The movie Terms and Conditions May Apply takes a hard look at personal privacy in the Internet age. The movie explores many controversial areas of privacy like erosion of corporate privacy policies and laws, monetization of personal information, and continued indifference by governments to defend citizen privacy. Additionally, a number of important but perhaps lesser known concerns like disposition of personal subscriber information after corporate closures and acquisitions are covered.
The documentary alternates between expert interviews following with commentary to navigate viewers through the rich maze of subject matter. The movie illuminates shared electronic information addictions of corporations and governments. A soft point made by the movie is that nothing is “free”. To service consumers with free products they desire, corporations monetized personal information and traded it like a commodity. Also post 9/11 era the trend with nation states, increased Internet surveillance provides valuable intelligence for preventing terrorist attacks and crime. The line between government and corporations grows more fuzzy as governments desire to extend their reach into corporate information stores, private VOIP phone conversations, text messages, email, etc. An analog is drawn by the documentary with one of my favorite science fiction movies, Minority Report. In Minority Report, Tom Cruise leads a law enforcement Pre-Crime Unit. The main goal of the Pre-Crime Unit is to prevent crimes before they occur. While the technologies in the Minority Report movie and today’s Internet surveillance are different, and I will not spoil the movie, the goals are ironically similar.
“So while it may be an acceptable form of civil disobedience to burn an American flag on the White House lawn, typing *bomb* in a Facebook post may result in a SWAT team visit to your home.”
The movie elevates awareness to concerns like, Third Party Doctrine. In Third Party Doctrine individuals abdicate their privacy rights upon disclosure of their personal information to third parties like Facebook, Pinterest, or other such Internet service providers. Confiscating your personal diary with your most sensitive thoughts and feelings from your nightstand drawer requires authorities submit to various checks and balances like search warrants. However, obtaining the very same sensitive information and opinions expressed on Facebook or other sites requires no public checks and balances. And in fact, information requests are often accompanied by gag orders prohibiting service providers from publicly disclosing requests made by authorities. At issue, 4th Amendment constitutional rights do not apply broadly to personal information and their is a rift in privacy expectations between those that use Internet services, companies, and governments.
The movie wraps up with some specific cases where individuals have been “red flagged” by government agencies, detained, and interviewed. So while it may be an acceptable form of civil disobedience to burn an American flag on the White House lawn, typing *bomb* in a Facebook post may result in a SWAT team visit to your home. The reaction seems somewhat inconsistent. The movie interviews a few individuals with interesting stories to share about their experiences with authorities. I find it interesting law enforcement agencies believe what they read on the Internet at all. Knowing communications are actively monitored provides a powerful advantage to influence the thoughts or actions of adversaries to desired outcomes. Earlier this year Brian Krebs described his SWATing experience in his Black Hat session, Spy Jacking the Booters around 11:25 minute mark. Influencing authorities to shake down or otherwise inconvenience targets of interest is the modern pranky equivalent to doorbell ringing when I was a kid. But it proves information is a powerful tool to manipulate advisory behavior. Perhaps this is nothing new for governments but the power of the Internet has given this attack a whole new life and perhaps broadened the pool benefactors.
Several experts are interviewed throughout the movie. Most noteworthy, famous entrepreneur and technologist Ray Kurzweil, singer/musician Moby, and previous Facebook and Google employees are interviewed. Perhaps a criticism is that is easy for movie viewers to get lost in the details and miss the larger points and challenges in the domain of privacy. Nevertheless, Terms and Conditions May Apply is a great movie to raise your privacy IQ. For those knowledgeable in privacy, the movie provides some details regarding specific surveillance tools (Carrier IQ, FinFisher/FinSpy, Kapow, and more), cases, techniques and capabilities used by nation states (Spyfiles) across the globe.
Personally, I’m unconvinced increasingly broad Internet surveillance is a valuable tool to prevent attacks, crime, or it provides more good than harm. Irregardless of anyone’s opinion, it’s certainly the trend. My opinion, I’m an optimist, I think the rift between our privacy and our expectations of privacy will close in the not so distant future. Not necessarily because citizens desire better privacy but because it’s more prosperous for society at large. See my previous post, A Crisis of Confidence Costs Real Money.
If you have any personal experiences in these areas (privacy incursions, swatted, or otherwise) or know about some great security/privacy movies feel free to send me a note. Love to hear about this stuff. Thanks!