Laura Donohue, High Technology, Consumer Privacy, and U.S. National Security

4 Am. U. Bus. L. Rev. 11-48 (2015)

Abstract:

“Documents released over the past year detailing the National Security Agency’s (“NSA”) telephony metadata collection program and interception of international content under the Foreign Intelligence Surveillance Act (FISA) implicated U.S. high technology companies in government surveillance. The result was an immediate, and detrimental, impact on U.S. corporations, the economy, and U.S. national security.

The first Snowden documents, printed on June 5, 2013, revealed that the government had served orders on Verizon, directing the company to turn over telephony metadata under Section 215 of the USA PATRIOT Act. The following day, The Guardian published classified slides detailing how the NSA had intercepted international content under Section 702 of the FISA Amendments Act. The type of information obtained ranged from E-mail, video and voice chat, videos, photos, and stored data, to Voice over Internet Protocol, file transfers, video conferencing, notifications of target activity, and online social networking. The companies involved read like a who’s who of U.S. Internet giants: Microsoft, Yahoo, Google, Facebook, PalTalk, YouTube, Skype, AOL, and Apple.

More articles highlighting the extent to which the NSA had become embedded in the U.S. high tech industry followed. In September 2013 ProPublica and the New York Times revealed that the NSA had enjoyed considerable success in cracking commonly used cryptography. The following month the Washington Post reported that the NSA, without the consent of the companies involved, had obtained millions of customers’ address book data. In one day alone, some 444,743 email addresses from Yahoo, 105,068 from Hotmail, 82,857 from Facebook, 33,697 from Gmail, and 22,881 from other providers.

The extent of upstream collection stunned the public, as did slides demonstrating how the NSA had bypassed the companies’ encryption, intercepting data as it transferred between the public Internet and the Google cloud. Documents further suggested that the NSA had helped to promote encryption standards for which it already held the key or whose vulnerabilities the agency understood but had not taken steps to address.

Beyond this, press reports indicated that the NSA had at times posed as U.S. companies—without their knowledge—in order to gain access to foreign targets. In November 2013 Der Spiegel reported that the NSA and the United Kingdom’s Government Communications Headquarters (“GCHQ”) had created bogus versions of Slashdot and LinkedIn, so that when employees from the telecommunications firm Belgacom tried to access the sites from corporate computers, their requests were diverted to the replica sites that then injected malware into their machines.

As a result of the growing public awareness of these programs, U.S. companies have lost revenues, even as non-U.S. firms have benefited. In addition, numerous countries, concerned about consumer privacy as well as the penetration of U.S. surveillance efforts in the economic and political spheres, have accelerated data localization initiatives, begun restricting U.S. companies’ access to local markets, and introduced new privacy protections, with implications for the future of Internet governance and U.S. economic growth. These effects raise attendant concerns about U.S. national security.

It could be argued that some of these effects, such as data localization initiatives, are merely opportunistic—i.e., other countries are merely using the NSA revelations to advance national commercial and political interests. Even if true, however, the NSA programs provide other countries with an opportunity. They have weakened the U.S. hand in the international arena.

Congress has the ability to redress the current situation. First, and most importantly, reform of the Foreign Intelligence Surveillance Act would provide for greater restrictions on NSA surveillance. Second, new domestic legislation could extend better protections to consumer privacy. These shifts would allow U.S. industry legitimately to claim a change in circumstance, which would help them to gain competitive ground. Third, the integration of economic concerns at a programmatic level within the national security infrastructure would help to ensure that economic matters remain central to national security determinations in the future.”

The full text is available at http://scholarship.law.georgetown.edu/facpub/1457/