The Market for Online Privacy Is Broken

Photograph by Stuart McClymont

Yesterday, Google asked Attorney General Eric Holder for permission to publish the number of national security requests it receives through the FISA court, as well as the number of accounts covered by those requests. The company seems worried that not enough has been made public about the NSA’s Prism program. It wants to say more. “Google’s numbers would clearly show that our compliance with these requests falls far short of the claims being made,” the letter to Holder reads. “Google has nothing to hide.”

Surveillance and wire-tapping used to be expensive. What we now call “gathering metadata” we used to call “tailing”: sitting in a car, noting comings and goings. Actually recording what we now call “content” required a trip to a telephone switching box with some alligator clips, or even into a home with a bug. This stuff used to suck up agent time and agency money. Christopher Soghoian, a privacy researcher and activist now with the American Civil Liberties Union, laid this out last year in his doctoral thesis, The Spies We Trust: Third Party Service Providers and Law Enforcement Surveillance (pdf). Soghoian’s thesis is the best possible backgrounder you could read to understand last week’s revelations of NSA surveillance. Forget natural law or federal code (for now); the problem with data surveillance is economic.

Metadata—information about a thing, rather than the thing itself—has always been valuable. But collecting it used to be thankless and expensive. Think of the actual physical index cards that libraries used to organize in card catalogues. Each card displayed author, title, Dewey Decimal number—the metadata for one book. Someone actually had to type and amend that card by hand, which constrained the metadata that any library could reasonably collect. A limited number of subject categories for the book, for example. No chapter headings.

Yahoo’s first maps of the Web were akin to a card catalogue, ordering Web pages one by one into categories, a human decision each time. Google improved on this by treating incoming links as metadata, a way to order the importance of a page. Then the tools of the Web flipped. In the early 2000s, new Web services allowed us to enter our own information: to blog, to tweet, to tag, to like. In each case, we created metadata about ourselves. This had always been valuable, but suddenly we had an incentive to write our own card catalogue entries. In return for a community, or even just a personalized stream of music, we happily provided metadata. This is the basic transaction behind every free Web service.

This creates a tremendous temptation for even the saintliest NSA analyst. Data centers and mathematicians with security clearances are expensive, but every additional bit of metadata is now close to free. The data state has expanded not because the people in Washington have become more craven or callous, or even necessarily because American voters are more scared of terrorists. If the price of a good drops, demand for it increases. When you’re no longer limited by the number of G-men you can put on the street, why not surveil everyone?

Commercial companies have interests other than providing the government with information. In a competitive market to win new consumers, these interests should raise the price of data for the government. As Soghoian points out, companies can choose to notify customers that the federal government has requested their data, which could spur law enforcement to seek an injunction against the notice from a court, adding expense (and oversight). But few companies choose to notify their customers. Soghoian documents several more examples. Companies can choose to charge the government for data, which directly raises its cost and provides a paper trail. Again, few do.

This means one of two things. Either consumers don’t care about privacy, or the commercial market for privacy is broken. Soghoian writes that, generally, Web companies have more aggressively resisted government requests for data; they are likely to suffer more if they are not seen to protect their users, which is why Google might feel impelled suddenly this week to ask Justice for permission to be more open about FISA requests.

But ultimately, the government has two ways to encourage companies to keep the price of data low. The first is regulation. The federal government is not a monolith, but more heavily regulated industries, such as telecommunications, have to prioritize what they complain about in Washington. The same senators that oversee intelligence might sit on committees that oversee the Federal Communications Commission, and the FCC has far more direct and tangible power over a telecom’s profits than the NSA does. The second is the power of secrecy. If the government makes it hard to reveal its practices, companies can’t distinguish themselves through heightened privacy protection.

Google’s letter leaves some hope that consumer-facing companies might see privacy as a distinguishing feature. Notably, after Google sent Holder its letter, Facebook quickly followed suit. Nothing yet from AT&T or Verizon Wireless on disclosing metadata surveillance, though. Privacy, as a selling point, is more crucial to some industries than others.

