Over Labor Day weekend, a trove of nude celebrity photos apparently stolen from Apple's iCloud—the company denies it was hacked, per se—spread across the internet, prompting titillation, denials, legal threats, and the now-familiar lament that nothing in life is private anymore. And on Tuesday, in ACLU v Clapper, three judges heard arguments in the first appellate-level challenge to the National Security Agency’s domestic metadata collection program.
To some hardcore privacy activists, there's not much daylight between these two stories—the only difference being that in one instance, the Peeping Tom also happens to be your Uncle Sam. But that would conflate the distinction between content and data, and thereby miss that the real danger to contemporary privacy isn’t government intrusion at all: It’s the weaknesses of private corporations.
The theft and publication of these actresses’ private photos are crimes. But these actions were also, to quote statements released by the victims, “outrageous” and “flagrant” violations of privacy. These photos were taken in private and stored in contexts that the actresses understood as safe and personal. When Mary E. Winstead emphasized that her photos were taken in her own home, it was clear that she didn’t view her decision to store them in the cloud (even temporarily) as detracting from the expectation of security and privacy we all rightly associate with our residences. If a woman’s home is her castle, so too, it seems, is her iCloud account. And a company's failure to protect such an account is not very different than the bank that allows its safe deposit boxes to be raided.
But the cloud is not quite our home, nor is it precisely analogous to a bank’s safe deposit box. No outside power enjoys unrestricted access to your home, and banks cannot go through your safe willy-nilly. But corporations like Google and Apple take a different approach. They don’t quite allow employees unrestricted access to your emails, phones, and documents, but they do frequently use computer programs to mine these materials for valuable metadata. This is, of course, the whole reason why private corporations provide cloud space at low cost or no cost at all. There still is a price; you just pay in personal information rather than cash. The cloud thus becomes a less private place; a home, perhaps, where the landlord has been given permission to peer through the window—but only while wearing special glasses that reveal only rough shapes and blurry outlines.
For the photos of Winstead, Jennifer Lawrence, Kate Upton et al, this distinction makes little difference. Not only was the person peeking through the window unauthorized, but he did so without the foggy glasses and published the images to a worldwide audience. It doesn’t matter what rights Apple might have to mine our accounts in a general sort of way. The hacking of those accounts and publication of these photos is both theft and a perverted form of pornographic abuse. But the ways in which corporations interact with our data does have major implications for distinguishing between the grotesque invasion of these women’s privacy and what NSA does as part of its intelligence efforts. That’s because of a concept called the “third party doctrine” and a famous 1979 case, Smith v. Maryland.
In Smith, the Supreme Court allowed local police to install a pen register at a phone company’s central office in order to determine, without a warrant, the numbers dialed by a suspect. Because records of these numbers is precisely the sort of thing telephone companies already hold and process, the Court ruled that these records weren’t “private” at all and didn’t require a warrant. Smith’s conviction was allowed to stand, becoming a central pillar of Fourth Amendment law, and the precedent is now one of the primary bases for NSA’s widespread collection of telephony metadata. If local police investigating a robbery can collect phone records without a warrant, surely our intelligence apparatus can do the same in interests of national security. Photos sitting in your bedroom are private; records to which your local Verizon clerk has easy access are not.
In today’s oral arguments before the 2nd Circuit, the lawyer for the Obama administration once again hammered home this difference between closely-held content and more general information already turned over to third parties. But the ACLU challenger emphasized the ways in which the sheer bulk and indefinite scope of the metadata collected by NSA made the distinction between the content and metadata irrelevant. If, in an age of big data, Target can predict a woman’s pregnancy earlier than her father, is collecting information on all phone calls meaningfully different than listening to the calls themselves?
The ACLU portrays a future where the government sweeps up enough data to piece together our most intimate secrets. Federal agents might never have legal access to our nude photos, but our medical conditions, IQ’s, and romantic lives are fast becoming an open book. All it would take would be another Nixon or Hoover to put this data to dastardly uses. Better to leave this data in the hands of the private sector, argue the privacy advocates. And already, the Obama administration seems to be going along, pushing to replace the government’s collection of telephony metadata with a mandate to phone companies to maintain their own extensive records.
But as this week’s photos scandal demonstrates, the threat to privacy comes from the private sector as much as from the government. Is another Nixon, and particularly one powerful enough to overcome layers of post-Watergate oversight and compliance mechanisms, really more likely than an iCloud or Gmail hacker? When corporations cannot even be relied upon to secure our content, it seems naïve to automatically entrust our privacy to the private sector rather than the government. And it seems odd to allow Verizon commercial access to the same information that we deny the NSA for the purpose of counterterrorism.
In the modern era, it is the large corporations that pose the greatest threat to privacy. Google, Amazon, and Facebook may know things about us that we have never written in an email or stored in a file. We may never even know what is included in the mosaics of our lives that corporations are already weaving. With the government, we can take comfort that layers of bureaucracy, minimization procedures, and oversight prevent tyranny and mitigates the damage from leaks. But with private corporations, we have no such assurances.