Tech Companies Fight Back Against Excessive Government Surveillance

Since Edward Snowden leaked information on the degree to which the NSA has been conducting surveillance on Americans, it has often appeared that tech companies have given the government whatever access it wants to our personal information. An opinion piece at Wired suggests that tech companies are fighting back:

Everyone assumes that technology companies like Apple, Facebook, and Google don’t care that their customers are being spied on. I don’t believe that’s true.

On the very day the media dropped detailed documents on the NSA’s X-Keyscore collection program, the Facebook engineering team published a blog post stating that all access to Facebook via apps and web browsers was now SSL encrypted. Given X-Keyscore was a program primarily designed to intercept unencrypted internet traffic, you could be forgiven for interpreting Facebook’s post as a middle finger pointed in NSA’s direction. (Sources inside Facebook say it is a coincidence, and indeed the company had been in the process of enabling this across-the-board for years. But still. The timing.)

There are new interception hurdles everywhere you look. Even plain old SSL encryption is becoming more difficult to snoop on. Previously, governments could rely on complicit or compromised certificate authorities to provide them with the means to intercept encrypted traffic. Thanks to the Iranian government’s overly enthusiastic use of this technique, Google made changes to the Chrome browser to neuter the practice. Similar updates are expected soon in Internet Explorer. There goes another interception technique for law enforcement!

And it’s only going to get worse for the poor ole G-Men. Technology companies are enabling security features that make certain types of government surveillance extremely difficult, and it’s a trend that’s set to continue. That’s why the U.S. government has long wanted laws that force tech companies to make their products wiretap friendly…

Currently, there’s no law stopping companies like Apple, Facebook, and Google from introducing such security changes or forcing them to build in backdoors. Why would Apple want its users migrating to cross-platform, anti-snooping messaging apps like Hemlis (by the founders of The Pirate Bay)? Especially when the company could push itself out of the surveillance business with its own technical tweaks before federal regulations force them to become key players in warrant execution.

In fact, advancements in the usability of cryptographic protocols have made anti-surveillance features relatively simple for technology companies to bake into their communications products. And public demand for greater security and privacy in the wake of Edward Snowden’s revelations may make it virtually obligatory for them to do so before new wiretapping laws can be introduced.

It is increasingly looking like Edward Snowden’s release of information is as important in defending civil liberties (and understanding the threats) in the technological age as Daniel Ellsberg’s release of the Pentagon Papers was in spreading knowledge of how the government was lying about Viet Nam. Snowden’s actions have probably prevented the passage of new laws which would further enable organizations such as the NSA to violate our privacy rights:

Today, an attempt to introduce laws that would heavily fine software and internet companies for failing to make their products wiretap-friendly would be met by a full-scale revolt by the commentariat — and by the noisy political fringe on the left and the right.

President Obama was reportedly on the verge of backing the new wiretapping plan as recently as May this year. Only the “Snowden files” hit the press one month later, and surveillance became a hot-button issue. These laws seemingly dropped off the agenda.

For now.

Before Snowden, the proposed law would have been a mildly controversial but grudgingly accepted compliance regime for technology companies. The blowback might have been limited to a few angry Reddit threads and Anonymous denial-of-service attacks against government websites.

Now, it would become a serious political liability for the Obama administration — as well as a public relations and commercial disaster for the technology industry.

We are seeing an example of tech companies pushing back in this statement from Microsoft about a joint effort with Google to increase transparency. The Washington Post offers further background on why Microsoft and Google want to be able to discuss information beyond the government’s plans to release annual reports on the government’s surveillance activity:

The company wants to be able to discuss just the court orders that it receives, rather than a larger bucket of reports that also includes demands made of other tech companies. Google has made a similar plea in a separate filing to the FISA court. It’s as much a public relations move as a bid for greater openness; by showing company-specific numbers, Microsoft and Google would be able to put distance between themselves and the Justice Department.

Microsoft goes one step further than Google, however. In accordance with the practices contained in its own transparency report, Microsoft said that the government should break down those numbers even more to distinguish requests for user metadata, such as IP addresses and e-mail header information, from demands for user content, which would expose personally identifiable information such as the actual text of e-mails to law enforcement.