BOB GARFIELD:  From WNYC in New York, this is On the Media. I’m Bob Garfield.

BROOKE GLADSTONE:  And I'm Brooke Gladstone. At no point in history have civilians been more vulnerable to government surveillance or prying by private companies. And what a curious trio of factors have brought us here. Fear of terrorism, on the one hand, the profit motive on the other, and on both hands the fun and convenience of life online. Whether for utility or security, loss of privacy is a tradeoff, sometimes conscious and sometimes not, and perhaps the defining bargain of our times.

BOB GARFIELD:  But is it a bargain as in a good deal or a bargain as in Faustian? We’re devoting this hour to considering the issues of privacy and surveillance. We’ll review some of the latest refinements in snooping online, on the phone and even on the road, but we’ll begin by examining our own illusions. In the next report, OTM Producer Sarah Abdurrahman may be telling the savvier among us what we already know, but most of us still cling to the notion that we, with a few simple precautions, can handle our own security when we venture online.

  [MUSIC UP AND UNDER]

MAN:  In response to the new Facebook guidelines, I hereby declare that my copyright is attached to all of my personal details, illustrations, graphics, comics, paintings, photos and videos. Anyone can copy this text and paste it on their Facebook Wall. This will place them under the protection of copyright laws.

SARAH ABDURRAHMAN:  If you’re on Facebook, chances are that you’ve recently seen that statement on the Walls of your Facebook friends. You might have even copied and posted it yourself. It went viral. But as the Electronic Frontier Foundation’s Eva Galperin observes, it was all a hoax.

EVA GALPERIN:  This sort of wishful thinking that really powers this hoax is if you do this fairly simple thing, you will not have to do the hard work of protecting your privacy or protecting your data. Often it stems from a misunderstanding about how the Internet works or how privacy works.

SARAH ABDURRAHMAN:  A lot of our behavior springs from that  misunderstanding. We take some measures to protect our data but they're often the wrong measures. It's like ordering a Big Mac, large fries, and a Diet Coke. The intentions might be good but we won't get the results we’re looking for - same with that viral Facebook meme. Within hours, countless people wasted time posting it to their walls. But according to Sarah Feinberg, director of policy communications at Facebook, when they actually offered their users a real chance to vote on how the site is governed:

SARAH FEINBERG:  Very few users were engaged in the vote, far less than 1% of users. My sense is that many more people were focused on the copyright meme.

ALESSANDRO ACQUISTI:  Our privacy attitudes and our behavior are much less rational and stable than what we may like to believe.

SARAH ABDURRAHMAN:  Alessandro Acquisti co-directs the Center for Behavioral Decision Research at Carnegie Mellon University. He says the more you believe yourself to be in control, the more likely you are to act. The people who posted that bogus copyright notice on their Facebook Wall felt like they were in control.

ALESSANDRO ACQUISTI:  On the other hand, at the Facebook election, I can express my preferences but really I have no guarantee that these preferences will be satisfied.

SARAH ABDURRAHMAN:  Of course, it’s not just Facebook. Anytime you use a service from what’s known as a “third party provider,” you are subject to its terms, and that usually means it owns your data and can do what it wants with it.

EVA GALPERIN:  So if you're using Gmail, your mail essentially belongs to Google and Google can decide what they want to do with it. Google has a Terms of Service and a privacy policy that says they will not give it up. But they’re not required to do so.

SARAH ABDURRAHMAN:  Galperin says people don't really grasp the lowly legal status of their e-mails.

EVA GALPERIN:  And they don't have the same Fourth Amendment protections that they would if the mail was sitting in their house, and governments and law enforcement agencies, even people involved in civil cases, could possibly come to the webmail provider and get that information with a warrant.

SARAH ABDURRAHMAN:  In fact, even without a warrant, if your e-mail is older than six months. Ryan Singel, former editor of  Wired.com's Threat Level blog, says that’s a byproduct of an outdated law.

RYAN SINGEL:  When they originally set up electronic privacy law in the 1980s, everybody always downloaded their e-mail. You didn’t leave it on the server, so anything over six months was considered abandoned, whereas these days you leave stuff up on the Internet forever in your accounts.

SARAH ABDURRAHMAN:  But what if you don't actually send your electronic correspondence? Remember that affair between General David Petraeus and Paula Broadwell? The couple reportedly used a tactic favored by terrorists and teenagers to keep their communications secret. They left their messages as drafts in a shared e-mail account.

RYAN SINGEL:  Well, the idea is that if you write a draft to someone and you leave it there, the e-mail never gets sent to that person, right? So there’s one less hop, which means like one less place for somebody to see something.

SARAH ABDURRAHMAN:  But Petraeus and his mistress were found out, so a perfect plan it is not. And if the director of the CIA can’t cover his tracks online, what hope is there for the rest of us?

RYAN SINGEL:  People often think if they throw something in the trash and delete it that it’s therefore off of their computer. That is not the case. People think that if they erase their browser history that nobody’s gonna be able to figure out where they went online. It does make it a lot harder, but it's not impossible to get. Skype is one. People think things are encrypted. It is encrypted but most of the time Skype saves chats on your computer. People make mistakes about using open Wi-Fi or neighbors’ Wi-Fi to do things that aren't legal.

The other one I love is that businesses put those little disclaimers down at the bottom of their e-mails that, you know, this e-mail is only intended for the intended recipient and you can’t forward it on. That has absolutely no meaning whatsoever.

SARAH ABDURRAHMAN:  So why do people do it?

RYAN SINGEL:  Because it can’t hurt to add it and it might scare people, but every lawyer I talked to has said, no, that’s not true. So if you get an e-mail that’s not intended for you and it's got some crazy secret, send it on to the New York Times. You’re not gonna get prosecuted. You want to say something to someone that’s very personal, pick up the phone and call them or say it in person.

The Internet is a giant copy machine. Anything you put on the Internet can be copied and sent around. I just hope you have nice friends. [LAUGHS]

SARAH ABDURRAHMAN:  The reality is that once you release an e-mail into the world or post a Facebook status or even send an off-the-record chat, you have no control over what happens to it on the other end. And even though many companies that you store private information with online promise not to disclose any of it -

JACOB APPELBAUM:  Those promises are no good when the rule of law comes into play.

SARAH ABDURRAHMAN:  Computer Security Researcher Jacob Appelbaum says even the most well-intentioned company has to comply with the law.

JACOB APPELBAUM:  That’s happened to me with my Gmail account. The US government took my Gmail with less probable cause than a search warrant would have required, by far. That is an example where the privacy by policy was an utter failure. SARAH ABDURRAHMAN:  He says the only way to keep companies from divulging your personal information is to encrypt it, all of it, so they can’t collect it, in the first place.

JACOB APPELBAUM:  The trick is to change it from a dynamic where you basically say, please promise not to take this data, please promise not to exploit me, but they do anyway, or they’ve been compromised so they don’t know they’re doing it, and takes it to a place where they can log it all they want, but whatever they log is worthless, ‘cause it’s encrypted.

SARAH ABDURRAHMAN:  So now it's on you. What a pain! You might think, who cares if my information isn’t private, I've got nothing to hide.

JACOB APPELBAUM:  So does it matter if Google knows that you’re gay? Well, I don’t know. Do they have any homophobic engineers with access to that database? For example, in Uganda right now they’re trying to pass what people call the “Kill the Gaze Bill.” And that is a great example where today the information about you, which can be found by your social network, that’s a life or death issue.

SARAH ABDURRAHMAN:  Your online life can be targeted for any number of unexpected reasons. Just ask Wired Magazine writer Mat Honan, who recently had his whole digital life destroyed by hackers. They wanted something he had.

MAT HONAN:  They had gone after me because they saw that I had a three-character Twitter handle, which was sort of valuable real estate. So everything they did was all kind of collateral damage to get that Twitter account.

SARAH ABDURRAHMAN:  Collateral damage, including wiping away years of messages, documents, and every photo he'd ever taken of his 18-month-old daughter. Honan’s sobering experience taught him that the one thing we all use every day to shield ourselves online, the thing that makes us feel protected and in control, the password, is actually a dangerous illusion.

MAT HONAN:  A password is just a string of data, and there are all kinds of ways to either get around it, or get it and copy it.

SARAH ABDURRAHMAN:  Honan says a password is especially vulnerable because it is a singular point of entry that can be attacked from multiple fronts, through malware on your devices, large password dumps online, fishing, brute force or the strategy used to get into Honan’s stuff, password resets. And a person trying to break into your online accounts can often reset your password, using information already available online.

MAT HONAN:  If I call up tech support and I happen to know, say, your mother’s maiden name, which I’ve gotten from Ancestry, or your high school mascot that I’ve gotten from classmates, or your date of birth that I’ve gotten from Facebook, I’m most of the way there to getting a password reset.

SARAH ABDURRAHMAN:  And you know that password trick we’re always told to use, replacing letters with other symbols?

MAT HONAN:  A 5 for an S, a $ sign for an S, a 4 for an A - if you can think of it, there’s a computer program that can do it.

SARAH ABDURRAHMAN:  And go ahead, keep trying to make your passwords longer and more complicated. There are computer programs that can figure those out too.

MAT HONAN:  It's an arms race between how many characters you're willing to enter in and how good our computers are - and the problems we run on them are gonna get.

SARAH ABDURRAHMAN:  And, of course, we all know we’re not supposed to reuse passwords in multiple places, but repeating password patterns is no no good either.

MAT HONAN:  Some people will do this thing where they’ll have a password that could be say, 123-Google and will think, okay,  well, if that's my Google password and my Facebook password is 123-Facebook and so it's totally different. But it's not. People reuse passwords ‘cause they don't know how else to remember a good password. This has been the longtime problem of security. People won't take steps to secure their information, unless it's convenient.

SARAH ABDURRAHMAN:  It's precisely that trade-off of convenience over security that keeps people online.

MAN:  We can walk down the street and ask Google what's the best place for sushi within three blocks. Facebook has been really great at keeping people connected. If you want to have a party and you want to invite people or share photos with all of your friends, like that’s really pretty cool, actually. So it's hard when you kind of balance the things that you get with it with the things that you don't want, like you don't know if you put that picture up –

  [MUSIC UP AND UNDER]

- who’s gonna see it and, you know how do you keep a stalker from coming after you or how do you keep an ex-boyfriend from keeping tabs on you on Twitter?

MAN:  Anyone can copy this text and paste it on their Facebook Wall. This will place them under the protection of copyright laws.

SARAH ABDURRAHMAN:  I, for one, did not post that Facebook disclaimer on my Wall because I don't have a Facebook Wall. Staying off the social networking site is my way of asserting control over my digital identity. But then again, I'm also guilty of using a Diet Coke to wash down my metaphorical Big Mac. I may be off Facebook but I use Gmail, have a smart phone, communicate over Skype, pay bills online. [SIGHS] It's all just too convenient. For On the Media, I’m Sarah Abdurrahman.