The battle at hand is less man against machine, more man against The Man.
At issue is how much of what’s revealed about you through your digital life is harvested by robots working for government investigators and corporate marketers.
Privacy types think they’ve been losing. They’ve fought in courtrooms and on Capitol Hill with uneven success, including a fresh loss last week.
Many argue that anything short of a win on those fronts means a virtual occupation of your secrets, that citizens and consumers deserve stronger rights to know when they’re being tracked and how to control it.
Never miss a local story.
Enter the guerrillas.
“It’s time to fight back,” said Ben Grosser.
He’s a professor of new media at the University of Illinois, an artist and an online provocateur intent on alerting people about how they’re exposing themselves to snooping — and on fouling up the works of government and corporate surveillance.
When former National Security Agency contractor Edward Snowden leaked classified material exposing U.S. government surveillance programs four years ago, Grosser said, Americans got a chilling sense of the erosion of their privacy.
So he wrote a program called ScareMail that adds an extra passage to your emails. You write your message. The software dumps nonsense text — “… His domestic nuclear detections felt like securing a Tsunami Warning Center like me …” — below your signature.
That randomly generated gibberish is chock-full of search terms pulled from a Department of Homeland Security document.
If enough people threw enough alarming emails across the internet, Grosser imagines, folks at the NSA might conclude it’s not worth scouring so many messages. Too many needles planted in the haystack.
“If they want to find that person who plans to attack the United States, they can do actual, targeted police work rather than just looking at innocent people’s email,” he said.
A workshop next month at New York University sponsored partly by the National Science Foundation reads like a training camp for insurgents.
“Obfuscation strategies offer creative ways to evade surveillance, protect privacy, and improve security by adding, rather than concealing, data to make it more ambiguous and difficult to exploit,” its webpage says.
One presenter, for instance, has made his name in art works of stealth fashion. They’re ostensibly designed to thwart facial recognition with pixels on a scarf, or to hide from thermal camera detection using an “anti-drone burqa” — the ultimate tin-foil hipster hat.
Ultimately, the success of any rearguard action will need numbers. Before you can force Google and Bing to stop collecting information, critical to their business models, you need legions to take their Web searches to alternatives such as DuckDuckGo that don’t collect data.
Users of services like Signal Private Messenger will only draw more scrutiny for their users until millions sign up, forcing all messaging apps to use end-to-end encryption.
“It has to be easy so a lot of people will use it,” said Alice Marwick, a fellow at Data & Society, a group focused on the nexus of culture, technology and public affairs. “It’s only when you have a lot of people taking action that anything changes.”
For those anxious about Big Data’s ability to create intimate portraits of us, the stakes are high. As an example of the perils, they note research hypothesizing that even if you shun social networks, information about your friends on Twitter and Facebook might unveil your sexual orientation.
“We make these micropayments of privacy all the time,” said Richard Ford, the chief technology officer for cybersecurity firm Forcepoint. “As a society we seem to be very accepting of that. … Now as a society we’re working at it and wondering how we want to come to terms with that.”
Some people play defense. They tightly manage how they use the internet. Even experts such as Marwick say it requires sophistication and the sacrifice of some services to prevent data mining. Not everyone has the smarts or patience to use privacy browsers such as Tor, to bother with so-called pretty good privacy to encrypt their emails or to work only on virtual private networks, VPNs, that mask their back-and-forth of bits.
Advocates argue it’s worth the effort. They look to services like Kansas City-based SpiderOak. It gives you a place to remotely store things in the cloud, much like Google Drive or Dropbox. While you can encrypt files you store almost anywhere, SpiderOak couldn’t get into your files if it wanted to because only its customers hold the code-busting keys that make them readable. Experts say only a weak password could make you vulnerable in such a set-up.
You pay a tad more, $12 to store a terabyte for a month. SpiderOak says users big and small are warming to the premium. Its clients range from ordinary consumers to the Defense Department. Alan Fairless, the company founder, said a new Semaphor service it offers for encrypted chat and file sharing has become particularly popular with journalists after an election notable for hacks and data leaks.
“The campaign made everybody realize that email is not very secure,” he said. “We need to move to other communication tools.”
Yet privacy groups think that in a technology arms race, the big players will ultimately dominate even the most clever insurgents. The inevitable cat-and-mouse gives a sense of how consuming a guerrilla war could become.
EyeVerify, a Kansas City firm that uses an “eyeprint” as the key to unlocking a device, champions its technology as a shield to keep snoopers at bay. But to work, it’s got to fight spoofing that might use a photograph or video to mimic your eyes and trick your phone into unveiling your secrets.
So the company had to build machine-learning into its product to “determine liveness — that is, whether the camera is seeing a real, live eye or just a picture, video or other fake representation of someone’s biometric,” EyeVerify founder Toby Rush said in an email.
The iffy nature of protecting your phone or any other place you store information shows how iffy a game of data hide-and-seek can be. That’s why some privacy groups say relying on winning a technology competition can’t succeed on its own.
They believe, for instance, that something like ScareMail is unlikely to draw enough users to make keyword searches pointless. It’s more likely to draw scrutiny only to hacktivists trying to fog the scene.
Instead, they want a rules change.
“Protecting privacy is more of a policy question than a tactical one,” said Marc Rotenberg, the executive director of the Electronic Privacy Information Center. “You need a macro solution to a macro problem.”
The group shares advice on how to protect your privacy with defensive measures — encryption, virus protection, password management. Rotenberg thinks going on offense deploying software or other tactics against data miners is bound to lose.
Other privacy advocates agree that regulations will ultimately prove to be the killer app for their side. Some people employ often-cumbersome methods to make sure websites can’t track their comings and goings, or they avoid using services that insist on permission to use a phone’s camera or GPS readings.
“We should be able to get cool apps and functions and have our privacy, too,” said Jay Stanley, a senior policy analyst for the American Civil Liberties Union.
Still, he said, national politics aren’t moving toward more consumer privacy.
On Thursday, the Republican-controlled Senate moved to repeal pending Federal Communications Commission rules that would force internet service providers to get your permission before harvesting and selling data on web-browsing patterns and geo-location information.
In that environment, said one longtime online privacy advocate, guerrilla tactics begin to make sense.
Joseph Lorenzo Hall, the chief technologist for the Center for Democracy & Technology, said that’s an argument for taking on software with software.
“We’ve been fighting to pass (stronger privacy) laws for years,” he said, “but there is no way anything like that is going to move today.”
In the end, computer scientists say, the machines will outrun us. They represent brute-force calculations that only get harder to beat.
“If the goal is to walk through the world and not have computers track you and know who you are and more and more about you, that’s unattainable,” said Dan Wallach, who teaches and manages the computer security lab at Rice University. “The computers are going to win this war.”