This article is part of a limited-run newsletter. You can sign up here.
You can’t solve a problem that you can’t define. That’s why I love this dual definition of privacy by Maciej Ceglowski, one of my favorite writers and thinkers on technology. It’s from his written testimony submitted to the Senate Banking Committee last week.
The first definition is the classic one, that data privacy is “the idea of protecting designated sensitive material from unauthorized access.” Easy enough. His second is much more profound and, as he puts it, “until recently was so common and unremarkable that it would have made no sense to try to describe it.” Here it is:
That is the idea that there exists a sphere of life that should remain outside public scrutiny, in which we can be sure that our words, actions, thoughts and feelings are not being indelibly recorded. This includes not only intimate spaces like the home, but also the many semiprivate places where people gather and engage with one another in the common activities of daily life — the workplace, church, club or union hall.
What Ceglowski is really talking about is the ability to “opt out.” It’s a phrase that big tech companies love to use. Just toggle this button and you’re free! David, the user, has control, not Goliath. This is, of course, quite disingenuous. As Ceglowski argues:
A characteristic of this new world of ambient surveillance is that we cannot opt out of it, any more than we might opt out of automobile culture by refusing to drive. However sincere our commitment to walking, the world around us would still be a world built for cars. We would still have to contend with roads, traffic jams, air pollution, and run the risk of being hit by a bus. Similarly, while it is possible in principle to throw one’s laptop into the sea and renounce all technology, it is no longer be possible to opt out of a surveillance society.
We’ve built a society and economy that runs on surveillance, a world where the price for participation is tracking, targeting and disclosure of data. “Opting out” might as well mean heading to Walden Pond (and even then it’s likely that, in preparation for your journey to Thoreau’s cabin, you’d be targeted by ads for self-reliance books on Amazon, freeze-dried prepper meals and 12 different iPhone meditation apps).
I called up Ceglowski after his trip to Washington to inquire about the experience and what he thinks we can do to make opting out less of a pipe dream. Like anyone with a decent understanding of how the web works, he has a healthy skepticism that we’ll rein in privacy violations, but his one potential area of optimism really stuck with me. It’s the concept of positive regulation.
The gist is that Google and Facebook and the entrenched platforms are truly vulnerable only in one area: privacy. He argues for a legally binding framework with harsh penalties (criminal liability) for playing fast and loose with data. The logic is that big tech companies are so reliant on invasive privacy practices and deal with so much information that there’s no way they can play by such rules. But new entrants — companies that are smaller and that actually put a premium on privacy — might be able to differentiate themselves and disrupt the space.
“If we use privacy constructively and create a legal framework, we can incentivize those who want to go up against the entrenched players by marketing themselves as explicitly privacy-focused,” he told me.
Perhaps most important, Ceglowski’s approach would finally test the idea of just how much internet users value data privacy. “It is possible that the tech giants are right, and people want services for free, no matter the privacy cost. It is also possible that people value privacy, and will pay extra for it, just like many people now pay a premium for organic fruit,” he wrote in his statement.
Over the phone, he explained that, while it might seem small, if real people on the internet vote with their wallets to use privacy-focused services over big data-sucking platforms like Facebook and Google, the effect could be profound. He cited the telemarketing wars of the early 2000s as an example.
“When telemarketers were fighting the ‘do not call’ list they argued that people loved having the opportunity to hear about great deals and products via phone during dinner time,” he said. “But once the regulation passed, everyone signed up for that list and it became obvious that the industry’s argument was laughable.”
So far, nobody’s been able to poke a hole in big tech companies’ argument that we enjoy their services enough that we’re O.K. with constant privacy violations. Perhaps that’s only because, as Ceglowski suggests, it’s all we know. “In the best case, you could have companies who can make the argument that real people care about privacy, as long as they’re given a realistic option,” he said.
In other words, it’s actual opting out.
From the Archives: The ‘Do Not Call’ List Debate
Today’s archive pick is a pair of articles documenting the story Ceglowski told above about the “do not call” list. The first a 2003 report that centers on efforts by congressmen including Representative Ed Markey, Democrat of Massachusetts, to put the list into effect after court rulings against it:
Trade commission officials say more than 50 million phone numbers have been listed since registration began on June 26. A former F.T.C. lawyer called the registry the “most populist effort in the history of the agency.” So when the list appeared threatened, lawmakers of both parties rushed to defend it. “This legislation got to the floor faster than a consumer can hang up on a telemarketer at dinner time,” Mr. Markey said.
The second is from November 2005 that reflects on the success of the list two years later. It’s especially striking if you apply it to our current sentiments about privacy and the possibility of consumer-empowering legislation:
Some 109 million telephone numbers have been registered on the National Do Not Call list since it opened for business; many states, among them New York, had registries in place even earlier. The process is free and remarkably easy; a few clicks and your home and cellphone number can be listed for five years. Harris Interactive conducted a survey of people who signed up for the list and found that 92 percent said they had received fewer calls since signing up and 25 percent said they had received no calls.
Tip of the Week: Use A Disposable Email To Filter Spam
You get a lot of email. And since many of us are constantly coughing up our email address to do everything from online shopping to subscribing to news sites, inboxes can quickly shift from a helpful feed to a rat’s nest of spam.
Much of this isn’t anything to worry about. But occasionally, your email address can fall into the hands of bad actors who’ll use it to bombard you with garbage and, worse yet, mount phishing attacks that seek to get you to inadvertently share your passwords or personal information. These attacks are getting more sophisticated and can dupe even the most cautious internet dwellers.
So one way to protect your privacy is to create a disposable email address when you’re signing up for services. It makes your inbox less chaotic and focused on real correspondence with real people you know. It’s also a great way to inoculate yourself from attacks.
There’s a number of burner email companies, some of which auto-delete after only 10 minutes (great if you need to sign into a weird or suspect site that requires an email). Some to check out: MaskMe, which lets you create unlimited burners; BurnerMail; Mailinator, which self-deletes; and 10 Minute Mail, which is self-explanatory.
And Digital Trends has a nice primer here on how to create email tags on Gmail (not quite a burner, but a helpful filter that will delete unwanted mail).
Reader Q. and A.
Q: I am in a profession that requires me sometimes to meet remotely with colleagues. Is there a relatively safe platform, or are they all invasive?
A: Before digging in, I’ll parrot some grim-but-important advice I received from Amir Orad, a security expert with deep experience in the information wars, that changed the way I think about privacy. “Whatever you do online, operate with the assumption that every picture, email, communication will be one day made public on a big bulletin board,” he said. “If you don’t accept that you’re not living in reality.”
Terrifying, I know. But I take that less literally and more as a guide for how to discuss things online. If you’re dealing with intensely personal information or very, very private, high-level corporate information — if the stakes are obscenely high — then nothing is better than face-to-face conversation. An encrypted phone call on a service like Signal is also very good and (so far) reliable.
But face to face isn’t always possible and sometimes the information isn’t top-secret — you just want to know you have a reasonable expectation of security. To my knowledge, popular conferencing platforms like Zoom and GoToMeeting are Hipaa-compliant and offer end-to-end encryption. They also have security white papers, like this one, which gives the fine print. Privacy seems to be a competitive feature for these services, so my advice is to talk to the I.T. team at your workplace to determine which platform they use and then poke around a bit.
Lastly, you can push for your workplace to develop working guidelines for calls that can help police the weakest link in any security chain: the humans on the call. Some guidelines might look like this. A few examples might be: “Users must get permission to record a video conference from everyone on the call” and “Video conferences conducted at a user’s desk should train the camera to focus on the user’s face, and any visible confidential data should be removed from camera view.”
What I’m Reading:
Here’s a horror story about GPS trackers that can remotely turn on your microphone.
A good explainer on the recent WhatsApp hack and what to do.
I was deeply fascinated by this piece on health aides “crossing the line” on privacy.
NBC News has a good look at the implications of the California privacy law that goes into effect next year and the ways it could change the internet.