This month “Snowden,” Oliver Stone’s movie about NSA whistleblower Edward Snowden, opens in theaters around the country. It’s as good an occasion as any to look back at what’s changed in the three and a half years since this computer prodigy leaked information about global surveillance programs, shaking up political alliances and business relationships, and reigniting a very contentious data privacy debate.
Beginning in May 2013, Snowden’s disclosures to the media revealed that intelligence agencies were broadly monitoring the communications of ordinary citizens, not just suspected terrorists. “When Edward Snowden took four laptops and got on a plane, the world started to change,” said Brad Smith, president and chief legal counsel for Microsoft. “We started to learn things we didn’t know and ask questions we were not asking.”
As a result of the Snowden disclosures, the world has changed in these ways:
- Intelligence agencies were asked to defend their practices.
In the US, leaders in the intelligence community were called to testify before Congress. And because the Snowden documents revealed that NSA surveillance often involved the participation of other members of the “Five Eyes” alliance (Australia, Canada, Great Britain, New Zealand, and the US), those countries, too, demanded answers.
- Some foreign governments and businesses shunned US technology.
Recognizing that US tech companies and service providers were compelled to cooperate with the government’s mass surveillance activities, several foreign governments and many foreign enterprises canceled contracts with US-based companies and switched to non-US vendors. Verizon, Cisco, Google and even Boeing, among many other businesses, were impacted. The exact amount of lost revenue is difficult to quantify, but one industry analyst estimated that between 2013 and 2016, the US tech sector could lose up to $35 billion because of the sudden but profound distrust of US companies.
- Cloud computing projects embraced data sovereignty.
Instead of uploading data to cloud services that shuffled data among virtual machines and data centers automatically to optimize performance and cost savings, organizations began requiring that data be stored locally so that it remained subject to local laws. Enterprises and technology providers such as IBM began investing heavily in local data centers to maximize control over data privacy and moving data into regions under the jurisdiction of the US.
- Courts ruled that some aspects of the surveillance programs were illegal, leading governments to make adjustments.
In February 2015, the Investigatory Powers Tribunal (IPT), which oversees Britain’s intelligence agencies, ruled that the joint bulk data collection and sharing between the UK and the US breached human rights law. In May 2015, a US federal appeals court in New York ruled that the NSA’s bulk collection of US citizens’ phone records was also illegal. The following month, Congress passed the USA Freedom Act, which renewed authorization for most surveillance provisions established in the USA Patriot Act, while imposing some limited restrictions on bulk data collection.
- International treaties were renegotiated.
In October, 2015, the European Court of Justice, the highest court in the EU, ruled that US mass surveillance practices violated EU privacy laws, nullifying the Safe Harbor Agreement and, in doing so, making the flow of EU personal data to US companies and to data centers in US territories for fifteen years now illegal. US and EU officials worked quickly to establish a new agreement, Privacy Shield, which gives EU citizens the right to question how their data is being used. Whether the new agreement can withstand legal challenges about privacy violations remains to be seen.
- IT vendors began advocating for customers’ right to privacy.
Recognizing that customers no longer trusted them keeping personal data private, IT vendors began advocating for privacy. Facebook, Google, and other leading tech companies formed an alliance called Reform Government Surveillance. Apple and Microsoft argued forcefully against weakening security features to create “backdoors” to aid in government surveillance. Companies also argued for more transparency about security requests and subpoenas. This advocacy is ongoing.
- Enterprises re-assessed the security of their IT solutions and services.
“The Snowden stories raised enough concerns about US government spying…that it became a smart business decision for companies with a global customer base to increase the use of encryption,” wrote Orin Kerr, a professor at George Washington University Law School. Indeed, the Ponemon Institute has found that while interest in encryption technology has been growing worldwide, it just experienced in largest growth in the past year. Some of that growth may be in response to the increasing frequency of data breaches, but some of it is also likely due to concern about intelligence agencies and nation states generally poring through data.
Looking Ahead: What Enterprises Should Expect
Given all these changes, what should enterprises do, going forward?
- Assume that intelligence agencies are still interested in collecting data.
It’s true that the USA Freedom Act curtailed the NSA’s bulk collection of telephony metadata, but other intelligence agencies remain interested in collecting vast amounts of data about ordinary citizens. For example, in the UK, the Data Retention and Investigatory Powers Act of 2014 requires telecommunications companies and ISPs to store email and telephone contact information for 12 months. The Investigatory Powers Bill (also known as the “Snooper’s Charter”) would expand the types of data stored to include records of websites visited. It would also require ISPs in the UK, upon legal request, to remove any encryption provided by their services to the data of specific users.
- Be wary of vendor technology that accommodates governments but creates new vulnerabilities.
Several governments have requested that Apple and other technology vendors include “backdoors” in their products that would allow intelligence agencies and law enforcement agencies to access what would otherwise be protected data. Most technology companies have balked at this idea, in part because they fear that once a backdoor is created, it could be exploited not just by legal authorities but also by criminal syndicates and other nation states. While the Apple/FBI saga earlier this year pertained to accessing data stored on a mobile device, the crux of the debate was whether technology companies should engineer backdoor access for law enforcement.
- Pay attention to data sovereignty—IT support for data sovereignty will likely be critical for years to come.
The nullification of the Safe Harbor Agreement called attention to the importance of data sovereignty and the location of data centers. Nations outside the EU, such as Canada and Russia, are drafting or have already passed their own data sovereignty laws. IT strategies and cloud architectures need to take into account that in a growing number of cases, PII will need to be stored locally and managed to accommodate the data privacy rights and laws of local citizens and governments, respectively.
How kiteworks by Accellion Can Help
Accellion's kiteworks content collaboration platform helps enterprises secure critical content, including PII, while making it easy for authorized users to access and share content securely from any type of device. Designed to support the content security and productivity needs of global enterprises, kiteworks features a highly scalable, flexible tiered architecture that enables enterprises to protect content while adhering to local data sovereignty requirements.
An important differentiator with kiteworks and its private cloud, on-premises deployment is the fact that customers maintain sole ownership of encryption keys. If a government agency contacts Accellion seeking access to a customer’s data, Accellion is unable to decrypt those files. All files are encrypted with 128‐bit or 256‐bit SSL to protect data in transit and secured with 256‐bit AES encryption while at rest. In addition, all data transactions are also logged by user/IP address and significant metadata is captured for each transaction.
To learn more about how kiteworks helps with data security and data governance, please contact us.