This is a challenging time for U.S. companies and the U.S. government. As a result of Edward Snowden's disclosures that started over a year ago, U.S. companies have been wrongly suffering commercial reprisals by some governments. Reaction to the disclosures, conflating the acts of the National Security Agency (NSA) with other government agencies, has also potentially harmed legitimate government activities. It is time for a more considered approach.
With the publication of Glen Greenwald's book No Place to Hide: Edward Snowden, the NSA, and the U.S. Surveillance State, there are going to be reams more written on the astonishing acts of electronic surveillance primarily undertaken by the NSA. We will undoubtedly read the description attributed to the NSA "sniff it all, collect it all, know it all, exploit it all" scores more times.
One illustrative Snowden disclosure found in Mr. Greenwald's book shows that the NSA has been intercepting in transit and modifying servers and routers to provide NSA access without the knowledge of the companies that make those devices. If true, it is evidence of how far beyond the control or even awareness of American companies the NSA's behavior actually is.
Whether these characterizations are accurate or not, Snowden's actions have changed the security and privacy landscape and peeled away the blinkers of those previously neglectful, or unquestioning, about cyber security. However, anger deeply felt about these activities has been unfairly directed at U.S. companies irrespective of the market or whether in IT or airplane manufacture, who are victims too - government leaders are behaving like Don Quixote spoiling to fight windmills rather than turning his attention to the real enemies of justice.
As a result of phone-tapping revelations, Germany's Angela Merkel has publicly questioned Europe's reliance on data flows through U.S. territory. Brazil's Dilma Rousseff has been speaking out vehemently against buying from U.S. companies, going so far as to block a purchase of aircraft from Boeing and asking Brazil's legislature for a law requiring data on Brazilian citizens remain within Brazil to effectively keep U.S. IT companies out of Brazil's market.
The response to early disclosures were not targeted at the particular U.S. agency, but rather, at the U.S. IT industry, based on assertions that they were willing collaborators with the U.S. government. There has been little talk of addressing the primary and singular issue, the over-reaching of the NSA. Rather, a curtain dropped for governments; severing, at least for public viewing, relations with the U.S. intelligence and law enforcement communities.
Isolationism Misses the Point
It is not only America's NSA that have been engaged in extreme Internet espionage. Although the U.S. may be the most capable, the reality is most governments, particularly those in the top half of the OECD, have both an overt and covert signals intelligence capability and benefit from and contribute to the NSA's vast capabilities. Even the German intelligence apparatus contributes to NSA's data consumption according to documents released by Snowden. So the focus on the U.S. companies is, to say the least, misguided.
Politically, two issues have been conflated. Germany's Chancellor knows that intercepts of her cell phone have nothing to do with NSA's wholesale Internet privacy invasions. Keeping Germany's data within Germany, Brazilian data inside Brazil or even channeled along a separate EU-Brazil pipeline will neither make it safer technically than the current data flows across global networks, nor improve safety from a national security point of view. Snowden's revelations have shown governments will go to great lengths to access data regardless whose pipe or where the data resides, even working within the target countries. The Google and Yahoo! datacenter eavesdropping occurred in Europe, after all.
The revelations have had another effect, as well. They have provided a trade sanction smoke screen to enable at least one government, that of Brazil, to put energy behind a long pursued strategy in support of an indigenous IT industry, that of pushing out foreign competition. Fortunately, Brazil's lower house revealed a better understanding of the Internet than President Rousseff when it passed privacy legislation that did not include a provision sought by the president that would have required all data on Brazil's citizens be kept within it's borders.
Is the goal for these governments to cut their population off from the reach of the global Internet in the interest of protecting privacy and national security? If so, how will an information based economy flourish when cut off from the web? How, in a truly isolated technical environment, can a domestic technology industry flourish? How will citizens feel when they can't post in Facebook? Or communicate on Skype or Twitter? Or purchase from Amazon? Or get their news from the New York Times, the Guardian or Huffington Post? They may have privacy from the outside world, but what of the benefits of global inter-connectivity?
This is not only about the success of U.S. companies; in this regard, it is about the social values that underpin the transformative open Internet.
If Berlin, Brussels and Brasilia set their own rules, then what is to stop Beijing, Bangkok or Beirut from doing the same? The social and economic benefits of the open Internet as we know it will be tragically undermined. Better we take actions that create the legal framework to harmonize, not Balkanize, the Internet; lest we turn the potential for the benefits of innovations such as cloud computing to mist.
The fact is, these isolationist strategies are superficial responses to a systemic failure. Very simply, the reaction has spurred actions that don't address the real issue: Government information gathering in the 21st Century requires 21st Century rules.
The Wrong Enemy No. 1: The US I.T. Industry
The U.S. IT industry has long railed against perceived government overreaching for access to data. Since the passage of the PATRIOT Act, most have expressed their views in public, to government, and even in the courts, opposing government information gathering tactics they believe unconstitutional and contrary to globally acceptable practices.
Licking their wounds from betrayal exposed by Snowden's documents, these IT companies reacted to what they learned from the string of disclosures by fixing technical gaps and driving public debate on surveillance, calling for stricter laws and greater transparency to protect customer privacy. Few would have anticipated how vocal those companies would be, but they reacted as anyone who finds another rifling through their private stuff uninvited.
Furthermore, these are publicly listed companies, and as such, must answer to the market, which demands profit; in the modern economy meeting market expectations requires an accepting global marketplace. The NSA story has shaken global trust and American IT companies will seek to restore it. They will aggressively (and if history teaches, sometimes viciously) compete with each other, and when greater data security is a differentiator, they will differentiate.
Already, U.S. technology companies published what they are doing from engineering and legal perspectives to fight U.S. (and other) government surveillance. Some of the most talented technical minds in IT are now - perhaps belatedly - focused on better securing customer and corporate data. Improved security measures include ensuring effective encryption of data, at rest and in transit, especially between their data centers irrespective of location and working with overseas governments to prove there are no U.S.-government back doors in their products.
In the past few months, Apple and Google successfully challenged the secrecy of government search orders in courts in Washington, D.C. and California; judges in a new "Magistrate's Rebellion" are willing to limit secrecy orders on constitutional grounds. Microsoft has brought legal action more broadly - challenging government demands for data maintained entirely on foreign soil, asking the court to clarify that the government's reach extends only to U.S. borders, as is the case for physical search. These actions are not merely cosmetic, but paradigm shifting demands to constrain government actions.
In light of the extent to which the intelligence community appears to have succumbed to 'dataholism' - a thirst for and addiction to information - the industry is responding aggressively to protect it's systems and it's users from those dataholics.
The security of global information technologies should be beyond reproach, and that's not the case at the moment. Government actions have broken the trust these companies have built over decades.
Revelations show us that all in the IT business, whether in the U.S. or elsewhere, need to more vigorously protect the Internet from unauthorized intruders, whether government or criminal. Indeed, the Snowden revelations illustrate that it is not only the U.S., but these same governments that are now critical of the U.S. that engage in similar egregious acts and indeed benefit from the information accessed by the U.S. government. Ultimately, it is the security of the Internet, globally, that is at risk.
Someone needs to be talking about real, properly targeted solutions
We hope that as Don Quixote realized the truth about windmills, foreign governments quickly learn the U.S. companies are not themselves the threat, but beneficial to the domestic economies and to global innovation. And that not all U.S. government agencies are engaged in questionable activities.
Efforts are better placed in ensuring behavior is lawful in the future, whether that of the U.S. or other governments, subject to greater oversight, transparency and scrutiny, and that there are clear lines between what is acceptable government access to data, and what is not. Indeed, there is a dataholic, which needs rehabilitation. We need the equivalent of a 12-step program that should focus on directly reforming the rules by which that dataholic must abide, and ensure through more robust oversight that new laws are complied with.
We should look, too, at the laws, regulations and mechanisms that allow law enforcement and regulatory agencies to gather and share information domestically and internationally to make sure they are both effective and limited. What are legitimate information gathering procedures? What should be curtailed? When data is stored off-shore, what grounds would legitimize access? A "break glass" provision, if you will.
Law enforcement agencies around the world would contend that existing overseas evidence gathering arrangements have not kept pace with demands placed on them by the global information age. And, of course, technological developments have challenged governments, by both the opportunity to acquire information and the need to consider these new channels of communication as useful to criminals to undertake illegal activities. It is time to reevaluate the balance between government's ability to access; and privacy protections that are of growing import as the Internet develops.
There should be 21st-century rules for legitimate law enforcement information requests, including an update to the implementation of Mutual Legal Assistant Treaties that enable law enforcement agencies in one jurisdiction to enlist the help of law enforcement agencies in another jurisdiction. Recognizing that due process remains a cornerstone of successful law enforcement and the protection of civil societies, there should be no doubt that all law enforcement access to data is pursuant to legal process that protects the rights of individuals. Equally necessary are rules that enable highly desirable oversight of regulated industries, particularly where data crosses borders.
Law enforcement and government regulation aside, the gathering of foreign intelligence is also legitimate (and inevitable), but we need clearer rules and judicial and legislative oversight that cut across geographies. With the Internet celebrating its 25th birthday and in light of the revelations disclosed by Snowden, Greenwald and others, the time has come to address the dataholics among us - to develop principles by which information is managed and accessed in a way that protects privacy, respects the rule of law and keeps civil societies safe.
These principles can only come about through international, multilateral and bilateral agreements. Such agreements addressing privacy, information access and "data sovereignty" require a level of commitment that will sustain a multi-year process. A parallel can be drawn with nuclear arms agreements. The world acknowledged that the threat of a nuclear war could lead only to greater geopolitical challenges in the future. Governments recognized the need to build trust. Parties must be ready to consider 'baby steps,' initially focusing on the most pressing issues. We know our governments need to and will continue to gather information on each other, but we need principles by which we all can live, principles that accomplish our fundamental mission of protecting our populations, and yet, protect from dataholism.
Principles To Live By
Each, the intelligence community, law enforcement and government regulators need principles to guide their thinking about access to information on the Internet. The principles may be defined by asking the most pertinent questions:
• What type of information is being sought?
• What entity is asking for the information?
• What is the purpose for their asking?
• What will the information be used for?
• What is the process for asking and obtaining the information?
• What are the safeguards to avoid wrongful access?
• What are the cost and benefit trade-offs for society?
The principles, articulated in terms of now long familiar privacy rights, privileges and expectations, due process and oversight, must embody appropriate transparency to rebuild the trust and confidence that victims of dataholic abuse - U.S. companies in general and more particularly, the IT companies whom have wrongly been blamed for the overreaching of government - now suffer. These principles will differentiate the types of information, needs of each - and proper due process procedures for - intelligence, law enforcement and regulators. They will make clear the rules for circumstances when data in the digital realm is being sought and most importantly, identify when it is appropriate to 'break glass in case of emergency,' and access data that otherwise should remain private.
And there is a practical place to start: reviewing the existing international legal regimes used to support cross border law enforcement information access, moving them from the age of the steam engine to the age of the search engine: make it more transparent, faster, and - yes - easier, for cooperating governments to share information and assist each other via these structured channels to reduce the urge to steal it.
Government leaders need to stand down, take a breath, look at the facts and respectfully and responsibly work together to better balance the need for governments to have to access data made abundant by the Internet, and the privacy rights of the public. It is time to turn foreign governments tilting at windmills to taking on solutions to the real problem of government dataholism in the 21st Century.
Co-authored by Alastair MacGibbon.
Mr. MacGibbon is a Director of the Centre for Internet Safety at the University of Canberra and was previously the Director of the Australian High Tech Crime Centre and an Agent with the Australian Federal Police.