The founder of Yale’s Privacy Lab is worried by the coming age of surveillance and facial recognition

Privacy news
10 mins
Sean O’Brien founder of Yale’s Privacy Lab.

Editor’s note: This post was originally published on January 14, 2020. Sean O’Brien later joined us as Principal Researcher to establish our new Digital Security Lab, focusing on high-quality, original research in the areas of digital privacy, cybersecurity, access to knowledge, and information flows. O’Brien has since moved on from ExpressVPN. Learn more about the ExpressVPN Digital Security Lab.

Sean O’Brien is a lecturer in cybersecurity at Yale Law School and the founder of the Yale Privacy Lab. He’s also the CEO of PrivacySafe, which builds secure, enterprise-grade IoT appliances and consults for organizations in privacy-conscious industries.

By his own admission, Sean has been deeply passionate about online privacy, anonymity, and cybersecurity since he was a teenager. He’s now made that into a lifetime project, with his work and side interests deeply rooted in promoting digital freedom and access to information.

We had the chance to talk to Sean about his work with the Yale Privacy Lab and his views on the future of online privacy. Here’s what he had to say.

[Want more interviews with prominent privacy advocates? Sign up for the ExpressVPN newsletter.]

Answers are edited for brevity and clarity.

Can you describe your work with the Yale Privacy Lab and discuss the impact the lab has had on internet privacy and security?

Yale Privacy Lab is an initiative of the Information Society Project at Yale Law School, a relationship that puts us squarely within debates about privacy, security, and access to information. I’m deeply concerned about digital freedom, or rather the lack of it, and Yale Privacy Lab reflects that.

We built our reputation via digital self-defense workshops, what people used to call “crypto parties,” where we teach people how to use tech like Tor and encrypted messaging. We also analyze Android and iOS apps for privacy leakage, focusing on trackers that are delivered in these apps as software libraries or SDKs.

Our biggest impact has certainly been digging into trackers and revealing how polluted the mobile ecosystem is

In the past, we’ve also done fun activities, like taking photos of outdoor cameras and other surveillance devices and mapping them for civic transparency. So we are concerned with surveillance creep in general, away from the keyboard and phone.

Our biggest impact has certainly been digging into trackers and revealing how polluted the mobile ecosystem is—work that relies upon the invaluable software developed by Exodus Privacy and a team of global volunteers. Nearly all apps have Google, Facebook, or other third-party tracking in them, and I’m proud of having worked on that since 2017, before privacy awareness hit the mainstream. In 2020 we’ll be expanding on that theme and doing lots more work in mobile computing. As I often say, stay tuned.

When did you first become interested in internet privacy and security? What made you want to pursue a career in this field?

I had a blue EFF ribbon on my first website when I was 14, so I guess I’ve had an interest in digital rights as long as I’ve been on the Web. My concerns about surveillance, and what we can do about it as empowered users, definitely grew from those early days on the Internet.

I didn’t start thinking strongly about security until I started working as a Web developer and sysadmin, […]I’d say that, starting around 2008ish, my work became a lot more difficult and the Web started to become a much more hostile place. I started having to defend against constant DDoS attacks, patching tons of vulnerabilities in Content Management Systems, etc.

When Snowden hit the press in 2013, I was in the right place at the right time, and I was already giving community workshops as part of a “free skool” in New Haven. The workshop attendance and general interest really skyrocketed. I think that was a watershed moment, and another one was the Vault 7 releases by Wikileaks, that really pointed to the strength and capability of intelligence agencies to undermine global privacy and security.

What do you think about the future of internet privacy and security, given the repeal of net neutrality and further attacks on anonymity in the West?

Well I mentioned Snowden and Wikileaks, and I think there’s a lot to be said about U.S. intelligence and the Five Eyes and their role in undermining not just our privacy, but also the fundamental security of the ground we stand on, so to speak.

But what’s also become really apparent in the past decade is the power of private companies. Big tech players like Amazon and Google and Facebook dominate our digital lives by intermediating every aspect of our communication with surveillance software. And that software is being delivered via IoT hardware in more and more private spaces, with Alexa and Ring and Nest and Portal devices in our homes.

As the spy things continue to creep into every corner of our world, they’re also being boosted by the dismantling of any concept of net neutrality.

There’s a lot to be said about U.S. intelligence and the Five Eyes and their role in undermining not just our privacy, but also the fundamental security of the ground we stand on

When you not only have physical controls at every access point to the public Internet, but you also have network controls that throttle and discriminate against certain types of traffic, and there aren’t even laws and regulations to hinder that, then we’ve really lost the battle for digital freedom. And that not only strangles competition and innovation, but it tears apart our social fabric and buries fundamental aspects of what makes us human. I think the fact that “anonymity” is a dirty word in the U.S., UK, and Europe is a symptom that we’re in the middle of a totalitarian shift that could result in total control of our lives, our most private thoughts, and aspirations. And that’s why it’s so important to keep fighting for true anonymity online.

How can citizens claim back their rights online? Are we destined for internet models such as those in China (walled-off, heavily restricted?)

What people in China have been dealing with for years we’re now starting to see in the U.S. and elsewhere, places like Australia where strong encryption is illegal. And citizens who care about their privacy, as well as their fundamental rights as humans, are facing surveillance creep from all directions.

IoT is moving in a scary direction that we have to stop in its tracks. But we also need to reverse course with the devices in our pockets, where the most-installed apps of the last ten years are all owned by perhaps the worst privacy offender, Zuckerberg (Facebook, Facebook Messenger, WhatsApp, and Instagram).

We’ve been dealing with walled prisons since the rise of AOL, maybe earlier, and thankfully we do still have VPNs

For years, scholars have been worried, quite correctly, about the so-called “balkanization” of the Internet, or “splinternet,” where access is increasingly divided along nationalist lines. As well as, potentially, even political and religious ones. But we’ve been dealing with walled prisons since the rise of AOL, maybe earlier, and thankfully we do still have VPNs and the Tor network, emerging networks like I2P, and so on.

As long as we can keep supporting these existing technologies and developing new ones, such as the 3NWeb protocols that PrivacySafe uses, we will have some measure of freedom. But the China example shows that this tech can be heavily policed and tied to a social credit score, a reality that may not be too far off in my backyard. And in the Global South, it’s a reality as well, places like the poorest townships in South Africa.

People who care about digital freedom, which now means freedom in every aspect of life, need to do what we’ve always done—build new defensive technology, strengthen existing safeguards, and show everyone we know how to do the same (and why it’s so important). We’re talking about really powerful and unpredictable systems when we talk about global networks.

As intimidating as the challenges may seem, it’s possible to have a huge impact that’s wildly effective, even though each individual action may look small at the time. Snowden’s impact is proof of that, as is the impact of many others.

Access to free apps and ad-driven internet businesses is an everyday reality and might foster internet inclusion, particularly in the global south. For you, what’s a happy medium between the need to monetize and individual privacy?

I actually don’t believe in the power of the ad-driven Internet. There’s a tendency to throw more and more money into advertising in an attempt to reach more eyeballs or, conversely, to drastically reduce or give up on traditional advertising altogether. This was accelerated by the Web, where banner popup ads created a “race to the bottom.” Ad space was being devalued as more consumers spent time staring at screens, and there was, so to speak, increasing ad real estate that became increasingly cheap.

Google cleverly turned this into an opportunity, flipping the script on banner ads by championing toned down, mostly inoffensive text-based ads. They placed themselves at the center of this new marketplace, as both the merchant selling ads and the auditor determining their worth.

And that has made Google incredibly rich and powerful, allowing them to explore side-projects galore and try to open up new markets while the nuclear reactor of ad-driven search pays the bills. Facebook is also a huge player in this space, perhaps even more effective at channeling ad cash into its coffers.

With these two players in place, and the creation of app markets on iOS and Android, I will agree that ad-driven businesses are a reality. But I do think the ground under them is shaky. And I would caution that any ad-driven software business, perhaps especially startups, are likely to gather a huge amount of data on their users.

The app economy fully relies upon this, both because you can’t make much money on selling apps directly, a race-to-the-bottom again where you’re fighting for 99 cents, and because investors often see the value of the data collected by businesses as more valuable than the business itself.

So, what’s the alternative? For one, we can embrace Free and Open-Source Software via privacy-respecting app stores like F-Droid and social media like Mastodon and Minds. But in the U.S., where Silicon Valley is extremely powerful, we can also start rejecting ad-driven, surveillance-based business models and instead buck the trend.

Why did you start PrivacySafe? What problem does it tackle?

PrivacySafe is born from ideas that have been gestating in my mind for a very long time, and I’ve been working with single-board computers and mini-servers, what used to be called “plug computers,” since they started appearing a decade ago.

We’re trying to bring the cloud back home, while still giving people strong privacy, security, and sharing features.

PrivacySafe was launched this past September, to bring portable and secure IoT appliances to homes and enterprises. PrivacySafe appliances are small, trustworthy devices that connect to your network and allow you to share files, anonymously if you wish, to nearly anyone in the world. We also provide automatic scanning for malware and ransomware, as well as cool features like a password vault. We’re trying to bring the cloud back home, while still giving people strong privacy, security, and sharing features.

We’re building different editions of our appliances for different settings, starting with the Maker Edition, which is a development kit that starts shipping in February 2020. It has software for connecting with 3D printers and controlling IoT devices on-board, in addition to the sharing and security features I just mentioned.

Other editions will focus on healthcare, Bitcoin, and Monero payment processing. We also deploy custom solutions for enterprise that utilize our appliances. For example, we set up kiosks and endpoint security and have even done privacy-respecting crowd counting for events. In 2020, we’ll be expanding on those and also making a push into education, delivering privacy and cybersecurity curriculum via our Maker Edition.

What are you most worried/concerned about internet privacy in the next 3-4 years?

I vary each morning in my optimism or pessimism, so it’s a tough question. What we used to call social networks have morphed into a privacy-eating goliath that will be very difficult to dismantle. But there’s also the issue of Amazon and extreme centralization of infrastructure, both the thing we call the cloud and the hardware that runs it.

I bring up Amazon in this context because it’s fresh in my mind this holiday season, and the tons of extra cash the company has in its war chest can be turned once again toward domination of the Internet. But I suppose intelligence agency snooping, which will, of course, work closely with private actors, is still my number one worry. Coupled with ubiquitous video surveillance and facial recognition, it’s very scary. So, let’s try to put a wrench in the works while we still can.

Read more: Interview: Encryption expert Riana Pfefferkorn on the erosion of online free speech

I like to think about the impact that the internet has on humanity. In my free time, I'm wolfing down pasta.