Freedom Act Leaves IT Sector at Risk for Spy Program Costs
If passed, Sen. Leahy's USA Freedom Act would curb NSA activities. However, there is a significant amount of unfinished business in the area of federal IT surveillance reform, according to BSA's Tim Molino. "We need to enact meaningful policy reforms that restore trust and confidence in the underpinnings of the digital economy," he said, and implementing such changes should be prioritized.
08/14/14 7:11 AM PT
A recent proposal in the U.S. Senate to curb the impact of electronic surveillance conducted by the National Security Agency could enhance privacy for citizens and benefit businesses as well. However, major information technology companies that help the government collect telecom and Internet data still will be vulnerable to the substantial costs of working with the NSA, even if the proposed bill becomes law.
The Senate initiative, called the "USA Freedom Act," was introduced by Sen. Patrick Leahy, D-Vt., on July 29. The bill significantly revamps and enhances a measure of the same name that earlier gained approval in the U.S. House of Representatives.
However, revelations about the role of U.S. information technology providers supporting the NSA program already have taken a financial toll on these companies, and the Senate bill does not go far enough in protecting them from substantial further harm, according to a recent report.
"We are looking at billions of dollars of potential losses for U.S. companies as individuals, businesses, and foreign governments turn away from American companies because of concerns about NSA's surveillance programs," Danielle Kehl, a policy analyst at the Open Technology Institute (OTI), told the E-Commerce Times.
"For example, Servint, a Virginia-based Web-hosting company, reported in June that its international business has been cut in half in the past year, and both Boeing and Verizon lost contracts with foreign governments as part of the backlash," Kehl said.
Referring to disclosures about NSA's program by former government contractor Edward Snowden, Rep. Robert Goodlatte, R-Va., said "last year's national security leaks have also had a commercial and financial impact on American technology companies that have provided these records."
U.S. companies "have experienced backlash from both American and foreign consumers and have had their competitive standing in the global marketplace damaged," said Goodlatte, who chairs the House Judiciary Committee.
Loss of Trust Could Be Costly
OTI, an affiliate of the New America Foundation, in July issued a report that outlines the financial and market impact of the NSA surveillance program, stemming from the lack of trust in U.S.-based companies that provide data collection services to NSA.
Citing reports from the Information Technology and Information Institute, the R-Street Foundation, and Forrester, OTI presented cost estimates ranging from US$22 billion to $180 billion over the next three years to U.S. cloud industry providers alone.
"Without meaningful government reform and better oversight, concerns about the breadth of NSA surveillance could lead to permanent shifts in the global technology market and do lasting damage to the U.S. economy," the report says.
The Leahy bill is simply a starting point for broader reforms that could reduce the commercial backlash against the IT sector, said OTI, which endorsed the bill, as did several tech sector trade groups.
"This legislation is an important step toward restoring public trust in the underpinnings of the digital economy," said Victoria Espinel, president of the Business Software Alliance (BSA).
"It significantly improves privacy protections for the public by ending bulk collection of telephone and Internet metadata, improving transparency, and allowing for greater oversight when the government accesses personal data for national security purposes," she added.
The bill "provides meaningful reform of the U.S. surveillance laws," noted Ken Wasch, president of the Software and Information Industry Association (SIIA), who urged Congress to "act in an expeditious, bipartisan manner to enact it."
Among the chief provisions of the bill:
- Prohibits the bulk collection of phone and Internet data by requiring the government to narrowly limit the scope of its collection, and makes clear that the government may not collect all information relating to a particular service provider or to a broad geographic region, such as a city, ZIP code or area code;
- Replaces bulk collection with a provision that allows "two hops of call data" on a daily basis, if the government can demonstrate sufficient connection to a foreign terrorist organization;
- Requires the government to provide reports on the collection of data from individuals;
- Allows private companies four options for reporting public information about the number of Foreign Intelligence Surveillance Act orders and national security letters they receive.
Tech Sector Risk Remains
Tech companies are still vulnerable to financial and market setbacks for surveillance services they provide to NSA that are not covered by the Leahy proposal. One element beyond the scope of the Leahy bill is a section of FISA known as "702," which authorizes the collection of electronic communications, including telephone calls and emails, when the target is reasonably believed to be a non-U.S. person located outside the United States.
Another mechanism that needs attention is a 1981 executive order, which OTI claims "is the authority under which the bulk of the NSA's surveillance occurs." The order allows the collection of content information as well as metadata.
Loss of market share is a direct and obvious cost to the U.S. tech companies that are commercially penalized for their surveillance assistance to NSA -- but indirect costs also are involved.
Such costs are "very likely, particularly based on what we know about how the NSA is trying to weaken Internet security to make spying easier," said Kehl.
"For example, we learned that NSA has a program where it tries to leverage private relationships with companies to convince them to insert 'back doors' into their products -- which would add complexity to the software development process and could require devoting additional resources to meet the NSA's request," she added.
The back door technique involves the use of indirect person identifiers -- similar to using a reverse white pages telephone directory. Such tools enable NSA to sweep up information on U.S. citizens while conducting investigations of foreign persons, according to the Electronic Freedom Foundation.
More Reform Is Needed
There is a significant amount of unfinished business in the area of reforming federal IT surveillance operations, but implementing such changes should be prioritized, said Tim Molino, director of government relations at BSA.
"We need to enact meaningful policy reforms that restore trust and confidence in the underpinnings of the digital economy," he told the E-Commerce Times.
"The intelligence community has a legitimate need to use these authorities in a narrowly tailored way, and the purpose of the USA Freedom Act is to provide assurance that they won't be misinterpreted or misused," Molino pointed out. "Once these reforms are enacted, Congress should turn its attention to Section 702 and other reforms that can help restore public trust and confidence over the long term."
The need to work out the proper relationship of IT companies with governments conducting legitimate surveillance activities goes beyond the U.S., according to David LeDuc, senior director for public policy at SIIA.
Beyond the Leahy proposal, "we are not seeking any further changes to U.S. surveillance laws," he told the E-Commerce Times.
"However, since introducing a set of global principles in January, SIIA has been calling for enhanced multinational dialogue among all governments engaged in surveillance activities," LeDuc noted.
"While reform of U.S. surveillance laws is a critical step," he acknowledged, "it is only one step at a time when governments around the world have strong national security interests and are seeking to effectively balance those interests with critical privacy protections."