Your data, the U.S. government and the 'new American surveillance state'

Your exact location, what apps you use, the last thing you bought online.

Your data is for sale – and the U.S. government is buying it.

Today, On Point: What you need to know about the shadowy world of data collection.

Byron Tau, journalist. Author of “Means of Control: How the Hidden Alliance of Tech and Government is Creating a New American Surveillance State." Currently works at the Albritton Journalism Institute.

Part I

DEBORAH BECKER: Many of us have probably had an experience similar to that of On Point listener Christina Hoffman, who lives in California.

CHRISTINA HOFFMAN: So one day I'm listening to music via Alexa Echo and a song came on and I said, "Oh, I love this song. I would have this play at the memorial service for me." And my daughter says, "Oh, wow.

Yeah. You got to let us know." I'm young and not dying anytime soon, but we were just chatting. I like to plan all sorts of parties and to the music. The next day, I'm getting ads on Facebook and other things about funeral homes.

BECKER: And Christina says she was freaked out.

CHRISTINA HOFFMAN: I'd never searched anything online about that.

That was just from a conversation in my kitchen. And I didn't say, "Hey, Alexa, look up funeral homes." I didn't even ask for that. It was while music was playing, very strange.

BECKER: And On Point listener Reginal Jaramillo also in California recently learned that the TV streaming company Roku collects and sells information about him.

REGINAL JARAMILLO: The surveillance is ridiculous. I don't feel like I have anything to hide, but it frustrates me that corporations are able to profit off of our information and that they're willing to pay basically anyone, but the people themselves for that information. I accidentally bumped into the service and terms agreement of my Roku device.

It's upsetting me so much when I found out that anytime you plug in a USB device into the Roku, they get access, they get to know what you're watching and they get ownership of it, in a way. So to some degree, we know we're being watched, but what most of us don't know is what happens with our personal data.

BECKER: Maybe we realize some information is being sold to people who will then try to sell us products through targeted ads. But our guest on the show today says our digital footprints are very attractive to the U.S. government, which is buying our data for surveillance. Journalist Byron Tau traces this alliance between government and corporations for our data in his new book titled, "Means of Control: How the Hidden Alliance of Tech and Government is Creating a New American Surveillance State."

And he joins us now. Byron, welcome to On Point.

BYRON TAU: Thanks so much for having me.

BECKER: So let's dig in a little bit into this sort of opaque world of data brokering first. Can you describe how our information is being collected? How much of it is there?

TAU: Sure. So it depends on what type of data broker we're talking about, but broadly speaking, corporations collect a lot of data on the global population.

That can be everything from address history, to employment to things like marriage records. Those are traditional data broker records. But in recent years, companies have sprung up to scrape social media posts and resell that to companies and governments who are interested in investing in insight about what's being said on social media. Phones and cars broadcast things like their GPS location.

And there are data brokers that specialize in that. And increasingly today we have this weird world of wireless data. Our Bluetooth headphones emit wireless data. Even our car tires emit wireless data. And believe it or not, there are these data brokers that set up things to collect strange wireless information from devices as they move around the world.

BECKER: So there's no sort of central repository or anything. Each of these particular brokers might be able to say, that's the piece I'm looking at and I can resell to this group. And it's a bunch of different organizations and corporations doing this.

TAU: That's right. The data broker ecosystem is massive. It includes billion-dollar companies that are sort of household names, companies like Thomson Reuters or LexisNexis. Things that people who have worked in information or in research or in law might have heard of. And then it stretches to small, tiny companies in the D.C. area or in New York City or in San Francisco that broker very esoteric, strange data sets. So it's a mix of companies of all different sizes and there are hundreds, if not thousands of them.

BECKER: You can certainly understand how this information might be attractive to a corporation. Why is it so attractive to the government, especially because it has all these potential legal pitfalls?

TAU: Sure. So corporations collect this information, because they're trying to understand the world. They're trying to understand something better about their consumers. They're trying to target them a little bit better. They're trying to identify people who might be interested in their product. And government has a lot of the same drives, right?

Governments, too, want to understand the world. They want to track people who are late on payments, to child support payments. They want to identify people who are criminals. And in the case of intelligence agencies in the military, they may want to do other kinds of targeting.

So governments, like all organizations, are interested in trying to better understand the world around them. And corporate data is a very attractive way to do that. Because by and large it has fewer restrictions on it than when you do something like get a search warrant or when you engage in very intrusive surveillance, you go to a secret court and apply for a spy warrant on someone.

That's a lot of paperwork. If you buy the data commercially, there's a lot less privacy restrictions on it and there's a lot less rules about how you can use it internally inside government.

BECKER: In your book, you quote the work of retired Harvard University professor Shoshana Zuboff, who coined the term surveillance capitalism, the practice of tech companies profiting from data.

So yes, understanding the world, but there's a lot of money to be made here. Let's listen to a little bit of what Professor Zuboff says.

SHOSHANA ZUBOFF: They understood right from the start, and I mean from the start, going back to the very early 2000s, that as soon as people find out about what's really going on, they hate it.

They rebel. They resist. They want to hide. They want an alternative. But what's happened over these past 20 years is those alternatives have disappeared. And so now we find ourselves pretty much trapped. Every internet interface is now a data supply chain.

BECKER: So Byron Tau, is everything a data supply chain?

Is this just another example of capitalism here and really profiting from data?

TAU: I think that's exactly right. It's no exaggeration to say that trillions of dollars in corporate wealth are tied up in data collection from big, giant companies like Google and Meta and Apple, to these tiny data brokers that I'm talking about, who cater to the government. Data is huge business and corporations and consumers all participate in this system that underpins a lot of what we do online.

It pays for a lot of what we do online. It is the way we get news, in a lot of cases. It's the way we get entertaining apps. It's what pays for our weather app. And it really is a trillion-dollar project to unwind it. If people don't like this world we're living in.

BECKER: Yeah. But of course, the question, is it legal?

And is it legal because of that 200-page term, terms of use or agreement that we checked the box on? And does that make it okay?

TAU: Yeah, it's a great question. So by and large, when governments buy data on citizens, and I'm talking about the U.S. government, but by and large, this reporting that I've done applies broadly, it applies to other governments like Russia and China, they also buy data.

But speaking about the rules, when the U.S. government buys data, when we click on some terms of service or we click, I accept when we download an app, we have essentially consented to consumer data collection. And lawyers inside the government have taken the position that if this is data that's available for sale and that people have agreed to share it with a corporation and then that corporation lawfully makes it available for purchase, then that by and large is legal for the government.

That doesn't mean the government can do whatever it wants with it. So there are rules on government use of data. And when I say government, I'm speaking broadly, there's lots of different kinds of government agencies that use this data. But by and large, you're not supposed to look up your neighbor or your spouse or the person you're going on a Tinder date with next week.

But by and large, if the government has a lawful mission and it's purchased data, lawyers have, generally speaking, concluded that this is okay.

BECKER: Basically, I have no expectation of privacy from that data, of my data once I click that box.

TAU: If you've shared it with a corporation and that corporation is making it available as part of a commercial transaction and the government is the buyer, then yes, that is the conclusion that a lot of these government lawyers have reached when they've looked at questions about whether government agencies can buy data on the population.

BECKER: One of the things that came out in your book that was so surprising to me, one of many, was when you talked about the monitoring of our cars, tire pressure sensors, and you actually tried to buy a car that wouldn't be monitored. Can you describe that process? Because I thought that was an amazing story.

TAU: Yeah, the Hyundai dealership I walked into had no idea what they were in for when they got me as a customer.

BECKER: (LAUGHS) I bet.

TAU: I was very interested in car privacy because I was in the middle of doing the reporting for this book. And one of the things I had learned was that cars emit radio signals.

Some of those radio signals come from things like your Bluetooth, the thing you pair your phone with, so the infotainment system, that emits a radio signal. But another thing that most people don't realize is that their car tires actually have a little wireless sensor in them. And that's the way that your car, when you start it up in the morning, knows what the tire pressure is. And might tell you, "Hey, it's cold today. Your tire pressure is low."

That's actually a radio signal that can be intercepted if you know where and how to listen for it. So very clever government intelligence agencies have developed these sensors that do it. There are companies that actually take advantage of this technology to monitor traffic flows through construction zones, so cars can be tracked through these wireless emissions in their car tires. And cars can be tracked through the wireless emissions that come off the entertainment system.

And in addition, cars, as the New York Times recently reported, are also collecting a lot of GPS data through the infotainment system, that the car salesman tries to upsell you on when you're in the dealership. And that information is often available for sale. In fact, General Motors was making it available to certain data brokers who were then making it available to insurance companies.

And then people's rates got jacked, because their car was monitoring how they drove. And so cars are one of many technologies today that emits all sorts of data. And data brokers or government agencies, or the right kind of sensor can pick up that data as you move around the world.

BECKER: And so were you able to get a car that wouldn't track you?

TAU: I was able to get a car without the infotainment system that has the GPS or the roadside assistance, but you really can't get a car, a reputable dealership will not rip out the infotainment system or rip the tire pressure sensors off your car. Because they're a safety mechanism.

Part II

BECKER: In the first part of the show so far, I think we've established there's a huge amount of data about all of us. It's out there. It's electronic. People can easily monitor a lot of our activities. And some of that's being shared with the government. In your book, you quoted a technology consultant who works on projects for the U.S. government saying, quote, "The advertising technology ecosystem is the largest information gathering enterprise ever conceived by man. And it wasn't built by the government." And yet the government wants this information, right?

TAU: That's right. The way that large corporations have figured out to deliver targeted ads to people, that basically connects every smartphone and computer on earth that gets targeted ads.

And I think we all get targeted ads, just by virtue of what we put on our phones and computers today. That connects them with these servers where thousands and thousands of companies are all trying to bid on ad space for billions of people around the world, and governments or their contractors or their proxies are lurking in these ad networks, trying to extract information about these billions of devices. Because some of it has useful GPS information.

Some of it has useful cyber security information, like IP addresses. Because every time you see a targeted ad, you actually need to share something back to the company that's trying to serve it to you, in order that they know who you are. And an information collection system that powerful was bound to attract the attention of governments around the world who are very hungry for data, trying to do their missions, their public safety mission, their national security mission, their military missions.

It's a huge repository of data, and it's a very attractive target for government entities.

BECKER: Yeah, what about, before we get into some of the history of this, what about, what's that worth? What are we talking about in terms of an industry? How much money?

TAU: So it's funny, because on the consumer side your data is probably worth a few dollars to these companies.

But when you aggregate billions and billions of devices, and billions of people browsing the web, you're talking about real money. And so again this is probably, targeted advertising is probably close to a trillion-dollar industry. The tech companies that don't necessarily do targeted advertising as their primary business, but it's a secondary effect of the service.

So think Facebook, think Google, they are primarily consumer facing companies that want users to use their platforms, but they make their money off of targeted ads, and those are trillion-dollar companies. And so there's a lot of money tied up in all of this.

BECKER: And this basically, it became attractive.

The data became attractive to the government. And this idea of using some advertising data, really started as a public safety campaign. It really has its roots in 9/11. We have a piece of tape here from former President George Bush in October of 2001 signing the Patriot Act.

And of course, that measure gave the U.S. government permission to surveil Americans who were suspected of terrorism or having links to terrorism. Let's listen.

GEORGE BUSH: Countering and investigating terrorist activity is the number one priority for both law enforcement and intelligence agencies. Surveillance of communications is another essential tool to pursue and stop terrorists.

Existing law was written in the era of rotary telephones. This new law that I sign today will allow surveillance of all communications used by terrorists, including emails, the internet, and cell phones.

BECKER: That was former President George Bush talking about the Patriot Act. So I wonder, Byron, can you tell us, how did this get the ball rolling on really what we're talking about here, surveillance of all communications, as Bush said?

TAU: So going back before 9/11, the primary mission of say, the military or the intelligence community, was to try to understand the intentions of foreign states. So our primary rival, the Soviet Union, but of course the U.S. government was also trying to understand other countries. After 9/11, the mission suddenly changed, to trying to identify people embedded within larger populations who meant to do harm.

And that meant that the kinds of information that was interesting to government agencies changed as well. There's an amazing document I found while doing this research. It's an FBI document from shortly after 9/11. I think it was compiled as part of the 9/11 commission report. But it basically tells the story of the 9/11 attacks primarily through commercial transactions, right?

It talks about the rental cars that the hijackers would rent. It talks about what gym memberships they got. It talked about what airline trips they would take to scout and understand the vulnerabilities in our airline system. And it was after 9/11 that governments realized that it wasn't just their sort of secret intercept data or their human agents providing reports back to government that might have value, that corporations were collecting a huge amount of data about how people moved around, what they were buying, where they were living.

In some cases, you could get insight into who they were associated with. And that information had real, true investigative value when it came to trying to understand who people are and who they're associated with. And so that began a years-long experiment in trying to bring in more commercial data sources and developing partnerships with data brokers. And in figuring out if government could use data computers and advanced technology to sort through large piles of corporate data and secret data, merge them together and look for things like patterns or outliers or strange behaviors in the population.

And so that's how this all got started.

BECKER: I wonder though, in hindsight, yes. Look at all this data that may have been available online had we been able to connect the dots, right? But how accurate is that if you don't know exactly what you're looking for first? Those of us in Boston also are keenly aware that there were a lot of data points online.

And even warnings to officials about the Boston Marathon bombers and those warnings were never heeded, obviously. So we don't know if something doesn't happen, but we don't know what may have been prevented by government's use of this information, do we? So how accurate might it be?

What do we know about it really being a strong public safety, preventative public safety tool?

TAU: Yeah. As you say, the government gets plenty of warnings about events that later turn out to be quite tragic and it probably gets an even huger volume of things that never turn out to be anything at all.

And so sorting through that pile of tips and leads and people who seem suspicious is a very difficult task. And it's always been a very difficult task. And when you acquire huge amounts of data, it actually sometimes makes it more difficult, right? Because you have to sort through it, you have to process it, you have to try to identify the signal from the noise.

And that remains a huge challenge for government entities. It was a challenge in the run up to the 9/11 attacks, and it's been a challenge in a number of other tragedies and mass shootings and attacks ever since, including the Boston marathon bombing. But governments are very interested in doing things like experimenting and as to whether they can take a large-scale data set on the whole population and see if you can identify strange patterns of behavior in it.

There was a program called Total Information Awareness that came up after 9/11 and they were trying to study do this very thing, to sort through large volumes of information, some of which they knew was inaccurate or out of date or false.

But they hope to get enough of it and to meld it with their sort of classified information and then do pattern matching. Look for people, say, just hypothetically, who rented a truck, and then also bought a lot of fertilizer, and then also booked a number of hotels along a certain route, right? Each one of those things individually is not suspicious, but when you combine them in a single person, perhaps that's a pattern that could indicate behavior that's abnormal.

Now this was just an experimental program. It never really got off the ground, but this is the kind of stuff that government agencies have been trying to do with large volumes of data for the past 25 years.

BECKER: But it never got off the ground because of privacy concerns.

TAU: That's right. Yes.

BECKER: But it's still there, just by a different name. Good to explain.

TAU: Yeah. The Total Information Awareness Program was founded after 9/11, and it was trying to do exactly that. Look for patterns in large volumes of datasets and to acquire both large amounts of commercial data from companies like data brokers and travel companies and airlines and hotels, and then meld that with the government's secret data.

And it was an example of one post 9/11 program that a lot of members of Congress felt actually went too far. And in the middle of a truly bipartisan outcry over what the program was proposing to do, and it was a Pentagon run program, Congress actually defunded it. But the research on basically the basic ideas that these researchers were working on, that never went away.

That continues to this day. That is part of operational programs that the U.S. Government runs. And so the lesson that the intelligence community took from that in many ways was that this was poor branding, or it was a little too public or the public got wind of it and shut it down when it could have been a very useful program.

And so research like that program has continued right up to the present day.

BECKER: I wonder if you can explain with a very concrete story about the use of some of this data and what it has resulted in. Perhaps, you tell us the story of a gentleman by the name of Ivan Lopez.

He was arrested in 2018. He was identified by Ad tech data and you say in the book his lawyers didn't even know about the warrantless surveillance that was used to identify him. Why don't you tell us the story and explain this relationship between data and the agencies involved in overseeing public safety?

TAU: Sure. So Ivan Lopez was an American citizen. He lived in a small border town in Arizona called San Luis. If you go down there, and I have, he owns a KFC or what was a KFC restaurant, now since abandoned. And it was even abandoned when he owned it. And it's basically the last building in America.

If you stand at this KFC, you can see the U.S.-Mexico border wall that separates San Luis from its Mexican sister city. And what the government found out in purchasing large amounts of mobile phone information from data brokers. And this is information that comes off of things like apps or targeted advertising.

We agree to share our GPS location with the app, or a game and these data brokers get that GPS location, and they can see where millions, if not billions of phones are at any given time. So what the government was purchasing this, the entity in this case was the department of Homeland Security and was looking for crossings where there is no port of crossing.

And they saw that phones seemed to be moving across the U.S.-Mexico border and ending up in Ivan Lopez's old, abandoned Kentucky Fried Chicken. And that was strange and suspicious. And so they put him under physical surveillance. They put cameras up. And at one point, he was doing some work in his restaurant in the summer of 2018.

And the police followed him from the restaurant. They pulled him over on the highway, a few miles away from his restaurant. And they had a drug sniffing dog, and they found narcotics in the bed of his truck. And he pleaded guilty later to a bunch of violations. And what they also found was that there was a border tunnel between his KFC and a house on the Mexico side of the border.

And what was happening was that narco traffickers were using, had dug this tunnel and were using the KFC as an exit point to smuggle narcotics across the U.S. border. Now that's all well and good. And that may be what we want the government to do in terms of stopping cartels and narco traffickers, but he was wrapped up in a warrantless surveillance program that was never disclosed to the public.

And it wasn't even disclosed to his lawyers. They found out when I called him and said this is what I understand to have happened. Do you think this is legal? Do you think this is acceptable? And that is how he found out. And there are real examples of people who have been ensnared in these warrantless surveillance programs, and there are probably many more whose names we don't know and who are harder to identify.

In fact, DHS was using it as a way to round up people who skipped out on their immigration hearings for a while. This data can be used against U.S. citizens in things that will put you in jail, or will really affect your life. And a lot of these programs are being run with scant public notice and very little discussion or debate.

BECKER: And I wonder, a lot of folks may think it's okay for military uses or counterterrorism purposes, perhaps I could accept this collection of my data and use of it in aggregation of it or whatever.

But when does it pass down to local law enforcement? And how does that all work? If the data brokers are selling this information to the government and who gets access to it, who determines that.

TAU: It's a great question. So a lot of these very specialized data sets or tools were actually first developed for the military and the intelligence community.

And these are entities that genuinely do operate with a ton of oversight. Government lawyers keep very close tabs on what the intelligence community is doing, what the military is doing. And there are a ton of rules around accessing data, especially on the U.S. population. In many cases, it's lawful for them to acquire it, but it's very difficult for them to get permission to actually look at it.

And those are entities that actually do take their responsibility to minimize. This is what they're looking at inside the United States, and to broadly focus their attentions abroad. But these data brokers that sell, that develop these tools for the military and for the intelligence community, to them, it's just data. And to them, the state police or the local police are just another customer.

And so eventually, like as these tools come into use, as governments find them useful, as data brokers and these intelligence companies, these open-source intelligence companies. That's what they call themselves in a lot of cases need to make their quarterly sales numbers, then they start selling the same tool to the local police departments.

And local police departments have a lot less restriction on what they can do with information that they buy a license to. Generally speaking, there are not Supreme Court precedents that say cops can't monitor social media or that they can't look at the U.S. population. If anything, their mission is focused. These tools that were first developed for special forces units or intelligence agencies have come down to the local police, where they're now being used to investigate crimes and to target American citizens. And this, in many cases, is being done with not a ton of public insight or oversight or input into how communities want these tools used and what the rules of the department using them should be.

BECKER: And just briefly, before we have to go to a break, what does the government say now about these data collection practices?

TAU: There's a big debate inside government I think people do understand that large volumes of data on the U.S. population do pose a privacy threat. We saw the Biden administration actually take some action to crack down on Chinese acquisition of data. And there's a debate in the U.S. Congress about whether Congress should do the same thing in the United States and stop police and government agencies from buying data.

Part III

BECKER: We were talking about privacy concerns, increasing privacy concerns about how advertising technology is gathering folks' personal information and then selling it, especially to the U.S. government. And we heard from a lot of On Point listeners who are very concerned about this practice. Chris is a listener in California, and he says he tries to protect his data using a password manager called KeePass and a website called You've been owned. And that site tells you if your email address has appeared on the dark web, let's listen.

CHRIS: Protecting your personal data is like auto repair. You either know enough to do it yourself competently or you pay someone else to do it. Unfortunately, the attacks are always evolving. The real trick is to be a low value, low profile target. The higher your profile, the higher your value, the more you're going to be a target.

And given enough time and resources, they're going to get you, especially if it's a state sponsored actor. Or someone with similar resources.

BECKER: Also, we heard from Matt Hernandez, who lives in Colorado. He says he stopped using Facebook. But he admits that it's hard to know where to draw the line.

MATT HERNANDEZ: I think there's a level of expectation that your data is going to be collected no matter what you're doing or what the service is. So I just accept that. With all this data collection that everybody is doing, standard practice. Shouldn't I get paid for that instead of that money going from advertisers to the like Facebook or something like that?  

BECKER: (LAUGHS) And journalist Byron Tau, who's written about our data and government selling our data. I'm wondering, are we hearing, we certainly heard here on On Point from a lot of listeners about this. Are we hearing enough consumer complaints that tech companies are actually taking steps to perhaps protect some of that data?

TAU: It's a great question. I think all consumer tech companies say stuff like, "We value your privacy." And they usually are saying that as they're collecting large amounts of data that power their products.

BECKER: (LAUGHS)

TAU: By and large, I do think in general, there is a lot of nihilism and cynicism among people in the population.

And I think in a lot of ways, as one of your callers expressed, a lot of people don't really feel like they know how to take back control. They are very unsure of how to do. It's not easy, and the caller who compared it to auto repair. That's a a very good metaphor. Because it takes a little bit of technical know-how to really get a lot of online privacy.

And most of the time, people throw up their hands and they give up. But I do think the tide is changing a little bit. I think among regulators, there certainly is increased focus on privacy, especially in terms of trying to crack down on foreign governments, getting data on Americans.

But I think we've also seen attention from agencies like the FTC who are going after companies that they allege are engaged in unfair deceptive practices around data handling or data collection. And I do think increasingly, this is something that Congress is discussing, and that civil society is paying a lot of attention to right now.

BECKER: We'll take some of those in, dig into them a bit, but first I wonder, what advice would you give to folks to protect their privacy? We heard from some of our listeners, yes, it's like auto repair, do you buy certain password managers, or what steps can you take?

What do you do, Byron? As a journalist and someone who has spent years researching this and writing a book about it. What do you do to try to protect your information?

TAU: That's a great question, and I think my needs are going to be a little different than your average listener, because, I have a lot of sensitive data and notes from my sources that I don't necessarily want out there.

So I might take some extra precautions that most people don't take. But I think that everybody can do a few basic things. First, when you download an app, often it will ask for things like your permissions, it will want to access your calendar, it will want to access your contacts, it will want to access your GPS location.

And that is, in many ways, the ways that data brokers collect information from consumers. They get permission to get this access to their data and then they take it and they take it because it's right there in the terms of service on page 205. And you agreed to it by downloading the app.

So you can say no, you can say, I don't want to let this app have access to my calendar. I don't want to let it have access to my GPS location. That even works with things like weather apps where you might want access to the GPS. You can click on an iPhone, I think on an Android too, you can say allow when using, or allow once, not allow 24/7.

So that's one thing I would say. The other thing I'd say is that in general, services that you pay for, that you exchange money for, and you get a service back, tend to be more privacy protecting than things that you get for free. And so I would say just broadly and philosophically to consumers who are feeling down on privacy or don't like the world that tech companies are creating, that one of the things you can do is actually pay money for services. Because that actually returns the basic business model, returns it to regular capitalism as opposed to surveillance capitalism, right?

Because now you're paying money to the developer in exchange for a product that you get value from, and that developer can rely on money from the public for their efforts. And apps aren't free to code, right? Apps take, they take coding talent. You need to rent server space. You often need to have the basic business infrastructure in place to run a small business.

So that's accountants and HR and health care for your employees. So it's really not free to make software most of the time. And when the public won't pay 99 cents or $1.99 for an app, that's really when developers turn to monetizing users. And they rely on people's laziness and their cheapness and their ignorance of what is happening and what the true value of the economic exchange is. So I would actually say the most basic thing people can do if they don't like this world that we're living in, is to return us to a world in which you pay money and get a digital service in exchange.

BECKER: What about on our ubiquitous phones?

Is there something simple that folks can do to, maybe it's not huge, but maybe protect some of their privacy. Don't turn off location settings or something along those lines, that can keep some of that data anyway, away from ad tech companies.

TAU: Yeah, I would. Apple has actually made it quite user friendly to shut down some of this data going to third parties. So there's a setting on Apple devices called something like cross app tracking or something along those lines. And it's actually pretty prominent in the privacy menu. You can turn that off and that will actually break some of the advertising tracking.

I would also certainly pay very close attention to your permissions. I would not let anything have access to my calendar, to my contact list, to my photo roll and I would let anything that needs my GPS location, have it only in very brief windows of time. While I'm using the app, or ask every time I open the app if it wants my GPS location, or better yet, just type in the location you are, next time you order a rideshare app or open your weather app.

You don't necessarily need to give this thing fine grained GPS data all the time. So those are some things that consumers who are concerned about privacy can do on their own devices.

BECKER: And as we mentioned at the beginning of the show, this is legal, correct? Are there legal challenges pending right now that might change some of this and prompt different regulations?

TAU: The nation's primary privacy regulator, the Federal Trade Commission, has actually been pretty aggressive in bringing enforcement actions against companies recently, especially over data handling and data collection. And in some cases, they've said that, Hey, even if you put some something in a privacy policy that might not be enough to justify data collection. And so there have been some aggressive enforcement actions by the FTC that may be changing the privacy calculus around large scale collections of consumer data.

And there certainly is a push in civil society to rethink some of the basic underpinnings of what privacy law is and have pushed the courts to develop a new interpretation of how they think of large amounts of data. Because some of these doctrines around privacy and around the Fourth Amendment and around government access to some of this data.

Those were in a world in the 1970s or the 1960s, where we weren't nearly generating as much data as we are today. And maybe some of those doctrines, these legal principles are a little bit out of date. And so there certainly is a lot of debate, within the halls of government and within academia and within civil society and within the law, about whether the rules of the road in terms of both corporate and government access to a lot of this data really do need to change to underscore the fact that in the 21st century, we do basically everything on our phones.

We share data about almost everything, including very intimate things like things we tell our doctors, or people go to therapy on the Internet these days. And it's impossible to really participate in modern life in many ways without sharing some kind of data, and maybe our social norms, our corporate norms, and our legal structures around who has privacy protections you're entitled to, maybe those are a little bit out of date.

BECKER: Yeah. We have had some legislation passed. There's EU, there are laws in Europe regarding data privacy. There's a California privacy law that you actually tested out. We have some things pending in Congress at the moment, but let's talk about the state effort in California. It hasn't worked out so well.

TAU: I think it's an open question. When I tested it, I tested a very specific provision of it, which was essentially the right to access data that I generated under this law. And some of these data brokers refused to cooperate with these requests under California law. Now, things have changed in the past few years since I tried this experiment.

California now has a genuine enforcement authority that's trying to stand up and enforce this law. I think it's passed a couple of revisions to it to make it a little bit stronger. It's possible that things will change, but I think what is true is that neither the law in Europe nor the law in California has really broken the business model of targeted advertising and delivering content through the web by basically advertising and data collection. That continues, right?

Because as we talked about earlier, there's a ton of money wrapped up in these companies. And there's very powerful entities in our society that employ a lot of people, including in California, and deliver a lot of services to billions of people around the world.

And so getting the balance right has been tricky and getting the enforcement right has also been tricky. So it's early days yet, but it hasn't fundamentally changed the business model of the Internet. That's for sure.

BECKER: And then in Washington, there's the American Privacy Rights Act of 2024.

And we spoke with Washington Post tech policy reporter Cristiano Lima-Strong, who's been covering this bill. And apparently it aims to give Americans more say over how their data are collected. And Lima-Strong says previous privacy rights legislation failed. So if this one passes, it would be a big deal.

Let's listen.

CRISTIANO LIMA-STRONG: For a long time, the two biggest sticking points have been whether a federal law should override state laws. And whether consumers should have the ability to bring their own lawsuits against companies that violate their privacy, Republicans for a long time have said that if you're going to set a federal standard, that it should override states. And Democrats have long insisted that consumers should be able to bring their own lawsuits in case enforcers don't pick up a case or they're being more lax in their enforcement.

BECKER: And so that is Washington Tech Policy reporter Cristiano Lima-Strong. I'm wondering, Byron Tau, what do you think of the American Privacy Rights Act of 2024? And of course, perhaps using the tool of consumer lawsuits in that regard. Do you think that this might change things?

TAU: It's certainly an interesting proposal. I think what's happening is that so many states now have passed privacy laws, and some of them are quite different, that actually tech companies now want a unified standard, and that's why we are seeing a lot more movement in Washington, D.C. to try to get a law that will get one unified national standard and have it actually be close to something like what is in place in Europe, as well.

And it's an interesting idea. I do think eventually Congress will have to do something as more and more states pass privacy laws. But again, I think it would give Americans a lot more visibility into how data is collected. That is balanced by lawmakers' desire not to truly break the internet and break this business model.

So I think there's a lot of open questions about how it would function in practice and what it would functionally mean for the world in which corporations rely on collecting large amounts of data from people in exchange for free or discounted content and services.

BECKER: And yet guardrails would be needed, you would say, right?

Guardrails perhaps not through legislation, but some type of guardrails, perhaps through litigation to make sure that information is handled responsibly.

TAU: Yeah, I think the law would empower the FTC to do a lot more in terms of being a privacy regulator and give them a lot more responsibilities in terms of regulating data brokers.

And yeah, I think one of the guardrails that lawmakers are thinking about is this idea that consumers themselves, if they discover a privacy harm or they discover a violation, could go to court and force these companies to change their practices. And that, in and of itself, could be a powerful guardrail, and it's actually something that big tech companies are quite worried about and are lobbying furiously against.

So we'll see how it all shakes out.

BECKER: Yeah, just briefly, I hear from many folks who say, this is the way it is. Yes, we're being followed. But I'm not doing anything wrong. I don't need to worry about it. What's the problem? Do you think that there's a lot of concern, or not all that much concern from consumers about these privacy issues.

TAU: I think it comes in fits and starts and depends on what is going on. And in some cases, it depends on who is in power. I think after the Dobbs decision in 2022, when a lot of states were moving towards criminalizing the abortion procedure, that a lot of people who had never thought about data collection and lived in a state that was moving towards criminalizing abortion, and that they feared could even criminalize traveling out of state for an abortion, suddenly started to worry about data in a way that they hadn't previously.

I think there was a lot of concern in the summer of 2020 about the government when Donald Trump was in power, surveilling protesters who took to the streets during the Black Lives Matter movement. And then six months later when January 6th happened. The politics of it reversed.