what happens when we forget who should own the data: PRISM

Heard about PRISM? Supposedly, the NSA has direct access to servers at major Internet companies. This has happened before, e.g. when Sprint provided law enforcement a simple data portal they could use at any time. They used it 8 million times in a year. That said, the scale of this new claim is a bit staggering. If the NSA has access to these 9 companies’ data, it has access to every American Citizen’s complete life.

what’s really happening?

I think we don’t know yet what’s happening.

I’m dubious that NSA has direct access to servers at Google, Facebook, Apple, etc. Those companies have strongly denied the claim, and I have trouble believing this happened on a large scale for years without someone at those companies leaking the information.

Might NSA be tapping all network traffic? Yeah, that’s probable. Might NSA have the facility to decrypt the encrypted traffic? For targeted searches, yeah, I believe that. For broad-scale searching across all traffic? I’m not so sure. It could be happening, but that would be tremendous, hard-to-fathom news.

I could be wrong here. Companies might be cooperating and lying about it. NSA might be eons ahead of what we expect in terms of computing capability and cryptographic breakthroughs. This is just my gut instinct.

is this okay?

So, let’s assume it is happening. Is it okay? Hell no it isn’t. There is no doubt in my mind that user data, whether stored in a lockbox in my home or on a server in Oregon, should first and foremost belong to me, and be covered by the same Constitutional protections as my home and private belongings. It is high time for the law to catch up, for a digital due process. Blanket surveillance, warrantless private data capture or seizure, are unacceptable, and should be revolting to anyone who cares about freedom and democracy.

lessons for technologists

I deeply believe that one should first look at one’s own actions before blaming others. And I think we, technologists, have some blame to shoulder.

We’ve let our guard down when it comes to user data ownership. We’ve made it increasingly acceptable to collect user data and make decisions about how best to use it without involving the user much. We’ve often allowed the definition of “using data for the user’s benefit” to loosen.

In other words, where user data ownership in the cloud was murky to begin with, we’ve made it murkier.

Unlike some of my colleagues, I don’t believe we can simply forgo the Cloud or use end-to-end encryption. Encryption cannot be layered on without consequences. You cannot provide the value that users want without some centralization of data and services.

But we can take a stronger stance against companies that abuse users’ trust and treat the data as their own rather than the user’s. We can set an example. We can state clearly that when we collect data, we do it with care, we do it for a clear purpose, and we allow the user to leave as easily as possible, removing traces of their data as best we can.

We can set the example that the user’s data, whatever server it’s on, belongs, by principle, to the user. And then we can and should ask our government to live up to the same standard.