Modern field guide to security and privacy

Opinion: The reasonable expectation fallacy

The ability to delete yourself from the Web doesn't really matter. What really matters in the age of advanced surveillance is the right to not be correlated. Technology is always watching and capturing you, but the correlation is where the danger lies. Laws can change that, but only if enacted soon.


If I take your picture on the public street, I do not need to give you any notice – and you have no basis to complain about it. If there's visible light, your image is fair game.

My porch light has a motion sensor that can see as far as the public sidewalk. If you walk by, it will light up – and you have no basis to complain that it captured your movement. If there's infrared light, you are fair game.

Even your heart emits unique electromagnetic pulses. What if I can detect and capture those signals? If there are microwaves, you are fair game.

If you have a new car, it broadcasts several unique Bluetooth signals. High-frequency radio? You're fair game.

The inexpensive Wi-Fi router in your home continuously advertises its name – the service set identifier – that was probably selected by you. That information is being broadcast on a 2.4GHz radio band through the air – and, so, that information is fair game.

Let's be rational and thus concrete: Wavelength does not matter. What is fair game to observe is independent of wavelength – I have the right to capture what you emanate.

Even just in visible light, the technology is readily available today to capture and recognize your iris – increasingly used in security systems – from a distance of 50 yards. Facial recognition is feasible at 500 yards. The unique pattern of your gait can be detected in just 10 paces. Again, being concrete, does my right to look at you – and capture your identity and identifiers – depend on what I'm looking for? Hardly.

Most privacy laws exist to block government actions. A few exist to block private institutional actions. But none exist to block individuals' actions.

In the Supreme Court case Kyllo v. US, defendant Danny Lee Kyllo, a marijuana grower, argued that police use of a thermal imager to discover the high-intensity lights growing marijuana in his garage constituted a search for which a warrant was necessary.

The Court held: "Where, as here, the Government uses a device that is not in general public use, to explore details of a private home that would previously have been unknowable without physical intrusion, the surveillance is a Fourth Amendment 'search,' and is presumptively unreasonable without a warrant."

Read that carefully – the requirement for a warrant exists solely where the device to be used to gather photons is "not in general public use."

As anyone knows, what the government and only the government has today, the rich will have tomorrow. What the rich have tomorrow, the lumpen proletariat will have the day after tomorrow – it is general public use that removes any prohibitions on use by government or other institutions.

Now consider the thermal imager. Fifteen years ago when Kyllo was decided, the devices were not in general use. Now, they are readily available. One ad reads: "Multispectral imaging – maximizes details and image sharpness, adds GPS location to images, self-calibrates for optimum image and accurate temperature calculation, combines infrared with visual input, records audio with the video which is directly stored in the iPhone photo gallery."

That description begins with "multispectral," meaning that it combines multiple wavelengths – visible light, infrared light, and GPS radio. The number of emanations that are capturable by devices that are in general public use is large and growing. You tell me, what does "appearing in public" mean as that variety grows? That multiple spectra are correlatable is hardly a surprise, but does your intuition tell you that the net effect is additive, that each new correlation adds "1" to some pre-existing sum? Or is the power of correlation such that each new one added does not increase a sum through addition but a product through multiplication like a compound interest sort of calculation?

This is the point: No society, no people need rules against things that are impossible. If your personal "expectation of privacy" is based on the impossibility of observability or even the impossibility of identifiability, then your logic, like that of the Supreme Court, is temporary and weak. A long view in the face of rapid technologic change is far harder.

In past months, well-informed individuals have warned about advances in artificial intelligence as being likely to introduce irreversible unintended effects that are permanently incompatible with fundamental values. In past months, well-informed individuals have warned about advances in genetic engineering as being likely to introduce irreversible unintended effects that are permanently incompatible with fundamental values. I am here to say that I side with those well-informed individuals in both cases, and hope that they, and you, side with me that advances in observability are introducing irreversible and unintended effects that are permanently incompatible with fundamental values.

It is easy to drift toward "making the best be the enemy of the good." Baking radio frequency identity tags in your microwave does not, in the end, do anything if your cellphone, Bluetooth gizmos, iris, and auto registration are each collected and then correlated. We cannot – nor should we waste political capital trying to – serially forbid collections by name or by type or by wavelength.

We can only sabotage use. We must change liability law so thoroughly and so substantially that data acquisition is no different from stockpiling combinations of lethal chemicals that grow increasingly dangerous as their varieties increase. There is no mechanistic difference whatsoever between personalization and targeting save for the intent of the analyst. To believe otherwise is to believe in the Tooth Fairy. To not care is to abandon your duty.

Dan Geer is the chief information security officer for In-Q-Tel, a not-for-profit investment firm that works to invest in technology that supports the missions of the Central Intelligence Agency and the broader US intelligence community.


