Christopher Soghoian of the ACLU talks privacy, security and why you should put a sticker on your webcam right now, in conversation with investigative journalist Will Potter.
As the principal technologist at the American Civil Liberties Union, Christopher Soghoian (TED Talk: How to avoid surveillance … with the phone in your pocket) spends much of his time thinking about privacy and surveillance and how individuals can protect themselves from spying. Recently, he recorded a Facebook Live conversation with his fellow TED Fellow, Will Potter (TED Talk: The secret US prisons you’ve never heard of before), a reporter and author who specializes in covering dissident politics and culture and whose first question to Christopher was: If I don’t have anything to hide, why should I be concerned about privacy or security, anyway? With that, they were off.
Christopher Soghoian: I hear this all the time from people, and you know, I think many of us do have something to hide. We may not all be worried about the government, but there are things we may not want our employers or members of our families to know. We have curtains in front of our windows, we wear clothes, we get prescription medications, and we have components to our lives that we don’t reveal to everyone we know. Children may not be worried about the government, but they may not want the principal at their school to know what they’re interested in or who they’re talking to.
The concept of privacy is more nuanced than just, “do I care about my privacy or not?” It’s, “who am I worried about? Who am I trying to protect my information from?” Yes, every once in a while, you find someone who has truly no secrets, but there are plenty of other people who do have things to hide, and we shouldn’t flush privacy down the toilet because a few people are privileged enough to have nothing to worry about.
Will Potter: What are the top few things we should all do to protect our basic information?
There are some general tips that I would recommend for everyone. The most basic one, and the tip that is really the best bang-for-buck when it comes to privacy, is putting a sticker or a Band-Aid over your webcam on your laptop. When I first started researching privacy and surveillance, I was shocked to learn the capabilities of the many software tools that people can buy online and install surreptitiously on someone’s computer. The ease with which someone can take over your webcam, turn on the camera and have it surreptitiously collect video footage even without the light on the camera turning on is really staggering.
And while I hope that one day we will have computers that are secure enough that they can protect us from that, when you put a sticker or Band-Aid over the camera, you don’t have to worry about that any more. Now you’re not trusting the security of your operating system or the security of your computer, you’re trusting the fact that there’s something physical between the lens and you.
Would you suggest covering up the microphone as well?
Certainly there is spying software that is both commercially available and used by governments that can remotely enable the microphone either in a smartphone or in a laptop when it’s not being used. The problem with the sticker approach is that a sticker over the microphone doesn’t actually work that well. The folks I know who are truly paranoid either put hot glue in the microphone port, or they will actually open up their laptop and cut the wire. Now you know, I’m not going to recommend invasive laptop surgery for the layperson. But it’s really hard to protect the microphone on your device. There’s no easy sticker-thing you can do for the microphone.
So if you’re worried about sensitive conversations being picked up with a hacked microphone, the best thing to do is to leave that phone out of your bedroom. If you’re having a private conversation in your office, leave the phone outside. Maybe you don’t need to take that phone into the bathroom. There are places that maybe we shouldn’t have microphones.
Okay, so how likely is it that I’m actually being watched if I’m just a regular person going about my life?
The first thing you really need to think about is, who am I worried about? Depending on where you live, your socioeconomic status and your race, maybe you’re less worried about the police. But there are plenty of law-abiding African-Americans and Latino-Americans who have good reason to be worried about the police, even though they’re just regular, tax-paying, law-abiding individuals.
Then again, maybe you’re worried about your employer watching what you’re doing or what you’re saying. Maybe you’re worried about advertisers tracking you as you surf the web. You visit a page on WebMD because you’re worried about some potential disease you might have, and then two weeks later, you see a popup advertisement for a related medication. Maybe someone harassed you in the past, either in person or over the internet, and you’re now worried this person may be furthering that stalking through technology. The first question to ask is, who is out there that I’m worried about — and then what can I do to limit their access to my information?
You’ve talked about how the encryption tools that are built into certain devices are disproportionately favoring privileged populations over others. Can you explain a little bit more about what that means, and the repercussions that that has?
Sure. In a nutshell, Apple has spent a lot of time and money to build security features into mobile products such as the iPhone and the iPad. Those devices encrypt data by default, which means that if you have a password on your device and someone tries to get into it, they’re going to have a really difficult time, whether that someone is an employer, your partner or a government agency. Apple devices are really, really secure.
Separately, Apple devices automatically encrypt text messages sent by one person with an iPhone to another person with an iPhone, which means if the police are investigating you, and they go to Verizon or AT&T and they say, “hey, last week Will and Chris exchanged messages, can we get a copy of them?” AT&T or Verizon will say they don’t have them, because the messages are transmitted in a way that the phone companies cannot read them.
For Apple’s customers, this is a great thing — but Apple devices are expensive. Not everyone can afford to spend $600 on a smartphone. With its $50, $100 Android phones, Google is really killing it at the lower end of the smartphone market, and unfortunately, the security of Android is really lacking in comparison.
This isn’t just a privacy issue or a cyber-security issue. It’s really an issue of equality and racial justice, because if the poor and vulnerable in our societies are using devices that do nothing to protect them from surveillance, and the rich and powerful are using devices that make them essentially off-limits to the government, that creates a system of surveillance inequality, and further perpetuates the existing problems of inequality that we have in our society.
What advice do you have for teens and young people online today?
I’m not a teenager anymore, and I haven’t been a teenager in a while. I don’t know what it’s like to be a teenager in this modern world, but I have to imagine it’s truly terrifying. But one thing I hear over and over again when I talk to adults is this feeling that young people don’t care about privacy, and how awful that is.
And that’s actually not true, and some amazing research has been done on this by academic experts. danah boyd has a book about how teenagers use technology, and how teenagers view privacy, and her big insight is that yes, teenagers are not concerned about the FBI or the NSA, but they are concerned about their teachers, their principals and their parents. And teenagers are so good at protecting their privacy, they’re so good at hiding sensitive information from their teachers and their parents, that their adults think they’re not taking any actions at all. They’re basically hiding in plain sight.
So if you are a parent, and you’re worried that your kids are sharing more information online than you think they should be, I think you’ll be surprised at how tech-savvy and privacy-savvy many kids are. And I think the massive popularity of services like Snapchat, which delete messages after a very short period of time, demonstrates that kids inherently get the harm that comes from the long-term retention of data. We’ve all been idiotic children at one point, and some of us have done idiotic things later in our lives too. When technology captures that and saves it forever, we can be haunted by those stupid things. I think kids using services like Snapchat are super smart, because they shouldn’t be haunted for the rest of their lives because of something they say or do when they’re 16.
How heavily are social media platforms like Facebook and Twitter used for surveillance by governments and organizations?
There are two types of surveillance of social media that we should be thinking about. One is surveillance of private communications, and one is surveillance of what you might call public communications. So if you have a public Twitter profile, and anyone can follow you, there are still going to be companies and governments that want to see that information. And there are so many people tweeting every day that it’s actually difficult for these large organizations to focus on individual things.
Now Twitter has had a very difficult time making money, and one of the ways that Twitter makes money is by selling access to what’s called the firehose: they basically sell bulk access to every tweet. And then analytics companies come in, mine the tweet stream and sell data to companies and governments that want it. There are companies that say they can predict social uprisings or major, world-changing events before CNN has even reported them. A few months ago, Twitter announced they would no longer sell this data to the CIA. But the Department of Homeland Security is still a subscriber.
So that’s the public surveillance. But all of the tech companies also routinely receive demands for private user data from government agencies in the US and from abroad. To their credit, Facebook, Google, Twitter and all these big tech companies publish an annual transparency report revealing how many requests they’ve received. And I’m not blaming the companies for this. In many ways, if they have data, they’re required to turn it over to governments when those governments satisfy legal requirements. But what is clear from these transparency reports is that governments in the US and elsewhere have an enormous appetite for data.
The last thing I’ll add is that there is an extremely common practice, particularly in schools, for police officers who are posted in those schools to create fake Facebook accounts — friends, students — in order to try and learn what’s going on. They’re not submitting a court order and demanding data from Facebook; they’re tricking the students into sharing their data.
Law enforcement has been using this against political activists as well, increasingly.
For sure. And there are a number of Black Lives Matter activists, Tea Party groups and others who are worried they are being surveilled. It’s really hard when you’re organizing a social movement that anyone can join. How do you know if the person who’s seeking to join is truly an interested individual who wants to change the world, or an undercover law enforcement agent?
Right — how do you be inclusive, while also being safe? So is there any kind of software that might be useful in tackling or detecting unwanted surveillance?
One of the most interesting things for me is that the best practices for security that are followed by experts are so different from the best practices followed by laypeople. So none of the experts that I know, myself included, use antivirus software. We think of antivirus software, essentially, as a scam that’s designed to take money from consumers who don’t know any better. Whereas if you ask the average person what they should do to protect themselves from viruses, the first thing they’ll say is, “antivirus.”
Ask a regular person what kind of password they should have and the layperson would say they’re supposed to have uppercase and lowercase and numbers and special symbols. The expert says you should have a bunch of words, they can all be lowercase. Have a password that’s three or four words long, and the words should have nothing to do with each other. It shouldn’t be lyrics from a song, but it should be easy to type and easy to remember.
We never hear that! A lot of websites now will prompt you and say you have to have X number of numbers and characters and whatever.
And that’s super infuriating. And, you know, we live in a world now where it seems like there are data breaches every week. So if you are using the same password to access multiple websites, it’s only a matter of time before one of your passwords gets hacked. And there’s no way for a human being to remember 50 different unique passwords; our brains don’t work that way.
So I recommend the use of tools like password managers where you install the tool and then it creates random, long passwords for every website you visit. It enters them automatically into the sites you visit, so you don’t have to remember any of that stuff, you just need the one passphrase for the password manager. There are several out there: LastPass, 1Password, KeePass. I don’t really care which one you use, but use one of them.
Okay. So if you don’t do any of this, and then something happens and you get hacked or lose your information, what steps should you take?
It’s really hard to recover after a hack. In the US and in many other countries, laws are really built around data breaches in which financial information is stolen. So you can put a fraud alert on your credit file. You can ask your banks to send you new credit card numbers, and in many cases the banks will know if your card is hacked before you will. But that, in many ways, is a system that is built around the kinds of hacks that we had two or three years ago, where it was just financial information that was being stolen.
Today, you have forums like Ashley Madison, a dating website for people who are engaging in nontraditional relationships, in many cases outside of marriage. Or there are websites for people with some kind of sensitive medical condition. You can get a new credit card number, you can even get a new Social Security number, but you cannot establish an entirely new life, and if the first Google result for your name is that sensitive medical result from a test that got hacked, you’re toast. If you have photographs of yourself without clothing that are hacked and put online, and the first Google result for your name is a nude photo of you, that’s going to haunt you for the rest of your life. Every future job interview, your employer’s going to type your name in and see this information.
We don’t really have a way to deal with breaches of non-financial information, and in many ways, the financial ones are the easiest to deal with — it’s a pain in the butt, you get some new cards. But in all countries around the world it seems like hospitals are moving towards electronic health records, and it’s terrifying. I’ve been in the situation where I’m filling out an intake form at the doctor and I’m wondering how much of my medical history I actually want to disclose. Normally, I want my doctor to know everything possible so they can help me, but now I’m asking myself what exactly I want to tell this doctor, because I’m worried that at some point down the line this doctor might get hacked, and all my stuff will be online.
It sounds like fundamentally we need better education about privacy, technology, and how to be smart from the start.
In the same way that it would be great if we taught financial literacy to young people in schools, I think it would be great if we taught digital security and privacy. I think kids do figure out privacy, but they don’t always get all the details right, and I think the threats that are out there are so real that everyone would be helped by learning a little bit more about privacy and security.
Would we be safer if we used open-source software like Linux or Mozilla?
Open-source software is not always more secure. There’s this idea that the more people who can look at software, the easier it is to find the bugs — and that hasn’t actually been shown to be true. Flaws can hide in plain sight for long periods of time. In many cases, what affects the quality of the software, what affects the security of a tool, is more about how many people are working on it. If you have one tool made by a volunteer, it may be less secure than a tool made by 50 people who were getting paid to do it full time. So while the Firefox browser is probably more privacy-preserving, it is actually less secure than Chrome.
It’s unfortunate that we have to choose between which browser is more secure and which browser is more private, that we cannot have one that does both. I mean, Google is the largest advertising company in the world. It shouldn’t be a surprise to anyone that the web browser given away for free by the largest advertising company in the world is not going to protect you from other advertising companies, or companies including Google, online. Chrome facilitates that mass delivery of your personal data to every advertiser when you browse the web. You leave a trail of data behind you when you browse with Chrome. At the same time, the Chrome team does a great job of keeping you secure from hackers. And so you sort of have to pick your poison: are you more worried about being hacked, or are you more worried about online advertisers tracking what you’re doing online?
When you set your security settings on Facebook or on social media to allow only certain people to see what you’ve posted, is that stuff still being recorded or monitored or open to surveillance, despite you trying to stop it from blasting out to the world?
Privacy settings really only control the distribution of information through the platform. The privacy settings do not stop Facebook’s ability to collect and retain data, and they don’t stop Facebook’s ability to turn over your data to the government if the government asks for it. Separately, I think many people think that Facebook is only watching what they’re doing when they’re on Facebook. That is a huge misconception. Everywhere you see a Like button on the internet, Facebook is watching you. Think of the Like button, in many ways, as a pair of eyes. [Editor’s note: At this point in the Facebook Live conversation, all “likes” stopped cold … before starting up again about ten seconds later.]
Newspapers and blogs have Like buttons so that you can like an article. What that means is that Facebook has this view of what you’re doing online. They know which articles you’re reading, they know which videos you’re watching, they know which content you’re looking at. And so they can pool this information, and then monetize it and use it to deliver ads to people that the company thinks are more relevant. But what that also means is that Facebook has truly unparalleled access to information about the kinds of people we are, what makes us tick, what makes us happy, what makes us sad. That’s information that they leverage for advertising purposes. It’s also information that governments or divorce lawyers could come and ask for really at any moment.