New Pew Research Report on Americans' Attitudes on Privacy, Security, and Surveillance

This is interesting:

The surveys find that Americans feel privacy is important in their daily lives in a number of essential ways. Yet, they have a pervasive sense that they are under surveillance when in public and very few feel they have a great deal of control over the data that is collected about them and how it is used. Adding to earlier Pew Research reports that have documented low levels of trust in sectors that Americans associate with data collection and monitoring, the new findings show Americans also have exceedingly low levels of confidence in the privacy and security of the records that are maintained by a variety of institutions in the digital age.

While some Americans have taken modest steps to stem the tide of data collection, few have adopted advanced privacy-enhancing measures. However, majorities of Americans expect that a wide array of organizations should have limits on the length of time that they can retain records of their activities and communications. At the same time, Americans continue to express the belief that there should be greater limits on government surveillance programs. Additionally, they say it is important to preserve the ability to be anonymous for certain online activities.

Lots of detail in the reports.

Posted on May 21, 2015 at 1:05 PM • 28 Comments

Comments

mike deckerMay 21, 2015 2:00 PM

sounds like a majority see things pretty spot on... and just when i think nobody is paying attention!

GregMay 21, 2015 2:02 PM

This reminds me of research findings I read about recently that stated that what the American public wants is of little concern to Congress. The vast majority of the "wants" Congress responds to are almost exclusively confined to multinational corporations and billionaires.

Matthew KearnsMay 21, 2015 2:09 PM

Lots of people know they're being screwed, but no one seems to really do much of anything about it.

I wish that people would stop expecting their elected representatives to do everything for them, because it's really not going to happen. If you're not getting up and doing something about it for yourself, you will be found and tracked for all the data that can be milked.

Benjamin DoverMay 21, 2015 2:28 PM

@Matthew Kearns:

Of course the people know they're being screwed. The also know that there's damned little that they can do about it under the current system where law and enforcement is for sale to the highest bidder.

It should not have to be a full time job to avoid being tracked.

DuderMay 21, 2015 3:20 PM

Two years ago, no one I knew wanted to hear or talk about surveillance. It was easier to bury their heads in the sand. Now, two years later, when I talk about it I am continually prompted for more and more information.

My perspective on the topic is this: It moves like a loaded train, it takes a massive amount of energy, and a long time to build enough useful momentum, but once it's moving, it wont stop easily.

DanielMay 21, 2015 5:01 PM

What Americans say they support and what they vote to support are two different things.

Anonymous CowMay 21, 2015 5:30 PM

While everybody is rightly concerned with government surveillance and data retention these same surveys only touch on private data collectors/miners and their activities. The credit reporting bureaus are not the only ones doing this, but at least you can get copies from them to see what info's there and protest any mistake. Not so with other companies.

Jim LippardMay 21, 2015 5:42 PM

"few have adopted advanced privacy-enhancing measures"

If they have, they may not be willing to (accurately) answer personal survey questions from strangers about their privacy habits.

AniraMay 21, 2015 7:09 PM

@Daniel

We have a choice between two packages of policies, package D and package R. We need to reduce a wide range of policy decisions to a binary choice, so that means we prioritize on what is the most important. So you can't really say that Americans voted for any specific policy. In this case, however, package R and package D both include mass surveillance of the public to complement their identical imperialistic foreign policy.

Bob S.May 21, 2015 9:25 PM

In my view the concept of "domestic mass surveillance" is relatively new to the American vocabulary and culture. We simply did not think anything like that could happen in the USA let alone was well underway. Ed Snowden turned on the lights decisively.

In times past some brave souls tried to tell us what was happening, but we simply were in a state of denial. In America, the government doesn't spy on us like the STASI or KGB, right? Corporations play fair and by the rules, right?

We have found out how wrong we were.

There are many defenders of police state mass surveillance. My experience is the vast majority, and especially the more vocal supporters, are involved in the surveillance industry to one degree or another. In short, they get paid to shill for government or corporate spies. Some are merely trolls looking for attention.

It's good to know more and more Americans are aware of the vast government and corporate intrusions into our formerly private lives. It's good to know people are worried about it, and want changes.

For awhile, I thought technology could overcome the onslaught. But, there are simply too many people and too much money involved for a few smart guys to unwind the whole thing with some trick hardware or software. Whatever defense is created, also creates a massive counter attack.

I used to think our elected officials would come to their senses, maybe take a minute to read the Bill of Rights again, listen to some experts or even a few of their constituents about oppressive intrusion. But, of course most all of them are only interested in is getting elected, or re-elected and where the bankroll is coming from for the next campaign. Meanwhile, the surveillance lobby has deep pockets. We can't expect much from the crooks and liars we elect anymore.

In the end, it will be the people themselves who take back their rights and freedom. It will take a long time, maybe decades now because it has gone on so far and is so deeply ingrained into our lives.

Everyone needs to stick together on this. What the government and corporations are doing is simply not right. We all know that. We can put a stop to it, too.

United we stand. Divided we fall.

Build unity!

ThothMay 21, 2015 10:35 PM

@Bob S
We nneed three things to reset the derailed path that the politicians have taken in a global fashion.

- Power. Someone or some of us with power and resources to propagate and influence decisions back.

- Knowledge. Without knowledge, we have no idea what is hitting us.

- Correct Motivation. Without motivation, nothing can move.

I did suggest this three points of approach before in my past posts some time ago. Knowledge and Motivation are already in our hands. We have smart people working on projects to protect personal privacy and personal security. What we lack is political power on our end to influence changes.

We can always be in our labs experimenting and publishing results and open designs and coding some softwares or attempting to sell more secured and assured hardware but the politicos would always find a way to attempt to disrupt, cease and desist and discourage truthful and open researches, publications, implementations, inventions and such ...

Political power backed by correct motive and knowledge is needed to counter-balance the corrupted political powers.

One of the first step I have mentioned is to educate knowledge and make available open source modules and designs of somewhat more assured and more secured hardware and software and also to make these sales as cheap as possible so that it becomes a lower hindering factor and lesser excuse NOT TO USE these cheaply available or freely available open modules and designs.

Wide spread easy to use security is what many of us are trying to do these days after the episode of Ed Snowden trying to teach Glenn Greenwald to properly operate GPG encryption and signing that was initially hard.

Mailpile email client entered Beta which helps putting GPG/PGP into emails in an easier to use fashion.

I am currently working on MailCard to put a very basic Email client engine with very restrictive set of TLS cipher suites into high powered smart card (https://github.com/ASKGLab/MailCard) which is coming up along the way. It is under construction and not usable yet.

There are other new projects out there trying to make security usable and easy.

Besides providing these secured and assured products with proper education, politicos who are personal privacy and security orientated could also benefit from more support, knowledge and funding to help overwrite bad policies.

rgaffMay 21, 2015 10:37 PM

@Bob S

Good speech.

One way we all can help is demand from vendors that our private data always be kept under our physical control whenever technically possible, and never be carted off into the cloud when technically unnecessary. This doesn't stop all our devices from being terrifically weak, but it drastically reduces the mass spying on the backbone. It's not the solution to everything but it's a really big start. And lots of "cloud services" violate this principle when there's no need to.

JustinMay 22, 2015 1:19 AM

"One way we all can help is demand from vendors that our private data..."

Yeah. Well, most of us are in no position to demand anything whatsoever from these vendors. It's not "our" private data, either. It's _their_ data on us, and we don't get to tell them what to do with it.

rgaffMay 22, 2015 2:57 AM

@Justin

I wasn't talking about things like banks and public surveillance cameras that we have to interact with if we use money and go outside... I'm talking about more optional things.

Money talks. I can say to a vendor, "do it this way, or I'm going to a competitor or simply doing without your gizmo until I find one that does".... and that's that. End of story. You do not need that latest phone that sends everything you say and your fingerprints off somewhere or thermostat that stores whether you are home or not in the cloud... these are dangerous, and TOTALLY OPTIONAL! So... opt out. And tell the vendors why you're opting out. Send them mails, they have contact forms on their web sites. They need to know that there really is a resistance to their bad practices, and there's no excuse, they could simply do things differently and it wouldn't be a problem.

Of course hardware still needs hardening in other ways, but that's a different rant. One at a time. For this rant just keep stuff off the cloud when you can.

rgaffMay 22, 2015 3:17 AM

I've done this before. Sending vendors explanations as to why I could not use their products, because it stored all my personal data in the cloud, which is not safe.... when they could have designed their product differently to keep it local and within my possession. I generally get one of the following kinds of responses:

1) Sympathetic. They agree with me. But, you know, takes time and effort and money to turn this train. Maybe a future product. As bad as it is, this is actually a positive interaction.

2) Callous. Canned response. Probably deathly afraid of saying the wrong thing and the press jumping down their throats. Sometimes these are rejecting what I'm saying outright, but often they are trying to erroneously claim they already do what I ask, or spin it into a positive, or make excuses, etc. This is a negative outcome, no heart, no soul, no realism.

3) Nothing. No response at all. Maybe they think I'm some nutjob and not even worthy of a canned rejection?

Regardless of the outcome, they need to hear the roar of people being dissatisfied with them. They need to know that the people who pay their bills think they suck, and hear it politely ringing in their ears frequently. This is a long term psychological warfare tactic. It may not look like much yet, but it does show results over time.

cinnamonblueMay 22, 2015 3:33 AM

Hi everyone - I'm not a big tecchie so I don't come here often but I had a couple of things on my mind and wow - I think one dovetails with this thread somethat. First, a few replies:
@Peter Kronenberghs - thanks for that link; it is an issue to be quite concerned about.

@Greg - I agree 100% - Gilens & Page and Monsieur Piketty support you.

@Matthew Kearns - I am with @Benjamin Dover on this. I'm not sure what I can reasonably do. For example, even encrypting e-mail when none of my family does and most of my e-mails come from either family of a couple of e-mail lists.

@Bob S. - I am TOTALLY with you on unity. I started signing off on Intercept comments with: "Divided = Conquered, But United = Empowered!"

But what was really on my mind was this: I went to sign in to Google yesterday (I have blogs with Blogger)and it turns out they have this new two step sign-in system. That in itself may not be all bad but the way they've structured the thing, it was horrible. After you put in your e-mail, your full name and e-mail address was displayed on the screen and THEN you put in your password. I was really taken aback. My first thought was that if I were doing this in a public place I wouldn't want screen. Gov't notwithstanding, I would be very concerned that some cybercrook could look and get the paired name and e-mail address. Didn't make me feel secure at all and I only log into Google from home!

So you good folks are probably wondering why I even want to deal with Google at all. Well, I have 2 blogs and one was originally on WordPress. But I became increasingly dissatisfied with WordPress and have found the Blogger community to be much more helpful and friendly if I have a problem. The other reason is related to searching. I have tried both duckduckgo and startpage and found their results to be pretty poor. I used to like the Yahoo search but it's not nearly as good as it used to be, in my opinion.

So I ask - is there ANY wan to "pressure" Google to change their login procedure? Would a phone call even be worth it (I did call today but the wait to talk to a human was 20 minutes and I didn't have the time then to wait.

Well, I guess that's enough rambling for now. Would love to hear some thoughts from you folks...

Clive RobinsonMay 22, 2015 4:53 AM

@ Bob.S,

In times past some brave souls tried to tell us what was happening, but we simply were in a state of denial. In America, the government doesn't spy on us like the STASI or KGB, right? Corporations play fair and by the rules, right?

If you go back on this blog you will see the denial happening in the ITSec community as well.

Search back to pages on "BRUSA" or "UKUSA" and you will find people stating that the IC especially 5Eye had a policy of spying on each other and then handing over the details, so that Politicos could be told and thus repeate "We do not spy on our own people", along with other choice snipits. And you will always find people there responding saying "no that can not be so, they would not do that they've said the don't/won't"...

Even our host Bruce took a long long time coming around to the notion of "because it's possible they will", further like most the assumption was it would be "targeted" not "wholesale industrial". Have a look back on the discussions about storing voice data at the NSA hole in the ground in Bluffdale.

Bruce's original assumption was it was not possible or to difficult, then a few technical techniques were discussed and a lot of people started to realise that not only was it possible, it was comparatively trivial technically, it was just the industrial logistics of physical construction that appeared hard...

As for the TAO catalog people were saying it was a hoax etc, or some kind of magic, even when it was pointed out that many of the techniques were "common knowledge" and had been "public knowledge" for over thirty years...

The problem is people's thinking involves "hills and valleys" and tends to gravitate downwards to a comfortable position that just "goes with the flow" of other peoples thinking. In part because they don't want "to be seen to be different", also in part because "independent thought involes effort", as well as the big inhibitor of "accepting the responsability of acting upon the knowledge when you do know"...

However when people do realise they have been misslead, they make the effort and climb the hill, and as they go they get to see more of the landscape that has been hidden from them. And quite rightly they get upset and want to jump down on the heads and backs of those that have conned them and made them look like fools.

This can have consequences for those in power, and what they do next defines how much blood will be spilled... this is what history has taught us, oppression always gets overthrown one way or another, the only questions are "how" and "howlong"...

As I've pointed out in the past one of the most powerful tools against oppression is laughter, it's fine when people are laughing with you but disasterous when they are laughing at you. Because people in power crave dignity and respect, and you don't have that if people think you are at best a joke. Further those who support power don't want to be seen associating with a fool, so the fool loses their powerbase and resources. And if lucky the fool suffers only ignominy at worst they have an untimely for them demise.

JaysonMay 22, 2015 10:36 AM

It's puzzling to me how these large stores of private data (like the aforementioned Penn State) can exist, be poorly protected and then breached and there is absolutely zero liability for those who hold the data. In many cases, late or no information is given to those whose privacy was violated.

I wonder why they are not liable for not only loss of data, but every subsequent use of the data (eg. years of email phishing and identity theft attempts).

WmMay 22, 2015 4:20 PM

Be careful to say nothing to anyone about anything personal. I happened to mention a medical procedure I had had that was on topic with the conversation we were having. I saw her immediately go over to my chart and write the information it down.

WmMay 22, 2015 4:22 PM

Left something out:

Be careful to say nothing to anyone about anything personal. I happened to mention a medical procedure I had had that was on topic with the conversation I was having with my dental hygentist. I saw her immediately go over to my chart and write the information it down.

Coyne TibbetsMay 24, 2015 4:44 AM

I think people have a fatalistic view of security. It's one thing to suggest these "advanced privacy-enhancing measures" (and, I'm sure, so many others). It is entirely a different thing to have the time, money, and fortitude to carry them out. The worst is, as I discussed above, most of them are easily breached by companies or the government anyway.

Those things that are practical for the average person to do, those so-called "modest steps," accomplish almost nothing.

For examples: in my obtuseness, I refuse to accept loyalty cards or to give companies email addresses...and I know that really makes no difference because they track me by my delivery address, phone number, and credit cards. I use throw away email addresses (Spamgourmet and my own service) and it doesn't really matter because I still have had to give emails to dozens of companies and they're all trivially traceable to me. (At least I don't get much spam.)

It's all fine to knowingly say, "Everyone is aware they're being tracked, and they wouldn't have to be if they would just move into Little House on the Prarie."

But (in the vein of that study that claimed men could live longer by getting castrated) it's like producing a study that concludes men seem to want to live longer and being bemused that most men won't take the "advanced castration steps."

Clive RobinsonMay 24, 2015 8:01 AM

@ Coyne Tibbets,

)... it's like producing a study that concludes men seem to want to live longer and being bemused that most men won't take the "advanced castration steps."

There are a couple of asspects to this,

Firstly as you indicate there is a trade off between current and future which is the same as "current utility -v- future security" which we quite clearly see in big business where current short term stock holder wishes take priority over longterm growth and stability for workers etc. That is in general unless regulated "utility" is a short term race for the bottom that longterm benifits nobody.

But there is also the "pressure of society". To use the same "male fertility" example, in the UK for instance a man might decide to take responsability for "birth control" and future liability and thus decide the "snip" is a sensible measure and his choice to make. Not so WASP&CC society thinks this is either "irrational" or against "God's wishes" and therefor the man has to undergo counciling and evaluation, prior to being considered for what is almost a ten minute minor surgical proceedure (the effects of which are reversable in a number of ways).

We glibly call this "peer pressure" but rarely consider it's effects in the here and now let alone what effects it will have on our futures. Most especialy a future with "perfect recall" at the touch of a button for those who have unfettered access to those information time machines. One effect we do know that usually "peer preasure" is seldom anything other than lowest common denominator, we see the bad effects all around us every day, in part because peer preasure panders to the lazy or those with little or no ethics or morals.

From the societal aspect of security, in living memory people who practiced even a little security were regarded as at best "odd" ranging through untrustworthy because of "having something to hide", simply because they "locked their doors" when not in... These days in quite a few places you would be considered at best stupid if not mad for not having your door fully locked even when in.

At best societies view can be seen through current utility -v- future security and moves slowly from various drivers such as crime. The problem society is now having since Ed Snowden made it clear that the NSA are building "information time machines" is what you do today which would otherwise be forgotton is now kept for an opportune time for embarrassment in the future. That is information is becoming "a future assasins" tool of choice. Blood is not let but the effect is for the individual worse than an instant cessation of existance.

Thus the equation now needs to be re-evaluated, "future security" does not exist if we follow "current utility", we have to consider that every word and deed of today will be sought out and used by those who intend us harm in a future we can not yet see even though it looks like paranoia. Worse what is acceptable to society in the current time where an activity might at worse get a "so what reaction" might be considered a real evil in the future and thus the reaction would be "hang em high" in ten or twenty years. To see this consider what is happening to those who "smoke", where currently pictures of the famous from fifty years ago are having cigarettes etc air brushed out so that todays young will not be in danger of thinking smoking is glamorous.

Thus some folks "pre-snowden" who looked like security / conspiracy nuts, are now "post-snowden" seen as prescient to those in the security industry. Thus the utility of "easy Email" is looking questionable, likewise "easy browsing", the untopian ideal that an "Open Internet" will "unstopably set us free" is now begining to apear as a road to hell. Thus change all be it slow is happening in society (increased use of https for instance).

The problem is as George Orwell predicted is that those who seak power have been corrupted by it and through various agents have perverted open ideals and poisoned them at a fundemental level (as seen with CAs / OpenSSL / dual eliptic / etc, and currently the likes of logjam).

Thus we are in the unenviable position of early Victorian artificers, having to make our current health hazardous systems safe. Unfortunatly we are finding as they did that "bolting on" is not a viable option to fixing an originally ill thought out system. But we cannot aford to stop and replace "installing for all" is not an option we have to instill little by little with fingers crossed.

But that "information time machine" is ticking and storing and every slip is being recorded to use as a lever no matter how small to drive open any crack in security, of which there are myriads of which only a handfull are known...

These are not concepts most "common clay" can see let alone start to think about, the technology is but sparks of a magician's fingers to them. Worse neither can the rich and powerfull, they only see an increase in their status, not realising or even wanting to see that they are buying the chains that will enslave them as well.

We know society changes, but how far can it actually change before we nolonger consider it a society we "know" or "want"?

Arguably we are beyond the tipping point and there may be no nice way back...

Lessthan16to20May 25, 2015 9:20 AM

"Worse neither can the rich and powerfull, they only see an increase in their status, not realising or even wanting to see that they are buying the chains that will enslave them as well."

I have often wondered why legislators aren't *leading* the charge for improved cybersecurity when, surely, they would want their data and communications secure against their political competitors (which might include an executive branch led by the opposing party). I mean, we ought to be able to count on politicians to protect themselves, right? Do they have cybersecurity tools that we don't? Are they being blackmailed somehow to force their support of executive branch security programs?

YYMay 26, 2015 7:26 PM

I'm not aiming to become a resident cold shower, however let's sum things up a bit from what little we know and what people here have thought and debated.

Unity? A lovely sentiment but a dangerous one. Let's not all jump into the same basket. In fact doing so is step one on the slippery slope, the same slippery slope the NSA and the rest have been rushing down.

I am of the belief that very few yet realize how bad things are, the primary support for this belief is the continued prevalence of and reliance upon assumptions, assumptions that make things look far better than they are.

Here are a few easy ones that might help get more people going:

- Snowden did not fully realize what he had. This should be somewhat easy to spot both by looking at developments over the past year or so and by watching the movie Citizen Four repeatedly until you get it.

- Snowden was not and is still not in a good position to understand his own material. He was an analyst but his job was not to analyze his employers, it was to analyze their targets.

- Snowden did not have access to the entirety of all intelligence agencies within the system (I've seen 68 countries mentioned as being part of the structure here before). Snowden did not even have full access to everything in the NSA. There is an awful lot that Snowden did not have access to.

- The NSA is on public record in front of congress —and before Snowden decided to call the alarm— about having scooped, cracked, circumvented, or significantly weakened all public encryption standards yet nearly everyone including Snowden pretends encryption works if implemented properly, which —given the revelations of the documents from Snowden and others so far— seems like a completely impossible task if based on COTS i.e. commercial hardware as neither any of the endpoints nor the transmission medium would be secure. At best it seems encryption might last until noticed or deemed interesting enough.

We lack an awful lot of information. We lack an awful lot of knowledge.

We know the systems as described are huge. We know that a lot of the information is easily attained but there is a lot of information hat should not be as simple to attain so we also know that there are flows of data which are not being detected or noticed.

We need to start assuming the negatives rather than the positives.

We need to assume that there are significant side channels we are unaware of. I for one would love to get a much better idea about the capabilities of radio astronomy: we can map the microwave background radiation from the big bang at 13 billion light years away or more but how about when we turn that technology and slightly better and map a relatively tiny volume of space? Shouldn't everyone assume that SIGINT/ELINT satellites can read the functioning of individual processors from space? Why would that be an outlandish suggestion? As long as noise can be mapped it ceases to be noise.

We need to assume there are significant weaknesses in every technology and encryption we know of.

We need to assume the surveillance is more advanced than we know of.

We need to stop reducing the revelations to the lowest known factor in order to feel good about ourselves.

Spoofing is a great example as it is not actually a sensible position to claim that the NSA would be particularly worried or inconvenienced if they were caught spoofing packets, So lets not fool ourselves into pretending that something like that would be a reason for concern on their part.

I'm a nobody and maybe it's because I'm a nobody I can say these things. Maybe my take on the issues is wrong but I certainly don't see a reason to think so thus far.

solarisMay 27, 2015 12:34 PM

@rgaff
"Likening privacy to castration isn't a little fatalistic!"

true, that.

Although it does not surprise me that it's frequently heard. For one thing some companies revenues, and through that their stock market valuation and employees bonuses, are tied in with a lack of privacy.

Consequently we have articles like this on a site that provides investment advice:

Google Ought To Work With Carriers To Slow Down The Growth Of Adblock Browser For Android
http://seekingalpha.com/article/3207396-google-ought-to-work-with-carriers-to-slow-down-the-growth-of-adblock-browser-for-android


Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.