Transcriber: Mohand Habchi
Reviewer: Denise RQ

My name is Christopher Soghoian,
and I'm a privacy researcher. In particular, I study the surveillance state
that we now live in. Not exactly the theme
that's happened today. If you look in Hollywood movies,
cop shows on TV, we see a single vision of surveillance. We see surveillance
as a labor-intensive task for the police. So imagine a police officer
climbing a telephone pole to attach a couple of wires to get to intercept
a particular phone line. Or you know, the image of an FBI agent
hunched over a pair of headphones, in an unmarked van
parked outside someone's home, listening to the conversations
that are occurring inside. And certainly, that did happen
a few years back, but that's not the way
modern surveillance works. Modern surveillance, for the most part, now occurs in the comfort
of an air-conditioned room, at a comfy desk, a nice chair, and the surveillance itself is performed
with a few keystrokes, someone is typing away at a keyboard. Whose fingers are behind the keyboard? It's not the police. In fact, it's employees
working for the companies to whom we entrust our private data: Search engines, social networking sites,
and telephone companies whose products we keep
in our pockets at all times. These companies have teams that do nothing but respond
to government surveillance requests. Sprint, the third largest
telephone company in the United States, has more than 110 employees, who do nothing other than respond
to surveillance requests. Facebook has 25 employees. The Senate Select Committee
on Intelligence, in 2007, said that electronic surveillance
depends in great part on the cooperation
of the private companies that operate the Nation's
telecommunication system. Our modern surveillance state
wouldn't be possible without the willing assistance
of these companies. We are spied on because they help. The Seventh Circuit Court of Appeals
noted just a few years ago, that technological progress
poses a threat to privacy, by enabling an extent of surveillance that in earlier times,
would have been prohibitively expensive. What does this mean? 10 to 15 years ago, if the FBI had wanted to tail someone, had to watch where
they're going 24 hours a day, they would have needed
a team of 10, 15, 20 agents. The person who is driving
around their car, you need a few vehicles, with a few agents
to each one, tailing the suspects. Every few minutes,
the vehicles have to change, so that when you're looking
in the rear-view mirror, you don't notice the same vehicle
following you at all times. 24 hour surveillance requires
24 hour surveillance teams. That's a lot of agents,
that's a lot of salaries. And the FBI has limited resources. And so in the days
of scarce surveillance resources, the government had to figure out
who was a high priority for surveillance. That's no longer the case. Modern surveillance
is cheaper and more efficient. And why not, technology companies make everything
more efficient and everything cheaper. Now, today, a police officer
from the comfort of his desk, can monitor 200 or 300 individuals'
location, in real time, with services provided
by the communications companies. Sprint, for example, offers a website where law enforcement can log in
and pay 30 dollars a month for unlimited access to an individual's
real time GPS location information. In 2009, Sprint revealed that in the one year
since the website has been set up, it's been used 8 million times. So Verizon, a large telephone company,
one of the largest ones in the country, they revealed in 2007 that they get 80,000 requests a year
from law enforcement agencies. But most companies
actually don't provide any data. Verizon wrote this
in a letter to Congress. Google is probably the most transparent
company in the industry, and for that we should thank Google. So when you get home to your computers,
look for Google's transparency report, it's a website that they've set up that
provides aggregate detail information, breaking down surveillance
requests every six months, showing how many they get from
law enforcement and different countries, which requests they turn down or approve. So Google is great. So we know from this that they get
about 12,000 requests a year in the US. But most companies
don't provide this level of data, or in fact, any data at all. And because of this, most surveillance
occurs below the radar. We simply have no idea
how much is occurring, although, experts estimate that there are at least a few hundred thousand requests
a year made in the United States. One thing you really need to understand
is that the way the US law is written, companies cannot refuse to comply
with a surveillance request. If the request is valid, if it's a valid court order,
if it's a valid subpoena, companies must give your data
to the government. There's nothing they can do. Now, some companies lean more
towards protecting users' privacy, and some companies
lean more towards providing loyal assistance to the government. But all companies must hand
your data over to the government. When the request comes in,
the data goes out. But companies
do have flexibility in other areas. So they have to respond to the requests, but the kinds of data that they keep
and the other things that they do are things that they control. And so, some companies in fact,
have very different practices, with regard to the way in which they protect your privacy
or don't protect your privacy. Unfortunately, you won't find this out
by visiting the companies' websites. There're big differences between the telephone companies,
between the search engines, between the email services,
and the social networks, and they don't compete
on their privacy practices. One of the best ways
the companies can protect their users is through transparency. So while companies are obligated to give your data to the government
when the government asks, they have the freedom to tell you about
many of the requests that they get. Not all companies tell users. In fact the norm in the industry is to not tell users
about requests for their data. Twitter and Google, in this regard,
are actually unique. Both companies have established policies
that whenever possible, whenever they're permitted
to do so by law, they will tell their users about requests, oftentimes, before they hand
the data over to the government, thus giving the user the opportunity to hire a lawyer
and try to contest the order, if they think that maybe
it's inappropriate. Most companies don't have these policies, and for this, we should thank
Google and Twitter. Because they're really doing something
that is not required of them by law. In January of 2011, the media reported that Twitter had received
the requests for information about three individuals associated
with the WikiLeaks organization. For those of us who study surveillance
and are interested in this topic, the fact that Twitter
is receiving requests isn't news. This company receives hundreds
if not thousands of requests a year from law enforcement agencies
around the world. What was interesting here
is that the request was sealed. The judge who had issued
the order to Twitter, had sealed it. Which meant that Twitter was prohibited
from telling the users about the request. In this case, Twitter hired
a very expensive outside counsel, and got the lawyers to ask
the government to unseal the order. The lawyers made a convincing case,
the order was unsealed by the judge, and then Twitter was free to tell
the 3 WikiLeaks-associated individuals. Those people themselves hired lawyers, tried to fight the request,
and that matter is ongoing. In October of 2011, we also learned that Google
and a small California ISP named Sonic, a provider of broadband service, had also received requests, court orders,
as part of the same investigation. Now the details were a little bit unclear, but it seems like Google also asked
the government to unseal the order, but in Google's case, they were not able to convince
the government or the judge. So that order remained sealed. In fact, the only reason
we know about these orders is because of anonymous sources who provided information
to the Wall Street Journal. So, most companies do not tell users about government requests
for their users' data. They could, but they choose to not do so. I think some would think
that it might alarm users, it might give consumers a reason to not
trust the companies with their data. And after all, maybe we shouldn't,
maybe we shouldn't trust these companies, if there's nothing they can do to stop our data from ending up
in the government's hands. And so in this regard, Google
and Twitter are transparency leaders. They're going beyond the call of duty. They're doing far more
than is required of them by law. But even in these cases,
the government still gets the data. Even though Google can tell you
about the requests they receive, they're still forced to hand
the data over after they tell you. In the case of the WikiLeaks order
and Twitter, the individuals' information eventually made it into the hands
of the Department of Justice. No number of lawyers could shield
the data from the government's fingers. There are ways to protect users, more comprehensive ways
to protect users, and the best way to protect users is
to not keep the data in the first place. Companies that do not keep data
have nothing to hand over when the government comes
asking for it later. But most companies keep users' data. Most companies keep
huge amounts of users' data. In fact, the trend in Silicon Valley
is to keep as much data as possible, just in case you can figure out
how to monetize it later. So Google keeps detailed records
of who you are, what you're searching for,
and where you're searching from. And they keep that information
for 18 months at the bare minimum, and then they modify some portions of it, and then keep the remaining bits
for much greater periods of time. Bing, which is Microsoft's search engine, keeps that same data
for at least six months. Twitter keeps records
of where you're tweeting from, for a period of up to 18 months. Now the company is a little vague
with their actual data retention period. I think it's a few months, but in their privacy policy,
they set it up to 18 months. And Facebook is entirely vague
about what they keep. Probably they keep it
for a significant period of time. But these companies keep our private data that will eventually make its way
into the government's hands. Why? Because the dominant
business model in Silicon Valley is to provide free services to consumers in exchange for their personal
and private information. These companies give us
fantastic social networking services, free email, web browsers,
and other software, and in exchange, they collect
our data, and they monetize it. They have these black boxes,
whether it's behavioral advertising, whether it's detailed dossiers
on individual consumers, whether it's analytics, the dominant model in Silicon Valley is
user's data goes in, profits go out. This is the norm. Most big companies have adopted this, and many startups
think this is the way forward. These business models, at their very core,
are fundamentally incompatible with strong privacy protections
from the government. If you keep data for purposes
of data mining and analytics, there's nothing you can do to stop when the government
comes and asks for it later. So companies have to choose. They have to choose privacy
or the business model. Google has made this choice. And does this mean that Google is evil? Google has chosen keeping, monetizing,
and mining user data over privacy. I don't think this makes Google evil. But I do think we have to acknowledge
that they've made a conscious choice, and that their business model won out. This isn't the only business model though. Other business models
can protect user privacy. This is a photo of a street
in my town in Washington DC, this is just a few blocks away from me, and this is a storefront
run by a phone company called Cricket. Cricket is a prepaid provider
of telephone service that targets largely urban markets. They target people
who don't have credit histories, who just want telephone service
without any surprises. I don't work for Cricket, and the reason
I'm even mentioning them is that the American Civil Liberties Union just got 5,000 pages of documents back,
from a Freedom of Information Act request - actually several requests - detailing the surveillance
practices of many forms. And the information provided by Cricket
was really eye-opening. Cricket keeps no records
about the numbers that you dial, or the numbers of people who call you. Cricket keeps no information
about the text messages that you send, or at least the content
of the text messages that you send. And Cricket keeps no records
of the IP addresses given to you that would detail what you do online and allow others to link your activities
on the web to your mobile phone. Cricket keeps the bare minimum necessary
to provide you with telephone service. Now this is not the norm. The norm in the telephone industry
is to keep lots and lots of data. So as an example, AT&T keeps records
of who you call and who calls you for between five and seven years. Many telephone companies also keep
detailed records of where you've been. Historical location information about
the towers that your phone connected to for a period of several years. And so the norm in the telephone industry
is to keep data, but they don't need to. In fact, when you pay
for service with money, that company doesn't need to go
and find other ways to pay their bills. When you pay 50 dollars a month,
or 100 dollars a month, that service doesn't need
to engage in data mining, they don't need to engage in analytics, their bills are paid,
they can pay their employees, they can return a profit
to their shareholders. The monthly bill that you pay them, enables them to protect
your privacy if they wish to do so. Now, of course, this doesn't mean that paying for a service
automatically leads to privacy protection. After all, AT&T famously illegally shared
its customers' information with the National Security Agency, as part of the warrantless
wiretapping program. Many phone companies
are truly in bed with the government. And so just because you pay
a monthly telephone bill, doesn't mean you get privacy protections. But paying for a service can enable
a company to protect your privacy if they wish to do so. With free services, the ad-supported services,
the data mining supported services, there will always at the end of the day, be a clash between privacy
and the business model. And privacy never wins. If we want privacy from these companies,
we have to start paying for it. Thank you very much. (Applause)