Terry Zink: Security Talk

Discussing Internet security in (mostly) plain English

I worry more about being hacked than being tracked, and I am in the majority

This is going to be a long post. Please read through the whole thing before you comment.

I have been following this NSA spy-story for several months now ever since Edward Snowden started revealing back in the summer that the US government was spying on everyone.

At the time, I wasn’t sure how I felt about it. Based upon what I was reading from security experts (and I am oversimplifying the discussion… sorry about that), I was supposed to (a) care a lot, and (b) be outraged.


When it comes to government accountability, I am not the most informed person. I do try to keep up with technology, policy and governance but I only have so much mental bandwidth. After work, I like to relax and rather than reading discussion forums and important articles, I frequently watch Netflix (I just made my way through Orange is the New Black, in case you are wondering). Sometimes I like to read books on my Kindle (I just finished You are now Less Dumb), or just doodle around on my iPad. I have read some stuff on spy-gate, but I don’t know all the nuances of the arguments for it on both sides.

Thus, when it comes to a complicated topic like NSA spying, I end up relying upon my gut instinct. This is a poor way to make decisions. But, in my defense, everyone uses gut instincts to make decisions most of the time. We humans are subject to dozens and dozens of biases. Most of the time, we make snap decisions intuitively and then make up logic to rationalize why we think this way.

This is not how we think we make decisions but it is how we do it most of the time. And sometimes it works; back when the United States was talking about taking military action against Syria, I was strongly against it. I am not blasé about all things.

When I hear people in my local social circles – the ones outside of security and even a few inside of it – talk about the NSA, most of them are a little surprised by the scope of it but don’t really give it much thought. Many joke about it.

Many references to it in pop culture are equally dismissive. The South Park episode Let Go, Let Gov parodies people who actually do care. Eric Cartman is outraged at the NSA spying scandal, so he infiltrates the NSA and exposes all of their hacking. Yet immediately afterwards, he is shocked by the amount of nonchalance everyone around him has. Indeed, he starts crying to his mother because he exposed everything they were doing, yet no one cared. He tries to push the NSA into violating his constitutional rights, but they dismiss him as “fat and uninteresting.”

I’m tempted to take this as evidence that most people don’t care about NSA spying, but this would make me guilty of the availability bias – the belief that since my immediate social circles think a certain way, everyone thinks this way. Maybe only those around me don’t give it much thought. Or maybe people who matter think this is a big deal (i.e., people on Intelligence committees).

Yet the other day on All Things D, an article entitled People are More Freaked Out by Hacking than Tracking shows the following:

  • 75% of people surveyed were worried about hackers stealing their personal information. As if to underscore this, Target admitted it leaked 40 million credit and debit cards over the 2013 Thanksgiving weekend and now these are for sale on the black market.

  • 54% of people are worried about their browsing history being tracked by advertisers.

  • Only 15% reported the top threat is government accessing people’s information.

After reading the article, I ran through my own mental processes – the things which I worry about online the most are those three things, in that exact order. I’m just like everyone else.

I check my credit card statements looking for possible fraud and I get angry when my credit card is leaked and I have to change it. I keep my anti-virus up-to-date and I have started using more unique passwords.

I delete my cookies regularly, clean my cache and sometimes use private browsing. I have adjusted the privacy settings on some websites I visit and I sometimes read privacy policies (parts of them, anyway).

As you can see, for the two things that matter the most to me, I have taken action to lower my risk.

By contrast, ever since the NSA story broke, I have changed nothing about my habits. Not one thing. Furthermore, I don’t worry about the NSA spying on me because in the back of my mind, my gut instinct says “You’re too boring for the NSA to care about.” I don’t worry about them stealing my credit card information, searching my browser history or tracking my online behavior. Maybe I should be worried, but I’m not.

So how come I’m not?

Like I said, this is a gut instinct (in Daniel Kahneman’s book Thinking Fast and Slow, this is called System 1 thinking; for a full explanation, read the Wikipedia summary). The threat from hackers is clear to me: they might steal my identity and I can see the fallout – they could steal money from my financial accounts, or they could degrade my credit, or they could infect my computer with malware. These are all real and tangible and I can see a direct link between hackers and bad things that come as a result of being hacked.

Privacy is a little tougher but I can still see the issue – online retailers, browsers, and large corporations are tracking everything I do and sending data back to a central processing unit and then sending me something based upon what I do. This “something” is usually advertising. I’m not quite sure how I feel about that targeted advertising since I use the Internet to do things I enjoy, and now that’s being used “against” me by private corporations for their own profit. A bit more blurry, this one.

But when it comes to NSA tracking, I have a very hard time seeing the fallout and that’s the problem. The cost is hard to see.

Defenders of the NSA spying program say that if you’re not doing anything wrong, you have nothing to worry about. My System 2 thinking – the part of my brain that is logical, reasonable and analytical – knows that this is true on some level, but it also knows that we are entitled to privacy rights. Yet it also doesn’t fully understand the arguments. My System 1, on the other hand, happily accepts this argument:

“The NSA is looking for criminals and terrorists. Since I am not one, I have nothing to fear and there’s way too much data they are collecting for this to be a problem since I can hide in my own obscurity. This is different than companies tracking me and selling my information or targeting me with ads. They are browsing my legal, normal behavior looking for patterns, whereas the NSA is looking for people with malicious intent; they are looking for illegal behavior.”

And you know what? It’s probably true. The NSA isn’t targeting ordinary Americans.

My System 2 has to fight to overcome this belief. This is difficult because System 1 is nearly automatic, and System 2 is lazy (this is true in all humans, even you). It frequently just goes along with what System 1 says. Did you ever wonder why sometimes you are tired after a long day of thinking? Because System 2 drains a lot of your physical energy.

Last week, General Keith Alexander appeared on the TV show 60 Minutes to defend the NSA program, and The Guardian posted a rebuttal. They have the best summary I have seen about why the NSA program is wrong:

Very few people think the NSA is staffed by mustache-twirling villains who view the law as an obstacle to be overcome. The real concern is two-fold.

First, even if NSA doesn’t mean to break the law, the way its data dragnets work in practice incline toward over collection. During a damage-control conference call in August, an anonymous US intelligence official told reporters that the technical problem bothering Bates in 2011 persists today. The NSA even conceded to Walton in 2009 that “from a technical standpoint, there was no single person who had a complete understanding” of the technical “architecture” of NSA’s phone data collection.

They haven’t succeeded yet in convincing me why this is a problem, not enough to override my System 1.

Second, there is a fundamental discrepancy in power between the Fisa court and the NSA. The court’s judges have lamented that they possess an inability to independently determine how the NSA’s programs work, and if they’re in compliance with the limits the judges secretly impose. That leaves them at the mercy of NSA, the director of national intelligence, and the Justice Department to self-report violations. When the facts of the collection and the querying are sufficiently divergent from what the court understands – something the court only learns about when it is told – that can become a matter of law.

In other words, it can be simultaneously true that NSA doesn’t intend to break the law and that NSA’s significant technical capabilities break the law anyway. Malice isn’t the real issue. Overbroad tools are.

And therein lies the problem; in the United States, the government is built on a system of checks-and-balances. It seems like the government sometimes can never get anything done, but that’s because it’s supposed to be hard to get things done. With the NSA system, the courts say they can do X but there’s no way to make sure that’s all they are doing. We have to trust them to do what they say they are doing.

So you see, intellectually, I understand the issue (or rather, I understand what The Guardian is saying the problem is; you readers might have other issues like the government should straight up not be reading your email, ever). But even though I understand it, I still have trouble really caring about it.

In order to do this, I have to make it more emotional. Here’s the way I do it – the whole situation reminds me of an episode of The Simpsons, back when the show was funny. A cat burglar has plagued the city of Springfield so Homer forms a vigilante group and sets out to stop crimes. While he does succeed in stopping some crimes, he ends up causing others. For example, while underage drinking is down, sack beating with doorknobs is up. Homer’s task force is popular with the people because he has taken the law into his own hands, but the trouble is the city now has unabridged power without the checks and balances.

Homer is basking in his glory when Lisa asks him a question: “Dad, don’t you see? If you’re the police, who will police the police?”

Homer shrugs and flippantly responds “I don’t know. Coast Guard?”

It’s a very funny moment and it is the only argument I can think of that makes me think that the problem is not so much that I personally have nothing to hide so who cares, but rather, that an entity with unconstrained power has the ability to spiral out of control. This is not a linear relationship the way malware and hacking is. The reason I don’t care as much is because it requires my System 2, and System 2 doesn’t like to work.

I think that’s how I feel about the NSA scandal. To those of you who think I’m too flippant, sorry about that.

But it’s better than not caring at all.

  • Hi, I've created a webpage designed to help us computer techs. The page has a list of links to direct download pages of popular anti-malware tools. Please take a look at this tool, like my Facebook page, and share the wealth!

    The page is new. I use it at my job now; I managed to get updated versions of all the anti-malware programs I use in about 20 seconds (Previously a 2-3 minute job). This also works wonders when I'm on-site, and need downloads to all my tools on the client's PC.

    www.antimalwarelinks.com

  • (Also read quite a few NSA documents a while ago)

    I do agree with most of your points as in the end I don't care that much.

    But when System 2 kicks in I get worried a lot more and I really start to understand Snowden when you see the final use.

    I will just list some points:

    Forcing companies to cooperate with court injunctions under Patriot Act. Only Microsoft and Skype (before the takeover) clearly listed. Core Switches fabricants mentioned but no name (guess it's Cisco, Juniper)

    Those court orders and/or new laws are not made public as made under the Patriot Act. This is such an anti-democratic issue ... Coming from the US government and what it always stands for: it is really scary.

    Project Bullrun that took around 10 years to get rid of HTTPS issue from NSA point of view (geek side says: woooow)

    The different ways they address Tor network issue: when you see what's happening on that secured network where you can buy AK47, rent virus blackhole,... it must be addressed and they're simply up to the task.

    All in all I do understand what and why they do it. And then they go berserk (or whatever you want to call it):

    Spying (deliberately) on Germany's minister, Brazil's president, ... this is not about terrorism. This is about politics and financial power/advantage.

    and they hide behind that terrorism argument all along. Which you can't be against if you do care about your family, innocent people.

    cheers

  • My accounts have been hacked by unauthorized personnel at military installation near where I reside.  Please be informed this is USA military hacking, NOT windows.  Do not say orange.  This is a very serious matter and it is our own US soil hacking into private and business accounts for military pleasure which is NOT authorized.  Please update and inform your congressperson.  URGENT
