Love him or hate him, Edward Snowden has changed the world. Time will be the only determining factor of if that change was for good or for ill. However, will the revelations from the leaked NSA documents, and the public's perception of them, change how business is done in the future?
I'm not sure, but a blog post by Denim Group's John Dickson got me thinking about it. He makes some interesting points.
The post focuses on six changes that are likely to happen because of the Snowden leaks. I'd welcome a discussion on the topic. I've listed the projected changes below, along with Mr. Dickson's thoughts, and added my own comments. Feel free to leave your own thoughts in the comments below, or email me directly.Companies will be more wary to cooperate with governments.
Where some companies strived to cooperate beyond the letter of the law, now the opposite will be the case. Instead, corporate counsels across the country are more likely to push back more vigorously against requests that appear to be too broad and overreaching and in its place, define these requests in the narrowest terms possible.
I agree. They may be more likely to challenge law enforcement requests and court orders. However, I don't see that having the slightest impact. In fact, unless the laws change, businesses are compelled to comply with the courts. They may "fight back" and say so publicly – it's good PR after all – but the government will get its records by the end of the day.
While there have been a handful of challenges [see some examples here], and firms such as Facebook, Yahoo, AT&T, Verizon, Google, and Apple are issuing transparency reports, they're not completely transparent, because by law that level of disclosure is forbidden.
Today we have secret courts, that issue secret orders, and firms are prohibited from speaking fully about them. These orders were a problem before, but now that it's known the NSA took a Pokémon approach to records (gotta catch 'em all!), the level of secrecy makes the issue a hot topic, almost as bad a politics in general. To me it seems that there are two sides to the debate, you're either for mass collection, or you're against it. Oversight doesn't seem to work anymore, otherwise, how did things get this bad?Tighter cooperation between security, privacy and corporate counsel will occur.
In most large companies, departments exist that manage security, privacy, and legal matters within the organization... Most of these departments don’t typically work closely together on a day-to-day basis, but that is changing due to the Snowden revelations. Where these disparate corporate functions worked together on a case-by-case and event-driven basis, they will now be forced to coordinate more closely and will be more likely to regularly meet with each other...
I agree with this completely, and I believe this was happening long before the Snowden leaks, due to the number of governance and compliance issues that businesses face. Today's market isn't compartmentalized, legal has to know what IT is doing; and within IT, security people need to talk with infrastructure people. While all of this happens, the C-Levels are kept in the loop. Problems, it seems, happen due to communication breakdowns.Companies will review and update their public privacy statements.
As an outgrowth of the aforementioned tighter cooperation, companies are adjusting their privacy statements so they are more inline with their internal practices. The perception from Snowden – correct or incorrect – is that most corporate privacy statements didn’t accurately reflect a company’s true practices concerning complying with government requests. As a result, the public now thinks that many companies gushed publicly about how they guarded and protected customer data while ,in fact, they were handing over the keys to the kingdom to law enforcement and the NSA...
Like Dickson, I disagree with the notion that a company who was forced by the government to share information, and forced to remain silent about it, violated customer trust. However, that's a fine line to walk. Consumers expect a certain level of privacy, and if they wish to remain operating, businesses have to meet or exceed this expectation.
All a company can do (in my opinion), is align their privacy policies with what the law allows and spell this out to the customer. Be honest.
If you might be compelled to give out X, Y, and Z, information, tell me so, clearly and in language that makes sense. Don't say you "won't share anything" unless compelled by a court, because that doesn't tell me what you're actually sharing. Such bland legal statements lead me to believe you're sharing far more information than what's actually going out. The problem with my ideas though is trust. It seems to me that businesses don't trust their customers, and assume if they admit to anything, we'll stop trusting them, and they'll lose us forever. It's not true.CEOs will question why companies keep certain sensitive customer data at all.
The norm was truly “the more, the better” and almost always was driven by marketing departments. That has certainly changed post-Snowden. Going forward, collecting privacy information electronically will more likely infer that a company will provide some modicum of protection. I remember not too long ago getting asked for my driver's license number for a trial gym membership. Why? More leaders will ask the same question.
This has been proposed before, and as mentioned, it is usually the marketing department and sales that drives the data collection. Why? Because businesses are out to make money and data is how money is made. In fact, if there is a good case to be made to collect information, such as a boost to the bottom line, business leaders aren't likely to say no on moral grounds. But I can agree that there's plenty of over-collecting going on. For example, you still need to use your Social Security Number in the U.S. for things that are not income related, such as those discount cards at the supermarket.Legislation to cooperate with the US Federal Government on Information Sharing is likely dead.
The conventional wisdom in D.C. was that in spite of a poisoned political environment, some type of information sharing legislation would be passed in 2013. That did not happen, and we can likely thank Mr. Snowden for sowing the seeds of distrust in corporate America that hastened the death of information sharing this past year. No doubt, everyone took a step back after Snowden and is now looking for a real business justification that makes it worth working with government in this manner...
To be fair, there were plenty of other political issues that moved the information sharing debate off the table. I think that Snowden – if he played any role at all – was only a minor part of the reason such initiatives were left dead in the water. However, if the issue was raised today, it's a good bet Snowden would be used as an example somewhere in the process. Dickson also makes a valid point, that while broader sharing initiatives were pushed aside, ISACs have remained a steady resource for information sharing between sectors and the government.International clients will ask American IT companies tougher questions.
In discussions with colleagues involved in the hosting industry, the questions are particularly blunt. If your company handles sensitive information from international clients, you need to be ready to answer questions about your organization’s cooperation with US law enforcement and government organizations and how that may affect their business, especially cloud providers. In fact, I’d suggest that you think through these issues now and reach out to your international clients prior to them asking the question.
This issue will tie into observation #1 and #3, because in the end it will come down to trust and transparency. The only thing a business can do when it comes to international clients is to remain honest and clearly explain the legal requirements of operation.
So what are your thoughts? Am I way off base here, or not seeing the bigger picture? Feel free to comment either way. I'm looking forward to additional insight.