Two years after Edward Snowden’s revelations about the National Security Agency’s surveillance overreach, American tech companies are still counting the cost of the damage.
When I wrote, at the end of 2013, that there was “a real, measurable economic cost to the NSA’s actions,” we were only beginning to get a sense of what that cost might entail. A couple of years later, we have a better idea, as non-American customers continue to shy away under the not-unfounded suspicion that their privacy cannot be guaranteed. For Europeans, especially, the risks of using American services seem to have begun to outweigh the benefits.
Earlier this month, the European Union’s top court invalidated a 15-year-old deal that allowed companies to transfer data pertaining to EU citizens to servers located elsewhere without breaching the relatively strict European regulations regarding privacy. The “Safe Harbor” pact allowed big U.S. companies like Google (GOOG), Amazon (AMZN) and Microsoft (MSFT) to serve EU customers as long as they pledged to abide by a particular set of principles. Perhaps more importantly, it also benefitted thousands of smaller non-European firms that lack the resources to serve the continent locally.
In the wake of the NSA scandal, however, it was only a matter of time before European courts said that such an agreement wasn’t good enough. After all, if the U.S. government can get through or go around companies’ safeguards, their agreement to abide by even the strictest of standards only goes so far.
The ruling does not mean that all data transfers between the EU and the U.S. must cease immediately. In fact, some big players like Facebook and Netflix have already said they have alternate arrangements in place to legally transfer data. Such options include “model contracts” that use language approved by European officials, as well as appeals to individual national regulators. These options are cumbersome, but the big players in tech can handle them. Where losing Safe Harbor will hurt the most is smaller companies and startups hoping to crack the European market. Though the EU and the U.S. have been working to reach an updated data agreement, the U.S. surveillance state has put European privacy advocates on high alert.
Meanwhile, here at home, companies have won at least one victory in the struggle against government reach. Last year, FBI Director James Comey denounced Apple’s new, more comprehensive encryption system, pushing for Apple and other tech companies to build in “back door” access so the government can obtain encrypted data without the device owner’s cooperation. Last week, however, the Obama administration backed away from this stance, citing the risk that cybercriminals and foreign powers could exploit such workarounds.
The FBI and some allies continue to argue that its inability to break into encrypted devices will hinder efforts to fight crime. A recent Wall Street Journal article described 16 district attorneys who wrote to the Senate Judiciary Committee calling for such access, citing homicide and other investigations where locked phones were roadblocks. But as I wrote a year ago, this stance is missing the point, which is that builders – whether of houses or phones – have no responsibility to install flimsy doors or keep spare keys so investigators can gain access without owners’ permission. What’s more, as Wired reported, encryption comes into play much less often than law enforcement has suggested. Using an iPhone as an example, police can still subpoena Apple for data stored in the cloud, which is much of a phone’s data by default. If law enforcement has a warrant that includes a user’s laptop, they may also be able to access unencrypted phone backups there.
The administration’s decision not to press for legislation to mandate back doors is a positive step – but it may be too little too late, as far as reassuring the rest of the world that they can trust their data to American companies. Consider the Justice Department’s ongoing effort to force Microsoft to turn over data stored in Ireland, notwithstanding the administration’s new stance on encryption. According to Bloomberg, government attorneys claim to be seeking evidence linked to a narcotics case; Microsoft has argued that the consequences of losing the case could be profound and far-reaching.
Part of the issue is that the era of cloud computing has resulted in a data load spread widely, often across national borders. Bloomberg posited a Skype call between users in the U.S. and Germany, the data from which is stored on a South African server and requested by Singapore’s government. Whose laws must Microsoft prioritize in this case? As Nuala O’Connor, head of the Center for Democracy and Technology in Washington, observed, “These are the most far-fetched law school hypotheticals you could ever come up with. Except they are coming true.”
The U.S. government, unsurprisingly, thinks its laws should apply everywhere, all the time. Microsoft’s attempt to push back has not gone well so far; it has already lost two lower-court decisions. The company has said it will appeal to the Supreme Court if it loses again, which is unsurprising, given the international business it and other tech companies stand to lose – an estimated $35 billion in sales, according to a June report by the Information Technology and Innovation Foundation. Those sales will likely go to foreign competitors who are not exposed to the claim that American companies owe fealty to the U.S. government, rather than their foreign customers or shareholders.
I observed, almost from the start of Snowden’s revelations, that the reckless conduct of the surveillance community would inevitably jeopardize a thriving American industry. Now it has.
I also observed that law-abiding Europeans have just as much expectation of freedom from unreasonable search as Americans expect under the Fourth Amendment. It was never sensible to suggest that U.S. intelligence should have an unfettered right to monitor, say, every German up to and including the chancellor.
And I observed that what the intelligence community does, law enforcement inevitably wants to do, as we have seen in the case of cell-site simulators. Now decrypting phones is no longer a matter of national security; your local sheriff wants to be able to decrypt everything on your phone (provided he gets a warrant from his fishing buddy, the local judge) in search of the nearest meth lab.
These were the foreseeable consequences of the recklessness with which the surveillance community pursued its goals without any consideration of the costs against the perceived benefits. And all of that surveillance did not stop the Boston Marathon bombings, two attacks at Fort Hood, and an attempted bombing in Times Square. Granted, we do not know everything that it did stop. But we do know that Europeans don’t like being spied upon, and they don’t think they deserve it. In that, they are right.