From Google to the government to data brokers, why your privacy is now a thing of the past
Last year, in response to revelations about NSA surveillance, some of tech’s biggest names got together and formed an organization dedicated to promoting government surveillance reform. The charade should have been laughed at and mocked— after all, these same companies feed on privacy for profit, and unfettered surveillance is their stock and trade. Silicon Valley runs on for-profit surveillance, and it dwarfs anything being run by the NSA.
Technologies championed by privacy groups such as the Electronic Frontier Foundation offer little protection. For example, the anonymizing network Tor—used by pedophiles, drug dealers, tax cheats, jihadis and everyday porn consumers—may turn out to be a government-sponsored honey pot, an inadvertent consequence of the need to cloak its own spying activities.
Google runs the largest private surveillance operation in the history of mankind. The company has a de facto monopoly on much of the digital ecosystem: search, email, browsers, digital advertising, smartphones, tablets. Google is a global for-profit surveillance behemoth that makes billions in profits a year. Its purpose: to track, analyze and profile us as deeply as possible—who we are, what we do, where we go, who we talk to, what we think about—and then constantly figure out ways to monetize that intelligence.
What kind of info does Google collect? The company is very secretive about that. But here are a few data points that could go into its user profiles, gleaned from two patents Google filed a decade ago, prior to launching its Gmail service:
- Concepts and topics discussed in email, as well as email attachments
- The content of websites that users have visited
- Demographic information—in- cluding income, sex, race, marital status
- Geographic information
- Psychographic information—personality type, values, attitudes, interests
- Previous searches users have made
- Information about documents users viewed and edited
- Browsing activity
- Previous purchases
Google might be making money off advertising now, but the big question is: How will it use all this data in the future? Five years from now? Ten years from now? Data has a way of never fully disappearing or dying. Will it be passed around, re-analyzed, bought and sold for ever and ever? And what guarantee do we have that this info won’t end up down the line in the hands of the U.S. government… or in the hands of repressive totalitarian regimes?
And if that wasn’t enough surveillance for you, then there’s the uncomfortable ties between Google and the U.S. military-surveillance com- plex—a collaboration that’s been going on for so long that it’s sometimes hard to discern where Google ends and the NatSec apparatus begins.
Over the years, Google’s worked to enhance the surveillance capabilities of the biggest intel agencies in the world: the NSA, FBI, CIA, DEA, NGA and just about every wing of the DoD. Google’s DC office is staffed by former spooks, high-level intelligence officials and revolving-door military contractors: U.S. Army, Air Force Intelligence, Central Intelligence Agency, Director of National Intelligence, USAID, SAIC, Lockheed.
The Tor browser and network has been touted as a scrappy but extremely effective grassroots technology that can protect journalists, dissidents and whistleblowers from powerful government forces that want to track their every move online. But according to a recent exposé, Tor provides the opposite of anonymity: it singles out users for total NSA surveillance, potentially sucking up and recording everything they do online.
The Tor Network was developed, built and financed by the U.S. military and surveillance establishments, and continues to be funded by Department of Defense grants routed through entities such as the Menlo Park nonprofit SRI (formerly Stanford Research Institute). Government-originated funding dramatically increased in 2012.
Tor’s original—and current— purpose is to cloak the online identity of government agents and informants while they are in the field. Just everybody involved in developing Tor technology has been and/or still is funded by the Pentagon or related arm of the U.S. government. Tor is still very much in active use by the U.S. government for intelligence-gathering activities.
Tor’s origins go back to 1995, when military scientists at the Naval Research Laboratory began developing cloaking technology that would prevent someone’s activity on the Internet from being traced back to them. The technology was funded by the Office of Naval Research and DARPA. The original goal of what’s called “onion routing” was to allow intelligence and military personnel to work online undercover without fear of being unmasked by someone monitoring their Internet activity.
In the ’90s, as public Internet use and infrastructure grew and multiplied, spooks needed to figure out a way to hide their identity in plain sight online. An undercover spook sitting in a hotel room in a hostile country somewhere couldn’t simply dial up CIA.gov on his browser and log in — anyone sniffing his connection would know who he was. Nor could a military intel agent infiltrate a potential terrorist group masquerading as an online animal rights forum if he had to create an ac- count and log in from an army base IP address. As Michael Reed, one of the inventors of onion routing, explains:
The *PURPOSE* was for DoD/ Intelligence usage (open source intelligence gathering, covering of forward deployed assets, whatever). Not helping dissidents in repressive countries. Not assisting criminals in covering their electronic tracks. Not helping bit-torrent users avoid MPAA/RIAA prosecution. Not giving a 10 year old away to bypass an anti-porn filter. Of course, we knew those would be other unavoidable uses for the technology, but that was immaterial to the problem at hand we were trying to solve (and if those uses were going to give us more cover traffic to better hide what we wanted to use the network for, all the better…I once told a flag officer that much to his chagrin).
Very early on, researchers understood that just designing a system that only technically anonymizes traffic is not enough—not if the system is used exclusively by military and intelligence. In order to cloak spooks better, Tor needed to be used by a diverse group of people: Activists, students, corporate researchers, soccer moms, journalists, drug dealers, hackers, child pornographers, foreign agents, terrorists—the more diverse the group that spooks could hide in the crowd in plain sight.
Tor also needed to be moved off site and disassociated from Naval research. As Syverson told Bloomberg in January 2014: “If you have a system that’s only a Navy system, anything popping out of it is obviously from the Navy. You need to have a network that carries traffic for other people as well.”
Tor co-founder Roger Dingledine said the same thing at a conference in 2004: “The United States government can’t simply run an anonymity system for everybody and then use it themselves only. Because then every time a connection came from it people would say, ‘Oh, it’s another CIA agent.’ If those are the only people using the network.”
In 2007, 22-year-old Swedish hacker/researcher Dan Egerstad told Sydney Morning Herald that he thinks many of the major Tor nodes are being run by intelligence agencies or other parties interested in listening in on Tor communication. Egerstad had managed to capture a trove of passwords and other sensitive information by monitoring Tor traffic on five servers he had installed. He can’t help but speculate who’s behind other Tor servers. “If you actually look into where these Tor nodes are hosted and how big they are, some of these nodes cost thousands of dollars each month just to host because they’re using lots of bandwidth, they’re heavy-duty servers and so on,” Egerstad says. “Who would pay for this and be anonymous? For example, five of six of them are in Washington D.C.”
Edward Snowden’s leaks clearly showed the NSA and GCHQ run Tor nodes, and are interested in running more. And running 50 Tor nodes doesn’t seem like it would be too difficult for any of the world’s intelligence agencies—whether American, German, British, Russian, Chinese or Iranian. Hell, if you’re an intelligence agency, there’s no reason not to run a Tor node.
In 2012, Dingledine revealed that the Tor Network is configured to prioritize speed and route traffic through the fastest servers/nodes available. Dingledine was criticized by the Tor community for the obvious reason that funneling traffic through a handful of fast nodes made surveilling and subverting Tor much easier. In 2013, the Washington Post revealed that the NSA had figured out various ways of unmasking and penetrating the anonymity of the Tor Network.
In 2009, Jacob Appelbaum came on board as one of five salaried employees of the Tor Network, earning a salary of $96,000 as a developer. About 90 percent of Tor’s funds that year came from federal grants, mostly from the State Department and the CIA-spinoff International Broadcasting Bureau (IBB). Appelbaum’s Tor gig has continued uninterrupted ever since, netting him somewhere around a half-million dollars. Not a bad haul.
Yet in 2010, right in the midst of him being funded by intel grants, Appelbaum emerged as an important Wikileaks volunteer. He used his celebrity status in the hacker world to promote the organization, helped secure Wikileaks’ servers with Tor technology and even bailed Julian Assange out of public speaking gigs when the heat from U.S. authorities got too hot.
Data Brokers We can get a sense of the kind of info that Google and other Surveillance Valley megacorps compile on us, and the ways in which that intel might be used and abused, by looking at the business practices of the “data broker” industry.
Thanks to a series of Senate hear- ings, the business of data brokerage is finally being understood by consumers, but the industry got its start back in the 1970s. The early operations pulled in information from any source they could get their hands on—voter registration, credit card transactions, product warranty information, donations to political campaigns and nonprofits, court records— storing it in master databases and then analyzing it in all sorts of ways that could be useful to direct-mailing and telemarketing outfits. It wasn’t long before data brokers realized that this information could be used beyond telemarketing, and quickly evolved into a global for-profit intelligence business that serves every conceivable data and intelligence need.
Today, the industry churns out somewhere around $200 billion in revenue annually. There are up to 4,000 data broker companies—some of the biggest are publicly traded—and together, they have detailed information on just about every adult in the western world.
No source of information is sacred: transaction records are bought in bulk from stores, retailers and merchants; magazine subscriptions are recorded; food and restaurant preferences are noted; public records and social networks are scoured and scraped. What kind of prescription drugs did you buy? What kind of books are you interested in? Are you a registered voter? To what nonprofits do you donate? What movies do you watch? Political documentaries? Hunting reality TV shows? That info is combined and kept up-to-date with address, payroll information, phone numbers, email accounts, social security numbers, vehicle registration and financial history. And all that is sliced, isolated, analyzed and mined for data about you and your habits in a million different ways.
The dossiers are not restricted to generic market segmenting categories like “Young Literati” or “Shotguns and Pickups” or “Kids & Cul-de-Sacs,” but often contain the most private and intimate details about a person’s life, all of it packaged and sold over and over again to anyone willing to pay.
Take MEDbase200, a boutique for-profit intel outfit that specializes in selling health-related consumer data. Well, until recently, the company offered its clients a list of rape victims (or “rape sufferers,” as the company calls them) at the low price of $79 per thousand. The company claims to have segmented this data set into hundreds of different categories, including stuff like the ailments they suffer, prescription drugs they take and their ethnicity:
These rape sufferers are family members who have reported, or have been identified as individuals affected by specific illnesses, conditions or ailments relating to rape. Medbase200 is the owner of this list. Select from families affected by over 500 different ailments, and/or who are consumers of over 200 different Rx medications. Lists can be further selected on the basis of lifestyle, ethnicity, geo, gender and much more. Inquire today for more information.
MEDbase promptly took its “rape sufferers” list off line last week after its existence was revealed in a Senate investigation into the activities of the data-broker industry. The company pretended like the list was a huge mistake. A MEDbase rep tried convincing a Wall Street Journal reporter that its rape dossiers were just a “hypothetical list of health conditions/ailments.” The rep promised it was never sold to anyone. Yep, it was a big mistake. We can all rest easy now. Thankfully, MEDbase has hundreds of other similar dossier collections, hawking the most private medical information.
For instance, if lists of rape victims aren’t your thing, MEDbase can sell dossiers on people suffering from anorexia, substance abuse, AIDS and HIV, Alzheimer’s disease, Asperger’s syndrome, attention deficit hyperactivity disorder, bedwetting (enuresis), binge eating, depression, fetal alcohol syndrome, genital herpes, genital warts, gonorrhea, homelessness, infertility, syphilis … the list goes on and on.
Normally, such detailed health information would fall under federal law and could not be disclosed or sold without consent. But because these data harvesters rely on indirect sources of information instead of medical records, they’re able to sidestep regulations put in place to protect the privacy of people’s health data.
MEDbase isn’t the only company exploiting these loopholes. By the industry’s own estimates, there are something like 4,000 for-profit intel companies operating in the United States. Many of them sell information that would normally be restricted under federal law. They offer all sorts of targeted dossier collections on every population segments of our society, from the affluent to the extremely vulnerable:
- people with drug addictions
- detailed personal info on police officers and other government employees
- people with bad credit/bankruptcies
- minorities who’ve used payday loan services
- domestic violence shelter locations (normally these addresses would be shielded by law)
- elderly gamblers
If you want to see how this kind of profile data can be used to scam unsuspecting individuals, look no further than Richard Guthrie, an Iowa retiree who had his life savings siphoned out of his bank account. Their weapon of choice: databases bought from large for-profit data brokers listing retirees who entered sweep- stakes and bought lottery tickets.
Here’s a 2007 New York Times story describing the racket:
Mr. Guthrie, who lives in Iowa, had entered a few sweepstakes that caused his name to appear in a database advertised by infoUSA, one of the largest compilers of consumer information. InfoUSA sold his name, and data on scores of other elderly Americans, to known lawbreakers, regulators say.
InfoUSA advertised lists of “Elderly Opportunity Seekers,” 3.3 million older people “looking for ways to make money,” and “Suffering Seniors,” 4.7 million people with cancer or Alzheimer’s disease. “Oldies but Goodies” contained 500,000 gamblers over 55 years old, for 8.5 cents apiece. One list said: “These people are gullible. They want to believe that their luck can change.”
Data brokers argue that cases like Guthrie are an anomaly—a once-in-a-blue-moon tragedy in an industry that takes privacy and legal conduct seriously. But cases of identity thieves and sophistical con-rings obtaining data from for-profit intel businesses abound.
Scammers are a lucrative source of revenue. Their money is just as good as anyone else’s. And some of the profile “products” offered by the industry seem tailored specifically to fraud use.
However, InfoUSA is not some fringe or shady outfit, but a hugely profitable, politically connected company. InfoUSA was started by
Vin Gupta in the 1970s as a basement operation hawking detailed lists of RV and mobile home dealers. The company quickly expanded into other areas and began providing business intel services to thousands of businesses. By the early 2000s, the company raised more than $30 million in venture capital funding, including $10 million from Palo Alto’s Trident Capital, $10 million from Draper Fisher Jurvetson’s MeVC fund and a strategic investment from Yahoo, Inc.
By then, InfoUSA boasted of having information on 230 million consumers. A few years later, InfoUSA counted the biggest valley companies as its clients, including Google, Yahoo, Microsoft and AOL. It got involved not only in raw data and dossiers, but moved into payroll and financial, conducted polling and opinion research, partnered with CNN, vetted employees and provided customized services for law enforcement and all sorts of federal and government agencies: processing government payments, helping states locate tax cheats and even administrating President Bill Clinton’s “Welfare to Work” program. Which is not surprising, as Vin Gupta is a major and close political supporter of Bill and Hillary Clinton.
As big as Infogroup is, there are dozens of other for-profit intelligence businesses that are even bigger: massive multi-national intel con-
glomerates with revenues in the billions of dollars. Some of them, like LexisNexis and Experian, are well known, but mostly these are outfits that few Americans have heard of, with names like Epsilon, Altegrity and Acxiom.
These for-profit intel behemoths are involved in everything from debt collection to credit reports to consumer tracking to healthcare analysis, and provide all manner of tailored services to government and law enforcement around the world. For instance, Acxiom has done business with most major corporations and boasts of intel on “500 million active consumers worldwide, with about 1,500 data points per person. That includes a majority of adults in the United States,” according to the New York Times.
This data is analyzed and sliced in increasingly sophisticated and intrusive ways to profile and predict behavior. Merchants are using it customize shopping experience— Target launched a program to figure out if a woman shopper was pregnant and when the baby would be born, “even if she didn’t want us to know.” Life insurance companies are experimenting with predictive consumer intel to estimate life expectancy and determine eligibility for life insurance policies. Meanwhile, health insurance companies are raking over this data in order to deny and challenge the medical claims of their policyholders.
For the past year, Chairman John D. (Jay) Rockefeller IV has been conducting a Senate Commerce Committee investigation of the data broker indus- try and how it affects consumers. The committee finished its investigation recently without reaching any real conclusions, but issued a report warning about the dangers posed by the for-profit intel industry and the need for further action by lawmakers. The report noted with concern that many of these firms failed to cooperate with the investigation into their business practices:
Data brokers operate behind a veil of secrecy. Three of the largest companies–Acxiom, Experian, and Epsilon–to date have been similarly secretive with the Committee with respect to their practices, refusing to identify the specific sources of their data or the customers who purchase it. … The refusal by several major data broker companies to provide the Committee complete responses regarding data sources and customers only reinforces the aura of secrecy surrounding the industry.
Rockefeller’s investigation was an important first step breaking open this secretive industry, but it was missing one notable element. Despite its focus on companies that feed on people’s personal data, the investigation did not include Google or the other big Surveillance Valley data munchers. And that’s too bad. Because if anything, the investigation into data brokers only highlighted the danger posed by the consumer-facing data companies like Google, Facebook, Yahoo and Apple.
As intrusive as data brokers are, the level of detail in the information they compile on Americans pales to what can be vacuumed up by a company like Google. To compile their dossiers, traditional data brokers rely on mostly indirect intel: what people buy, where they vacation, what websites they visit. Google, on the other hand, has access to the raw uncensored contents of your inner life: personal emails, chats, the diary entries and medical records that we store in the cloud, our personal communication with doctors, lawyers, psychologists, friends. Data brokers know us through our spending habits. Google accesses the unfiltered details of our personal lives.
A recent study showed that Americans are overwhelmingly opposed to having their online activity tracked and analyzed. Seventy-three percent of people polled for the Pew Internet & American Life Project viewed the tracking of their search history as an invasion of privacy, while 68 percent were against targeted advertising, replying: “I don’t like having my online behavior tracked and analyzed.”
This isn’t news to companies like Google, which last year warned shareholders: “Privacy concerns relating to our technology could damage our reputation and deter current and potential users from using our products and services.”
Little wonder then that Google, and the rest of Surveillance Valley, is terrified that the conversation about surveillance could soon broaden to include not only government espionage, but for-profit spying as well.
Portions of this story appeared in PandoDaily.
Yasha Levine will be a featured speaker at C2SV Discussions. Thu, Sep 11, 4:30pm, Zero1 Garage, San Jose. Free with pre-registration at C2SV.com.