In 2013, after the National Security Agency contractor Edward Snowden released thousands of top-secret documents, the U.S. government scrambled to justify its far-reaching surveillance programs. In an effort to make these data-collection programs more transparent and legitimate, the Obama administration established a special review group, revived a dormant privacy oversight board, and issued an executive order pledging to respect the privacy rights of noncitizens abroad. U.S. technology and telecommunications companies—whose complicity Snowden’s documents had exposed—moved into a defensive crouch. In order to maintain their international customer base, they sought to explain away their past cooperation and distanced themselves from the government. In 2015, the U.S. Congress entered the fray, reining in the so-called telephony metadata program, the NSA’s bulk collection of the phone numbers of incoming and outgoing calls, which can be used to draw a map of a person’s associations.
The British, with their own set of sophisticated intelligence capabilities, have been grappling with many of the same concerns. In the fall of 2016, Parliament passed the Investigatory Powers Act—which opponents call “the snoopers charter,” but which defenders portray as an overdue piece of legislation that sets the parameters on what the government can do when it comes to surveillance. As with most controversies, there is an element of truth to both sides of the debate. The statute gives the intelligence services the right to collect large quantities of information with a single warrant, and it allows courts to compel private companies to help decrypt communications (a development that raises concerns about both privacy and network security). But it also adds checks and protections where there were none before. For the first time in the United Kingdom’s history, warrants to intercept communications are subject to judicial review; previously, the executive branch could execute these on its own say-so.
Rhodri Jeffreys-Jones’ comprehensive new book, We Know All About You, puts these contemporary debates over surveillance—which he defines as “spying on a mass scale”—in historical and comparative context. Jeffreys-Jones ably tells the story of surveillance in the United States and the United Kingdom from its beginnings in the eighteenth century to today. But what makes the book unique is not its description of government surveillance, about which much has been written; instead, it is its emphasis on the role that private companies play in it.
As Jeffreys-Jones details, surveillance is the prerogative not just of governments. It is something that was developed, relied on, and institutionalized by private actors as well. In the American South before the Civil War, plantation owners hired white men to monitor the movements of slaves and collect intelligence about possible uprisings. Further north, a merchant in New York named Lewis Tappan started what was essentially the first credit bureau in 1841. To determine customers’ creditworthiness, the company built a database of their ethnicity, age, business history, drunkenness, and even sexual proclivities.
With the rise of manufacturing, private companies turned to surveillance as a union-busting tactic. Jeffreys-Jones tells chilling stories of U.S. and British companies hiring private detectives to spy on workers and keep tabs on labor organizers. Once identified as subversive, individuals lost everything: they were fired from their jobs and put on blacklists that made them unemployable elsewhere. In the 1950s, Hollywood studios facilitated McCarthyism by informing government investigators of alleged Communist subversives, ruining the careers of countless screenwriters, directors, and actors.
Even the press has gotten in on the surveillance game. Jeffreys-Jones tells the story of News of the World, a British tabloid that hounded a family looking for their missing daughter in 2002. The paper surreptitiously tracked the family’s movements, photographed their grieving faces, and illegally hacked the missing child’s voice mail. “In terms of the harm done to people on a daily basis,” Jeffreys-Jones concludes, “private surveillance outperforms its public counterpart.”
But although Jeffreys-Jones documents a great deal of damage inflicted by private actors, it’s a stretch to claim that private surveillance causes more harm than government snooping. After all, only the state can use information gained through surveillance to incarcerate people or even lawfully kill them. At any rate, which actor is worse is beside the point. What really matters is the fact of public and private surveillance, the risk of abuse by both the government and the private sector, and the interplay between the two.
Surveillance is the prerogative not just of governments. It is something that was developed, relied on, and institutionalized by private actors as well.
Indeed, the decisions of the private sector have an enormous impact on the scope of government surveillance. Every day, companies make choices about what to collect, where to store data, whether and what to encrypt, and how, whether, and when to accede to or resist the government’s demands for information. These decisions, in turn, shape what information is available for the government to collect.
Moreover, as Jeffreys-Jones shows, the revolving door between the public and private sectors allows the two sides to trade techniques. In the late nineteenth century, for example, Ralph Van Deman, a U.S. Army officer stationed in the Philippines, developed an indexing and classification system that U.S. commanders could use to identify insurgents in the field. After leaving government, he used his skills to keep tabs on union workers on behalf of California industrialists, sometimes sending confederates into union meetings to spy on workers and report back. By the time Van Deman died, in 1952, his list of alleged subversives numbered more than 125,000.
Then there is the story of William Reginald Hall, a British intelligence officer who ran a code-breaking unit in World War I. After being booted from government, he created a group that became known as the Economic League. A powerful and murky association of industrialists, the Economic League tracked and blacklisted union activists on behalf of the private sector. Untold numbers of workers lost or were denied jobs as a result.
Jeffreys-Jones also reminds readers of the ebb and flow of public-private partnerships. In 1919, Western Union initially refused to grant permission to the Black Chamber—the U.S. government’s code-breaking agency and the predecessor to the NSA—to access sought-after telegraph messages as they crossed the Atlantic Ocean. By the end of the year, however, the government had sufficiently laid out its case, and Western Union and other telegraph services assented to the surveillance scheme. Temporarily paused between the two world wars, cooperation began again in the 1940s—leading to what was known as Project SHAMROCK. Under this program, the U.S. government was able to read, without a warrant, hundreds of thousands of telegraph messages between U.S. residents and international recipients. Project SHAMROCK lasted for decades; the NSA shut it down only after the Church Committee exposed it in the 1970s. The episode foreshadowed the private sector’s relationship to government surveillance after 9/11: companies provided expansive cooperation at first, only to backtrack after the Snowden revelations.
RISK AND REWARD
Jeffreys-Jones does a good job cataloging government and private-sector surveillance. What’s missing from his account, however, is an assessment of what kind of surveillance is justified and what kind is not and how to make that determination in an increasingly digitized and interconnected world—one in which just about all of a person’s movements, interactions, and interests are known to the cell phone providers, social media companies, and search engines that make modern life possible.
To be fair, these kind of normative judgments are not the goal of his book. But someone does have to make them. In that regard, Jeffreys-Jones is correct when he notes that “the adoption of the Fourth Amendment did not settle the surveillance debate.” That, of course, should come as no surprise, since the Fourth Amendment was never meant to serve as a bulwark against government surveillance (and doesn’t even address private-sector surveillance). Rather, it was intended to ensure that the government’s searching and seizing is “reasonable”—a pragmatic and malleable concept that takes into account both the government’s need for information to fight crime and provide security and the risks of overreach. Put simply, sometimes government surveillance is reasonable, and sometimes it is not. Drawing the line between what is and what is not reasonable is the hard part.
This, in fact, is the exact task that U.S. legislators now face as Congress takes up Section 702 of the Foreign Intelligence Surveillance Act, which is set to expire in December. Authorized by Congress in 2008, the Section 702 program allows the NSA to collect the e-mails and other communications of foreigners located outside the United States without getting a warrant. The NSA can collect data only for the purposes of gathering “foreign intelligence information,” and the general targeting procedures must be approved by the Foreign Intelligence Surveillance Court, a special panel of federal judges. But the specific decisions of who and what to target are left to the executive branch and require little more than a finding that the target is a foreign national who possesses sought-after intelligence. Even by conservative estimates, every year, the government collects hundreds of millions of communications under the Section 702 program.
Sometimes government surveillance is reasonable, and sometimes it is not. Drawing the line between what is and what is not reasonable is the hard part.
The government has argued that the program has helped protect the United States from various terrorist threats, a claim supported by two independent review groups set up by the Obama administration. But the Section 702 program has also come under heavy criticism for sweeping in millions of communications of innocent U.S. citizens and residents who happen to be talking with a targeted foreigner. Ordinarily, after all, the government can intercept the communications of U.S. citizens and residents only when authorities have a warrant based on probable cause. Under the Section 702 program, once information is obtained, intelligence agencies can look at it for various purposes, and the FBI can examine it in support of criminal investigations.
The upcoming reauthorization debate provides a chance to reform this program, and there are a number of options on the table. Some argue that all searches of U.S citizens’ and residents’ information must be supported by a warrant based on probable cause. Others claim that only searches of actual content require that protection, whereas searches of metadata (such as the “to” and “from” lines on e-mails) can be accessed without judicial approval. Still others contend that the FBI’s warrantless querying of databases is fine so long as the investigations concern national security or espionage rather than other crimes.
In my view, the FBI should, at a minimum, be required to get a warrant based on probable cause when searching the data of U.S. citizens and residents in the course of a criminal investigation, regardless of the type of crime being investigated. After all, that is what investigators would have to do if they were seeking that information directly from the suspect or from the private entity that manages the suspect’s data. The law should put in place some emergency exceptions, but the default rule should be that investigators need a warrant when seeking the content of a U.S. person’s communications. If the government wants metadata, it should have to document a reasonable suspicion. As of now, there is no such requirement in place.
Wherever one comes down on these issues, the interests on both sides need to be taken into account. Intelligence and law enforcement agencies need to access information to keep people safe. But at the same time, as the United States’ founders wisely recognized, there is a real risk that security will trump all other concerns. That’s why procedural and substantive safeguards are needed to ensure that government surveillance remains reasonable.
The same goes for the private sector. Although companies do not have the authority to incarcerate people, they can, as Jeffreys-Jones documents, use information to wreak havoc on individuals’ lives. And as everything from televisions to thermostats stores digital data, the amount of personal information private companies have access to will only grow. Their decisions about what to retain, access, and share will increasingly influence how much both the private sector and the government know about all of us.
And so one is left with a lot of hard questions about how to respect privacy, provide security, and protect against abuse in the modern, digitally connected world. In focusing on the threat to privacy and the history of abuse, Jeffreys-Jones’ book highlights one set of critical concerns to take into account. It is now up to the rest of us to reconcile those risks with the government’s legitimate need to access information that keeps us safe.