Everyday Eavesdropping: How Pervasive Is Digital Big Brother?
When we visited Shanghai last year, we tried Googling "Falun Gong" from our hotel room. The practice of Falun Gong is banned in China, and we were curious to see what information we might get back. The answer: no information at all. We just lost our Internet connection, as though lightning had struck a control box somewhere. But this was no random accident. The Chinese watched what we were saying on the Internet, and filtered what information we could receive. The "Falun Gong" query was evidently in a special category of offensiveness. Doubtless our hotel room number was recorded somewhere, just in case our mischief persisted.
In anticipation of the arrival of large numbers of Western visitors for the Olympics this summer, the Chinese government has asked hotels to increase their level of surveillance. Whatever we might hope about the free flow of information in China, we should not be surprised that enlightened policies about information freedom are not arriving along with the marvelous new sports arenas.
What is surprising to many is the level of Internet eavesdropping happening in the U.S. Under the USA PATRIOT Act, bits crossing the U.S. border in a fiber-optic cable are treated the same as papers carried in a briefcase. The electronic U.S. "border officials" are entitled to scan the bits, whether they consist of email, spreadsheets, or pictures. This U.S. policy has some unexpected consequences. Canadian companies using Google Docs to share spreadsheets and draft reports between their Toronto and Vancouver offices have to expect that Uncle Sam will look at those corporate documents every time the bits cross the border on their way to and from Google's disks.
Even more surprising is the extent to which private U.S. companies monitor their employees. We were recently on a consulting job in an office of a large corporate client—a financial services company. We needed to go online to gather some information, and we enlisted the help of one of the company's information technology staff members to get access.
The first thing we did was to check our email. We use Google's Gmail when we check mail on the Web. No luck! We entered www.gmail.com and received a giant red warning: "You are trying to access a site that is FORBIDDEN!" What? Gmail is hardly an adult-oriented service of the kind that responsible businesses might find offensive! The friendly staff person said, "Oh, I forgot to tell you, we monitor every single thing that you do when you're on the Web. We control what you can see, what you can't see. We read all your email. We're watching."
If we'd picked up the phone to make a call, we could probably be confident that no one was listening. Not so in the land of bits. Bits are much easier to snoop, and the company's network had been configured to force us to use their email software, which they could monitor easily.
Little Brother is alive and well. You no longer need to be a government to impose surveillance—and, by extension, thought control. In fact, voice recognition is now good enough that digital telephone conversations can be monitored automatically for distinctive words—and within the walls of a private company, that isn't necessarily an illegal wiretap.
This client is no mom-and-pop operation. The assets it handles exceed the gross domestic product of most nations. It may well think of itself as a government, even a totalitarian one. Financial services companies are saddled with federal regulations about data retention. Post-Enron, they want to be able to check, years later, if anyone tipped their grandmother about a securities transaction. The intent is understandable. Nonetheless, we found it creepy that they were watching our every move, controlling the websites we could access, and reading our email.
The Gmail-blocking ploy is the sort of thing that might please auditors but has little real security value. If we wanted to get a secret out, we could have used a personal BlackBerry, taken a personal laptop to Starbucks on lunch break, or simply used a web browser to get to an email service less well known than Gmail. Neither government nor private policies can keep the bits within the corporate walls if someone is determined to get them out.
Still, the incident was a reminder that technology and regulation are not moving in lockstep. When telephones arrived, we instituted legal protections for the privacy of our communications. With bits, eavesdropping is still clumsy but is rapidly becoming routine and unsurprising. In the near future, it will either have to become far more pervasive in order to be effective, or will have to be reined in by privacy legislation to protect civil liberties. Which do we want? Which world do we want to live in?