Responses to surveillance – bad for business not to mention privacy protections

December 10, 2013 |

The ongoing revelations about the extent of official snooping by the US National Security Agency as well as security organs of other states has had a deep impact on the cyberspace community.  Not just the civil liberties issues, signficant thought they are.  There are more prosaic concerns which are much more significant for industry players.  The bottom line.  Users expect their ISPs, search engines and other service providers to have adequate security and proper encryption.  The expectation of private communications is an intrinsic part of many operators business model.

The New York Times reports in Internet Firms Step Up Efforts to Stop Spying that these revelations have prompted a major security upgrade in the industry.  Now private businesses are competing with the NSA to protect their integrity.

The article provides:

SAN FRANCISCO — When Marissa Mayer, Yahoo’s chief executive, recently announced the company’s biggest security overhaul in more than a decade, she did not exactly receive a standing ovation.

Ordinary users asked Ms. Mayer why Yahoo was not doing more. Privacy activists were more blunt. “Even after today’s announcement, Yahoo still lags far behind Google on web security,” said Christopher Soghoian, a technology analyst at the American Civil Liberties Union.

For big Internet outfits, it is no longer enough to have a fast-loading smartphone app or cool messaging service. In the era of Edward J. Snowden and his revelations of mass government surveillance, companies are competing to show users how well their data is protected from prying eyes, with billions of dollars in revenue hanging in the balance.

On Thursday, Microsoft will be the latest technology company to announce plans to shield its services from outside surveillance. It is in the process of adding state-of-the-art encryption features to various consumer services and internally at its data centers.

The announcement follows similar efforts by Google, Mozilla, Twitter, Facebook and Yahoo in what has effectively become a digital arms race with the National Security Agency as the companies react to what some have called the “Snowden Effect.”

While security has long simmered as a concern for users, many companies were reluctant to employ modern protections, worried that upgrades would slow down connections and add complexity to their networks.

But the issue boiled over six months ago, when documents leaked by Mr. Snowden described efforts by the N.S.A. and its intelligence partners to spy on millions of Internet users. More than half of Americans surveyed say N.S.A. surveillance has intruded on their personal privacy rights, according to a Washington Post-ABC News poll conducted in November.

The revelations also shook Internet companies, which have been trying to reassure customers that they are doing what they can to protect their data from spying. They have long complied with legal orders to hand over information, but were alarmed by more recent news that the N.S.A. was also accessing their data without their knowledge.

“We want to ensure that governments use legal process rather than technological brute force to obtain customer data — it’s as simple as that,” said Bradford L. Smith, Microsoft’s general counsel, in an interview.

Mr. Smith said his company would also open “transparency centers” where foreign governments can inspect the company’s code in an effort to assure them that it does not plant back doors for spy agencies in its products.

Already, the Snowden revelations threaten to erode the market share of American technology companies abroad.

In India, government officials are now barred from using email services that have servers located in the United States. In Brazil, lawmakers are pushing for laws that would force foreign companies to spend billions redesigning their systems — and possibly the entire Internet — to keep Brazilian data from leaving the country.

Forrester Research projected the fallout could cost the so-called cloud computing industry as much as $180 billion — a quarter of its revenue — by 2016.

“The world is quickly being divided into companies that are secure and companies that are not,” said Bhaskar Chakravorti, a dean of international business and finance at the Fletcher School at Tufts University.

One by one, technology companies have been scrambling to plug security holes.

The best defense, security experts say, is using Transport Layer Security, a type of encryption familiar to many through the “https” and padlock symbol at the beginning of Web addresses that use the technology. It uses a long sequence of numbers — a master key — that scrambles sensitive data like passwords, credit card details, intellectual property and personal information between a user and a website while in transit.

Banks and other financial sites have used such security for years, and Google and Twitter along with Microsoft’s email service made it standard long ago. Facebook adopted https systemwide this year. And Ms. Mayer said Yahoo would finally allow consumers to encrypt all their Yahoo data in January.

But as many sites move to https, security experts say more advanced security measures are needed. If a government can crack the master key — or obtain it through court orders — it could go back and decrypt past communications for millions of users.

That’s why companies like Google, Mozilla, Facebook and Twitter have added another layer of protection, called Perfect Forward Secrecy. That technology adds a second lock to each user’s transmissions, with the key changed frequently. Microsoft plans to add the encryption method next year, but Yahoo has not said whether it will add it.

“Perfect Forward Secrecy is a billion different secrets, and it’s not protected by one central secret,” said Scott Renfro, a Facebook software engineer who works on the company’s security infrastructure.

So even if an outsider obtained the master key, it would still have to crack the other keys, over and over again.

“This type of protection should have been engineered into all web systems and all Internet systems to begin with,” said Jacob Hoffman-Andrews, an engineer at Twitter.

The technology has existed for two decades, but companies were slow to adopt it because it added complexity and introduced a delay to Internet transactions, which can encourage impatient users to flee for faster sites. But many of those issues were resolved by Google when it applied Perfect Forward Secrecy in 2011, said Adam Langley, a software engineer at the company. Google shared its improvements with the broader tech community.

Still, technical solutions can be trumped by law. While https and Perfect Forward Secrecy protect the data transmission, law enforcement agencies can still compel companies to hand the data over from their servers, where it is stored.

So Internet companies are trying to ensure they are at least blocking unauthorized access by addressing other security issues, including a hole that leaves users vulnerable at the very beginning of a site visit. When users want to log into, say, Google’s Gmail, their Internet browser checks the site’s security certificate to make sure it’s not an impostor.

Some security experts believe that hackers are nearly capable of cracking the 1024-bit encryption keys that protect the certificates. But an industry standards group is requiring that, starting next year, all new and renewed certificate keys use 2048-bit encryption, which is far more difficult to break.

Ultimately, however, every security advance is met by new threats. “Attacks don’t get worse,” Mr. Langley said. “They only get better.”

Aol, Facebook (not one of the greatest respectors of privacy), Google (another frequent flyer in privacy interfering conduct), Linked In, Microsoft, Twitter and Yahoo have written a joint letter calling for reform of the current laws and practices of surveillance.  It is found here.

It provides:

The undersigned companies believe that it is time for the world’s governments to address the practices and laws regulating government surveillance of individuals and access to their information.

While the undersigned companies understand that governments need to take action to protect their citizens’ safety and security, we strongly believe that current laws and practices need to be reformed.

Consistent with established global norms of free expression and privacy and with the goals of ensuring that government law enforcement and intelligence efforts are rule-bound, narrowly tailored, transparent, and subject to oversight, we hereby call on governments to endorse the following principles and enact reforms that would put these principles into action.

The Principles

  1. Limiting Governments’ Authority to Collect Users’ Information
    Governments should codify sensible limitations on their ability to compel service providers to disclose user data that balance their need for the data in limited circumstances, users’ reasonable privacy interests, and the impact on trust in the Internet. In addition, governments should limit surveillance to specific, known users for lawful purposes, and should not undertake bulk data collection of Internet communications.




  • Oversight and Accountability
    Intelligence agencies seeking to collect or compel the production of information should do so under a clear legal framework in which executive powers are subject to strong checks and balances. Reviewing courts should be independent and include an adversarial process, and governments should allow important rulings of law to be made public in a timely manner so that the courts are accountable to an informed citizenry.
  • Transparency About Government Demands
    Transparency is essential to a debate over governments’ surveillance powers and the scope of programs that are administered under those powers. Governments should allow companies to publish the number and nature of government demands for user information. In addition, governments should also promptly disclose this data publicly.
  • Respecting the Free Flow of Information
    The ability of data to flow or be accessed across borders is essential to a robust 21st century global economy. Governments should permit the transfer of data and should not inhibit access by companies or individuals to lawfully available information that is stored outside of the country. Governments should not require service providers to locate infrastructure within a country’s borders or operate locally.
  • Avoiding Conflicts Among Governments
    In order to avoid conflicting laws, there should be a robust, principled, and transparent framework to govern lawful requests for data across jurisdictions, such as improved mutual legal assistance treaty — or “MLAT” — processes. Where the laws of one jurisdiction conflict with the laws of another, it is incumbent upon governments to work together to resolve the conflict.


Voices For Reform

“AOL is committed to preserving the privacy of our customers’ information, while respecting the right of governments to request information on specific users for lawful purposes. AOL is proud to unite with other leading Internet companies to advocate on behalf of our consumers.” —Tim Armstrong, Chairman and CEO, AOL

“Reports about government surveillance have shown there is a real need for greater disclosure and new limits on how governments collect information. The US government should take this opportunity to lead this reform effort and make things right.” —Mark Zuckerberg, CEO, Facebook

“The security of users’ data is critical, which is why we’ve invested so much in encryption and fight for transparency around government requests for information. This is undermined by the apparent wholesale collection of data, in secret and without independent oversight, by many governments around the world. It’s time for reform and we urge the US government to lead the way.” —Larry Page, CEO, Google

“These principles embody LinkedIn’s fundamental commitment to transparency and ensuring appropriate government practices that are respectful of our members’ expectations.” —Erika Rottenberg, General Counsel, LinkedIn

“People won’t use technology they don’t trust. Governments have put this trust at risk, and governments need to help restore it.” —Brad Smith, General Counsel and Executive Vice President, Legal and Corporate Affairs, Microsoft

“Twitter is committed to defending and protecting the voice of our users. Unchecked, undisclosed government surveillance inhibits the free flow of information and restricts their voice. The principles we advance today would reform the current system to appropriately balance the needs of security and privacy while safeguarding the essential human right of free expression.” —Dick Costolo, CEO, Twitter

“Protecting the privacy of our users is incredibly important to Yahoo. Recent revelations about government surveillance activities have shaken the trust of our users, and it is time for the United States government to act to restore the confidence of citizens around the world. Today we join our colleagues in the tech industry calling on the United States Congress to change surveillance laws in order to ensure transparency and accountability for government actions.” —Marissa Mayer, CEO, Yahoo





An open letter to Washington

Dear Mr. President and Members of Congress,

We understand that governments have a duty to protect their citizens. But this summer’s revelations highlighted the urgent need to reform government surveillance practices worldwide. The balance in many countries has tipped too far in favor of the state and away from the rights of the individual — rights that are enshrined in our Constitution. This undermines the freedoms we all cherish. It’s time for a change.

For our part, we are focused on keeping users’ data secure — deploying the latest encryption technology to prevent unauthorized surveillance on our networks and by pushing back on government requests to ensure that they are legal and reasonable in scope.

We urge the US to take the lead and make reforms that ensure that government surveillance efforts are clearly restricted by law, proportionate to the risks, transparent and subject to independent oversight. To see the full set of principles we support, visit


AOL, Apple, Facebook, Google, LinkedIn, Microsoft, Twitter, Yahoo

Insecure networks is harmful from a privacy law perspective.  It is bad for business.  It is disastrous for those earn a living from the use of the internet for any number of uses which provide the core business of Apple, Linked in et al.

Just to show the issue is rousing the real heavy hitters The SMH (Entertainment section) reports in Edward Snowden inspires Miles Franklin authors to join global spying petition that some of our literary luminaries have decided to take the gargantuan step of singing a petition against Mass Surveillance. That’ll learn the authorities! None of them have been agitating to further strengthen the Privacy Act, broadening its operation and removing many of the exemptions.  None of them have put in submissions in the recent ALRC inquiry into whether to recommend a statutory right to privacy.  Their signatures will, I am sure, have the same effect as the Israelites trumpets against Jericho. The walls will come tumbling down and governments around the world will see the errors of their wretched ways and change the law.  Of course not.  Change can take place, after a lot of hard work.

The article provides:

It is the stuff of books and now it has become very real, with Australian authors Anna Funder, Frank Moorhouse and David Malouf joining the fight to demand an end to mass surveillance.

The writers George Orwell and Ray Bradbury imagined a future of totalitarian censorship. HG Wells wrote of a “world brain” centralising all known knowledge while Margaret Atwood foresaw state control of women’s reproduction in The Handmaiden’s Tale.

Now a version of that future is here, says a number of high profile Australian authors who have joined hundreds of writers from around the world to demand an end to mass surveillance (code named PRISM) revealed by the former National Security Agency contractor and whistleblower Edward Snowden.

Miles Franklin award winners Anna Funder, Frank Moorhouse and David Malouf have joined Pulitzer Prize winners Jennifer Egan, Geraldine Brooks, Richard Ford, and Jane Smiley, and Man Booker Prize winners Julian Barnes and Ian McEwan in signing a petition, called Writers Against Mass Surveillance, urging world leaders to take a stand against cyber spying.

The global collective action challenges the power of intelligence services to eavesdrop on emails, conversations on mobile phones and collate data from internet searches.

The public have yet to grasp the worrying implications of Snowden’s disclosures, which reveal that security agencies have cracked the encryption codes for web and mobile phone services, says Moorhouse, and they do not understand that their everyday conversations can be tracked.

Under immediate threat is lawyer-client privilege, as evidenced by ASIO’s recent swoop on a Canberra lawyer involved in East Timor’s bid to scrap an oil treaty worth billions of dollars, itself a dispute brought on by spying claims, according to Moorhouse.

He says the collection of metadata also has all sorts of unintended consequences for Australians, including journalists confidential relationships with sources.

“There is a collapse of the traditional boundaries of personal privacy but also a collapse of the state to keep its secrets, which may be a good thing and a bad thing.”

Abuse of data collected from mobile devices, emails, social networks and via internet searches amounted to theft, and overturned the presumption of innocence, the global authors’ petition said.

The 500 writers want government leaders to explain how the data swept up by intelligence agencies is being kept and to give citizens access to it, and the right to correct it.

Last month American members of PEN, an activist group defending free expression, published a study showing writers there were self-censoring their work, curbing social media interactions and avoiding certain subjects because of surveillance concerns.

As a child growing up in Bulgaria, the German-based author and activist Ilija Trojanow’s flat was bugged. “As an adult I had the bizarre privilege of reading in the Secret Service files what my parents and other relatives were discussing then. It is remarkable that once the camera or the microphone is directed towards you, you can no longer be innocent. Any statement by them was construed and misconstrued as being proof of their subversive tendencies.”

This year, Trojanow was initially denied entry to the United States to attend a conference on surveillance. No reason was given by Homeland Security. “Imagine every budding thought, still vague and rough, immediately exposed to the limelight of an unforgiving public. It would shrivel and shrink. Before a text or any other creative expression is presented to the public it needs hours, weeks and months of intimacy. Investigative journalism for example would be impossible without the privacy of secured anonymity.”

Petitions have their place. But on their own they are just so much paper.

Leave a Reply