Leading tech firms seek stronger surveillance rules

Eight leading tech companies have joined together in asking governments worldwide to reform surveillance laws and practices in the wake of intelligence-gather leaks over the summer from former National Security Agency contractor Edward Snowden.

In an open letter to Congress and President Barack Obama, Google, Apple, Microsoft, Facebook, Twitter, Yahoo, AOL and LinkedIn ask the United States "to take the lead and make reforms that ensure that government surveillance efforts are clearly restricted by law, proportionate to the risks, transparent and subject to independent oversight." The letter was posted on a new website called Reform Government Surveillance.

The group's effort reflects a growing concern among U.S. firms that their reputations are being undermined in the global marketplace by disclosures about bulk data collection by the NSA, efforts to limit the effectiveness of data encryption, and reports of interception of Internet traffic on networks between secure servers. By one estimate, disclosures of NSA surveillance could cost U.S. cloud providers between $22 billion and $35 billion over the next three years in global enterprise business.

"People won't use technology they don't trust. Governments have put this trust at risk, and governments need to help restore it," said Microsoft general counsel Brad Smith. On Dec. 4, Smith announced that Microsoft planned to take a more active role in disputing data requests from government entities made outside of established legal channels, and that the company would expand a program making source code available for review by government clients.

The eight companies are asking governments worldwide to write their rules for data collection into law, and be transparent about the extent to which they seek data from private firms. They want stricter oversight of the intelligence agencies charged with surveillance and data collection, and an "adversarial process" through which privacy advocates have a voice in court reviews of surveillance orders. Governments should "limit surveillance to specific, known users for lawful purposes," and should not "undertake bulk data collection of Internet communications."

While the request is an appeal to governments worldwide, these measures closely track with the proposed USA Freedom Act, sponsored by Rep. Jim Sensenbrenner (R-Wis.) in the House and Sen. Patrick Leahy (D-Vt.) in the Senate. The bill has yet to receive a committee vote in either chamber.

A competing measure, the FISA Improvements Act of 2013, maintains government authorization for bulk collection of email and telephonic metadata with a few restrictions such as renewing collection orders after 90 days, and more precise record keeping about who accesses such data at spy agencies. That measure was approved by the Senate Intelligence Committee by an 11-4 vote on Oct. 31.

The intelligence community and Obama are seeking to implement reforms administratively. "I'll be proposing some self-restraint on the NSA, to initiate some reforms that can give people some more confidence," Obama told MSNBC recently.

The eight tech firms are also seeking formal protection for the global cloud computing ecosystem by allowing for the free flow of information across borders.

"Governments should permit the transfer of data and should not inhibit access by companies or individuals to lawfully available information that is stored outside of the country. Governments should not require service providers to locate infrastructure within a country's borders or operate locally," they write. In addition, they're seeking a legal framework for governments to resolve disputes about data collection orders.

Building a legal protection framework into the architecture of the global Internet is a critical business issue for these eight companies, and for other U.S. firms who similarly stand to lose enterprise business to companies based in countries with stronger privacy regimes, notes Daniel Castro, an analyst at the Information Technology and Innovation Foundation.

A timely report titled "The False Promise of Data Nationalism," released Dec. 9, said the U.S. exports more than $350 billion in digitally enabled services annually, according to the U.S. International Trade Commission. In the report, Castro argues that a "Geneva Convention of the Status of Data" would create a set of predictable rules protecting business and personal data stored with cloud providers and other online services around the globe.

While such a regime might seem to target countries that routinely spy on citizens without even a fig leaf oversight or due process, clearly tech firms and experts are deeply concerned about the effect U.S. surveillance disclosures could have on business interests.

"Uncertainty surrounding the extent to which countries may be compelling the disclosure of confidential information further compounds this problem and limits the ability of companies in many countries to do business abroad," Castro writes.