NOTE: this post was published in June of 2016, but it was gone from my post listings when I went looking for it to optimize it. Fortunately, my RSS feed had published it in its entirety. The content is still timely.
I recently read a suggestion that if we have nothing to hide, we have nothing to fear. To put it another way, if we’re not doing anything wrong, we shouldn’t have a problem with government surveillance. I’d like to offer the following rebuttals in response. I don’t have citations immediately available, because this material that I present has been accumulated from many sources over the years. Some came from academic research in the course of my career studies, some from podcasts regarding liberty and public policy, and some from general technology news.
The government really hates the use of encryption for any purpose other than government use. Government agents have categorically stated that the use of encryption automatically casts a cloak of suspicion over a user of it. However, encryption is necessary for security. Without encryption, no online transactions would be safe to use. You couldn’t access your bank accounts at their websites, you couldn’t perform any commerce transactions. You couldn’t apply for a job online. Well, let me correct that: you COULD, but you would be exposing an awful lot of information to anyone who was able to grab it, and without encryption, anyone could grab it. That means your credit card information would travel across the internet in easy-to-read plain text. Your social security number in an online job application would be available to anyone to see. These are things you DON’T want just anyone to see.
So why would anyone use encryption for any other purpose? Well, the United States federal government considers you to be a suspect if you fall into any of the following categories:
1. Those that talk about “individual liberties”
2. Those that advocate for states’ rights
24. Anyone that is opposed to Agenda 21
41. “General right-wing extremist”
55. Anyone that is “anti-abortion”
72. Those that store food beyond two weeks’ worth.
That is an intimidating list! Notice that very few of these groups of people have much, if anything, to do with radical Islamists. If the surveillance agencies collect enough material, eventually nearly everyone could fall into at least one of these categories, and if material (emails, texts, letters, phone conversations) were collected that “proved” that you fall into more than one of the categories listed above, you could end up on the no-fly list, you could lose a security clearance if you have one, your identity could be flagged and you could be prevented from certain types of work, you could be followed. I don’t care if you have nothing to hide, if you get followed enough, you begin to hate it.
Mass surveillance is ineffective in keeping us secure. Surveillance of individual targets is incredibly effective in garnering useful information. Groups of data sets can provide trends and help connect the dots in some amazing ways. But when larger and larger data sets are gathered, even the best software loses effectiveness in drawing lines and connecting trends. The more records there are collected, after a point, the less valuable each record becomes as a piece of security information. The security agencies have justified mass surveillance by saying that they want these records on hand in case they need them. But projects like Prism and KeyScore are collecting so much data–in the case of Prism, ALL OF AT&T DATA NETWORK TRAFFIC–that finding anything of value among all those records would be exactly as easy as finding a needle in the proverbial haystack. So if they were to look for keywords, which keywords should they look for? “Bomb?” If you were actually going to bomb a target, would you really put it into an email? Even an encrypted email? Not likely. If the agencies do a massive record search on the word “bomb,” what they’d likely come up with is references to a new song being “da bomb” or a movie that bombed at the box office. And searching that level of record storage, even with a huge computer processing center, would still be so laboriously slow that by the time they found anything they could actually use to build any sort of accurate picture, whatever it was that was happening, would already be past.
Government doesn’t always get it right. So supposing in several different emails, to different people, maybe several years apart, the agency found an email that confirmed an order for fertilizer, because it’s gardening season. And another time they found a record of a van rental because you were taking a bunch of kids on a field trip. and another time they found a search engine record showing that someone at your house seem extremely interested in a particular historical landmark, because your son was doing a report on that landmark. Prior to the bombing of the Murrah building in Oklahoma City, they wouldn’t have made anything of it. Since that incident, however, surveillance revealing a fertilizer-van rental-landmark connection might send a signal to the agents that you were planning to pull a McVeigh.
But this example is conjecture. There are documented examples of agents using surveillance and putting the wrong pieces of the puzzle together and coming up with a picture that “almost” makes sense, but which was totally incorrect. The E-Verify system of verifying employment eligibility is a prime example of what should be a slam-dunk great system to make sure that only eligible people get to work in America. But there have been many–way too many–false positives on American citizens, who have to spend their own money proving not only that they are American citizens, but that the E-Verify system has falsely flagged the as ineligible to work in the country. And after that happens, there is no recourse for them; the government accepts no responsibility for getting it wrong. Can you not see how objectionable this is?
And here’s another reason we don’t need to trust the government with all our data: The OPM data breach. The Office of Personnel Management suffered the largest data breach of any government agency last year. Millions of records of people directly and indirectly employed in government service had their personally identifiable information compromised. I don’t work for the government, I am employed by a technology services contractor, but my services are leased to the US Army. I had a background check in preparation for this job. So this exposure affects me, AND my husband, AND my kids. So because the OPM didn’t take the proper security precautions (and they have admitted this), millions of records of employees AND their family members have been compromised.
So I’m not guilty of anything; I just know how these pieces get put together, I know where the surveillance security holes are, and I know that there are way too many things that the government considers fodder for the Enemy List. It’s not that I have anything to hide from the government. The government has taught us through its actions not to trust it with our individual security, and now they’re wondering why we don’t.