A year after Edward Snowden exposed the National Security Agency’s mass surveillance programmes, the major US technology companies suffering from the fallout are uniting to shore up their defenses against government intrusion.
Instead of aggressively lobbying Washington for reform, Google Inc, Microsoft Corp and other tech companies have made security advancements their top priority, adopting tools that make blanket interception of internet activity more difficult.
“It’s of course important for companies to do the things under our own control, and what we have under our own control is our own technology practices,” Microsoft General Counsel Brad Smith told Reuters. “I don’t know that anyone believes that will be sufficient to allay everyone’s concerns. There is a need for reform of government practices, but those will take longer.”
As part of a “Reset the Net” campaign now reaching a mainstream audience, Google said that it was releasing a test version of a programme allowing Gmail users to keep email encrypted until it reaches other Gmail users, without the company decrypting it in transit to display advertising.
Google, Microsoft and Facebook Inc moved to encrypt internal traffic after revelations by Snowden, a former NSA contractor, that the spy agency hacked into their connections overseas. The companies have also smaller adjustments that together make sweeping collection more difficult.
“Anyone trying to perform mass surveillance is going to have a much harder job today than they would have even six months ago,” said Nate Cardozo, a staff attorney with the civil liberties group Electronic Frontier Foundation.
Cardozo said the most-improved major company was Yahoo Inc, which went from not encrypting email by default to having protection comparable to that of its peers.
The topic of boosting security has gained urgency after countries such as China faulted big tech companies as tools of a powerful US surveillance state, and threatened to curb purchases of American tech products.
Surveillance opponents say the companies could do much more than they have. An NSA slide released last month by journalist Glenn Greenwald, titled “NSA Strategic Partnerships,” touted “alliances with over 80 major global corporations” that supported the NSA’s cyber offensive and defensive missions.
The slide named 12 companies, including the largest US telecom carriers and Microsoft, Intel Corp, Hewlett-Packard Co and Cisco Systems Inc. None of those companies have renounced working with the agency or said that they would limit their cooperation to defensive measures.
All four of the tech companies in the group said they do not deliberately incorporate spying “back doors” into their products, but that leaves open a number of possibilities, including mandated or voluntary efforts to target individual customers or groups.
“Legally, the NSA can compel you to provide access to information,” said Ashkan Soltani, a privacy researcher in Washington DC. “The only way around this is to engineer systems to prevent access, or at least make it detectable.” Google’s new email tool is one example of that, and smaller companies are trying other formulas that retain little information about users.
Pressing for reforms
The tech companies see improving their defenses as only the first step. Microsoft and other companies are also pressing governments to negotiate limits on cyber-spying.
A group of nine major companies formed a group called Reform Government Surveillance, which recently took out newspaper advertisements urging the Senate to strengthen a House reform bill and ban bulk internet surveillance.
Both Cisco and Microsoft also have said US law should clearly protect data stored elsewhere. Smith said Microsoft would fight to overturn a recent federal magistrate’s ruling forcing it to produce customer information from Dublin.
If that fails, Smith said, there are other means to draw the line at the US border, including administration policy changes and new legislation.
Even if none of the three branches of government end up backing Microsoft’s position, Smith said the company can change its business processes, such as by using joint ventures instead of subsidiaries, or its technology, such as by giving only users the encryption keys to their data