by Marc Goodman
Increasingly, more and more teachers and school districts are demanding this information from students as well, without warrant of course. That’s what happened to a twelve-year-old Minnesota middle school girl who was accused of posting “inappropriate comments” on her Facebook account. The student at the Minnewaska Area Middle School had posted that she “hated” a particular school official who was “always mean to her.” The girl was summoned to the principal’s office, where administrators, a school counselor, and a deputy sheriff were waiting for her and demanded that she divulge her Facebook password so that they could review all of her postings. Yes, of course a lawsuit is pending, but the growing number of egregious cases shows your children are leaking data that can come back and bite them as well.
Even college athletes at schools like the University of North Carolina and the University of Oklahoma are being required to provide their passwords on social media sites to their coaches as a condition of playing sports at the schools. Some college athletes have also been compelled to install monitoring software on their personal computers and phones from companies such as UDiligence, which tracks in real time the students’ activities to ensure “that collegiate athletic departments protect against damaging posts made by student-athletes.”
Governments are also getting in on the action. A survey by the International Association of Chiefs of Police of more than five hundred law enforcement organizations revealed that 86.1 percent of police departments now routinely include social media searches as part of their criminal investigations. The IRS too began training its investigators on how to use social networks to investigate taxpayers back in 2009, and Homeland Security’s Citizenship and Immigration Service instructed its agents in 2010 to use social media sites to “observe the daily life of petitioners and beneficiaries suspected of fraud.”
Federal agents can readily access your social data through a variety of means, by serving subpoenas, national security letters, and other administrative orders on your service providers, who under the third-party doctrine exception to the Fourth Amendment needn’t even notify you of the request. For example, AT&T revealed that in 2013 it received more than 300,000 requests for data relating to both civil and criminal cases. The demands for information came from state, federal, and local authorities and included nearly “248,000 subpoenas, nearly 37,000 court orders and more than 16,000 search warrants.” In 2009, Sprint disclosed that it had even created a law-enforcement-only portal that gave police the ability to “ping” (without warrant) any one of Sprint’s mobile phones in order to geo-locate users in real time—a feature that was used more than eight million times by police in a one-year period.
What data of yours the government doesn’t subpoena, it just buys. The NSA and other government agencies didn’t build their global eavesdropping and data-siphoning network from scratch; they purchased or otherwise obtained a complete copy of what the corporate world was already collecting. It makes perfect sense: Why build what they can just buy? ChoicePoint, now owned by Reed Elsevier, maintains seventeen billion records on businesses and individuals that it resells to its 100,000 clients, including to 7,000 federal, state, and local law enforcement agencies. Revelations from Edward Snowden alleged the Central Intelligence Agency pays AT&T $10 million a year for its call data and suggested Verizon too supplies data to the U.S. government. Commercial data brokers have lost no time in offering their paid subscription services to government agents, serving up the streams of information you have freely provided across your social networks.
A brilliant parody on the comedic Onion News Network lampooned the current state of affairs in a fake evening news report:
Congress today reauthorized funding for Facebook, the massive online surveillance program run by the CIA. According to reports, Facebook has replaced almost every other CIA information-gathering program since it was launched in 2004. [A mock CIA official noted,] “After years of secretly monitoring the public, we were astounded so many people would willingly publicize where they live, their religious and political views, an alphabetized list of all their friends, personal e-mail addresses, phone numbers, hundreds of photos of themselves, and even status updates about what they were doing moment to moment. It is truly a dream come true for the CIA. Much of the credit belongs to CIA agent Mark Zuckerberg, who runs the day-to-day Facebook operation for the agency.”
As hilarious and spot-on as the faux news report was, the leakage of our personal information to both shadowy data brokers and government agencies is no joking matter. The cost of the surveillance economy, owing to great advances in technology, is dropping exponentially. Gone is the need for vast teams of special agents to follow you around, tailing you on foot and in vehicles as you traverse a city. Instead, one study has estimated that by using proxy surveillance technologies such as mobile phones, online activity, social data, GPS information, and financial transactions, the government now spends just “$574 per taxpayer, a paltry 6.5 cents an hour,” to track each and every American.
Upon learning the true extent of the NSA’s domestic and international spying prowess, the former head of the East German Stasi Wolfgang Schmidt admitted publicly that such a system “would have been a dream come true.” Schmidt noted that during his reign as head of the much-feared secret police service of the former German Democratic Republic, the Stasi could tap only forty telephones nationwide at a time, but clearly now technology had made it possible to monitor all calls and Internet data at all times. He cautioned, “It is the height of naivete to think that once collected this information won’t be used … This is the nature of secret government organizations. The only way to protect the people’s privacy is not to allow the government to collect their information in the first place.”
Knowledge Is Power, Code Is King, and Orwell Was Right
In George Orwell’s dystopian novel 1984, he depicted an omnipotent government surveillance state controlled by a privileged few elite who persecuted independent thinking as “thought crimes.” Though Orwell clearly would have foreseen the NSA debacle, it’s less clear he might have predicted Acxiom, Facebook, and Google. To that point, in those cases it wasn’t Big Brother government that “did something to us,” but rather we who did something to ourselves. We allowed ourselves to become monetized and productized on the cheap, giving away billions of dollars of our personal data to new classes of elite who saw an opportunity and seized it. We accepted all their one-sided ToS without ever reading them, and they maximized their profits, unencumbered by regulation or oversight. To be sure, we got some pretty cool products out of the deal, and Angry Birds is really fun. But now that we’ve given all these data away, we find ourselves at the mercy of powerful data behemoths with near-government-level power who do as they please with our information and our lives.
In his 1999 book Code and Other Laws of Cyberspace, the Harvard Law School professor Lawrence Lessig insightfully demonstrated that the instructions encoded in any software program, app, or platform shape and constrain the Internet, just as laws and regulations do. Thus, when Facebook or Google unilaterally changes its terms of service to allow your news feeds to become public or your photographs to be used in advertisements against your will, it is as if a new “law” has been passed. Code, is in effect, law.
Perhaps then the only way to opt out of such a system would be to close one’s account or never create one in the first place? Unfortunately, both approaches are problematic and increasingly impossible. A New York Times article previously noted that Facebook keeps all your data even after you’ve closed your account. Even if you chose not to participate in an online social network, your friends would continue to tag you in pictures, the GPS in your car would still track your location, and Target would track all of your purchases.
The unprecedented volumes of data about ourselves that we have entrusted to private companies are up for grabs, and once the genie is out of the bottle, there’s no putting it back in. The troika of opportunity created by our online data exhaust, ridic
ulous terms of service, and little or no regulation means that modern data brokers can surveil us with better-than-government-grade surveillance capabilities, capturing our every thought, photograph, and location and subjecting them to big-data analytics. As Mat Honan, Bilal Ahmed, Mike Seay, Bobbi Duncan, Leigh Van Bryan, and Emily Bunting all learned firsthand, there are social costs and risks associated with our continued data leakage. But privacy implications are just one of the great threats resulting from the exponential growth in data.
Hackers are hard at work stealing all of the social data you have dutifully reported on yourself and are successfully breaking into the computers of data brokers and Internet giants responsible for storing it all. As Sony, Target, and even the Department of Defense have learned, data stored in insecure information systems are data waiting to be taken. As such, all data gathered will eventually leak, with potent implications for our personal and professional lives and even for our safety and security.
The problem with our being the product as opposed to the customer of massive data brokers is that we are not in control of our data and thus not in control of our destiny. The continued aggregation of this information, unregulated and insecure, sits as a ticking time bomb, with our every thought and deed available for the picking by a new and emerging class of bad actors whose intents are far worse than selling us discounted diapers and adjusting our insurance rates. International organized crime groups, rogue governments, and even terrorists are rapidly establishing their own data brokerages and bolstering their analytic capabilities in order to take full advantage of the single largest bonanza that has ever come their way, with frightening implications for us all.
CHAPTER 6
Big Data, Big Risk
Our technological powers increase, but the side effects and potential hazards also escalate.
ALVIN TOFFLER
On the evening of November 26, 2008, a sixty-nine-year-old man checked into room 632 at the luxurious Taj Mahal Palace hotel in Mumbai, India. The guest, K. R. Ramamoorthy, was visiting from Bangalore on a routine business trip. Little did he know that his life was about to change forever.
At about 11:00 p.m., Ramamoorthy heard a brief commotion outside his door, then suddenly a knock. “Room service,” a voice said. Ramamoorthy knew he had not ordered any food and sensed something was gravely wrong. He attempted a retreat to the bathroom, accidentally bumping into the door. The noise gave away his presence inside the hotel room. The response was swift: a hail of bullets came flying through the door, obliterating the lock separating the businessman from the world outside.
Two heavily armed men forced their way into Ramamoorthy’s room, and in the blink of an eye he was beaten, stripped naked, and tied up in what would become the most terrifying night of his life. The men were from a Pakistani-based al-Qaeda-affiliated terrorist organization known as Lashkar-e-Taiba (LeT), and Ramamoorthy had unfortunately found himself at the center of the deadly 2008 terrorist siege on the city of Mumbai.
“Who are you, and what are you doing here?” his LeT captors demanded of him. “I’m just an innocent schoolteacher,” Ramamoorthy replied. Of course, the terrorists knew that no Indian schoolteacher could afford to stay in a suite at the city’s most opulent hotel. The terrorists located their hostage’s identification card on his bedside table and now had his true name, which they called in to their terrorist commanders on the satellite phone they had brought with them.
The LeT ops center receiving the call resembled any modern military command-and-control facility. From across the border in Pakistan, terrorist cell leaders tracked the progress of their attack on the people of Mumbai. They had carefully selected their targets, including two luxury hotels, a busy railway station, a Jewish community center, a popular tourist café, and even a women and children’s hospital. On the ground in Mumbai, terrorist operatives ruthlessly threw hand grenades at innocent people as they sat eating in cafés and gunned down unarmed civilians waiting to catch trains on their way home from work.
As the attacks unfolded, LeT commanders in Pakistan used their war room to carefully monitor the BBC, Al Jazeera, CNN, and local Indian TV stations to learn as much as possible about the progress of their operatives and the response of the Indian government. Regrettably, the terrorists did not limit their information-gathering operations to broadcast media; they also mined the Internet and social media in real time, to deadly effect.
When the terrorists holding Ramamoorthy phoned in his name to their Pakistani base, the ops center deftly conducted an Internet search on their hostage. Moments later, they had his photograph. Then his place of work. They learned Ramamoorthy was not an innocent schoolteacher as he claimed when pleading for his life but rather the chairman of one of India’s largest banks, ING Vysya. Based on the image they had found online, the terrorist commanders asked their operatives at the Taj Mahal Palace to compare the man before them with the photograph of the bank chairman located online:
Your hostage, is he heavyset?
Yes.
Is he bald in front?
Yes.
Does he wear glasses?
Yes.
“What shall we do with him?” asked Ramamoorthy’s captors. Moments later, the terrorist war room gave its reply. Kill him.
In an instant, a simple Internet search was all the terrorists needed to decide the elderly man’s fate. Though we may worry about advertisers and data brokers abusing our privacy settings on Facebook, the fact of the matter is that our openness can be used against us in ways worse than we had ever imagined. When we leak data, it’s not just captured by corporations or governments. Criminals and terrorists have access to our social data as well, and they are leveraging it with killer precision. In today’s world, a search engine can literally determine who shall live and who shall die.
The men who carried out that attack on Mumbai were armed with AK-47s and RDX explosives. Guns and bombs are nothing new in terrorist operations, but these LeT operatives represented a deeply disturbing new breed of terrorist. They had seen the future and leveraged modern information technologies every step of the way throughout their assault to locate additional victims and slaughter them.
When the attackers set out to sea from Pakistan under cover of darkness, they wore night-vision goggles and navigated to Mumbai using GPS handsets. They carried BlackBerrys containing PDF files of the hotel floor plans and used Google Earth to explore 3-D models of target venues to determine optimal entry and exit points. During the melee, LeT assassins used satellite phones, GSM handsets, and Skype to coordinate with their Pakistan-based command center, which monitored broadcast news, the Internet, and social media to provide real-time tactical direction to its ground assault team.
When a bystander tweeted a photograph of police commandos rappelling from a helicopter onto the roof of the besieged Jewish community building, the terrorist ops center intercepted the photograph, alerted its attackers, and directed them to a stairwell leading to the roof. The police, who had hoped to surprise the terrorists, instead found themselves ambushed inside the stairwell the moment they opened the door. When the BBC mentioned on air that witnesses had reported the terrorists were hiding in room 360 or 361, their war room phoned them immediately and told them to reposition themselves to avoid capture.
At every point during the siege, the LeT attackers exploited readily available technology to gain situational awareness and maintain tactical advantage over police and the government. They monitored the Internet and social media, gathered all available open-source data, and even mounted a sophisticated online counterintelligence operation to protect their operatives. Throughout their assault on Mumbai, the terrorists were so dependent on technology that numerous witnesses reported seeing LeT operatives shooting hostages with the guns in their right hands while simultaneously checking BlackBerry messages with their left.
Not only was technology crucial to the operational success of the siege, but as we learned in chapter 2, criminal abuse of technology also funded the a
ttack. It was a Filipino hacking cell working on behalf of the al-Qaeda affiliate Jamaah Islamiyah that committed extensive cyber crime and online fraud to bankroll the LeT operation in India. The hackers funneled their millions in ill-gotten cyber gains back to their handlers in Saudi Arabia, who in turn laundered the funds and forwarded them to the Lashkar-e-Taiba team responsible for the brutal onslaught against the people of Mumbai.
In the end, it took police sixty-eight hours to end the siege on the city of Mumbai. Counterassault teams eventually killed nine of the terrorists and arrested the tenth. Shockingly, one of the innocents to survive the attack was K. R. Ramamoorthy. At the very moment the LeT command center had given the order to kill him, there was an explosion in the Taj Mahal Palace, which his attackers thought was the police closing in. As the terrorists ran to investigate, they gave Ramamoorthy the brief moment in time he needed to free himself and escape. Not so lucky were the 166 men, women, and children who lost their lives that day, as well as the hundreds more who were gravely wounded as a result of the carnage.
