Published June 11, 2013
That the U.S. government continually taps the records of millions of phone calls and has virtually unlimited access to the Internet habits of netizens, at least those in the U.S. is one of the worst kept secrets in the digital security business. But it has Silicon Valley's top tech companies wringing their hands and the government assuring citizens that all this surveillance is for the common good.
But no matter where the debate about freedom, democracy and the Constitution goes from here, the leaked information concerning the National Security Agency's various secret surveillance programs including Prism is going to have some immediate fallout.
Many of the U.S. companies who are under secret court orders to relinquish this surveillance information (while denying they are doing so) are likely to lose credibility and get a chillier reception abroad. Meanwhile, government legislation that proponents have argued is needed to fight terrorism--online and off--may get dropped into the deep freeze.
The Silicon Valley credibility gap yawned when Facebook CEO Mark Zuckerberg and others deigned to post brief denials that they voluntarily work with the U.S. government and allow direct access to their computers. (Actually, there's nothing voluntary about this surveillance--it's according to court order--and direct access isn't required.) Such sudden squeamishness about sharing information seemed incredible given that these are businesses predicated on the idea of tracking you, squeezing as much personal information out of you as possible--and then selling it to any company willing to pay.
The IRS and human resources departments across the country habitually use personal Facebook postings to support audits or rejections for employment, for example. So sudden qualms about the government wanting some of that information seem, well, quaint: "I'm shocked, shocked to find gambling going on in here."
An extremely similar dismissive missive was posted by Google CEO Larry Page and David Drummond, the company's chief legal officer. Critics have expressed skepticism, pointing out that Google is in the business of information triangulation and datamining, and its own chairman, Eric Schmidt, is infamous for mocking privacy concerns: "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place."
While the leaks about the NSA aren't in and of themselves earth-shattering, it does put U.S. tech companies in a tricky position regarding foreign users--the users the NSA is very explicitly allowed to spy on. Internet companies need the global marketplace to grow, but now that the data's out of the bag, will, say, French users still want to join Facebook when they know all of their postings and movements are being watched by American spies? Perhaps they will choose to join a domestic social networking site instead, such as a Trombi or Copains d'Avant.
On the U.S. government side, there's a much criticized bill that recently passed the House of Representatives called CISPA or the the Cyber Intelligence Sharing and Protection Act, H.R. 624. It's a wide-ranging bill with endless provisions, but its primary purpose is to allow the government and private companies to share sensitive private information when an imminent threat to network security is detected. It would, in such an event, allow the parties to share information secretly and without the need for messy legal entanglements.
In light of recent revelations, CIPSA looks designed to provide more legal cover for covert digital operations, rather than help contend with cyber attacks, as its backers contend. Either way, its chances of passing the Senate now are substantially diminished (never mind the threat of Presidential veto).
Similarly, the FBI has been lobbying to update the 1994 Communications Assistance for Law Enforcement Act (CALEA). The old wiretapping law requires that telephone networks provide technology that allows eavesdropping, but newer digital forms of communication over the Web are under no such constraints. The FBI wants to level the playing field, forcing companies to create backdoors for situations when the authorities need to listen in to encrypted online chats and video calls. The FBI lobbying could face more resistance now as well. But there may be a silver lining.
"By designing the infrastructure in a way to allow interception, service providers could end up facilitating hacker intrusions," says Catalin Cosoi, chief security researcher at Bitdefender, echoing the concerns of many in the security community trying to thwart cyber attacks and hackers.
In other words, the more access that technology and communications firms provide to the government, the less inherently secure those systems become, laying open the possibility of more hacker attacks--which is what they were trying to prevent in the first place.
There is no doubt the threats are real. Hackers of every stripe--foreign governments, criminals, and terrorists--are continually attempting to steal everything from sophisticated weapons secrets to financial data to infrastructure control that could disable a power grid. However, the methods used by the NSA aren't secret, secure or effective if everyone in the security business and the criminals they work against already know about them. So if that's the case, why should we have to relinquish privacy and freedom for superfluous technological convenience.
It's a lesson reminiscent of the so-called Bork rule. During Robert Bork's contentious and unsuccessful Supreme Court nomination his video rental history was paraded before the public (it subsequently led to the Video Privacy Protection Act of 1988). Would you like to to be judged for a job opening based on the movies you've watched? (Too religious? Too violent?)
The only difference today is that the government is gathering up personal data -- and it's not about your Blockbuster rentals, it's about your FB friends and family.