NSA Surveillance Costs and the Crypto Debate

While surveillance reform efforts in Congress are on pause until lawmakers return from the campaign trail in November, the costs of the NSA’s bulk collection and monitoring programs continue to pile up. And now — to the chagrin of some law enforcement officials — companies are responding by competing over security improvements to their products.

Last week, Senator Ron Wyden (D-OR) hosted a roundtable in Silicon Valley with the leaders of several major tech companies to discuss the “Impact of U.S. Mass Surveillance on the Digital Economy.” As Chairman of the Senate Finance Committee and a longtime advocate for surveillance reform, Wyden has been one of the leading voices in the Senate calling for an end to bulk collection and other mass surveillance practices. In assessing how the events of the past year have hurt our high-tech economy with Google CEO Eric Schmidt and executives from Microsoft, Dropbox, and Facebook, Wyden stated point-blank: “This is going to cost jobs. Good-paying American jobs.”

The impact on the U.S. tech sector was one of several key themes that emerged during the discussion in Palo Alto, the heart of Silicon Valley. All of the panelists agreed that the loss of trust as a result of NSA surveillance is damaging U.S. business interests, both at home and abroad. One big concern is the risk of Internet fragmentation because of data localization proposals that have emerged in a number of foreign governments, including Germany, Brazil, and India. Schmidt warned that if these proposals move forward, “the simplest outcome is we’re going to end up breaking the Internet.” Passing the USA FREEDOM Act, increasing transparency around government requests for information, and promoting the use of encryption are immediate steps that can help mitigate the situation, but panelists emphasized that truly repairing the damage will take broader, long term reform efforts.

The statements of major tech leaders at the Wyden hearing are just the latest in a steady stream of evidence that the costs of NSA surveillance continue to increase. In July, we released a comprehensive study that assessed the economic and political fallout in the first year after Snowden, chronicling the existing and projected future losses for the U.S. cloud computing industry, the decline in technology sales overseas, and the potential impact of data localization and local storage proposals on American business interests. Practically every week, new information comes to light that adds weight to our case.

In August, the Wall Street Journal reported that foreign privacy startups are seeing a post-Snowden boom. “Since news broke that former U.S. National Security Agency contractor Edward Snowden disclosed alleged U.S. government surveillance methods worldwide,” the Journal wrote, “secure messaging and so-called ‘NSA-proof’ products and companies have sprouted across Germany and Switzerland, two countries who take their privacy laws very seriously.” The rise of “Snowden marketing” as a strategy to poach American business is serious — in the current environment, even the perception that a foreign company may offer users more security and protection from government overreach (regardless of whether their products are actually more secure) can be enough for customers to sever existing relationships with U.S. companies. In some cases, it’s individual customers who are flocking to companies like Runbox, a small Norwegian provider offering secure email service that reported a significant jump in customers since June 2013. But we’ve also seen governments pull major contracts, such as Germany’s announcement that it intends to end its relationship with Verizon in 2015.

As another news story described last month, it increasingly seems like the government is putting Silicon Valley in a “no-win” situation. On the one hand, the NSA compels companies to hand over troves of information on their users or face stiff fines, while at the same time preventing them from being transparent with their shareholders or users about the overall scope or cost of the surveillance. Several major Internet companies responded by suing the government in the secretive Foreign Surveillance Court, ultimately obtaining a deal in January with the Justice Department allowing them to publish some basic numbers about the national security requests they receive. And just last week, Twitter filed a lawsuit in federal court in California for the right to publish a more detailed transparency report than what the deal with the DOJ allows.

In addition to advocating for greater transparency and broader surveillance reform, many U.S. companies are also starting to respond by improving the security of their products. Last month, both Apple and Google announced that they’re moving toward full smartphone encryption by default, which means that all of the data on their phones will be protected from the prying eyes of the government, criminals, and the companies themselves (who could previously bypass most of a device’s security features when the government asked). The added protection is intended to appease not only to Americans who are concerned about NSA snooping, but also customers in foreign markets like China that have long been concerned about government-mandated security vulnerabilities in American products. As the Washington Post declared, “Privacy is tech’s latest marketing strategy.”

Unfortunately, Apple’s attempts to close what cryptography expert Bruce Schneier called “a serious security vulnerability in the iPhone” and hand some control back over to its customers has prompted a serious backlash from the law enforcement community here in the United States. FBI Director James Comey has argued that the feature will “allow people to place themselves beyond the law” and that default encryption could seriously hinder criminal investigations, an argument that he repeated yesterday at the Brookings Institute. The Editorial Board of the Washington Post suggested that perhaps Apple and Google should use their “wizardry” to create a “secure golden key” that would only be used to access information stored on a device once a warrant had been obtained.

The strong negative reaction from law enforcement and the Washington Post to these new improvements in smartphone encryption is off-base for several reasons. For starters, the claim that improved smartphone security could somehow make us less safe has been thoroughly rebutted by experts who have explained how better encryption helps protect against individual criminal threats as well as larger cybersecurity threats. And suggesting that companies should build “backdoors” in their security systems to enable law enforcement access simply does not make sense from both a security and an individual liberty perspective. We already fought this battle once, in the so called “Crypto Wars” of the 1990s, when proposals to mandate that U.S. technology companies adopt a technology called the “Clipper Chip,” giving the government the ability to decrypt private communications, were rebuffed after robust public debate on the issue. Twenty years ago, lawmakers, technologists and privacy advocates all ultimately concluded that such backdoors are not only bad for privacy, but also for our overall information security and America’s competitiveness in the information economy. That was true then, and it’s true today. The U.S. government should not compound the growing costs of the NSA programs with a misguided push for the weakening of smartphone security, but if it insists on sparking another round of Crypto Wars, we look forward to the fight.