Jesse Brown: Shouldn’t we be more concerned about our privacy?

Every trip to the mall, every phone call, every email can be stored and potentially used against us in the future
By Jesse Brown | Illustration by John Ritter

What’s your privacy worth? According to a recent study by the German Institute for Economic Research, less than 66 cents. The Institute presented moviegoers in Berlin with a choice when they purchased film tickets online. They could buy them from a theatre that demanded their cellphone numbers, which could be used however the theatre pleased, or, for the same price, they could buy a ticket from a theatre that didn’t ask for any personal information. Eighty three per cent of patrons chose the latter. The next batch of customers was presented with the same choice, only this time the privacy-friendly theatre charged a little bit extra—half a euro, or 66 cents Canadian. Sales dropped to 31 per cent. The lesson? We may prefer privacy, but we’re not really willing to pay for it.

We are willing to trade our privacy, it seems, in exchange for convenient and fun gadgets and apps, offered by private companies that sell our information on a new and largely unregulated data market. Most of us have incredibly personal information sitting on Google’s servers, or Yahoo’s, or Facebook’s. Our cellphone providers track our whereabouts through GPS and cell tower data. Our Internet providers know where we’ve been online. Google has our search and email histories. Amazon and Apple know where we live, our credit card numbers and what products we’ve bought. Facebook knows explicit details about our social lives. We trust that all of this information is protected in secure, independent silos. It’s highly valued by the companies, which have strong incentives not to share it with each other. Yet not only are all of these companies vulnerable to hackers, they’ll hand our information over to the police under the right circumstances. And their extensive privacy policies protect them from any legal recourse.

In the U.S., the American Civil Liberties Union has revealed that hundreds of police departments are receiving GPS location data on customers from their cellphone providers without having to produce court orders. Here in Canada, when the RCMP asks Internet providers for subscriber data, it’s handed over without question 94 per cent of the time. ISPs aren’t required to release information unless the Mounties have a warrant, but they do so anyway. And a burgeoning industry of legal hacking has sprung up to help law enforcement spy on us. When hackers discover a technique for gaining surveillance access to, say, the Google Chrome web browser, they’ll sell it to a law enforcement agency—the police, CSIS, the CIA or the FBI—for tens of thousands of dollars. The agency can then gain secret access to any Chrome user’s computer, logging everything that person does online without anyone ever knowing, exploiting the vulnerability until Google figures it out. Such methods are entirely unregulated, because the law is years behind the technology.

Of course, most of us don’t plan on being the targets of police investigations. Those who feel they have nothing to hide also feel they have nothing to lose. This attitude assumes that police are collecting data only on crime suspects. Assumptions like these are proving overly optimistic, if not downright naive. The ACLU study of U.S. cellphone tracking uncovered cases in which, instead of requesting the location of an individual at a specific time, police requested the names of all the individuals at a location at the time a crime was committed. If this technology had been in use during the G20 protests, police could have instantly created a list of everyone present on a particular street at a particular time. There’s no indication these techniques are being used here yet, but Toronto police do collect data on non-suspects through the 23 CCTV cameras they’ve installed on our streets, and approximately 52 new cameras are on the way.

You might not mind if the police have hours of video footage showing where you go and when, but who’s to say the police will keep it safe? Google the phrase “police data leak” and you’ll discover dozens of instances of cops accidentally losing the information they collect. Maybe it’s incompetence, or maybe it’s because police servers are plum hacker targets. Last summer, the hacker group LulzSec grabbed 10 gigs of data from more than 50 U.S. police departments and dumped it on the Internet, just to prove they could. As Internet and cellphone companies provide police with easy-to-use web portals for accessing subscriber data (which Sprint Nextel has done in the U.S.), we can expect more breaches.

The public safety minister, Vic Toews, learned first-hand what it’s like to have your personal information exposed after he tried to sell Canadians on the Harper government’s Internet surveillance law, Bill C-30, which would have allowed police to spy on citizens without a warrant. In defending the legislation, Toews famously told his fellow parliamentarians that they either stood with it, or they stood “with the child pornographers.” One Canadian took it upon himself to see where Toews himself stood. Liberal party staffer Adam Carroll turned up an affidavit from Toews’ 2008 divorce. It was juicy stuff, covering allegations of an affair with a baby­sitter and an illegitimate child, and accusations of expense account impropriety. Carroll created an anonymous Twitter account, called it “Vikileaks” and posted the dirt online. Within hours, the account had thousands of followers. Newspapers that had previously declined to expose Toews’ personal problems now eagerly reported the fact that someone else had done the job for them. MPs of all stripes decried the stunt as foul play, but for many critics of Bill C-30, it was not just effective politics, it was poetic justice. What sweet irony to turn the tables on Toews and air his dirty laundry.

If there was a point to Vikileaks beyond the usual political mudslinging, it was that no one is safe from exposure. Toews’ secrets were hidden in plain sight, and all Carroll really did was copy and paste them from one public database (a court archive) to another (the Internet). Doing so was perfectly legal. What protects most of us is not so much a clean history, but the fact that no one is interested in us. At least not yet.

The police are but one link in a chain that gets longer and weaker by the minute. Every day we generate more and richer data about ourselves, and every day the cost of storing it drops while the speed at which it moves increases. The likelihood of that data being exposed is nudging ever closer to 100 per cent. Will we be scandalized? Will we be defrauded? Will we be flagged, audited or blacklisted? Or will the sheer amount of our collective information provide some strange kind of reverse privacy? If we’re all naked, who’s going to point and stare?

The topic quickly veers into sci-fi territory, and privacy fatigue has set in. You can’t blame the many people who’ve checked out of the privacy conversation. Nobody wants to look paranoid, and nobody wants to disconnect. When outliers are exposed, we habitually blame these victims for having things to hide in the first place.

Perhaps that’s why we’ve lost our way. Because privacy is about personal information, we mistakenly think of it as a personal issue. It’s not. The burden of privacy must be shared with any organization that asks us to entrust it with our data. These websites, telecom firms and police departments should be careful about what they ask of us. Ultimately, there is only one way to make absolutely sure that personal information is never made public, and that is to not collect it in the first place.