The right to not be spied on

Rehabilitating online privacy after Prism

Graphic: Dany Reede

In a world increasingly driven by the exchange of data over the Internet, the issue of online privacy is never far from the public eye. This is especially true recently, in the wake of the revelations about the extensive program of all-but-warrantless online surveillance by the NSA and similar organizations in other countries. The stakes are higher in this day and age – we are now more likely to do our banking online, for example, and the explosion of information giants like Google has made it easier than ever for organizations to draw sophisticated conclusions about you from a small amount of data.

An important point about the Edward Snowden leaks that has not been widely publicized is that modern data analysis is so powerful that big inferences can be drawn from relatively small amounts of information. A well-known paper published in 2000 by Latanya Sweeney found that 87 per cent of Americans can be uniquely identified by the combination of their ZIP code, gender, and date of birth – all of which are generally considered public information. The paper highlighted the consequences this has for “anonymous” public records that contain this kind of information: they are not anonymous at all, because anyone holding a public list with the same three fields (a voter roll, for instance) can join the two datasets and put names back on the records.
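To make the point concrete, here is an added Python example (not from the original article) of the re-identification attack the paper describes: an “anonymised” release that dropped names but kept ZIP, gender and date of birth is joined against a public list carrying the same three fields. Both datasets are constructed for the example and describe no real people; the function and field names are mine. It also shows the standard check (k-anonymity) and why coarsening the fields on its own is not enough.

```python
from collections import Counter

# Constructed sample data, not real people: an "anonymised" hospital release
# that dropped names but kept the three quasi-identifiers, and a public voter
# list that carries the same three fields plus names.
HOSPITAL = [
    {"zip": "02138", "sex": "F", "dob": "1960-07-13", "diagnosis": "asthma"},
    {"zip": "02138", "sex": "M", "dob": "1975-02-02", "diagnosis": "hypertension"},
    {"zip": "02139", "sex": "M", "dob": "1975-02-02", "diagnosis": "diabetes"},
    {"zip": "02139", "sex": "M", "dob": "1975-02-02", "diagnosis": "flu"},
    {"zip": "02140", "sex": "F", "dob": "1988-11-30", "diagnosis": "fracture"},
]
VOTERS = [
    {"name": "A. Example", "zip": "02138", "sex": "F", "dob": "1960-07-13"},
    {"name": "B. Example", "zip": "02138", "sex": "M", "dob": "1975-02-02"},
    {"name": "C. Example", "zip": "02139", "sex": "M", "dob": "1975-02-02"},
    {"name": "D. Example", "zip": "02139", "sex": "M", "dob": "1975-02-02"},
    {"name": "E. Example", "zip": "02141", "sex": "F", "dob": "1988-11-30"},
]

QUASI_IDENTIFIERS = ("zip", "sex", "dob")


def qi_key(record, fields=QUASI_IDENTIFIERS):
    """The quasi-identifier tuple that two datasets can be joined on."""
    return tuple(record[f] for f in fields)


def unique_fraction(records, fields=QUASI_IDENTIFIERS):
    """Fraction of records whose quasi-identifier combination occurs exactly once."""
    counts = Counter(qi_key(r, fields) for r in records)
    unique = sum(1 for r in records if counts[qi_key(r, fields)] == 1)
    return unique / len(records)


def k_anonymity(records, fields=QUASI_IDENTIFIERS):
    """Size of the smallest equivalence class; k == 1 means someone is singled out."""
    counts = Counter(qi_key(r, fields) for r in records)
    return min(counts.values())


def link(anon, public, fields=QUASI_IDENTIFIERS):
    """Re-identify anonymised records by joining on the quasi-identifiers.

    Returns {index in anon: name} for unambiguous matches only, i.e. where the
    key is unique in BOTH datasets.
    """
    anon_counts = Counter(qi_key(r, fields) for r in anon)
    public_by_key = {}
    for p in public:
        public_by_key.setdefault(qi_key(p, fields), []).append(p["name"])
    matches = {}
    for i, r in enumerate(anon):
        key = qi_key(r, fields)
        names = public_by_key.get(key, [])
        if anon_counts[key] == 1 and len(names) == 1:
            matches[i] = names[0]
    return matches


def generalise(records):
    """Coarsen the identifiers: 3-digit ZIP prefix and birth year only."""
    out = []
    for r in records:
        g = dict(r)
        g["zip"] = r["zip"][:3]
        g["dob"] = r["dob"][:4]
        out.append(g)
    return out


def suppress_small_classes(records, k, fields=QUASI_IDENTIFIERS):
    """Drop every record whose equivalence class has fewer than k members,
    so that the release is k-anonymous by construction."""
    counts = Counter(qi_key(r, fields) for r in records)
    return [r for r in records if counts[qi_key(r, fields)] >= k]


if __name__ == "__main__":
    print("unique fraction:", unique_fraction(HOSPITAL))
    print("k:", k_anonymity(HOSPITAL))
    print("re-identified:", link(HOSPITAL, VOTERS))
    coarse = generalise(HOSPITAL)
    print("coarsened only, re-identified:", link(coarse, generalise(VOTERS)))
    safe = suppress_small_classes(coarse, 2)
    print("coarsened + suppressed, k:", k_anonymity(safe), "re-identified:", link(safe, generalise(VOTERS)))
```

Three of the five hospital records are unique on the triple, and two of those join to a single voter, so diagnoses acquire names. Note what happens with coarsening alone: truncating the ZIP code makes the fifth record's key match a voter it did not match before, so a naive "just drop some digits" release can re-identify more people, not fewer. The release only becomes safe once classes smaller than k are suppressed, which is why k should be measured rather than assumed.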

Since that time statistical analysis has only become more powerful. A couple of years ago, a scientist named Kalev Leetaru used a supercomputer known as “Nautilus” to run statistical analyses on a large corpus of global news articles. One of his results was that he was able to “retroactively predict” the hiding place of Osama bin Laden: by correlating the locations mentioned in news articles about bin Laden published before his death, Leetaru’s system narrowed his likely location to a 200 km radius that contained Abbottabad, Pakistan, where the al-Qaeda leader was eventually found.

The problem is that, while it takes very little information to identify you and draw major conclusions about your habits, you cannot avoid putting at least some information out there. One of the basic tensions in online privacy is between the user’s desire to keep their information private and their need to give information to websites in order for certain online services to work. This is best illustrated by “cookies”: small pieces of text that a website asks your browser to store and send back with later requests, which the browser returns only to the site that set them.

Some sources will tell you that cookies are harmful to your computer. This is not strictly true: a cookie is just a piece of text that persists after you leave a website and lets the site recognize you again. If cookies did not exist, your login would be good for only one page view, and you would have to retype your user name and password every time you clicked a link. This would make web-based applications like Facebook nearly impossible.

However, many sites – especially ones with ads – embed a resource (a script, an ad frame or a tiny image) that is loaded from a tracker’s domain. Because your browser fetches that resource from the tracker, the tracker can set its own cookie on your computer without you ever knowingly visiting its website, and it receives that cookie back, along with the address of the page you are on, every time another site embeds the same resource. That allows the tracker or advertising provider to trace your movements across all the websites it is connected with.
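The following Python model is an added example, not code from the original article: it simulates a browser cookie jar scoped per host, two unrelated first-party sites that each embed the same tracker image, and the tracker’s log. It shows how one tracker cookie ties visits to both sites to a single identity, and that blocking third-party cookies breaks the link while first-party logins keep working. All hostnames are made up and the classes and functions are mine.

```python
from dataclasses import dataclass, field
from itertools import count
from typing import Dict, List, Tuple
from urllib.parse import urlparse


@dataclass
class Browser:
    """Minimal model of a browser cookie jar, keyed by host like a real one."""
    block_third_party: bool = False
    jar: Dict[str, Dict[str, str]] = field(default_factory=dict)  # host -> {name: value}

    def _cookies_for(self, host):
        return self.jar.setdefault(host, {})

    def request(self, url, top_level_host, server):
        """Send the cookies stored for url's host, store the response's Set-Cookie.
        A cookie is third-party when the resource host differs from the page host;
        such cookies are dropped when block_third_party is on."""
        host = urlparse(url).hostname
        is_third_party = host != top_level_host
        sent = dict(self._cookies_for(host))
        set_cookie, body = server.handle(sent, referer=top_level_host)
        if set_cookie and not (is_third_party and self.block_third_party):
            name, value = set_cookie
            self._cookies_for(host)[name] = value
        return body

    def visit(self, url, embedded, servers):
        """Load a page, then every resource it embeds, as a browser would."""
        host = urlparse(url).hostname
        body = self.request(url, host, servers[host])
        for res in embedded:
            self.request(res, host, servers[urlparse(res).hostname])
        return body


class Site:
    """A first-party site: hands out a session cookie and recognises it later."""
    def __init__(self):
        self._ids = count(1)

    def handle(self, cookies, referer):
        if "session" in cookies:
            return None, "welcome back"
        return ("session", f"s{next(self._ids)}"), "hello"


class Tracker:
    """Ad/tracker host: assigns a stable uid cookie and logs every (uid, page host)."""
    def __init__(self):
        self._ids = count(1)
        self.log: List[Tuple[str, str]] = []

    def handle(self, cookies, referer):
        uid = cookies.get("uid")
        set_cookie = None
        if uid is None:
            uid = f"u{next(self._ids)}"
            set_cookie = ("uid", uid)
        self.log.append((uid, referer))
        return set_cookie, ""

    def profile(self, uid):
        """Which sites has this uid been seen on?"""
        return sorted({ref for u, ref in self.log if u == uid})


TRACKER_PIXEL = "https://ads.example-tracker.test/pixel.gif"  # made-up host


def simulate(block_third_party):
    """One user browses two unrelated sites that both embed the tracker pixel.
    Returns the tracker's per-uid site profiles and what the first site said
    on the return visit."""
    tracker = Tracker()
    servers = {
        "news.example-a.test": Site(),
        "shop.example-b.test": Site(),
        "ads.example-tracker.test": tracker,
    }
    browser = Browser(block_third_party=block_third_party)
    browser.visit("https://news.example-a.test/article", [TRACKER_PIXEL], servers)
    browser.visit("https://shop.example-b.test/cart", [TRACKER_PIXEL], servers)
    revisit = browser.visit("https://news.example-a.test/other", [TRACKER_PIXEL], servers)
    uids = sorted({u for u, _ in tracker.log})
    return {"profiles": {u: tracker.profile(u) for u in uids}, "revisit": revisit}


if __name__ == "__main__":
    print("third-party cookies allowed:", simulate(False))
    print("third-party cookies blocked:", simulate(True))
```

With third-party cookies allowed, the tracker sees one uid on both the news site and the shop and can build a cross-site profile the user never agreed to. With them blocked, every pixel load arrives without a cookie, so the tracker sees three unrelated identifiers, while the news site still greets the returning user because its own first-party cookie was kept.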

Generally this is pretty harmless stuff—it is used to track who is clicking on an ad and how often, and to provide advertising targeted at specific users—but no one ever straightforwardly asks your permission. The data is handled automatically and most likely never seen by human eyes, but the fact is that there are large databases out there with vast amounts of detailed information about millions of people. And, as Edward Snowden’s NSA leak has confirmed, the people who have this data are not terribly scrupulous about protecting the privacy of users – who are, after all, the product, not the customers.

For most of us, these minor violations of privacy are of little concern. Even the fairly major violation represented by the NSA’s data collection in the U.S. does not affect most people in any significant way. The fact that the NSA has a single line in their database indicating that you phoned Pizza Hut at 2 a.m. on August 5 has practically no bearing on your life. And since protecting privacy is such a tricky proposition, why do we bother with it?

But there are people for whom the right to privacy does matter. We sometimes talk as if the only people who would ever need privacy are criminals, but this is not the case. A recent news story illustrates this. A security flaw was recently exploited against users of Tor, a widely used anonymity program: a piece of malicious code used a vulnerability in the Firefox browser bundled with Tor to execute code on users’ computers. Since whoever controls the exploit can run any code they want, they could do anything up to and including taking over the affected computers. Instead, the payload simply reports the computer’s IP information to a location in Reston, Virginia.

This is believed to be the FBI’s law enforcement spyware program, observed for the first time in the wild. Its dissemination coincided with the arrest of Eric Eoin Marques, an Irish-American dual citizen whom the FBI has described as “the largest facilitator of child porn on the planet.” This is all well and good, but Tor is used by people other than criminals: citizens of oppressive regimes that censor the Internet, visitors to forums for rape and abuse survivors, journalists, and members of non-governmental organizations. It is not clear to what extent these groups, who have legitimate reasons for pursuing privacy, might have been compromised.

Perhaps more relevant to the average user is the fact that large conclusions can be drawn from small data. One of the significant points in the Prism story was that the NSA was unable to provide an estimate of how many Americans had been “inadvertently” spied on. Simply counting them was a computationally intractable proposition. That’s how much data they have. If we recall Leetaru and Nautilus, it becomes clear that not even our Pizza Hut phone call log is innocent.

Most importantly, protecting privacy is a matter of principle. The Canadian Charter of Rights and Freedoms includes a protection against unreasonable search and seizure, and this has been interpreted as implying a legal right to the protection of privacy. For what it’s worth, the UN’s Universal Declaration of Human Rights states: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence.”

The idea of a right to privacy as a basic component of human dignity is fairly entrenched. Part of the point of having a right is that you do not have to justify yourself. Philosopher Ronald Dworkin describes rights as “trumps” which permit or prevent certain courses of action, even if those courses of action serve some noble social goal. So while, no doubt, some fraction of the people the NSA has been spying on actually are terrorists, catching them comes at too high a cost if it violates the rights of countless others.