A few years back, I did a long newspaper story about the FBI snooping on the private records of ordinary citizens. As my old editor Michael Kinsley likes to say, the scandal is what’s legal. The Patriot Act unleashed the FBI to search your email, travel and credit records without even a suspicion of wrongdoing. The FBI was doing it, in secret, tens of thousands of times a year.
As I dug into the story, government officials kept telling me that law-abiding Americans have nothing to fear. Why object to surveillance if you have nothing to hide? Joseph Billy Jr., a top FBI supervisor for whom I had great respect, told me, “I’ve had people say, you know, ‘Hey, I don’t care, I’ve done nothing to be concerned about. You can have me in your files and that’s that.’ Some people take that approach.”
I’m not one of those people. CounterSpy is a new blog about privacy and security in our digital lives. I come to it by temperament and professional necessity. My principal work is investigative reporting, and efforts have spiked in recent years to find and punish my confidential sources. (Update Aug 3, 10:40pm: My son Michael points out that this link is broken and asks if that’s a joke about confidential sources. Um, no. Here’s the correct link.) I learned the technology and tradecraft of electronic security in self defense, with a lot of expert help.
If that sounds exotic, and you think you have nothing to hide, I invite you to reconsider. As Trotsky didn’t exactly say, you may not be interested in electronic snoops, but snoops are interested in you, whether or not you keep Coke’s secret recipe on your iPhone. Pay attention to security or you’ll let others make free with your medical records, those emails about your friend’s crumbling marriage, your gambling debts, the layoffs you’re planning, the job you’re thinking of jumping to, the cool idea you want to pitch, your candid thoughts about your boss, your forthcoming quarterly earnings or that embarrassing online purchase you made last month. You know which one I’m talking about.
Maybe you figure it’s hopeless. The other day I talked about CounterSpy’s launch with Karen Greenberg, who runs the Center on Law and Security. “What’s the point?” she asked. “There is no digital privacy and security.” That’s easy to say with equanimity in the abstract. Not so much when you start to think concretely. We kicked around a few examples, and soon she was insisting that something has to be done. This is an ambivalence that a lot of us feel on the subject.
Plenty of people will tell you that you don’t really care, or shouldn’t care, or needn’t bother caring, because the protected space of our personal lives disappeared in the olden days of the 1990s. These people do not have your interests at heart. They depend on the hope that you’ll forget about privacy the same way you forget about that camera in the elevator. Oracle’s Larry Ellison ( “the privacy you’re concerned about is largely an illusion“) is the guy who wants to supply software for a national ID system. Facebook’s Marc Zuckerberg (there’s no more “social norm” of privacy) owns a multibillion dollar business based on extracting your intimate details. (Here’s an illuminating graphic that shows how Facebook does it.) Google’s Eric Schmidt, whose company depends on promiscuous data collection, endorsed the FBI equation of secrecy with wrongdoing: “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.”
Everyone has something to hide. Privacy is relational. It depends on the audience. You don’t want your employer to know you’re job hunting. You don’t spill all about your love life to your mom, or your kids. You don’t tell trade secrets to your rivals. We don’t expose ourselves indiscriminately, and we care enough about exposure to lie as a matter of course. Among upstanding citizens, researchers have consistently found that lying is “an everyday social interaction” (twice a day among college students, once a day in the Real World). Remember the disasters that befell Jim Carrey in that movie plot that left him magically unable to fib for even one day? Comprehensive transparency is a nightmare.
My favorite security blogger, Bruce Schneier, put it this way:
Privacy is about control. When your health records are sold to a pharmaceutical company without your permission; when a social-networking site changes your privacy settings to make what used to be visible only to your friends visible to everyone; when the NSA eavesdrops on everyone’s e-mail conversations — your loss of control over that information is the issue. We may not mind sharing our personal lives and thoughts, but we want to control how, where and with whom. A privacy failure is a control failure.
CounterSpy is about taking back a modicum of control. Self-protection is a powerful instinct — we try to safeguard our families, reputations and careers — but instinct alone won’t protect you in cyberspace. Digital security is full of trade-offs, a shifting balance of risk and cost and convenience. It takes effort to use encryption, or to choose a different, complex pass phrase for every online account. If you don’t want transponders to record every place and time you cross a toll, you have to give up EZPass and take the slower drive into the cash lane. It costs money to decide against joining shopper loyalty programs that track and sell lists of everything you buy. Your choices will depend on the stakes and threat as you see them. I expend a lot more resources protecting my reporter’s notes than my family vacation photos. But that’s just me. Your photos may be altogether different.