Today, three stories on surveillance:
1. The Path Forward Is CLEAR
Two weeks ago, I wrote about the complicated relationship between corporate and government surveillance. I used Amazon’s recent product offerings to point out the dangers of compiling a large amount of user data under one corporate umbrella. Well maybe I should have waited, because an even better example was revealed in an enlightening investigation by OneZero this week: identity verification company CLEAR. The difference between Amazon and Clear is that Clear explicitly wants to be a corporation that serves as the holistic identity & health status clearing house.[1]
You probably know Clear as a service that operates much like TSA PreCheck, allowing faster passage through security at airports. The company has expanded to providing expedited access through security at sports arenas but has its eyes on any interaction that requires an identity check.
“We believe any place that you are whipping out your wallet and taking out a card to prove that you are you is a place where Clear has big opportunities,” Seidman-Becker told CNBC in May 2019. “Think about the age validation for e-cigarettes, beer, and online gaming.”[2]
A famous business school quote instructs us to “never let a crisis go to waste.”[3] Indeed, Clear was born to ride the wave the post-9/11 government grants. Clear has now taken advantage of the coronavirus pandemic to link health information with the concept personal security. The model is enticing. In a United States that refuses to treat coronavirus as a societal problem, we can imagine a negative test being necessary to accessing all forms of public life – employment at an Amazon warehouse, attending a professional sporting event as a fan, even drinks at a national chain restaurant. The post-COVID world available, for a price.
We’re now promised a pitch perfect GATTACA future where health data is required to ensure access to the public sphere, all in the hands of a private company funded by government grants selling services back to the government. When I wrote about Amazon I suggested the new dynamics of market capitalism had pushed the company towards capturing ever more user data – but of course this comes as the result of Amazon providing valuable services to the customer. Clear is taking a totally different tact. They explicitly want biometric and health information, for the purpose of regulating access. Unlike Amazon, which collects data as a consequence of providing services (such as voice recordings, for the purpose of the Amazon Halo’s tone judgment), Clear wants valuable biometric data and needs it to run its business.
***
2. Are Five Eyes Better Than None?
Over the weekend the Five Eyes alliance called on tech companies to build in encryption back doors for end-to-end encrypted communications.[4] Five Eyes is an intelligence alliance of the English-speaking former colonies (UK, US, CAN, AUS, NZ) that these days likely exists mostly to circumvent national laws by spying on the citizens of member countries and then sharing that data.[5] End-to-end encryption, or E2EE, has become a popular focus of conflict between private companies providing messaging and governments. Many communication apps have or are planning to institute E2EE, in the name of privacy and protecting their users.[6] Governments do not like this development, because it limits the extent law enforcement can access private communications. Law enforcement argues encryption fosters cesspools of crime and exploitation free from prying eyes, and advocates argue encryption is necessary to protect dissidents and citizens from the intrusive activity that Five Eyes nations have been accused of in the past.
You might look at this statement and ask, like me, “who is in charge here?” Instinctively it is strange that five powerful nations, including the nation that is home to nearly all companies targeted by the statement, are reduced to stern, pleading press releases – for the third year in a row.
The mere presence of the statement reveals a strange rift in the world of surveillance. Usually when we talk about government invasions of privacy, we are talking about law enforcement and the Fourth Amendment. Observers and citizens become aware of practices that infringe on privacy because they are presented in a court of law to support a conviction, and these practices are challenged for their Fourth Amendment constitutionality. I’ll call this surveillance at the local level. On top of this, with different objectives, is national/international surveillance. Particularly in post-9/11 America this surveillance machine, characterized by the NSA, is focused on large scale surveillance to fight organized terror. Like other organizations in the “national security” apparatus, activities at this level are purposefully opaque and removed from the public eye. Presumably, the reason for this is a mix of “our practices are too sensitive to reveal to our enemies” and “our practices are illegal and shock standards of common decency.” Consequently, it puts these intelligence agencies in a bind. They can’t tell Facebook to stop encrypting communications because it will limit their egregious screening of all private communications, because, well, we aren’t supposed to know they’re doing that. Without a politically expedient crisis to push this policy through Congress, they’re limited to sitting on a Trojan high horse, begging companies to comply with them.
***
3. Thieves Like Having Things Too
If I were attempting to be a bizfluencer (business influencer) I would say sage things like: The sun rises in the east and sets in the west. This is a fact of life, but if you want to understand what the technologies of today will look like tomorrow, a wise American would turn to China. Well, a wise American will learn from China that utterly predictable things happen when you make lots of small businesses use biometrics:
“Personal data leaks related to facial recognition are common, and China is one of the
worst countries at protecting biometric data, according to some research. Images of faces, national ID numbers and phone numbers have repeatedly been found for sale online at alarmingly low prices. Xinhua reported in July that some online vendors were selling facial data for just 0.5 yuan (7 US cents) per face. State broadcaster CCTV also reported last December
that a bundle of 5,000 images of people showing various facial expressions was being sold for 10 yuan. Even images of people wearing masks were traded online after systems were updated this year to account for the new reality under the pandemic.”[7]
This is alarming. The article describes a trend in China where neighborhoods have been switching to facial recognition for security, leaving residents little recourse to ensure their data is properly protected. Think of the worst landlord you have ever had. Now imagine they’re in charge of protection your biometric security – choosing the correct vendor, setting up the systems, adequately responding to breaches. From a security perspective, one of the great advantages of an offline world is disintegration. Your landlord has access to certain information, your bank others, your video store others, your doctor others. While this may be inconvenient (for serving you ads), it means that any breach is cabined to the information held by that company. With the internet, and the world promised by regimes in China and companies like Clear, the disintegration becomes integrated, and any breach becomes catastrophic.
Mark my words: at some point in the future, I can 100% guarantee there will be a data breach at Clear. Some of their customers’ extremely valuable and personal information will be compromised. I say this not as a judge of the company or its practices, but as a fact of life. Companies that use technology, particularly internet facilitated database services, are vulnerable to attack. Cybersecurity is a constant battle between hackers and security specialists, and hackers inevitably will obtain the upper hand at some point. Right now, identity theft can be an incredibly difficult scourge, requiring on average 6 months and 100-200 hours of work to overcome.[8] Imagine if that hack also discloses biometric information? As a professor once told me, you can change your password, but you can never change your fingerprints.
As the Five Eyes statement shows, private companies in some ways are endowed with the power to protect our privacy and the simultaneous ability to degrade it. Clear’s goal, as a business, is to become the interface that allows citizens access to public life. They have the responsibility to protect this valuable data. Any negligence in security could destroy the lives of those affected. If ever there were a case for intense scrutiny of a private corporation and the legal system that allows that company to collect data, Clear is that case.
[1] https://onezero.medium.com/clear-conquered-u-s-airports-now-it-wants-to-own-your-entire-digital-identity-15d61076e44d
[2] Id.
[3] I have seen this quote attributed to both Rahm Emmanuel, former Obama Chief of Staff and Chicago Mayor, and Winston Churchill, patron saint of history dads.
[4] https://www.zdnet.com/article/five-eyes-governments-india-and-japan-make-new-call-for-encryption-backdoors/. As the article notes its really seven eyes with the addition of India and Japan. Does each nation only have one eye? Wouldn’t ten eyes make more sense?
[5] https://en.wikipedia.org/wiki/Five_Eyes. Can I add that Five Eyes is an incredibly ominous name for an intelligence organization?
[6] Facebook notably has promised, as part of integrating messaging across its properties, to institute E2EE.
[7] https://www.scmp.com/abacus/tech/article/3104512/facial-recognition-data-leaks-rampant-across-china-covid-19-pushes
[8] https://www.identityforce.com/blog/how-much-time-does-identity-theft-recovery-take
Dumb Privacy Guy 