In helping to create the Privacy Rights Clearinghouse with Beth Givens, I learned about the importance of privacy in our world. And yet, as the Internet has developed, the concept of privacy is changing, if not eroding, quickly. In order to “exist” on the Internet, you have to share data about yourself, your friends, family and even more. Privacy, as we once knew it, is gone. And in this information/surveillance world, it may turn out that George Orwell’s vision of the future was far more ideal than we ever imagined. In his dystopia, he had one Big Brother; in our world, we have many such “Brothers” and we don’t know who most of them are.

The news that rocked much of the privacy world recently comes from a study conducted by a number of data scientists from around the world. Most of the privacy laws in the U.S. encourage anonymization as a key means of privacy protection. However, in a study appearing in Science, part of the journal’s “Privacy in a Data-Driven World” special issue, data scientists showed they can identify a person with more than 90 percent accuracy by looking at just four purchases, and only three purchases if the price is included. As an example, the researchers wrote about looking at data from September 23 and 24 and who went to a bakery one day and a restaurant the other. Searching through the data set, they found there could be only one person who fits the bill; they called him Scott. The study states: “and we now know all of his other transactions, such as the fact that he went shopping for shoes and groceries on 23 September, and how much he spent.”

They were able to accomplish this feat even after companies “anonymized” the transaction records, that is, said they had wiped away names and other personal details. Using both the credit card and transaction information, the researchers identified 90 percent of the individuals in the data set. This study blew away the notion that anonymizing data creates some semblance of privacy. Their research found that adding just a glimmer of information about a person from an outside source was enough to identify him or her in the trove of financial transactions they studied.
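The measurement behind that finding can be run as a pre-release risk check on any "anonymized" data set. The sketch below is an added example, not code from the study: the records, pseudonyms and function names are constructed for illustration, and it counts how often k known purchases match exactly one pseudonymized trace, with and without the price.

```python
from itertools import combinations

# Constructed sample: pseudonymized card ids with (day, shop, price); no names.
RECORDS = [
    ("u1", 23, "bakery", 5), ("u1", 24, "restaurant", 40), ("u1", 23, "shoes", 80),
    ("u2", 23, "bakery", 5), ("u2", 24, "restaurant", 25), ("u2", 23, "grocery", 30),
    ("u3", 23, "bakery", 12), ("u3", 24, "cafe", 5), ("u3", 23, "grocery", 30),
    ("u4", 24, "restaurant", 40), ("u4", 23, "shoes", 80), ("u4", 24, "cafe", 5),
]

def traces(records, with_price):
    """Group records into one set of points per pseudonym."""
    out = {}
    for uid, day, shop, price in records:
        point = (day, shop, price) if with_price else (day, shop)
        out.setdefault(uid, set()).add(point)
    return out

def anonymity_set(records, known_points, with_price=False):
    """Pseudonyms whose trace contains every externally known point."""
    known = set(known_points)
    return {uid for uid, pts in traces(records, with_price).items() if known <= pts}

def unicity(records, k, with_price=False):
    """Fraction of (user, k-point subset) pairs that match exactly one trace."""
    by_user = traces(records, with_price)
    unique = total = 0
    for pts in by_user.values():
        for subset in combinations(sorted(pts), k):
            total += 1
            matches = sum(1 for other in by_user.values() if set(subset) <= other)
            unique += matches == 1
    return unique / total if total else 0.0

if __name__ == "__main__":
    # Columns: k, unicity without price, unicity with price.
    for k in (1, 2, 3):
        print(k, unicity(RECORDS, k), unicity(RECORDS, k, with_price=True))
```

A data set whose unicity approaches 1 at small k offers little protection from stripping names alone; coarsening the day, shop or price fields before release and re-running the check shows how much each generalization helps.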

This study substantiates privacy advocates’ concerns about “correlation attacks”. The study points out that hacks of personal data became famous in 2014 when the New York City Taxi and Limousine Commission released a data set of the times, routes, and cab fares for 173 million rides. Passenger names were not included. But armed with time-stamped photos of celebrities getting in and out of taxis (there are websites devoted to celebrity spotting), bloggers, after deciphering taxi driver medallion numbers, easily figured out which celebrities paid which fares. The MIT scientists were able to demonstrate how relatively simple it was for knowledgeable data crunchers to duplicate such personal data hacks, like the New York City Taxi hack.

Government efforts to expand warrantless searches go beyond petitions to courts and Congress. State and local law enforcement agencies borrow so-called “StingRay” devices from the federal government to scoop up all cellular communications within range of the stingray’s faked “cellular tower.” Local law enforcement officers were trained to lie under oath to protect the secret of stingrays’ very existence from court scrutiny. The data gathered includes the communications of many innocent people, and while law enforcement pinky-swears that it deletes what is not relevant to a case, there is no accountability.

Law enforcement has proposed an amendment to Rule 41 of the Federal Rules of Criminal Procedure that would expand the geographical jurisdiction of any district court from its local district to “anywhere in the world” when the location of a target computer is obscured by technological means. The effect of the amendment is to permit the government to hack into your PC any time your physical location is unclear. Users of VPNs and proxy servers such as the Tor network are directly threatened by this change. The Judicial Conference has recommended the changes to Rule 41 to Congress, which has until December 1, 2016, to modify or repudiate the changes. If Congress does nothing (as it usually does), then the amendment takes effect in every court throughout the land.

Even more bad news: a Federal court ruled recently that home computer users should have “no expectation of privacy” if they connect to the Internet. What this means is that if you connect your computer to the Internet, you should assume that it can and will be hacked. Therefore, it’s okay for government agents to hack your computer without a warrant. Goodbye Fourth Amendment!

This and other important discussions about privacy have begun, and some excellent resources are now available for people trying to get their arms around privacy’s changing looks. We recommend the following:

The Future of Privacy – Pew Foundation

Privacy Experts’ Predictions

The Future of Privacy Forum

EPIC.org

Electronic Frontier Foundation