Surveillance
What state and corporate surveillance actually does in 2026. The biometric infrastructure, the algorithmic monitoring, and the merger of state and platform data that most readers do not see.
(IHS Markit / Comparitech estimates; ~half are in China; rapid growth in India and other regions)
(reduces low-effort interception; raises the value of endpoint and metadata surveillance)
(Citizen Lab and Amnesty International records; the actual number is likely higher)
A note on framing. "Surveillance" gets used to mean several quite different things: targeted intelligence collection, mass metadata gathering, biometric identity systems, commercial data brokerage, social-media monitoring, and the algorithmic profiling that powers most of the modern internet. This page tries to walk through what each actually is, who is doing it, and where the structural picture is stable enough to describe with confidence. The goal is not alarm or reassurance; it is to make a force most readers cannot see directly more legible.
What surveillance actually means now
The image of "surveillance" is often a wiretap or a tail. The reality is mostly automated, mostly metadata-driven, and mostly operated through layers of legal-looking data flow that ordinary citizens authorise without realising. Distinguishing the actual mechanisms helps with thinking clearly about what each is doing.
Targeted state intelligence. The traditional category. Specific persons or organisations are watched by an intelligence service through human informants, communications interception, and physical observation. This still happens; it has been substantially expanded by digital tools but has not been replaced by them. The Snowden disclosures (2013), the Pegasus disclosures (2021-22), and continued exposures of commercial spyware deployments document how broadly this has been used, including against journalists, activists, and political opposition figures inside democracies.
Mass metadata collection. Phone records, internet connection logs, location pings, payment metadata, and communication patterns gathered at scale rather than targeted at specific individuals. The post-9/11 expansion of US programmes (NSA bulk collection, PRISM, XKeyscore), the equivalent UK GCHQ programmes, and the more direct Russian SORM and Chinese systems all operate at this layer. Metadata is often legally treated as less sensitive than content, but in practice it can reveal who you talk to, where you go, what you buy, and what you read in detail that content interception rarely matches.
Biometric identity infrastructure. National ID systems, immigration checkpoints, airport face-matching, and increasingly day-to-day commercial use. India's Aadhaar (1.4 billion enrolments), China's resident identification system tied to every digital service, the UK's pilots of biometric services, US TSA face-matching at airports, and similar systems elsewhere. The systems were built for legitimate purposes and produce real benefits; they also produce a permanent identity-linked record of physical movement that did not previously exist at this scale.
Commercial surveillance. The advertising-driven internet, where every visit, click, app interaction, and purchase is recorded, profiled, and traded between data brokers, advertisers, and analytics firms. Most people sign up for this when they accept terms of service that they do not read. The data is then bought by other parties including, frequently, governments through commercial-data acquisition programmes that bypass the warrant requirements that would apply to direct collection.
Algorithmic decision-making. Welfare eligibility, criminal sentencing risk scores, immigration pre-screening, employment screening, credit decisions, and increasingly health-care prioritisation are made by automated systems trained on historical data. These systems are surveillance in a specific sense: they depend on accumulated personal data about populations, and they make consequential decisions based on that data, often with limited transparency or appeal.
Workplace surveillance. Email monitoring, keystroke logging, screenshot capture, productivity software, and the rise of remote-work monitoring. The COVID-era acceleration in remote-work tools normalised surveillance practices that had previously been confined to specific high-risk roles.
The Chinese model
China has built the most extensive integrated surveillance system any modern state has constructed. The system has been substantially documented by Western researchers and journalists; the structural picture is now stable enough to describe.
The components include comprehensive CCTV with face-matching coverage in major cities; digital identity tied to nearly every online interaction; the Great Firewall filtering and logging international internet traffic; payment systems (Alipay, WeChat Pay) that record nearly all transactions; the social-credit framework, which is more fragmented than Western coverage often suggests but does involve real consequences for specific kinds of conduct; and the deep monitoring of specific populations (notably Uyghurs in Xinjiang, where the surveillance is intensive, integrated, and explicitly designed to constrain ethnic and religious identity).
Two things are worth holding simultaneously. First, the Chinese system is qualitatively different from Western surveillance in scope and integration; treating them as the same understates what is being built. Second, much of what makes the Chinese system possible is technology developed in or copied from Western companies: chip designs, computer-vision algorithms, biometric matching systems, network infrastructure. The line between "Chinese surveillance" and "Western technology applied with different political constraints" is thinner than the geopolitical narrative suggests.
The export of Chinese surveillance technology to other authoritarian and semi-democratic states - Huawei safe-city installations across Africa, Asia, and Latin America, ZTE camera systems, dahua and Hikvision exports to dozens of countries - has been one of the more underappreciated dimensions of the broader Chinese geopolitical project. Whether this represents ideological export, commercial export, or both is contested, but the result is a global infrastructure surveillance market that did not exist twenty years ago.
The Western state-corporate fusion
Western liberal democracies have built a surveillance system that is structurally different from the Chinese model but produces overlapping capability through different mechanisms. Understanding the difference matters for thinking clearly about both.
The Western system is built on commercial data accumulation supplemented by government access through purchase, legal process, and direct collection. Major platforms (Google, Meta, Amazon, Apple, Microsoft) collect detailed behavioural data as part of their normal business. This data is then made available to government agencies through several channels: court orders and warrants for specific cases, broader programmes like FISA Section 702 that allow bulk collection on non-US persons whose data passes through US infrastructure, commercial purchase from data brokers (which sidesteps warrant requirements), and informal cooperation between platforms and security services that has been documented in various contexts and disputed in others.
What this produces in practice is a state surveillance capability without a centralised state surveillance apparatus. The data exists; the legal-and-political constraints determine when and how government agencies access it. Constraints have been weaker than the public conversation usually conveys; they have been stronger than the most alarmed reading suggests. The 2013 Snowden disclosures revealed substantial bulk-collection programmes that had been operated without effective public oversight; subsequent reforms (USA Freedom Act, others) addressed some specific abuses while leaving the broader architecture in place.
Specific Western tools have been controversial. The use of commercial spyware (NSO Group's Pegasus, Candiru, FinFisher) by Western and Western-allied governments, including against journalists and dissidents, has been documented by Citizen Lab, Amnesty International, and the consortium of journalists who broke the Pegasus Project disclosures. The deployment of these tools in nominally democratic countries (Spain against Catalan independence figures, Hungary, Poland, Greece, others) has produced real political and legal consequences but has not stopped the broader trade.
Where the technology is going
Several technical trajectories are reshaping what surveillance can do, in ways that policy debates have not fully caught up with.
Face recognition at scale. Real-time face matching against large databases is now commercially available and has been deployed in airports, retail, sports venues, and city CCTV networks. Accuracy has improved substantially, though disparities by demographic group persist in many systems. Several jurisdictions have imposed limits (EU AI Act has specific provisions, several US cities have banned police use); enforcement is uneven.
Pattern-of-life analysis. The combination of location data, communication metadata, and consumer transaction records allows reconstruction of an individual's daily patterns with high fidelity. Where you sleep, work, shop, exercise, worship, and socialise can be reconstructed from data that no single party "owns" but that aggregates across data brokers, advertisers, and platforms.
AI-assisted analysis at scale. Older surveillance was constrained by the ratio of analysts to data. AI lifts that constraint substantially, enabling analysis of voice, video, and text at volumes that human analysts could not handle. The combination of cheap data collection and cheap AI analysis is the structural shift of the past five years.
Predictive systems. Pre-crime risk scoring, predictive policing, automated welfare-fraud detection, and similar systems are deployed unevenly across democracies. Where they have been audited carefully, accuracy has often been poor and disparate-impact problems have been persistent. The deployment has frequently outpaced the audit.
End-to-end encryption. The widespread deployment of end-to-end encrypted messaging (Signal, WhatsApp, iMessage, others) constrains content interception substantially. Governments have responded with three pressures: legal mandates for "lawful access" backdoors (UK Online Safety Act, EU Chat Control proposals, US repeated proposals), targeted endpoint compromise via spyware, and metadata-based surveillance that does not require content access. The encryption-vs-access tension is one of the most consequential active policy debates.
Quantum-resistant cryptography. The ongoing migration to post-quantum cryptographic standards will eventually make currently-encrypted traffic unreadable to future quantum decryption. The "harvest now, decrypt later" threat is real for sensitive long-term data and is shaping migration timelines.
The paths from here
Continued expansion within current frameworks
The aggregate volume of surveillance grows steadily. Specific abuses produce specific reforms. The structural picture - state capability built on commercial data accumulation in democracies, integrated systems in authoritarian states - continues to widen its reach. This is the current trajectory.
Substantial democratic pushback
A high-profile scandal (mass abuse of biometric system, large-scale misuse of platform-state data sharing, electoral consequences of AI-driven targeting) produces sustained reform: stronger data-protection law, hard limits on biometric deployment, real oversight of intelligence-agency commercial purchases. The EU AI Act, GDPR, and similar frameworks are extended and tightened.
Authoritarian consolidation accelerates
Existing authoritarian systems become more comprehensive. Several democracies that have drifted toward illiberalism adopt elements of the integrated-surveillance model. The line between authoritarian and democratic surveillance narrows in concerning ways. This is partly happening in specific countries already.
Encryption becomes the principal battleground
The ongoing pressure to weaken end-to-end encryption produces a major fight. The outcome shapes whether widely accessible private communication continues to exist for ordinary users. Different jurisdictions land in different places; the result is an uneven global picture in which encrypted communication is normal in some countries and constrained in others.
Decentralised technology produces marginal pushback
Privacy-focused tools (encrypted messengers, privacy browsers, end-to-end encrypted email, decentralised social platforms, on-device AI rather than cloud AI, federated identity systems) gain mainstream adoption among a minority of users. Aggregate surveillance still grows but a privacy-engaged minority of the population maintains real protection.
Major platforms shift business models
Apple's expanded privacy positioning has pulled others. Continued pressure from regulators, advertisers, and users leads to broader shifts toward subscription rather than advertising-funded models, on-device rather than cloud processing, and reduced data retention. The structural incentive that drives commercial surveillance partially weakens.
Where serious analysts disagree
Surveillance is the central political question of our time
The accumulated capability of state and corporate surveillance has reached levels that are qualitatively new and politically decisive. The traditional liberal-democratic settlement assumed that ordinary citizens were largely unobservable to the state; that assumption no longer holds in either direction. Without serious structural reform, the long-run political consequences will be substantial.
Held by: Shoshana Zuboff ("The Age of Surveillance Capitalism"), Bruce Schneier, Edward Snowden's policy advocacy, the Electronic Frontier Foundation, Privacy International, and the broader digital-rights community. The case has empirical support and political marginality in roughly equal measure.
Surveillance concerns are overstated relative to security benefits
Modern intelligence-and-security capabilities have produced documented benefits: thwarted terrorist plots, criminal investigations, child-protection cases, financial-crime enforcement. Privacy advocates underweight these benefits and overstate the actual harms. The democratic safeguards that exist are more substantial than the alarmed reading conveys.
Held by: parts of the security and law-enforcement community, Stewart Baker (formerly NSA general counsel), and a strand of intelligence-policy thinking. The case has institutional weight; the empirical claim about benefit-vs-harm tradeoffs is contested in specific cases.
The commercial layer is the underweighted variable
Public attention focuses on state surveillance. The commercial layer (advertising data, data brokers, platform analytics) is larger, less regulated, and increasingly indistinguishable from state surveillance because of the data-purchase pipeline. Reform that addresses state surveillance without addressing the commercial substrate misses the structural picture.
Held by: Cory Doctorow, Maciej Ceglowski, Julia Angwin, parts of the privacy-researcher community. The case has been substantially supported by post-Cambridge Analytica disclosures and by recent research on government commercial-data purchases.
Authoritarian and democratic surveillance are categorically different
Treating Chinese, Russian, and Iranian surveillance as morally equivalent to Western surveillance flattens distinctions that matter. The deployment of surveillance tools to suppress religious minorities, jail journalists, or maintain single-party control is a different kind of harm than commercial advertising or even Western intelligence-agency abuses. Critique should distinguish accordingly.
Held by: the human-rights and democracy-monitoring community, parts of Western foreign-policy thinking, and dissidents-in-exile from authoritarian states. The case is morally compelling and politically uncomfortable when applied carefully to Western practices that have been used against political opposition.
Surveillance backlash will be technical, not legal
Legal protection has been chronically slow and uneven. Technical protection - end-to-end encryption, on-device processing, federated and decentralised systems, privacy-preserving cryptography - has produced more durable change. The future of meaningful privacy is more about whether the technical tools are widely available and used than about whether legal frameworks improve.
Held by: parts of the cryptography research community, several major end-to-end encryption advocates, and a strand of technical-libertarian thinking. The case has been supported by the actual record of which protections have proven durable.
None of these readings is fully right or wrong. What can be said from the available evidence: surveillance capability has expanded substantially in the past two decades through both authoritarian-state and Western-democratic-corporate channels; the legal-and-political constraints have not kept pace with the technical capacity; the commercial layer is structurally important and under-regulated; the categorical differences between authoritarian and democratic systems are real but the line is thinner than democratic-state spokespeople usually claim; and the most consequential variables shaping the next decade will be encryption policy, data-broker reform, and the specific scope of AI-driven analysis on accumulated data.
What this means for you
Practical privacy hygiene
Most ordinary surveillance exposure is reduced substantially by a small set of practices: use end-to-end encrypted messaging (Signal, WhatsApp, iMessage where appropriate); use a privacy-respecting browser (Brave, Firefox with privacy settings, DuckDuckGo); use a password manager with unique passwords; review app permissions periodically; use privacy-focused alternatives where possible (DuckDuckGo for search, Proton or similar for sensitive email). These do not protect against targeted state surveillance; they substantially reduce ordinary commercial and ambient exposure.
If you face a heightened threat profile
Journalists, activists, dissidents, abuse survivors, lawyers handling sensitive cases, and others at heightened risk have access to specialised resources. Citizen Lab's Security Planner, Access Now's helpline, the Electronic Frontier Foundation's Surveillance Self-Defense, and threat-modelling consultations from organisations focused on this work make a real difference. Generic privacy advice is inadequate at this level; threat-specific guidance is.
If you make consumer technology choices
The privacy properties of different platforms now differ substantially enough to be a meaningful factor in choices. Apple's privacy positioning is partly marketing and partly real; Google's and Meta's data-collection are extensive; Microsoft is somewhere in the middle. End-to-end encrypted services are more numerous than in 2015 and increasingly mainstream. Practical privacy is now more achievable than it was, for users willing to invest moderate effort.
If you read coverage of surveillance issues
Specialised reporting (Lawfare, the Electronic Frontier Foundation, the Citizen Lab, Privacy International, Access Now, several country-specific digital-rights NGOs) is consistently more accurate than general-interest coverage on these topics. The technical complexity of the issues makes mainstream coverage frequently misleading; the specialised community has been right substantially more often.
If you vote on surveillance-related policy
The most consequential current questions are encryption policy (whether end-to-end encryption is preserved or weakened by mandate), data-broker reform (whether commercial data acquisition by government continues to bypass warrant requirements), AI-system regulation (specifically high-impact use cases), and intelligence-agency oversight reform (whether independent oversight is real or nominal). These are unglamorous and consequential; political engagement that is informed by the technical specifics is more useful than rhetoric in either direction.
