
2016 will go down in history as the year that many Americans learned the meaning of words like “encryption” and “metadata.” It was a year of government spying, corporate lurking and software-powered eyes (and ears) snooping into our real lives. As it gets easier to follow people around, privacy becomes more salient.
Does the ability to keep your personal business (where you’ve been, whom you’ve spoken to) ensure a free and fair democracy by ensuring that minority voices can formulate criticisms and find allies? Or does it threaten public safety by masking the intentions of terrorists and criminals until it’s too late? This is the debate we live in. What follows are the top events that have shaped it.
As 2015 came to a close, Hillary Clinton called for a Manhattan Project to break encryption—the use of incredibly large numbers to mask the content of messages so that no one but intended recipients can read them. In that world, no one could ever securely share a private thought again. It would set a tone for a debate that would continue through an election year. Activists would become more concerned about surveillance by state-level actors, while technologists would sound the alarm about how much shadowy companies with code hidden on every website already know about us.
In that spirit, here is a countdown of 13 of the most defining privacy stories of the year:

⓭ Reddit’s 2015 Transparency Report lacks a warrant canary. Many requests for information from national security agencies forbid companies from notifying users that such a request has been made. One way to work around this is by making regular transparency reports in which organizations write that they have never received a letter from federal law enforcement requesting user information. This is called a “warrant canary,” and Canary Watch tracks services that have published such notices. In Reddit’s 2014 Transparency Report, it said, “As of January 29, 2015, Reddit has never received a National Security Letter.” However, this language did not appear in 2015’s report. An email service popular with activists, RiseUp, also failed to publish its quarterly warrant canary in November, as ZDNet reported.

⓬ The IRS asks Coinbase for a huge list of users. After finding a (very) few tax dodgers who used the leading bitcoin wallet, the revenue authority asked for all its user records from 2013 to 2015. It’s doubtful the agency actually expects to get all that it has asked for, but cryptocurrency enthusiasts will be watching closely to see what Coinbase does. Jerry Brito, director of the digital currency think tank Coin Center, wrote in American Banker that the request sets a dangerous precedent. As we’ve previously reported, bitcoin buyers don’t owe any taxes until the digital currency gets turned back into dollars, but once it does investors have to pay up if they make money, just as they would if they sold equities at a profit.

⓫ Millions of consumers pay money to bug their homes. Somehow, the most unlikable fake family in product launch video history made the Amazon Echo into the must-have home gadget of 2016. And now Google has a knockoff device, Google Home. Look, we don’t know that these devices actually record when they haven’t been given a command. Nevertheless, these are giant, super sophisticated microphones that people spend over $100 to have shipped to them. Spies used to have to sneak around for this kind of access. At least some companies actually pay people to let them listen to everything they say and do. Speaking of which, people are literally lining up to buy cameras that go on their faces which share video exclusively with an app that is not end-to-end encrypted. Discretion, it seems, has become quaint.

➓ The rise of facial recognition as a commercial category. We spoke to N-Tech Lab, which hopes one day to place cameras inside retail stores that identify visitors in order to target them for sales later. Google experimented with using faces with its payment system. In China, Baidu is all in on using faces for ticketing events. Facebook has been acquiring companies with expertise in this field, and it’s hard to believe their only motivation is adding zany new features. Meanwhile, facial tech is old news for law enforcement (but still very big).

➒ Normalizing terrorist watch lists. After the shooting in Orlando, both major presidential candidates called for expanding terrorist watch lists in order to prevent lone wolf attacks, as NPR reported. The so-called “no-fly list” became a hot topic, particularly as Congressional Democrats pushed to ban listed individuals from buying guns, but political cartoonist Jen Sorensen did a comic for the ACLU about what it’s like to be on that list, which amounts to a form of punishment without any trial or appeal. Security researcher Chris Vickery found an old version of another, private list kept by Thomson Reuters of potentially risky people. Inclusion in the list could prevent individuals from closing contracts or getting jobs, and they might never know why. This spring, the US government’s top privacy watchdog charged with overseeing the pursuit of terrorist suspects prematurely resigned.

➑ Windows gets nosy with its 10th version. The software giant has been sharing telemetry data with third parties, for example, but don’t worry: the company was very careful. Its Cortana functions are all built to answer questions before users have to ask, but to do so it needs to get permission to create a profile of the person by tracking their behavior. It’s very similar to the sorts of surprising insights that Android users find on Google Now.

➐ Regulating Internet Service Providers, the most important boring companies online. A new UK law requires ISPs to keep records of sites people visit. Here in the US, we basically assume that the NSA has already been logging data like that, but—thanks to the FCC—at least ISPs can’t sell your browsing data. We’ve also reported on an unknown wireless carrier selling location data of its customers to SAP.

➏ Linking names with behavior, for Google users (that is, everyone). Google erased its commitment not to share personally identifiable information, as ProPublica reported. Now, Google has permitted itself to link what it knows about a user on email to what it knows from watching them search around the web. In other words, it can pretty much build a complete profile, linked to a name. Any company in a position to gather almost any data at all can probably figure out who someone is, anyway, but the search giant has given itself permission to eliminate any internal friction.

➎ Tracking activism. Color of Change filed suit against FBI and DHS over surveillance of peaceful protesters participating in the Movement for Black Lives. The nature of the case is that we don’t know what they know. The Intercept confirmed last year that everything from fairly dull events to major protests gets followed by DHS. The organization and its partners followed up by making another Freedom of Information Act request for more details and got met with a wall of silence. Many civil liberties advocates argue that surveillance can have a chilling effect on speech and assembly. Americans have already seen this movie.

➍ Google plays hall monitor on securing connections. Google is a weird company. Sometimes it seems hell-bent on wrecking privacy. Other times it goes way out of its way to defend it. If there’s one way Google has been on the side of truth and justice, it’s HTTPS, the protocol that connects a website securely to your browser. HTTPS ensures that criminals or spies don’t serve web users phony or malicious content. In 2014, Google started lowering SEO scores for sites that didn’t implement the secure protocol. We reported on one of the few adult sites that has. In September, it announced that it would soon make sites look scary in Chrome should they fail to get on board with security. Time to get religion, slowpokes. Visit Let’s Encrypt to get started.

➌ Unbreakable encryption reaches 14 percent of humanity. Statista estimates that a billion people use WhatsApp, the messaging app. In April, it completed migrating all users to Open Whisper Systems’ standard-setting encryption. Boom! Whether they knew it or not, a major portion of the world started messaging privately—not even the service’s developers could read users’ messages. It’s ironic because WhatsApp is owned by Facebook, whose founder famously once said privacy was no longer a “social norm.” As Bruce Schneier has written, even if you have nothing to hide, there are those that do, and every encrypted message helps protect them (such as the folks two stories above). By the way, the United States has so many vague computer laws that almost anyone could be prosecuted as a felon if the cops were determined to do so.

➋ Confirmation that the Feds read our email. Yahoo scanned piles of emails at the behest of federal law enforcement, Reuters reported. The Intercept reached out to a number of other email providers to ask if they had been met with a comparable request. Under U.S. law, any information a person shares with a third party is fair game for government search, though Justice Sonia Sotomayor has argued that this third-party doctrine should be revisited in a connected world. A Verizon lawyer agrees.

➊ Apple v. the Feds. The number one privacy story of the year had everything: a Silicon Valley titan, terrorism, the globe’s favorite gadget and G-Men galore. On December 2, 2015, Syed Rizwan Farook and Tashfeen Malik went on a shooting rampage in San Bernardino, California, that left 14 people dead. The FBI subsequently recovered an iPhone held by Farook, but it could not access any of its data because it had been encrypted with a lock screen. Cupertino refused to find a way to break encryption on the device because it would have created a backdoor that cybercriminals would have promptly found a way to exploit. In the end, the FBI was able to get into the phone without Apple’s help. Local law enforcement has plenty of locked iPhones that they would also like a look into, if the FBI would be willing to show them their one simple trick.
Ω
We reached out to a number of contacts in the privacy and security world in order to check our blind spots as we made this list. Anyone who thinks this is in the wrong order or missed a huge story, please weigh in. No one expects a list like this to be definitive.
Astute readers may notice a distinct lack of one kind of story: breaches. The initial draft included one of the year’s biggest stories—period: The Panama Papers. Various contacts also suggested including stories like the DNC email breach and Wikileaks’ publication of what it called the “Erdogan Emails.” Somehow, it didn’t seem like these fit as privacy stories, because they didn’t reflect a systematic program either to keep secrets or to uncover them. They are important stories, but they didn’t seem right here. Those who disagree should please say so.
We expect privacy to become more important as we head into 2017. For example, the blockchain could make it possible to use online services without giving them intellectual property forever. Meanwhile, the quantum age of computing will either make everything secure or nothing. And, unfortunately, the new year will almost certainly bring more tragedies to investigate and technologies to scapegoat.
It will probably be even tougher to keep next year’s list to a reasonable length.