On several occasions during his campaign, US president-elect Donald Trump alluded to the idea of building a database of Muslims in the US. His position has veered between tracking refugees (nearly half of those admitted to the US this year are Muslim, according to the Pew Research Center) to considering proposals to register America’s own Muslim citizens. He has always been cryptic about the details. But on Dec. 21, Trump reaffirmed his intention to do something when asked, after terrorist attacks in Germany and Turkey, if he planned to create a registry. “You’ve known my plans all along,” he told reporters.
Meanwhile, Trump’s calls for a “deportation force” have on their own sparked fears of persecution of America’s religious and racial minorities, if not outright fascism—a fear stoked by a member of Trump’s own camp who compared the registry (favorably) with the World War II internment of Japanese-Americans.
When considering who could quickly and effectively assemble such a list, the attention turns to those with the most data about our personal lives—the tech giants of Silicon Valley. Companies from Google and Twitter to Microsoft and Facebook, prodded by the Intercept, have issued statements opposing the creation of a Muslim registry.
But focusing on who might or might not build a list of minorities is dangerously misleading. It applies a 20th-century logic to a 21st-century reality. If such targeting were to reemerge in the US, it is unlikely to march up in a WWII uniform to declare itself.
The US government will never need to ask anyone to build Muslim registries, because tech companies have already built them. Dozens of times, as it turns out. And there is little to keep them out of the hands of the government, although some plans are taking shape as companies confront this threat.
Every major US technology company that tracks customers’ behavior (and that is most of them) is already a registry, and not just for Muslims. Data warehoused by Google, Twitter, Facebook, Verizon, AT&T, Visa, ad networks and others are capable of pinpointing minorities, as well as those with dissident views, says the advocacy group Electronic Frontier Foundation (EFF).
“It’s absolutely the case that the data can be used in ways that identify and target minorities,” says Cindy Cohn, executive director of EFF. “It won’t be perfect, but it doesn’t have to be perfect to be problematic. The human rights costs are huge whether it’s perfect or not.”
It’s remarkably easy to conduct such targeting today as an advertiser. An experienced marketer wishing to identify Muslims could assemble millions of likely customers in a day. “I think they could have an audience of several million US citizens with a high propensity for the Islamic faith, as well as those who read Arabic, in 24 hours,” says Rob Shavell, the co-founder of the online privacy company Abine. Connecting those profiles with phone numbers, addresses, as well as more precise biographical data would be a relatively straightforward process.
These commercial databases are even likely to outperform domestic spying operations of the National Security Agency (NSA). Searches, emails, messages, transactions, browsing history, and millions of other data points the tech giants store can pinpoint millions of American’s identities with unrivaled precision.
The US, along with any sufficiently-connected country, is now only a few court directives, or a state-sponsored hack, away from an active surveillance state (check out China to see one in action). The deportation force envisioned by Trump, targeted with court-released Facebook data, is a legal possibility. “We’ve built the mechanism to enable a police state,” says Bruce Schneier, a cybersecurity expert from Harvard University’s Berkman Center for Internet and Society. “We live in an era of surveillance capitalism. … The notion that the government doesn’t have this data is a complete fantasy. All they have to get is a court order for Google to turn over a list of every Muslim, and who they are talking to.”
For many security professionals, that makes the US government a central adversary when they assess potential risks. Technologists are already devising defenses specifically designed to counter the US government’s attempts to compromise their systems, legally or illegally. “There is a non-partisan desire among pretty much everyone in technology not to have the government reaching into the databases of Google, Facebook, and companies like that,” says Thomas Ptacek, a cybersecurity expert and co-founder of security firm Latacora. “The need to treat government as enemies or attackers to be defended against has been pretty pervasive for a while now.”
As companies are unlikely to resist a lawful court order to disclose data, security experts are exploring a second option to restrict outside access to data. Technology researchers have begun work on redesigning databases to make identifiable non-business related queries difficult, even for governments. “The idea is you want to build systems that are good at answering business questions and bad at answering every other question,” said Ptacek, who added such databases are technically possible, but have not been a priority for the industry.
Changing how decisions to hand over data are made is another avenue. Companies’ security teams are “increasing the surface area” of critical security decision making. Yahoo’s decision last year, under the direction of CEO Marissa Mayer and Yahoo lawyers, to bypass the company’s security team and give the federal government custom software to covertly search all customers’ incoming emails was a wakeup call. Senior executives, including Yahoo’s chief information security officer, left as a result. “There is at least one large tech company that is reorganizing its process to maximize the number of people who would have to know about [government] requests just to satisfy it,” says Ptacek.
Finally, there is the idea, unlikely to appeal to Silicon Valley, of blowing up the internet’s advertising business model altogether. The most extreme version is deleting the data itself: Imagine if Uber, Google, and Facebook agreed to wipe their databases every 10 minutes. “We should disarm companies and destroy those databases,” Harvard’s Schneier says. “We need something better than surveillance as a business model.”
For now, beyond public outcry and protests, the only action seems to be a last-ditch effort by the Obama administration to remove administrative tools by which the Trump administration itself could conceivably resurrect a Muslim database in the US. The now-defunct National Security Entry-Exit Registration System, used by the George W. Bush administration in 2002 and 2003, in the wake of the 9/11 terrorist attacks, to track male foreigners over 16 from Muslim-majority countries and North Korea, was scheduled for formal removal on Dec. 23 by the US Department of Homeland Security, which itself calls the rules “obsolete” and “inefficient.”
That, of course, will not change the US government’s authority to delve into public, and private, records for its purposes—some of which are outside judicial reviews such as orders in National Security Letters. Google reports the US government requested data on about 60,000 user accounts last year, with Facebook reporting a similar number.
Ultimately, says Maciej Ceglowski, an organizer of a pledge among Silicon Valley tech workers to not cooperate with the US government on “mass deportations,” the only real change may come from those who have the most leverage over these companies: the employees. “A lot of people feel they have a moral responsibility because they built all the surveillance tools, it’s up to us to make it safe for people,” says Ceglowski. “It’s a horribly dangerous situation. The best point of pressure right now is employees’ collective action.”