Why Edward Snowden just might turn out to be Big Brother's best friend.
- By Shane Harris
Shane Harris is a senior staff writer at Foreign Policy, covering intelligence and cyber security. He is the author of The Watchers: The Rise of America's Surveillance State, which chronicles the creation of a vast national security apparatus and the rise of surveillance in America. The Watchers won the New York Public Library’s Helen Bernstein Book Award for Excellence in Journalism, and the Economist named it one of the best books of 2010. Shane is the winner of the Gerald R. Ford Prize for Distinguished Reporting on National Defense. He has four times been named a finalist for the Livingston Awards for Young Journalists, which honor the best journalists in America under the age of 35. Prior to joining Foreign Policy, he was the senior writer for The Washingtonian and a staff correspondent at National Journal.
When former National Security Agency contractor Ed Snowden exposed the inner workings of the country’s biggest intelligence organization, he said he did so to roll back a spying apparatus that put the United States on the path to "turnkey tyranny."
But his revelations could end up having the opposite effect. Instead of declawing a single surveillance state, Snowden’s leaks could ironically wind up enhancing government spying around the globe.
According to experts who are advising U.S. email, cloud data storage, and social media companies, executives are concerned that foreign governments — particularly ones with fewer protections for personal privacy and free speech — are already beginning to demand that U.S. tech companies relocate their servers and databases within their borders. Under normal circumstances, companies would rarely comply with those migration demands, especially if those countries have reputations for heavy-handed internal policing. But now that the United States is being seen as a global spying power, they may have little choice.
Other governments can make their relocation demands in the name of protecting citizens from the intrusive powers of the NSA. Then those regimes can use U.S. tech to make their own law enforcement and intelligence agencies more NSA-like.
"Despite Snowden’s sensational revelations, data will not be better protected outside the U.S. in countries where privacy is aspirational at best," said Al Gidari, a lawyer with the firm Perkins Coie who represents companies on surveillance and communications law. "Data stored locally will be the fuel for corruption, abuse and repression in most of those countries, especially in those countries that are complaining the loudest about U.S. surveillance activities."
This week, Brazil’s communications minister said that Internet service providers may now be required to store information locally following reports that NSA has spied on communications in Brazil and across Latin America.
"The ideal thing would be for these companies to keep their data in the country so it can be available should Brazil’s justice system request it," Paulo Bernardo Silva said in an interview with a Brazilian newspaper. Silva described local control of data as a matter of national sovereignty.
Companies that provide cloud computing services are facing particular scrutiny abroad. Their business is to store large amounts of sensitive information about foreign individuals and companies on servers that are located in United States. And there is a growing perception that this infrastructure is firmly within the grip of the U.S. intelligence agencies, several experts said. That impression is not diminished when U.S. officials, attempting to mollify domestic critics, argue that the NSA is only interested in monitoring foreigners.
Over the past few years, overseas governments have increased pressure on marquee technology companies to hand over more data about their customers and to comply with official orders that would be deemed unconstitutional in the United States.
In 2011, Research In Motion, maker of the BlackBerry, gave the government of India access to its consumer and messaging services, in response to authorities’ concerns that they would not be able to monitor criminals and other threats communicating over the company’s networks. Officials had threatened to cut off access to the company’s services inside their country if RIM didn’t comply. The company ultimately agreed to allow India’s security agencies to intercept emails and other messages.
Last year, the Google executive in charge of the company’s business operations in Brazil was arrested after the company failed to comply with a government order to remove YouTube videos critical of a local mayoral candidate. Google, which owns YouTube, said it wasn’t responsible for the content that users post to the video sharing network.
It wasn’t the first time the company had run up against aggressive policing of information that would be protected under the First Amendment in the United States. In 2011, Google removed profiles from its Orkut social-networking system after a court order deemed them politically offensive. And another order told the company to take down thousands of photos from one of its sharing sites.
U.S. companies are required to abide by the surveillance laws in whatever country they operate. But under legal assistance treaties, foreign governments usually funnel their requests through official channels, and U.S. authorities deliver the requests to the American companies. That slows down the surveillance machine in those countries, and they’ve been looking for ways to speed up that process.
Brazil may prove an early test case for the Snowden blowback effect. According to a report in the Brazilian newspaper Folha, the government will present a "formal condemnation of U.S. data collection techniques" to the United Nations Human Rights Council at its next meeting on September 9, in Geneva. Brazil has apparently had little luck attracting supporters to its attempt to politically embarrass the U.S. government — only seven other countries on the 47-member commission have signed on.
But new information about NSA spying, disclosed by the director of the agency himself, may add some momentum to Brazil’s efforts. At the Aspen Security Conference, Gen. Keith Alexander tipped his hand and revealed that the NSA is obtaining a huge amount of communications traffic from cables that come ashore in Brazil.
Brazil is in the espionage business, too, of course, as are most countries. But the NSA revelations have tended to obscure the obvious hypocrisy in one nation feigning outrage that another country is spying on it. In an interview with Folha, Brazilian Defense Minister Celso Amorim acknowledged that his fellow countrymen could be spied on via their connections to foreign social networks. (The implication was those in the United States.) But he said there was no evidence that the Brazilian government was using such a scheme to monitor its own citizens.
"What is known is more about the U.S. agencies," Celso said. "To my knowledge, nothing has come out about the Brazilian agencies. But Brazilians can be [monitored], yes. It is speculation."
Celso added that on two occasions, he believed his communications had been monitored by the United States, including while he lived in the country as Brazil’s ambassador to the United Nations. "I was responsible for three committees on the issue of Iraq. My phone started making a very strange noise, and when the commission on Iraq ended, the noise did too. There was an obvious focus then."
U.S. technology companies’ reputations are also taking hits in Europe. Vivane Reding, the European Union’s Justice Minister, is reviewing the Safe Harbor Framework, which is intended to support transatlantic trade while also protecting European citizens’ privacy. Redding has said the agreement could be used as a "loophole" to allow the transfer of personal data to the United States from European countries where privacy rules are stronger.
Companies based in Europe also believe that the NSA scandal could be a financial boon for them. Customers may start moving their data to facilities located in countries with stricter privacy regulations — and away from American-based firms. "There’s a perception, even if unfounded, that U.S. privacy protections are insufficient to protect the data which is stored either on U.S. soil or with U.S. companies," Justin Freeman, the corporate counsel for cloud computing provider Rackspace, told a House committee last year.
Snowden’s revelations have cracked whatever veneer of deniability U.S. companies had that they weren’t providing foreigners’ personal data to American intelligence agencies. And considering that Congress this week put its stamp of approval on a key element of the NSA’s surveillance architecture, companies may find it harder to persuade their foreign customers that the U.S. is still a safe place to keep their information.
But there may be a way, however unlikely, for U.S. companies to repair their international standing and keep their customers’ information away from the NSA: They could move their own infrastructure overseas or become acquired by majority foreign owners.
According to a report in the Wall Street Journal, the wireless division of Verizon and T-Mobile have not been part of the spy agency’s data collection regime because they’re tied to foreign owners. Deutsche Telekom, of Germany, owns 74 percent of T-Mobile, and Vodafone Group, of the United Kingdom, owns 45 percent of Verizon Wireless in a joint-venture with its parent company.
Germany and England may seem a long way to go to relocate a business. But it could keep companies further from the long arm of the NSA.