The chasm between technology and the law continues to widen. On one side are massive stores of personal data maintained by the Internet services we use and the sophisticated analysis tools the companies apply to monetize that data. On the other are privacy advocates groping for legal protections against misuse of that private data -- by government agencies and businesses alike.
Regardless of where you stand on the freedom vs. security debate, one fact is clear: The disclosure of U.S. government surveillance programs has destroyed any remaining expectation of online privacy.
Not to say that there was ever much of a reasonable expectation that our Internet activities are confidential. In her opening remarks at a symposium on Internet privacy held back in 2000, Privacy Rights Clearinghouse Director Beth Givens identified "large gaps" in legal protections for sensitive personal data.
Three critical issues identified by Givens more than 13 years ago have only become more serious as the Internet's role in our lives has grown: confusion about what information is and isn't protected; lack of disclosure about how organizations use the personal data they collect; and the free rein industry exercises over the use of consumer data.
The delicate balance between civil liberties and security
The results of a Pew Research survey on Internet privacy conducted earlier this month -- after the U.S. National Security Agency's PRISM surveillance program was revealed -- indicate a turning point in public sentiment about the government's snooping on its own citizens.
For the first time since the organization began asking the question in 2004, more respondents believe the government has gone too far in restricting civil liberties (47 percent) than believe the government hasn't done enough to protect the country from terrorism (35 percent). In October 2010, 47 percent of respondents indicated they felt the government hadn't done enough to fight terrorism and 32 percent reported the government had gone too far in restricting civil liberties.
However, half of the 1,480 U.S. citizens polled in the recent Pew Research survey approve of the government's surveillance of Internet and telephone data to combat terrorism, while 44 percent disapprove. At the same time, 70 percent of the respondents believe the government uses the data for more purposes than anti-terrorism.
Even before news of the government's telephone and Internet surveillance broke, most U.S. citizens thought their telephone calls, e-mails, and other Internet communications were available to government, business, and individuals to access without their consent. An Allstate/National Journal Heartland Monitor poll (PDF) conducted days before the government's surveillance program was disclosed found that 85 percent of respondents believe their communication history is accessed without their consent (58 percent "very likely" and 27 percent "somewhat likely").
The Heartland Monitor survey found that 48 percent of respondents have "some" or "a great deal" of trust in how the government uses their personal data; the same percentage trust the way their personal data is used by their cell phone service and Internet service provider.
When asked about the overall impact of personal data collection, 55 percent of respondents to the Heartland Monitor poll said the practice is "mostly negative," while 38 percent consider the data collection "mostly positive."
Internet communications and data fall outside Constitutional protections... maybe
By now, it is unreasonable for any Internet user to expect that their online activities are confidential. As long ago as May 2009 Internet security analyst Bruce Schneier explained that we have given up control over our personal data online to the Internet services we patronize.
Until the U.S. Supreme Court rules that reading a personal e-mail at an ISP is subject to the same Fourth Amendment warrant protections as tapping a telephone conversation at the telecom's switch, those messages are available on demand -- no warrant required.
(Whether Internet services acquiesce to warrantless requests for customers' personal data is anyone's guess. The Electronic Frontier Foundation's Who Has Your Back? scorecard lists the Internet services that go to bat for their customers when the users' privacy is threatened.)
Earlier this month, CNET's Charles Cooper reported on the request by Apple, Facebook, Google, Microsoft, Yahoo, and dozens of other tech companies, non-profits, and trade associations for more transparency in government national-security requests for personal data about the people using Web services.
Re-establish your expectation of Internet privacy
EFF's Surveillance Self-Defense project explains on its Reasonable Expectation of Privacy page that when you share personal information with a third party, you no longer have a reasonable expectation of privacy. So even if you make your Facebook profile private, for example, you've shared the information with Facebook and thus have waived your privacy expectation.
(For instructions on adjusting Facebook's privacy settings, see "Five-minute Facebook security checkup" from July 2012.)
The Privacy Rights Clearinghouse's extensive fact sheet on Internet privacy provides a soup-to-nuts look at Internet privacy threats and ways to avoid and overcome them. Of particular note are the page's explanation of the many loopholes in the Electronic Communications Privacy Act, and the power government agencies wield under the USA Patriot Act.
You may think that you have no choice but to expose your personal data by using the big-name Internet services that are known to supply the government with personal information about their users. With some effort, you can sign up for privacy-respecting alternatives to Google, Apple, Microsoft, Facebook, and Yahoo for e-mail, search, social networking, and other Web services.
The PRISM Break site describes companies that promise to secure your private data. Among the security-minded products and services listed are open-source operating systems, virtual environments, Web browsers, browser add-ons, search engines, maps, e-mail, messaging, cloud storage, social networks, VPN clients, collaboration services, online-transaction services, DNS providers, and Web servers.
The site's disclaimer states that using the services it lists is no guarantee that your data won't be shared without your consent or knowledge. In fact, there is no such guarantee anywhere on the Internet. The only way to ensure your private data will remain private is to keep it off the Internet, preferably encrypted on your home computer (where Fourth Amendment protections apply) or an external storage device over which you exercise complete control.
You can improve your privacy by encrypting your Internet connection via the free HTTPS Everywhere browser add-on from the Tor Project and the Electronic Frontier Foundation (available for Firefox and Google Chrome). However, the data you store on a Web service's servers may not be encrypted.
In a post from last May I described the free BoxCryptor service that encrypts files stored on Google Drive, SkyDrive, DropBox, and other cloud storage services. BoxCryptor is available for Windows, the Mac OS, Android, and iOS.
Earlier this month CNET's Declan McCullagh reported on Google's experimentation with encryption for its Google Drive service in response to attempts by U.S. and other governments to access users' files.
Even if the act of encrypting your e-mail, the files you store online, and other personal data doesn't prevent official snoops from accessing it, at least you've established an intent to protect your privacy. The alternative to encrypting your personal information is acknowledging that your online information and communications are subject to release on demand.