Until recently, most Americans have understood that the biggest threats to their privacy came from their own government. The FBI can compel internet companies to provide it with almost anyone's search history; the National Security Agency can tap into the backbone of the world's fiber-optic network. For several decades now, Big Brother has flown an American flag.
Now, with reports that the U.S. believes China is behind the breach of the Marriott Corp.'s customer database, this paradigm is beginning to change.
China's hack of Marriott is part of a larger project. To understand it, go back to 2014, when the Marriott operation is alleged to have begun. That's the same year China is alleged to have hacked the government's Office of Personnel Management database, giving its intelligence ministry access to extensive files on every U.S. official with a security clearance. In early 2015 there was the Anthem insurance breach, which reportedly gave China the Social Security numbers of 80 million Americans. Now add Marriott to the list, with its database of millions of hotel guests, including credit card and passport information.
These hacks provide raw data for China's Ministry of State Security to build "data sets on U.S. and other citizens that have been amassed for years," one U.S. official told the Washington Post. I talked to a senior U.S. national security official who concurred, noting that China now can not only build dossiers on U.S. citizens of interest, but can also spoof their identities in cyberspace.
Some of this can be chalked up to standard espionage between foreign rivals. The U.S. also tries to build up dossiers on some foreign officials its spies seek to recruit. The U.S. also hacks foreign databases and monitors the communications of its rivals and friends.
There are differences, though. First, the sheer amount of data on an individual is huge and constantly growing. Then there is the speed at which this data can be compiled.
The other difference is that the U.S. government has not created the kind of database China is now amassing on millions of U.S. citizens. When the Defense Advanced Research Projects Agency attempted such a thing in the early 2000s (a prototype to achieve "Total Information Awareness"), Congress intervened and stopped it.
None of this is to say that U.S. intelligence agencies do not pose threats to the privacy of Americans. As the former NSA contractor Edward Snowden disclosed in his own leaks of NSA files, that agency had received secret warrants to collect and store the phone records of millions of Americans. Former Director of National Intelligence James Clapper told me in 2014 that it was a mistake to keep that program secret for so long. What's more, China cannot use the data it has amassed on Americans to physically search their homes or as evidence to detain them, as U.S. agencies could.
That said, the Chinese state has other options to make all of this data operational. It could blackmail corporate executives. It could take a page from the Russian playbook and leak personal details of political figures in an attempt to influence the outcome of an election or a public debate.
There is an irony in all of this. In 2013, when Snowden stopped in Hong Kong on the way to Russia with his files, one of the first interviews he gave was to the South China Morning Post. He provided the paper with documents that provided details on Chinese machines and networks the NSA was monitoring from afar, including one at one of China's most prestigious universities. At the time, that interview was drowned out by juicy details about domestic espionage that Snowden's leaks had revealed.
In hindsight, it's clear that this leak caused great damage. Snowden hindered the NSA's ability to spy on Chinese computer networks, which helps companies such as Anthem and Marriott learn of digital intrusions. At the very least, this kind of quiet surveillance helps with attribution of hacks after the fact, which acts as a deterrence. Is it any wonder that China's megahacks began a year after Snowden landed in Hong Kong?