Maybe I shouldn’t have had my isesk in front of this window, I thought. The space from here across the tracks was open. What if there was a sniper hiding in those trees across the way?
Not long ago—in 2012, say—thinking that unseen, malevolent forces were targeting you was a sure sign of psychosis, or of overheated fiction.
But the passage above didn’t come from the diary of a person having a schizophrenic break, or a spy novel. It appears on page 122 of Hacks, Donna Brazile’s memoir about the 2016 election, released late last year. Brazile, a veteran political operative, ran the Democratic National Committee last fall, and Hacks has won attention for her denunciations of the Clinton campaign.
Yet the non-political part of the book—in which Brazile discusses Russian government’s information warfare against the committee, and the crisis it provoked both for the Democratic party and her personally—may ultimately prove far more consequential. It suggests how slim the firewall between our on- and offline words has become, and how democratic nations are almost without noticing slipping into a crisis of privacy and paranoia without precedent outside of totalitarian states.
Much has been written recently about the way the Internet feeds paranoia, pulling people into a web of conspiracy theories, forged documents and farfetched connections. But the opposite is also true. The rise of massively connected systems and centralized databases has filled honeypots for hackers and created vulnerabilities that never existed before.
As a former investigative reporter, and a novelist who now makes his living crafting tales about the Central Intelligence Agency, I’ve spent a lot of time thinking about these trends. But reading Brazile’s book spurred me to write, because her experience so illustrates the dangers all of us face.
In the physical world, unearthing secrets—spying—is risky, difficult, and prohibitively expensive, the provenance of governments, law-enforcement agencies, and the occasional multinational corporation or Hollywood mogul. Tracking people requires teams of watchers, or devices that emit recognizable signals and can usually be found without too much trouble if someone checks. Similarly, intercepting landline phone conversations requires physical equipment that is hard to install and easy to find.
Elaborate face-to-face efforts to steal information, or plant disinformation, are even harder to pull off, and often fail spectacularly. I could only smile at Ronan Farrow’s description in The New Yorker of the bungled attempts by Harvey Weinstein’s corporate spies from Kroll Associates and an Israeli intelligence firm to stop his reporting on Weinstein’s sexual misconduct.
Even paranoids have enemies, maybe, but in the real world no one spies on nobodies. Our secrets are not worth the trouble and expense. We rightly dismiss as psychotic anyone who believes he is being watched.
But not on the Internet. Make no mistake, information theft over computer networks is spying; but it has fundamentally changed spying’s cost-benefit analysis. It is far cheaper, easier, and less risky for the perpetrators than traditional methods, because it can be done from a safe distance and its tools are almost infinitely replicable. Once a piece of malware has been created to attack one computer or database, it can be used against almost any other, for any reason. That flexibility erases the distinction between attacks by government-controlled espionage agencies and private criminal networks. Further, once it hides itself deep inside computer operating systems, the malware is hard to find and even harder to uproot.
We are vulnerable at every point in the chain. We store libraries of personal information—photos and emails, mortgage applications, weight-loss apps—on our phones and computers. Nearly everyone knows those devices are vulnerable. How vulnerable? In June 2016, a photo of Mark Zuckerberg gained attention; Zuckerberg, standing in an office, his laptop visible to his right. The laptop’s camera and microphone jack were taped over. The billionaire founder of one the world’s most powerful technology companies had resorted to the crudest of solutions to keep himself safe.
Yet even people who are careful never to download suspicious programs and limit what they store on their own devices cannot escape the risks. Government agencies and corporations—not just technology companies, but financial institutions, health care providers, and retailers—vacuum data to build their own mega-libraries. Those now contain unthinkable amounts of personal information: search histories, financial records, medical test results, tax and insurance forms. We call them databases. Really they are virtual vaults, privately owned Fort Knoxes. Only their treasures can be stolen in silence without trucks or masked attackers.
The companies insist that these banks are unbreachable. They have proven again and again to be wrong. Last year, hackers broke into Equifax, a credit reporting company that sells identity theft prevention services, and stole the personal data of 145 million people. Even the National Security Agency cannot keep its own hacking tools—its most valuable assets—from being taken and offered for sale on the dark Web. That breach has received some attention, including a recent front-page article in The New York Times, but it deserves more; imagine if the Air Force allowed a squadron of F-15s to be stolen and could not get them back.
In between are medium-sized companies and charities that conduct much of their business over email and solicit credit card and personal information over the Internet—like the Democratic National Committee. Those enterprises may be the most vulnerable, big enough to have their own important business secrets and valuable information on hundreds of thousands of people, too small to have top-level protection.
So far the sheer volume of stolen data has been its own best defense. Hackers are too busy taking it to figure out which email accounts have information that owners would pay to keep private, which credit card accounts might prove really valuable. They have also largely kept out of the physical world. Diabolical schemes like taking over an Internet-enabled oven and using it to burn down a house, taking control of a car through its entertainment system, or emailing a child through a hacked parental account and telling her to go somewhere so she can be kidnapped mostly remain fictional.So far the sheer volume of stolen data has been its own best defense.
But there’s no reason to believe that hackers won’t ultimately try to integrate on-and off-line criminality, especially with the rise of Bitcoin and other crypto-currencies, which give them an untraceable way to get paid for kidnapping and blackmail—a major hurdle until now. Anyway, the worlds online and off are connected so closely that they have done plenty of damage already.
As Donna Brazile knows.
Of course, the DNC was not selected randomly. Our intelligence agencies say the Russian government directed hackers to attack it as part of an effort to undermine confidence in the 2016 election. The hackers had little trouble infiltrating the committee’s servers. Still, there is no evidence that anyone engaged in any real-world spying on the DNC. The Russian efforts appear to have been limited to what their hackers could steal from the committee’s files.
Yet by her own account, Brazile—who took over in July 2016, after the first big leak of stolen emails—grew increasingly paranoid as the election approached and the leaks continued. She swept her house for bugs and installed motion detectors and security cameras—despite the irony that they were Internet-connected and thus might be hacked. She grew hyper-vigilant when a cleaning person she did not know watered plants at DNC headquarters. Though the offices had already been swept, she insisted a technician sweep them again and had trouble believing him when he told her he hadn’t found anything. She made crude efforts at counter-surveillance when she drove, taking different routes to and from her home. She worried the Russians had killed Seth Rich, a junior DNC employee.
In other words, Brazile began to behave almost as though she were suffering a psychotic break, a separation from reality.
We shouldn’t be surprised. Owning and controlling secrets is essential to human identity. We all want walls between our public and private selves. One of George Orwell’s great insights in 1984 was that totalitarian societies create profound helplessness in their citizens by destroying that zone of privacy and making sure that people can never let down their guard even if they have no reason to believe they are being targeted. A strain of what can only be described as irritable paranoia runs through 1984.
The same paranoia is creeping into our lives. With every data dump, every posting of a celebrity’s hacked photos, every report on the vulnerabilities of Internet-enabled devices, the risks we face become more apparent. When the tools of spying are nearly free, we are all targets. Our lives online and off are so entwined that losing control of our secrets in the former inevitably breeds our fears in the latter.
So far, Apple, Google, and Amazon, the most crucial technology companies, seem to have avoided serious breaches. (I don’t include Facebook because its business model more or less consists of legally stealing people’s privacy.)
But the day that malware locks down a billion iPhones simultaneously or hackers dump billions of Gmail passwords on the dark Web—much less the day that they gleefully report they have stolen every test result from Quest Diagnostics or insurance record from United Healthcare—will be the day that we realize that we were not too paranoid but not paranoid enough.
Before that moment comes, we must demand stronger protections. Maybe the solution is a National Privacy Safety Board, charged with investigating major hacks and recommending or mandating new rules that companies would have to follow. Maybe we need federal security standards for commercial databases, with special protections required for the largest and most important—those too big to fail. The answers will be complex, and they will not entirely solve the problem.
But to do nothing is consign ourselves to a world in which privacy dies a painful death, and we all wind up seeing snipers in the trees.