Online Firms Blast NSA's Tactics

Companies Call for 5-Point Surveillance Reform

A letter from eight prominent online companies to President Obama and Congress calls for reform of government surveillance programs, outlining concerns about the way the National Security Agency monitors online and telephone communications.

The companies - AOL, Apple, Facebook, Google, LinkedIn, Microsoft, Twitter and Yahoo - sent the letter this week, urging the federal government to institute reforms that ensure government surveillance efforts are clearly restricted by law, proportionate to the risks, transparent and subject to independent oversight.

"The tech giants' message couldn't be any clearer or more welcome - the government's massive spying authorities must be reined in immediately," says Michelle Richardson, legislative counsel at the American Civil Liberties Union's Washington legislative office. "Widespread support for reform will only continue to grow until Congress and the administration deal with out-of-control spying head on by prohibiting indiscriminate surveillance."

Fueling concerns about NSA activities are what seem to be never-ending leaks from former NSA contractor Edward Snowden. Among the latest was a Dec. 4 Washington Post report that the agency is gathering nearly 5 billion records a day on the whereabouts of cellphones around the world, which allows it to track the movements of individuals - and map their relationships - in ways that would have been previously unimaginable.

Shaken Trust

Revelations about NSA surveillance activities have shaken the trust of Yahoo customers, CEO Marissa Mayer says. "It is time for the United States government to act to restore the confidence of citizens around the world," she says.

Mayer and her colleagues at the seven other companies have a legitimate gripe primarily because of the impact on their reputations and profitability, says Jacob Olcott, cybersecurity principal at the security advisory firm Good Harbor Consulting. "The U.S. government needs to recognize and account for the deep harm that it is likely inflicting on American businesses because of these surveillance efforts," Olcott says. "Today, that conversation appears one-sided."

Allan Friedman, a Brookings Institution fellow who focuses on cybersecurity's impact on the economy, says the technology companies raise a series of important concerns about NSA practices, ranging from the long-established processes of requesting specific records to the newer ones involving wholesale data collection.

Because the NSA collects so much data from American firms, "the foreign press and even sophisticated policymakers have combined or conflated many of these concerns and come to the conclusion that American firms can't be trusted," says Friedman, co-author of the forthcoming book Cybersecurity and Cyberwar: What Everyone Needs to Know, to be published by Oxford University Press early next year.

"In the short-run, the adverse publicity will have at least some small effect on their bottom line," he says. "If they can't win back the trust of foreign consumers and governments, then the long-run outcome might be policies that promote national or regional businesses to take their place."

Google CEO Larry Page, in a statement accompanying the letter announcing the launch of a website - Reform Government Surveillance - to promote the companies' cause, says NSA efforts have thwarted steps companies like Google have taken to protect privacy, such as investing in encryption. "This is undermined by the apparent wholesale collection of data, in secret and without independent oversight, by many governments around the world," Page says. "It's time for reform, and we urge the U.S. government to lead the way."

Five Principles

The companies list five principles directed at all governments, not just the U.S., that are designed to balance protecting a nation's security with individual rights:

  1. Limiting Governments' Authority to Collect Users' Information: Governments should codify sensible limitations on their ability to compel service providers to disclose user data that balance their need for the data in limited circumstances, users' reasonable privacy interests and the impact on trust in the Internet. Governments also should limit surveillance to specific, known users for lawful purposes and should not undertake bulk data collection of Internet communications.
  2. Oversight and Accountability: Intelligence agencies seeking to collect or compel the production of information should do so under a clear legal framework in which executive powers are subject to strong checks and balances. Reviewing courts should be independent and include an adversarial process, and governments should allow important rulings of law to be made public in a timely manner so that the courts are accountable to an informed citizenry.
  3. Transparency About Government Demands: Transparency is essential to a debate over governments' surveillance powers and the scope of programs that are administered under those powers. Governments should allow companies to publish the number and nature of government demands for user information. In addition, governments should also promptly disclose this data publicly.
  4. Respecting the Free Flow of Information: The ability of data to flow or be accessed across borders is essential to a robust 21st century global economy. Governments should permit the transfer of data and should not inhibit access by companies or individuals to lawfully available information that is stored outside of the country. Governments should not require service providers to locate infrastructure within a country's borders or operate locally.
  5. Avoiding Conflicts Among Governments: To avoid conflicting laws, there should be a robust, principled and transparent framework to govern lawful requests for data across jurisdictions, such as improved mutual legal assistance treaty processes. Where the laws of one jurisdiction conflict with the laws of another, it is incumbent upon governments to work together to resolve the conflict.

Restoring Government Trust

"People won't use technology they don't trust," Microsoft General Counsel Brad Smith says. "Governments have put this trust at risk, and governments need to help restore it."

Bruce McConnell, a former top policymaker at the Department of Homeland Security, says he believes such reforms are doable. "Reform is never a pipedream," says McConnell, who earlier this year joined the global security think tank EastWest Institute as a senior vice president. "The dance between technology's power and human dignity continues. We will get this right; it just takes time."

In a statement, National Security Council spokeswoman Caitlin Hayden says the White House appreciates the concerns expressed by the eight companies, pointing out that the president had directed a review of the government's surveillance capabilities and programs a few months ago (see President Orders Panel to Assess Tech's Role on Leaks).

"Through the coming weeks, we will be actively considering these companies' concerns and other issues raised by the stakeholders we have met with over the last few months, as well as the input of the president's review group," Hayden says.

But another administration intelligence official says reforming the way the agency conducts surveillance won't be easy.

"The intelligence community is not designed and built for transparency; we're designed and built for the opposite," Alexander Joel, civil liberties protection officer at the Office of the Director of National Intelligence, said at a Brown University forum held days before the letter was issued.

"When it comes to transparency, that is a culture shift for us, it's a skillset shift for us, and it's been hard for us," Joel says. "People are working very hard to do this, and it's going to take time for us to [change] the way the community operates."

About the Author

Eric Chabrow

Host & Producer, ISMG Security Report; Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow hosts and produces the semi-weekly podcast ISMG Security Report and oversees ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.