National Security

The Surveillance State Strikes Back

Why Edward Snowden just might turn out to be Big Brother's best friend.

When former National Security Agency contractor Ed Snowden exposed the inner workings of the country's biggest intelligence organization, he said he did so to roll back a spying apparatus that put the United States on the path to "turnkey tyranny."

But his revelations could end up having the opposite effect. Instead of declawing a single surveillance state, Snowden's leaks could ironically wind up enhancing government spying around the globe.

According to experts who are advising U.S. email, cloud data storage, and social media companies, executives are concerned that foreign governments -- particularly ones with fewer protections for personal privacy and free speech -- are already beginning to demand that U.S. tech companies relocate their servers and databases within their borders. Under normal circumstances, companies would rarely comply with those migration demands, especially if those countries have reputations for heavy-handed internal policing. But now that the United States is being seen as a global spying power, they may have little choice.

Other governments can make their relocation demands in the name of protecting citizens from the intrusive powers of the NSA. Then those regimes can use U.S. tech to make their own law enforcement and intelligence agencies more NSA-like.

"Despite Snowden's sensational revelations, data will not be better protected outside the U.S. in countries where privacy is aspirational at best," said Al Gidari, a lawyer with the firm Perkins Coie who represents companies on surveillance and communications law. "Data stored locally will be the fuel for corruption, abuse and repression in most of those countries, especially in those countries that are complaining the loudest about U.S. surveillance activities."

This week, Brazil's communications minister said that Internet service providers may now be required to store information locally following reports that NSA has spied on communications in Brazil and across Latin America.

"The ideal thing would be for these companies to keep their data in the country so it can be available should Brazil's justice system request it," Paulo Bernardo Silva said in an interview with a Brazilian newspaper. Silva described local control of data as a matter of national sovereignty.

Companies that provide cloud computing services are facing particular scrutiny abroad. Their business is to store large amounts of sensitive information about foreign individuals and companies on servers that are located in United States. And there is a growing perception that this infrastructure is firmly within the grip of the U.S. intelligence agencies, several experts said. That impression is not diminished when U.S. officials, attempting to mollify domestic critics, argue that the NSA is only interested in monitoring foreigners.

Over the past few years, overseas governments have increased pressure on marquee technology companies to hand over more data about their customers and to comply with official orders that would be deemed unconstitutional in the United States.

In 2011, Research In Motion, maker of the BlackBerry, gave the government of India access to its consumer and messaging services, in response to authorities' concerns that they would not be able to monitor criminals and other threats communicating over the company's networks. Officials had threatened to cut off access to the company's services inside their country if RIM didn't comply. The company ultimately agreed to allow India's security agencies to intercept emails and other messages.

Last year, the Google executive in charge of the company's business operations in Brazil was arrested after the company failed to comply with a government order to remove YouTube videos critical of a local mayoral candidate. Google, which owns YouTube, said it wasn't responsible for the content that users post to the video sharing network.

It wasn't the first time the company had run up against aggressive policing of information that would be protected under the First Amendment in the United States. In 2011, Google removed profiles from its Orkut social-networking system after a court order deemed them politically offensive. And another order told the company to take down thousands of photos from one of its sharing sites.

U.S. companies are required to abide by the surveillance laws in whatever country they operate. But under legal assistance treaties, foreign governments usually funnel their requests through official channels, and U.S. authorities deliver the requests to the American companies. That slows down the surveillance machine in those countries, and they've been looking for ways to speed up that process.  

Brazil may prove an early test case for the Snowden blowback effect. According to a report in the Brazilian newspaper Folha, the government will present a "formal condemnation of U.S. data collection techniques" to the United Nations Human Rights Council at its next meeting on September 9, in Geneva. Brazil has apparently had little luck attracting supporters to its attempt to politically embarrass the U.S. government -- only seven other countries on the 47-member commission have signed on.

But new information about NSA spying, disclosed by the director of the agency himself, may add some momentum to Brazil's efforts. At the Aspen Security Conference, Gen. Keith Alexander tipped his hand and revealed that the NSA is obtaining a huge amount of communications traffic from cables that come ashore in Brazil.

Brazil is in the espionage business, too, of course, as are most countries. But the NSA revelations have tended to obscure the obvious hypocrisy in one nation feigning outrage that another country is spying on it. In an interview with Folha, Brazilian Defense Minister Celso Amorim acknowledged that his fellow countrymen could be spied on via their connections to foreign social networks. (The implication was those in the United States.) But he said there was no evidence that the Brazilian government was using such a scheme to monitor its own citizens.

"What is known is more about the U.S. agencies," Celso said. "To my knowledge, nothing has come out about the Brazilian agencies. But Brazilians can be [monitored], yes. It is speculation."

Celso added that on two occasions, he believed his communications had been monitored by the United States, including while he lived in the country as Brazil's ambassador to the United Nations. "I was responsible for three committees on the issue of Iraq. My phone started making a very strange noise, and when the commission on Iraq ended, the noise did too. There was an obvious focus then."

U.S. technology companies' reputations are also taking hits in Europe. Vivane Reding, the European Union's Justice Minister, is reviewing the Safe Harbor Framework, which is intended to support transatlantic trade while also protecting European citizens' privacy. Redding has said the agreement could be used as a "loophole" to allow the transfer of personal data to the United States from European countries where privacy rules are stronger.

Companies based in Europe also believe that the NSA scandal could be a financial boon for them. Customers may start moving their data to facilities located in countries with stricter privacy regulations -- and away from American-based firms. "There's a perception, even if unfounded, that U.S. privacy protections are insufficient to protect the data which is stored either on U.S. soil or with U.S. companies," Justin Freeman, the corporate counsel for cloud computing provider Rackspace, told a House committee last year.

Snowden's revelations have cracked whatever veneer of deniability U.S. companies had that they weren't providing foreigners' personal data to American intelligence agencies. And considering that Congress this week put its stamp of approval on a key element of the NSA's surveillance architecture, companies may find it harder to persuade their foreign customers that the U.S. is still a safe place to keep their information.

But there may be a way, however unlikely, for U.S. companies to repair their international standing and keep their customers' information away from the NSA: They could move their own infrastructure overseas or become acquired by majority foreign owners.

According to a report in the Wall Street Journal, the wireless division of Verizon and T-Mobile have not been part of the spy agency's data collection regime because they're tied to foreign owners. Deutsche Telekom, of Germany, owns 74 percent of T-Mobile, and Vodafone Group, of the United Kingdom, owns 45 percent of Verizon Wireless in a joint-venture with its parent company.

Germany and England may seem a long way to go to relocate a business. But it could keep companies further from the long arm of the NSA.

Google

Report

The Supreme Court May Be the Best Hope to Stop the NSA

Congress couldn't draw back the surveillance dragnet. But the justices might.

Now that the House of Representatives has voted down an amendment that would have significantly restricted what information the National Security Agency can collect about Americans, the best hope of curtailing the spy agency's powers lies with the courts. And while NSA critics have failed to rein in the eavesdropping agency through legislative action, they may have more luck with the third branch of government -- thanks to a leaked classified document, a rare bit of good fortune for a leading civil liberties group, and a sympathetic justice of the Supreme Court.

The fact that more than 200 lawmakers voted against a key NSA collection program, and one authorized by the long-controversial Patriot Act, represents a victory of sorts for surveillance critics. There has rarely been such a pronounced opposition to surveillance authorities, and the fact that the Obama administration had to mount a full court press to preserve the program, and still only eked out a narrow win, may give opponents some hope that a legislative effort could be mounted again with a different result. But there is no clear next step legislatively. No bill or amendment on the table. Yet there is a path forward on the judicial front.

Challenges to the NSA's surveillance programs have historically failed in large part because no one has been able to prove he had his communications scooped up in the agency's electronic dragnets. That information is an official secret. The American Civil Liberties Union, one of the most stalwart opponents of the NSA's broad surveillance authorities, failed to challenge the agency's operations in the Supreme Court because of this Catch-22. It couldn't prove it had been spied upon, even though the government acknowledged -- generally -- that such spying does occur.

But now, classified documents released by the ex-NSA contractor Edward Snowden leave no doubt that at least one telecommunications company, Verizon Business Network Services, has handed over bulk telephone metadata to the NSA under a court order.

The key for a new challenge by the ACLU, which it filed last month, which it filed last month in U.S. District Court, is that it's a customer of Verizon Business Network Services. Not just Verizon, but this particular division of Verizon. This is the closest thing the group has had to a smoking gun, and conceivably it could be sufficient to establish legal standing to bring the lawsuit. The case could end up in the Supreme Court.

But to succeed, the ACLU -- or any challenger -- will have to convince jurists that the long-standing legal treatment of metadata is outdated and needs to be changed.

The NSA's collection of this data is enabled by a 1979 Supreme Court ruling that telephone numbers are not content, and therefore aren't protected by the Fourth Amendment's prohibition on unreasonable searches. A telephone customer willingly hands over his number to the service provider whenever he places a call, and therefore cannot expect that the information is private, the court found.

But at least one justice has indicated it may be time to rethink this analysis, in light of the fact that metadata is not only ubiquitous today, but can be exceptionally revealing of an individual's communications patterns, his social networks, and his movements.

"This approach is ill-suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks," Justice Sonia Sotomayor wrote last year in concurrence with a ruling that said law enforcement agencies must obtain a warrant before placing a GPS tracker on a suspect's car. The question of metadata wasn't before the court, but the balance between privacy and security was.

"I, for one, doubt that people would accept without complaint the warrantless disclosure to the Government of a list of every Web site they had visited in the last week, or month, or year," Sotomayor wrote. "But whatever the societal expectations, they can attain constitutionally protected status only if our Fourth Amendment jurisprudence ceases to treat secrecy as a prerequisite for privacy."

The court may be primed for a reinterpretation of its own rulings on metadata, which can be even more revealing than content. But civil libertarians may not want to pop the champagne too quickly.

In that 2012 GPS case, the court also left the door open to allowing broad surveillance with a different kind of technology: drones.

The police may need a warrant to put a tracking device on a suspect's car. But it's not at all clear that they couldn't watch that individual walking down the street using a camera on a remotely piloted aircraft.

"It may be that achieving the same result through electronic means, without an accompanying trespass, is an unconstitutional invasion of privacy," Justice Antonin Scalia wrote in a majority opinion. But that wasn't the question before the court. The ruling left open the possibility that persistent aerial surveillance of public places may, indeed, be constitutional.

Congress has shown little appetite for clarifying these issues, and has reliably voted to expand, not limit, the surveillance powers of the executive branch. President Barack Obama's position on the issues is not only a continuation of his predecessor's, but a change from the views he held as a candidate.

In the summer of 2008, amid another debate over the proper limits of the NSA's spying powers, then-Sen. Obama voted in favor of a bill to allow the interception of phone calls and emails without individual warrants. He had initially opposed the changes, along with a provision that granted legal immunity to telecommunications companies that participated in government intelligence gathering. But as it became clearer that he would secure the Democratic nomination for president, Obama changed his stance.

"Given the legitimate threats we face, providing effective intelligence collection tools with appropriate safeguards is too important to delay," Obama said at the time, making "a firm pledge that as president, I will carefully monitor the program."

It's not clear how carefully Obama has monitored the NSA, but he and members of his administration have successfully, and vociferously, defended it in Congress. The third branch of the government is now the last, best chance for any attempt to reign in the intelligence agency and change the legal underpinnings of how it operates.

Win McNamee/Getty Images