Digital Surveillance: Who Do You Trust?

In Common ByAngus Batey / 22nd July 2013

The revelations that have been hitting the web and the newsstands since June, when the first stories written from the documents former NSA contractor Edward Snowden leaked to The Guardian were published, continue to shock. Many readers, in the US and the UK particularly, have been at best surprised and at worst outraged to discover the scale of their governments’ capability to monitor digital communications they had hitherto believed to be private. Yet there seems to be a peculiar disconnect between the reaction in newspaper website comment threads and on social media about government collection of communications metadata, and the vast amounts of personal information those same people apparently give quite happily to private companies doing business online.

Just as Snowden’s leaks have opened many people’s eyes to the scale of government surveillance, so the installation of a single program can reveal the systemic, pervasive and shocking level of online tracking of private web browsing habits that is conducted by for-profit private companies. Though it probably won’t come as a surprise to Acumin’s site visitors, for those of us outside the IA profession, watching what happens during browsing sessions with the help of the free Firefox plug-in Collusion is a sobering experience.

For the purposes of this blog post, I visited the Guardian‘s homepage recently (Monday October 7) and made a record of the companies Collusion told me were tracking me as a result. Simply landing on the newspaper’s home page instantly threw up 16 different entities that were now tracking my use of the site; after clicking on one story – a piece by James Ball, Bruce Schneier and Glenn Greenwald on how the NSA has attempted to circumvent TOR – the number of different companies tracking my browsing had risen to 50.

It’s easy to understand why this happens: free-to-read newspaper websites need every last fraction of a penny of income they can generate, so efforts to personalise the user experience, and ensure that ads served alongside the stories are likely to appeal to the specific reader and thus perhaps better entice them to click through, are obviously vital to the bottom line. The reporting Greenwald, Ball, Schneier, and staff at the paper such as the defence and security specialist Nick Hopkins have been doing on the NSA and GCHQ this summer has been extensive, impressive and thorough: such work cannot exist without money, so The Guardian is entirely justified in pursuing whatever income its journalism can generate.

It is also worth noting that The Guardian has an extensive and unusually clear privacy policy on its website, which explains to readers how its OBA – online behavioural advertising – service works. It makes clear that the data the paper shares with outside companies are anonymised, explains that your browsing of other sites is also tracked and used to serve personalised ads, and offers a means of opting out. None of which is true of NSA or GCHQ interception of digital communications, of course; and the entire process can to some extent be circumvented by disabling cookies in your browser, albeit at a cost in terms of website functionality – with even TOR under threat, if not already compromised, workarounds for state surveillance are not as easy to deploy.

But the part of this that interests me is the apparent discrepancy between the reactions of Guardian readers against state surveillance, and their tacit acceptance at having their web browsing habits tracked, possibly in far more detail, by profit-making private companies. While there are obvious and considerable differences between a law-enforcement agency and a private advertising company, many of the arguments made over online snooping apply equally to both.

Data-retention periods have become a key issue to many people concerned about digital surveillance, with the unlimited time NSA or GCHQ can store metadata becoming a major bone of contention. Yet among those 50 companies that tracked my browsing this week, at least five (imrworldwide.com, part of Nielsen; outbrain.com; owneriq.com; eqads.com; and The Guardian itself) have no published policy on data deletion, so could conceivably be intending to store it forever. Several trackers also refuse to confirm that they don’t acquire and use data considered sensitive – health or banking information, for instance – while some are not subject to any recognised system of oversight.

A total of 16 of the 50 companies that were tracking me after reading that NSA/Tor story are rated red – “of concern” – on the independent privacy website PrivacyChoice’s traffic-light system of warnings to web users concerned about their privacy online. In many cases, PrivacyChoice’s ratings are decided based on their reading of a website’s published privacy policies, and it’s entirely possible that some of their caution is overplayed or under-researched. Still, the fact that many of the companies they surveyed have taken account of privacy concerns suggests that there are plenty of firms out there who, at very least, consider user privacy to be of such reduced importance that clearly informing web users about how their data are used is not considered part of their core business.

Obviously, I can see the difference between an individual’s concerns about state surveillance, and the implicit consent a web-user gives to a website when using its services. And I am also well aware of the very different issues involved in deciding whether or not you’re comfortable with your government having theoretical access to aspects of your digital communications, and allowing a few private companies to know where you’ve been online so that they can better target ads at you. Yet both, to me, seem similarly sinister. Both transactions treat my consent as implicit, both are equally opaque to me as the user, and both rely to an almost total extent on me trusting the people who are handling my data to use them in the ways they say they will. And there is clear water between the position NSA and GCHQ have stated they adopt – that they only examine metadata, not message content, unless and until there is reasonable grounds to suspect that criminal activity is taking place, and then only in strict compliance with all relevant laws – and that of, to choose just one example, Google, who have clashed with European regulators over the question of their compliance, or otherwise, with EU law and whose Gmail product routinely scans the content of users’ emails to serve relevant ads when those mails are displayed.

Personally, I’m willing to let GCHQ know who I email and at what time, if that genuinely helps keep the country safe from terrorist attack or organised crime. That feels, to me, like a fair trade – though it would benefit both public and state for the process by which agency work is audited and monitored to be made more transparent and accountable. I’m less inclined to feel that being targeted with advertisements relevant to my browsing history or the content of emails I send or receive is an entirely acceptable price to pay for letting a plethora of private companies know about my online habits and behaviour. And I also feel that any meaningful debate on the nature, value and degree of state surveillance into our online lives needs to be balanced with a similar investigation and understanding of the way private companies exploit our digital trails for commercial gain.

Until we understand who uses our data, when, how, and why, we can’t really hope to know what level of intrusion we each, as individuals, can accept. And it will only be after we’ve answered that personal question that we can realistically play a part in the wider debate we should be having, about what degree of surveillance – state or private – we, as a society, are willing to tolerate.