U.S. openness, restraint could lessen fallout from NSA surveillance

With $35 billion in lost revenue to overeas companies expected following the leak, it's up to the U.S. to be more open about the program, experts say


Clear restrictions on electronic surveillance by the National Security Agency is the best way to avoid economic damage to U.S. tech companies tainted by revelations of massive data collection on U.S. and foreign citizens, experts say.

The fallout from NSA activity, revealed through the release of classified documents by former agency contractor Edward Snowden, could include as much as $35 billion in lost business to U.S. cloud service providers over the next three years, according to a recent study by The Information Technology and Innovation Foundation. Most of that business would go to foreign rivals.

U.S.-based encrypted email services are also feeling the pain. Two providers, Lavabit and Silent Circle, shutdown their services this week, saying that under current U.S. law governing the NSA they could not provide the level of secrecy their clients demand.

"Over the long run I fear that Mr. Snowden has not only done irreparable harm to U.S. intelligence gathering capabilities, but also to the competitiveness of the U.S. IT industry," said Al Pascual, a senior analyst for Javelin Strategy and Research.

When it comes to collecting electronic data to combat terrorism and criminal activity, the U.S. government is no different than its counterparts in Europe, where companies are using the NSA revelations for competitive advantage, experts say.

The difference is U.S. activity, which included siphoning call data from Verizon and user information from Google, Facebook, Microsoft and other Internet companies, was exposed.

As a result, the U.S. is in a public relations mess that foreign cloud service providers can take advantage of, particular since the data collection revolved around finding possible terrorists overseas.

[Also see: NSA snooping bolsters opponents of U.S. Internet control]

"There's a lot of showboating going on here by some foreign officials," said Adam Thierer, a senior research fellow at the Mercatus Center in George Mason University.

The grandstanding, from Europe, was cited in the ITIF report. Jean-Francois Audenard, the cloud security adviser for France Telecom, was quoted as saying, "It's extremely important to have the governments of Europe take care of this issue because if all the data of enterprises were going to be under the control of the U.S., it's not really good for the future of the European people."

There is no evidence that the NSA is gathering sensitive information from European companies, but its mandate to operate in secrecy prevents the spy agency from disclosing exactly what it gathers and how it uses it.

That means it is up to the U.S. government to take away the ammunition of critics overseas by becoming far more open about what the surveillance programs do, how far their reach is in and outside the U.S., and what the restrictions are to limit the impact on the privacy of innocent people, Thierer said. This greater transparency must be coupled with demonstrated restraint in data gathering.

"All the transparency in the world isn't necessarily going to limit the potential damage here in terms of privacy and/or credibility of the U.S. government, if they're engaged in sordid forms of dragnet surveillance in service of policing terrorism across the globe," Thierer said by email.

In addition, international agreements on what data related to terrorism or criminal activity can be divulged and shared would also help moot the arguments of U.S. critics.

On Friday, President Barack Obama conceded to reporters in Washington, D.C., that more openness and safeguards were needed in U.S. surveillance efforts, The New York Times reported. Steps to be taken included the creation of a high-level task force of outside intelligence, and civil liberties experts to advise the government on balancing national security with privacy.

Copyright © 2013 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)