Those who are best at tracking you have the most to gain commercially. Facebook may know your sexual orientation, but Google knows even more about you. As the Wall Street Journal has noted, "the breadth of Google's information gathering about Internet users rivals that of any single entity, government or corporate." It is helped in this endeavor by the fact that, as CNN reports, Google on average "accounts for about 25 percent of all consumer internet traffic running through North American ISPs."
Our cell phones can also reveal where we are at all times. Smartphones are equipped with GPS systems, and even with the GPS turned off, connecting to a cell tower still provides an approximation of a person's location. A study by MIT reveals that, with just four proximate locations, it's possible to identify an individual with 95-percent accuracy.
There are advantages to treating personal data as a commodity. Companies can provide remarkable services at no cost to the user. Google, Facebook, and similar companies could certainly command subscription fees if they chose that route, but the fact is that the companies make more money by getting to know their users -- understanding their interests, their aspirations, their likes and dislikes -- than they would by charging users twenty or thirty dollars a year. It's understandable that these companies would treat user data as a commodity, and no doubt many users would willingly sacrifice privacy for top-quality free services.
There are also disadvantages. When we think about the information we are disclosing, and the methods of data analysis now available, we are apt to grow uncomfortable with what these companies know about us -- our social networks, sexual predilections, voting preferences, and much more - and how they're sharing this information.
Our Response to Terrorism
Just as commercial providers have responded to market incentives, the NSA has responded to the incentives provided to it in a world of growing transnational threats. The threat of a terrorist attack is real, not a chimera, and the NSA after 9/11 was charged with sifting through electronic data to shake out the dangers. To accomplish this, the agency wanted a lot of data. As Deputy Attorney General James Cole has said, "If you're looking for the needle in a haystack, you have to have the haystack." This is not to say that we should accept the NSA's programs as they are -- hard questions have been raised about its broad collection of metadata and its internal safeguards against privacy violations -- but the present debate has taken on a Manichean quality in which the NSA is often portrayed as rapacious. It is in fact aggressively pursuing the mission with which it was charged -- of trying to prevent another attack on the homeland.
The NSA also undertook its surveillance efforts at a time when the meaning of privacy was shedding its old meaning due to the migration of our lives online, into an environment where --unlike in the offline world -- we are being constantly tracked and monitored, and everything we do is remembered.
So what does privacy mean now? The answer isn't entirely clear; but what is clear is that we need to have the right kind of discussion about it. Perhaps a good place to start is asking whether lawmakers should limit commercial entities' ability to retain user data indefinitely.
There is, of course, good reason for these entities to be able to track users. User data gives them a source of revenue, and they invested in their services with the expectation that their ability to profit from these services will continue. We are not arguing that the government should constrain the ability of these companies to generate revenue, but is very old data really essential -- or even relevant -- to their business efforts? Do commercial entities really need to know what websites you visited, and who you sent instant messages to, and the location of your cell phone, eight or ten years ago in order to understand your consumer preferences today? The government could require these entities to purge all digital user data (including messages sent, websites visited, records of individuals called, and geolocations) that is more than, say, five or seven years old if a) the user has tried to get rid of it by, for example, deleting the information; and b) there is no independent reason, such as ongoing litigation or national-security concerns, to retain it.
This would be an admittedly small step, but one in the right direction that could help kickstart a badly needed conversation on privacy. Contrary to the absolutist claims that have dominated the public debate on the issue, there is a complex balancing act at play. It involves not only liberty and security, but also commerce rights, Internet users' appetite for free and convenient services, and the desire for privacy not only from one's government but also one's neighbors. The right kind of privacy conversation would recognize this.
But given the way the surveillance debate has been proceeding so far -- focused exclusively on the government, lacking a concrete conception of what privacy means today, and framed in harsh Manichean terms -- we're unlikely to get there.