The Third Front in the Surveillance "War"

The other day, I blogged about what can happen when we turn over our privacy to government for (ha ha) our "security."

This implies a sort of contractual relationship between citizens and government, analogous (say) to the contract we enter into regarding tax payments. We make something of ours available to the government, in exchange for which the government provides us (or so we trust) with certain services which we can't accomplish on our own, as individuals.

When it comes to Federal income taxes, we ourselves, by and large, do not do all the hard work of figuring out how much we owe, and then actually paying taxes. This is inevitable, I guess, given the complexities of the tax code(s). Instead we turn over responsibility for those two activities to outside parties:

• Our employers do automatic tax withholding through their payroll systems, based on information we provide them about marital status, dependents, whatever.
• If we prepare our own tax returns, we purchase tax-preparation software (e.g. TurboTax and its ilk) in whose development we ourselves played no part.
• And of course, we can simply punt, turning the tax-return preparation over to individual or corporate tax professionals (e.g., CPAs, H&R Block).

Something similar happens with our privacy: very few of us run our own mail servers or host our own Internet domain. Instead, we turn over those activities to paid professionals -- ISPs -- who in exchange for our monthly payments, agree to keep us as anonymous as we want.

(Note, too, that even those who maintain their own servers and/or domains aren't wholly exempt from this network of trust. By definition, if they choose to participate in the public Internet they will be using infrastructure -- cable, routers, NAPs, satellites -- provided by someone, somewhere along the line, in a position to intercept their online communications.)

Just about every ISP, though, includes a disclaimer in their contracts, providing for exceptions in law-enforcement cases. Even if they agree not to turn our transactions over to legal authorities without a warrant, when presented with a warrant they will pretty much* all roll over and comply.

An article in today's New York Times describes what can happen, all too easily, as a result of an ISP's "compliance" with a criminal investigation's requirements:

A technical glitch gave the F.B.I. access to the e-mail messages from an entire computer network — perhaps hundreds of accounts or more — instead of simply the lone e-mail address that was approved by a secret intelligence court as part of a national security investigation, according to an internal report of the 2006 episode.

F.B.I. officials blamed an “apparent miscommunication” with the unnamed Internet provider, which mistakenly turned over all the e-mail from a small e-mail domain for which it served as host. The records were ultimately destroyed, officials said.

Bureau officials noticed a “surge” in the e-mail activity they were monitoring and realized that the provider had mistakenly set its filtering equipment to trap far more data than a judge had actually authorized.

...an intelligence official, who spoke on condition of anonymity because surveillance operations are classified, said: “It’s inevitable that these things will happen. It’s not weekly, but it’s common.”

Let's set aside for a moment all the conspiracy-theory musings on whether or not "the records were ultimately [actually] destroyed." Even if the FBI or other agencies are utterly blameless in this regard, the problem remains the same: your information online is never -- can never be -- entirely yours, end to end. You can take various precautions, depending on your level of paranoia and technical acumen and on how much convenience you're willing to give up. You can use overseas anonymizers; you can encrypt everything; you can run anti-keyboard-sniffing utilities; you can employ all sorts of even more exotic countermeasures, like steganography, to keep your information from being readily useful to unknown third parties (including government) should it fall into their hands by accident or intention.

But you cannot stop it from falling into their hands. If you don't want anyone else -- or even a particular someone else -- to know what you're doing online, the only measure you can take with 100% confidence it will work is... don't do it online.


* I myself don't know of any exceptions, at least for domestic ISPs. The "pretty much" is thus just a CYA qualifier.