01/07/2014 08:42 pm ET Updated Mar 09, 2014

Locking Internet Firms' "Back Door" to Keep out the NSA

Although America may be more divided, more politically and ideologically polarized, than at any time in the last 50 years, on at least one issue -- the National Security Agency's surveillance of phone and internet communications -- there appears to be a near consensus of disapprobation.

Everyone distrusts the NSA and wants to see its activities curbed. Democrats and Republicans, liberals and conservatives, nerds and Luddites, all share a high level of discomfort about the federal government gaining access to their personal information stored on the servers of Google, Facebook, Yahoo and others.

But here's the question: If we object to NSA's use of our metadata -- revealing our whereabouts, relationships, preferences and more -- why is it okay for Google, Facebook et al to possess the same information? Or to put it another way: If tech companies are free to use our voluminous personal data to sell advertising, why are we so offended by NSA's use of the same information to fight terrorism?

This question is at the heart of the debate over U.S. government surveillance programs.

American tech companies have much to lose from Edward Snowden's revelations about NSA. Google, Facebook et al have thrived by convincing billions of customers (literally) that they can be trusted to protect users' privacy. Customers are told that their Internet searches and browsing histories, their use of email and cloud-based storage, and their sharing of information, photos etc. on social media, will not be compromised.

Customers believe those assurances. They do so not because they think the tech companies are a new species of corporation, different from traditional businesses in their focus on profits and growth. On the contrary, they trust Google, Facebook et al because, when it comes to privacy, they understand that their interests and the tech companies' interests are aligned.

Central to the tech companies' business models is the safeguarding of users' anonymity. Although customer information may be shared with advertisers, customers' identities are not shared (not intentionally, at least). Even subpoenas and other official demands for identifying information are resisted (when the relevant laws afford a basis for doing so). This is true of routine requests in litigation, as well as orders from the secret FISA Court, acting on petitions from NSA and the Justice Department.

The tech companies are threatened because Snowden's leaked documents confirm their worst fears that, without the companies' knowledge, NSA has had secret "back door" access to their users' emails and other information. As first reported by The Washington Post, NSA exploited unprotected gaps in communication links between data centers in Europe operated by Google, as well as others across the world owned by Yahoo. NSA had access to the full flow of user data passing unencrypted across these links.

While NSA's secret harvesting of this data was very likely legal, the revelations nonetheless were seen by tech companies as a casus belli. Google's board chairman Eric Schmidt called NSA's actions "outrageous," which is not the sort of language one often hears from top corporate execs discussing government policy. Google -- as well as Yahoo and other affected companies -- were angry and fearful because, contrary to their promises, they had failed to protect users' privacy.

The companies understood that the data breach would undermine users' trust -- so essential to their continued growth. They have been particularly concerned about the impact on foreign markets (where US legal protections are weak or inapplicable). More than half of Google's gmail subscribers reside outside the US. And virtually all of the anticipated growth in Google's and Facebook's business is projected to occur abroad.

Overseas users, the companies worry, will opt for indigenous alternatives to Google, Yahoo and Facebook, avoiding the American firms in order to steer clear of NSA snooping.

These concerns are legitimate. But the tech companies, in planning how to respond to NSA's overreaching, find themselves in the quandary discussed above. Any strategy that depends on building public support for legislation to reform NSA runs the risk of morphing into a broader measure that would also regulate the tech companies.

It's hard to imagine federal legislation that would limit NSA's access to the mountains of user data collected by Google and Facebook -- yet leave Google's and Facebook's collection, analysis and use of that same data completely intact. For the tech companies, the one thing worse than unchecked NSA spying would be unchecked regulation by the Federal Trade Commission.

In the end, the tech companies' best defense against the threat posed by NSA surveillance may lie not in politics or public policy, but in technology. Google and Facebook, with their legions of world-class engineers, should develop and deploy technical defenses that will beat NSA at its own game.

A successful defense would block NSA's secret access through the "back door," forcing the agency to announce itself and to use legal procedures, courts and lawyers instead of high-tech stealth. 

This outcome may not be a complete victory, but it will allow us all to sleep better at night.
Peter Scheer, a lawyer and journalist,  is executive director of the First Amendment Coalition. This article does not necessarily reflect the views of FAC's Board of Directors.