In case we didn't get the point some years back when warrantless wiretapping was the shock du jour, we now know with some certainty that the National Security Agency has been sifting through our phone records and Web activities. But there's still a great deal that we're in the dark about: Whose data is being accessed? How much are they looking at? Who is they? And to what extent? But one fact isn't in question: Your data is out there.
Mountains and mountains of personal data about you are being collected, stored, bought and sold every day. Phone companies, tech giants, cable providers and marketers -- they all want a digital piece of you, and that piece is getting bigger and bigger. So what can a privacy-conscious consumer do to fight back? And in the 21st century, how much does privacy even matter? If you answered "a lot" to the second question, the good news is the same answer applies to the first.
Long before Edward Snowden dumped NSA surveillance secrets into Glenn Greenwald’s lap, privacy watchdogs have been railing against the extensive data-collecting practices of the country’s largest tech giants, in particular Google Inc. (NASDAQ:GOOG), whose suite of cross-platform services -- Gmail, Chrome, Google+, Google Voice, etc. -- touch every corner of the Internet. Of particular concern is how deftly Internet-based companies can share personal information about where you shop, what you buy, what you read, who you email, what you say in emails, the files you maintain on your computer, your favorite websites and on and on among their various offerings -- and use this data for marketing and revenue schemes.
In response to concerns over the loss of online anonymity, a new frontier of private Web options has emerged. Companies such as DuckDuckGo and Hush Communications, and organizations like RiseUp.net, promise private online alternatives to traditional data-collecting behemoths. One of the first of these stealthy services was Ixquick, which launched in 1998 and was purchased two years later by the privately held Dutch company Surfboard Holding BV. In 2006, the company launched StartPage, which touts itself as the world’s most private search engine -- no data collection, no search history, no tracking. And the best part? Its search results are generated by Google itself, offering a familiar feel without the uncomfortable feeling of being watched.
“We’re like a proxy,” said Katherine Albrecht, a longtime consumer advocate who helped launch StartPage. “We sit between you and Google. You get their search results, but we don’t record your IP address or track your searches.”
StartPage serves results from a syndicated Google search feed. (Albrecht said Ixquick has a “European contractual relationship with Google.”) But users who want nothing to do with Google can get results from a variety of search engines through Ixquick. Because the operation is based in the Netherlands, it isn't subject to law-enforcement requests for information, and even if it were, it keeps no information to share.
A person familiar with the interworkings of Google Inc. pointed out that Google does offer a variety of private options, including “Incognito” mode for Chrome and the ability to turn off search history. The source also said that users could create different profiles for each Google service, which Google doesn't cross-reference. But Albrecht said that user behavior could still be tracked via IP addresses, which StartPage doesn't store.
If there’s one thing Albrecht values, it’s privacy -- not just her own but everyone’s. Since the 1990s, she's been one of the most vocal critics of tracking technologies, in particular RFID tags, which are miniature chips that use radio waves to exchange data with reading devices; they've been used to monitor the whereabouts of children, retail products, industrial parts and components, among many other things. When she speaks about the various ways in which data collection fosters government and corporate malfeasance, there's a hint of conspiracy-theory alarmism in her voice, but it’s backed up by a Harvard education and a diverse background in human development, psychology and international marketing. Asked whether she’s seen an increased interest in private services since the NSA-surveillance scandal broke, Albrecht responds with an emphatic “huge!”
“I’m trying hard not to say I told you so,” she said jokingly. “But I’m really glad this is waking people up.”
No Scanned Messages
In 2004, Albrecht was one of 31 privacy advocates who signed an open letter blasting Google for its then-just-announced Gmail service. The advocates called on Google to postpone the launch of Gmail until it adequately addressed various privacy issues. (It never did.) One particular point of contention was Gmail’s “email-scanning infrastructure,” through which the service scans users’ messages and places targeted ads based on certain keywords. Critics warned that the infrastructure would essentially normalize the automated snooping of private messages and pave the way for evermore invasive technologies.
Google stressed then, as it does now, that the scanning is done by an automated algorithm similar to a spam filter. “No humans read your email or Google Account information in order to show you advertisements or related information,” a Google spokesperson said.
In the meantime, other email providers have been working to play catch-up. This month, Yahoo Inc. (NASDAQ:YHOO) became the latest tech giant to get into the email-scanning game, discontinuing its old mail service and implementing a Gmail-style, contextual ad-targeting policy. Users were forced to comply with the new terms if they wanted to continue using the service. Albrecht surmised that most would, given that the Yahoo Mail network delivers more than 50,000 emails per second, making it a heavily relied-upon service for millions of users.
“This is how these companies work,” she said. “They introduce invasive technologies very quietly, and by the time you find out what they’re doing, you just lick your wounds and figure there’s nothing you can do about it.”
Still, Albrecht insists there's something you can do. This month, in fact, Ixquick began beta testing StartMail, an email service that Albrecht said will offer a private alternative to data-collecting services such as Gmail and Yahoo. Albrecht said the ultimate goal for Ixquick is to offer an entire suite of completely private Web products. Convincing people to use them? That’s another story.
When Free Isn’t Free
At some point in the 1990s, consumers made an unspoken deal with tech companies: We agreed to hand over our personal data, we allowed them to track and monitor our every habit, and in return, we got email, Web browsers, blogging platforms and social networks -- all totally free.
Some in the tech industry say that exchange was less a synergetic tradeoff than a Faustian bargain. In his new book, “Who Owns the Future?,” the influential computer scientist Jaron Lanier argues that that the Internet’s ever-growing “Culture of Free” has had devastating effects on not just our privacy but also our economy, disseminating the middle class and funneling power into a few monopolistic companies.
Lanier is known as a pioneer in tech circles -- he helped popularize the term “virtual reality” in the 1980s -- but in recent years, he’s become one of the most vocal critics of prevailing conventional wisdom surrounding the Internet. In a phone interview, he said the idea of giving away privacy to powerful companies in exchange for free services should’ve been met with skepticism from the beginning.
“It’s just life 101,” he said. “Whenever something is offered for free, you have to ask yourself, ‘What’s the game here?’”
Yet, both Lanier and Albrecht agreed that weaning people off free is an uphill climb, one that presents a potential snag for private Web companies such as Ixquick. Its StartPage browser is free for users, but StartMail, once beta testing is over, will be a paid email service, costing about $5 per month, Albrecht estimates. The question, then, becomes whether or not consumers will ever wrap their heads around the idea of paying for email. Albrecht acknowledges the challenge, but she said it’s ultimately a matter of paying with your wallet or with your data.
When Private Isn’t Private
In a recent press release, Ixquick touted the fact that it hadn't participated in the U.S. government’s controversial PRISM program nor has it ever provided data to any government. One reason is it collects no data to share, but if everyone else on the Internet does, how anonymous can you really be? Ashkan Soltani, an independent researcher and technology consultant who specializes in online privacy, said that many good companies offer quality private services, but he added that such services are only so effective. Private email, for instance, uses encryption technology to store email conversations, but users are still open to potential tracking if they send messages to third-party servers. (Google, in fact, is in the middle of a class-action lawsuit over charges that Gmail intercepts messages before they even reach their intended recipients, a violation of wiretapping laws.)
What’s more, Soltani added, individual privacy needs aren't necessarily a one-size-fits-all model. While some email users might be concerned with the watchful eye of Big Brother, others may be more worried about security threats from hackers, identity thieves and other cybercriminals. And larger companies such as Google have more resources to ward off such threats. Google’s own encryption techniques have even been praised by some privacy advocates as being superior to those of other large tech companies, as Cnet reported.
“It all depends on your own threat model,” Soltani said. “If you’re worried about hackers, then Google may be a better bet. They have very skilled and dedicated engineers. However, if you're worried about government surveillance, then it’s important to know that Google does comply with law-enforcement requests -- primarily from the U.S., but other places as well.”
Even the staunchest privacy advocates admit that, in today’s world, it’s almost impossible to completely avoid data collection. Consider a typical outing to buy clothes. You might start by Googling the address of a department store. Maybe you look it up on your smartphone, which already knows where you are at all times. On your way, you swipe your MetroCard, altering the MTA of your subway route. Once inside the store, you can wave to the security cameras as you use your debit card to make the purchase. When it’s all said and done, your activities have probably been added to the databases of a dozen different companies.
Of course, databases in themselves are nothing new. But 21st-century technology makes it easier than ever to link databases together. At the same time, the number of touch points between links is rapidly increasing. Soltani said online privacy often starts with a common-sense approach to choosing services. In other words, don’t make it easy for Google by using it as your browser, email provider, social network and everything else.
“If you want to stay anonymous online, you have to break links at every step,” he said.
Why Should I Care?
The old adage “If you’re not doing anything wrong, then you have nothing to worry about” is often criticized as a cop-out by champions of civil liberties. Yet, it appears many of us believe it. According to a recent Reuters/Ipsos poll, nearly half of all Americans say broad government spying is acceptable within limits. Many respondents simply believe that the need to fight terrorism trumps any notion of privacy.
Meanwhile, advocates insist that people should care about privacy -- not just because of some hypothetical notion of an Orwellian security state, but also because your data can be, and often is, used against you. For instance, as Soltani pointed out, a Wall Street Journal investigation last year revealed that several companies -- including Staples Inc. (NASDAQ:SPLS), Discover Financial Services and Home Depot Inc. (NYSE:HD) -- charge online customers different prices based on their location. Staples, in fact, even took into consideration customers’ proximity to its competitors. That investigation came a few months after a much-publicized report that Orbitz Worldwide (NYSE:OWW) was testing a system that would show Mac users pricier hotels than people who use PCs. Soltani said such stories are often eye-opening for consumers who have been trained to shrug their shoulders at lost anonymity.
“They really hit home,” he said. “People start to realize that data collection can affect them in ways they didn’t imagine.”
Of course, it goes well beyond paying a few more dollars for office supplies. Consumer advocates warn that people could be turned down for jobs, loans or medical insurance based on digital data as well. Then there's the abuse potential from within the tech companies themselves. Consider the exceptionally creepy story of the voyeuristic Google engineer who was fired in 2010 for allegedly snooping on underage teens. According to Gawker, the employee hacked into personal chats, contact lists and even Google Voice accounts. And apparently, he did it all simply because he could.
It’s hard to talk about online privacy without bringing the conversation back to Google. The company has become a metaphor for our modern-day loss of anonymity, and Albrecht, for one, thinks it’s a well-deserved image. She cheekily calls Google the “most brilliant market research company in history,” a master manipulator that has convinced us to share our most-private thoughts by promising us the world and convincing us that no one is watching. So the next time you sit down to plug something into that search engine, think about how it is that such an amazing service is provided for free. And then, ask yourself if it really is.
“Google’s search engine was never the product,” Albrecht said. “It’s just the bait. You’re the product.”
Correction: An earlier version of this article noted that Ashkan Soltani cited Hushmail as a service that does a good job at protecting privacy. Solanti merely cited Hushmail as a private mail service and did not specifically said it was good.