July 29, 2014
It has been over a year since The Guardian reported the first story on the National Security Agency’s surveillance programs based on the leaks from former NSA contractor Edward Snowden, yet the national conversation remains largely mired in a simplistic debate over the tradeoffs between national security and individual privacy. It is time to start weighing the overall costs and benefits more broadly. While intelligence officials have vigorously defended the merits of the NSA programs, they have offered little hard evidence to prove their value—and some of the initial analysis actually suggests that the benefits of these programs are dubious. Three different studies—from the President’s Review Group on Intelligence and Communications Technologies, the Privacy and Civil Liberties Oversight Board, and the New America Foundation’s International Security Program—question the value of bulk collection programs in stopping terrorist plots and enhancing national security. Meanwhile, there has been little sustained discussion of the costs of the NSA programs beyond their impact on privacy and liberty, and in particular, how they affect the U.S. economy, American foreign policy, and the security of the Internet as a whole.
This paper attempts to quantify and categorize the costs of the NSA surveillance programs since the initial leaks were reported in June 2013. Our findings indicate that the NSA’s actions have already begun to, and will continue to, cause significant damage to the interests of the United States and the global Internet community. Specifically, we have observed the costs of NSA surveillance in the following four areas:
- Direct Economic Costs to U.S. Businesses: American companies have reported declining sales overseas and lost business opportunities, especially as foreign companies turn claims of products that can protect users from NSA spying into a competitive advantage. The cloud computing industry is particularly vulnerable and could lose billions of dollars in the next three to five years as a result of NSA surveillance.
- Potential Costs to U.S. Businesses and to the Openness of the Internet from the Rise of Data Localization and Data Protection Proposals: New proposals from foreign governments looking to implement data localization requirements or much stronger data protection laws could compound economic losses in the long term. These proposals could also force changes to the architecture of the global network itself, threatening free expression and privacy if they are implemented.
- Costs to U.S. Foreign Policy: Loss of credibility for the U.S. Internet Freedom agenda, as well as damage to broader bilateral and multilateral relations, threaten U.S. foreign policy interests. Revelations about the extent of NSA surveillance have already colored a number of critical interactions with nations such as Germany and Brazil in the past year.
- Costs to Cybersecurity: The NSA has done serious damage to Internet security through its weakening of key encryption standards, insertion of surveillance backdoors into widely-used hardware and software products, stockpiling rather than responsibly disclosing information about software security vulnerabilities, and a variety of offensive hacking operations undermining the overall security of the global Internet.
The U.S. government has already taken some limited steps to mitigate this damage and begin the slow, difficult process of rebuilding trust in the United States as a responsible steward of the Internet. But the reform efforts to date have been relatively narrow, focusing primarily on the surveillance programs’ impact on the rights of U.S. citizens. Based on our findings, we recommend that the U.S. government take the following steps to address the broader concern that the NSA’s programs are impacting our economy, our foreign relations, and our cybersecurity:
- Strengthen privacy protections for both Americans and non-Americans, within the United States and extraterritorially.
- Provide for increased transparency around government surveillance, both from the government and companies.
- Recommit to the Internet Freedom agenda in a way that directly addresses issues raised by NSA surveillance, including moving toward international human-rights based standards on surveillance.
- Begin the process of restoring trust in cryptography standards through the National Institute of Standards and Technology.
- Ensure that the U.S. government does not undermine cybersecurity by inserting surveillance backdoors into hardware or software products.
- Help to eliminate security vulnerabilities in software, rather than stockpile them.
- Develop clear policies about whether, when, and under what legal standards it is permissible for the government to secretly install malware on a computer or in a network.
- Separate the offensive and defensive functions of the NSA in order to minimize conflicts of interest.