Credit: Reuters/Jason Lee
For many of us, Edward Snowden is a hero, a whistleblower who could not be silent about a government abusing citizens' rights, even in the name of a good cause like fighting terrorists -- especially when they apparently included the leaders of Germany and Brazil, former girlfriends and boyfriends of NSA employees, and anyone using encryption or the Internet. Whether or not you believe the former National Securirty Agency contractor is a criminal leaker of necessary police tactics, you have to admit that his revelations have changed the digital context we operate in, and they may change our expectations for it.
That's because we know now that all communication is subject to monitoring, both with and without providers' complicity and even when thought to be protected -- and it's not just the Chinese seeking access to corporate neworks. Our government does it or enlists allies to do it so as to get around pesky laws. These allies in turn use us the same way.
The truth is that Snowden's revelations will have both positive and negative consequences, as they unmask the true accessibility of digital communications and services, and how they're used for purposes we didn't really know. The period of pretense is over.
On the positive side, the citizens of the United States and Europe at least have a chance at an open dialog about what sort of government spying -- and to what degree -- is reasonable in the name of combating crime and terrorism, a debate that has been kept behind closed doors since those terrible days of the 9/11 attacks. (A federal court ruled on Dec. 16 that spying involving the mass collection of phone records, at least, is not reasonable or even constitutional.)
On the negative side, the arms race among technologists to strengthen encryption will protect not only the privacy of individual citizens and businesses, it will give criminals and terrorists more safe space in which to operate. The focus on the efforts of governments to spy on people and businesses may distract people from the extensive spying built into many companies' offerings, such as those involving credit cards, online shopping, cloud services, and social networking -- for which there are few rules and little accountability, much less redress for mistakes. There are no congressional oversight committees for Google, Experian, Amazon.com, and so on; there's little appetite for "strong government"; and as the financial meltdown showed, any justice for wrongdoing is long delayed and often weak.
Awareness is the first step for change, and thanks to Snowden we now have that. Some in Congress are beginning to ask questions, judges not sitting in secret courts are finally being asked to weigh in, and even Silicon Valley -- which owes much of its existence to military and spy-agency funding -- is beginning to wonder if its silent partnership with the government to facilitate spying has gone too far. After all, many American tech and telecom companies have blasted China's Huawei and ZTE for being a backdoor conduit for the Chinese government, only to be exposed as doing the same for the U.S. government; European companies such as BT also have been shown equally complicit with their governments in opening their records to mass analysis.
Your own government is an advanced persistent threat
Right after Snowden's revelations about the NSA's PRISM program, we saw clues that the brouhaha over data security was causing American cloud providers to lose business, but six months later there are signs that's not happening. It makes sense, because cloud providers in any country are likely to be spied on -- willingly or not -- by their own government. Thanks to Snowden, we've learned that the United States, Great Britain, Canada, New Zealand, and Australia all spy on each other and exchange the results, bypassing laws about spying on their own citizens and companies. Although the relationships aren't quite as cozy, France, Germany, Israel, Saudi Arabia, Jordan, Turkey, Japan, and other countries work closely with us and each other to share their findings. In other words, it doesn't matter where the cloud provider operates; it will be spied on and its data shared.
The same is true for any company that matters; the NSA and others are spying on their networks. Yes, the focus of the Snowden revelations has been about spying on individuals' communication patterns -- even in virtual worlds -- to determine who should get more deeply spied on (their calls, emails, chats, and other content examined). But the spying clearly includes industrial and political espionage, as Snowden's revelations around U.S. spying on European leaders and the United Nations showed. You just know it's also happening to corporations. As NSA chief Keith Alexander told CBS's "60 Minutes" program on Dec. 15, the NSA spies on whomever the FBI, CIA, and others ask it to.
In other words, to use the words of Microsoft's chief lawyer, the federal government -- or a proxy government -- is an advanced persistent threat in your network. That surely should cause a rethink of corporate security and data management, especially for companies that operate in multiple nations and could be used as inadvertent pawns in the secret cyber wars being waged.