July 15, 2013
Companies should press for meaningful disclosure about the scope and scale of government surveillance and their role in it. They also need to support laws and policies, including changes to surveillance laws, to protect their customers’ privacy. Ultimately, they need to show how they actually protect users from government spying.

The National Security Agency (NSA) surveillance scandal has been devastating to the U.S. government’s credibility as an advocate for Internet freedom. But as the EU-U.S. trade talks began last week, the impact on U.S. technology companies and a fragile American economy may be even greater.

Every new revelation suggests far more surveillance than imagined and more involvement by telephone and Internet companies, with much still unknown. One of the most troubling aspects of this spying is that foreign nationals abroad have no privacy rights under U.S. law. Foreigners using the services of global companies are fair game. (There is also a certain irony to the revelations considering that some European governments such as Germany and the Netherlands are strong U.S. allies on Internet freedom but may simultaneously be targets of U.S. surveillance online). 

A July 1 report by Der Spiegel on the NSA spying on European officials infuriated governments a week before negotiations started on a massive U.S.-EU trade agreement that could be worth almost $272 billion for their economies and 2 million new jobs. Officials throughout Europe, most notably French President Francois Hollande, said that NSA spying threatens trade talks. 

The French government unsuccessfully called for a two week postponement of the trade talks. The next day it had to address allegations in Le Monde of its own domestic mass surveillance program.

For the Internet companies named in reports on NSA surveillance, their bottom line is at risk because European markets are crucial for them. It is too early assess the impact on them, but the stakes are huge. For example, Facebook has about 261 million active monthly European users compared to about 195 million in the U.S. and Canada, and 22 percent of Apple’s net income came from Europe in the first quarter of 2013. 

Europe was primed for a backlash against NSA spying because people care deeply about privacy after their experience of state intrusion in Nazi Germany and Communist Eastern Europe. And U.S. spying on Europeans via companies had been a simmering problem since at least 2011.

In June 2011, Microsoft admitted that the United States could bypass EU privacy regulations to get vast amounts of cloud data from their European Customers. Six months later, U.K.-based BAE Systems stopped using the company’s cloud services because of this issue.

A major 2011 European Union survey released that June found that “[t]hree out of four Europeans accept that revealing personal data is part of everyday life, but they are also worried about how companies – including search engines and social networks – use their information.” Only 22 percent trusted e-mail, social networking, and search companies with their data.

Then the European Parliament issued a report on privacy in October 2012 confirming Microsoft’s claim and urging new privacy protections between the EU and the United States. The EU tried, but the Financial Times reported that senior Obama administration officials and tech industry representatives successfully lobbied against it.

The NSA scandal has brought tensions over spying to a boil. German prosecutors may open a criminal investigation into NSA spying. On July 3, Germany’s Interior Minister said that people should stop using companies like Google and Facebook if they fear the U.S. is intercepting their data. On July 4, the European Parliament condemned spying on Europeans and ordered an investigation into mass surveillance. The same day, Neelie Kroes, the EU’s chief telecom and Internet official, warned of “multi-billion euro consequences for American companies” because of U.S. spying in the cloud.

The companies have belatedly distanced themselves from the NSA and called for more transparency. Google, Microsoft, Yahoo! and Facebook, are in a particularly tough spot as members of the Global Network Initiative, a group (including Human Rights Watch) formed to verify whether companies respect freedom of expression and privacy online.

Their role in NSA surveillance raises serious questions about whether they have done their utmost to protect billions of people’s privacy or whether it is even possible to know since virtually everything is classified. Yahoo! unsuccessfully challenged a Foreign Intelligence Surveillance Act request in 2008, the New York Times reported and the company is trying to publicly release its petition to the government. But on July 11, The Guardian reported that Microsoft helped the NSA and FBI bypass its own encryption to access its users’ data, based on documents from Edward Snowden.

Transparency is an important first step. Its absence only exacerbates a trust deficit that companies already had in Europe. And trust is crucial. Google’s chief legal officer recognized this on June 19 when he said, “Our business depends on the trust of our users,” during a web chat about the NSA scandal. Some companies have been aggressive in trying to disclose more, and others have not. But unless the U.S. government loosens strictures and allows greater disclosure, all U.S. companies are likely to suffer the backlash.

Since the story broke, the United States has allowed companies to disclose the number of FISA requests they receive, but only combined with all law enforcement requests in ranges of 1,000. So the exact number is impossible to determine.

Google has been the most aggressive, including by petitioning the FISA court. Microsoft has followed. Apple, Yahoo!, and Facebook are starting to report aggregate data in the wake of the NSA fallout.

Companies should press for meaningful disclosure about the scope and scale of government surveillance and their role in it. They also need to support laws and policies, including changes to surveillance laws, to protect their customers’ privacy. Ultimately, they need to show how they actually protect users from government spying.

The Obama administration needs to recognize and mitigate the serious economic risks of spying while trying to rebuild its credibility on Internet freedom. The July 9 hearing of the Privacy and Civil Liberties Oversight Board is a start, but much more is needed. More disclosure about the surveillance programs, more oversight, better laws, and a process to work with allied governments to increase privacy protections would be a start.

The European customers of Internet companies are not all al Qaeda or criminals, but that is essentially how U.S. surveillance efforts treat them. If this isn’t fixed, this may be the beginning of a very costly battle pitting U.S. surveillance against European business, trade, and human rights.