Q&A: Journalist Byron Tau Uncovers How the U.S. Created a Surveillance State in Our Smartphones
And how you can protect your phone and Internet browsing.
Byron Tau is an investigative and enterprise journalist who specializes in law, courts, and national security. He is the author of a new book, Means of Control: How the Hidden Alliance of Tech and Government Is Creating a New American Surveillance State. In the book, he reports how the U.S. government built an alliance with a network of data brokers, tech companies, and advertisers. These companies vacuum up data using technologies like banner ads and location tracking -- familiar to anyone with a smartphone or who browses the Internet. Tau reports for and teaches at the Allbritton Journalism Institute, a Washington-based journalism nonprofit launched in 2023 that trains and mentors early-career reporters. He previously worked at The Wall Street Journal and Politico. We spoke last week over Zoom. Our conversation follows, condensed and edited for clarity.
Luke Johnson: Why did you decide to write the book?
Byron Tau: I got a tip in 2018. The tip described that the Pentagon or a Pentagon-linked contractor was buying large amounts of data that was coming off of mobile apps. I was a little bit shocked. I consider myself pretty tech-savvy, but this wasn't a vector that I had considered for government surveillance. I think it was being hidden by both the tech companies and the government, because they thought it was clever that they could buy all this geolocation data on phones. They were worried that if people understood what they were doing, they might ditch the apps. I started digging into it, and I realized that it was a phenomenon that was larger than just geolocation. It was something that governments had been doing in partnership with corporations, and it was being done sneakily.
LJ: What do you mean by the 'means of control'?
BT: The means of control is a line from Gravity's Rainbow by Thomas Pynchon. I liked the quote, because it talks about how freedom is dependent on a certain amount of space. Pynchon says that once the technical means of control have reached a certain size, the chances for freedom are over for good.
I thought that the quote reflected this idea of the amount of the social, political and technological space that is under surveillance by forces beyond our control. I don't mean to suggest that these technologies are necessarily being repurposed for nefarious ends. But I wanted to spark a debate in civil society, journalism, and in Congress about exactly what we want out of our technologies and our government.
LJ: Is the government buying this data? Or is it one of the many contractors that you describe in your book that are located in office parks around Washington?
BT: It's sometimes a bit of both. But more often, I found that these contractors spring up either as middlemen between data brokers and the government, or the contractors are data brokers, and they have relationships with other data brokers, and they resell to the government. No matter how you break it down, the government is getting data somewhere along the line, often through relationships with current contractors and some very complicated relationships with contractors. I would say that at the highest levels, if there are commercial datasets for sale -- and there are tremendous numbers of commercial datasets out there for sale -- the government is buying it for some purpose through some mechanism.
LJ: Is there one of these companies that you find especially noteworthy?
BT: One of the ones that illustrates the weirdness of this contracting world is a small company called X-Mode Social, which sprang up on the University of Virginia campus as an app called Drunk Mode.
The app was trying to help college students avoid embarrassing themselves when they're drinking. It had a feature that would stop you from texting your ex; it would help you reconstruct what you did the night before; it had geolocation that would show you where you went; it had a feature where you could share your location with a trusted friend to make sure you got home safe.
It was started by a UVA undergraduate, and he tried to monetize it. First, he tries to charge 99 cents, and then he makes it free and puts advertising in it. At some point, he thinks that the data collected from the users of this app is probably way more valuable than whatever advertising or what they're going to get from 99 cents.
He pivots the company to become more of a location company. His aim is to help other novelty apps that might have access to phone GPS help them collect information from their users. He'll pay them for this [location] data. He thought there could be advertising and analytics uses for this data. What he found out is that there's government interest in this data. He starts getting approached by government contractors. He eventually agrees to this arrangement with another government contractor called Signal Frame, which wants to put this little code in apps. [Signal Frame] wants to piggyback on the hundreds of apps he has relationships with and start collecting all the Bluetooth devices around the phone.
I jokingly call it the weapon from "The Dark Knight," where Batman uses a computer virus to turn on the microphones of all the phones and send out sonar pulses. That's basically what this was doing, except it was using Bluetooth sensors on your phone as a way to scan the signal environment and map out where all the Wi-Fi base stations are, the Bluetooth headphones, the Fitbits, or cars broadcasting Bluetooth signals. The intelligence community wanted something with this.
I never quite figured out what the government wanted with this data. It certainly was a very interesting, clever, and also terrifying experiment that they were running with millions of phones scattered around the world whose users had no idea that they were gathering data for government contractors.
LJ: Compare China's surveillance state with the ad-hoc surveillance state that you report about.
BT: Without drawing any moral comparisons, the amount of data on the average Chinese citizen and the average American is probably not dissimilar. The difference is that we have not woven it all together in some grand holistic database like China has, and especially in regions like Xinjiang. Even in mainland China, there's a lot of data on citizens, but it's being deployed more towards smart cities and public safety.
America has all this data, but it still has not taken the step of fusing it all together and giving your average local police officer a 360-degree view of everything every citizen is doing at once. Lots of this data is locked away in corporate data banks and government data banks, but they don't share; they don't merge your IRS data, utilities data, and your driver's license record.
Culturally, the United States still has a deep distrust in government. I don't think the average American citizen would tolerate that kind of data fusion. But I do think we're stumbling backwards into it in some way.
LJ: Stumbling backwards?
BT: I quote a national security official saying, what the U.S. government is doing on the data collection front is "lawful, but not very thoughtful." I think that's what I found. The U.S. government and corporations are just hoping the public will click 'accept' on whatever user license agreement that pops up on their screen and give them whatever permissions they want.
I think government agencies are hoping nobody looks too deeply at these relationships with contractors because they find it useful that people are ignorant about how much data they're generating. Even though government agencies have found clever uses for this data, they haven't really thought through the broader social implications of buying huge amounts of data on the American -- or global -- population.
LJ: You write, "National security officials remain so concerned about TikTok because the United States engages in the same practice: collecting data through apps at scale to project national power." What's your reaction to House lawmakers banning the app this [past] week?
BT: I think if you really dig down on what the U.S. concerns are, there's the data privacy issue, the potential that TikTok data can be used to train the next generation of AI algorithms, and the propaganda issue.
On data privacy, I'm skeptical that it will do a tremendous amount because there's so much other information available commercially about Americans. Governments don't seem to have any problem scraping social media that's open. I don't think it will affect AI training concerns.
I do think it would potentially address concerns about the propaganda value. Forcing a sale to a Western company could alleviate some of the concerns among lawmakers. However, I've done a lot of reporting on this. I've tried to get people to show me any actual abuses. It seems like they can only point to hypotheticals.
LJ: What is some data that is collected without safeguards that readers might not be aware of?
BT: Cars make a lot of data available, some of which is available commercially. Phones and apps make a ton of data, through GPS location tracking, and just moving around the web generates internet logs. They're not necessarily linked to you by your name, but they might be linked to your IP address, or they might be traceable back to you. Increasingly, wireless headphones, toll transponders, and even tires [make data]. Your license plate has all sorts of interesting data that corporations can just take. There's examples of toll transponders being read at places where there aren't tolls, tire-pressure sensors trying to license plate readers -- all of that is not just collected by the government, it's collected by private companies, sometimes with a relationship with government entities. All of our consumer histories are made available, every time we sign up for a corporate loyalty card, we switch addresses, or get a credit card. Everything you say on social media has probably been scraped by some company somewhere. The social media companies have tried to stop it, but there's not a ton they could do.
LJ: Should I stop clicking "I accept" on all the web pages that I visit?
BT: Depends what webpages you're visiting, Luke! I certainly think this is fake consent. This is how lawyers have architected the modern internet. I sometimes am cranky, and will go start toggling off all the things except limited cookies. Sometimes I'm tired like the rest of us, and just give up and click 'accept.' You can withdraw your consent.
LJ: How can readers protect themselves from digital tracking?
BT: Most apps these days are pretty customizable. I think Apple and increasingly Google have made it more clear and easy to stop certain apps from having permissions. I'd certainly not grant apps permission to have your location; I'd also watch your contact settings and your camera roll. At the very least, don't let them have 24/7 information; click the setting that allows [access] when open.
If you want to protect the contents of your communications, there are many consumer-friendly, privacy-oriented messaging services. Apple's iMessage is well-encrypted. WhatsApp and Signal are fine, and WhatsApp collects a lot of metadata, but the content of your messages is still secure. On the email side, there is Protonmail, Tuta, and a few other encrypted email providers. You could use a virtual private network (VPN) though, of course, you have to trust the VPN.
Philosophically, I would encourage everybody to return to the basics of capitalism in the digital sphere. A lot of people are very reluctant to pay for apps. I think that this entire world is built on consumer reluctance to pay for things. Apps aren't free to make: you have to pay coders, you have to rent server space, you have to hire a lawyer to draw up the Terms of Service and Privacy Policy.
When developers can't count on money from the public, that is when they turn to doing these sneaky things. That is where this data market sprang up. I would very strongly encourage people to be more mindful of the fact that free is not free, and that they will be monetized if they're unwilling to pay. I think that the Internet is healthier when people are willing to pay for content and developers get paid directly from the consumer, instead of turning the consumer into the product.