How digital surveillance thrived in the 20 years since 9/11

The Patriot Act, passed in 2001 and followed by additional legislation, gave authorities wide-ranging surveillance powers. In exchange for giving up their privacy, people would be better protected from future terrorist attacks, the government promised.

The result: Absolute privacy largely evaporated. Whether you’re online or on the phone, you should now assume that you can be or are being monitored, privacy advocates say. “If you’re communicating with anybody abroad, whether they’re a target or not, your communications are being surveilled,” said Cindy Cohn, executive director of digital rights group Electronic Frontier Foundation (EFF). 

Meanwhile, since 9/11, the commercial Internet has experienced breathtaking growth, expanding surveillance deeper into everyone’s lives. Companies like Google and Facebook suck up increasing amounts of data about their users, to help target online ads and build more compelling smartphone apps. 

And as more Internet services grow dependent on personal data, it’s become harder for consumers to opt out of being tracked. In the same way that the U.S. government pitched its new surveillance powers as a tradeoff of privacy for security, corporations ask people to trade their privacy for convenience and better features.

For Cohn, both of these propositions—trading privacy for security or convenience—are mirages. “I think that now that we’re 20 years in, we really do see that that was an empty promise that you give up your privacy and you get more safety,” Cohn said. As for corporate surveillance, she added, “I think we’re all starting to wake up to the fact that that wasn’t a very good deal, and it wasn’t necessary.”

How 9/11 changed everything

During the 1990s, Congress debated whether the U.S. needed new privacy laws to keep up with the early but fast-growing Internet, said David O’Brien, a fellow at Harvard University’s Berkman Klein Center for Internet and Society. Web pages were becoming more interactive, and new technologies like cookies, which let companies track users across websites, helped birth the online ad industry.

Ultimately, the government decided to let the industry self-regulate without creating new agencies to oversee it, O’Brien said. The Federal Trade Commission ended up as the go-to agency to deal with any potential privacy problems, even though it wasn’t designed to oversee technology. 

After 9/11, government officials desperately wanted to determine how the attack happened, O’Brien said. Lawmakers authorized agencies to monitor foreigners more easily and access any information about them held by local law enforcement, thus breaking down a “wall” between domestic and international surveillance, he explained. 

The Bush administration also authorized the National Security Agency (NSA) to spy on the phone calls and emails of Americans without court-approved warrants. Critics said it violated the public’s Fourth Amendment rights that protect against unreasonable searches.

The government’s warrantless surveillance powers were further extended with the Foreign Intelligence Surveillance Act of 2008, better known as the FISA Amendments Act of 2008, noted American Civil Liberties Union​ staff attorney Ashley Gorski. The law gave the Bush administration legal authorization for the spying it was already doing. “I think the privacy and civil liberties community understood as soon as the law was enacted that this was a watershed moment and this was a very problematic law,” she said.

Edward Snowden’s revelations

A turning point for privacy came in 2013 when whistleblower Edward Snowden leaked a trove of confidential documents showing the extent of the NSA’s spying powers. It confirmed the worst fears of privacy advocates, who had suspected the government was surveilling millions of private citizens, but lacked evidence. “When you talked about government surveillance before Snowden, you got a lot of tinfoil hat responses,” said Jennifer King, a privacy and data policy fellow at Stanford University’s Institute for Human-Centered Artificial Intelligence.

The Snowden revelations also raised tensions between corporate America and the federal government, by showing that the government had tapped into the Internet’s backbone at key junctions, such as an AT&T building in downtown San Francisco, and siphoned people’s communications for analysis. Although experts knew that the U.S. government would occasionally obtain information from telecommunication companies for their investigations, the Snowden revelations showed that the practice was more common than what many technologists and experts had assumed.

One of the most brazen spying techniques revealed by Snowden was that the NSA had also secretly tapped into the fiber-optic cables that connect Google’s overseas servers, a move that was akin to a “nuclear bomb” for the search giant, O’Brien, said. “The tech companies were pissed is the easiest way to put it. I had the pleasure back then of talking with a number of senior executives, and it was palpable; they were just absolutely livid.”

The leaks would end up hurting the business of several tech companies like Cisco because countries including China became convinced that tech companies were letting the U.S. government use their products as spying tools, he explained. One encouraging result from the Snowden revelations, Cohn noted, was that they prompted tech companies including Google to strengthen the encryption that scrambles communications from third parties. “So as you surf around on the web, there’s a whole lot more security than there was before 9/11, and that’s due to the work of EFF and many others, including people at the companies,” Cohn said.

Big Tech vs. Big Government

Personal privacy was further tested in 2016 when the FBI wanted Apple to help it crack into the iPhone of a suspect involved in a high-profile terrorist shooting in San Bernardino, Calif. Apple, with support from other companies like Microsoft, Facebook, and AT&T, refused, saying that breaking into an iPhone would weaken the company’s overall cybersecurity and therefore risk the privacy of its consumers. 

Eventually, the FBI said it had found another way to break into the suspect’s iPhone. Still, the episode showed that tech companies could unite in protecting the rights of their users. It also raised hopes that if the U.S. government or law enforcement couldn’t be trusted, perhaps the tech companies, in some cases, could. But soon after, those hopes evaporated.

Facebook’s biggest data privacy blunder 

Facebook’s 2018 Cambridge Analytica scandal, in which an academic improperly obtained and sold Facebook user data to a political consulting firm, was a watershed moment for digital privacy. Before 2018, big tech companies would occasionally be swatted by the FTC for data privacy blunders. But the Cambridge Analytica incident seemed to turn public opinion against Facebook and, by extension, the tech industry, O’Brien noted. “That does seem to be the moment when people really snapped,” he said. 

While Cambridge Analytica was likely selling “snake oil” in pitching its ability to analyze personal information to manipulate voters, O’Brien noted, the public were upset. People tolerated having their Internet use tracked so that companies could show them personalized shoe ads. But the realization that businesses could use personal data to try to influence their politics took this idea of predictive analytics, the use of algorithms to infer people’s actions based on their history, to a new level.

The fallout of Cambridge Analytica coincided with the 2018 rollout of the European Union’s tough privacy rules, known as GDPR, that limit how companies can track users and collect personally identifiable information. Meanwhile, several states in the U.S., including California, passed their own privacy laws, limiting some of the information that online advertisers collected. “People will give up privacy when it’s really valuable to them in shopping environments and the things that they value,” said Grant McDougall, CEO of marketing tech firm BlueOcean. “When it’s clearly just to the betterment of the companies that sell products, they’ll push back on it, which means we will have to change the way that we engage people.”

Where privacy stands today

The recent rise of data-hungryartificial intelligence technologies has only added to the demand for digital data. In some cases, companies don’t even need personal information like full names and Social Security numbers to identify users online.

At the same time, many government spy programs remain shrouded in secrecy, which leaves Americans unaware of the extent to which their personal privacy may be compromised, Cohn explained. “The government has been highly successful at using things like state secrets privilege and confidentiality and other limitations on its transparency to keep the rest of us largely in the dark,” she said.

Stanford’s King, however, is optimistic, noting that people’s attitudes have shifted about data privacy and surveillance. The public are more willing to criticize companies for privacy violations than they have been previously. And recent reports that suggest many iPhone users are choosing to block smartphone apps from tracking them through a recent Apple feature show that consumers are more unwilling to hand their data over to companies than before.

“I think it’s becoming more widely understood just how good these tools are for perpetuating surveillance,” King said.

The backlash against Apple’s decision to scan customer iPhones for images of child sexual abuse is another example of growing concerns over privacy. Normally, efforts to combat child abuse imagery online has widespread support. But as Snowden recently tweeted, “if they can scan for kiddie porn today, they can scan for anything tomorrow.” Apple ultimately decided to pause the scanning feature’s debut while it conducts a review.

As Cohn explained, the public can’t depend on tech companies to protect them. Nor can the public depend on the government either.

“We have rights and values, and we shouldn’t actually have to depend on companies stepping up,” Cohn said. “We should be protected by the law and we should be protected by this technology.”