Surveillance has been defined as focused, systematic, and routine attempts to gain access to personal data with the intent of influence, management, protection, or direction. This definition strives to take into account the historical underpinnings of surveillance and how the technique was utilized historically as a way of maintaining societal cohesion. Researchers have identified digital surveillance as significant for two primary reasons. First, the use of digital technology for surveillance purposes allows for monitoring, prioritization, and judgment to occur across vast geographic distances with little time delay. Second, digital technologies provide for the automated observation of various individuals or groups on a continuous real-time basis without the need for human engagement. This changes the role of the human investigators from primary agents to designers, programmers, and custodians of these automated digital technologies.
Surveillance can encompass a variety of law enforcement activities. From police officers sitting in patrol cars outside a suspect’s home to modern computer specialists monitoring computer traffic, surveillance is a time-honored method of intelligence gathering, crime prevention, and criminal investigation. Some within the world of academia have argued that computer technology has become a major player in social policy and the policy-making processes. Michel Foucault devised the concept of panopticism, which is the tendency toward a system based on direct surveillance in which individual behavior would be ascertained and judged based on the outcomes of digital information obtained through authoritative surveillance. Contemporary academicians have broadened Foucault’s panopticism to a more encompassing conceptualization referred to as a superpanopticon, which essentially constitutes a system of surveillance without the need for human guards or borders. Governmental surveillance ends up creating a generalized sense of being watched, resulting in people policing themselves through informal means of social control. This serves the government well because additional funds do not have to be spent on increased surveillance efforts as the public slowly becomes a self-policing entity.
After the terrorist attacks of September 11, 2001 (9/11), surveillance operations in the United States became much broader in scope than had been typical in previous years. With the passage of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act, or the PATRIOT Act, surveillance procedures for federal and local law enforcement authorities were broadened considerably. While the existing Computer Fraud and Abuse Act laws were expanded following the attacks of 9/11, the PATRIOT Act strengthened the existing laws to include any computer anywhere in the world so long as it is being used in a manner that affects interstate or foreign commerce or communications of the United States. Provisions within the PATRIOT Act enable law enforcement agencies within the United States to conduct surveillance operations and investigations in foreign nations as long as such activity is recognized as legitimate by that respective nation.
Large-scale surveillance situations, typically referred to as dragnet operations, capture intelligence from the digital communications of a large group of individuals with no front-end acknowledgment of whether the information obtained will be worthwhile. However, such surveillance projects are not always simple undertakings. Despite the popular notion of a highly decentralized Internet, the online environment can be described as polycentric. The backbone core of the Internet that carries the vast majority of digital traffic is owned by a relatively small number of carriers. As a result, large-scale surveillance efforts are made considerably more efficient and effective as most of the Internet activity of interest can be obtained by listening at the points of exchange between these carriers. It is possible for law enforcement surveillance efforts to capture most of the world’s digital communications from a few key locations. However, for the larger Internet sites, such as Google, Facebook, and Netflix, surveillance efforts at these points of exchange are less fruitful due to the fact that these sites have installed content delivery networks inside the already existing networks of the large Internet service providers. Because these subnetworks reside within the larger nodes of the Internet, they become more difficult to monitor.
As law enforcement authorities undertake various surveillance efforts, there are several different routes investigators might take. The identity or association of the perpetrator matters little due to the fact that computer breaches share numerous common features.
Probably the easiest method of surveillance, and the one with which most people are familiar, is the use of closed-circuit television, or CCTV. Numerous cities worldwide make use of CCTV in efforts to maintain order, keep the peace, establish safer public areas, and monitor for known fugitives or terror suspects. There are various forms of CCTV, with some requiring monitoring by a human operator while others simply record and upload their contents to Internet storage servers. Some camera systems are operated and maintained by governmental authorities, while others remain under the control of private corporations or organizations.
As technology continues to improve, biometric screening and surveillance have left the realm of science fiction and become the stuff of contemporary law enforcement and governmental surveillance. Biometric surveillance consists of having technology turn biological characteristics into quantifiable data. Examples of biometric surveillance include having one’s fingerprints, DNA, facial characteristics, or voice pattern recorded and measured by biometric technology and quantified for use as recognition efforts at a later date. Facial recognition scanning technology is now being used by the U.S. military in Afghanistan to check images of detainees against those of known terrorists. The Seattle Police Department is also using facial recognition technology to identify suspects on video footage.
Other forms of digital surveillance that have the potential to affect everyday citizens are automatic license plate readers, stingrays, and automated electronic toll readers. Although automatic license plate readers are still controversial, numerous cities across the country utilize such devices to apprehend traffic offenders, check license plates for wanted fugitives, and maintain safety. A stingray, also commonly referred to as a cell-site simulator or an international mobile subscriber identity catcher, is used to mimic a cell phone communications tower, causing the cell phone to communicate with it. This enables the stingray to track the location of the user and intercept communications.
Computer systems can also be surveilled by the authorities via physical compromise. To physically compromise a computer or network device, all that is needed is the installation of a piece of high-tech equipment that will allow interested parties to eavesdrop. Physical compromise of a computer is quite inexpensive and difficult to detect. It is possible for law enforcement to install a USB device into a computer that records the key strokes made by the user. This technique is effective, efficient, and inexpensive.
Another technique that can be utilized in surveillance efforts is the use of remote exploit tactics. Due to the fact that software tends to contain many unknown security vulnerabilities, attackers are able to take advantage of such weaknesses. In the vast majority of instances, software designers are notified of a vulnerability, and a fix is created as a patch. Attackers are able to exploit the time gap between the occurrence of a vulnerability and the time required for software engineers to develop a patch. This lag time is referred to as a 0-day, because zero days have elapsed since the vulnerability has been communicated to the software designers.
Law enforcement investigators have been known to use social engineering as a tool in surveillance operations. Often the police can misdirect human targets, rather than the computer system, yet still be able to acquire the information needed in an investigation. There have been research projects in which random USB drives were scattered in various locations. People who discovered these devices invariably plugged them into their home computers or their organizations’ corporate systems. Such recklessness can provide an easy opening for viruses or surveillance efforts.
Governmental or law enforcement agencies can also exploit software updates in efforts to track or surveil people. The authorities simply make use of the software update system intended to install security patches into a device as a means of delivery for surveillance codes. A related method of surveillance is the third-party compromise. As an increasing number of individuals and organizations, including government agencies, are making use of cloud computing, the reliance on third-party systems has multiplied considerably. In recent years, third-party vendors have begun to consolidate their caches of information, thereby lowering the total number of third-party data holders. The result of a smaller number of third-party vendors holding larger amounts of data is a more centralized source for surveillance efforts. The security of information is only as good as the security protocols of the third-party systems.
Despite the popular belief that Trojans are viruses used only by those with nefarious intentions, such devices can also be a means of surveillance by governmental and law enforcement authorities. A Trojan is a virus disguised as a normal computer program. It can be hidden inside a modified application or exist as a stand-alone, independent virus. In uses by law enforcement or governmental agencies, a Trojan is typically installed surreptitiously in a device when it is out of the possession of its owner or during a man-in-the-middle (MiTM) attack.
A final style of attack used by legal authorities in surveillance operations is usability error. This technique is most often utilized with software that allows users to communicate with external parties. Such software applications tend to be highly sensitive to misconfiguration and provide a host of opportunities for attack. A skilled attacker can readily exploit the connections between the user and the server. Few individuals outside of formal computer circles have an adequate grasp of security protocol for chat-style applications. As a result, attackers can easily infiltrate a conversation.
However, despite such concerns over the storage of surveillance intelligence and networking systems to effect the comparison of data, there are those who maintain that the world of digital surveillance might enhance the role of the police in contemporary society. As some forms of surveillance, such as facial recognition software, become automated, the risks associated with wrongful arrests and discriminatory policing are virtually eliminated as the system software is capable of categorically determining if a certain individual is wanted for criminal behavior. In addition, such automation also enables the authorities to determine if certain persons are connected to terrorist or other criminal organizations.
As a result of digital surveillance efforts, definitions of acceptable behavior within various social contexts have become increasingly automated. In many ways, the role of the police in contemporary society is rapidly evolving, with many aspects of behavior policed by an assemblage of networked computers and digital programming, which are less beholden to the mores of human discretion. This raises some salient concerns and questions pertaining to privacy and the rights of the individual within the greater society.
In the wake of the 9/11 terrorist attacks, the U.S. government justified increased surveillance on private citizens in the name of national security. Numerous agencies operating under the umbrella of the federal government, including the National Security Agency, the Federal Bureau of Investigation, the Department of Homeland Security, and state and local law enforcement departments began to amass vast data storehouses of information on cellular telephone conversations, Internet search histories, and any other intelligence related to suspicious activity. Initially, such surveillance efforts were deemed necessary for maintaining the security and sanctity of the United States. However, as time elapsed and fear waned, concerns regarding personal privacy, liberty, and freedom began to be raised.
While digital surveillance proponents have applauded the use of newly developed technology to help the authorities maintain public safety and weed out terrorist or other criminal elements, concerns over individual privacy have been raised. People are ready to acknowledge the fact that a trade-off between security and privacy must occur for the authorities to enhance safety. However, there is little consensus on precisely how such a balance should occur.
The American Civil Liberties Union decried the collection of sensitive information by government and law enforcement agencies. Apart from worries over the collection of sensitive information, concerns were also expressed about the use and potential abuse of the collected information. Instances of innocuous information being included in watch lists have at times proved to be inconvenient and detrimental to individual citizens who had committed no crime nor engaged in any nefarious activity. Cases of people not being able to board airplanes or gain access to personal banking accounts, being detained for questioning, or discovering that they are barred from engaging in certain types of employment began to raise the proverbial red flag for civil libertarians, liberals, and other citizen watch groups nationwide. According to the American Civil Liberties Union, the U.S. democratic system of government necessitates governmental transparency and accountability to citizens.
Measures used to prevent surveillance efforts are known as countersurveillance. Attempts to disguise an Internet search by erasing digital footprints left behind, sweeping a room or location for electronic surveillance devices, or removing the inner workings of a cell phone to prevent it from being tracked are techniques often used by those engaging in countersurveillance.
Wendy L. Hicks
See also: Aerial Reconnaissance and Surveillance; Biometrics; Biosurveillance; Cell Phone Tracking; Computer Surveillance; Electronic Surveillance; Law and Digital Technology; PATRIOT Act