Personal Privacy Is Only One of the Costs of NSA Surveillance

There is no doubt the integrity of our communications and the privacy of our online activities have been the biggest casualty of the NSA’s unfettered surveillance of our digital lives. But the ongoing revelations of government eavesdropping have had a profound impact on the economy, the security of the internet and the credibility of the […]
ffnsadatacenterf
Photo: Name Withheld; Digital Manipulation: Jesse Lenz

There is no doubt the integrity of our communications and the privacy of our online activities have been the biggest casualty of the NSA's unfettered surveillance of our digital lives. But the ongoing revelations of government eavesdropping have had a profound impact on the economy, the security of the internet and the credibility of the U.S. government's leadership when it comes to online governance.

These are among the many serious costs and consequences the NSA and those who sanctioned its activities---including the White House, the Justice Department and lawmakers like Sen. Dianne Feinstein---apparently have not considered, or acknowledged, according to a report by the New America Foundation's Open Technology Institute.

"Too often, we have discussed the National Security Agency's surveillance programs through the distorting lens of a simplistic 'security versus privacy' narrative," said Danielle Kehl, policy analyst at the Open Technology Institute and primary author of the report. "But if you look closer, the more accurate story is that in the name of security, we're trading away not only privacy, but also the U.S. tech economy, internet openness, America's foreign policy interests and cybersecurity."

Over the last year, documents leaked by NSA whistleblower Edward Snowden, have disclosed numerous NSA spy operations that have gone beyond what many considered acceptable surveillance activity. These included infecting the computers of network administrators working for a Belgian telecom in order to undermine the company's routers and siphon mobile traffic; working with companies to install backdoors in their products or network infrastructure or to devise ways to undermine encryption; intercepting products that U.S. companies send to customers overseas to install spy equipment in them before they reach customers.

The Foundation's report, released today, outlines some of the collateral damage of NSA surveillance in several areas, including:

  • Economic losses to US businesses due to lost sales and declining customer trust.
  • The deterioration of internet security as a result of the NSA stockpiling zero-day vulnerabilities, undermining encryption and installing backdoors in software and hardware products.
  • Undermining the government's credibility and leadership on "internet freedom" and governance issues such as censorship.
Economic Costs to U.S. Business

The economic costs of NSA surveillance can be difficult to gauge, given that it can be hard to know when the erosion of a company's business is due solely to anger over government spying. Sometimes, there is little more than anecdotal evidence to go on. But when the German government, for example, specifically cites NSA surveillance as the reason it canceled a lucrative network contract with Verizon, there is little doubt that U.S. spying policies are having a negative impact on business.

"[T]he ties revealed between foreign intelligence agencies and firms in the wake of the U.S. National Security Agency (NSA) affair show that the German government needs a very high level of security for its critical networks," Germany's Interior Ministry said in a statement over the canceled contract.

Could the German government simply be leveraging the surveillance revelations to get a better contract or to put the US on the defensive in foreign policy negotiations? Sure. That may also be part of the agenda behind data localization proposals in Germany and elsewhere that would force telecoms and internet service providers to route and store the data of their citizens locally, rather than let it pass through the U.S.

But, as the report points out, the Germans have not been alone in making business decisions based on NSA spying. Brazil reportedly scuttled a $4.5 billion fighter jet contract with Boeing and gave it to Saab instead. Sources told Bloomberg News “[t]he NSA problem ruined it” for the US defense contractor.

Governments aren't the only ones shunning US businesses. American firms in the cloud computing sector are feeling the pressure as consumers and corporate clients reconsider using third-party storage companies in the U.S. for their data. Companies like Dropbox and Amazon Web Services reportedly have lost business to overseas competitors like Artmotion, a Swiss hosting provider. The CEO of the European firm reported that within a month after the first revelations of NSA spying went public, his company’s business jumped 45 percent. Similarly, 25 percent of respondents in a survey of 300 British and Canadian businesses earlier this year said they were moving their data outside the US as a result of NSA spying.

The Information Technology and Innovation Foundation has estimated that repercussions from the spying could cost the U.S. cloud computing industry some $22 to $35 billion over the next few years in lost business.

Will the NSA spying revelations have long-term effects? Or will customers return to U.S. companies once the news fades into the background? It's hard to tell.

But German chancellor Angela Merkel has suggested that Europe build a separate permanent internet to keep data local and prevent it from traversing networks the NSA can more easily monitor. Germany also has instituted new data rules that prohibit any company from obtaining a federal contract unless it can guarantee that it will protect data stored in Germany from foreign authorities. These kinds of policies and infrastructure changes tend to remain long after the circumstances that spawned them have passed.

Deterioration of Cybersecurity

Out of all the revelations to come to light in the past year, the most shocking may well be the NSA's persistent campaign to undermine encryption, install backdoors in hardware and software and amass a stockpile of zero-day vulnerabilities and exploits.

“For the past decade, N.S.A. has led an aggressive, multipronged effort to break widely used Internet encryption technologies,” according to a 2010 memo from Government Communications Headquarters, the NSA's counterpart in the UK, leaked by Edward Snowden.

Furthermore, a story from Pro Publica noted, the NSA “actively engages the US and foreign IT industries to covertly influence and/or overtly leverage their commercial products’ designs" to make them more amenable to the NSA's data collection programs and more susceptible to exploitation by the spy agency.

The NSA, with help from the CIA and FBI, also has intercepted network routers from US manufacturers like Cisco to install spy tools before they're shipped to overseas buyers, further undermining customer trust in US companies. Cisco senior vice president Mark Chandler wrote in a company blog post that his and other companies ought to be able to count on the government not interfering "with the lawful delivery of our products in the form in which we have manufactured them. To do otherwise, and to violate legitimate privacy rights of individuals and institutions around the world, undermines confidence in our industry."

All of these activities are at direct odds with the Obama administration's stated goal of securing the internet and critical infrastructure and undermine global trust in the internet and the safety of communications. The actions are particularly troubling because the insertion of backdoors and vulnerabilities in systems doesn't just undermine them for exploitation by the NSA but makes them more susceptible for exploitation by other governments as well as by criminal hackers.

"The existence of these programs, in addition to undermining confidence in the internet industry, creates real security concerns," the authors of the report note.

Undermining U.S. Support for Internet Freedom

Finally, the NSA's spying activities have greatly undermined the government's policies in support of internet freedom around the world and its work in advocating for freedom of expression and combating censorship and oppression.

“As the birthplace for so many of these technologies, including the internet itself, we have a responsibility to see them used for good," then-Secretary of State Hillary Clinton said in a 2010 speech launching a campaign in support of internet freedom. But while "the US government promotes free expression abroad and aims to prevent repressive governments from monitoring and censoring their citizens," the New American report notes, it is "simultaneously supporting domestic laws that authorize surveillance and bulk data collection." The widespread collection of data, which has a chilling effect on freedom of expression, is precisely the kind of activity for which the U.S. condemns other countries.

This hypocrisy has opened a door for repressive regimes to question the US role in internet governance bodies and has allowed them to argue in favor of their own governments having greater control over the internet. At the UN Human Rights Council in September 2013, the report notes, a representative from Pakistan---speaking on behalf of Cuba, Iran, China and other countries---said the surveillance programs highlighted the need for their nations to have a greater role in governing the internet.

The report makes a number of recommendations to address the problems the NSA's spying has created. These include strengthening privacy protections for Americans and non-Americans, developing clear policies about whether and under what legal standards it is permissible for the government to secretly install malware on a computer or network, and working to restore trust encryption systems and standards.