INTRODUCTION
Time to Disappear
Almost two years to the day after Edward Joseph Snowden, a contractor for Booz Allen Hamilton, first disclosed his cache of secret material taken from the National Security Agency (NSA), HBO comedian John Oliver went to Times Square in New York City to survey people at random for a segment of his show on privacy and surveillance. His questions were clear. Who is Edward Snowden? What did he do?1
In the interview clips Oliver aired, no one seemed to know. Even when people said they recalled the name, they couldn’t say exactly what Snowden had done (or why). After becoming a contractor for the NSA, Edward Snowden copied thousands of top secret and classified documents that he subsequently gave to reporters so they could make them public around the world. Oliver could have ended his show’s segment about surveillance on a depressing note—after years of media coverage, no one in America really seemed to care about domestic spying by the government—but the comedian chose another tack. He flew to Russia, where Snowden now lives in exile, for a one-on-one interview.2
The first question Oliver put to Snowden in Moscow was: What did you hope to accomplish? Snowden answered that he wanted to show the world what the NSA was doing—collecting data on almost everyone. When Oliver showed him the interviews from Times Square, in which one person after another professed not to know who Snowden was, his response was, “Well, you can’t have everyone well informed.”
Why aren’t we more informed when it comes to the privacy issues that Snowden and others have raised? Why don’t we seem to care that a government agency is wiretapping our phone calls, our e-mails, and even our text messages? Probably because the NSA, by and large, doesn’t directly affect the lives of most of us—at least not in a tangible way, as an intrusion that we can feel.
But as Oliver also discovered in Times Square that day, Americans do care about privacy when it hits home. In addition to asking questions about Snowden, he asked general questions about privacy. For example, when he asked how they felt about a secret (but made-up) government program that records images of naked people whenever the images are sent over the Internet, the response among New Yorkers was also universal—except this time everyone opposed it, emphatically. One person even admitted to having recently sent such a photo.
Everyone interviewed in the Times Square segment agreed that people in the United States should be able to share anything—even a photo of a penis—privately over the Internet. Which was Snowden’s basic point.
It turns out that the fake government program that records naked pictures is less far-fetched than you might imagine. As Snowden explained to Oliver in their interview, because companies like Google have servers physically located all over the world, even a simple message (perhaps including nudity) between a husband and wife within the same US city might first bounce off a foreign server. Since that data leaves the United States, even for a nanosecond, the NSA could, thanks to the Patriot Act, collect and archive that text or e-mail (including the indecent photo) because it technically entered the United States from a foreign source at the moment when it was captured. Snowden’s point: average Americans are being caught up in a post-9/11 dragnet that was initially designed to stop foreign terrorists but that now spies on practically everyone.
You would think, given the constant news about data breaches and surveillance campaigns by the government, that we’d be much more outraged. You would think that given how fast this happened—in just a handful of years—we’d be reeling from the shock and marching in the streets. Actually, the opposite is true. Many of us, even many readers of this book, now accept to at least some degree the fact that everything we do—all our phone calls, our texts, our e-mails, our social media—can be seen by others.
And that’s disappointing.
Perhaps you have broken no laws. You live what you think is an average and quiet life, and you feel you are unnoticed among the crowds of others online today. Trust me: even you are not invisible. At least not yet.
I enjoy magic, and some might argue that sleight of hand is necessary for computer hacking. One popular magic trick is to make an object invisible. The secret, however, is that the object does not physically disappear or actually become invisible. The object always remains in the background, behind a curtain, up a sleeve, in a pocket, whether we can see it or not.
The same is true of the many personal details about each and every one of us that are currently being collected and stored, often without our noticing. Most of us simply don’t know how easy it is for others to view these details about us or even where to look. And because we don’t see this information, we might believe that we are invisible to our exes, our parents, our schools, our bosses, and even our governments.
The problem is that if you know where to look, all that information is available to just about anyone.
Whenever I speak before large crowds—no matter the size of the room—I usually have one person who challenges me on this fact. After one such event I was challenged by a very skeptical reporter.
I remember we were seated at a private table in a hotel bar in a large US city when the reporter said she’d never been a victim of a data breach. Given her youth, she said she had relatively few assets to her name, hence few records. She never put personal details into any of her stories or her personal social media—she kept it professional. She considered herself invisible. So I asked her for permission to find her Social Security number and any other personal details online. Reluctantly she agreed.
With her seated nearby I logged in to a site, one that is reserved for private investigators. I qualify as the latter through my work investigating hacking incidents globally. I already knew her name, so I asked where she lived. This I could have found on the Internet as well, on another site, if she hadn’t told me.
In a couple of minutes I knew her Social Security number, her city of birth, and even her mother’s maiden name. I also knew all the places she’d ever called home and all the phone numbers she’d ever used. Staring at the screen, with a surprised look on her face, she confirmed that all the information was more or less true.
The site I used is restricted to vetted companies or individuals. It charges a low fee per month plus additional costs for any information lookups, and from time to time it will audit me to find out whether I have a legitimate purpose for conducting a particular search.
But similar information about anyone can be found for a small lookup fee. And it’s perfectly legal.
Have you ever filled out an online form, submitted information to a school or organization that puts its information online, or had a legal case posted to the Internet? If so, you have volunteered personal information to a third party that may do with the information what it pleases. Chances are that some—if not all—of that data is now online and available to companies that make it their business to collect every bit of personal information off the Internet. The Privacy Rights Clearinghouse lists more than 130 companies that collect personal information (whether or not it’s accurate) about you.3
And then there’s the data that you don’t volunteer online but that is nonetheless being harvested by corporations and governments—information about whom we e-mail, text, and call; what we search for online; what we buy, either in a brick-and-mortar or an online store; and where we travel, on foot or by car. The volume of data collected about each and every one of us is growing exponentially each day.
You may think you don’t need to worry about this. Trust me: you do. I hope that by the end of this book you will be both well-informed and prepared enough to do something about it.
The fact is that we live with an illusion of privacy, and we probably have been living this way for decades.
At a certain point, we might find ourselves uncomfortable with how much access our government, our employers, our bosses, our teachers, and our parents have into our personal lives. But since that access has been gained gradually, since we’ve embraced each small digital convenience without resisting its impact on our privacy, it becomes increasingly hard to turn back the clock. Besides, who among us wants to give up our toys?
The danger of living within a digital surveillance state isn’t so much that the data is being collected (there’s little we can do about that) but what is done with the data once it is collected.
Imagine what an overzealous prosecutor could do with the large dossier of raw data points available on you, perhaps going back several years. Data today, sometimes collected out of context, will live forever. Even US Supreme Court justice Stephen Breyer agrees that it is “difficult for anyone to know, in advance, just when a particular set of statements might later appear (to a prosecutor) to be relevant to some such investigation.”4 In other words, a picture of you drunk that someone posted on Facebook might be the least of your concerns.
You may think you have nothing to hide, but do you know that for sure? In a well-argued opinion piece in Wired, respected security researcher Moxie Marlinspike points out that something as simple as being in possession of a small lobster is actually a federal crime in the United States.5 “It doesn’t matter if you bought it at a grocery store, if someone else gave it to you, if it’s dead or alive, if you found it after it died of natural causes, or even if you killed it while acting in self-defense. You can go to jail because of a lobster.”6 The point here is there are many minor, unenforced laws that you could be breaking without knowing it. Except now there’s a data trail to prove it just a few taps away, available to any person who wants it.
Privacy is complex. It is not a one-size-fits-all proposition. We all have different reasons for sharing some information about ourselves freely with strangers and keeping other parts of our lives private. Maybe you simply don’t want your significant other reading your personal stuff. Maybe you don’t want your employer to know about your private life. Or maybe you really do fear that a government agency is spying on you.
These are very different scenarios, so no one recommendation offered here is going to fit them all. Because we hold complicated and therefore very different attitudes toward privacy, I’ll guide you through what’s important—what’s happening today with surreptitious data collection—and let you decide what works for your own life.
If anything, this book will make you aware of ways to be private within the digital world and offer solutions that you may or may not choose to adopt. Since privacy is a personal choice, degrees of invisibility, too, will vary by individual.
In this book I’ll make the case that each and every one of us is being watched, at home and out in the world—as you walk down the street, sit at a café, or drive down the highway. Your computer, your phone, your car, your home alarm system, even your refrigerator are all potential points of access into your private life.
The good news is, in addition to scaring you, I’m also going to show you what to do about the lack of privacy—a situation that has become the norm.
In this book, you’ll learn how to:
encrypt and send a secure e-mail
protect your data with good password management
hide your true IP address from places you visit
obscure your computer from being tracked
defend your anonymity
and much more
Now, get ready to master the art of invisibility.