What Privacy Can You Expect?

Back in 1999, before 9-11, before Snowden and Assange, The West Wing had an episode about choosing a new Supreme Court justice. Seaborn says that the judge’s views on abortion are noteworthy, but the really important thing over the next 20 years will be privacy.

Today, this comment seems prescient—privacy is in the news more than ever before. One of the comments on the last blog asked about to what degree privacy actually exists online today. I think that’s a difficult question to answer, because people tend to keep privacy violations, well, private. So, I think I’ll instead talk about what people should expect in terms of privacy.

Social Media

The terms and conditions for using many websites indicate that any information you submit on that website becomes the property of the website itself. As such, you shouldn’t have any presumption of privacy for most websites. On some social media platforms such as Facebook, it’s a bit different—you continue to own the content and grant Facebook a temporary license for as long as the content is on the site.

According to Facebook’s privacy policy, they will keep track of all sorts of information about you, not just what you submit. They’ll also look at your device information, physical location, all the websites you go to (Facebook or not), and your relationships with all your friends. They’ll sell this information to advertisers and data miners, though sometimes personally identifying information will be stripped. Thus, if you use Facebook, you should expect your interests, demographic, friends, location, browsing habits, and mobile phone applications are all known by Facebook and its customers.

Similarly, like most companies, Facebook will abide by requests by the US government and other governments for data. To me, the language around that clause is weak:

 We may access, preserve and share your information in response to a legal request (like a search warrant, court order or subpoena) if we have a good faith belief that the law requires us to do so.

They use court orders as examples of legal requests, but don’t specify that the request must be a court order, or that they won’t reveal information if they aren’t required to do so. Thus, I interpret this clause as not limiting. It’s saying, “we’ll certainly reveal information under these circumstances, and we may give them information just because we feel like it.”

To me, this means that you can assume anything on Facebook is in the government’s hands and the hands of people who will give Facebook money. But they’ll consider stopping people who don’t pay from knowing about you.

Cloud Data

When data’s stored in the cloud, there are four main parties that you have to be concerned about:

• the general public
• the cloud application company: the company that’s building the application that stores the data in the cloud. e.g. Reddit
• the cloud service company: the company that owns the servers and communication infrastructure comprising the cloud, that is providing a service to the cloud application company. e.g. Amazon Web Services, AWS
• the government

The ability of the general public to access your private information is similar to anything electronic—in theory, they have no access. In practice, they have access to whatever they can (illegally) hack.

The cloud application company has access based on their terms and conditions and privacy policy. Often, these would be fairly expansive. Frequently, the company would own the content in the cloud, and be able to use it however they liked.

The cloud services company typically will have clauses in place that deny them access to the data. Thus, while they would be capable of violating privacy, they are usually limited from doing so. This is a noteworthy contrast to the Social Media guys, a differentiation which exists because of the distinct customer bases. While Facebook has to convince the unsophisticated everyman to use their service, AWS has to convince knowledgeable and suspicious application developers to develop their applications on the AWS platform.

You can see the difference in the strength of AWS’s disclosure clause:

We do not disclose customer content unless we’re required to do so to comply with the law or a valid and binding order of a governmental or regulatory body. Unless prohibited from doing so or there is clear indication of illegal conduct in connection with the use of Amazon products or services, Amazon notifies customers before disclosing customer content so they can seek protection from disclosure.

Of course, the biggest potential privacy violator is still the government. Cloud providers are subject to legal requests like any other organization and will provide information as necessary. What’s more, PRISM—leaked by Snowden—provides backdoor for the government to access Internet communications at most of the large technology companies, including Google, Facebook, Apple, Microsoft, and Yahoo. Basically, the NSA can specify keywords or personal identifiers, and have all relevant information routed to them directly from the Internet companies’ servers.

So far, the information about PRISM seems to focus on communication-based cloud applications like email and Skype. However, it would surprise me if the NSA wasn’t trying to add backdoors into cloud infrastructure in a more general way (if it doesn’t have them already).

The bottom line

Thus, when it comes to online and cloud interactions, the safest thing seems to be to presume a lack of privacy, particularly when it comes to the government. As if that wasn’t enough, we’re still in the early stages of this transformation—as artificial intelligence is applied to the task, I’d expect that the government will be able to access almost anything they want about you online and I’d expect companies like Facebook will only know a little less.

So be careful. The key rule of thumb is, if you aren’t paying for the product, you are the product. To that I’d add, and even if you are paying for the product, you’re probably also the product as well….