Surveillance State 2.0: Beta-Tested in China, Coming Soon to…?


Ryan J. Mitchell

Can Sun

Looking back one day, we may find that one of the great stories of the ‘Teens was the dawning recognition that a new kind of surveillance state was emerging, not just nationally, but globally. [1]

In remarks published on April 12, 2012, Ninth Circuit Chief Judge Alex Kozinski predicted that “[s]omeday soon they’ll decide it’s easier to watch all of us, all the time.”[2] Just a year and a half ago, this was still before “NSA disclosure” became a household phrase.[3] If you asked him today, would he change the tense of his statement?

Kozinski makes several other observations that are due sustained reflection. First, in the vast majority of cases, law does not (and often cannot) protect “privacy”—it protects only the “legitimate expectation of privacy.”[4] In other words, privacy as understood by that fiction of litigation, a Reasonable Person (RP). Modern “expectation of privacy” doctrine goes throughKatz v. United States, 389 U.S. 347(1967) (protecting privacy of telephone communications). But “how [would] the Katz case [ ] have come out if it had been decided in 2011 rather than 1967[?]”[5] Given that “[a] great deal of our loss of privacy is entirely consensual[,]” socially accepted uses for new technologies have eroded privacy standards to the point that, arguably, RP may not mind having the most intimate details of his life disseminated to an audience of millions. Why should he care about having his phone tracked?[6]

 The upshot is that “[i]f we the people don’t consider our own privacy terribly valuable, we cannot count on government […] to guard it for us.”[7] This is valuable insight as far as it goes. But, just briefly, Judge Kozinski mentions something else that should be at the forefront of any conversation about eroding privacy standards: the fact that “China has taken this to another level[.]” The context for this statement was a 2011 municipal plan to monitor Beijing residents’ movements – at all times – via cell phone tracking.[8]

Though identifying China as a worrying example and potential source of precedent for privacy erosion in the U.S., this offhand mention doesn’t do justice to the realstory of how tomorrow’s surveillance state has been built up around the alleyways, office buildings, and detention centers of China’s capital and other large cities. The chief problem is that mentions like the one by Judge Kozinski still seem to point to a disturbing, yet essentially foreign example, and say “there but for the grace of RP go we.” But the truth is somewhat different, and so is the legal framework.

Recent mention has been made on these pages of the “deeply problematic” pattern whereby “the United States pressur[es] private actors to take actions that the government itself may not be able to constitutionally take.”[9] This is the kind of “extralegal partnership with [ ] private infrastructure providers” that can escape or weaken constitutional review[10] and, simultaneously, gradually establish the sort of norms that Kozinski warns of in his article. 

Moreover, the private actors bowing to U.S. government pressure often do the same in response to pressure abroad. The whole process by which the modern Chinese surveillance state has been erected, extending from the creation of China’s “Great Firewall”, to the development of personal tracking systems, total access to email communications, and even technology facilitating detainee abuse, has been carried out with the indispensable assistance of private U.S. corporations. A 2008 Senate hearing hashed out a few of these issues, with a handful of the major players.[11] At that hearing, Cisco – whose involvement was as substantial or more so than any other corporation – claimed, on record, that the company “does not customize or develop specialized or unique filtering capabilities in order to enable different regimes to block access to information.”

In fact, Cisco has led the way in the creation of cutting edge, first-of-their-kind surveillance, tracking, and even torture-facilitating tools, along with other related features, used by Chinese security forces. A recent report by the Global Internet Freedom Consortium (GIFC), a group that analyzes China’s “Great Firewall”, “Golden Shield”, and other privacy-invading network technology systems, outlines a disturbing account of corporate boosterism for overseas repression.[12]

In brief, the report details how Cisco’s designs for the Golden Shield network system focusedon providing Chinese security forces with all of the tools they needed to identify, target, apprehend, detain, and further “deal with” specific targets of repression. Given that the Chinese Communist Party crackdown on the Falun Gong religious movement had been launched at the same time that Cisco was seeking to enter the Chinese security market, this was a major focus of their strategy. The Golden Shield’s features included designs specifically for the “identification” of Falun Gong adherents across China based on their religious or speech activities.  These features included the use of a specially developed “signature” library to identify patterns of Falun Gong Internet use and match them to individuals to be targeted by security forces. These “signatures” included “recognition patterns” reflecting such data as “image components, words, and other electronic data” to be subjected to sophisticated analysis in order to detect Falun Gong content.

The report goes on to detail a number of other features included in the Golden Shield: e.g. a “Falun Gong Web Announcement Server” and the “National Falun Gong Key Personnel Information System”, all used by security forces to apprehend and detain Falun Gong adherents, and then to subject them to ideological “reeducation” via physical and mental abuse. According to the GIFC report, the Golden Shield was custom-designed to provide officers with data, making possible the use of “individualized conversion techniques […] based on individual susceptibility to various forced conversion measures” – in other words, the system was tailored to be used as a crucial tool in the process of coercing Falun Gong to repudiate their religious identities.[13] Moreover, targeted individuals were kept in the system in order to track the effectiveness of their “reeducation,” and the chances of recidivism. This would all be hard to believe if it wasn’t reprising a story that has been exposed, in the context of various repressive regimes, ever since Nuremberg.[14]

As recently as 2011, Cisco was still intensifying its involvement in the Chinese security line of business. One example is a massive project to build “a network of over 500,000 cameras designed for massive video surveillance” in the city of Chongqing.[15] This project was in the midst of what has been called a particularly “brutal” crackdown on dissidents and personal enemies by then-Chongqing Communist Party Secretary Bo Xilai.[16] Since then, Bo has been expelled from the Party and tried for involvement in corruption and murder. Judicial reforms aimed in the direction of the rule of law are seen as being on the upswing, as part of the rise to power of a different Party faction.[17] Those 2011 plans for cellphone tracking in Beijing and video surveillance in Chongqing have disappeared without a trace. At the same time, Cisco’s business in China has taken a massive nosedive.[18]

Cisco CEO John Chambers has blamed the company’s terrible performance on Chinese concerns over NSA spying.[19] This is a convenient, no-fault explanation for the company. But is it possible instead that some reasonable persons in the Chinese Communist Party have decided to draw the line on a set of business ventures implicating warrantless surveillance, summary detention, and torture?[20] At the very least, they might prefer it to be done by their own companies. Privacy invasion often leads to a backlash – though in this case after more than a decade of eager profit-grabbing. Yet the Golden Shield itself has yet to be dismantled, and while intensification of the overall system of privacy invasion may have stalled, it has not backtracked.

The main problem for those concerned about domestic privacy, however, is that changes in one market – in China, or even in the U.S. itself – can’t put a stop to global trends. Companies like Cisco make deals and succumb to (or invite) “pressure” in markets around the world. By doing this, they establish competencies, develop technological “solutions,” and establish global norms. By the time invasive practices like those featured in the Golden Shield are sufficiently widespread, they may constitute a “norm” without ever having had much input from any RP, in any jurisdiction. Technology developed in China can, when the profits dry up, be moved to the Middle East or anywhere else extreme surveillance capabilities are in demand[21] – even the U.S.A.

Decisions like Katz,[22] Kyllo v. United States,[23] and United States v. Jones[24] offer substantial protections against invasions of privacy. Indeed, each of these cases stands for a specific form of protection that would make illegal any attempt by U.S. agents to carry out the kinds of surveillance, tracking, and capture that Cisco has made possible in China via the Golden Shield. Most recently, the D.C. district court has used the expectation of privacy doctrine to rule unconstitutional (in the context of a limited, immediately appealable preliminary injunction) the NSA’s vast “PRISM” program collecting telephony metadata.[25] In short, Katz and its progeny continue to make a program like the Golden Shield – as it exists in China – unthinkable in the U.S. When the ultra vires abuses associated with the program are taken into account, e.g. torture and crimes against humanity affecting a targeted religious population, the scenario appears even more distant and unrelatable to the vigilant rule of law protections enjoyed by U.S. citizens.

However, this is not to say that Cisco’s innovative privacy-invading technology poses no threat to U.S. citizens. As noted, the company avidly seeks out markets for its security services.[26] Further, the above Katz case law does not cover many forms of public-private coordination, while various forms of state surveillance and pressure can increasingly be conducted largely or entirely through private intermediaries. Yochai Benkler points to, e.g., “the resort to an extralegal public-private partnership [ ] used as a means to circumvent constitutional privacy protections […] in Hepting v. AT&T[, 539 F.3d 1197 (9th Cir. 2008).]”[27] These privacy-eroding “extralegal partnership[s] with [ ] private infrastructure providers”[28] are tied in with other trends, e.g. the “walled garden” technology model that Jonathan Zittrain has inveighed against,[29] and Judge Kozinski’s warnings about privacy standards deteriorating largely due to private consumer choices. Yet privacy-intruding corporations also participate in a globalmarket for security technology, in which the consumers are states or state-like entities including [].[30]

Though the U.S. is certainly not about to launch a Chinese Communist Party-style repressive crackdown aiming to wipe out any particular dissident political or religious group, perceived security threats and “emergencies” always put rights, viz. privacy, to the test.[31] States of emergency will always challenge constitutional protections, produce “demonologies” of groups and individuals to be targeted with especially invasive or aggressive state treatment,[32] and contribute to “growing convergence between military and civilian sectors, resulting, inter alia, in the adoption of similar structural and operational modes as well as social norms.”[33]

At the same time, non-state actors can increasingly contribute to privacy invasions in a spectrum of ways ranging from citizens’ collection and dissemination of cellphone video or Twitter-based vigilantism,[34] to Hepting-esque corporate volunteerism in anti-terror efforts,[35] to the more extreme (and thankfully still unthinkable in the U.S.) proactive erection of a total-immersion surveillance state like that carried out by Cisco in its Golden Shield project. Any “demonology”, past or future, could find uses for an omnipresent and omniscient databasecum surveillance network like the Golden Shield. U.S. law still prevents this from coming to pass as it has in China, but that may not prevent individual features from slipping through the cracks.

Individual consumer choices are part of the problem but, as we have seen, only a part. Correspondingly, they can’t serve as a comprehensive solution. Companies that engage in invasions of privacy have other, more powerful customers for the information they can obtain: in some cases foreign or local government entities, and in some cases other companies. These markets are global and growing. They are producing extralegal norms with more input from, e.g., Syrian commanders[36] and Chinese security committees than from individual U.S. buyers. Bit by bit, market by market, privacy is being redefined. RP doesn’t stand a chance.

 Ryan J. Mitchell, J.D., Harvard Law School

  Can Sun, J.D., Yale Law School, Ph.D., Princeton University

[1] Cf. Josh Blackman and Lisa McElroy, The National Surveillance State 2.0, The Huffington Post, May 1, 2013,…. (“With the democratization and twitterization of the Boston Marathon investigation, the future of the national security state is here – for better, and worse.”). Like Blackman and McElroy, we see major new challenges in the legal and practical framework of privacy in situations of mass surveillance. This article, however, asks whether developments abroad, and global patterns of corporate behavior, might portend even more extreme non- or quasi-state privacy invasions.

[2] Alex Kozinski, “The Dead Past”, 64 Stan. L. Rev. Online 117 (2012).

[3] See, e.g.,Barton Gellman and Ashkan Soltani, NSA tracking cellphone locations worldwide, Snowden documents show, The Washington Post, December 4, 2013,….

[4] Kozinski, supra note 2.

[5] Id.

[6] Of course, RP’s less extroverted friends may disagree, albeit in vain. In various other contexts, reasonable person doctrine has come under fire for excusing objectionable or invasive acts made “reasonable” by circumstances utterly out of the control of the individuals being targeted for such treament. See, e.g., Robert V. Ward, Consenting to a Search and Seizure in Poor and Minority Neighborhoods: No Place for a Reasonable Person, 36 Howard L.J. 239 (1993); but see infra note 24 for a recent decision saying that RP likely does mind having his phone tracked.

[7] Kozinski, supra note 2.

[8] For more on that specific program, see Stephen Chen, Beijing to track all mobile phone users’ movements, S. China Morning Post, March 3, 2011,….

[9] Wanling Su, Who Will Control The Internet?, Yale J.L. & Tech. Blog, February 25, 2013.

[10] Working Draft: Yochai Benkler, “A Free Irresponsible Press”, forthcoming Harvard Civil Rights-Civil Liberties Law Review (cited in Su, supra note 9).

[11] See Global Internet Freedom: Corporate Responsibility and the Rule of Law, Hearing Before the Subcomm. on Human Rights and the Law of the U.S. Sen. Comm. on the Judiciary, 110th Cong., S. Hrg. 110-643 (May 20, 2008), Statement of Hon. Richard J. Durbin (“U.S. technology companies face difficult challenges when dealing with repressive governments, but these companies also have a moral obligation to protect freedom of expression…And there is no question that some have fallen short of the mark on more than one occasion.”); Id., Statement of Tom Coburn (“This is just another opportunity to lead by example, which is what I hope American Internet companies doing business in places like China will also choose to do. Their presence in these places is important, and it is crucial that they operate on the side of those seeking freedom rather than oppression.”).

[12] Peter Li, Cisco’s Customization of the Golden Shield to Suppress Falun Gong, Global Internet Freedom Consortium (Dec. 18, 2013), available at

[13] See id. at 11; for other sources on Chinese Communist Party reeducation or “thought reform” of detained political or religious dissidents, see, e.g. Hu Ping, The Thought Remolding Campaign of the Chinese Communist Party-State, (Amsterdam University Press, 2012); Robert Jay Lifton, Thought Reform and the Psychology of Totalism: A Study of “Brainwashing” in China, (University of North Carolina Press, 1989).

[14] For just one such story, see Edwin Black,IBM and the Holocaust (Three Rivers Press, 2002).

[15] Loretta Chao and Don Clark, Cisco Poised to Help China Build Surveillance Project, Wall St. J., July 5, 2011,….

[16] See, e.g. Gideon Rachman, Bo Xilai’s real sin, Financial Times, April 17, 2012,

[17] See “Judicial reform: Court orders”, The Economist, December 7, 2013,….

[18] See, e.g. Jeff Morganteen, Cramer: ‘Open rebellion’ among Cisco investors, CNBC, November 14, 2013,

[19] See Cisco Systems Inc, Q1 2014 Earnings Call Transcript, November 13, 2013, available at

[20] There are reasons to believe that this is the case. Roughly corresponding to the ouster of Bo and the ascent of a more “liberal” faction of the Party, former (reformist) Party security chief Qiao Shi released a book entitled “Qiao Shi on Democracy and the Rule of Law”. In the year and a half since, drastic judicial reforms have included, e.g.: 1) Expelling the much-criticized “Politics and Law Committee” from the Party’s top body; 2) abolishing the “Re-education Through Labor”(laojiao) system due to its summary character and due process violations; and 3) announcing the intent to eliminate the use of torture to obtain confessions.See, e.g. The Economist, supra note 14; Carrie Huang, “The black-collar class ruling the law”, S. China Morning Post, June 29, 2012, Liu Dong, “Reeducation without labor”, Global Times, December 4, 2013, (“The abolition of laojiao is seen as a major part of the country’s efforts to protect human rights.”).

[21] See Zack Whittaker, Surveillance and censorship: Inside Syria’s Internet, CBS News, December 12, 2013 (“Two sources with knowledge of the Syrian Internet independently claimed the Assad regime was also using equipment sold by networking giant Cisco to run ‘scans’ of the country’s network.”); see also, e.g. Juliette Garside, Vodafone under fire for bowing to Egyptian pressure, The Guardian, July 26, 2011,….

[22] 389 U.S. 347(1967). See supra at 1.

[23] 533 U.S. 27 (2001) (deploying thermal imaging “device that is not in general public use, to explore details of a private home” presumptively unreasonable without a warrant).

[24] 132 S.Ct. 945, 565 U.S., (2012) (“attachment of [ ] GPS device to the vehicle, and its use of that device to monitor the vehicle’s movements, constitutes a search”).

[25] Klayman v. Obama, 1:13-cv-00851-RJL, Memorandum Opinion, December 16, 2013 [Dkt. # 13], at 55 (D.C., 2013) (arguing that “[w]hereas some may assume that these cultural changes will force people to ‘reconcile themselves’ to an ‘inevitable’ ‘diminution of privacy that new technology entails,’ […] I think it is more likely that these trends have resulted in agreater expectation of privacy”) (quoting Jones, 132 S. Ct. at 962 (Alito, J., concurring)).

[26] See, e.g. supra note 19; Bruno Fonseca, Jessica Mota, Luiza Bodenmüler and Natalia Viana, IBM, Cisco Supply Brazil with Surveillance Tools, Global Voices, September 28 2013;see also Ethan Gutmann, Losing the New China: A Story of American Commerce, Desire and Betrayal, at 169 (Encounter Books, 2004) (Cisco’s marketing brochures in China touted its “new mobile router […] [and showed it being used in] a main battle tank (presumably to help China win its wars). The Chinese caption next to the tank stated that this was the same technology used by the Department of Defense, NATO, and the United Kingdom […] The Cisco salesman pointed out that the 3200 Series Mobile Access Router was specifically designed to be sturdy enough to be installed in a tank.”).

[27] See Yochai Benkler, supra note 10. “Where customers [so far unsuccessfully] sued AT&T over its collaboration with the federal government in implementing illegal wiretaps” (obviously, only after the confidential wiretaps had been exposed). See also Hepting v. AT&T, THE ELECTRONIC FRONTIER FOUNDATION: 

[28] Id.

[29] Jonathan Zittrain, The Future of the Internet: and How to Stop It (2009) (describing how power over technology usage, and the resulting data produced by users, is increasingly in the hands of unaccountable corporations).

[30] See, e.g. Victor D. Cha, “Globalization and the Study of International Security”, 37 J. Peace Research 3, 391-403 (2000) (“globalization puts unprecedented bureaucratic innovation pressures on governments in their search for security, and creates multilateralist pressures to cooperate with substate and transnational partners […] globalization [also] compels contemplation of new modes of fighting [perceived security threats]”).

[31] Cf. Cindy Cohn, Lawless Surveillance, Warrantless Rationales, J. Telecomm. & High Tech. L. 8, 351 at 356 (2010) (“[T]he core constitutional crisis caused by the domestic surveillance programs remains.”)

[32] See Bruce Ackerman, The Emergency Constitution, 113 Yale L.J. 1029, 1049 (2004) (“Each terrorist wave will generate a distinctive demonology […] [e]ach demonology will mark out segments of the population as peculiarly appropriate targets for emergency measures[.]”)

[33] Oren Gross, The Normless and Exceptionless Exception: Carl Schmitt’s Theory of Emergency Powers and the Norm-Exception Dichotomy, 21 Cardozo L. Rev. 1825, 1865 (2000);see also National Research Council, Protecting Individual Privacy in the Struggle Against Terrorists - A Framework for Program Assessment 52 (National Academies Press, 2008) (reactions to terrorism risk “creating a race to the bottom—in which the public begins to accept uses of personal data only because the law permits them.”).

[34] See supra note 1.

[35] See supra note 26.

[36] See supra note 20.