Reification technologies: Web bugs, beacons and trackers

The notion of using time for the collection of data and representing it back to the user was originally an idea from David Gelernter and Eric Freeman in the 1990s (Freeman 1997; Gelernter 2010) which they called a lifestream,

a time-ordered stream of documents that functions as a diary of your electronic life; every document you create and every document other people send you is stored in your lifestream.

Gelernter originally described these ‘chronicle streams' (Gelernter 1994), highlighting both their narrative and temporal dimensions related to the storage of documentation and texts. Today we are more likely to think of them as ‘real-time streams' (Berry 2011) and the timeline functions offered by systems like Twitter, Facebook and Google+ (see Bucher 2012, for a discussion of the EdgeRank algorithm, for example). This is increasingly the model of interface design that is driving the innovation in computation, especially in mobile and locative technologies. However, in contrast to the document-centric model that Gelernter and Freeman were describing, there are also the micro-streams of short updates, epitomized by Twitter, which has short text message sized 140 character updates.

So email is one kind of data I've systematically archived. And there's a huge amount that can be learned from that. Another kind of data that I've been collecting is keystrokes. For many years, I've captured every keystroke I've typed—now more than 100 million of them. (Wolfram 2012)

This kind of self-collection of data is certainly becoming more prevalent, and in the context of reflexivity and self-knowledge, it raises interesting questions. The scale of data that is collected can also be relatively large and unstructured.² Nonetheless, better data management and techniques for searching and surfacing information from unstructured or semi-structured data will no doubt be revealing about our everyday patterns in the future.³

It is clear too, for example, that the growing phenomena of what are called ‘web bugs' (also known as ‘web beacons') that are covertly collecting data and information about us is becoming more contentious while it also becomes ubiquitous. These ‘web bugs' are computer algorithms that are embedded in seemingly benign computal surfaces but which collect data relentlessly.⁴ As Madrigal (2012) explains:

This morning, if you opened your browser and went to NYTimes.com, an amazing thing happened in the milliseconds between your click and when the news about North Korea and James Murdoch appeared on your screen. Data from this single visit was sent to 10 different companies, including Microsoft and Google subsidiaries, a gaggle of traffic-logging sites, and other, smaller ad firms. Nearly instantaneously, these companies can log your visit, place ads tailored for your eyes specifically, and add to the ever-growing online file about you...

My complete list includes 105 companies, and there are dozens more than that in existence. (Madrigal 2012)

Web bugs are automated data collection agents that are secretly included in the web pages that we browse. Often held within a tiny one-pixel frame or image, which is therefore far too small for the naked eye to see, they execute code to secrete cookies onto your computer so that they can track user behaviour, and send various information about the user back to their servers. Web bugs can be thought of as reification technologies, that is, they convert social relations, experience and activities into relations between objects. Here, the objects are code objects, but nonetheless they function in similar ways to everyday objects, in as much as they are understood to have properties and remain rela­tively stable and therefore in some sense persistent. They are also a product of capitalism both in terms of their function as providing means for the creation and maintenance of exchange, and in terms of generating consumer feedback and generating desire as part of a system of advertising and marketing.

Originally designed as ‘HTTP state management mechanisms' in the early 1990s, these data storage processes were designed to enable webpages and sites to store the current collection of data about a user, or what is called 'State' in computer science, known as 'web bugs for web 1.0' (Dobias 2010: 245).They were aimed at allowing website designers to implement some memory of a user, such as a current shopping basket, preferences or username. It was a small step for companies to see the potential of monitoring user behaviour by leaving tracking information about browsing, purchasing and clicking behaviour through the use of these early 'cookies'.⁵ The ability of algorithms to track behaviour, collect data and information about users raises important privacy implications but also facilitates the rise of so-called behaviour marketing and nudges (see Eyal 2012 for a behaviourist approach).

Fortunately, we are seeing the creation of a number of useful software projects to allow us to track the trackers, such as, Collusion, Foxtracks and Ghostery.⁶ For example, if we look at the Betaware ChartBeat web bug, a key company in the collection of this form of data, the Ghostery log for the Betaware ChartBeat company describes it as providing real-time analytics via an interface that tracks visitors, load times and referring sites on a minute-by- minute basis. This therefore allows real-time tracking and monitoring of users (Ghostery 2012b).⁷

These trackers are used to collect and aggregate user data, in effect they attempt to identify either the user or the type of user. For website owners, especially those interested in using behavioural nudges and other persuasive techniques, customizing the website pages that are served up to the user according to their profile vastly improves the ‘stickiness' of the website, but also its profitability. Web bugs perform these analytics by running code run in the browser without the knowledge of the user, and which if it should be observed, looks extremely opaque.⁸

It is noticeable, however, that newer web bugs are complicated and difficult to understand, even for experienced computer programmers. They are larger, more complex in their processing capabilities and far more intrusive in the data they attempt to collect. Indeed, one suspects an element of obfuscation, a programming technique to reduce the readability of the code and which is used to essentially shield the company from observation.

In essence, [the NAI] argued that users do not have the right to not be tracked. “We've long recognized that consumers should be provided a choice about whether data about their likely interests can be used to make their ads more relevant,” [they] wrote. “But the NAI code also recognizes that companies sometimes need to continue to collect data for operational reasons that are separate from ad targeting based on a user's online behavior”... Companies “need to continue to collect data” but that contrasts directly with users desire “not to be tracked” (Madrigal 2012)

These web bugs, beacons, pixels and tags, as they are variously called, form part of the dark-net surveillance network that users rarely see even though it is profoundly changing their experience of the internet in real time by attempting to second guess, tempt, direct and nudge behaviour in particular directions.⁹ Google is clearly the biggest player in the area of the collection of user data and statistics but other companies are aggressively moving into this area.

Where companies are more explicitly collecting data and information they often have in place data collection and privacy policies, for example, see Facebook (2012) or Google (2012a). An analysis by Cranor and McDonald (2008) found that it would take on average 201 hours per year to read the privacy policies that users find in connection with their everyday use of the internet and which are extremely complicated legal documents. Unsurprisingly, few read them. Users are therefore often agreeing to certain data usage, collection, reselling and aggregation without explicitly being aware of it. For example, while you are logged in, Facebook collects,

a timestamped list of the URLs you visit and pair it with your name, list of friends, Facebook preferences, email address, IP address, screen resolution, operating system and browser. When you're logged out, it captures everything except your name, list of friends, and Facebook preferences. Instead, it uses a unique alphanumeric identifier to track you (Love 2012).

Of course, all of these web bugs are active in some level of user surveillance, and indeed it is no surprise that web bugs perform part of the tracking technologies used by companies to monitor staff. For example, in 2006, Hewlett Packard used web bugs from readnotify.com to trace insider leaks to the journalist Dawn Kawamoto and later confirmed in testimony to a U.S. House of Representatives subcommittee that it's ‘still company practice to use e-mail bugs in certain cases' (Evers 2006; Fried 2006).

This is an extremely textured environment that currently offers little in terms of diagnosis or even warnings to the user. The industry itself, which prefers the term ‘clear GIF' to web bug, certainly is keen to avoid regulation and keeps itself very much to itself in order to avoid raising too much unwarranted attention. Some of the current discussions over the direction of regulation on this issue have focused on the ‘do not track' flag, which would signal a user's opt-out preference within an HTTP header. Unfortunately, very few companies respect the ‘do not track header' and there is currently no legal requirement that they do so in the United States, or elsewhere (W3C 2012). There have been some moves towards self-regulation in the technology industry with a recent report from the US Federal Trade Commission (Tsukayama 2012). Although, see the current debate over the EU ePrivacy Directive, where the Article 29 Working Party (A29 WP) has stated that ‘voluntary plans drawn up by Europe's digital advertising industry representatives, the European Advertising Standards Alliance and IAB Europe, do not meet the consent and information requirements of the recently revised ePrivacy Directive' (Baker 2012). Legislation may therefore be introduced into the European Union before elsewhere - indeed in the United Kingdom the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations (PECR) 2011 has already come into force and covers all website owners with a UK presence, who are now required to obtain informed consent from website users and subscribers in order to store information on their devices, although this is often merely a warning that the web site uses ‘cookies', which is meaningless to most members of the public (see ICO 2012).

With the greater use of computational networked devices in everyday life, from mobile phones to GPS systems, these forms of tracking systems will only become more invasive and more aggressive in collecting data from our everyday life and encounters. There is growing concern by users and the media itself about what they should do to protect themselves against this growing web-bug surveillance industry. Indeed, it is unsurprising to find that Americans, for example, are not comfortable with the growth in use of these tracker technologies, Pew (2012) found,

that 73 percent of Americans said they would “not be okay” with being tracked (because it would be an invasion of privacy).... Only 23 percent said they'd be “okay” with tracking (because it would lead to better and more personalized search results).... Despite all those high-percentage objections to the idea of being tracked, less than half of the people surveyed - 38 percent - said they knew of ways to control the data collected about them (Garber 2012; Pew 2012).

The ability of these computational systems to supply a service commodity to the user, while needing to raise income through the harvesting of data, which is sold to advertisers and marketing companies, shows that this is a potentially conflictual situation. It also serves to demonstrate the extent to which users are just not aware of the subterranean depths of their computational devices and the ability for these general computing platforms to disconnect the user interface from the actual intentions or functioning of the device, while giving the impression to the user that they remain fully in control of the computer. As Garber observes, ‘underground network, surface illusion.... How much do we actually want to know about this stuff? Do we truly want to understand the intricacies of data-collection and personalization and all the behind-the- screen work that creates the easy, breezy experience of search... or would we, on some level, prefer that it remain as magic?' (Garber 2012). Indeed, as Aron (2012) reports, ‘up to 75 per cent of the energy used by free versions of Android apps is spent serving up ads or tracking and uploading user data.' That is, on free versions of popular apps most of the processing work in the app is spent in monitoring user activities and reporting that data back home to servers (see also Pathak et al. 2012). This ability for code/software to monitor the user covertly and even obscure its processing activities will undoubtedly become a growing political and economic as well as technical issue (see some examples from Goodale 2012).¹⁰

In terms of covert code objects acting or obscuring their activities, Stuxnet, a computer worm, is a fascinating example.¹¹ Experts now believe that Stuxnet was aimed at the Iranian uranium-enrichment facility at Natanz, Iran.¹² The Stuxnet worm, a subclass of computer virus, copied itself repeatedly across computer systems until it found the host that met its ‘strike conditions', that is, the location it was designed to attack, and activated its ‘digital warhead', which could monitor, damage or even destroy its target. The name, ‘Stuxnet', is ‘derived from some of the filename/strings in the malware - mrxcls.sys, mrxnet.sys', the first part, ‘stu', comes from the (.stub) file, mrxcls.sys; and the second part, ‘xnet', comes from mrxnet.sys (Kruszelnicki 2011; mmpc2 2010). Due to the sophistication of the programming involved, this worm is considered to have reached a new level in cyberwarfare. Stuxnet has been called the first ‘weaponized' computer virus, and it would have required huge resources, like a test facility to model a nuclear plant, to create and launch it (Cherry 2010). As Liam O'Murchu, an operations manager for Symantec, explained,

Unlike the millions of worms and viruses that turn up on the Internet every year, this one was not trying to steal passwords, identities or money. Stuxnet appeared to be crawling around the world, computer by computer, looking for some sort of industrial operation that was using a specific piece of equipment, a Siemens S7-300 programmable logic controller. (60minutes 2012b)

The Stuxnet worm works by undertaking a very complex stealth infection and covers its tracks by recording data from the nuclear processing system which it then plays back to the operators to disguise that it is actually gently causing the centrifuges to fail. This is known as a ‘man-in-the-middle attack', because it fakes industrial process control sensor signals so an infected system does not exhibit abnormal behaviour and therefore raise alarm. Cleverly, the faults created in the plant are likely to occur weeks after the sabotaged effort, and in a targeted way, through the fatiguing of the motors - making it look like a standard failure rather than an attack. Indeed, Iran later confirmed that a number of its centrifuges had been affected by an attack (CBSNews 2010). Later, a ‘senior Iranian intelligence official said an estimated 16,000 computers were infected by the Stuxnet virus' (AP 2012). The Stuxnet worm is also interesting because it also has built-in sunset code that causes the worm to erase itself (in this case after 24 June 2012), and hence hide its tracks. As Zett (2011) explains:

once the code infects a system, it searches for the presence of two kinds of frequency converters made by the Iranian firm Fararo Paya and the Finnish company Vacon, making it clear that the code has a precise target in its sights.... Stuxnet begins with a nominal frequency of 1,064 Hz... then reduces the frequency for a short while before returning it back to 1,064 Hz.... Stuxnet [then] instructs the speed to increase to 1,410 Hz, which is “very close to the maximum speed the spinning aluminum IR-1 rotor can withstand mechanically,”... [but] before the rotor reaches the tangential speed at which it would break apart... within 15 minutes after instructing the frequency to increase, Stuxnet returns the frequency to its nominal 1,064 Hz level. Nothing else happens for 27 days, at which point a second attack sequence kicks in that reduces the frequency to 2 Hz, which lasts for 50 minutes before the frequency is restored to 1,064 Hz. Another 27 days pass, and the first attack sequence launches again, increasing the frequency to 1,410 Hz, followed 27 days later by a reduction to 2 Hz. (Zetter 2011)

Stuxnet disguises all of this activity by overriding the data control systems and sending commands to disable warning and safety controls that would normally alert plant operators to these dangerous frequency changes. Stuxnet is interesting because it is not a general purpose attack, but designed to unload its digital warheads under specific conditions against a specific threat target. It is also remarkable in the way in which it disengages the interface, the screen for the user, from the underlying logic and performance of the machine.

Due to the complexities involved in being able to test such a worm before releasing it into the wild, there has been a great deal of speculation about whether a state would have been required to develop it (Markoff and Sanger 2010). Richard Clarke, the former chief of counter-terrorism under Presidents Clinton and Bush, argues that the built-in fail-safes are an important clue to Stuxnet's source and that they point to the kinds of procedures found in a Western government. Clarke stated, ‘if a [Western] government were going to do something like this... then it would have to go through a bureaucracy, a clearance process, [and] somewhere along the line, lawyers would say, “We have to prevent collateral damage,” and the programmers would go back and add features that normally you don't see in the hacks. And there are several of them in Stuxnet' (Gross 2011). Indeed, the complexities and structure of the worm mean that estimates are that at least 30 people would have been working on it simultaneously to build such a worm (Zetter 2010). Especially one that launched a so-called ‘zero-day attack', that is, using a set of techniques that are not public nor known by the developer of the attacked system, in this case Microsoft and Siemens - in actuality it was remarkable for exploiting four different zero-day vulnerabilities (Gross 2011). There is now a large and growing secondary market for these kinds of exploits with prices ranged between $50,000 and $100,000 (Naraine 2012a). Indeed,

[these] customers... don't aim to fix Google's security bugs or those of any other commercial software vendor. They're government agencies who purchase such “zero-day” exploits, or hacking techniques that use undisclosed flaws in software, with the explicit intention of invading or disrupting the computers and phones of crime suspects and intelligence targets. In that shady but legal market for security vulnerabilities, a zero- day exploit that might earn a hacker $2,000 or $3,000 from a software firm could earn 10 or even 100 times that sum from the spies and cops who aim to use it in secret. (Greenberg 2012)

Companies that specialize in the trade in cybersecurity information and technology vulnerabilities have been described as ‘modern-day merchant[s] of death,' selling ‘the bullets for cyberwar' (Greenberg 2012). Combined together into cleverly written code digital warheads these vulnerabilities can be exploited to create serious attacks on infrastructure and technical equipment, although the skills to do this would require a sophisticated project team. Indeed, with Stuxnet the layered approach to its attack and application of multiple vulnerabilities, combined with the detailed knowledge required of Microsoft Windows, supervisory control and data acquisition (SCADA) and programmable logic controllers (PLCs) systems, this would have been a very large project to develop and launch. Indeed, Eric Byres, chief technology officer for Byres Security, has stated: ‘we're talking man-months, if not years, of coding to make it work the way it did' (Zetter 2010). The ‘weaponization' of code vulnerabilities is a growing problem as Brad Arkin argues, ‘I'm not saying we should outlaw offensive research. However, it's clear that these [intellectual] offensive advances very much change the game. Once something gets published, it's only a matter of time before real-world bad guys put them into their operations' (Naraine 2012b).¹3 In order to counter the anarchy of a free market in zero-day vulnerabilities, some Western governments are pushing for ‘designed exploits' to be built into their systems, as Morozov (2012a) explains,

[The] surveillance business keeps booming. The FBI [has made] attempts to convince Internet companies to build secret back doors into their services.... At the same time... developing countries—and especially Russia, China, and Iran—have begun making efforts to limit their dependence on American technology, in part because they feel it may contain secret back doors or be strategically exploited to foment unrest. (Morozov 2012)

Indeed, these security concerns are shown to have some truth in relation to Stuxnet, whose two chief capabilities are: (1) to identify its target precisely using a number of software-based markers that give the physical identity of the geographic location away. Indeed, ‘attackers [had] full, and I mean this literally, full tactical knowledge of every damn detail of [the Natanz] plant' (60minutes 2012b) and (2) the capability to disengage control systems from physical systems and to provide a stealth infection into the computers that would fool the operators of the plant (a ‘man-in-the-middle attack'). This was achieved through the use of two ‘digital warheads', called 417 and 315. The smaller, (315), was designed to slowly reduce the speed of rotors leading to cracks and failures, and the second larger warhead, (417), manipulated valves in the centrifuge and faking industrial process control sensor signals by modelling the centrifuges which were grouped into 164 cascades (Langner 2011). Indeed, Langner (2011) described this evocatively as ‘two shooters from different angles'. The Stuxnet worm was launched some time in 2009/2010 and shortly afterwards,¹⁴

the all-important centrifuges at Iran's nuclear fuel enrichment facility at Natanz began failing at a suspicious rate. Iran eventually admitted that computer code created problems for their centrifuges, but downplayed any lasting damage. Computer security experts now agree that code was a sophisticated computer worm dubbed Stuxnet, and that it destroyed more than 1,000 centrifuges. (60minutes 2012a)

The origin of the name Stuxnet is hypothesized from an analysis of the approximately 15,000 lines of programming code in the worm. Langner undertook a close reading and reconstruction of the programming logic by taking the machine code, disassembling it and then attempting to convert it into the C programming language. The code could then be analysed for system function calls, timers and data structures, in order to try to understand what the code was doing (Langner 2011). As part of this process, a reference to 'Myrtus' was discovered, and the link made to 'Myrtus as an allusion to the Hebrew word for Esther. The Book of Esther tells the story of a Persian plot against the Jews, who attacked their enemies pre-emptively' (Markoff and Sanger 2010).¹⁵ While no actor has claimed responsibility for Stuxnet, there is a strong suspicion that either the United States or Israel had to be involved in the creation of such a sophisticated attack virus. Its attack appears to have been concentrated on a number of selected areas, with Iran at the centre.

Clearly, this kind of attack could be mobilized at targets other than nuclear enrichment facilities, and indeed the stealth and care with which it attempts to fool the operators of the plants shows that computational devices will undoubtedly be targets for monitoring, surveillance, control and so forth in the future. Of course, once the code for undertaking this kind of sophisticated cyberattack is out in the wild, it is relatively trivial to decode the computer code and learn techniques that would have taken many years of development in a very short time. As Sean McGurk explains, 'you can download the actual source code of Stuxnet now and you can repurpose it and repackage it and then, you know, point it back towards wherever it came from' (60minutes 2012b). Indeed, a different worm, called Duqu, has already been discovered, albeit with purposes linked to the collection of the data on industrial control systems and structures, a so-called 'Trojan' (Hopkins 2011).¹⁶ As Alexander Gostev, reports,

There were a number of projects involving programs based on the "Tilded" [i.e. Stuxnet] platform throughout the period 2007-2011. Stuxnet and Duqu are two of them - there could have been others, which for now remain unknown. The platform continues to develop, which can only mean one thing - we're likely to see more modifications in the future (Gostev 2012).¹⁷

The increased ability of software and code to covertly monitor, control and mediate, both positively and negatively, is not just a case of interventions for deceiving the human and non-human actors that make up part of these assemblages. However, below, I want to look at the willing compliance with data collection, indeed, the enthusiastic contribution of real-time data to computal systems as part of the notion of lifestreams, and more particularly the quantified self-movement - what Searls (2013) has called 'life management platforms'.

The growth in the use of self-monitoring technologies often called lifestreaming, or the notion of the quantified self, is rapidly expanding as the public has become more comfortable with the computational monitoring possible with intimate computational devices.¹⁸ These technologies have expanded in recent years as the ‘real-time streams' like Twitter and Facebook platforms have expanded, enabling users to upload and share their data and statistics. Indeed, some argue that ‘we're finally in a position where people volunteer information about their specific activities, often their location, who they're with, what they're doing, how they feel about what they're doing, what they're talking about.... We've never had data like that before, at least not at that level of granularity' (Rieland 2012). Indeed the Economist argues that the,

idea of measuring things to chart progress towards a goal is commonplace in large organisations. Governments tot up trade figures, hospital waiting times and exam results; companies measure their turnover, profits and inventory. But the use of metrics by individuals is rather less widespread, with the notable exceptions of people who are trying to lose weight or improve their fitness.... But some people are doing just these things. They are an eclectic mix of early adopters, fitness freaks, technology evangelists, personal-development junkies, hackers and patients suffering from a wide variety of health problems. What they share is a belief that gathering and analysing data about their everyday activities can help them improve their lives—an approach known as "self-tracking',' “body hacking” or "self-quantifying” (Economist 2012)

This phenomenon of using computational devices to monitor health signals and to feed them back into calculative interfaces, data visualizations, real­time streams, etc. is the next step in social media. This closes the loop of personal information online, which, although it remains notionally private, is stored and accessed by corporations who wish to use this biodata for data mining and innovation surfacing. For example, The Zeo (headband) has already generated the largest-ever database on sleep stages, which apparently reveals gender differences in REM-sleep quantity; Asthmapolis which hopes to pool aggregated data from thousands of inhalers fitted with its Spiroscout (asthma inhaler) sensor in an effort to improve the management of asthma; and data from the Boozerlyzer (alcohol counting) app which investigates the variation in people's response to alcohol, while collecting data about these drinking habits (Economist 2012).

This way of collecting and sending data has been accelerated by the use of mobile ‘apps', which are small, relatively contained applications that usually perform a single specific function. For example, the Twitter app on the iPhone allows the user to send updates to their timeline, but also search other timelines, check out profiles, streams and so on. When created as apps, however, they are also able to use the power of the local device, especially if it contains the kinds of sophisticated sensory circuitry that is common in smartphones, to log GPS geographic location, direction, etc. This is when lifestreaming becomes increasingly similar to the activity of web bugs in monitoring and collecting data on the users that are active on the network (Hill 2011).¹⁹ Indeed, activity streams have become a standard which is increasingly being incorporated into software across a number of media and software practices (see ActivityStreams n.d.). An activity stream essentially encodes a user event or activity into a form that can be computationally transmitted and later aggregated, searched and processed,

In its simplest form, an activity consists of an actor, a verb, an object, and a target. It tells the story of a person performing an action on or with an object - “Geraldine posted a photo to her album” or “John shared a video” In most cases these components will be explicit, but they may also be implied. (ActivityStreamsWG 2011, original emphasis)

This data and activity collection is only part of the picture, however. In order to become reflexive data it must be computationally processed from its raw state, which may be structured, unstructured or a combination of the two. At this point it is common for the data to be visualized, usually through a graph or timeline, but there are also techniques such as heat maps, graph theory and so forth that enable the data to be processed and reprocessed to tease out patterns in the underlying data set. In both the individual and aggregative use cases, in other words for the individual user (or lifestreamer) or organization (such as Facebook), the key is to pattern match and compare details of the data, such as against a norm, a historical data set, or against a population, group, or class or others.²⁰

The patterned usage is therefore a dynamic real-time feedback mechanism in terms of providing steers for behaviour, norms and so forth, but it is also offering a documentary narcissism that appears to give the user an existential confirmation and status.²¹ Even in its so-called gamification forms, the awarding of competitive points, badges, honours and positional goods more generally is the construction of a hierarchical social structure within the group of users, for example, Foursquare. It also encourages the users to think of themselves as a set of partial objects, fragmented dividuals or loosely connected properties, collected as a time series of data points and subject to intervention and control. This can be thought of as a computational care of the self, facilitated by an army of oligopticans (Latour 2005) in the wider computational environment that observe and store behavioural and affective data. However, this self is reconciled through the code and software that visualizes the data so that it makes sense. The code and software are therefore responsible for creating and maintaining the meaning and narratives through a stabilization of the web of meaning for the actor.²²

One of the most interesting aspects of these systems is that users are actively downloading apps that advertise the fact that they collect this data and seem to genuinely find existential relief or recognition in their movements being recorded and available for later playback or analysis. Indeed, web bugs are in many ways themselves facilitating life streams, albeit life streams that have not been authorized by the user whom they are monitoring.This collection of what we might call compactants is designed to passive-aggressively record data.²³ It is this passive-aggressive feature of computational agents - that is, collecting information, both in terms of their passive quality of being under the surface, relatively benign and silent, and in terms of the aggressiveness in their hoarding of data by monitoring behavioural signals, activity streams, affectivity streams, social signal data and so forth.²⁴

Interestingly, compactants are structured in such a way that they can be understood as having a dichotomous structure of data collection/visualization, each of which is a specific mode of operation. Naturally, due to the huge quantities of data that is often generated, the computational processing and aggregation is often offloaded to the 'cloud', or server computers designed specifically for the task, and accessed via networks. Indeed, many viruses, for example, often seek to 'call home' to report their status, upload data or offer the chance of being updated, perhaps to a more aggressive version of themselves or to correct bugs.

There is also a telos within these wider computational systems made up of arrays or networks of compactants, which in many cases is a future user, or an ideal version of the present user. It also raises the problem of what we might call, the cognitive capture of the user (or institution) whereby algorithmic systems, with their speed and breadth of information analysis, present us with suggestions that we accept because we are not in a position to cognitively check that the proposal proffered is the best one. Within the quantified self-movement there is an explicit recognition that the 'future self' will be required to undo bad habits and behaviours of the present self (see Hill 2011). There is an explicit normative context to a future self, who you, as the present self may be treating unfairly, immorally or without due regard to, what has been described as 'future self continuity' and who can speak to the present through algorithms (Tugend 2012). This inbuilt tendency towards the futural is a fascinating reflection of the internal temporal representation of time within computational systems, that is, time-series structured streams of real-time data, often organized as lists.

Therefore, the past (as stored data), present (as current data collection, or processed archival data) and future (as both the ethical addressee of the system and potential provider of data and usage) are often deeply embedded in the code that runs these systems. In some cases the future also has an objective existence as a probabilistic projection, literally a code object, which is updated in real time and which contains the major features of the future state represented as a model; computational weather prediction systems and climate change models are both examples of this. This code object (or perhaps better, code-subject) may be better placed to work out what is best for its user than the users themselves, as proposed with software-based personal assistants, such that ‘it understands you so well, that it can make really good suggestions to make your life much better' (Mac 2012). Although these compactant systems also raise concerns, such as ‘the inability for consumers to anticipate how their information is being used, [there is] a potential chilling effect on personal behavior that comes with monitoring and the possibility of the government using [this] data' (Mac 2012).²5

Indeed, recent revelations about the comprehensive collection of data by the US NSA and the UK GCHQ demonstrate the extent to which everyday life is now reified into computational systems creating a kind of quantified public. Indeed, ‘[Edward] Snowden, the former NSA contractor, among other things revealed a secret order from the surveillance court directing Verizon Business Services Inc. to turn over “comprehensive communications routing information” to the NSA (Valentino-Devries and Gorman 2013). This forms part of a collection strategy that essentially hoovers up all information that passes over the internet, for example, ‘Britain's Government Communications Headquarters (GCHQ) [uses a system called] Tempora [which] is the signal intelligence community's first “full-take Internet buffer," meaning that it saves all of the data passing through the country' (Spiegel 2013). Indeed, the fact that so much of our data is sent via the internet in the ‘clear', that is as easily readable textual information, has led Assange (2013) and others to claim ‘strong cryptography is a vital tool in fighting state oppression', indeed, he argues,

cryptography can protect not just the civil liberties and rights of individuals, but the sovereignty and independence of whole countries, solidarity between groups with common cause, and the project of global emancipation. (Assange 2013)

Even so, within institutional contexts, code/software is still being fully incorporated into the specific logics of these systems, and in many ways may undermine these structural and institutional forms.²⁶ We must remain attentive to the fact that software engineering is a relatively recent discipline and its efforts at systematization and rationalization are piecemeal and incomplete, as the many hugely expensive software system failures attest. Code/software design and implementation is not easy, many techniques needed are still in their relative infancy, and while it is clear that these large surveillance systems are being built, their efficacy still remains to be shown although there is a clear and present danger to democratic life. But this should give hope and direction to the critical theorists, both of the present looking to provide critique and counterfactuals, but also ofthe future, as code/software is a particularly rich site for intervention, contestation and the unbuilding of code/software systems.²⁷ Indeed, I tentatively suggest that a future critical theory of code and software is committed to unbuilding, disassembling and deformation of existing code/ software systems, together with leaking, glitching and overloading these systems. But additionally, it requires a necessary intervention in terms of a positive moment, such as the Turkopticon project which allows workers to ‘create and use reviews of employers when choosing employers on Amazon Mechanical Turk... as an example of systems design incorporating feminist analysis and reflexivity... a system to make worker-employer relations visible and to provoke ethical and political debate' (Irani and Silberman 2013). But also needed are the formation and composition of future and alternative systems, using civil society movements, public encryption, the democratization of cryptography, megaleaks and the education of citizens about these systems and the dangers of massive data archives, whether in the hands of companies or governments.

148