The recent Customs and Border Protection subcontractor breach reminds us just how much of the modern digital surveillance state is actually outsourced to private companies. From acquiring and managing the vast datasets recording our daily lives to providing analytic software and services on top of that data, much of what we think of as government surveillance is actually performed by private companies on its behalf, often with far fewer privacy safeguards or cyber protections.
While Hollywood typically portrays government intelligence agencies as all-powerful entities exclusively relying on government lifers, the reality is that modern digital intelligence collection relies heavily on private companies. The datasets of greatest interest to intelligence agencies are no longer government-owned or produced. They are created and owned by private companies and must be purchased, hacked or legally compelled. Look closely at the Edward Snowden disclosures and a great deal of the NSA’s global monitoring intake originates within the data centers and telecommunications networks of the world’s private corporations.
Indeed, in its letter responding to our FOIA request, the FBI said that simply acknowledging its use of social media surveillance would “risk circumvention of the law.” The bureau seems to be saying that if people knew that the government is monitoring what they’re saying on social media, they’d be less likely to say it.
Yet rather than exclusively use federal employees to acquire this content, the government relies heavily on outsourcing its collection efforts to federal contractors. These can range from quasi-employees who sit side by side with government employees at desks in government buildings to staffers working in remote, modern, state-of-the-art office buildings, in contrast to their colleagues in buildings that can often resemble prisons.
Most importantly, these contractors are frequently bound by different rules than their federal colleagues when it comes to digital acquisition. For example, federal agencies that are more heavily restricted in their lawful ability to collect social media, data broker files and other open sources have historically turned to private companies to conduct that surveillance on their behalf, legally laundering the results. As social media companies have increasingly passed new policies prohibiting the use of their data feeds by the intelligence community, the use of such contractors to launder surveillance needs, including geographic profiling, has only increased.
All of this collected data must be stored somewhere. While federally-owned data centers are frequently the canonical repository, those data centers may be managed by contractors working for private companies. More often, unclassified collection like social media streams is archived directly by contractors on their own systems.
Once collected, the data must be analyzed. The bespoke analytic software environments used by intelligence agencies are almost exclusively built by contractors who increasingly lease that software via subscription, rather than transfer perpetual rights to the government. In order to fine-tune that software, contractors are frequently given direct access to surveillance data collected by the government and other contractors to improve their algorithms or train new deep learning models.
Although many of the newly released opinions appear to be decisions approving surveillance and searches of particular individuals, several raise questions about how well equipped FISC judges are to protect individuals’ statutory and constitutional rights when the government is less than candid with the court, underscoring EFF’s concerns with the FISC’s ability to safeguard individual privacy and free expression.
A private US company might thus be granted access to an EU citizen’s private data collected by another contractor in order to build a deep learning model to better flag a certain kind of suspicious activity and then have the right to resell that model to other law enforcement and allied governments, including that EU citizen’s own government, which might otherwise face restrictions in using its citizens’ data to build surveillance deep learning models.
Increasingly, at least when it comes to digital data streams like social media, the entire process, from initial data acquisition to final analytic outputs, is overseen by private companies with large portions of the analytic pipeline occurring within their own data centers with little oversight by the federal government.
In fact, historically the government largely outsourced the collection and analysis pipelines of social media streams like Twitter entirely to commercial social analytics companies.
The danger as government increasingly outsources digital surveillance to private companies is that those companies may not make the same cyber investments that the government enforces at its data centers. Even if data is properly secured, these private companies are frequently granted the right to resell their software and services to others, having improved them by incorporating lessons and even data from government surveillance, such as through their machine learning models.
Putting this all together, the increasing outsourcing of the nation’s digital surveillance to private companies creates newfound cyber and privacy risks. Most importantly, it increasingly commercializes the surveillance state, blending the monetization and manipulation of the digital sphere with the kinetically-enforced surveillance of the physical sphere. The future is looking ever more like 1984.