In general, I’m not all that interested in conspiracy theories, but there does come a point at which the pieces of a larger puzzle come together and, as the old saying goes, where there’s smoke, there’s fire. By now, pretty much the entire world is aware of the Edward Snowden saga, but it is the latest revelations from his treasure trove that could have a chilling effect on technology companies based in the United States, particularly those that provide US-based cloud services.
In recent days, Microsoft has come under increasing scrutiny as allegations of deep ties with the NSA grow louder. The UK’s The Guardian is reporting that:
- Microsoft’s new Outlook.com is accessible to NSA officials.
- Skype is under regular surveillance. “In July last year, nine months after Microsoft bought Skype, the NSA boasted that a new capability had tripled the amount of Skype video calls being collected through Prism.”
- SkyDrive accounts are under regular surveillance.
There are also rumors that this activity has been going on for at least three years, with some arguing that such activities could go back even further – all the way to the days of Windows 2000. To be sure, if reports are true, the activity seems to have become modus operandi for Microsoft.
Microsoft is not alone
Other US-based tech companies, including Apple, Google, and Facebook, have also been identified as companies with varying degrees of ties to the NSA, most notably being accused of providing direct lines into their data centers. All of the companies, however, have publicly responded with information regarding the kinds of requests received from the NSA (in broad terms) as well as the volume of such requests. They all indicate that the media coverage is inaccurate as well.
However, the companies also indicated that the government does not allow these companies to release detailed information about the activities that are being discussed in the press, leaving the companies to provide simply broad ranges and broad details about the activities. Some of them are requesting that the government allow additional disclosure.
Unfortunately, as things stand right now, it’s very difficult to prove or disprove what is being released, particularly with the named companies effectively under a gag order from the NSA. Some of the companies are requesting to be allowed additional transparency to the public about NSA requests, but these requests so far are only that… requests. The Foreign Intelligence Surveillance Act court does not allow contents of their requests to be made public.
The major concerns from foreign countries really began when the Patriot Act itself was passed and, due to that act, some foreign entities will not procure certain services from U.S.-based companies. I’ve personally seen even Canadian organizations avoid U.S.-based services out of fear of the Patriot Act.
The primary commercial risks in the current situation focus on trust and transparency. At best, the inability of these organizations to provide complete transparency into their activities leaves customers – especially foreign ones – at risk of the U.S. government obtaining trade secrets, governmental information, and personal information about foreign citizens. At worst, foreign organizations could simply stop using services from U.S.-based companies. That said, the NSA reportedly has agreements with major foreign telecommunications companies, so attempting to avoid the U.S. dragnet may be impossible. Further, some reports say that the NSA continually spies on European allies and “snoops through approximately 20-60 million German phone connections, and 10 million Internet data sets a day… All in all, the NSA combs through around half a billion German phone calls, emails and text messages on a monthly basis.”
It’s obvious why foreign companies would be hesitant to deal with U.S.-based providers after these recent revelations, but what’s even more concerning is the potential for U.S.-based customers to move their business to potentially more secure foreign (Swiss, to be exact) cloud providers in an effort to protect their businesses.
If enough customers seek such alternatives, the long-term success of America’s technology sector is far from certain. These kinds of services are based on extremely high levels of trust and, as things currently stand, there are too many secret activities taking place in the name of fighting terrorism for the public and for foreign organizations to have any faith whatsoever that their intellectual property, business methods, contract details, and sensitive personal user information can be adequately protected.
A slippery slope
Perhaps most concerning is how U.S. laws originally passed in the wake of 9/11 have been expanded to cover other criminal activities interpreted by the NSA. In the NSA’s original “fact sheet”, which has since been pulled from the NSA site, this is cited: “The dissemination of any information about U.S. persons is expressly prohibited unless it is necessary to understand foreign intelligence or assess its importance; is evidence of a crime; or indicates a threat of death or serious bodily harm.”
Under the Fourth Amendment, which reads “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized” it seems that the NSA program should not be allowed to be used to gather “evidence of a crime,” since the original intent of the program was to combat terrorism.
In addition to the obvious points already outlined above, what appears to be the slippery slope nature of how some of the gathered information is used will likely give organizations pause as they move forward with their cloud deployment plans. It can also affect how organizations use even long-standing services, including email.
Action Item: As organizations make their way into the cloud, careful consideration needs to be paid to the potential fallout should corporate information make its way into the hands of spy agencies. Portions of the U.S. government have proven beyond a doubt that they are willing to move forward in prosecuting people based on out-of-context statements made in public forums, so it might not seem much of a surprise to see other spurious connections made based on the treasure trove of information at the government’s disposal. In a perfect world, the public could have complete trust in officials to use information responsibly, in-context, and for its original purpose. But as history has taught us, information is power, and, when in the wrong hands, the damage can be considerable. US-based technology companies – and the American public – need to demand concrete answers and actions based on these revelations to assure the world, and American companies, that the United States is open for business in a way that is transparent and trustworthy.
Of course, this is about more than just the cloud. The activities that have been identified could have a chilling effect on traditional services and products as well. Until questions are answered, expect more caution, especially from foreign buyers, as people re-evaluate their strategies to determine the overall security posture.