Surveillance & Privacy

Tracing the Origins of a ‘New American Surveillance State’

Sarah Lamdan
Friday, May 9, 2025, 1:00 PM

A review of Byron Tau, "Means of Control: How the Hidden Alliance of Tech and Government Is Creating a New American Surveillance State" (Crown, 2024).

A Transportation Security Administration checkpoint, March 11, 2019. (Michael Ball, https://commons.wikimedia.org/wiki/File:Transportation_Security_Administration_Checkpoint_at_John_Glenn_Columbus_International_Airport.jpg, Public Domain)

Published by The Lawfare Institute in Cooperation With Brookings

I was at the airport last week, headed home from a work trip. A few families filed through security as I fished around in my bag for my own driver’s license. They approached the makeshift wall of acrylic windows and metal, stopping to engage in the air travel security ritual. Each traveler held their tickets above the laser barcode readers. They showed their photo IDs to the Transportation Security Administration (TSA) agents. This airport was outfitted with Credential Authentication Technology (CAT), tablet screens that enable facial matching by snapping a photo of each person who passes through and comparing it to the image on their ID. The CAT system is meant to improve efficiency and accuracy. As one TSA executive explained, “People are not good at matching faces,” adding “[m]achines don’t get tired.” Who wouldn’t trade a quick photo to shorten the wait in that security line purgatory between the ticket counter and their gate? 

Not everyone, it turns out. The traveler in front of me ground the TSA process to a halt. He had an animated conversation with the TSA agent through the plexiglass, gesturing at the camera and shaking his head. Perhaps he was concerned about how his data might be collected, or even misidentified. Fears about the invasiveness and error-prone nature of these facial recognition systems are certainly not unfounded. Civil rights groups have raised concerns about both of these issues. 

The agent became exasperated, pointing at the tablet, directing the passenger to stand in front of it. Finally, he grudgingly allowed the traveler to exercise his right to opt out of the CAT verification. When I approached the agent’s kiosk, he smiled apologetically and said, “Some people are so scared of nothing. It’s just a picture!” as if we were kindred spirits. I didn’t respond, not because I agreed with the agent’s sentiment, but because I knew that trying to avoid the government’s surveillance systems is an exercise in futility. The passenger who resisted the camera was already known by the TSA, the FBI, the IRS, the local police department—an alphabet soup of federal, state, and local enforcement agencies. 

You don’t know which airport I was at, but the government does. The U.S. government has access to vast quantities of information about us, billions of bits of data supplied by thousands of sources, updated in real time. With or without authentication technology, government agents could ascertain who I am, what times I passed through the airport, what I’d paid for my tickets, when I’d bought them, and where I’d travelled during my visit. Without too much effort, they could probably figure out the reason I’d visited as well. Federal, state, and local governments use the most robust surveillance systems in history, virtual fire hoses pumping billions of units of information about all of us into searchable databases, data analytics systems, and potentially generative artificial intelligence.

How did we get here, to a place where a facial recognition system run as a collaboration between government and private tech companies is a routine part of travel in the United States? Twenty years ago, such technology was science fiction in films like “Minority Report.” Byron Tau’s “Means of Control: How the Hidden Alliance of Tech and Government Is Creating a New American Surveillance State” describes how we ended up with the data-infused surveillance systems we have today. He describes the partnerships between an array of government agencies and a slew of commercial data providers that enable a daunting array of surveillance systems in the United States—the nation’s top spies and most powerful, consequential private eyes. Agencies ranging from oversight agencies, to programmatic and administrative agencies, and, most consequentially, law enforcement agencies rely on data broker products to identify and track people and, in some cases, to sort them by how likely they are to commit a crime or to label them as criminals.

Much of the scholarship and reporting on data surveillance critique its shortcomings. Academics and journalists have written hundreds of articles showing how everything from predictive policing algorithms to facial recognition software risks people’s civil liberties. The research describes how algorithmic biases and faulty datasets lead to erroneous identifications, with harmful consequences such as losing vital Social Security assistance, experiencing unwarranted interventions from children’s welfare agencies, and even being subject to illegal detentions and wrongful arrests. But that’s not where Tau starts his book. Instead, he begins by demonstrating the utility of data surveillance in the wake of the Sept. 11, 2001, terror attacks. He tells the harrowing story of how foreign nationals slipped through numerous intelligence safeguards to ultimately perpetrate the largest terror attack on U.S. soil. Twenty years ago, the government’s surveillance systems simply weren’t up to the task of tracking terrorists. Various agencies had stores of information, but it was disparate, dissociated, and disorganized. The government had a smattering of siloed records systems that could pick up vague and nonspecific warnings, but it did not have enough informational power to be precise. When the 9/11 Commission convened to figure out what had gone wrong, it concluded that U.S. intelligence was outmoded, “built in a different era to confront different dangers.”

The commission’s report led to calls for an overhaul: The U.S. needed more effective and information-rich intelligence in order to prevent future attacks. In the months after 9/11, consumer data brokers, including Acxiom and Seisint, were invited to demonstrate their data-sifting tools for the White House and gained support from members of Congress eager to identify terrorists. The companies swooped in to offer their wares to the government—data-sorting systems that could sift through public records databases and identify potential threats.

In its efforts to prevent terrorism and fight crime, the government looked not to its own technological innovations, but to the tools already developed to serve America’s consumer economy. Commercial data companies could supply information about how people were communicating, planning, training, and traveling. They could also sift through that data to expose patterns and flag unusual activities. After 9/11, with the help of commercial data providers, the FBI was able to gather thousands of data points, including travel records, credit card transactions, and even gym check-ins to retrace the hijackers’ steps. Before 9/11, the companies focused on using their data services mostly for commercial enterprises—targeted marketing and identifying consumer habits—dabbling in limited government initiatives and focused missions such as a particular child trafficking initiative or a specific military program. The government’s desire for more robust surveillance in the wake of the terror attacks expanded opportunities for data brokers to work with the government. In partnership with private-sector contractors, the FBI and other federal, state, and local law enforcement agencies could avail themselves of services like the “Bad Guys Database,” a data broker creation that amounted to racial profiling of young Arab Muslims. 

From the initial meetings between data brokers and government officials, Tau follows the growth of the tech industry and the government surveillance programs that flourished alongside it. The technological boom of the subsequent decades would turn everything from watches to refrigerators into data-sucking devices. It would also provide data-sorting systems that could organize people’s data into mosaics reflecting their daily lives and even predict what they might do next. Every new data source and system created opportunities to identify and track people, and data companies were eager to help the government fight crime and protect national security. Tau aptly describes today’s government intelligence systems as ones “built by corporate America and blessed by government lawyers.” 

Although the trajectory of data surveillance that Tau depicts is an upward arc, it isn’t smooth. Instead of a singular surveillance system, he describes various companies, ranging from data brokers specializing in public records databases to social media corporations, working with various government agencies on different projects. FBI programs to foil domestic terrorist plots were boosted with data brokers’ services. Scientists helping tsunami victims at the National Geospatial-Intelligence Agency used Twitter tags to find people in need of aid. Today, agencies from the IRS to the Department of Veterans Affairs subscribe to data brokers’ data collection and data analytics platforms and services to track potential fraud and identify risks.

What is clear throughout the book is that data is useful, it’s for sale, and the government’s buying. Tau describes the tension between a government eager to reap the benefits of data brokers’ tools and civil rights advocates alarmed by how invasive these tools are. 

There were, and continue to be, few legal safeguards to quell civil rights concerns. The Privacy Act of 1974 was supposed to prevent the government from misusing people’s data. It requires government agencies collecting people’s data to follow procedures, including notifying the public before creating a new system of records, providing plans limiting how long data will be used, and ensuring that it will be used only for its stated mission. But when Congress envisioned the future of government surveillance, it anticipated that the government would collect its own data and manage it internally. Lawmakers did not foresee a future in which the government would partner with private companies, purchasing subscriptions to data services that look more like research platforms and less like the systems of records that are within the act’s purview. 

The Fourth Amendment’s warrant requirements, which are meant to protect people from government intrusion, also fail to safeguard people’s rights when it comes to data-fueled surveillance. In Smith v. Maryland, the Supreme Court decided that using a pen register (a device that records numbers dialed on a phone) does not require a warrant. The Court theorized that, when a person dials a phone number, they consensually share that information with a third party: the phone company. It surmised that people waive their expectations of privacy when they share data with a third party. While the Court has limited the third-party doctrine in the context of digital data, holding in Carpenter v. United States that historical cell site location data is protected by the Fourth Amendment, the doctrine has not been wholly rejected, despite the fact that modern data collection is so ubiquitous that we shed data exhaust whenever we are online.

Both the Privacy Act of 1974 and the third-party doctrine are vestiges of pre-internet, pre-data broker law. Data companies like the ones Tau describes in his book help government agencies buy their way around these outmoded laws. Lawmakers have tried to close warrant loopholes with legislation like the Fourth Amendment Is Not For Sale Act, but it has yet to pass. 

“Means of Control” chronicles the surveillance infrastructure government agencies have built in partnership with tech companies but pays less attention to how it feels to be subject to that infrastructure. The dearth of up-to-date data privacy safeguards has led people to share a sense of futility about invasive data surveillance. Tau shows that secret surveillance programs that were shunned for being too invasive in the early aughts seem quaint compared with the ones openly operating today. How does that softening of privacy expectations affect the populace whose data is subject to invasive tracking practices? That is a topic worth exploring in the future.

Researchers and advocates have spent years attempting to cobble together a more complete picture of the government’s surveillance programs, which often operate out of public awareness and out of reach of open records requests. Slicing away at thickets of secrecy, GLOMAR responses, and nondisclosure agreements, unraveling this world can feel impossible. Thankfully, Byron Tau painstakingly does this work for us all, giving us a precious glimpse into the facts of data surveillance. He cuts through the layers of secrecy to reveal the networks of agencies and companies that operate with little government oversight and fewer legal safeguards. Tau could have kept writing this book forever—tech industry growth, and new surveillance opportunities, seem infinite. “Minority Report”-styled data surveillance is no longer science fiction. It’s here, and we have to decide if, and how, to deploy it.


Sarah Lamdan is a lawyer and librarian. Her research on data privacy and data brokers has been featured in Government Information Quarterly, Library Quarterly, and Georgetown Law Technology Review. She is the author of “Data Cartels: The Companies That Control and Monopolize Our Information” (Stanford University Press, 2022).