Personal Information, Government, and the Not-So-Private Sector

by Paul R. Pillar

Though fully justified, the sudden attention paid to the exploitation, including for political purposes, of information on millions of Facebook users in ways that ought to make those users uncomfortable—and to how Facebook does not seem to have cared about such abuses—has been tardy and myopic. It took the story about Cambridge Analytica’s mining of Facebook data to get that attention, even though the probability of such unwelcome exploitation of personal information has existed since the dawn of social media.

Few discussions of the current issue involving Facebook have put that issue in a broader context, which would provide perspective to similar questions of privacy and big data that have aroused controversy in the past. Specifically, commentary and reporting on the Facebook matter have made almost no reference to what was a headline item not long ago: collection of information on Americans as a by-product of foreign intelligence collection by governmental organizations such as the National Security Agency. This collection has involved bulk “metadata” on telephone calls that include the timing of calls and the phone numbers of participants but not the content of conversations. A related matter has been the intercepting of conversations that, although the target is a foreigner, involve a U.S. person on the other end of the line.

Similarly, when news stories and congressional hearings focused on these NSA activities just a couple of years ago, the coverage and commentary generally did not provide the perspective that would have come from comparing these activities with commercial collection of data on Americans. Only a few lonely voices like myself pointed out that Americans have more to fear from commercial enterprises exploiting personal information about them than from anything a government agency might do in this regard.

The government activity is subject to numerous checks and controls, whereas the commercial activity is subject to almost none. What the NSA does with either metadata or intercepted content—besides being an object of congressional oversight—takes place under extremely strict controls internal to the agency or the executive branch that limit the officials who have access to such data in addition to limiting the use that can be made of it, even inside the intelligence community. Contrast that with the telecommunications companies, which have direct access to everything the NSA could ever hope to acquire about the telephone calls of Americans. But Americans aren’t given even the faintest idea of how the companies handle the data or who inside the companies has access to it. With the burgeoning of social media, the personal data at stake goes far beyond telephone calls.

The Profit Motive

Another difference involves the very raison d’être of the organizations involved. The intelligence agencies exist to perform a foreign intelligence mission. They are judged to be successes or failures according to how well they perform that mission. Tightly controlling and keeping secret the material they handle is important to accomplishing that mission.

In contrast, the commercial enterprises exist to make a profit. Their incentives regarding handling of the data they collect run in the opposite direction from the intelligence agencies’ incentives. Facebook’s business model centers on making personal information about its users available to advertisers and others willing to pay to exploit the data. (Remember, if you think you are using a product for free, then you are the product.) “There’s a sort of intrinsic problem with having for-profit entities with this business model in this position of so much public trust,” observes Tim Wu, formerly with the Federal Trade Commission and now a law professor at Columbia. “They’re always at the edge because their profitability depends on it.”

The customary arguments that there is more basis for worry about government collection of data than commercial collection have always been weak. The government is fundamentally different, we are told. “The phone company can’t arrest you.” Well, neither can the NSA. Government involves an element of compulsion, we are told, that does not exist in the private sector. But if you want telephone service, you necessarily have to surrender all of the information about all of your phone conversations to the company that provides that service.

With regard to social media, there is an element of addiction, as reflected in apt comments today about how difficult it will be for many heavy users of Facebook to give it up even if they are upset about the privacy issue. This should place social media in some of the same conversations about government regulation as tobacco or opiates. As for commercial services requiring permission from their users before making use of their data, this is a joke. Almost all users click the “accept” box without wading through the legalese in the terms of service. Also, as Wu points out, Facebook’s privacy settings have been in large part a sham that do not prevent the sort of exploitation of data that is now an issue.

An irony about the government-vs-private sector dimension of data exploitation involves one bit of exploitation by former Trump political adviser Steve Bannon. He used Cambridge Analytica, which in turn was using Facebook data, to test how some themes would play with voters in the 2016 election. One of those themes was the notion of a “deep state.” Thus, while a governmental deep state that supposedly uses all its ample information to do whatever it wants is a fiction, non-governmental collection of personal information has helped to sustain that fiction in the minds of Americans.

Private Data Applied to Government

The government-nongovernment dimension in exploiting data has come full circle in other ways. The personal information on Facebook users that Cambridge Analytica exploited helped to elect Donald Trump—with everything that election implies for how a Trump-led government touches those users’ lives, no matter how strongly opposed to Trump many of them may have been.

Now Trump has named as national security advisor John Bolton, whose political action committee also was an early user of Cambridge Analytica’s operation. And related to those past controversies involving the NSA, Bolton—although he was a loud complainer about requests from Susan Rice when she was Barack Obama’s national security advisor, to “unmask” the identities of U.S. persons in intercepted communications—was himself one of the most prolific unmaskers. It is hard to imagine how Bolton, as an undersecretary of state for arms control, would have had as much legitimate reason for such unmasking as did a national security advisor looking at Russian interference in U.S. elections. Possibly Bolton’s requests had more to do with his well-established proclivity for trying to expel from the bureaucracy anyone whose views differ from his own. Fortunately there are checks in government on such abuses, although one has to wonder what will become of such checks with Bolton in charge of the national security policymaking apparatus.

The well-entrenched attitude that Americans have more to fear from what government does with their personal data than what commercial enterprises do with it is ultimately based not on an understanding of actual hazards but instead on the crude ideology of “government bad, private sector good.” Perhaps the understandable uproar over Facebook’s practices will start to change that attitude, but don’t count on it.

Paul Pillar

Paul R. Pillar is Non-resident Senior Fellow at the Center for Security Studies of Georgetown University and an Associate Fellow of the Geneva Center for Security Policy. He retired in 2005 from a 28-year career in the U.S. intelligence community. His senior positions included National Intelligence Officer for the Near East and South Asia, Deputy Chief of the DCI Counterterrorist Center, and Executive Assistant to the Director of Central Intelligence. He is a Vietnam War veteran and a retired officer in the U.S. Army Reserve. Dr. Pillar's degrees are from Dartmouth College, Oxford University, and Princeton University. His books include Negotiating Peace (1983), Terrorism and U.S. Foreign Policy (2001), Intelligence and U.S. Foreign Policy (2011), and Why America Misunderstands the World (2016).

SHOW 1 COMMENTS

One Comment

  1. The respectable author of the post , is really wrong . For too many reasons , but two right now :

    First , fines and sanctions are sometimes huge ( for breaching privacy of data ) . It is typically , calculated so , that sanctions would exceed , any motivation for making profits . That is to say , that it would be unworthy , unprofitable , to breach and violate regulations have to do with guarding privacy , simply because of the huge amount of money lost , compared to profits made from such data of course .

    Second , one needs to look , at the transfer or crossing of data, between governmental agencies .Typically , a commercial company , would seek , specific niche or group or area , like : food , cars , traveling / tourism and alike . But , when dealing with governmental agencies , we deal with potential endless transfers and crossing and comparing all kind of private data , like :

    offshore bank accounts , which may be compared with travels to certain states , further to family connections abroad , business abroad , tax information whether national or International and so forth …. Endless areas V. very narrow niches typically in commercial terms . So it is forming so : coherent and comprehensive profiles of residents . That is a hell of game changer of course !!

    Here for example, really negligible fine for negligible breach relatively ( let alone for google ) :

    ” The Guardian ” ( online ) bearing the title :

    ” Google ‘faces $22.5m fine over Safari privacy breach'”

    Thanks

Comments are closed.