Users have a right to expect technology firms to safeguard their privacy from state spying. Fixes like encryption are not enough
Technology companies: now is the moment when you must answer for us, your users, whether you are collaborators in the US government's efforts to "collect it all"– our every move on the internet – or whether you, too, are victims of its overreach.
Every company named in Edward Snowden's revelations has said that it must comply with government demands, including requirements to keep secret court orders secret. True enough. But there's only so long they can hide behind that cloak before making it clear whether they are resisting government's demands or aiding in them. And now, the time has come to go farther: to use both technology and political capital to actively protect the public's privacy. Who will do that?
We now know, thanks to Snowden, of at least three tiers of technology companies enmeshed in the NSA's hoovering of our net activity (we don't yet know whether the NSA has co-opted companies from the financial, retail, data services, and other industries):
(1) Internet platforms that provide services directly to consumers, allowing government to demand access to signals about us: Google with search, mail, calendars, maps; Facebook with connections; Skype with conversations, and so on.
In its first Prism reporting, the Washington Post apparently unfairly fingered nine of these companies, accusing the NSA and FBI of "tapping directly into the central servers" that hold our "chats, photographs, e-mails, documents, and connection logs". Quickly, the companies repudiated that claim and sought the right to report at least how many secret demands are made. But there's more they can and should do.
(2) Communications brands with consumer relationships that hand over metadata and/or open taps on internet traffic for collection by the NSA and Britain's GCHQ, creating vast databases that can then be searched via XKeyscore. Verizon leads that list, and we know from the Süddeutsche Zeitung that it also includes BT and Vodafone.
(3) Bandwidth providers that enable the NSA and its international partners to snoop on the net, wholesale. The Süddeutsche lists the three telco brands above in addition to Level 3, Global Crossing, Viatel, and Interroute. Eric King, head of research for Privacy International, asked in the Guardian: "Were the companies strong-armed, or are they voluntary intercept partners?"
The bulk data carriers have no consumer brands or relationships and thus are probably the least likely to feel commercial pressure to protect the rights of the users at the edge. The telephone companies should care more but they operate as oligopolies with monopoly attitudes and rarely exhibit consumer empathy (which is a nice way of saying their business models are built on customer imprisonment).
A hodgepodge alliance of US legislators is finally waking up to the need and opportunity to stand up for citizens' rights, but they will be slow and, don't we know, ineffective and often uninformed. The courts will be slower and jealous of their power. Diplomacy's the slowest route to reform yet, dealing in meaningless symbolism.
So our strongest expectations must turn to the first tier above, the consumer internet platforms. They have the most to lose – in trust and thus value – in taking government's side against us.
At the Guardian Activate conference in London last month, I asked Vint Cerf, an architect of the net and evangelist for Google, about encrypting our communication as a defense against NSA spying. He suggested that communication should be encrypted into and out of internet companies' servers (thwarting, or so we'd hope, the eavesdropping on the net's every bit over telcos' fibre) – but should be decrypted inside the companies' servers so they could bring us added value based on the content: a boarding pass on our phone, a reminder from our calendar, an alert about a story we're following (not to mention a targeted ad).
Now, there are reports that Google is looking at encrypting at least documents stored in Google Drive. That is wise in any case, as often, these can contain users' sensitive company and personal information. I now think Google et al need to go farther and make encryption an option on any information. I don't want encryption to be the default because, in truth, most of my digital life is banal and I'd like to keep getting those handy calendar reminders. But technology companies need to put the option and power of data security directly into users' hands.
That also means that the technology companies have to reach out and work with each other to enable encryption and other protections across their services. I learned the hard way how difficult it is to get simple answers to questions about how to encrypt email. The industry should work hard to make that an option on every popular service.
But let's be clear that encryption is not the solution, probably only a speed bump to the NSA's omnivorous ingesting. At the Activate conference, Cerf was asked whether the solution in the end will be technical or institutional. No doubt, institutional, he answered. That means that companies and government agencies must operate under stated principles and clear laws with open oversight.
Before Snowden's leaks, technology CEOs would have had to balance co-operation and resistance, just as the nation supposedly balances security and privacy. But now, the tide of public opinion has clearly shifted – at least for now– and so this is the moment to grab control of the issue.
If they do not assert that clear control, these technology companies risk losing business– not only from skittish consumers, but also from corporate and foreign-government clients. The Cloud Security Alliance polled companies and found that 10% had canceled US cloud business and 56% were less likely to do business with US providers. "If businesses or governments think they might be spied on," said European Commission Vice President Neelie Kroes, "they will have less reason to trust the cloud, and it will be cloud providers who ultimately miss out."
Besides taking action to secure technology and oversight within their companies and the industry, right-thinking technology companies also need to band together to use their political capital to lobby governments across the world to protect the rights of users and the freedom and sanctity of privacy and speech on the net. They must take bold and open stands.
To do that, they must first decide on the principles they should protect. In my book Public Parts, I proposed some principles to discuss, among them:
• the idea that if any bit on the net is stopped or detoured – or spied upon – then no bit and the net itself cannot be presumed to be free;
• that the net must remain open and distributed, commandeered and corrupted by no government;
• that citizens have a right to speak, assemble, and act online and thus have a right to connect without fear;
• that privacy is an ethic of knowing someone else's information and coming by it openly;
• and that government must become transparent by default and secret by necessity (there are necessary secrets). Edward Snowden has shown us all too clearly that the opposite is now true.
I also believe that we must see a discussion of principles and ethics from the technologists inside these companies. One reason I have given Google the benefit of the doubt – besides being an admirer– is that I believe the engineers I know inside Google would not stay if they saw it violating their ethics, even if under government order.
Yonathan Zunger, the chief architect of Google+, said this after the Guardian's and Glenn Greenwald's first revelations were published:
I can tell you that it is a point of pride, both for the company and for many of us, personally, that we stand up to governments that demand people's information … I can categorically state that nothing resembling the mass surveillance of individuals by governments within our systems has ever crossed my plate. If it had, even if I couldn't talk about it, in all likelihood I would no longer be working at Google.
In the end, it's neither technologies nor institutions that will secure us from the inexorable overreach of government curiosity in the face of technical capability. Responsibility for oversight and correction begins with individuals, whether whistleblowers or renegade politicians or employees of conscience who finally remind those in power:
Don't be evil.