The Spyware World: Privacy in the Age of Surveillance Technology

The technologies we rely on, both new and old, are now very effective tools that both governments and private firms are using to gather, analyze, store, and sell information about our private lives, habits, purchases, whereabouts, and even thoughts and beliefs. But some of this invasion of privacy pays a welcome dividend in convenience and power in our own lives. Where do we draw the line, and how can we use this potentially-invasive technology for our benefit, without sacrificing our private lives to commerce?
Successful political regimes have always relied on effective intelligence networks. Knowing other people’s secrets helped rulers thwart internal plots against them and helped undermine enemy countries. Before the 19th century, spycraft consisted almost entirely of physically infiltrating personal meetings, intercepting written communications, eavesdropping, and extracting information from people by interrogation.

The 20th century, a time of so much technological and social change, brought about a whole new era of spying. Legendary, if sometimes infamous, organizations like the East German Stasi, The American NSA, and the British codebreakers at Bletchley Park made startling innovations in the art of using technology to listen in on, read, decode or otherwise intercept messages from anyone. The “surveillance society,” which some people merely feared, and others actively inhabited, has been a grave concern for advocates of liberty, due to its tendency to secretly grow in scale and scope, until it surveils not just known enemies of the state, not just suspected enemies, but all potential enemies (i.e. everybody).

As enlightened government leaders struggle to reconcile the need to protect the general populace from harm versus the right of people to live private lives, technological progress marches on, and the capability of spy agencies increases daily. This is an ongoing subject of debate among the political class, privacy advocates, and the general public, and that’s a very good thing. Something that’s less part of the public dialogue is the growing capability for private organizations to spy on people. I’m not referring to high profile cases like AT&T handing over information to the government, but to private companies collecting and analyzing private information about us for their own gain (or even for ours). Just as the TV sets in Orwell’s 1984 turned double-duty as an eye to spy on people in their homes, our computers, TVs, and the technology that powers the retailers and service providers who offer us entertainment and goods, also form a many-tenticled arsenal for private firms to compile and use our personal information for their own gain.

A few years ago, a small car rental company came under fire when a customer discovered that he had been charged a fine for speeding. This wasn’t a case of the car company forwarding on a fine levied by some local police force, but rather, the company had installed a GPS unit that monitored where their cars went and at what speed. The renter had agreed in the contract to pay a fine for speeding, but it was not made clear to him that he would be constantly monitored by satellite. Eventually, the state consumer protection agency determined that it was improper for a private company to levy a fine when there has been no damage done.

Inexpensive and feature-rich GPS tracking and networking technology have made it possible for the owner of every vehicle to be able to track the vehicle’s, movement, location, speed, and other data, and have it transmitted in real-time. Actions could even trigger automatic reaction, such as the issuance of a fee, an audible notification to the driver, or a text message to the owner. This certainly makes the enforcement of rules easier, and might even afford the driver of the car increased freedom.

Consider this scenario: sending a teenaged child out into the world with a car is very nerve-wracking for a parent. Many parents lay down rules to try to mitigate the dangers to inexperienced drivers, such as carry no passengers, only drive in specific areas, only drive during the daytime, don’t drive on the freeway, etc. If parents are unsure whether their child would be able to adhere to these rules, due to peer pressure or just plain bad judgement, they might resolve that uncertainty by not letting the teen drive at all. However, if that car were equipped with a GPS tracking device, and the teen knew about it and agreed that he could drive on the condition that his location and speed be monitored, it would be a welcome alternative to not being able to drive at all, and having to be chauffeured by mom. Most teens would agree to those terms, I suspect.

The rental car/speeding controversy wasn’t really morally defensible because the rental car company didn’t have a stake in whether their car was driven at 77 miles per hour instead of 65. It wasn’t damaging the car, and if the driver crashed, he would be legally responsible for the damage anyway. But there’s another scenario that’s a bit murkier. In the United States, auto insurance is a gigantic business. A study released last week determined that traffic crashes in the US cost a staggering $164 billion per year, or over $1000 per person. Much of that money is channeled through auto insurance companies, who collect premiums from drivers and pay out claims for damage, medical bills, and court settlements. The way it works is that insurance companies have developed sophisticated models to determine a profile of risk for each insured person. Teenagers and people with sports cars and 4x4s pay more, older, experienced drivers with five-year-old sedans pay less. But some fifty-year-old Honda Accord owners drive recklessly and will eventually cause deadly ten car pileups, while some sixteen years olds in sports cars are careful and responsible drivers.

Likewise, some stretches of road are much more prone to accident than others, due to weather conditions, the makeup of the road (curvy, unpaved, narrow), lighting, proximity to bars, etc. Building a database of the likelihood of accident on a particular stretch of road is not hard, and many states already release this data to the public. Furthermore, it’s easy to understand that the more time a driver spends on the road, the more likelihood of an eventual accident. So is it fair that the 50 year-old sedan driver who clocks 120 miles daily, travels on both congested urban freeways and treacherous country byways, stops nightly at bars, and regularly speeds should pay a fraction of what the 16 year-old sports car driver who drives the speed limit five miles between home and school each day does? No, it’s not fair, of course. But the insurance company doesn’t have enough data to charge each person a fair rate. But they could.

The technology exists today that would allow insurers to offer a discount to people who would agree to have their driving monitored by satellite. It would start out with discounts, but as more people signed on, in order to balance the books insurers would have to shift the burden of higher rates onto those people who didn’t want to be monitored. There would eventually be a presumption that people who didn’t want to be monitored were reckless drivers, and the price for privacy would be punitive insurance rates.

Personally, though I’m a staunch privacy advocate, I would seriously consider spying on my sons when they’re sixteen year-old drivers. I remember how I drove at that age. Personally, I don’t believe that childeren have a right to privacy from their parents, past a certain point. And I would even consider letting my insurance company spy on me, particularly on my old pickup truck that I rarely drive, and slowly at that. How many others would sell their privacy to a private company to save some money? Or compromise their child’s privacy to keep them safe. A majority, I’d suspect.

The car/GPS scenario is only one example of where it might be advantageous for an individual to allow a private company to violate their privacy to save money, achieve some convenience, or get some other benefit. Imagine if you could put your finger on a device that would monitor your body daily for substances or markers that would indicate health risks. Such a technology isn’t too far off. Now imagine if your health or life insurance rate were tied to your commitment to allow your insurance company to monitor those results? What if your employer were to make submitting those results to them a precondition of employment (perhaps for an airline to monitor the health and sobriety of its pilots, for example).

One of the best things ever invented was EZ-Pass. If you’re not familiar with it, it’s an RFID-based toll road pass. Instead of stopping to fumble for change to cross a toll brigde or enter a toll highway, these kinds of passes let a driver go right through, sometimes at full speed, and the toll is debited from their account. It’s incredibly convenient and most EZ-Pass users would never go back. But guess what? EZ-pass now has a record of where you’ve gone, and when, up to a point.

Taking the EZ-pass method to its logical extreme, the technology currently exists to use an RFID chip on a device you carry (or even embedded in your body), or use your phone’s Bluetooth ID as a unique identifier as you go walking around on a typical day. A network could easily be built, using existing technology, that would identify you as you walk by various shops and service providers. Some of the benefits of this system would be quite useful and convenient: you could pay for transactions without opening your wallet, you could be admitted to private clubs or events without having to show ID, you could be text messaged with a special offer at the restaurant that you’re just walking by.

Tivo and Netflix know which shows and movies I like to watch, and even how much I like them. Amazon knows what kinds of products I’m interested in buying. Doubleclick knows what web sites I read. My pharmacy, insurance company, and doctors all know various things about my health and medical treatment. The grocery store knows what I eat. My various financial and credit card companies all know a hell of a lot about what I do and where I do it.

Dozens of private companies already have massive amounts of data about various aspects of my life. For many of these, I have not entered into any meaningful, legally-binding contract, nor have I made any agreement with them about whether they can gather this information or what they can do about it.

Even if you leave surreptitiously-installed spyware and monitoring of office networks for another conversation, the average person’s daily computer usage leaves them open to massive amounts of routine surveillance by private companies. Certainly, a savvy computer user can all but eliminate much of this surveillance, but at some cost of extra work and reduced convenience. Most people just don’t bother, or don’t know any better.

So what’s the downside to all this commercial spying? I mean, if it saves you money on your insurance, keeps your dumb kid from killing himself, helps recommend great movies, lets your friends know what kinds of gifts you’d like, and helps the medical system prevent bad drug interactions, then what’s the problem?

The most obvious problem is the opportunity for abuse. The news is full of stories of massive breaches of security by both public and private organizations. Databases containing sensitive personal data are routinely lost or stolen, and when this data makes it into the hands of scammers and criminals, the resulting identity thefts can cause huge problems for victims, including lost money, wasted time, and damage to credit ratings. In other cases, the possessors of this data abuse it on purpose. Employees of these firms have been known to root though personal data for curiosity or to sell to identity thieves.

RFID systems like the ones discussed above pose some interesting problems: because they can be read from a distance, you don’t have any control over who’s reading it. If the RFID only transmits a unique ID tag, then only subscribers to a service that identifies you could abuse that information (which could still be very annoying, if you have ever seen “Minority Report” and seen when they walk through the mall and all the stores are calling his name), but it’s much more serious when you consider schemes like the US passport, which contains information about you that you might want to be able to be read from a distance, like, for example, “I’M A US CITIZEN, AND I HAVE A US PASSPORT IN MY POCKET, THAT IF YOU WERE TO STEAL FROM ME COULD BE SOLD EASILY FOR $100. AND BY THE WAY, GO AHEAD AND KILL ME WHEN YOU MUG ME SINCE YOU HATE AMERICANS!”

Another reason why we might not want to live in a high tech privatized surveillance society is that you never know when the data that’s out there could be used to paint an inaccurate (but convincing) picture of you, or perhaps worse, an accurate one. There’s the possibly-apocryphal story of the man who slipped and fell at a grocery store, and when he tried to sue the store, they brought out his club card readout showing the vast amounts of alcohol he bought at the store. Countless straying spouses have been busted by their cell phone bill. A GPS or other electronic monitor in your car could be used to establish fault in an automobile accident – which you might not want, if it was your fault. That same GPS or other monitor in your car (EZ-Pass) might prove very inconvenient during your divorce trial.

Perhaps the most mundane – and realistic – objection to companies stockpiling and reselling our ever-more-personal personal data is that the most likely outcome is that we will be inconvenienced and annoyed by additional “targeted” marketing as a result. All those trees cut down to make catalogs we don’t want to choke our mailboxes. All those unwanted telemarketing calls. All those pre-approved credit offers that open us up to identity theft. So the deal works like this: companies sell the data, resulting in our inconvenience and annoyance, but they make the money. How unfair is that?

In an “innocent until proven guilty” legal system, often one of the main allies the accused has is a dearth of information on the part of prosecutors. The more mundane data presented in court (and data held by private companies could be demanded by subpoena for criminal and some civil cases). An innocent person could be convicted under a mountain of circumstantial evidence. With enough surveillance, and masterful editing, anyone could be made to look guilty of any crime.

The paranoid could say that all of this data out there in private hands could be manipulated to frame you. I’d say they’ve probably seen the movies “The Net” and “Enemy of the State” too many times, but it’s certainly possible.

Privacy rights are a political issue, and have ping-ponged from the center to the fringes of the political world for decades. It’s a debate that hasn’t traditionally fallen along party lines. The liberal case for privacy from government snooping is straightforward: that the government exists to serve the people, not to subject and dominate the people. Similarly, corporations’ impulses to own and exploit everything, including our personal data must be measured against the public interest.

For some reason, in the current political landscape, conservative lawmakers in many countries have been the ones who have supported the erosion of our rights to privacy, as far as giving government agencies a free reign to spy on citizens. I suppose it’s because “national security” and being “tough on crime” has been interpreted as giving the intelligence community and law enforcement all of the tools they could ever ask for. Likewise, conservatives have generally been reluctant to burden businesses with regulations, so the kinds of corporation-on-consumer spying we’ve examined in this area has faced little opposition from conservatives. For me, this is a little puzzling, because I understand that limiting government’s power over the individual is a pillar of conservatism. Likewise, private companies using your personal information in ways you don’t approve of is actually a case of someone profiting from something that belongs to you, and there’s a way of looking at personal information as a sort of property right that can be useful as a framework for examining this issue. (see this 1993 Cato Institute paper) Conservatives love property rights!

In conclusion, many of the assaults on our privacy made by private companies and the government, individually, look rather piddling and inconsequential. Only when viewed in the aggregate can the amount of our personal information floating out of our control look alarming. Even so, the most dire predictions of the 1984-ish surveillance society have not yet come to pass.

Some privacy advocates’ first reaction to these scenarios may be to invoke the slippery slope theory. Generally, I’m skeptical of these reactions, because it seems like you can take anything to its most extreme conclusion and make it sound bad. Just because some outrageous abuse is theoretically possible, doesn’t mean we should forego the benefits of a new technology to avoid it. It is valuable, however, to consider the possible negatives thouroughly.

Personally, I’m quite excited about some of the technologies that will require me selectively giving up tidbits of my personal data. When I walk by a new restaurant, I’d like it to recognize me as a cheapskate by my Bluetooth ID and TXT me a coupon for use immediately. I’d sign up for that service. I already said I intend to watch my teenage sons’ driving via GPS. But I hate magazines that sell my address to catalogs, and want to keep a careful eye on the government’s ability to maintain a Stasi-like dossier on all “potential terrorists,” i.e. everybody.

If we want to turn back the tide of other people having more and more sensitive information about it in their databases, several things will have to happen: first, the average person will have to make the decision to sacrifice some measure of convenience for the sake of reduced exposure. Second, laws protecting citizens from routine electronic surveillance by their governments will need to be meticulously safeguarded, because law enforcement and intelligence services will always be pushing for greater surveillance powers to make their jobs easier. Third, ordinary people will have to retain some measure of authority, by law, over their own personal information, requiring that private firms that collect, store, sell, or otherwise use that information, be somehow accountable to the individual for their actions. As a people, we’ll just have to decide how important privacy is.

If you would like to see your thoughts or experiences with technology published, please consider writing an article for OSNews.


  1. 2008-03-19 2:53 pm
    • 2008-03-19 3:31 pm
    • 2008-03-19 3:35 pm
    • 2008-03-19 6:27 pm
    • 2008-03-19 7:13 pm
    • 2008-03-20 1:06 am
  2. 2008-03-19 5:03 pm
  3. 2008-03-19 8:09 pm
    • 2008-03-19 10:28 pm