All Tech Considered
Mon February 24, 2014
If You Think You're Anonymous Online, Think Again
Originally published on Wed February 26, 2014 10:00 am
Investigative reporter Julia Angwin was curious what Google knew about her, so she asked the company for her search data. "It turns out I had been doing about 26,000 Google searches a month ... and I was amazed at how revealing they were," she tells Fresh Air's Dave Davies.
From NSA sweeps to commercial services scraping our Web browsing habits, to all kinds of people tracking us through our smartphones, Angwin says we've become a society where indiscriminate data-gathering has become the norm. Angwin has covered online privacy issues for years, and in her new book she describes what she did to try to escape the clutches of data scrapers, even to the point of creating a fake identity.
"I want all the benefits of the information society; all I was trying to do is mitigate some of the risk," she says.
Angwin's book is called Dragnet Nation: A Quest for Privacy, Security and Freedom in a World of Relentless Surveillance. She considers dragnets — which she describes as "indiscriminate" and "vast in scope" — the "most unfair type of surveillance."
On why "free" Wi-Fi might not really be free
I have a portable Wi-Fi device called a MiFi that I use in coffee shops and hotels and all the places that give you supposedly free Wi-Fi. The truth is, what we're learning in today's world is that nothing is free. If something is supposed to be free, then it really means they're taking your data. So what I've decided: I have to buy my way out of it. ... Privacy is becoming a luxury good.
On the illusion of anonymity on the Internet
A lot of the online tracking was originally justified as being completely anonymous and so we shouldn't worry about it because our names weren't in those databases — it's just cookie number "123456" went to these websites. But there's been a lot of research that shows that basically people's traces and actions are very unique and when you get a large set of data that has all these varied specific actions taken by people, that you can re-identify them. ...
What we're learning is that we can be re-identified and in fact, much of the tracking that's going on is becoming more identified — Facebook, Google, Twitter, they know who you are already, they know your name most likely, and they're tracking you across the Internet. So they also are blurring the line between the anonymous and the non-anonymous tracking.
On what Google knows about your search history
You can ask Google what do they have on you and they do actually provide a pretty comprehensive answer. I was able to see all of the Google searches I have conducted since 2006, which was a lot of Google searches. It turns out that I had been doing about 26,000 Google searches a month. So I could see them by day, I could sort them by type of search — shopping, maps — and I was amazed at how revealing they were. I could reconstruct all the crazy leaps that my mind makes on any given day where one minute I'm working on an article and the next minute I'm suddenly shopping for shoes for my daughter and a minute later I jump onto another topic. It was a little disturbing to see what my mind does.
On the way data brokers compile information
Data brokers began by compiling very simple information from the Yellow Pages, the White Pages and government directories. The property records in your state are publicly on file somewhere; the data brokers will go buy it and put it in their dossier. At the same time, your address is usually on file [in] many places with magazines or newspapers you subscribe to. ... Also the post office sells access to its change-of-address list.
What's happening now in the digital era is that they're adding to their files with all sorts of digital information, so they can find out about you, what you're doing online, what you're buying online. ... So now these records that they have are getting much more precise. They're no longer just being used to send you junk mail that you can throw away. Now they're being used online as well to help places figure out who you are as soon as you arrive at their website. They can make an instant assessment by matching your online stuff to some of the online data.
On what data brokers "know"
I found out there are a lot of data brokers out there. It took me almost a month to compile a list, because there's no real list of who they all are, and I was able to identify about 200 or so of them. Of those, very few were willing to let me see my data. It was about a dozen that would let me see my data: some of the bigger brokers, LexisNexis, Axium, and some very small outfits. ...
What was shocking about it was that it ranged from incredibly precise — every single address I'd ever lived at including the number on my dorm room in college, which I couldn't even remember ... to very imprecise, inaccurate things ... that were not at all true — that I was a single mother ... with no college education living in a place I didn't live.
On commercial databases
We've learned from [Edward] Snowden, for instance, that the NSA is getting data from Google and Facebook and Yahoo and all the big companies that are out there, and in fact, even from things that I wouldn't have thought were worth our time — like information that flows between an app you're playing like Angry Birds and an advertiser that might be trying to advertise within that app. And so we have seen that these commercial databases have so much data and [are] so granular and so enticing to the government that they come in either way.
On her own efforts to secure her data
I would say I probably protected myself at most 50 percent of what is possible. And that's because I wasn't willing to live in a cage, in a tin shed in the woods, because I wanted to live in the modern world and there's a price you pay for living in the modern world. And some of that has to do with — you have to share your data.
DAVE DAVIES, HOST:
This is FRESH AIR. I'm Dave Davies, in for Terry Gross, who's off this week. A survey a couple of years ago found that more than a third of us would rather clean a toilet bowl than create a new user name and password, which we're always being told we have to do to secure our online stuff. Our guest, investigative reporter Julia Angwin, went a lot farther than that to try and shield herself from what she says is now an oppressive blanket of electronic data surveillance.
From NSA sweeps to commercial services scraping our Web browsing habits, to all kinds of people tracking us through our smartphones, Angwinn says we've become a society where indiscriminate data gathering has become the norm. Angwin has covered online privacy issues for years, and in her new book she describes the lengths she went to to try and escape the clutches of data scrapers, even to the point of creating a fake identity.
Julia Angwin spent 13 years as a reporter for the Wall Street Journal. She now writes for the independent news organization ProPublica. Her book is called "Dragnet Nation: A Quest for Privacy, Security, and Freedom in a World of Relentless Surveillance."
Well, Julia Angwin, welcome back to FRESH AIR. I thought we'd begin with a reading from your book "Dragnet Nation," and this is a moment in your journey when you've decided you're going to go buy a prepaid cell phone. Do you want to just set this up and give us this little moment?
JULIA ANGWIN: Yes, great, thanks for having me on. It's great to be here again. This is a moment in my book where I'm trying to buy a prepaid phone to use to protect my privacy.
The best practice when buying a burner phone is to pay cash and buy it at a store far from home. So I withdrew $200 in cash and went to a store in Midtown Manhattan, which seemed suitably anonymous, to buy the phone. The checkout clerk insisted that I click through a few screens on the credit card swipe machine, even though I was paying cash. Then she offered me a discounted warranty if I would enter my personal information onto the machine.
Then she offered me a discount on the phone as well, if I would enter the information. I respectfully declined. But being forced to repeatedly decline to identify myself made me feel like a criminal. By the time I left the store with my phone in a bag, I felt like I was carrying contraband. I looked up to see if I could spot surveillance cameras near the door. I wished I had worn a baseball cap.
DAVIES: And that is our guest, Julia Angwin. Before we talk about your efforts to protect your identity and your data, let's just talk a little bit about what led you to this. You say that in the book that we've sort of become a dragnet nation, a society of constant surveillance. And you cite a couple of compelling examples.
There's this couple, Sharon and Balal(ph). Tell us about that.
ANGWIN: So Sharon and Balal are an example of all the great things about the Internet. Sharon lives in the United States, is rather poor and lives in a very small town. Balal is wealthy, lives in Australia. They would never have met or had any reason to talk to each other, but they found each other on a message board for patients of people who are suffering from depression.
And they were both going through challenges in their life, and they found a real bond on this message board, where they shared their stories about how they were dealing with depression, what kind of medications they might be trying, and it felt like a safe space to them.
DAVIES: It was password protected? I mean, you had to log into it?
ANGWIN: Yes, it was - you had to log in and have an account. It wasn't just a post everywhere online. It was a patient's board, and you had to have an account. So it seemed like one of those nice corners of the Internet, which are increasingly hard to find, where you can really talk to people intimately without worrying that it's going to be picked up and show up in a Google search somewhere.
But it turns out that they were wrong about the privacy of this board. The owners of the board sent an email to all the members saying, look, we've just experienced a break-in, and we just want to let you know that a big social media monitoring firm had actually come and created a fake account, pretending to be a patient, and started scraping all the messages off the board in order to basically sell the information to pharmaceutical companies.
So Sharon and Balal were shocked by the break-in, but they were also shocked by the fact that the company also disclosed that it had a business of selling all the information about its members to pharmaceutical companies, obviously in aggregate and et cetera, you know, in some anonymized form, but basically their information was being shared in a way that they didn't understand.
So this was one of those classic situations of today's world, where, you know, the intruders are within and without, right? So not only was there a break-in, but it turns out the place that they thought was safe was also selling their information.
DAVIES: Right, and the outfit that had actually posed as another patient and had gotten in, did we ever figure out who that was?
ANGWIN: Yes, it was Nielson Media Research, which is - Nielson is the, you know, TV monitoring. They are one of the biggest media monitoring firms out there. And they - after this event happened, and after I wrote about it in the Wall Street Journal, they said they were sorry, they were going to change their policies and that they would no longer create fake accounts to break into private message boards.
DAVIES: You write that corporate and government dragnets are inextricably linked, that neither could live without the other. Explain what you mean.
ANGWIN: So the United States government, and all governments, actually, do try to collect data about their citizens for all sorts of good reasons, just to want to count them in the census or know who's flying overseas or crossing borders. But they don't have the capability to pick up everything.
And so what we've learned, particularly through the Snowden revelations, is how deeply they dip into the commercial databases that are being developed. So we've learned from Snowden, for instance, that the NSA is getting data from Google and Facebook and Yahoo! and all the big companies that are out there, and in fact even from things that I wouldn't have thought were worth their time, like information that flows between your - an app you're playing like "Angry Birds" and an advertiser that might be trying to advertise within that app.
And so we have seen that these commercial databases have so much data and so granular, are so enticing to the government that they come in either way. They - you know, the NSA has been coming to these companies with legal requests, but we've also seen evidence that they go and hack into their databases.
DAVIES: Why do they want to know who's advertising to me when I play a game?
ANGWIN: You know, the thing is that the intelligence community is in a difficult position. They've been told to prevent any future terrorist attack and that that's their mission. The problem is it's not really clear what is the way to prevent that. So they want to know everything about everyone to see if there's any indication you can learn about people who might be doing something here, and then it turns out that the algorithm shows that that's an indication that they might be doing a bad thing later.
And so they're trying to gather everything. And they also want a permanent record. So let's say now they've got a lead on somebody interesting. Then they can go back and look. They have it all stored there. What has he been doing for the past two years, what games he's been playing, who's he been calling. So they can reconstruct the history of a person.
You write, and it occurred to me as I was reading your book, that many of us have just given up and accepted that we're going to be monitored all day everywhere. But this is a book about your efforts to fight back and evade, you know, these dragnets. And before you - before we talk about the actual steps you took, tell us what your goals were. What did you hope to achieve?
Well, you know, I had been writing about privacy and surveillance for several years, investigating all the different ways that we are being tracked. And I was starting to feel hopeless. And I felt, you know, I wanted to do an investigation, actually, into whether there was any hope. So in some ways this was my investigation into can we find a way to control this data and have some semblance of control over all the information that's being gathered about us.
So I decided that I wasn't going to be able to control everything, obviously, but I wanted to focus on what I consider the most unfair type of surveillance, which is dragnets, which are indiscriminate, vast in scope, scoop up everything. Right, I'm not a suspect, I don't believe. I'm not necessarily a customer of any of the companies that are scooping up information about me.
And so I wanted to get myself out of just those dragnets.
DAVIES: And you weren't willing to be a hermit, right. I mean you're still going to have to communicate with people.
ANGWIN: Yeah, I also didn't want to do a sort of stunt book, where I go live in a cave for a week and, you know, say OK, you know, here's what it's like living in a cave. I wanted to have all the benefits of the modern world. I want to have a phone. I love using the Internet.
I'm a techie. I grew up in the Silicon Valley. I love technology. I've been a technology reporter most of my life. I want all the benefits of the information society. All I was trying to do was mitigate some of the risk.
DAVIES: So I think you started, you said, by essentially doing an audit. You wanted to find out, you know, what kind of data is out there on you. Tell us a little bit about that, like for example Google. Can you ask Google what do you have on me?
ANGWIN: You can ask Google what do they have on you, and they do actually provide a pretty comprehensive answer. I was able to see all the Google searches I have conducted since 2006, which was a lot of Google searches. It turns out that I had been doing about 26,000 Google searches a month. And so I could see them by day. I could sort them by type of search: shopping, maps.
And I was amazed at how revealing they were. I could reconstruct all the crazy leaps that my mind makes on any given day, where one minute I'm working on an article, and the next minute I'm suddenly shopping for shoes for my daughter. And then a minute later I jump onto another topic.
It was a little disturbing to see what my mind does.
DAVIES: Now, you also decided to contact data brokers, these people who kind of scoop up and then sell and market this data to find out what they had on you. What did you find?
ANGWIN: Well, first of all, I found out there were a lot of data brokers out there. It took me almost a month to compile a list because there's no real list of who are they all. And I found - I was able to identify about 200 or so of them. Of those, very few were willing to let me see my data, about a dozen that would let me see my data.
I obtained my data from some of the bigger brokers: LexisNexis, Axiom. And some very small outfits also were willing to let me see it. And what was shocking about it was it ranged from incredibly precise, every single address I'd ever lived at, including the number on my dorm room in college, which I couldn't even - hadn't remembered which exact number dorm room I lived in, to very imprecise, inaccurate things about - just that were not at all true, that I was a single mother living with no college education, living in a place I didn't live.
DAVIES: Who had that?
ANGWIN: So that one was actually from this company that is in a very strange corner of this world called alternative scoring. So essentially they want to come up with alternatives to the credit score and have - and score you on your data and give people who aren't the normal buyers of credit scores a way to assess you.
And I found this a little terrifying because their data was by far the worst that I'd seen about myself. And then they wanted to use it. You know, one of the uses that they describe, they wanted to apply to it, was hospitals could use this data to assess my ability to pay if I showed up in their emergency room and they don't know who I am.
And I thought, you know, I would like to have a little bit more control over that decision-making process and the hospital and particularly would like them to have the right data about me.
DAVIES: Wow, yeah. You know, it might be helpful to just explain what data brokers are and kind of where do they get all this stuff and then what do they do with it.
ANGWIN: So data brokers began by compiling very simple information from the yellow pages, the white pages and government directories. So, you know, the property records in your state are on public land file somewhere. The data brokers will go buy it and put it in their dossier. And then at the same time your address is usually on file many places with magazines or newspapers you subscribe to, but also the post office sells access to its change-of-address list.
So whenever you send in that little change-of-address card, your new address goes on the list. All these data brokers can buy your new address. That's why those catalogues follow you so quickly whenever you move. So that's how data brokers began.
What's happening now in the digital era is they're adding to their files with all sorts of digital information. So they can find out about you, what you're doing online, what you're buying online. My files from Axiom were disturbingly revealing about my online purchases. You know, they had some frequency metric of, like, how often I had bought underwear online, you know, which is very precise information about me.
ANGWIN: And so now these records that they have are getting much more precise. They're no longer just being used to send you junk mail that you can throw away. Now they're being used online as well to help places figure out who you are as soon as you arrive at their website. They can make an instant assessment by matching your online stuff to some of the offline data.
DAVIES: And I love this little detail that sometimes if you make a purchase or inquire about a price on something, there's some service that captures that fact and then auctions it in some automated, instantaneous way.
ANGWIN: Oh yeah, right. So anytime you land on a website, actually, you may well be being sold on auction right at that second. So what happens is you arrive, and the website - most websites contain invisible tracking technology from the website itself and also from up to a dozen, two dozen different advertising tracking companies.
At least one or two of those companies is likely noticing who you are. They see the little cookie ID, which says User Number 123456 has arrived. And they go onto the auction site. It's really sort of like the New York Stock Exchange except completely automated and happens in milliseconds. And they're like 123456 has arrived. We know he's a man, he's looking for shoes, he's really into skiing. And then there's a bunch of bidders.
And they have automated bidding, who's going to buy you, and then that actually can determine what ad appears. By the time the page loads, you've already been bought and sold, and that ad has arrived just for you.
DAVIES: Wow, and I assume that the purchase price is pennies or fractions of them?
ANGWIN: Fractions of pennies.
DAVIES: We're speaking with Julia Angwin. Her new book is "Dragnet Nation: A Quest for Privacy, Security, and Freedom in a World of Relentless Surveillance." We'll talk more after a short break. This is FRESH AIR.
(SOUNDBITE OF MUSIC)
DAVIES: This is FRESH AIR, and if you're just joining us, our guest is investigative reporter Julia Angwin. Her book about her efforts to avoid surveillance is called "Dragnet Nation: A Quest for Privacy, Security, and Freedom in a World of Relentless Surveillance."
All these firms that are scraping this data and storing it, they say, I guess that it's all anonymous, right, that it's just aggregate data, it's metadata. Can they identify us as people if they want to? And if they can't, should we worry about it?
ANGWIN: Well, that's a great question. So a lot of the online tracking was originally justified as being completely anonymous. And so we shouldn't worry about it because we're not - our names weren't in these databases, it was just Cookie Number 123456 went to these websites.
But there's been a lot of research that shows that basically people's traces and actions are very unique. And so when you get a large set of data that has all these very specific actions taken by people, that you can re-identify them. There was a study that really surprised me that showed that if you had four separate locations of a person, where they had been over a period of a day, you could uniquely identify them. There would be only one person who had been to those four places.
So what we're learning is that the - we can be re-identified. And in fact much of the tracking that's going on is becoming more identified: Facebook, Google, Twitter. They know who you are already. They know your name, most likely, and they are tracking you across the Internet. So they also are blurring the line between the anonymous and the non-anonymous tracking.
DAVIES: And to the extent that government acquires these databases, they can identify an individual if they need to because sometimes that's what they're trying to do.
ANGWIN: The government almost always is trying to identify individuals. So most of the data they collect is identified by name. Or if it isn't immediately identified by name, it can be identified.
DAVIES: All right, so you want to make your information profile more secure, and one of the first things you want to do is secure your computer. And we're always being told, you know, choose complicated passwords, change them frequently, which we hate to hear because then we can't remember the passwords. How did you deal with that? What did you do about password security on your computer?
ANGWIN: Yeah, passwords is such a Gordian knot because you're told to make them really hard to remember and not write them down and have different ones for every website, which is basically impossible. So then what everyone does is have the same password. So the most popular password, by far, is 123456. It's been the most popular password for a decade. It's a terrible password; you're going to get cracked and hacked.
But I myself was victim to this. It's very hard to think of new passwords. So essentially I realized I had to give up on trying to think of new passwords. I came up with two different strategies. One was I used a password manager to come up with the passwords for me. One Password, Last Pass, there's a whole bunch of them out there, and you can just have them generate a random string of numbers and letters to use for your passwords.
And so I did that for a vast majority of sites that I didn't care that much about. But for banking and email and actually my password to my password manager, I wanted something that I had made up myself, but I still didn't want to have to think of it. So I came up with this very interesting strategy, which is a system called Diceware.
It's basically a way to pick random words from the dictionary and string them together to make a very long, difficult-to-break password. The reason you have to pick random words from the dictionary is that if you pick words from your mind, they'll most likely be associated.
So as soon as you pick unicorn, you're probably going to pick fairy, and computers are very good at guessing what we think in our mind is going to random. So picking them truly randomly from the dictionary is a very good way to have an unbreakable password.
OK, so you have a password manager that generates a bunch of gobbledygook passwords for a bunch of sites that you don't use frequently. But then you need a password for your password manager, and you have this system for developing this kind of secure password. What do you do with that? Do you write it down? Do you put it on the cloud? Do you...
I do write my passwords down because those passwords, I only have about five to 10 that are super-long, and for my email and banking and password manager. They can be written down because I am not particularly worried about somebody breaking into my house, taking a piece of paper on which a random string of words is written and then trying to figure out what account I might have used that password for.
I feel like that is the threat I need to worry about least, and so I've decided that that's the best way for me to manage my passwords.
DAVIES: OK, but what do you do when you're at a different computer, at your friend's house or someplace else? Do you carry that piece of paper with you?
ANGWIN: I do. It's in my wallet. Don't tell anyone.
DAVIES: OK, good. Julia Angwin's book is "Dragnet Nation: A Quest for Privacy, Security, and Freedom in a World of Relentless Surveillance." She'll be back in the second half of the show. I'm Dave Davies and this is FRESH AIR.
(SOUNDBITE OF MUSIC)
DAVIES: This is FRESH AIR. I'm Dave Davies, in for Terry Gross, who's off this week. We're speaking with investigative reporter Julia Angwin, who spent years covering online privacy issues. Angwin says we've become a society in which the government and private interests routinely conduct indiscriminate sweeps of our data. In her new book "Dragnet Nation," Angwin describes her personal campaign to protect her digital privacy, and as you'll hear, it wasn't easy. She spent a lot of time figuring out who was collecting data on her and how much they had. She went to great lengths to develop and hide secure passwords and much more.
You have another - several other steps that you do just to protect data like, you know, stuff in your wallet and on your computer and, you know. Do you want to go through some of those? Like Wi-Fi in coffee shops. I mean can you, do you sit down at a Starbucks and use its Wi-Fi freely and securely?
ANGWIN: Well, I've become, you know, what I like to call somewhat of a data survivalist, so I kind of like, bring my own Wi-Fi everywhere. I have a little portable Wi-Fi device called a MyFi that I use in coffee shops and hotels and other places that give you a totally free Wi-Fi. But the truth is what we're learning in today's world is nothing is free, right? If something is supposed to be free then it really means that they're taking your data. So what I've decided is you have to buy my way out of it so it's an expensive way to live. I have to carry this, you know, Wi-Fi device, which is expensive. I have a separate credit card with, not my name on it, that I use. I have two phones. I have this disposable prepaid phone and then my real phone. I have the password manager, which also I have to pay for, so it is an expensive way to live. And that's one thing I found, is that privacy is also becoming a luxury good.
DAVIES: Right. And I want to get to the phone in the moment. You have a special wallet?
ANGWIN: Oh, yes, my wallet is - my wallet is really heavy because it's lined with thin lining of metal, which sounds crazy but, in fact, hackers can skim the numbers off your credit card if they get sort of close enough to your wallet and it's not lined with metal. So this is not a threat that everyone needs to worry about, but I think in today's world with all the data breaches at Target and Neiman Marcus, actually some of those were kind of related in the sense that hackers figured out ways to get to the credit card numbers in physical locations.
DAVIES: Yeah. I mean this kind of creeps me out, but I mean credit cards actually contain, a little - what a little chip that emits a radio frequency?
ANGWIN: Yeah. They do emit some frequency. And if you get near enough and you have the right equipment, you can basically read it. That's what that magnetic stripe is doing, it's basically a reader. So if you come near it with something that can read from that, you can get the information.
DAVIES: OK. So we have a metal wallet and we have your own Wi-Fi. You have a chapter in the book called "Leaving Google," an astonishing thought. First of all, why would you want to leave Google?
ANGWIN: I love Google. I didn't really want to leave Google. All their services were working so well for me. But the fact is that they knew everything about me. And also, the government, as we have seen through the Snowden revelations, is very busy trying to get all that information from Google. So I just felt that from a risk management perspective I needed to spread my data around. I could have some Google services but I couldn't be using everything. I was using Maps, Gmail, Android phone, Google Search, you name it. They had it. There wasn't a minute in my day I wasn't connected to them, so I started slowly paring back. And the hardest part was Google Search.
ANGWIN: Because you know, Google Search is basically what you think of when you think of when you think of going to the Internet. You even use it as a verb, you know, I'm Googling something. So I wasn't even sure would I ever find anything again on the Internet if I quit Google Search. But I went and I found a privacy protecting search engine called DuckDuck Go. It has a little picture of a duck on the front with a bow tie and very cheerful looking and I taught myself how to use it. It was weird because I didn't think that there was a skill involved in searching. But what I hadn't realized was when you type something into Google you're not searching for what you typed in. Google is adding information. So if you type in museum, it already knows you're in New York. It probably already knows what kind of museums you've been to in the past. It's Google, they have all that information about you and so they kind of give you exactly what you want right away, which is great except for the fact I didn't want them to know all that about me. So with DuckDuck Go, I have to enter all the things - museums in New York, natural history and then they give me what I want because they don't know anything about me.
DAVIES: So DuckDuck Go, they advertise the fact that they don't store your data. Where do they come from? You got to meet the founders of it, right?
ANGWIN: Yeah, I went out to meet them because I was so curious about who were these guys and why would you even start a search engine to try to compete with Google in today's world? But they're out in Pennsylvania and they basically just have this quixotic vision that they want to have a privacy protecting search engine that is an alternative to Google. They don't store any of the data that - even the data that is automatically transmitted by your computer, they strip it out and delete it, they don't save any of the search queries and they just seem to be committed to it.
DAVIES: And so with some practice, you're quacking just fine, it works?
ANGWIN: Yes. And I actually convinced my children to use it as well because it was such a cute looking duck.
DAVIES: Cell phones is another issue. First of all, what kind of information are people getting from her cell phones?
ANGWIN: Everything you can get from her cell phones these days because we do everything on our cell phones, right? So first of all, we bring them in our room and sleep next to them, so our location is always being transmitted not just to the cell phone company, but to many of the apps, to the company that makes your phone and possibly advertisers who are inside the apps or inside the phone in other ways. And so there are a lot of people who are getting your location. And then they also - many of them can see what you're looking for, what you're searching for online or which apps you're using what time you set your alarm clock for. Basically anything you do on there is being transmitted to somebody.
DAVIES: So what did you decide to do about that?
ANGWIN: I tried two things. I tried having a burner phone, which basically was a phone not tied to my identity so that the very least, I could do all those things without it being tied to my identity. And I...
DAVIES: And that the prepaid disposable phone, right? You can - right.
ANGWIN: Yes. And I tried using a prepaid disposable phone to - for many of those things. I also installed all sorts of software to protect my privacy on the phone. So I had this thing called Tour that would route my Internet traffic through other places so it would look like I was in a different location than I really was. I installed some encryption software that would scramble my calls so they couldn't be listened to by anyone. And I installed that same encryption for texting. The problem with those was I had to convince other people on the other end to use the same software to communicate with me.
ANGWIN: So it was kind of a lonely existence.
DAVIES: Now you said that there's this software. I think it's called Tour, which will, when you execute an Internet search route it through different countries so it's harder to tell where you are, right?
ANGWIN: Yeah. I was sitting in a cafe in New York and Tour made it look like I was sitting in Amsterdam.
DAVIES: Right. Now does it slow down the searches?
ANGWIN: It's very slow.
ANGWIN: The problem is, you're sitting in a cafe in New York and you're running your searches out of Amsterdam.
ANGWIN: So it's, you know, so this is the problem, the price of privacy is rather high. So when I timed my searches on Tour, they took at lease double - many times four or five times longer than it would've taken not on Tour.
DAVIES: OK. And you write that when you were carrying your phone because it allows people to track where you are, you turn off the Wi-Fi for long periods of time. Is that right?
ANGWIN: Yeah. In fact, I don't ever turn on the Wi-Fi on my phone anymore because what's been happening recently is that there is an increasing number of entities - commercial entities mostly - but also some governmental that are using the Wi-Fi signal on your phone to identify you as you walk by wherever they are having their monitoring. So for instance, there's some shopping malls that are using Wi-Fi sniffing devices to see who was walking by what stores where and they use this to track where's the traffic, but they also use it to identify you individually because it says which phone is going by.
DAVIES: So when you turn it off that means you still have phone service but you don't have Internet service?
ANGWIN: Well, you can surf the Internet over your cell service, but it's slower. So everything that I did, by the way, made everything slower so all things were slow for me. In fact, I'm just living - maybe I should call it like the slow technology movement.
DAVIES: And at some point you wrap the phone in tinfoil, right?
ANGWIN: Yes. This was sort of a low moment in my journey where I wanted to just have my phone not connected to the - to anything for a period of time. And I was going to get a special bag to put it in called a Faraday cage, which is basically a bag lined with metal. But then a former CIA guy said, you know, you could just wrap it in tinfoil, it would do the same thing. So I spent a day with my phone wrapped in tinfoil just as an experiment. It did work but it was the most embarrassing thing ever, because I would get to a meeting and then I would sort of carefully unwrap it to check an email and then wrap it back up and then by the end of the day the tinfoil was sort of torn in many places and looked really like a old, crushed sandwich.
ANGWIN: And so then I realized I might as well just pay for the Faraday bag, which was rather expensive but now I throw my phone into that and it kind of blocks all signals so I can just take it out when I want to check something and then throw it back in.
DAVIES: Right. And you look hip and high-tech as opposed to somebody like carries tinfoil?
ANGWIN: Yes. Correct.
DAVIES: We're speaking with Julia Angwin. Her book is "Dragnet Nation" and we'll talk more after a short break. This is FRESH AIR.
(SOUNDBITE OF MUSIC)
DAVIES: This is FRESH AIR and if you're just joining us, our guest is investigative reporter Julia Angwin. She writes for ProPublica. Her new book is called "Dragnet Nation: A Quest for Privacy, Security and Freedom in a World of Relentless Surveillance." So I'm interested in kind of your reflections on this whole experience. How much were you able to protect yourself, do you know?
ANGWIN: I wasn't that successful. I mean I would say I probably protected myself, at most, 50 percent of what is possible. And that's because I wasn't willing to live in a cage in, you know, a tin shed in the woods, because I wanted to live in the modern world. And there's a price you pay for living in the modern world. And some of that has to do with - you have to share your data.
But I also felt that it didn't have to be that way. I would've been happy to buy some services - like email, and a better search engine and a cell phone that wouldn't track me and I wasn't able to buy those things. And so I felt that there was a lack of a market for privacy. I also felt there was a lack of laws because I felt it was unfair for these data brokers to hold all this information, not let me see it and not let me remove it.
DAVIES: You know, you've been writing about the privacy issues for a long time now. And you write that when you go to an airport you insist on - upon a pat down rather than go through the body scanner. Why?
ANGWIN: I want there to be metrics about the fact that people don't want this invasive dragnets. I mean the body scanners are essentially dragnets. They are indiscriminate surveillance. Everybody has to go through it and then it's data that's stored somewhere and kept forever. Like all of these dragnets, I'm concerned not only about the moment they're collected but the fact that they're going to live on. I don't want there to be an image of my naked body in some government database; they've already gotten enough about me. So I go for the pat down because I think there's no record of that. It's actually more evasive. They stick their hands in your pants, you know, it's no fun. But I allow myself half an hour every time because I want there to be a number out there which says people aren't choosing this and I actually felt good. The other day I was in an airport in Denver, I think, where there was a sign in the line at TSA and it said: 95 percent of people choose to go through the body scanner. And I thought ah-ha, I'm part of the five percent and I'm very proud of that.
DAVIES: So it's not just, you know, an act of resistance on principle. You think there is - you really don't like the fact - actually they didn't realize. I mean these images of our bodies when we put our hands over our heads are actually all stored somewhere?
ANGWIN: They are stored. By the way, TSA says they delete them after some short period of time. But I think what we have seen over and over again is that what people say is happening to data is often not what's really happening. We saw that with Snowden, right, there was all sorts of data that no one would have ever imagined the government was keeping. And so I admit I err on the other side of paranoid, but I just didn't want it out there even for whatever short period of time they say they store it for.
DAVIES: After you went through all this stuff, which of the various kind of lifestyle changes or equipment changes that you adopted, stuck? Which ones are your - which ones are you still using?
ANGWIN: Surprisingly, I feel like I'm still doing most everything, I kind of feel like I became a vegetarian. I changed my eating habits, you know, I changed the way I eat or consume technology. And so it's sort of like he wouldn't go back to meat again. And so I basically still do everything because it became my practice and my way of approaching technology.
DAVIES: So there's these slow searches and turning your phone off, you're just used to it, it works for you.
ANGWIN: I've gotten used to it and I also have convinced myself, possibly incorrectly, but I've convinced myself that there's a benefit to them. I see my slow searches as a triumph. I think I am getting -- this is so slow that it must be really private.
DAVIES: Some of the steps you've taken here, I mean creating a second identity and using tor and, you know, this other kind of software that's designed to kind of mask, you know, what you're up to are things that criminals, drug dealers, use too. And I wonder - are you concerned that you're going to make yourself a target or a suspect in the eyes of law enforcement with this?
ANGWIN: Yes, I was concerned about that. I - almost everything I did, I expect, would make me more likely to look suspicious, everything from opting out of the body scanners at the airport to using anonymizing software to using encryption. And the NSA - one of the documents that was revealed by Snowden showed that using encryption was something they considered suspicious and allowed them to override the rules and keep that data.
Just by the fact it was encrypted they could keep it. Normally they would try to throw away data of people who weren't suspected of anything. And so I know that a lot of these technologies would land me on the suspicious list but I think that is what I'm concerned about. It shouldn't be suspicious for me to want to have a conversation with my mother that no one else listens to, right, one of the standards we've set for suspicion.
And so I believe, actually, that part of what I'm doing here is challenging that standard and I think if we all challenge it we could maybe change it.
DAVIES: So you haven't been visited by guys in suits and sunglasses yet.
ANGWIN: Not yet but I'm ready.
DAVIES: It's interesting, you involved your kids in this in some way. I mean they knew what you were doing and you kind of had them help you generate passwords by rolling dice. I'm wondering what the impact was on them and was it good for them to see their mom adopting, like, a fake identity for example.
ANGWIN: My kids were the most surprising part of this. They started this whole thing thinking privacy was another way for mom to say no. Because privacy was what I told them when they said can we post this video on YouTube? And I said no because of privacy. Can we get an account on, you know, this kid's social network? No, because of privacy.
So as I was working on this project, though, I realized I needed to change it from a no to a yes. I needed to give them something to be excited about with privacy. So I started by getting my daughter into my password business. She learned how to make passwords. She got really into rolling dice and picking words out of the dictionary. And she actually started a business selling passwords for $1 each.
I was perfectly happy to buy them from her because I was getting tired of rolling dice myself and now she sells them to all of our friends and relatives.
ANGWIN: So I think that the financial incentive, actually, really helped her think, oh, privacy is cool because I can make money on it. And then from there she started to get interested in all the other stuff. She particularly liked having fake names so my kids both have set up their own fake names that they plan to use on all their online accounts. They're young so they don't have that many.
My daughter loved the encryption. She loved making secret phone calls tome on an encrypted line and sending me encrypted text messages. Because kids love privacy, actually, as long as it's their secret, right? What they don't want is someone inflicting it on them but anyone who's ever written a secret diary as a kid knows there's nothing better than that lock that you turn on the outside of the diary.
But I did worry that I'd gone too far when my daughter - when I was filling out a school form and I wrote down my daughter's Social Security number and she said Mom, you have to put a fake one there!
ANGWIN: And I thought uh-oh, the experiment has gone too far.
DAVIES: Well, Julia Angwin, thanks so much. It's been interesting.
ANGWIN: Thank you so much.
DAVIES: Julia Angwin writes for the independent news organization ProPublica. Her new book is "Dragnet Nation: A Quest for Privacy, Security and Freedom in a World of Relentless Surveillance." Coming up, Ken Tucker reviews the debut album of the Los Angeles duo Vertical Scratchers. This is FRESH AIR.
(SOUNDBITE OF MUSIC) Transcript provided by NPR, Copyright NPR.