In the Privacy Soapbox, we give the stage to privacy professionals, guest writers, and opinionated industry members to share their unique points of view, stories, and insights about data privacy. Authors contribute to these articles in their personal capacity. The views expressed are their own and do not necessarily represent the views of Didomi.
Do you have something to share and want to take over the privacy soapbox? Get in touch at email@example.com.
Note: This article was originally published on June 6, 2023, on the Yes We Trust blog.
There’s an elephant in the room of the privacy community, and our failure to recognize it undermines discussions about why U.S. federal privacy law efforts have to date come up short.
That “elephant” isn’t the Republican Party. While Democrat-sponsored bills comprise the bulk of federal privacy legislation introduced last Congress, and Republicans historically have backed more business-friendly provisions in privacy laws, such as not allowing a private right of action and opposing certain restrictions on businesses’ access to data, recent compromises in the American Data Privacy and Protection Act show increasingly bipartisan support for data privacy.
Nor is it a purposely slow and difficult legislative process that, elsewhere, I’ve described as a feature, not a bug, of U.S. politics, that is holding back a privacy deal. Factionalism, such as that from California Democrats, who have said they won’t vote for a bill that doesn’t provide protections at least as strong as those in California’s strongest-in-the-nation laws, certainly plays a role in the stalled legislative process. But political tribalism, on either side, is hardly ignored or underdiscussed.
The elephant in the room also isn’t Big Tech companies and their advertising partners, which are in favor of uniform, nationwide privacy regulations that would be easier for them to navigate than a patchwork of state laws. Surveillance capitalism gets plenty of oxygen in the federal privacy debate. If anything, it is growing weariness of tech companies tracking everything we do online that is driving the debate.
No, it isn’t Big Government or Big Business that most privacy professionals refuse to acknowledge, at least publicly, is hampering a federal privacy bill. It’s Big Brother.
Evidence suggests that the U.S. intelligence community may play a significant role in blocking the passage of a federal privacy law. Putting an end to surveillance capitalism is a main driver of the data privacy movement. But that movement threatens to undermine an unchecked intelligence surveillance apparatus that may be working behind the scenes to block the passage of comprehensive federal data privacy legislation.
Extensive surveillance programs
One of the primary indicators that U.S. intelligence may be blocking a federal privacy law lies in the existence of sweeping surveillance programs.
Since the first Edward Snowden leak reported in The Guardian in June 2013, thousands of top-secret documents have been published, revealing, among other shocking practices, that the government was collecting and monitoring citizen text and phone records and collecting data through backdoors into tech companies like Apple, Facebook, and Google.
It is not my intention here to rehash the depth and breadth of government surveillance capabilities, or to discuss related concerns about the erosion of privacy rights. But in light of programs like the NSA’s ”PRISM” and “Upstream,” which are presumably ongoing, in one form or another, it is plausible to assume that intelligence agencies may perceive federal privacy legislation as a hindrance to their surveillance efforts, potentially leading them to resist or influence the passage of such laws.
National security pretext
It’s been ten years since Snowden revealed to Americans that their government was spying on them, ostensibly in the name of national security, using the Patriot Act and Section 702 of the Foreign Surveillance Intelligence Act as legal pretexts.
The intelligence agencies at the time dismissed claims that such practices undermined democracy in a digital age. They said their programs were constitutional, subject to oversight, and necessary to protect us from terrorist attacks in the wake of 9/11.
But more than 20 years after 9/11 and a decade after Snowden’s revelations, government surveillance has become normalized and memory-holed. Congress and the courts have placed only minimal restraints on the government’s ability to spy on American citizens and others, while the technological capacity to collect data on us has grown exponentially. On the 10th anniversary of his whistleblowing, Snowden recently said that 2013 surveillance technology is “child’s play” compared to what governments possess today.
The argument frequently put forth by intelligence agencies is that strong privacy laws could undermine national security efforts. They claim that access to personal data is crucial for uncovering potential threats and preventing terrorist activities. In other words, to find the needle in the haystack, the NSA argues, they need to access the whole haystack.
Again, striking a balance between privacy and national security is not a debate I wish to undertake in the parameters of this article. Whichever side of the debate you’re on, plenty of arguments can be made for and against your position.
However, I will point out that Islamist terror attacks, the original justification for mass surveillance, have been on the decline for years. The privacy vs. security debate can today be reframed in terms of domestic violent extremism, cybersecurity, foreign election interference, health emergencies, or any number of other threats—real or imagined.
Suffice it to say that, whether the intelligence community is genuinely concerned about protecting the American people, or merely protecting their interests and power, the national security rationale for surveillance is likely to remain.
Big Tech and Big Brother are bad enough on their own in terms of privacy deprivations. Put them together and what do you get? A chimeric surveillance apparatus in which one hand washes the other and both hands are turned against the American people.
It is no secret, thanks to Snowden, that intelligence agencies rely heavily on data collected by technology companies for surveillance purposes. The NSA’s PRISM program has direct access to servers from the world’s largest tech companies, Snowden showed. Through the program, NSA officials can collect data related to search history, email content, file transfers, and chat.
PRISM in the form that Snowden revealed probably no longer exists, although the NSA is still reportedly collecting private data from tech companies on an as-needed basis (much the same way the Patriot Act technically ended, but federal law enforcement agencies retain most of the authorities established by the Act).
In addition, according to The Intercept, the same tech companies involved in PRISM are now helping China’s authoritarian government conduct mass surveillance against its people through a nonprofit called the OpenPower Foundation. At home, Amazon Web Services-administered intelligence community cloud computing should be no less worrying.
Based on anecdotal and hard evidence of the corporate-bureaucratic fusion taking place in the U.S., it is highly plausible that, whatever information tech companies collect on you, U.S. intelligence has access to it as well. This symbiotic relationship creates a mutual interest in maintaining the status quo, where the collection and sharing of user data continue with minimal legal constraints.
It may be that the profusion of commercially available information generated from internet-connected devices and sold by data brokers has rendered programs like PRISM obsolete. A newly declassified Office of the Director of National Intelligence (ODNI) report confirms that U.S. intelligence and other agencies buy huge amounts of personal data, enabling them to track Americans’ phones and locations without a warrant.
The report admits that the purchased data “clearly provides intelligence value” yet also “raises significant issues related to privacy and civil liberties.” It recommends putting “guardrails around government purchases” but conspicuously does not mention a federal data privacy law that would prohibit the selling of device geolocation data as one such “guardrail.”
ODNI’s report is the latest indication that, whatever information private companies collect on you, U.S. intelligence has access to it as well. This corporate-bureaucratic fusion taking place in the U.S. creates a mutual interest in maintaining the status quo, where the collection and sharing of user data continue with minimal legal constraints.
The alignment of interests between Big Tech and Big Brother in the U.S. into a China-style social credit system—what some have referred to as the Surveillance State and might easily be called techno-fascism—could be a significant factor impeding the passage of a comprehensive privacy law.
The view from Europe
Barring another intelligence document leak like Snowden’s, we are largely left to read between the lines when assessing ongoing intelligence community surveillance activities. For some of the most compelling evidence that mass data collection is alive and well, we can turn to Europe.
Last year, President Biden signed an executive order related to EU-U.S. data transfers. It was a significant step toward establishing a data flow mechanism that has been missing between the two entities since 2020, when the Court of Justice of the European Union (CJEU) invalidated the EU-U.S. Privacy Shield agreement over concerns about U.S. government surveillance activities.
CJEU took issue with the access U.S. surveillance agencies have to the personal data of European citizens. The July 2020 Schrems II decision held that Privacy Shield was invalid under the EU’s General Data Protection Regulation because it did not adequately protect EU data subject privacy rights.
Max Schrems, the man behind the lawsuit that challenged Privacy Shield and led to the CJEU ruling, said that the new proposed EU-U.S. data privacy framework does not fix the fundamental problem of U.S. surveillance. According to Schrems, so-called “’bulk surveillance’ will continue under the new Executive Order and any data sent to US providers will still end up in programs like PRISM or Upstream.”
“Bulk surveillance” refers to the large-scale and indiscriminate collection, retention, and analysis of communications data. Bulk surveillance practices are an integral feature of the modern state surveillance apparatus uncovered by Snowden.
Schrem’s comments may be as good of evidence as we have that U.S. intelligence has not backed off its post-9/11 data hoovering. Indeed, a precursor executive order to the data privacy framework that established rules for “signals intelligence activities” expressly permits bulk electronic surveillance for foreign intelligence purposes. This is a problem for Americans, too, who sometimes get caught up in foreign intelligence surveillance. Critics allege that federal agencies receiving Section 702 data have FISA-court approved procedures in place allowing them to access the phone calls, text messages, and emails of Americans, in violation of statutory and court-ordered limits.
The EU-U.S. data privacy framework would bring bulk surveillance protections for EU citizens more on par with those that exist for U.S. persons. Considering our nation’s history of abusing its surveillance authorities, and the secrecy surrounding its surveillance programs, it’s no wonder some Europeans aren’t placated by executive assurances about greater transparency.
Under such circumstances, in which the American security apparatus can engage in the mass surveillance of our phone calls, text messages, emails, and other digital communications without our consent, a court order, and in many cases, even our knowledge, the very notion of “transparency”—or indeed of “privacy”—stretch credulity.
In Schrem’s view, the Fourth Amendment to the U.S. Constitution, which enshrines a right to privacy, does not apply to EU citizens, whereas the EU views privacy as a human right that applies to all persons.
However, given the bulk surveillance practices that appear to be alive and well in this country, it’s worth asking if the Fourth Amendment—not to mention federal data privacy—is a dead letter. Because bulk data surveillance and privacy rights are simply incompatible.
Conclusion: to name a thing is to acknowledge its existence
The apparent reluctance to pass federal privacy legislation raises suspicions about the involvement of U.S. intelligence agencies. Signs such as extensive surveillance programs, national security pretexts, government-industry collaboration, and GDPR privacy concerns indicate these agencies’ potential role in undermining a comprehensive federal data privacy law.
FISA Section 702 is set to expire at the end of 2023. It could be that Section 702 will be permitted to die a natural death, paving the way for heretofore elusive privacy legislation to follow. But in a further sign the government intends to retain its expanded post-9/11 national security powers, the Biden Administration is seeking renewal of the authority that allows for mass, warrantless surveillance of U.S. citizens and is completely at odds with meaningful data protection policy.
An honest conversation about the future of federal data privacy is not possible without acknowledging the massive powers of the intelligence community and how those powers affect the privacy movement. Until the privacy community acknowledges the elephant in the room, narratives surrounding failed federal privacy bills will be circling the obvious, afraid to name a thing, and therefore incapable of addressing it.
Not that I can really blame anyone for not wanting to disturb this particular elephant. After all, Big Brother is watching. And listening.