As security agencies digitize, oversight must keep up

There appears no limit to Americans’ readiness to invite digital technologies into every aspect of our lives, revealing to companies sensitive data about how we think and act. The challenge to consumer privacy is apparent, but information collected by the private sector can have a less-visible second life: Customer data can hold immense value for government agencies involved in intelligence, law enforcement and homeland security.

Our agency, the Privacy and Civil Liberties Oversight Board, was created by Congress to oversee the enhanced powers granted to the federal government in response to the 9/11 attacks. Increasingly, effective oversight means ensuring that agencies use digital technologies only for lawful and appropriate purposes. As with consumer protections, however, technology threatens to overtake analog-era constraints on national-security programs.

One reason is that digital technologies are rapidly eroding once-insuperable practical constraints on governments’ ability to monitor their citizens—for example, the impossibility, in an analog world, of collecting and retaining the massive volumes of seemingly trivial information that might one day prove useful to security agencies. Today, companies have powerful economic incentives, and near-limitless ability, to collect and store that data for their own business purposes. Recording even a single person’s location once required round-the-clock, shoe-leather surveillance by a team of gumshoes; now, police can obtain detailed location information on anyone who carries a smartphone, with comparatively little effort or expense. Email, text messages, internet searches, shopping habits, names and photos of family and associates, questions posed to a smart speaker, images from doorbells and other smart-home devices, and much else: Once data is retained by a private company, it becomes theoretically accessible to government agencies with the requisite legal authority.

Government access to private-sector information isn’t new, of course; the government could always subpoena a suspect’s bank transactions or phone records. What’s novel is the comprehensive portrait of each person that emerges from the data as ever more aspects of our lives are digitized and ever more powerful algorithms are mining the data. And so the present debate over digital privacy is also, albeit indirectly, a debate over how much the state can learn about us.

The glut of data produced by a digitized society will require legislators and oversight bodies to re-think, or at least supplement, the law’s traditional focus on limits to the government’s ability to acquire information. To be sure, such limits are vital and have a venerable pedigree grounded in the Constitution’s Fourth Amendment. Yet it is unclear that they can serve as a sufficient check on governments that may in theory be able to derive detailed portraits about their citizens from datasets that are publicly available, purchased, or voluntarily provided by companies. (The Supreme Court’s widely noted 2018 Carpenter decision held that the government must obtain a warrant before compelling a wireless carrier to turn over detailed cell-site location information, but did not address publicly available or voluntarily provided information.)

Legislators and oversight entities, therefore, must take stock of the full life cycle of data gathered by the government, examine how agencies use the data they have in addition to confirming that it was lawfully acquired. Who will have access to a dataset once it is collected by an agency?  For what purposes?  How will the data be tagged, and what access controls or other security measures will be in place to prevent unauthorized use or disclosure?  How long will the data be retained?  Can the data be shared outside the agency? With whom, and for what uses? Are artificial intelligence or other advanced analytic tools being applied to the data? The last question becomes increasingly relevant as powerful analytics mean that seemingly innocuous data can yield revealing conclusions; witness the creepily prescient insights that data-rich companies derive about their users.

Legislators and oversight entities should also ask whether the same technologies capable of diminishing privacy can also help protect it. For example, as technology advances, artificial intelligence may be able to flag potential misuse of sensitive datasets by government analysts, augmenting the capabilities of auditors, lawyers, and other oversight personnel. Software used by analysts and investigators could be designed to automatically record each query of sensitive datasets, enabling AI and human auditors to verify that those entrusted with sensitive information about their fellow citizens use it appropriately.

The twist, of course, is that intelligence activities must take place largely in secret. It thus falls to oversight bodies like Congress, the Foreign Intelligence Surveillance Court, and our agency to pose questions like these as proxies for the public. Most importantly, oversight bodies and agency leaders must ensure that the government’s collection and use of data comports with the expectations and values of the American people.

The good news is that the United States is as well positioned as any country to reconcile digital-age surveillance with the rule of law. Since the late-1970s, Congress and the executive branch have erected a detailed legal framework for domestic surveillance and an oversight architecture spanning all three branches of government. Agencies within the intelligence community now include oversight and compliance offices that, while not a substitute for independent oversight, reflect concern for complying with the law and retaining public trust. These institutions are not perfect, and our Board will continue to advocate for greater accountability and transparency. But they are cause for tentative optimism.

And yet. Even with strong institutions and the best intentions, digital technologies challenge the expectation of personal privacy that Americans have long held sacred against their government. What is true in the debate over consumer data applies equally to government surveillance: the laws and institutions that we erect around digital technologies will determine whether we can harvest their promise without reaping their peril.

Adam Klein is chairman of the Privacy and Civil Liberties Oversight Board, an independent, bipartisan agency within the executive branch. Edward Felten and Jane Nitze are members of the Board.