chevron-down Created with Sketch Beta.
May 01, 2013

The Business of Surveillance

by Heidi Boghosian

It is at once revealing and disturbing that the American retailing company Target can learn of a teenager’s pregnancy before the family she lives with does. An angry father near Minneapolis found this out firsthand, as reported in the New York Times, revealing a modern-day quandary: Communications and information technology have advanced with such speed that privacy safeguards lag far behind. Retailers accumulate and store vast amounts of personal data, and telecommunications and other corporations frequently share this information with government intelligence agencies. Such practices invade privacy and, absent careful interpretation, threaten to render the First Amendment inadequate to protect traditional liberty interests.

U.S. investigators advocating a robust antiterrorism agenda have pressed communications companies to store and, in many cases, turn over an unprecedented amount of information about citizens’ telephone calls, Internet communications, and daily movements. Internationally recognized standards of human rights are imperiled by the dual interests of a private sector intent on maximizing profits and a government fixated on preventing future terrorist attacks.

In addition to engaging in data mining, multinational companies are employing sophisticated technology, such as radio frequency identification (RFID) chips, semiconductors, and chips that can be configured to allow law enforcement “back door” access to monitor communications, or that enable location-based services to track citizens’ whereabouts. One need only watch an episode of NCISCSI, or any other police procedural to get an idea of how intrusive such equipment can be. Surveillance has become mainstream as Americans’ lives are data driven and uploaded to the Internet, transformed into digital packets, and bared publicly on social media sites. In striving for efficiency and instantaneous communication, consumers have unwittingly impelled retailers and data-mining companies to compete in capturing and reselling shopping habits and related personal information.

Computer Matching—Building Blocks of Mass Surveillance

As the Target example shows, mass surveillance is accomplished in large part by computer matching, the integration and comparing of electronic data records from two or more sources. Software enables computer searches and record-linking based on a configuration of common elements and patterns such as names, addresses, or Social Security numbers.

Target devised a pregnancy prediction score to entice prospective parents to become loyal consumers. As Charles Duhigg reported in the New York Times, shoppers receive a guest ID number linked to their credit card, name, or e-mail address that retains buying history and demographic information that Target collects or buys from other sources. A Target statistician analyzes purchasing data for women who signed up for Target baby registries for patterns such as unscented lotion purchases, which typically happen around the second trimester. After estimating delivery dates, Target sent coupons tailored to women’s different stages of pregnancy. The teenager’s father who confronted management at the Target store near Minneapolis did so after receiving coupons for baby clothes.

For decades, the government has labored to reconcile competing interests of law enforcement and privacy in the field of computer matching. After a government program, Project Match, got under way in the 1970s to determine if government employees were inappropriately receiving public benefits, the Carter administration conducted a Privacy Initiative prohibiting the government from gathering information for one purpose and using it for another.

Around that same time the Law Enforcement Assistance Administration of the Department of Justice commissioned the Private Security Advisory Council to study the relationship between private security systems and public law enforcement to create programs and policies concerning private security “consistent with the public interest.” A multifaceted working relationship between public and private policing grew over succeeding decades.

Despite early attempts to safeguard individuals’ privacy, the executive branch, regardless of the party in power, has asserted that the government has an interest in unfettered access to information in the federal domain. This contention, coupled with national security concerns raised in the aftermath of 9/11, has lessened the protections of private information. Under the Patriot Act, a host of personal records—from medical to magazine subscriptions—are available to the FBI if an agent claims they are sought for an “authorized investigation” related to international terrorism. Since the advent of the Total Information Awareness program, data mining has been the go-to method of domestic spying. In contracting with government agencies, the private sector provides a way for the Department of Justice and the FBI to access a treasure trove of personal information on Americans not suspected of any wrongdoing.

Nearly 2,000 private security companies and over 1,200 government organizations engage in counterterrorism intelligence gathering, according to a two-year Washington Postinvestigation. In exchange for government contracts and funding, corporations amass and store a wealth of personal information on individuals easily retrievable by law enforcement agencies. While data aggregators aggressively collect personal data from hundreds of sources to sell to third parties such as financial services, direct marketing, technology, telecommunications, insurance, retail, health care, and travel companies, the U.S. government is an important client.

ChoicePoint, for example, boasts that it has contracts with at least thirty-five government agencies. An $8 million contract with the Justice Department permits FBI agents to access the company’s database of personal information on individuals, as do contracts with the Drug Enforcement Administration, the U.S. Marshals Service, the IRS, the Bureau of Citizenship and Immigration Services, and the Bureau of Alcohol, Tobacco and Firearms.

Several members of Congress have expressed concern that government intelligence agencies are reading the Patriot Act too broadly in permitting vast surveillance of Americans’ personal communications. And, in 2012, eight members of Congress called for a wide-ranging investigation of data brokers, seeking information from nine top industry companies—Acxiom, Experian, Equifax, Transunion, Epsilon, Reed Elsevier (Lexis-Nexis), Datalogix, Rapleaf, and Spokeo—about how they amass and sell personal data. Two years earlier the Federal Trade Commission launched an investigation into the practices of more than a dozen data brokers. Spokeo later entered into a settlement over violating federal law by selling consumers’ personal information for employment screening. Enforcement actions against several other data brokers are pending. Despite having compiled dossiers on an estimated 500 million individuals, as of late 2012, the companies refused to provide names of data sources to Congress.

Storing aggregated electronic data heightens the potential to compromise individuals’ identity and privacy. While the United States has no mandatory data retention law, if providers of public electronic communications or remote computing services store electronic communications or communications records, under the Stored Communications Act (SCA), the government can obtain access. The SCA was enacted as part of the ironically named Electronic Communications Privacy Act in 1986 and requires mandatory data preservation for up to 180 days if the government asks.

The government has applied pressure to lengthen the time data are stored. FBI Director Robert Mueller III and then Attorney General Alberto Gonzales met with industry representatives in 2006 to urge them to keep subscriber and network data for two years, claiming that retention was needed for child pornography and terrorism cases. The United States has also pushed to hold service providers responsible for restructuring systems to allow state agents a way to monitor electronic communications; since 1994, landline phone companies are required to design equipment according to FBI specifications, enabling law enforcement to better wiretap customer communications. The Federal Communications Commission succumbed to pressure from the Department of Justice, the FBI, and the Drug Enforcement Administration and enacted a regulation expanding the Communications Assistance for Law Enforcement Act to build in the ability to conduct surveillance on broadband Internet access services and interconnected voice over Internet protocol (VoIP) providers.

A Potent Partnership Imperils First Amendment-Protected Activities

Surveillance by corporations in the form of obtaining e-mails and phone records not only violates privacy but also dampens First Amendment- protected activities. Corporate spying on reporters who expose government injustices or corporate wrongdoing to uncover confidential sources threatens whistleblowers and the notion of a free press.

The practice of corporate spying was exposed when technology giant Hewlett-Packard (HP) contracted with independent security experts from 2005–06 to investigate journalists to find the source of an information leak. Investigators engaged in pretexting, a spying technique by which company personnel impersonated nine journalists, purportedly from theNew York Times, the Wall Street Journal, and other outlets, to obtain the reporters’ telephone records, Social Security numbers, call logs, billing records, dates of birth, and subscriber information—all to determine the reporters’ sources.

After learning of HP’s use of pretexting, the U.S. House Committee on Energy and Commerce in 2006 announced it was investigating Internet-based data brokers allegedly using fraud and deception to acquire personal information, and allowing anyone who pays a fee to acquire itemized call logs for cellular, VoIP, landline, and unpublished numbers.

The right to free speech and association are affected by the very existence of a wiretapping program, aided by communications companies, in the case of attorneys concerned that their communications may be under surveillance. The American Civil Liberties Union filed a lawsuit in 2006 on behalf of journalists, scholars, attorneys, and nonprofit organizations that communicate by phone and e-mail with people in the Middle East. Suspecting that their communications were intercepted by the National Security Agency (NSA), the plaintiffs claimed this disrupted their ability to advise clients, locate witnesses, conduct scholarship, and engage in advocacy. After the Sixth Circuit Court of Appeals dismissed the case, the Supreme Court declined to hear it.

In a similar case a year later, the Center for Constitutional Rights sued on behalf of twenty-four attorneys representing Guantanamo detainees to find out if the NSA intercepted their attorney-client communications. Several incidents led the lawyers to believe the government had eavesdropped on privileged communications. Tom Wilner, the lead plaintiff in the case, noted: “I have been informed on two occasions by government officials, on the condition that I not disclose their names, that I am probably the subject of government surveillance and should be careful in my electronic communications with others.”

Not surprisingly, the NSA and the Department of Justice refused to turn over relevant records and refused to confirm or deny whether the plaintiffs had been subject to surveillance, saying that doing so would compromise the methods of U.S. intelligence communities. It’s worth noting that wiretapping also has a chilling effect when lawyers consider the repercussions of taking on national security–related cases.

In addition to targeting members of the media and certain attorneys, corporations regularly spy on activists or individuals with dissenting viewpoints. Especially vulnerable to the dual threat of high-tech spying and surveillance are social justice movements. Surveillance, and infiltration that frequently accompanies it, impedes airing legitimate and important political grievances.

Before 9/11, the United States spent about $500 million annually in counterterrorism research and development. This sum exploded after the attacks to $4.4 billion in 2006. Surveillance projects, including the Terrorism (Total) Information Awareness System (TIA), MATRIX, and Secure Flight programs, created vast business opportunities for technology corporations. Before Congress halted development of the TIA system in 2003, the Defense Advanced Research Projects Agency was in charge of an approximately $2 billion budget. Total government contracts to data-aggregator companies, including Booz Allen Hamilton Inc., Lockheed Martin, Schafer Corporation, Adroit Systems, CACI Dynamic Systems, Syntek Technologies, ASI International, and SRS Technologies, equaled $88 million from years 1997 through 2002.

It is well known that private “risk mitigation” companies, which help other businesses identify threats to profits, regularly monitor political activists. In 2010, Jeremy Scahill of The Nation wrote that biotech giant Monsanto hired subsidiaries of the mercenary firm Blackwater to spy on and infiltrate activists organizing against company practices. Through its Total Intelligence and the Terrorism Research Center, Blackwater served as Monsanto’s “acting intel arm” in 2008 and 2009, earning between $100,000 and $500,000.

Another partnership between a corporation and investigative firm came to light after Greenpeace USA filed a lawsuit in 2010 against Dow Chemical and Sasol; their public relations firms, Dezenhall Resources and Ketchum; and Beckett Brown International (BBI). The lawsuit alleged that between 1998 and 2000 these companies conducted surveillance on Greenpeace to thwart its anti-chemical pollution environmental campaigns, relying on subcontractors to access thousands of internal documents, including donor lists, financial reports, campaign strategy memos, personal credit card information, bank statements, and Social Security numbers of agency employees. A federal judge dismissed the suit in 2011, ruling that Greenpeace failed to show injuries or establish a direct connection between corporate espionage and civil racketeering allegations.

Corporations routinely and readily hand over customers’ private personal data, absent warrants, to government agencies often without legal justification or beyond what was requested. The NSA has collected records of phone calls of millions of individuals with data provided by AT&T, Verizon, and BellSouth. Despite reports citing abuses of the Patriot Act from the Justice Department Office of the Inspector General, such data collection is authorized by legislation signed by Presidents Bush and Obama. Bush issued an executive order authorizing the NSA to monitor phone calls, e-mails, Internet activity, text messaging, and other communication involving any party believed by the NSA to be outside the United States, even if the other end of the communication lies within the United States, without a warrant or other express approval. This executive order was issued pursuant to congressional passage of the Authorization for Use of Military Force, presumably on the grounds that if the president can order targeted assassinations, there is no reason why lesser intrusions should be limited.

Several former officials and telecommunications workers have indicated that the NSA program extends beyond the surveillance of those suspected to be linked to foreign terrorists. A significant disclosure came in 2005 when former technician Mark Klein revealed that AT&T was cooperating with the NSA. The firm had installed a fiber optic splitter at a San Francisco facility that made copies of Internet traffic to and from AT&T customers, and gave them to the NSA.

In light of Klein’s disclosure, the Electronic Frontier Foundation (EFF) filed two lawsuits alleging that the NSA, in violation of federal law and with support from agencies such as AT&T, intercepted the communications and obtained communications records of millions of Americans. Hepting v. AT&T was filed in 2006 alleging that AT&T allowed and assisted the NSA in unlawfully monitoring communications of AT&T customers, businesses, and third parties whose communications were routed through the AT&T network and whose VoIP calls were routed through the Internet. The U.S. District Court for the Northern District of California rejected the government’s motion to dismiss the case on grounds of state secrets privilege. Hepting was appealed to the Ninth Circuit and dismissed in June 2009. The U.S. Supreme Court in 2009 declined to review Hepting.

Jewel v. NSA was filed in 2008 on behalf of AT&T customers to stop the NSA and other government agencies from conducting warrantless surveillance of their communications and communications records. A year later, the Obama administration moved to dismiss Jewel, again invoking the state secrets privilege. The court dismissed the case on standing grounds, but in December 2011, the Ninth U.S. Circuit Court of Appeals ruled that Jewel could proceed in district court. In July 2012, EFF moved to have the court declare that the Foreign Intelligence Surveillance Act (FISA), rather than the state secrets privilege, applied. In September 2012, the government renewed its state secrets claim and the federal district court in San Francisco heard the case in December 2012.

Location-Based Tracking Systems

In addition to being subject to invasion of records privacy, anyone who has cruised through the EZ Pass lane of a toll booth, used a monthly subway swipe card, or searched for locations on a cell phone should know that all movements may be potentially recorded for use by a third party at a later date. Global positioning system (GPS) devices violate what is known as location privacy, the ability to move in public without being tracked or monitored. Associational information, such as establishments visited, can be stored to create a dossier of interactions and personal habits.

RFID chips use electromagnetic energy in the form of radio waves to communicate information from a distance such as with EZ Pass and keyless remote systems for cars and garage door openers. Active tags are read remotely as vehicles drive through toll booths, and the information deducts the toll amount from prepaid accounts. Benefits include increasing the speed with which traffic passes through toll plazas; a downside is the recording of drivers’ date and time of travel. Initially invented for retail inventory purposes, the RFID chips are embedded in many articles of clothing.

The Federal Highway Administration hopes to embed RFIDs into all American-manufactured cars, installing a global positioning transmitter that can track vehicles by satellite and a wireless device that uploads location as it passes certain hotspots. Texas students were issued chip-embedded identification cards in 2012 to track their movements on campus. Corporations eager to offer chips for monitoring include AT&T, whose advertising materials say that homeroom teachers no longer need to call roll but can just read the embedded tags.

Many nightclubs use ID scanners to verify patrons’ ages. Software on bouncers’ smartphones reads information from driver’s license barcodes or magnetic strips to extract gender, age, zip code, and time of entry. The information goes to the company’s database for aggregation and analysis and is available to bars and marketers. While scanning itself may not pose a problem, record retention implicates privacy concerns. Police in San Francisco, for example, are urging that establishments be required to store information for a period of time so it can be available upon request to aid in crime solving.

GPS is a government-maintained, space-based satellite navigation system that provides information about location and time from any place on earth to anyone with a GPS receiver where an unobstructed line of sight exists to four or more satellites. Most cellular phones are equipped with GPS-receiving capability. Unless the power is turned off, a mobile phone stays in constant communication with the nearest cell towers even when not being used for a call. Information processed by the cells can be used to precisely locate or track the movements of a phone user.

Some employers use GPS-enabled phones to monitor employees’ locations. Other locator phones provide GPS coordinates and can even dial emergency numbers; third parties such as family members or caregivers can track the phone’s location and receive alerts when the phone leaves a specified area.

Conclusion

Cloaked in the name of convenience and expediency, electronic technology is literally embedded in most aspects of modern-daily life. But for every way in which these systems improve life in our society, more sinister applications undermine privacy and threaten human rights, specifically privacy and First Amendment–protected activities. The impending ubiquity of such devices, irrespective of their original purpose, erodes privacy and endangers a robust participatory democracy: The more we grow to accept that all kinds of information will be transmitted about us in everyday life, the more we accede to the potential abuses of this information. In George Orwell’s 1984, the all-seeing state was represented by a two-way television set. In a more modern adaptation, it would be represented by the devices we carry in our pockets and the very clothes we wear on our backs.

Heidi Boghosian

Heidi Boghosian is the executive director of the National Lawyers Guild and co-host of the civil liberties radio show Law and Disorder. She is the author of Spying on Democracy: Government Surveillance, Corporate Power, and the Public Interest (City Lights Books 2013).