The Public-Private Surveillance Partnership
By Bruce Schneier
July 31, 2013
Imagine the government passed a law requiring all citizens to carry a tracking device. Such a law would immediately be found unconstitutional. Yet we all carry mobile phones.
If the National Security Agency required us to notify it whenever we made a new friend, the nation would rebel. Yet we notify Facebook Inc. (FB) If the Federal Bureau of Investigation demanded copies of all our conversations and correspondence, it would be laughed at. Yet we provide copies of our e-mail to Google Inc. (GOOG), Microsoft Corp. (MSFT) or whoever our mail host is; we provide copies of our text messages to Verizon Communications Inc. (VZ), AT&T Inc. (T) and Sprint Corp. (S); and we provide copies of other conversations to Twitter Inc., Facebook, LinkedIn (LNKD) Corp. or whatever other site is hosting them.
The primary business model of the Internet is built on mass surveillance, and our government's intelligence-gathering agencies have become addicted to that data. Understanding how we got here is critical to understanding how we undo the damage.
Computers and networks inherently produce data, and our constant interactions with them allow corporations to collect an enormous amount of intensely personal data about us as we go about our daily lives. Sometimes we produce this data inadvertently simply by using our phones, credit cards, computers and other devices. Sometimes we give corporations this data directly on Google, Facebook, Apple Inc.'s iCloud and so on in exchange for whatever free or cheap service we receive from the Internet in return.
The NSA is also in the business of spying on everyone, and it has realized it's far easier to collect all the data from these corporations rather than from us directly. In some cases, the NSA asks for this data nicely. In other cases, it makes use of subtle threats or overt pressure. If that doesn't work, it uses tools like national security letters.
The result is a corporate-government surveillance partnership, one that allows both the government and corporations to get away with things they couldn't otherwise.
There are two types of laws in the U.S., each designed to constrain a different type of power: constitutional law, which places limitations on government, and regulatory law, which constrains corporations. Historically, these two areas have largely remained separate, but today each group has learned how to use the other's laws to bypass their own restrictions. The government uses corporations to get around its limits, and corporations use the government to get around their limits.
This partnership manifests itself in various ways. The government uses corporations to circumvent its prohibitions against eavesdropping domestically on its citizens. Corporations rely on the government to ensure that they have unfettered use of the data they collect.
Here's an example: It would be reasonable for our government to debate the circumstances under which corporations can collect and use our data, and to provide for protections against misuse. But if the government is using that very data for its own surveillance purposes, it has an incentive to oppose any laws to limit data collection. And because corporations see no need to give consumers any choice in this matter—because it would only reduce their profits—the market isn't going to protect consumers, either.
Our elected officials are often supported, endorsed and funded by these corporations as well, setting up an incestuous relationship between corporations, lawmakers and the intelligence community.
The losers are us, the people, who are left with no one to stand up for our interests. Our elected government, which is supposed to be responsible to us, is not. And corporations, which in a market economy are supposed to be responsive to our needs, are not. What we have now is death to privacy—and that's very dangerous to democracy and liberty.
The simple answer is to blame consumers, who shouldn't use mobile phones, credit cards, banks or the Internet if they don't want to be tracked. But that argument deliberately ignores the reality of today's world. Everything we do involves computers, even if we're not using them directly. And by their nature, computers produce tracking data. We can't go back to a world where we don't use computers, the Internet or social networking. We have no choice but to share our personal information with these corporations, because that's how our world works today.
Curbing the power of the corporate-private surveillance partnership requires limitations on both what corporations can do with the data we choose to give them and restrictions on how and when the government can demand access to that data. Because both of these changes go against the interests of corporations and the government, we have to demand them as citizens and voters. We can lobby our government to operate more transparently—disclosing the opinions of the Foreign Intelligence Surveillance Court would be a good start—and hold our lawmakers accountable when it doesn't. But it's not going to be easy. There are strong interests doing their best to ensure that the steady stream of data keeps flowing.
Photo of Bruce Schneier by Per Ervland.
Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..