digitaLiberties

Apathy about privacy is a myth: why users do care about data collection

The burden of protecting online privacy should be placed on corporations and governments, not on citizens.

Julianne Tveten
13 April 2017

Rally in Washington DC Against Mass Surveillance. Susan Melkisethian. Some rights reserved.

In recent weeks, two events have deviled the digital-privacy community and online commentariat. In March, Wikileaks released Vault7, a series of leaks detailing the CIA’s comprehensive program to surveil American citizens through such devices as smart TVs, Web browsers, and operating systems. Later that month, Congress voted in favor of S.J. Res. 34, a bill repudiating the late-Obama-era regulations of surreptitious user-data collection by internet service providers (ISPs) for commercial gain. In the wake of these developments, the matter of online privacy has reached the forefront of political discourse, lightly evoking the fevered concerns of Edward Snowden’s 2013 NSA revelations.

Of course, it isn’t always this way. Discussions of online privacy within mainstream media occur periodically, following Congress’s lists of priorities. In the cybersecurity off-season, when no leaks have occurred within the last two weeks, and the House of Representatives has no privacy bill on which to vote any time soon, the notion of digital protection is relegated to a vaguely dystopian unpleasantry lying latent in the political conscious.

Since Snowden’s leaks surfaced, Americans have learned that use of the 21st-century internet poses a continuous, tacit threat: an ISP like Verizon, AT&T, or Comcast has a tremendous capacity to deliver user information and browsing habits to governments and advertisers alike. Websites like Google or Facebook, so-called “edge providers”, can do the same, but only--ostensibly, at least--when users are logged into their services. Yet most of the instances in which users are explicitly reminded of this threat are reactionary: the data exploitation they learn of is either long-established, or, in the case of S.J. Res. 34, conditions surrounding said exploitation have suddenly grown worse.

Who cares?

It’s easy, then, to dismiss the issue of online privacy as one that simply flies under most Americans’ proverbial radars. The Next Web did so in 2011 in an article entitled “Do we really care about our online privacy?” (Based on the content of the article, Betteridge’s Law applies.) Business Insider followed suit with 2012’s hot take “THE TRUTH ABOUT ONLINE PRIVACY: Who Cares?,” as did Forbes in a post-Snowden 2014 with “Let’s Face It, We Don’t Really Care About Privacy.” The central conceit: Americans are more than willing to relinquish their personal data in exchange for the conveniences of photo storage, auto-populated search, and artificial-intelligence “assistants” like Siri or Amazon Echo. And because there are often no perceived tangible consequences, they’re not motivated to care.

Though the theory may seem valid anecdotally, it’s not airtight. According to Pew research from late 2014, 46% of the 607 adults surveyed felt insecure sharing private information over their cell phones, 58% felt insecure texting private information, and 81% felt “not very” or “not at all secure” using social media to share private information. “Most say they want to do more to protect their privacy, but many believe it is not possible to be anonymous online,” the center concluded. A subsequent survey found that 90% of polled Americans valued controlling what information is collected about them, while 93% said being in control of who has access to their information is “important.” Echoing its 2014 conclusion, Pew noted, “Few feel they have ‘a lot’ of control over how much information is collected about them in daily life and how it is used.”

What, then, can explain this dissonance between Americans’ supposed apathy toward online privacy and security, versus their actual, documented concerns about it?

What citizens can and can't do

If civilians don't seem concerned about their digital security, it's because what's at stake, and how to protect themselves, aren't made apparent to them. To state the obvious: the internet is an invisible, nonphysical entity. Users can’t see the mechanisms that spy on them, and most can’t escape them. Those who enjoy high levels of technological literacy--whether from a university education or a penchant for autodidacticism--may use their knowledge for greater protections, but for the layperson, cybersecurity is likely to be opaque and labyrinthine.

Consider, for example, Google’s ad and user-tracking settings. By default, users’ activity across all Google applications--Gmail, YouTube, Google Chrome, Google Maps, and of course, the search engine--is tracked, soon metamorphosing into targeted advertising. In order not to see personalized ads, or to delete location history, or to clear YouTube search history, a user must navigate through a series of steps in their account settings to opt out. For many, this is neither instinctive nor urgent. (Navigating to, say, the DAA’s Consumer Choice page to opt out of personalized ads within a browser is, to be generous, unintuitive.) Similarly, users must sift through fine print to understand the security benefits an iOS software update confers or to decipher the latest change to Facebook’s privacy policy.

While these measures are within a user’s control, it’s hard not to suspect that their convoluted nature is by design. It’s this type of confusing framework that governments and advertisers can so easily capitalize on; when users don’t know the internal contours of surveillance and data-harvesting campaigns, they won’t know how to obstruct them.

Increasing user protections on an individual basis is at least a temporary solution to this problem. A number of digital-rights organizations have sought to address the issue. The Tor Project offers an encrypted operating system, Tails, and the web browser Tor, among other services, to aid online anonymity. Last year, the nonprofit HACK*BLOSSOM released the “DIY Guide to Feminist Cybersecurity,” which outlines strategies to avoid attacks ranging from harassment to phishing. Even Mozilla, the corporation behind the Firefox browser, has hopped on the cybersecurity-education bandwagon.

Government efforts and policy

While these efforts are of monumental importance, they’re merely Band-Aids covering the wounds of privatization. Even before Trump’s ascent to the presidency, the nature of internet oversight was historically laissez-faire, rendering the web an often predatory place ripe for commercial takeover. Governments have failed to regulate the internet as a public utility, furnishing it with unchecked invasive potential.

Though the Federal Communications Commission (FCC) technically classified internet as a utility in 2015, it wasn’t until late 2016 that the government barred ISPs from collecting such sensitive data as social-security numbers and healthcare information without explicit user consent--a law Americans now won’t see come to fruition any time in the near future. The loss of such regulation is foreboding: these requirements were protocol for a communications utility; were a phone company to eavesdrop on a user’s call without that person’s knowledge, it would be violating the law. Now, however, such strictures don’t apply to internet providers.

Historically, these companies’ unfettered powers have behooved governmental bodies pushing forward mass-surveillance programs. As the aforementioned leaks have demonstrated, federal agencies have colluded with talent from the privatized internet’s most powerful data beneficiaries--Google, Facebook, and the like--to clandestinely monitor their constituents’ activity. The executive branch’s prodigious surveillance powers, bolstered in large part thanks to the Obama administration, have ushered users into an era of unparalleled digital fragility.

And yet, ever since internet use became a staple of daily life, the burden of establishing online privacy has fallen on the individual civilian. Internet corporations justify their mass data acquisition with meticulously PR-veiled jargon about making the user experience “relevant” and “personal.” Similarly, governments do so with “anti-terrorism” propaganda, suggesting no real threat is posed if a citizen has “nothing to hide.” Both forces present themselves as serving the best interests of a public of law-abiding consumers; what they do is legitimate, worthy of being the default, they contend, and users who don’t accept that can fend for themselves.

The narrative of privacy apathy furthers this notion, betraying the idea that intrusive digital paradigms aren’t ultimately that bad, that the stakes aren’t actually that high, that there are no real, palpable effects to fear. Far too many Americans, however, can’t afford to feel this way. Poor populations living in food deserts are marketed soda and cigarettes online. Law enforcement disrupts protests based on social-media updates. Domestic-violence survivors are stalked by abusers who can use the internet to find their locations. The suggestion that users simply disregard the concept of online privacy ignores the ills created by powerful circles, both public and private, and the people who are most vulnerable to them.

The broadband-privacy regulations instituted last year were a glimmer of hope for ethical internet policy. In requiring ISPs to receive express user consent before collecting highly personal data and allowing them to opt out of less “sensitive” data collection, the FCC acknowledged the need to transparently present users with the risks they incur whenever they go online. It placed the burden on companies, not individuals, to prevent sub rosa data collection and protect user privacy.

It’s time for this to continue, for the onus to shift from the individuals who “don’t care” to the behemoths that deliberately confuse and prey upon them. Only then will the internet begin to have any semblance of the democracy we once expected of it.
