This semester at the University of Utah I am teaching Communication 5620, International Communication. In our Thursday sessions, we do a round-up of weekly news items from the previous week, chosen by the students, that relate to international communication. Not surprisingly, most of the stories chosen for this week related to revelations of NSA surveillance, as well as cyber attacks surrounding the conflict in Syria. In turn, this sparked a number of questions and a discussion about what can be done to protect our online privacy.
Little did I realize how timely our in-class discussion would turn out to be. During the hour and twenty minutes that I was in the classroom and not following the news, the story of NSA attempts to crack and undermine the encryption that secures online communication broke in the New York Times, The Guardian, and ProPublica. Though I told students that there is no quick, easy fix for online privacy, one recommendation that I did offer was the adoption of encryption; the other was the use of VPNs. We now know that both have been targeted and, in some cases, compromised by NSA.
Had breaking news just destroyed the advice I had given my students? Is there no point in adopting these and other privacy enhancing technologies?
I do not believe that this is the case. With careful thought given to the threats that each of us realistically face to our privacy online, these tools can still be of great benefit.
With each new story about NSA, it becomes easier to adopt a maximalist mindset with regards to threats and responses. But such a mindset is counterproductive because it is potentially paralyzing. If we imagine that we are under constant, ubiquitous threat from the likes of NSA, then it’s tempting to say, “Well forget about it. There’s nothing I can do!” This is an understandable response. As Bruce Schneier wrote today, “The NSA has huge capabilities – and if it wants in to your computer, it’s in.”
But the fact is that the NSA is not likely to want into your, or my, computer. That does not mean that we should not be concerned about the revelations from the last three months. We should. We should have a national debate about what kind of domestic surveillance power we want our government to have. But in terms of making practical decisions about safeguarding our personal information on a daily basis, it is not helpful to worry about the NSA.
Though it might not be likely that the NSA wants into your computer, there are other bad actors who do. They also want into the computers of the companies to which you have given personal information. As I explained to my students today, if they must connect to an unsecure wifi network at a coffee shop or elsewhere, they can improve their security by using the university’s VPN or by using their own mobile hotspot, if they have one. Of course, we now know that NSA has worked to compromise VPN encryption, as well as 4G/LTE. So, those tools may no longer keep you safe if NSA is after you. But again, that is unlikley. They can, however, provide protection against the more likley threat, which is a malicious actor in the coffee shop sniffing traffic and stealing personal information from other users. To abandon the privacy enhancing tools that you have at your disposal in the face of actual threats because of concern about a ubiquitous adversary that is likely not targeting you, and that you likely could not stop anyway, is self-defeating.
On the other hand, taking a maximalist approach to protecting your privacy online is also unhelpful, especially if such a response is not warranted by a rational assessment of the threats you actually face. The New York Times recently ran a profile of Laura Poitras, a documentary filmaker who has been investigating NSA surveillance and who was a point of contact for Edward Snowden. It discusses the extraordinary measures that she uses to keep her information secure. Similarly, Bruce Schneier, who is now also working on stories for The Guardian based on the Snowden documents, mentions a number of tools that he has been using while working on these stories. The extraordinary measures that these individuals are taking is rational given the sensitive work that they are doing.
And yet, even Schneier admits that he does not use all of these tools all the time. There’s good reason for that. Not everything we do, not all of our information and communication, requires the same level of security. Attempting to implement the highest level of security for everything, all the time, is impractical. Instead, we should rationally assess what it is that we want to keep secure/private, who or what is likely to threaten us, what the costs would be if our information were to be compromised, and then take the actions that we can, within reason, to keep it secure.
The technologies we have available to us are not perfect. If we did not know that before, we certainly do now. We must do more to secure the Internet against state surveillance and other intrusions into our personal privacy.
But it should have also become clear by now that the surveillance state is not solely a technological problem for which there is a technological fix. Many of the techniques NSA has used to subvert Internet security and online privacy are not technological, but rather, are legal or economic. NSA and its supporters have hacked the law as much as they have hacked the technology. As such, though the creation of new and better technologies must be part of the solution, it cannot be the entire solution. A complex, socio-technical problem will require complex, socio-technical fixes.
These will need to extend to personal practices when it comes to privacy. Ultimately, while privacy enhancing technologies can still be of benefit, there is no piece of software one can download and install, no piece of hardware one can buy, that will provide guaranteed privacy. While I do not want to advocate self-censorship, in addition to deploying privacy enhancing technologies where appropriate, it seems only prudent given what we have learned this summer, that we all become a little more cautious about the information we share and the online services for which we sign up.
Though recent revelations can leave us feeling powerless and paralyzed, this need not and should not be the case. There are technologies we can use that, though imperfect, can help to protect us against the most likely threats we face on a daily basis. There will be a growing cadre of engineers and entrepreneurs who will seize this opportunity to create better technologies. But because technology is not the entirety of the problem, it is also not the entirety of the solution. We can vote at the ballot box, as well as with our dollars, in support of one kind of society as opposed to another. Though sometimes they are limited and inconvenient for us, we can, nonetheless, make choices about the information we share and with whom. None of these are perfect responses. None are guaranteed to work. But they certainly stand a better chance of securing our privacy on a daily basis and creating a better future for Internet security and privacy than the alternative, which is paralysis and certain defeat.
(This post also appears on Forbes.com.)