For my parents, Marilyn and Varujan Boghosian, with love CONTENTS Introduction PART ONE: PERSONAL AND NATIONAL SECURITY MYTH 1 “Smart homes are more secure” MYTH 2 “I have nothing to hide, so I have nothing to fear” MYTH 3 “Encryption and anonymity tools—those are for terrorists!” MYTH 4 “We should worry about government, not corporate, surveillance” MYTH 5 “The USA doesn’t have national ID numbers” MYTH 6 “Surveillance drones are just for war” MYTH 7 “Surveillance makes the nation safer” PART TWO: PROTECTIONS AND IMMUNITIES MYTH 8 “No one wants to spy on kids” MYTH 9 “Police don’t monitor social media” MYTH 10 “Biometrics technologies are foolproof” MYTH 11 “Metadata doesn’t reveal much about me” MYTH 12 “The Constitution protects reporters and their sources” MYTH 13 “The attorney–client privilege is sacrosanct” MYTH 14 “They can’t design devices and platforms for privacy” MYTH 15 “Congress and courts protect us from surveillance” PART THREE: IMPACT ON AUTONOMY, COMMUNITY, AND SOCIETY MYTH 16 “Surveillance doesn’t influence how I act” MYTH 17 “Teenagers don’t care about privacy” MYTH 18 “Surveillance affects everyone equally” MYTH 19 “‘If You See Something, Say Something’ is a civic duty” MYTH 20 “Surveillance can’t predict future behavior” MYTH 21 “There’s nothing I can do to stop surveillance” Surveillance and Privacy Timeline Acknowledgments Notes INTRODUCTION Do you know where your data is? Most of us do not. It’s astounding how we’ve embraced the digital age without such an awareness. Late-night television news watchers from the late 1960s through the 1980s remember what became a parodied catchphrase: “It’s 10 p.m. Do you know where your children are?” Celebrities like Andy Warhol and Grace Jones even appeared on screen to invoke the public service announcement mantra, urging parents to keep track of their kids. Fast forward to the electronic age. Youngsters—the so-called iGeneration—spend hours online each day. Virtual forays can be as sinister as walking unattended in the streets after dark. A public service warning about the perils of electronic mass surveillance is long overdue. That’s because most Americans are unfit as digital parents. They let the family’s personal information roam far and wide, through electronic devices and social media platforms. Hundreds of data trails remain, like breadcrumbs in a forest. In this epoch of data-as- commodity, these crumbs give strangers—commercial data aggregators who mine and analyze our habits—a means to monitor us 24/7 and to influence our thinking. When we don’t take precautions to secure our personal information, such intruder entities exercise more and more control over our lives. When third parties control our information, we are vulnerable to discrimination by landlords, employers, or service providers based on age, race, disease and mental health history, and other qualities. Autonomy and personal freedoms perish when private data is up for grabs. Gone is the option of being anonymous when we want to voice an unpopular opinion or share a tip about fraud. Also harmed is freedom of expression and personal agency over our thoughts, actions, and self-perception. And that’s why we must demand to know where our data is and how it serves as the keystone of the surveillance state. WHO’S GUARDING THE CROWN JEWELS? Northridge, a data analytics firm, suggests that in the “data economy,” data is more valuable than oil. “Like oil, raw data’s value comes from its potential to be refined into an essential commodity.”1 And what is the refinement process for our data? It is the linking of different information sets to create dossiers on every American to sell to third parties. The US data brokerage industry is estimated to be worth over $200 billion, while the European Commission, as of 2020, estimated the European data market to be worth £106.8 billion.2 Mining, summarizing, and analyzing data are also politically useful. The British firm Cambridge Analytica (CA) is a case in point. During its brief life, from 2013 to 2018, the conservative political consulting group claimed it had amassed enough data points on American voters to construct targeted political ads and influence elections.3 The firm paid Dr. Aleksandr Kogan of Cambridge University to develop a personality quiz app, “thisis yourdigitallife.” Touted as being for academic use, the app scraped data from Facebook users’ friends, without the social network’s knowledge. Algorithms then combined this data, according to former CA staffer Christopher Wylie, “with other sources such as voter records to create a superior set of records . . . with hundreds of data points per person.”4 The firm also purchased data from giant aggregator firms such as Acxiom, Experian, and Infogroup. It was then easy to personalize direct political advertising to unsuspecting individuals. Disinformation and fear-based messaging were sent to people whom CA identified as emotionally unstable or who might make snap decisions, to dissuade them from voting, according to whistleblower and former CA staffer Brittany Kaiser. Kaiser says there are hundreds of other “Cambridge Analyticas” out there.5 Despite practices like this, Madison Avenue advertisers aren’t creating PSAs urging data protection. Slogans like “If You See Something, Say Something,” addressed later in this book, in Myth 19, convince civilians that spying on one another is a civic duty. Apps like Neighbors and Nextdoor are popular vehicles to share information about home repair recommendations, attempted auto thefts, or suspicious activity. And for $2,000 a year, Flock Safety will install a private license plate reader on a pole to track the comings and goings of all cars on your street. These apps, cameras, and social media platforms influence profit and politics, while marketing a false sense of benign community. The prevailing message is clear: share your personal information for convenience and total connectivity. Tech companies market the tools of electronic surveillance as our friends, while disguising the lucrative business of gathering and selling personal data as essential for security: “Smart” homes are more secure. Biometrics are unhackable. Surveillance makes the nation safer. And so on. Preferences expressed on Facebook, as the Cambridge Analytica scandal shows, purportedly enliven exchanges with friends but can also reflect, and affect, our choices in the voting booth. The masters of the surveillance state—marketers, contractors, and government agencies—make it easy to enlist but quite difficult to get answers about what they do with our information. That’s like stashing the crown jewels in a motel room safe, and then leaving the code on a Post-it. Yet we do it daily. TECH ILLITERATES ON HIGH Every two seconds a new victim of identity theft is born in the United States. Experian estimates that more than 30 percent of data breach victims will have their identity stolen.6 Why is that? Once they amass our information, aren’t big corporations and the government safeguarding it in their databases? Lawmakers aren’t doing enough to learn about cybersecurity and hold large database managers accountable for data breaches. Sloppy security practices—both by corporations and government agencies—expose wide swaths of credit card numbers, social security numbers, passwords, and other personal information to hackers. Another reason identity theft is an epidemic in the US is that federal law enforcement agencies (the FBI, NSA, and others) handle data under the illusion that they are computer geeks, super sleuths able to avert threats to national security with the press of a computer key. In fact, the entire government suffers from tech illiteracy that was exposed when the FBI tried to force Apple to provide access to a terror suspect’s iPhone in 2016. A 2020 audit of the FBI’s information security program and practices identified weaknesses or “control deficiencies, in five of the eight domain areas that need strengthening to ensure adequate protection of the Bureau’s information systems and data.”7 As Emily Dreyfuss noted in Wired: “Digital illiteracy at every level of government endangers the security of the nation and the functioning of democracy.”8 Errors abound, corrupting the dossiers held on millions of Americans. The mundane task of entering data incorrectly can be life altering. That happened to Muslim graduate student Rahinah Ibrahim. She was stranded in Malaysia for nine years after the United States barred her reentry in 2005. An FBI agent had mistakenly added her to a terror watch list by checking the wrong box on a form.9 The National Crime Information Center (NCIC) database has also been susceptible to errors in profiles of individuals. This database is a central resource for more than eighty thousand law enforcement agencies. Defying common sense, the FBI, in 2019, exempted the NCIC database from provisions of the Privacy Act of 1974’s mandate that federal agencies keep all records used by the agency accurate, relevant, and complete.10 This means that more than thirty-nine million NCIC records, relied on by law enforcement, may include errors. Each day new privacy intrusions come to light. During the upsurge in online learning due to the 2020 COVID-19 pandemic, hackers set their sights on e-learning portals such as Unacademy. More than sixteen billion sensitive records were exposed in data breaches between 2019 and the summer of 2020, according to the blockchain startup SelfKey.11 The company claims that the first quarter of 2020