Tech Pressure on Privacy: National Security Requires a Fuller View of Corporate Social Responsibility

The corporate world and the U.S. national security apparatus increasingly find themselves in conflict over technology and expertise, with implications for the effectiveness of U.S. intelligence and law enforcement. The clashes, from the 1990s telecom-privacy debates to today’s confrontations over access to iPhones and social media infiltration, are more than just occasional spats between the private and public sectors. To navigate this new environment, companies need to examine their role as corporate citizens, while the U.S. government needs to assess how to achieve the outcome it wants, through market-based incentives.

During the past several decades, the concept of corporate social responsibility (CSR) has become commonplace across industries. Starting in the early 1990s, CSR began to evolve from a means of brand defense against external criticism, disconnected from a company’s strategy, to a framework for strategically organizing a company’s operations to improve competitive advantage. Notably, CSR has informed the concept of “triple bottom-line accounting,” which measures social, environmental, and financial outcomes. CSR has become so widely accepted that multiple, major companies now have chief CSR officers. However, CSR is not altruistic philanthropy; it is meant to enhance a company’s bottom line by appealing to consumers and by attracting human capital.

But a fully-fleshed-out CSR paradigm needs to include considerations of national security. One aspect of CSR is ensuring that a company’s engagement in politics and public policy is legitimate, non-corrupt, and transparent. This objective is consistent with the government’s efforts to strengthen respect for the rule-of-law and for transparency in political systems. To preserve these values, a country must have the necessary intelligence and security resources to identify and disrupt threat actors seeking to corrode these attributes, whether through spying or terrorism. But multiple companies, including two ranked among the top 10 firms in 2017 for their CSR reputations – Google and Microsoft — have made decisions in recent years that indicate they have a limited view of CSR that produces unintended national-security consequences.

Independent and Irresponsible

The changing dynamics of U.S. government relationships with the private sector since the end of the Cold War has made CSR a factor in American national security. Throughout the Cold War, the government was the engine for U.S. technological innovation.

This began to shift in the 1990s, once the Cold War concluded. U.S. government participation in research and development declined, and private industry pursued technologies on its own that nonetheless remained significant to maintaining U.S. elements of national power.

An early indication of the tensions that have become prominent in recent years appeared during the 1990s, in the debate between the government and industry over encryption. The McGuffin at the center of this storm was known as a “clipper chip.” This device — advocated by both the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) — would have provided national security and law-enforcement entities a guaranteed “back door” to encrypted communications. Industry representatives aligned with civil liberties groups to oppose the introduction of this capability. The Clinton administration ultimately abandoned the proposal.

Two decades after the clipper chip showdown, similar tensions re-emerged over privately-developed technological advances. They centered around two primary issues. The first was, again, U.S. government access to encrypted communications. This was inevitable, given that the previous round of discussions had become a war of attrition that ultimately wore down an administration’s resolve, rather than a cooperative, collaborative effort to reach a satisfactory solution to a national-security dilemma. The second issue was the role that social media platforms played in facilitating terrorist ideologies and, more recently, foreign-sponsored influence campaigns directed at disrupting the American political process.

The federal government made several efforts, in the mid-2010s, to address these issues. The FBI raised the issue in 2014, saying terrorist groups and criminal actors were making increasing use of encryption, which created a problem that then-FBI Director James Comey referred to as “going dark.” The bureau, arguing the urgency of the issue, initially claimed that it had warrants to access more than 7,000 devices but could not do so successfully due to encryption. The FBI acknowledged this year that an error in its methodology had produced an inflated number and, according to the Washington Post, there might have been as few as 1,000 instances. Even that reduced figure still represents 1,000 too many instances of judicial process being obstructed.

In early 2016, the White House met with technology industry executives about countering the exploitation of social media by militant groups. This confab clearly failed to anticipate or develop effective measures against threat actors’ use of social media platforms against the United States, as Russia’s efforts to disrupt the 2016 elections would disastrously demonstrate.

These conversations about encryption and social media were not only ineffective in their own right, but also failed to pre-empt new troubles in the public-private sector relationship. The most high-profile escalation was the 2016 stand-off between the FBI and Apple over unlocking an iPhone that one of the San Bernardino, California, shooters had used. This apparently was not due to a lack of capacity on Apple’s part since the company had reportedly unlocked phones for authorities on at least 70 occasions since 2008. While the Apple case grabbed headlines, U.S. authorities also were encountering similar resistance from WhatsApp.

Violent and criminal non-state actors were not the only entities exploiting the new technologies that the private sector developed and controlled. Social media allowed Russia-driven disinformation to run rampant. Facebook, in 2017 for instance, acknowledged that 126 million users may have seen inflammatory ads that a Kremlin-linked company had purchased.

Uncertain Partnerships

Since the end of the Cold War, the U.S. government has relied increasingly on the private sector for advancements in technology. Multiple agencies have established entities meant to adopt and adapt industry-driven innovation. For instance, in 1999, In-Q-Tel (initially known as In-Q-It) formed, as an independent non-profit corporation, to ensure that the Central Intelligence Agency (CIA) could obtain cutting-edge technologies. More recently, both the Department of Defense (DoD) and the Department of Homeland Security (DHS) have established Silicon Valley offices that resemble venture capital firms to support private-sector innovation. DoD established the Defense Innovation Unit Experimental (DIUx) in 2015 and announced in 2016 that it would open a second office in Boston, Massachusetts. The Department of Homeland Security (DHS) also announced in 2015 that it planned to open a Silicon Valley office.

Despite these efforts, social media and other technology companies have proved to be unreliable partners in providing services to the U.S. government. Twitter, for instance, as of mid-2016, had cut off U.S. intelligence from an analytics service that monitored and sorted tweets in real time. Such information could help identify the emergence of trends in sentiment that might indicate upticks in radicalization or the spread of hostile influence campaigns. Twitter’s decision was particularly confounding since it continued to sell data to Russia, a country that, by 2016, had taken a decidedly adversarial posture toward the United States. More recently, tech companies have demonstrated similar unreliability. In 2017, Google signed a contract with DoD to provide artificial intelligence services to analyze military imagery. But after thousands of Google employees protested the company’s work, Google opted this year not to renew its DoD contract.

U.S. policy on immigration has ignited controversy within other companies that might thwart the provision of services to the U.S. government. Amazon employees have opposed their company’s sale of facial recognition software to law enforcement and its provision of services to entities that work with the DHS’s Immigration and Customs Enforcement (ICE). Similarly, Microsoft employees recently planned to pressure the company over its ICE contracts. The employees of both Amazon and Microsoft seem to lack an understanding that ICE does not make policy; it is merely an implementer.

CSR Begins at Home

The concept of CSR came into vogue with the multi-nationalization of companies. But industry needs to do some soul-searching about the implications of its sometimes-capricious decisions for the United States. Actions that may seem ideologically pure to companies and their employees inflict unintended consequences on the American political system. The rule of law and political transparency may be degraded by the tech sector’s decisions about how to interact with government.

When companies such as Apple and WhatsApp dig in their heels and fight for encryption, they are undermining the rule-of-law. By denying assistance to government agencies that have legitimately obtained court-issued warrants, these companies flout the intent of the judicial branch of the government and give cover to criminals trying to hide illicit activity behind indecipherable communications.

Relatedly, in acting as unreliable partners, companies that refuse to do business with government agencies decrease the efficacy of the civil service, which has no control over the decision-making of politicians. In an overheated climate of populist rhetoric, inefficiencies of government agencies created by a lack of appropriate resources such as private-sector technological assistance can embolden political demagogues to attack the supposed “deep state.” That further damages the institutions that serve as checks and balances to runaway politicization of government.

Political transparency is also an unintended victim of the tech sector’s misplaced indignation. Whether companies like it or not, politicians are put in office by the electorate and make policies in response to that electorate. When employees of a Google, Amazon, or Microsoft refuse to facilitate the efficient implementation of those policies, they are, in effect, second-guessing the policymaking process and taking upon themselves the power of a fourth branch of government. Furthermore, when social media companies facilitate the proliferation of disinformation, whether intentionally or not, they introduce unnecessary opacity to the political process.

A New Public-Private Balance

The U.S. government will never reclaim its position as the engine of innovation that it held during the Cold War. Instead, it must become a compelling consumer, providing incentives for U.S. companies to respond. The alternative — imposing new regulations that dictate additional obligations — has the potential to create its own unintended consequences, including chilling innovation, that will not be easy to reverse. However, the private sector needs to fully accept the responsibilities to the rule-of-law and transparent governance that a fully-elaborated interpretation of CSR requires. Internal and external stakeholders should demand nothing less than that industries uphold the same principles at home as they claim to support abroad.

The views expressed in this essay are entirely those of the author and do not represent the views of any U.S. government entity.

Photo by Justin Sullivan/Getty Images

 

About the Author(s)

Darren E. Tromblay

Intelligence analyst for more than a decade in U.S. Intelligence Community