip and CPU level on out is ... poor.

Intel's pursuit of higher performance via ever-more-sketchy memory tricks has saddled the entire PC, laptop, and server industry (all but entirely dependent on Intel chips) with a massive security hole spanning years.

38/

@thegibson Mobile comms hardware (especially phone chips, but also WiFi and Bluetooth) and software drivers are often proprietary messes. Operating systems and app have their issues, with exceedingly poor patching and update capabilities. It's quite possible to buy a brand new device with an already obsolete OS, never receive vendor updates, and be unable to update or install independent updates.

And of course the Web has become a giant malware distribution slash surveillance network.

39/

@thegibson Government policy limits access to strong encryption, seeks backdoors, and generally further hinders good security practices.

Such that the Richest Man in the World finds his smartphone hacke personally by the murderer of Jamal Khahshoggi.

Celebrities have their intimate photos shared with the world.

China hacks Tibetan rights activists Gmail.

Russia hacks the personal email account of the manager of a major-party US presidential candidate.

Hackers stop global shipping.

40/

@thegibson Or, to wrap on ACTORS: Business, government, hackers, terrorists, scammers, stalkers: the ecosystem facilitates all of them, all of them are actively exploiting the system, most are mutually benefitting off each other.

There's no real separation.

The system is sick.

41/

@thegibson On threat Mechanisms:

Data lingers.

The amount created has been doubling every year for at least the past decade. 90% of all information ever recorded is less than 2 years old.

forbes.com/sites/bernardmarr/2

Most of that is automatically created via tracking and monitoring tools. IBM estimated 2.5 exabytes in 2016. Four doublings laters, that's about 20 EB, or about 2 GB per person on Earth, half of whom are online.

web.archive.org/web/2018082223

42/

@thegibson The amount _per person_ is highly variable, and the amount in structured datastores is a small fraction of the total.

But there's a lot of data.

AT&T have comprehensive call history logs dating to the 1980s, in a project known as Hemisphere:
eff.org/cases/hemisphere

For those of you alive at the time, it's likely you don't even remember the phone number(s) you had during this period.

AT&T knows. Every. Last. Call. You. Made. Or. Received.

And shares the information.

43/

@thegibson Not with customers. With law enforcement and intelligence.

So, you did nothing wrong, right?

But ... suppose someone you talked to, once, 30 years ago, comes to the interest of some police or sheriff's department somewhere. Or the FBI, or CIA, or NSA.

You're no on a list. And your call history is being filtered. For any signs of possible interest.

There's a phenomenon that comes up in healthcare testing and systems monitoring when looking at things for the first time.

44/

@thegibson Even for something that's behaving perfectly normally, you'll find odd stuff.

Shadows on X-rays or imaging. Weird results or records in system logfiles. Unexpected network connections.

If you've ever had medical images made (and eventually you will), most of the reading is usually the doctor saying "there's something here but that's probably not important". There's a lot of stray noise.

When you start digging through a person's life in data, it's the same: lots of noise.

45/

@thegibson Interesting noise, but really, nothing significant.

Except ...

... if you've got someone who really _wants_ to find something, they can, and will.

In the worst case, a set of vague impressions can be strung together into a compelling narrative to tell a story. There are "facts", in the form of data artefacts. They don't _really_ mean anything. But there's this weird thing about people.

We tell stories.

And we believe the stories people tell us.

I mean, _crazy_ stuff.

46/

@thegibson You've probably heard a story about a boy born on a faraway planet who came to Earth, flew through the sky, lept over tall buildings, and saw through walls.

Or a boy born in a galaxy far, far away, who uses a mysterious "force" to manipulate objects, guide his fighter craft, and pals around with androids, walking carpets, and glowing swords.

Or a boy born in England with a strange scar on his forehead and magical powers.

And you didn't immediately jump up and yell "Bullshit!"

47/

@thegibson And don't even get me started about the girl who got pregnant from an alient who came down from the sky....

You _listened_ to the stories (or read them, or watched them). You _enjoyed_ them. You may well have obsessed over them, and talked for hours about what they meant, or what was real or fake within the story (um ... _all_ of it?).

This is what makes a lair's job so easy: We Want to Believe.

And if you've ever run into a pathological lair, and realised it ....

48/

@thegibson .... it's _really_ disconcerting. You'll question your own sanity before you'll confront a lair.

And when someone in a position of authority spins a lie -- or worse -- _believes_ the lie they're spinning. Shit gets weird fast.

"If one would give me six lines written by the hand of the most honest man, I would find something in them to have him hanged."

mastodon.cloud/@dredmorbius/10

There's a *reason* I've had Cardinal Richelieu's quote on my online profiles for near a decade.

49/

@thegibson Times change.

I'm ... old.

Old enough, at any rate, that I can remember racial and gendered slurs being dropped casually. Did that myself at times. Homosexuality's gone from fringe to mainstream. Cigarettes went from commonplace and accepted to rare. Visiting where smoking is generally permitted seems repellent, though I remember ashtrays in airlines and cars and restaurants and the homes of nonsmokers.

Cannabis is now legal in much of the US, psylocibin now in Santa Cruz.

50/

@thegibson Age of consent in various US states has been as low as 13. Hopping in a car after a couple of drinks, or a dozen, was once just what was done. Pressuring (or much worse) a date, or subordinate, or service worker, was scarcely noticed. Touching, teasing, or harassment were simply accepted.

Those now end jobs, careers, or land prison sentences. With big changes in only the past few years.

Mores, standards, morals, and laws change.

Sometimes with time, sometimes with place.

51/

Sign in to participate in the conversation
mastodon.cloud

Everyone is welcome as long as you follow our code of conduct! Thank you. Mastodon.cloud is maintained by Sujitech, LLC.