Exploring the surveillance partnership between the government and data brokers

Avatar

The Office of the Director of National Intelligence acknowledged last year that commercially available data about individual people allows the government to compile information “of a type and level of sensitivity that historically could have been obtained, if at all, only through targeted (and predicated) collection.” 

That commercially available information — captured and packaged by companies called data brokers — extends to places most Americans would never imagine, according to longtime investigative reporter Byron Tau, who dives into the data broker industry in his new book, “Means of Control: How the Hidden Alliance of Tech and Government is Creating a New American Surveillance State.”

For example, Tau discovered that in order to detect tire pressure, wheels have sensors that rely on an insecure wireless connection with the car’s central computer, providing a means to track a person’s whereabouts. And potentially helpful software also can feed the machine: The government buys datasets from location apps like Drunk Mode, which a college undergrad started to help people reconstruct where they had been the night before. 

In the halls of government, Tau also describes how national security officials scrambled when they discovered that Grindr and other apps could geofence intelligence agencies and unintentionally track the precise location of U.S. personnel.

Recorded Future News spoke with him about his findings. This interview has been edited for length and clarity.

RECORDED FUTURE NEWS: I was struck by a line in the book comparing the American government’s use of data to surveil citizens to what goes on in China, which we think of in America as an Orwellian techno-totalitarian society. You wrote that in China the state wants you to know you’re being watched and, in America, the success lies in the secrecy. Is our government watching us as closely as the Chinese monitor their people?

BYRON TAU: The long and short answer is no, not quite. I would say that the data that exists in China on every citizen probably also exists in the United States. The biggest difference is that the U.S. government hasn’t yet taken the step of weaving all this corporate and government data together and pushing that data down to the level of individuals. In America, data is scattered in a wide variety of corporate and government databases, some of which are available for sale, but many of which are proprietary or belong to corporations or are government databases so we haven’t quite weaved it all together. 

I think the state in China uses surveillance in some ways as a means of social control and wants people to know that they’re being observed, that the state knows what they’re doing. In the United States, we have a much more libertarian society that’s a little bit more skeptical of government power and as such, I think, in general, government agencies and data brokers that cater to them really don’t want to talk about these capabilities, and that, in many ways, is what drove me to write the book. Because I don’t think in a democratic society, where people in their roles as voters, or as consumers who pay for technology, really should be in the dark about what their government or their tech services are doing. 

RFN: How has what you call the hidden alliance of tech and government to create mass surveillance of Americans developed in the post-9/11 era? What has the trajectory been over time? 

BT: I go through about a 20-25 year history that starts right after 9/11 with some very early experiments and bringing data brokers like Acxiom, LexisNexis and a number of others into these government programs and the data that they had largely derived from things like mailing lists, or public records and just corporate data on either consumer preferences, where consumers lived, who they were related to, what their phone numbers were. Basic early data broker information. There was this push to try to bring it into government after 9/11 because, the 9/11 attacks, much of the story can be told through travel records, through rental car records, through hotel records.

The FBI did this extremely long chronology after 9/11 that basically relied on a whole bunch of corporate data to tell the story of the hijackers. So there was a sense after 9/11 that there were these odd patterns. There was odd behavior by many of the hijackers. [There was a feeling that] if somebody was just paying attention to these large repositories of corporate information, and combining it with the government’s classified intelligence and weaving it together in a picture that could offer intelligence analysts a more holistic view of what’s going on, that potentially the attacks could have been stopped. 

Data brokers were brought into these early government efforts. There was the Total Information Awareness program, there were a number of others. The FBI was using corporate data from data brokers and some programs to identify people with possible connections to terrorism. But over time the kind of data that data brokers had changed because social norms were changing. There ended up being a whole second generation of data brokers that were springing up to monitor the conversations in places like Facebook or Twitter or Instagram, these early social networking sites. Government agencies found that terrorists were on these sites, criminals were on the sites and so, increasingly, those kinds of data brokers were pulled into government programs. 

A couple years later as mobile phones really took off and as advertisers were trying to understand the data that comes off mobile phones, data brokers sprung up to try to track the location of phones as drawn from GPS. Like when you install a weather app, the consumer grants permission to that app to monitor location, data brokers spring up to collect that information. So governments then figure out that that kind of data is very useful.  Because mobile phones are a proxy for a person, and they show connections and they show where people go and they show their behaviors and their patterns. So that kind of data becomes part of government programs. 

Finally, there’s this weird, esoteric world of wireless signals. So our WiFi base stations give off a signal that can be picked up, our Bluetooth headphones give off these signals. Increasingly, everything has these weird wireless signals that if you have the right kind of radio you can listen to — car tires or toll transponders and our smartwatches. Data brokers have sprung up to collect that information, sometimes for commercial purposes. I’ve gotten indications that you can potentially survey the wireless environment and see whether the number of Fitbits is going up or going down. That also has interesting cybersecurity tracking potential. So, of course, those datasets ended up in government hands. The book really at its core is a story of how different datasets became available to the government and were integrated into whatever mission was important at the time.

RFN: What do you consider to be the single scariest data point or example of government surveillance that you uncovered while reporting this book? 

BT: I think location tracking in general is pretty invasive because the vendors, in many cases, they’re making claims to both the consumers and the regulators that this data is, in their words, anonymized so there’s no names or phone numbers attached to these geolocation datasets. They’re just little ant trails of a phone moving around the world. But the problem with that is that it’s very, very difficult to anonymize your movements to the world. 

I live here in D.C. on Capitol Hill. I go to an office in Georgetown three or four days a week. I ride my bike down the mall most days and I’m the only person in Washington that’s probably doing that. So even if you don’t have my name attached to a geographical data set, it’s not that difficult to figure out who Byron Tau is in that data set. For geolocation in particular, it’s not something a lot of people think about or realize when they’re clicking “I accept” on the Weather Channel or whatever app is collecting their location. But it really does reveal a tremendous amount about them, about their patterns and their habits in the world. And the vendors aren’t being honest when they say that these datasets are anonymized. 

Beyond that I’d also just say that it’s not just one data set that scares me the most, it’s the ability to take large amounts of data, both that are unclassified — so like the commercial datasets I write about — and then combine them in ways to get a tremendously detailed picture. And that is really where China is right now. And what’s concerning about them is they weave all of the data they have on an individual together in one profile whereas America still hasn’t quite gotten to that point. I think the really alarming thing is this data fusion and trying to build detailed portraits of people based on multiple datasets. 

RFN: You wrote about one government surveillance partnership that helped the Department of Homeland Security use geolocation data to find a drug tunnel located on the Mexican border. Do you think about the tradeoffs between good versus bad uses of this data?

BT: I certainly think there are benefits to the government’s use of data. I mostly focus on the agencies inside the government that can [have] the most consequences on citizens. So I focus a lot on the intelligence community, the military and the police who in general can put handcuffs on you, target you for very invasive surveillance, or, in the case of the military operating abroad, potentially kill you in a lethal strike. So I focus a lot on those entities and their access to data. 

But it’s important to say that also transportation departments use a lot of data and they too are government entities. Public health is an area that I don’t really focus on, but where data can be valuable and potentially provide benefits to citizens. And so I do think it is a balance and that not every government use of data is nefarious or poses these sorts of existential threats to civil liberties and privacy. 

I would say that when it comes to the Department of Homeland Security using these phone tracking tools, the problem is that they’re using it in a criminal context. And traditionally speaking in criminal context, normally when we’re charged with crimes, when there’s a court case against us, we get to see a lot of the evidence against us, we get to understand what the government did, how it reached certain conclusions, what tools it used. We do allow some things to be withheld. If there’s an informant inside a gang, we generally don’t put their names in the court records. But by and large, most things in the criminal justice system are disclosed to the defendant.

In the case of many of the tools that DHS was using that I wrote about and in that particular border tunnel case, these things really weren’t being made clear to the defense attorneys, to the defendants, so the government had built this very quiet system, this program that would monitor the movement of hundreds of millions of phones, many belonging to Americans, and was sort of very reluctant to reveal what it was doing in court. And so I think that’s where the real challenge is — a lot of these capabilities, the government wanted to keep them quiet and in many ways that’s understandable that they don’t want people to change their behavior or to not click yes on certain apps. But I do think that really poses quite a dilemma, because, in theory, we as consumers should know what our technology does, and we should also know what tools and techniques the government is using in unclassified surveillance in the criminal justice context. 

RFN: Do you think that as this problem increasingly comes to light, reform will follow? Where do you see change coming from, if at all?

BT: It’s a great question. I certainly do think there are a lot of people in civil society and in the legislature that are uncomfortable with the idea that the government can buy its way around traditional constitutional protections. I think there’s also an increasing awareness that commercially available data on American citizens can easily be purchased not just by our government, but by foreign governments with much more nefarious intentions than just doing public safety or intelligence and [that] could potentially lead to things like transnational repression or cracking down on dissidents abroad. 

I think that’s why you see an interest in things like the Biden administration’s [data privacy] executive order, but I do think fundamentally until the root cause of the issue is addressed — which is this unrestrained data collection on the global population with very minimal rules on what happens to it and where it can be transferred to — it’s very hard to stop the government and just the government from having access to it. 

Because once these datasets are compiled, intelligence agencies and the police have a pretty decent argument, which is, “Well look, Walmart or Home Depot, they can all buy the same data to do ad targeting and our mission is much more important than selling toys or patio furniture and so when you’re passing certain laws, you’re just stopping us from acquiring this data, but you’re not stopping corporations from using it. You’re not stopping private investigators or nonprofits or journalists from using it.” So it’s hard to unwind this system of data collection and advertising. If it is unwound, it will be a project of pretty significant proportions.

RFN:  You wrote in the book about how even our car tires emit radio signals that anybody with an antenna can listen into. Can you talk about the data privacy threats posed by connected cars and the lack of transparency around what is being collected and sold and perhaps how the government is using that information as well?

BT: This is sort of the frontier of geolocation datasets because I think we all understand phones pretty well and I do think the tech companies under pressure from regulators and consumers have actually made it possible to curb some of this data collection, but cars, cars are manufactured by companies with very little experience designing privacy into their products. Until fairly recently, cars didn’t normally have to think about privacy or the version of a car’s privacy was tinted windows and license plate covers. Today they’re basically computers on wheels. The problem is they’re computers that don’t have tremendous safeguards and were designed by non computer companies. There’s many vectors for this data to go from the consumer to many parties unknown. 

I talk in the book about how during the pandemic, I was in the market for a new car and I went to a dealership and even trying to get the dealer to explain to me things about data transmission and how I could opt out of certain things was very difficult. The dealer had really never encountered someone who had asked these questions and the car’s privacy policy is not very clear. And so it’s really, really hard for the average consumer, and even sophisticated consumers who know what questions to ask, to really understand where data is collected and where it’s going. 

There’s all sorts of vectors for data to leave cars. There’s the connected car and telematics services, a lot of new cars have apps that you can open your car or track your car or do things with your car and those apps have embedded software and then they connect to a server that the manufacturer or contractors run in many cases. So it’s hard to know who’s getting your data there.

Car tires, the way they know their tire pressure, is they have a little sensor in there that says ‘I’m Acura tire 35252’ or whatever and “my pressure is 42 PSI” and that’s a unsecure wireless transmission between the tire and the car’s central computer. Now these car companies never probably envisioned that someone would be so clever as to develop little sensors that could track and read the car tire transmissions, but I’m here to tell you that clever government intelligence agencies and private companies have done just that, which is build these sensors. 

I don’t know to what extent this is an actual mass surveillance system, but it’s certainly a capability that the government is aware of, that there are tools to use and vacuum them up. And it’s possible to track people by their car tires because car companies in general have given very, very little thought to privacy and until they’re forced to by consumers or regulators. I don’t really think they will.

Beyond that, obviously automobiles drive on public roadways and public roadways are subject to all sorts of monitoring in their own ways. And so private companies have sprung up to run toll systems or put license plate readers in garages or there’s even a private company that puts license plate readers in tow trucks and garbage trucks as they move around cities in order to see where cars are, see where cars are going and take snapshots of them. 

RFN: If data brokers are severely constrained by state or federal legislation, how much will that impact government surveillance?

BT: I think at the highest levels that if you give consumers real meaningful choice and an easy way to exercise it, they, generally speaking, tend to opt out of very invasive forms of data collection. So I’m thinking of the fact that early on in the invention of the iPhone and the Android ecosystem, it was fairly easy for developers to monitor location and Google and Apple were not doing much to stop these developers. 

But starting three or four years ago, Apple and increasingly Google have made it much harder, or at the very least, they’ve made the notifications to the consumer, that the phone may be collecting their location or some app may be collecting their location and it’s doing it hundreds of times a day. By and large consumers opt out of those things. So if you make the notice very prominent, and then you make the opt out really easy, you get a dramatic reduction in the amount of data that flows to entities from consumers’ devices. 

I do think if a law were to give consumers legitimate choice and data brokers weren’t doing things that were underhanded and sneaky to avoid compliance with that law that you could potentially see meaningful consumer opt-outs of some of these invasive tracking technologies, some of these data brokers. I think, increasingly there is a deep awareness of the amount of data that data brokers have, and many consumers are turning to services like DeleteMe and their competitors to try to opt out of this kind of collection, especially consumers who are tech savvy, who often are wealthier, people like journalists or others in civil society, they’ve started to take matters into their own hands. And I think if there were stronger laws or stronger opt out mechanisms, I think many other consumers would take advantage of that as well. And yeah, it probably would have a trickle down effect on these various government programs that rely on corporate data to do things like track people.

RFN: Your book talks a lot about inside-the-Beltway private contractors who are helping the government mount and improve their surveillance programs. Who are these contractors and why are they important?

BT: There have definitely been well known data brokers that take government contracts, so I think Thomson Reuters, LexisNexis, Acxiom and others they have government divisions, they sell to the government, they do business with the government, but by and large, the ones that I really focus on in the book are not household names. They’re not even names that most reporters who cover Washington and tech in Washington might recognize. They’re very, very small companies, often a couple of dozen employees, if not less. They tend to be scattered around the D.C. area. Sometimes they partner with larger defense contractors, but by and large, they exist to procure either tools for the government, or often raw datasets. 

Some of them do fascinating things like set up marketing companies that seem to be shells for government data acquisition. Others really just build tools and sell them through government contracts. But by and large, this ecosystem has sprung up. They’re ever changing. It’s a very, very dynamic market. 

But at the highest level, the important takeaway is that there is this world of contractors, mostly in the D.C. area, but not exclusively, that exist to funnel data to government entities. It’s a business and sometimes it’s a pretty lucrative business and the government is a very, very interested buyer for datasets that exist commercially and these contractors exist to mediate between either the collectors of it or the aggregators of it and they exist to be a funnel and an entryway for this data to come into government.

PrivacyTechnologyInterviewsNewsPeopleGovernmentIndustry
Get more insights with the

Recorded Future

Intelligence Cloud.

Learn more.

No previous article

No new articles

Suzanne Smalley

is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.

 

Total
0
Shares
Leave a Reply

Your email address will not be published. Required fields are marked *

Previous Post

Apparel giant VF sends out breach letters to millions following 2023 cyberattack

Next Post

Chinese government hacker exploiting ScreenConnect, F5 bugs to attack defense and government entities

Related Posts

MITRE Unveils EMB3D: A Threat-Modeling Framework for Embedded Devices

The MITRE Corporation has officially made available a new threat-modeling framework called EMB3D for makers of embedded devices used in critical infrastructure environments. "The model provides a cultivated knowledge base of cyber threats to embedded devices, providing a common understanding of these threats with the security mechanisms required to mitigate them," the non-profit said
Avatar
Read More