Invasion of the Data Snatchers: Big Data and the Internet of Things Means the Surveillance of Everything
& Matthew Harwood, Managing Editor, ACLU
This piece originally ran at TomDispatch.com.
Estimates vary, but by 2020 there could be over 30 billion devices connected to the Internet. Once dumb, they will have smartened up thanks to sensors and other technologies embedded in them and, thanks to your machines, your life will quite literally have gone online.
The implications are revolutionary. Your smart refrigerator will keep an inventory of food items, noting when they go bad. Your smart thermostat will learn your habits and adjust the temperature to your liking. Smart lights will illuminate dangerous parking garages, even as they keep an "eye" out for suspicious activity.
Techno-evangelists have a nice catchphrase for this future utopia of machines and the never-ending stream of information, known as Big Data, it produces: the Internet of Things. So abstract. So inoffensive. Ultimately, so meaningless.
A future Internet of Things does have the potential to offer real benefits, but the dark side of that seemingly shiny coin is this: companies will increasingly know all there is to know about you. Most people are already aware that virtually everything a typical person does on the Internet is tracked. In the not-too-distant future, however, real space will be increasingly like cyberspace, thanks to our headlong rush toward that Internet of Things. With the rise of the networked device, what people do in their homes, in their cars, in stores, and within their communities will be monitored and analyzed in ever more intrusive ways by corporations and, by extension, the government.
And one more thing: in cyberspace it is at least theoretically possible to log off. In your own well-wired home, there will be no "opt out."
You can almost hear the ominous narrator's voice from an old "Twilight Zone" episode saying, "Soon the net will close around all of us. There will be no escape."
Except it's no longer science fiction. It's our barely distant present.
"[W]e estimate that only one percent of things that could have an IP address do have an IP address today, so we like to say that ninety-nine percent of the world is still asleep," Padmasree Warrior, Cisco's Chief Technology and Strategy Officer, told the Silicon Valley Summit in December. "It's up to our imaginations to figure out what will happen when the ninety-nine percent wakes up."
Yes, imagine it. Welcome to a world where everything you do is collected, stored, analyzed, and, more often than not, packaged and sold to strangers -- including government agencies.
In January, Google announced its $3.2 billion purchase of Nest, a company that manufactures intelligent smoke detectors and thermostats. The signal couldn't be clearer. Google believes Nest's vision of the "conscious home" will prove profitable indeed. And there's no denying how cool the technology is. Nest's smoke detector, for instance, can differentiate between burnt toast and true danger. In the wee hours, it will conveniently shine its nightlight as you groggily shuffle to the toilet. It speaks rather than beeps. If there's a problem, it can contact the fire department.
The fact that these technologies are so cool and potentially useful shouldn't, however, blind us to their invasiveness as they operate 24/7, silently gathering data on everything we do. Will companies even tell consumers what information they're gathering? Will consumers have the ability to determine what they're comfortable with? Will companies sell or share data gathered from your home to third parties? And how will companies protect that data from hackers and other miscreants?
The dangers aren't theoretical. In November, the British tech blogger Doctorbeet discovered that his new LG Smart TV was snooping on him. Every time he changed the channel, his activity was logged and transmitted unencrypted to LG. Doctorbeet checked the TV's option screen and found that the setting "collection of watching info" was turned on by default. Being a techie, he turned it off, but it didn't matter. The information continued to flow to the company anyway.
As more and more household devices -- your television, your thermostat, your refrigerator -- connect to the Internet, device manufacturers will undoubtedly follow a model of comprehensive data collection and possibly infinite storage. (And don't count on them offering you an opt-out either.) They have seen the giants of the online world -- the Googles, the Facebooks -- make money off their users' personal data and they want a cut of the spoils. Your home will know your secrets, and chances are it will have loose lips.
The result: more and more of what happens behind closed doors will be open to scrutiny by parties you would never invite into your home. After all, the Drug Enforcement Administration already subpoenas utility company records to determine if electricity consumption in specific homes is consistent with a marijuana-growing operation. What will come next? Will eating habits collected by smart fridges be repackaged and sold to healthcare or insurance companies as predictors of obesity or other health problems -- and so a reasonable basis for determining premiums? Will smart lights inform drug companies of insomniac owners?
Keep in mind that when such data flows are being scrutinized, you'll no longer be able to pull down the shades, not when the Peeping Toms of the twenty-first century come packaged in glossy, alluring boxes. Many people will just be doing what Americans have always done -- upgrading their appliances. It may not initially dawn on them that they are also installing surveillance equipment targeted at them. And companies have obvious incentives to obscure this fact as much as possible.
As the "conscious home" becomes a reality, we will all have to make a crucial and conscious decision for ourselves: Will I let this device into my home? Renters may not have that option. And eventually there may only be internet-enabled appliances.
The minute you leave your home, the ability to avoid surveillance technologies masquerading as something else will, if anything, lessen.
Physical sensors connected to the Internet are increasingly everywhere, ready to detect a unique identifier associated with you, usually one generated by your smartphone, then log what you do and leverage the data you generate for insight into your life. For instance, Apple introduced iBeacon last year. It's a service based on transmitters that employ Bluetooth technology to track where Apple users are in stores and restaurants. (The company conveniently turned on Bluetooth by default via a software update it delivered to Apple iPhone owners.) Apps that use iBeacon harvest a user's data, including his or her location, and sometimes can even turn on a device's microphone to listen in on what's going on.
Another company, Turnstyle Solutions Inc., has placed sensors around Toronto that surreptitiously record signals emitted by WiFi-enabled devices and can track users' movements. Turnstyle can tell, for instance, when a person who visited a restaurant goes to a bar or a hotel. When people log on to WiFi networks Turnstyle has installed at area restaurants or coffee shops and check Facebook, the company can go far beyond location, collecting "names, ages, genders, and social media profiles," according to the Wall Street Journal.
The rationale for apps that track where you are is that business owners can use the data to tailor the customer experience to your liking. If you're wandering around the male grooming section of a particular retailer, the store could shoot you a coupon to convince you to purchase that full body trimmer that promises a smooth shave every time. If customers enter Macy's and zig right more often than left, the store can strategically place what's popular or on sale in those high-traffic areas. This is basically what's happening online now, and brick and mortar stores want in so they can compete against the Amazons of the world.
Not so surprisingly, however, such handy technology has already led to discriminatory behavior by retailers. About a year ago, an investigation by the Wall Street Journal found that prices quoted by online retailers like Staples and Home Depot changed based on who the customer was. People who lived in higher-income areas generally received the best deals, which is a form of digital redlining. In the future, count on brick and mortar stores to do the same thing by identifying your phone, picking up data about you, and pricing items according to just how juicy a customer they think you may be.
To be able to do this, retailers need companies that can provide rich data about our lives. That's where a group of pioneering companies in the new universe of customer surveillance called data aggregators come in. Already a multibillion-dollar industry, aggregators like Acxiom, Experian, and Datalogix buy customer data from wherever they can -- banks, travel websites, retailers -- and turn it into Big Data. Then they analyze, package, and sell it to third parties. "Our digital reach," said Scott Howe, CEO of the largest data aggregator, Acxiom, "will soon approach nearly every Internet user in the U.S."
Last December, the Senate Commerce Committee investigated the business practices of the nine largest data aggregators: what information they collect, how they obtain it, their invasiveness, and who they sell it to. The committee found that these companies collect information ranging from the relatively mundane to the incredibly sensitive, including names and addresses, income levels, and medical histories. They then sell it off without giving serious consideration to what the buyers might do with it.
In the process, you could find yourself categorized as part of a group of "Mid-Life Strugglers: Families" or "Meager Metro Means" or "Oldies but Goodies," which aggregator InfoUSA described as "gullible" people who "want to believe their luck can change." Think of it as high-tech commercial profiling of the most exploitative sort.
The result is the creation of a twenty-first century permanent record of your very own, which you are unlikely to ever be able to see because, as the Senate report warned, the industry operates under "a veil of secrecy" with little or no regulation. "Three of the largest companies -- Acxiom, Experian, and Epsilon -- to date have been similarly secretive with the committee with respect to their practices, refusing to identify the specific sources of their data or the customers who purchase it."
Congress's watchdog, the Government Accountability Office, reviewed U.S. privacy law and found that citizens generally do not have the right to control the scope of information collected about them or limit its use, even when it pertains to their health or their finances. And if the information is incorrect -- something you might never find out -- there's no U.S. law that requires data aggregators to correct it.
Paul Ohm, a policy advisor to the Federal Trade Commission, calls these immense troves of personal information "databases of ruin." He worries that, over time, these databases will include new waves of data -- maybe from your conscious home or location information from commercial sensors -- and so become ever more consolidated. Soon, he fears, "these databases will grow to connect every individual to at least one closely guarded secret. This might be a secret about a medical condition, family history, or personal preference. It is a secret that, if revealed, would cause more than embarrassment or shame; it would lead to serious, concrete, devastating harm."
Sooner or later, with smart devices seamlessly using sensors and Big Data provided by data aggregators, it will be possible to pick you out of a crowd and identify you in complex ways in real time. If intelligent surveillance cameras armed with facial recognition technology have access to social media profiles as well as the information stored by data aggregators, a digital dossier of your life could be called up on-demand whenever your face is recognized. Imagine the power retailers and companies will exert over your life if they not only know who you are and where you are, but what your weaknesses are -- whether that's booze, cigarettes, or the appealing mortgage rate with the sketchy small print. Are we looking at a future where the car salesman really does know what he has to do to put us in that car?
Big Data is creating the possibility of a far more entrenched, class-based surveillance society that discriminates using our perceived successes and preys on our weaknesses.
The Great Outdoors
Recently, Newark Liberty International Airport upgraded lighting fixtures at one of its terminals to a more eco-friendly alternative known as LEDs. It turns out, however, that energy efficiency wasn't the only benefit of the purchase. The fixtures also double as a surveillance system of cameras and sensors that the Port Authority of New York and New Jersey is using to watch for long lines, identify license plates, and -- its officials claim -- spot suspicious behavior.
With all the spying going on these days, this may not seem particularly invasive, but don't worry, the manufacturers of such systems are thinking much bigger. "We see outdoor lighting as the perfect infrastructure to build a brand new network," said Hugh Martin, CEO of Sensity Systems, a Sunnyvale, California-based company interested in making lighting smart. "We felt what you'd want to use this network for is to gather information about people and the planet."
Pretty soon, just about anywhere you are, when you look up at that light pole, it is likely to be looking back down at you. Or into your home or car.
Other surveillance technologies are heading for the heavens. Persistent Surveillance Systems has developed a surveillance camera on steroids. When attached to small aircraft, the 192-megapixel cameras record the patterns of the planetary life they fly over for hours at a time. According to the Washington Post, this will give the police and other customers a "time machine" they can simply rewind when they need it. Placed strategically at the highest points of any town or city, these cameras could provide the sort of blanket surveillance that's hard to avoid. The inventor of the camera, a retired Air Force officer, helped create a similar system for the city of Fallujah, the site of two of the most violent battles of the U.S. occupation of Iraq. It's just one example of how wartime surveillance technologies are returning home for "civilian use."
Private surveillance technology is also destroying one of America's iconic freedoms: the open road. License plate readers are proliferating across America. These devices snap a picture of every passing car. One company, Vigilant Solutions, already holds 1.8 billion license plate records in its data warehouse, known as the National Vehicle Location Service (NVLS). Anyone with access to this information could easily find out where a person has driven simply by connecting the plate to the car owner. And keep in mind that it's up to the companies gathering them to determine just who can access the information -- data of immense interest to private investigators and anyone else curious to track another person's movements.
Like many businesses that trade in Big Data or construct massive databases, Vigilant is in regular contact with government agencies craving access to its meaty stores of information.
If You Build It, They Will Come
In February, the Department of Homeland Security's Immigration and Customs Enforcement (ICE) put out a solicitation to obtain access to a private license plate reader database for the purpose of "locating criminal aliens and absconders." ICE claims that it wants to enhance officer safety by making it easier to arrest suspects away from their homes. When the mainstream media took notice and privacy advocates like the ACLU objected, new Homeland Security Secretary Jeh Johnson pulled the plug on the project.
A big win? Don't count on it, because police departments already have easy access to commercial license plate repositories. In the past, Vigilant has, for instance, allowed ICE to test its service free of charge. Police often pony up the cash to access such databases. As a quick experiment, go to Vigilant's NVLS registration page, click on the drop-down menu beside "Agency name," and scroll down. Trust us, you'll get bored by the staggering list of police departments before you reach the bottom.
Which brings us to an axiom of our digital age: law enforcement will exploit any database built, if it makes it easier to figure out what the rest of us are up to. Lucky for them, there's a wealth of data out there and available. Experian, one of the largest data aggregators, told the Senate Commerce Committee that "government agencies" regularly purchase information from them.
Often, those agencies don't even have to pay for the privilege of accessing our data. In many cases, such an agency can simply issue its own subpoena (not seen by a judge) and compel companies to turn over our sensitive data. The culprit here is known as the "third party doctrine," which some courts have aggressively (and wrongly) interpreted to mean that any information disclosed to a third party isn't really private.
The danger of the rise of Big Data and the Internet of Things is straightforward enough. Whenever data is perpetually generated, collected, and stored, the result is going to be a virtual ATM of user information that government agencies can withdraw from with ease. Last year, for instance, local, state, and federal authorities issued 164,000 subpoenas to Verizon and more than 248,000 subpoenas to AT&T for user information, while issuing nearly 7,500 subpoenas to Google during the first half of 2013.
The Internet of Things means that, soon enough, the authorities will have yet more ways to learn yet more about us.
Big Data, Little Democracy?
Here are two obvious questions for our surveillance future: Who controls the data generated by our devices? Without doing anything except buying and installing them, do we somehow consent to having every piece of data they generate shared with Big Business and sometimes Big Brother? No one should have to isolate themselves from society and technology in the ascetic mold of Henry David Thoreau -- or more ominously, Ted Kaczynski -- to have some semblance of privacy.
In the future, even going all Jeremiah Johnson might not have the effect intended, since law enforcement could interpret your lack of a solid digital footprint as inherently suspicious. This would be like a police officer growing suspicious of a home just because it was all dark and locked up tight.
When everything is increasingly tracked and viewed through the lens of technological omniscience, what will the effect be on dissent and protest? Will security companies with risk assessment software troll through our data and crunch it to identify people they believe have the propensity to become criminals or troublemakers -- and then share that with law enforcement? (Something like it already seems to be happening in Chicago, where police are using computer analytic programs to identify people at a greater risk of violent behavior.)
There's simply no way to forecast how these immense powers -- disproportionately accumulating in the hands of corporations seeking financial advantage and governments craving ever more control -- will be used. Chances are Big Data and the Internet of Things will make it harder for us to control our own lives, as we grow increasingly transparent to powerful corporations and government institutions that are becoming more opaque to us.