Five months into the deluge of leaked documents from Edward Snowden, the Washington Post reported that the NSA was tapping into Google and Yahoo’s fiber overseas. That disclosure – perhaps more than any save the revelation that NSA works to weaken encryption standards to make its job easier – may be the signature Snowden story going forward. How will an increasingly adversarial relationship between Google and the U.S. government play out? How will America’s place in the world change given that adversarial relationship? Will those claiming to oversee the NSA start to address the legal issues raised by its data grabs overseas?
As Julian Sanchez laid out, the main disclosures affecting Americans domestically – the phone dragnet, authorized under Section 215 of the USA-PATRIOT Act, and the content collection, including unwarranted back door searches on content from U.S. persons, under Section 702 of the FISA Amendments Act – are only now leading to badly diluted reform of just the phone dragnet. It is even possible that this reform will lead more Americans’ phone records to be scrutinized, in part because more phone records will be included among the chaining, in part because the bill permits chaining on “connections” in addition to actual calls.
And aside from the President’s weak and unenforceable promises to limit spying on foreigners, there has been no consideration of protections for those overseas.
This leaves one central drama to play out, in which Google and other tech companies (and to a much lesser extent, a few telecoms) begin to push back against the NSA’s overreach. It’s not just that U.S. cloud (and other tech) companies stand to lose billions as their clients choose to store data locally rather than expose it easily to the NSA. It’s also that the NSA violated several aspects of the deal the Executive Branch made six years ago with the passage of the FISA Amendments Act (FAA), Section 702 of which authorizes the PRISM program and domestic upstream collection.
Congress passed the FISA Amendments Act several years after the New York Times’ exposure of the illegal wiretap program, ostensibly to address a technical problem used to justify that program. Technology had changed since the analog and radio world in place when FISA was first passed in 1978. Now, much of the world’s communications – including those of extremists who were targeting America – were sitting in Google’s and Yahoo’s and Microsoft’s servers within the United States. So Congress authorized the NSA to conduct collection inside the United States on targets located outside of the country (which swept up those who communicated with those targets, wherever they were located). In exchange, the government and its supporters promised, it would extend protections to Americans who were overseas.
Yahoo and Google played by the rules, as the PRISM slide released last June revealed. The data of both Yahoo and Google have been readily available for any of the broad uses permitted by the law since January 2009. Yet, in spite of the fact that the NSA has a legal way to obtain this Internet data inside the United States using PRISM, the government also broke in to steal from Yahoo and Google fiber overseas.
That’s an important implication of Sanchez’ point that “modern communications networks obliterate many of the assumptions about the importance of geography.” American tech companies now store data overseas, as well as in the United States. Americans’ data is mixed in with foreigners’ data overseas. Many of the more stunning programs described by Snowden’s documents – the collection of 5 billion records a day showing cell location, NSA partner GCHQ’s collection of millions of people’s intimate webcam images, and, of course, the theft of data from Google and Yahoo’s servers – may suck up Americans’ records too.
Plus there’s evidence the NSA is accessing U.S. person data overseas. The agency permits specially trained analysts to conduct Internet metadata contact chaining including the records of Americans from data collected overseas. And in a Senate Intelligence Committee hearing earlier this year, Colorado Senator Mark Udall asked hypothetically what would happen with a “a vast trove of U.S. person information” collected overseas; the answer was such data would not get FISA protection (California Senator Dianne Feinstein, the Intelligence Committee Chair, asked an even more oblique question on the topic).
Udall and Feinstein’s questions show that a lot of this spying does not undergo the oversight Benjamin Wittes and Carrie Cordero point to. Last year, Feinstein admitted her committee gets less reporting on such spying. Even for programs overseen by FISA, the NSA has consistently refused to provide even its oversight committees and the FISA Court real numbers on how many Americans get sucked into various NSA dragnets.
Moreover, the government’s threat to tech companies exists not just overseas. When a group of tech companies withdrew their support for the USA Freedom Act, they argued the bill could permit the resumption of bulk collection of Internet users’ data domestically. In the past, that has always meant telecoms copying Internet metadata at telecom switches, another outside entity compromising tech companies’ services. As with the data stolen overseas, Internet metadata is available to the government legally under PRISM.
In response to the news that the government at times bypasses the legal means it has to access Google’s clients’ data, the tech giant and others have found new ways to protect their customers. That consists of the new encryption Sanchez described – both of that fiber compromised overseas and of emails sent using Google – but also the right to publish how much data the government collects. Even within the criminal context, tech companies (including telecoms Verizon and AT&T) are challenging the U.S. government’s efforts to use tech companies’ presence in the United States to get easy access to customers’ data overseas.
The conflict between Google and its home country embodies another trend that has accelerated since the start of the Snowden leaks. As the President of the Computer & Communications Industry Association, Edward Black, testified before the Senate last year, the disclosure of NSA overreach did not just damage some of America’s most successful companies, it also undermined the key role the Internet plays in America’s soft power projection around the world: as the leader in Internet governance, and as the forum for open speech and exchange once associated so positively with the United States.
The U.S. response to Snowden’s leaks has, to a significant degree, been to double down on hard power, on the imperative to “collect it all” and the insistence that the best cyberdefense is an aggressive cyberoffense. While President Obama paid lip service to stopping short of spying “because we can,” the Executive Branch has refused to do anything – especially legislatively – that would impose real controls on the surveillance system that undergirds raw power.
And that will likely bring additional costs, not just to America’s economic position in the world, but in the need to invest in programs to maintain that raw power advantage. Particularly given the paltry results the NSA has to show for its domestic phone dragnet – the single Somali taxi driver donating to al-Shabaab that Sanchez described. It’s not clear that the additional costs from doubling down on hard power bring the United States any greater security.
Google and the rest of the tech industry probably will continue to be – but should not be – the leading edge of the response to the NSA’s spying. As Sanchez noted, Google’s strategy is largely the same as the NSA’s, to collect vast amount of data on its users; Google only intends to keep its customers’ data private from others, not from its own use. Moreover, Google will continue to keep its data in a relatively centralized location, concentrating the benefits and risks of big data.
But Google and other tech companies will lead the response, both in potentially providing enough heft to make legislative changes, but also in the only response that can ensure greater privacy: to raise the costs on the NSA’s spying by encrypting data, whether via a company like Google, or individually.