Dutch Fishing Boats in a Storm, JMW Turner

Several years ago, I wrote that the Snowden revelations changed the way I understood the internet.

I wrote then, that,

I spend a large majority of my day swimming in the sea of data online. I go to Facebook, Twitter, email, weather, this blog, and everywhere else. In the past, I’ve considered this world mine, safe and managed by me, as long as I was smart and sensible.

The story of PRISM knocked the wind out of me. The idea that there is an analyst somewhere poring over a chat I had with my husband last week about whether he should have gone to his dentist appointment evokes a feeling I’ve never had before: the feeling of being watched, constantly, and monitored for any deviations outside the norm.

This feeling of constant surveillance, of a tension always in the background, has been with me for the past five years.

The mainstream media has finally started to pick up on the trend and, ironically, drive it to its logical conclusion for clickbait optimization, to the point where anything remotely controversial having to do with data makes the front page news.

To me, this is an good sign. If the problem has gotten as far as even the media (a lagging indicator of importance), then we are finally going to make progress on excessive data collection, retention, and security as a society. But each report has only made me feel a sort of numbness to what our society has become and my powerlesness against the tsunami of my own data crashing down and eventually, somehow, destroying me.

But, this week, for the first time, I began to see a kind of strange light at the end of the tunnel, when I read about the Strava exercise activity heatmap potentially leaking the locations of undisclosed military bases.

Because, if highly-trained military organizations, whose bread and butter depends on being discrete, don’t understand all the ways opsec can be undermined by a simple fitness app looking to monetize people’s GPS data, how can regular people be expected to deal with it?

If politicians at the highest levels of government are dealing with email breaches, if celebrities are not safe on Instagram, if Equifax can’t secure social security numbers, if Yahoo has not been hacked once, but twice, if every company from Deloitte, to the NSA - the NSA - can’t keep their data secure, then how can we?

How are we as consumers, who are not paid hundreds of thousands of dollars to do engineering and cybersecurity on a daily basis, expected to deal with any of this? How are we supposed to prepare for chat apps, that promised us security, to leak? How can we even begin to understand the implications of Spectre for our personal files, particularly when companies that make money on secure, stable computers don’t understand them?

Before, my mental model of data collection was that of normal people against intelligence agencies and companies that bested them. Misaligned incentives meant that normal people wanted as little data collection as possible, while companies wanted to get as much as possible with dark patterns and squirrely EULAs.

I understand now that this is not the case.

We are now, for better or worse, all in the same exact boat in the data lake.

We all have an incentive to be smarter about the data we give up, and consequently the data we collect, whether we are a person who doesn’t want Facebook to serve them ads, a company who doesn’t want lawsuits based on PII exposure, or an intelligence agency who doesn’t want its tools leaked.

Developers, spies, celebrities, politicians, people taking laps around classified military bases in the Middle East, and the people reading about all of this in the news, are all bound together by our precious and dangerous data, flooding, leaking, pouring through holes in the boat society has built.

Better late than never, but our incentives are finally aligned. Finally, we all have a common shared goal, and it’s in our best interest to collectively get some buckets, some caulk, and start plugging away.