Security

Roundup: IT pros debate impact of tech alliance for NSA reform

TechRepublic's roundtable of IT experts share thoughts on NSA reform in light of the newly formed Global Government Surveillance Reform alliance of eight leading technology companies.

snowden.jpeg

Privacy issues and the freedom of the people are at the helm of the push for National Security Agency (NSA) reform. Eight companies – Google, Apple, Facebook, Twitter, AOL, Microsoft, Yahoo and LinkedIn – have formed the Global Government Surveillance Reform group. As reported on ZDNet, these companies, usually fierce competitors, have banded together and formally requested "wide-scale changes" to the NSA regime after the U.S. government's spying programs were brought to light by former NSA contractor Edward Snowden.

govt reform image.jpg

As TechRepublic's Global Editor in Chief Jason Hiner reported on ZDNet, the technology story likely to have the biggest long-term impact is the Snowden revelations of the startling NSA digital surveillance programs. 

Opinions vary among tech and business professionals vary on the potential for reform. TechRepublic talked to several IT experts and technology journalists to find out more on the impact, with the discussion touching upon subjects including the cloud, data security and enterprise scrutiny.

Participating in the TechRepublic roundtable were:

  • Jason Hiner, global editor in chief for TechRepublic
  • Mary Shacklett, president of Transworld Data and frequent contributor to TechRepublic
  • Patrick Gray,  Technology Strategy consultant at a large global firm and frequent contributor to TechRepublic
  • Michael P. Kassner, technology writer and frequent contributor to TechRepublic
  • Ethan Oberman, CEO and founder of SpiderOak
  • Eric Dynowski, CEO and co-founder of Turing Group
  • Stephen Cobb, Senior Security Researcher, ESET North America

Hiner: "I appreciate the fact that these eight companies have come together to stand up for the rights of citizens and warn against the dangers of over-reaching surveillance programs. Kudos to them for their spirit of unity in this. It's also important to remember that the actions of the U.S. government have hurt the global credibility and competitiveness of these U.S. companies since there's now a perception that the NSA has easier access to them and their customer data. This has the potential to hurt their business, especially with international companies, organizations, and governments. So, this move is also about them trying to recover some reputation points."

Shacklett: "The ‘trust' impact of what appears to be over-reaching government surveillance on major technology purveyers like Microsoft, Google, and others can submit these companies to increased consumer and enterprise scrutiny - especially when surveillance issues are combined with reliability and outage issues that these cloud service providers are already contending with at a time when more enterprises would like to move to the cloud. Naturally, these same companies would be concerned about a potential over-reaching of surveillance. They also have a responsibility to their clients to protect the data that is entrusted to them.

On the enterprise side of the surveillance discussion, there are other challenges in the area of governance. How long do you retain your data? What levels of guarantee can you provide your customers, your auditors and your examiners that the data is protected?

Finally, there are the insurers. How far will they be willing to go to indemnify companies and pay claims from clients when data protections are breached that enterprises and cloud providers have no control over?" 

Gray: "This is a challenging issue for businesses on a couple of levels. First of all, much of the surveillance from organizations like the NSA was extra legal, at least in the U.S. This begs the question that if the NSA skirted the law, what will passing more laws accomplish? The second challenge is that the companies like Google and Facebook pushing for surveillance reform use many similar (or in some cases the same) technologies to gather data and behavioral patterns about their customers. Rather than purportedly looking for terrorists, they're looking for marketing and revenue opportunities by gathering this information. Can these companies express indignation at various governments when they're performing similar activities for arguably less noble reasons?

At the individual professional level, I've already noticed clients are asking about privacy and data security more frequently than they used to. Cloud computing used to be seen as a low-risk opportunity for many companies, and NSA surveillance has now put a damper on the enthusiasm many in IT had about the cloud. Some countries are even generating legislation forcing companies to keep data geographically local, potentially undoing years of data center consolidation and globalized IT infrastructure. These are interesting and complex topics IT and business professionals will need to consider and address.

On a personal level, I find the NSA's activities abhorrent, and as a citizen of the U.S., anathema to the principles that have shaped this country. I'm personally not willing to tolerate extensive surveillance and violations of privacy, even if lives might be saved. As citizens, it's worth considering how you feel about these policies, and what level of freedom you're willing to exchange for assurances of safety. I don't believe the Googles and Facebooks of the world will be able to fundamentally reshape these policies, rather it will be citizens demanding change or allowing these activities to continue by turning a blind eye."

Kassner: "When asked for my opinion on how the Global Government Surveillance Reform initiative will affect tech and business professionals; the first thing that came to mind was trust. Do you trust that governments are doing the right thing to protect their citizens? Do you trust the companies wanting reform, to have the interest of their members, and those who use their services first and foremost?

The Electronic Frontier Foundation, an organization concerned about citizens and our digital rights, considers this to be a good thing: ‘This is a victory for users—with the companies taking a giant step forward in supporting their customers' rights.'

As for me, it's a start. Hopefully, something becomes of it."

Oberman: "Post-Snowden, these collective companies have to rebuild trust with not just U.S. citizens, but users around the world. This reestablishment of trust is critical to maintaining continued growth based on the business model of monetizing collected data. It is not surprising that they are doing whatever they can to now show fight for their users. Whereas they have a bit less leverage than had they spoken out prior to being complicit, banding together to impact change is an important move, and there is no downside by doing so."

Dynowski: "Companies using the cloud and concerned about government snooping should first determine what cloud means to them. If the cloud means Gmail, Basecamp or Office 365, then they have cause to be concerned about government snooping. When a company uses these kinds of services, they are inherently giving the provider access to their information. However, this does not mean that the government accessing a company's private data is inevitable. 

However, if cloud computing means a company is using Amazon Web Services, Rackspace, GoGrid, Azure or Google, then there are viable options for ensuring privacy from the government in the cloud.

Think about data security from the ground up. It's up to the company to build an app or product that's already safe from government surveillance.

In addition to designing with security in mind, there are several ways a company can keep their information safe in the cloud. First, data in transit should always, always be encrypted. This avoids issues of wire and fiber taps. Similarly data not in transit and stored on cloud provider storage should also be stored using encryption. This avoids issues with requests a government might make of your cloud provider.

Hire a security audit firm to review your current operations and identify data leakage. And, most importantly, create a formal policy that describes the fact you store and transmit data in a way that is secure from prying eyes. This will give you legal ground to explain yourself.

If a company is extra concerned, then they can encrypt data in a way that only their clients can decrypt it. Then even if they demand data, the company can say they don't have access to it."

Cobb: "Technology and business professionals who have been increasingly concerned about excessive government surveillance will welcome this initiative for the way it legitimizes those concerns, and supports efforts to address them. We already know this initiative makes economic sense for the companies behind it. Our survey of 360 American adults in September found that 74 percent of them said they would admire a company, ‘that took a stand against unlimited government access to my personal information.' That's the good news for tech companies and their employees. The bad news? The same survey also found that, even before we heard about the NSA taps on data centers used by Google and Yahoo, a solid 50 percent of people already said they were ‘now less trusting of technology companies, such as Internet service providers and software companies.'

With one in five people doing less online banking in the wake of the Snowden revelations, and a similar number saying they were now less inclined to use email, the implication for tech and business professionals is clear. We need to be seen doing something to rein in nation state surveillance before the Internet economy experiences its first-ever recession. This new initiative looks like a good step in the right direction."

About

Teena Maddox is a Senior Editor at TechRepublic. She's an award-winning journalist and specializes in business and lifestyle features. She has also worked at People magazine, W magazine and Women's Wear Daily.

Editor's Picks