Hey netizens, doing some research, and I'd like to ask you a few questions.
What do you consider to be the biggest threats to online privacy in the world today?
If there were one thing you could have visibility into the practices of, what would it be?
@thegibson for fear of getting yelled at in the menchies, I'll just say "faang and company"
@thegibson uh, yeah, one did not already have visibility into privacy threats
"Big Tech"/"Big Data" collection, and the credit/insurance data collection that came before them.
And they're only aiding & abetting the above...
@thegibson The entralization of data in privately-owned clouds.
Social credit scores, and corporate/government overlap.
The insecurity and obsolescence of many healthcare data systems.
Voice assistants and the ubiquity of microphones.
@TheGibson convenience ... and digital illiteracy
@TheGibson privacy is under attack from so many fronts now days that trying to isolate the biggest threat would be a folly.
abuse of infrastructure
nothing don't care
Your questions are too open
They are that way on purpose.
@thegibson Short of "capitalism" as one other response gave.
1) The entire business model of gifting some service to a consumer in hopes that you can than monetize them through data extraction/influencing (or also by extracting VC funding until FAANG buys you to get your data... but that's the same thing). This business model should be as illegal as running a pyramid scheme.
2) Not sure, because I don't really have the time to sit around and audit what every company is doing with my data. I'd like to see privacy policies that accurately describe the exact usage of any data I provide to a company, and I would like to see an independent entity audit these companies to confirm that the data is being used according to the policy and in no other way and suitably ring the alarms when a company isn't or won't give them sufficient access to prove this case. This would be particularly hard, since we also need to trust that the auditor themselves isn't using the audit to extract data for nefarious means -- somehow needs to be a firewall between them and the state without making the auditor toothless.
If I delete my post, I want all ML models derived from it by anybody gone, too. I want to be able to define bulk data revocation at any level of granularity, from broad time ranges and categories down to elaborate transitive queries in a well supported language such as GraphQL.
@thegibson 1) State actors, from least oversight to greatest. 2) Corporate actors, from least oversight to greatest, with probably some overlap with number one. 3) Criminal actors, generally because of access to information from items 1 and 2.
As regards visibility: I hold government actors should be utterly transparent, save that citizen information should not be shared as part of that.
I hold that corporations should be *nearly* as transparent, but need to figure a way to better articulate, "GM (random frx here) doesn't necessarily need to share it's complete assembly line instructions, but does need to permit repair, and needs to be transparent about safety, data usage, worker and civilian privacy, etc."
I'd probably also include as a privacy threat: Taking anything that was public and rendering it private for profit. Or for other means, but *shrugs* stuff like JSTOR snaffling historical research journals and then charging access... Yeah, that's a privacy/public issue in some form?
I see a lot of government presented as, "That specific government, right there," But generally find that most governments/agencies/etc. are invasive to the extent of their capacity/ability to get away with, so *shrugs* pointing at a specific nation, even when one's done really nasty things this particular year, seems too narrow a focus.
@thegibson Oh. Number items are from greatest to least severity. Plus grains of salt everywhere as the sleep dep has me?
@thegibson Advertisers, nation states, and platform corporations.
@TheGibson Telcos. And their terrible security practices. The ability to easily SIM swap. The ability to pilfer information on someone's current location and sell it to the highest bidder. The fact that most aspects of cell communications are outsourced to 3rd party contractors and retailers who have even poorer security practices.
@TheGibson The most common threat to online privacy is the complex of marketing and "data broker" organizations that track users across the net, often without their knowledge, "re-targeting" them, and building & selling profiles on them to anyone who will pay -- even when users actively try to opt out or block that behavior.
@TheGibson That's like trying to pick your favorite child: there's just so many bad actors that it's simpler (though not easier) to pick out the companies that aren't being complete privacy terrors.
@thegibson commercial social media
@thegibson regulators being too soft... Maybe they suffer incompetence, negligence, corruption, starvation of resources or a misplaced focus on privacy only being an issue when financial damages can be identified. Whatever the case, their low activity means not only bad privacy, but the normalisation of unlawful corporate behaviour in any industry that can leverage misuse of personal data to develop an unfair market advantage (advertising, publishing, retail, software, ...)
@thegibson I'd break the question into a few parts:
- WHO or WHAT represents a threat? Actors.
- What MECHANISMS does that threat manifest as?
- What ACTIVITIES contribute to this?
- What specific RISKS are prresented?
Possibly a few others, though I'll try to hit on these points.
@thegibson I'd also like to take a stab at how privacy and surveillence are related.
Confirming against the OED, though my use differs somewhat.
"Private" and "public" are essentially opposites. Public is "of the people as a whole", whilst "private" is "not public" or "specific to an individual or group".
"Surveillance" is interesting, and I quote: "Watch or guard kept over a person, especially over a suspected person, a prisoner, or the like."
@thegibson The working definition I've had of "privacy" as a capacity or power doesn't seem widely used, though it's generally conformant with usage:
"The ability to define and enforce limits on the sharing or distribution of information, secrets, or data."
I'm working with that as a foundation, in case anything that follows isn't clear.
@thegibson As to _why_ privacy matters, I'll borrow from Paul Baran in 1966:
"Privacy is really the right to be wrong, then go on and live the rest of your life, without having it mark you forever"
Baran is one of the inventors of packet-based switching, the foundation of the Internet, and worked at RAND in the 1960s. His writings there are freely available online, many address social concerns of computer networks:
@thegibson There's also the relationship between _stress_ (and all its consequences), and _agency_:
the ability to perceive and to change the environment of the agent, but crucially, it also entails intentionality to represent the goal-state in the future, equifinal variability to be able to achieve the intended goal-state with different actions in different contexts, and rationality of actions in relation to their goal to produce the most efficient action available.
@thegibson I'm going to hand-wave a bit and say that privacy is a key component of agency. If anyone has issues with that, hit me with a question and I'll try explaining in more depth.
There are also notions of _vigilance_ and _alertness_, and of _harassment_, "to vex by repeated attacks"
Simply being under observation, _especially_ by a potentially threatening adversary, is a form of harassment and intimidation.
There's Bentham's Panopticon, a literal prison.
@dredmorbius I have not yet disagreed with any of your assertions. Agency does require privacy.
@thegibson There's also the notion that information overload is a form of attack. I'm going to build off my earlier comments and claim it is an attack on _agency_. Specifically, it confounds (and overloads) the ability to perceive the environment.
Alvin Toffler's "Future Shock" explores many of the dynamics of this, in 1970, and is surprisingly prescient.
Awareness of surveillance is a form of information overload, especially of _unseen_ surveillance, or surveillance one cannot avoid.
@dredmorbius causes social chilling... just ask the East Germans.
@thegibson Das Leben Der Anderen.
@dredmorbius Es ist eine gut film.
@thegibson So one effect of surveillance is simply on individual behaviours.
And of course, group behaviours are aggregated (and emergent) individual behaviours. So: surveillance also affects group behaviours.
This is before considering the _actions enabled_ based on surveillance. Call it the observer effect: if you watch people, or animals, their behaviour changes. Again, Bentham's Panopticon is predicated on this.
Small animals, birds, reptiles, and fish will scatter.
@thegibson Then there's what information does for the surveillor.
I'd like to address a common and ancient myth: knowledge is not power.
Knowledge is a power *multiplier*.
If you have no power to act in a situation, then more knowledge does _not_ give any advantage.
If I tell you that the Sun will go nova tomorrow, there is nothing you can do to save yourself or stop it. (Though suicide might be an option.) There is no other potential for human action even collectively.
@thegibson For any given entity -- a person, organisation, government, firm, group, mob -- information can inform about the environment, express desire, and provide feedback.
*Information guides intent.*
The first widely used computer systems were used for government census and military fire control. The first acquires information on a dispersed envrionment, the second focuses intent, literally.
Business accounting and modelling were other early uses, both again informational.
@thegibson Just to round out cases: you can use computers for control systems (industrial processes, remote control, guidance systems), for communications (e.g., Mastodon), for sensing, for _processing_ received data, and for detection -- spotting incoming threats and taking action.
Communications -- well, just read Sun Tzu on the Use of Spies. You can both receive _and_ transmmit information, to your advantage.
@dredmorbius oh, I know these methods well.
@thegibson All of which has been a bunch of stage-setting to get to this point:
The more capable, powerful, flexible entity will, in general, gain a larger benefit even under _equal_ informational access.
They've got more means to attack, distract, deflect, confuse, and predict. If information is equal, _their_ power is magnified more than _yours_ is.
Yonatan Zunger, chief architect of Google Plus made this point some years back (not sure if archived). That's stuck with me.
@thegibson And of course, information _isn't_ equal -- your more-powerful adversary is also going to have a vastly superior information gathering and processing capability.
They are also very likely to have something you don't have: immunity or impunity.
Impunity is the ability to act without regard for harm, though not necessarily without risk.
Immunity is freedom from risk, often by a legal shield, though various forms of distance can apply.
The powerful write law in their favour.
@thegibson There are some potential levellers of these risks.
Highly-organised, complex, and multi-party entities (states, businesses) can be strong but brittle, and be highly loss-averse.
Loosely-organised, simple, and collective entities (mobs, the public, irregular military forces) may be relatively weak, but resiliant against attack, and more able to face risks.
So David occasionally trumps Goliath.
Enhancements in ranged and automated attack systems makes that increasingly costly.
@thegibson The actors in surveillance are generally: individuals and the public, against an array of surveillance threats: state (domestic and foreign, allied and opposed), corporate, non-state, criminal, and private actors.
Keep in mind that the powerful themselves are affected by this: governments, government agencies (US State Dept, NSA, GSA), companies (Sony, TJ Maxx, Equifax, .... basically every data breach evar), generals, presidential candidates, congressmembers, judges ...
@thegibson ... Jamal Khashoggi, Jeff Fucking Bezos ... have all had data breached.
The Panama Papers, Mossack Fonseca, Paradise Papers, Implant Files, etc., etc.
Not as devastating as many may have hoped, but painful all the same.
But yes: The Powerful and The Establishment are getting their buts kicked and are paranoid.
And The World's Richest Man can't keep his smartphone secure.
Just ponder that for a few minutes.
Getting their butts kicked? They're get more rich and more powerful, every yearly stat shows it. That is *despite* whatever leak and 'scandal'. No consequence came out of the revealing of their crimes. Also, Vladimir Putin is the richest man on the planet and it seems he kept his shit protected and mostly secret until now.
@zeh Butts kicked in the sense that they cannot control access to devices or exposure of data.
They're susceptible as anyone, largely.
Yes, that may be, but the larger point is that they may be technically vulnerable but not otherwise, not in terms of power. Exposure is not significant to rich people because of their power, they are not impacted much, they do not suffer consequences.
@thegibson But generally, the powerful have, well, _power_:
- Financial wealth that can be deployed on short notice. 40% of Americans can't cover a $400 emergency expense. Facebook's purchase of WhatsApp for $19 billion *in cash* compares against 40 million Californians * $400 or $16 billion. One person controls more purchasing power than 40 millions of the public.
- Political clout. "Wealth, as Mr Hobbes says, is power", wrote Adam Smith in 1776. It's not a direct conversion, ...
@thegibson ... but money buys representation, laws, treaties, embassadorships, and occasionally favours, court cases, and other elements.
- Though state and business power are often portrayed as independents, sometimes opposites, the truth is that they often work together.
There are companies with, or at times (Academi, formerly Xi, formerly Blackwater) _as_ military forces. Companies can drive prosecutions (Aaron Swartz, Jackson Games). They have greater access to courts.
@thegibson And often can bypass courts entirely through binding arbitration "agreements" (take-it-or-leave-it conditions, changed at will).
And they've got computers.
Their unit for computing power is the acre (or hectare).
You have a smartphone. Facebook has at least a dozen datacentres, totalling over 15 million square feet (344 acres, 140 hectares, 1.4 km^2, over half a square mile).
Google has 19, with over 2.5 million servers (2016).
Amazon: 22 regions, 69 availability zones.
@dredmorbius @thegibson However they are also in possession of the lie that predictive models can encapsulate all of human behavior, and that 'big data' can substitute for sociology, psychology, history, tactical thought, and generally the entire of human tradition. Mere computation power can only undo human power if humans are willing to remain predictable.
A bunch of technomancers in the fediverse. Keep it fairly clean please. This arcology is for all who wash up upon it's digital shore.