Surveillance Intermediaries.

Author: Rozenshtein, Alan Z.

Table of Contents

Introduction
I. Rise of the Surveillance Intermediaries
II. Techniques of Resistance
   A. Proceduralism and Litigiousness
   B. Technological Unilateralism
   C. Policy Mobilization
III. Surveillance Separation of Powers
   A. Interbranch Checks
      1. Congress
      2. Courts
   B. Intrabranch and Intra-agency Checks
IV. Surveillance Frontiers
   A. Frontier Construction
   B. Frontier Choice
      1. Surveillance self-government defended
      2. Surveillance intermediaries' effects on surveillance self-government
      3. Curbing technological unilateralism
Conclusion

Introduction

On December 2, 2015, Syed Rizwan Farook and Tashfeen Malik attacked a suburban office park in San Bernardino, California. (1) Swearing allegiance to the so-called Islamic State, they murdered fourteen people and injured more than twenty before dying in a police shootout. (2) It was the deadliest act of terrorism on U.S. soil since 9/11. (3)

The Federal Bureau of Investigation (FBI) recovered Farook's iPhone but couldn't access it; the phone was locked and ran a version of iOS (Apple's operating system) that the company had recently hardened against third-party access, including access by Apple itself. (4) When the FBI served Apple with a court order to disable some of the iPhone's security features, (5) the company refused, arguing that the government lacked the necessary legal authority and that the order would harm its users' security and impose "unreasonabl[e] burden[s]" on Apple. (6) Apple CEO Tim Cook posted an open letter on his company's website, condemning the attacks but criticizing the FBI's request as "undermin[ing] the very freedoms and liberty our government is meant to protect." (7) Through months of litigation, and despite not contesting that it had the technical means to comply with the government's order, Apple refused to help unlock the iPhone. (8)

How could a consumer electronics company beat the government in a high-profile national security investigation? And why did almost half of Americans take its side? (9) After all, this wasn't a secret investigation by a rogue agent into a minor offense. A federal judge issued a court order for the government to search an undeniably relevant piece of evidence: a phone used by a known terrorist. Imagine if a telephone company had so publicly resisted a similar request after 9/11 or at the height of the Cold War, arguing that its customers expected it to do "everything in [its] power to protect their personal information," (10) including by keeping that information from federal agents bearing court orders. The result would likely have been congressional denunciations, consumer boycotts, and a hasty surrender.

Apple's surprise victory was striking for another reason: It flew in the face of the conventional wisdom about government surveillance in the digital age. Scholars have long worried about a handful of giant companies dominating digital communications, in part because they fear that such centralization would increase the government's ability to conduct electronic surveillance, which in turn would erode accountability and civil liberties. (11) Scholars have argued that the government can more easily control a few large companies than a sea of users and small providers (12) and that such companies have good reasons to cooperate with the government: to comply with the law, (13) feel good about helping the government fight threats to public safety and national security, (14) curry favor with regulators, (15) or sell data and services to law enforcement and foreign-intelligence agencies. (16) These scholars have suggested that because so many technology companies profit from collecting user data, they naturally undervalue their users' privacy and thus too readily cooperate with government surveillance. (17) And they've lamented privacy law's impotence to check these dynamics. On the statutory side, the government skirts legal constraints through informal public-private partnerships. (18) And on the constitutional side, the third-party doctrine strips Fourth Amendment protections from the "digital dossiers" that companies create out of user data. (19)

To these scholars, the years since 9/11 have been a boom time for the "surveillance-industrial Internet complex" (20) and a dark one for privacy and civil liberties. They point to the "handshake agreements" (21) by which telecoms like AT&T and Verizon abetted the U.S. government's warrantless surveillance program, a program whose shaky legal foundations became a defining constitutional scandal of the War on Terror. (22) In the wake of the 2013 Snowden disclosures, they point to Silicon Valley allowing the government to stockpile emails, messages, and browser records, (23) and they argue that the secrecy surrounding government surveillance leads technology companies to acquiesce to "regime[s] of automatic compliance." (24) They criticize the courts for crippling the Fourth Amendment through the third-party doctrine and miserly standing rights, thereby forcing us to accept Silicon Valley as our "corporate avatars," even though the technology industry has neither the will nor the means to effectively challenge government snooping. (25) And they worry about what's to come, sometimes in dystopian terms. For example, Bernard Harcourt rejects the distinction between government and corporate surveillance as one without a difference. (26) Instead he conjures a nightmarish vision of our new reality: a "large oligopolistic octopus" (27) that transcends the public-private divide and threatens our freedom with its "tenticular oligarchy." (28)

How do we reconcile the conventional wisdom with recent history? How do we account for Apple's victory, and should we treat it as a one-off exception or as a sign of things to come? The answer, as this Article tries to show, is that the conventional wisdom is incomplete and must adapt to a new reality. Although the digital age has broadened the horizons of government surveillance, it has also imposed constraints on account of its political economy: the technological, commercial, political, and cultural arrangement of our digital infrastructure. By entrusting our data processing and communications to a handful of giant technology companies, we've created a new generation of surveillance intermediaries: large, powerful companies that stand between the government and our data and, in the process, help constrain government surveillance. Far from an anomaly, the fight over the San Bernardino iPhone previews the likely new normal: a contentious relationship between the companies that manage our digital bodies and the government that protects our physical ones. Surveillance intermediaries like Apple (and Google and Facebook and Microsoft) have the incentives and means to meaningfully constrain government surveillance. They do so both by their own lights and by subjecting government surveillance to greater checks from within the government itself.

Although commentators have begun to recognize that technology companies might constrain government surveillance, (29) they have not systematically investigated this possibility. As Samuel Rascoff observes in the context of foreign intelligence (though the observation applies equally to domestic law enforcement): "A critically important--and thus far, largely unheralded (at least by scholars)--feature of the new intelligence oversight ecosystem is the role of American technology and telecommunications firms." (30) By setting forth a comprehensive analysis of the incentives, activities, and effects of surveillance intermediaries, this Article tries to fill that gap.

This gap is important to fill because we can't accurately analyze government surveillance without a proper model of how surveillance intermediaries constrain, not just enable, government surveillance. We need such a model to constructively advance many of the highest-profile debates in electronic privacy and cybersecurity, including end-to-end encryption and other technical impediments to law enforcement investigations; (31) offshore data storage and cross-border data access; (32) privacy protections for the Internet of Things; (33) and the future of electronic foreign intelligence surveillance. (34) If we don't accurately trace the behavior of surveillance intermediaries, including both the positive and negative consequences of that behavior, our policy may fail to accomplish the desired results, or even backfire.

An accurate model of surveillance intermediaries can also contribute to the ongoing scholarly debate over what sort of institutional design--"not simply what the limits on communications surveillance should be, but who should set them" (35)--will best promote surveillance governance, the regulation and oversight of government surveillance. The "new administrativist[s]" (36)--part of the broader movement to apply institutional design principles to the criminal justice system (37)--have applied the lessons of administrative law to surveillance governance, (38) recognizing the importance of focusing on oversight of surveillance programs rather than individual activities. (39) Other scholars, drawing on a tradition favoring increased presidential control over the federal bureaucracy, (40) advocate a "presidential intelligence" that would give the White House more control over foreign surveillance. (41) Still others, focusing on law enforcement, urge a renewed emphasis on judicial oversight. (42) Whichever of these approaches (or combinations of approaches) is correct, we must first understand how surveillance intermediaries constrain government surveillance--both directly and by augmenting the ability of other government actors to check the executive branch's surveillance activities. Only then can we make informed choices about how best to design our institutions.

More broadly, scholars increasingly recognize that to fully understand the separation of powers we must look to factors beyond the internal...
