The revelation that U.S. spies are able to monitor communications over Google, Facebook and other American web firms’ platforms will have a big impact overseas, and nowhere more so than in Europe.

UPDATE: I’ll admit I am shocked to have received this response from the European Commission’s Home Affairs department to my request for comment, with particular regard to the impact on EU citizens’ privacy: “We do not have any comments. This is an internal U.S. matter.” For the reason behind my surprise, read on…

UPDATE 2: Less blasé reactions are now starting to roll in. That link will also take you to a revised statement from the European Commission, which now concedes this may not be just an internal U.S. matter.

This is a great day to be a conspiracy theorist. Vindication! The National Security Agency – part of the U.S. military – reportedly has a direct line into the systems of some of the world’s biggest web and tech companies, all of which are of course sited in the U.S.

The companies themselves – Google, Facebook, Apple, Yahoo and so on – have denied the existence of these backdoors, but the U.S. authorities have not. They have claimed there are unspecified inaccuracies in the reports carried by The Guardian and The Washington Post, but there has been no substantive denial, other than to say it’s all OK because only non-U.S. citizens outside the U.S. are being targeted.

That last part appears to be nonsense, hence the uproar within the U.S., but let’s for a moment take the Obama administration at its word and pretend it’s not spying on its own citizens. Even in this scenario, the fallout will be tremendous outside American borders.

Great timing

And nowhere more so than in Europe, which is already in the throes of a wide-ranging debate over data privacy. The EU’s new data protection laws are being formulated, with treats in store including enhanced responsibilities for non-EU cloud firms when it comes to protecting the privacy of European citizens. This has prompted a pretty shameless lobbying campaign by U.S. tech firms to see the new rules watered down. Activist members of the European Parliament (MEPs) such as Jan Philipp Albrecht have been fighting back.

Guess which side of this battle just got a boost?

Unsafe Harbor?

But what about the current EU data protection rules? Time for a quick primer: it is illegal for EU citizens’ personal data to be processed – that includes being hosted on servers – outside the EU, unless the company doing the processing/hosting is in a country that has data protection laws of as high a standard as you find in the EU. The U.S. does not conform to these standards, but of course most of the big web firms are American, so to get around this there is something called a Safe Harbor agreement between the U.S. and Europe.

The Safe Harbor scheme (not recognized by the Germans, incidentally) allows U.S. tech firms such as Google to self-certify, to say that they conform to EU-style data protection standards even if their country’s laws do not. It’s not quite that simple – these companies really do need to jump through some hoops before they claim compliance; just ask Heroku – but it does largely come down to trust.

EU data protection regulators have already called for the system to be toughened up through the introduction of third-party audits, but frankly it now looks like the whole system is in tatters. U.S. companies claiming Safe Harbor compliance include Google, Yahoo, Microsoft, Facebook and AOL, all of which now appear to be part (willingly or otherwise) of the NSA’s PRISM scheme.

As EU data protection rules don’t say it’s OK for foreign military units to record or monitor the communications of European citizens – heck, even local governments aren’t supposed to be doing that – the Safe Harbor program now looks questionable to say the least. A lot of people have already pointed to the U.S. Patriot Act as a threat, and now the effects of that legislation are plain to see.

Cloud impact

All of this is likely to prove very problematic indeed for U.S. cloud firms trying to push further into the European market.

Imagine you’re a European government wanting to move your IT systems into the cloud. For some, nationalism and protectionism already come into play at this point – witness the French (of course) and the two national clouds that they have under development.

Now imagine you’re a U.S. firm trying to drum up business in that context. You can say you have an EU data center and you’re even willing to set up a mini-cloud in the country, just to put everyone’s mind at rest. You can say it and you can mean it, but can you really be surprised when you get laughed at because everyone now sees U.S. internet companies as being in league with the NSA? Even if you’re Amazon, which isn’t part of PRISM, you have a problem.

But that’s just business. The NSA revelations will have a far worse impact than that.

Goodbye moral high ground

This is where it gets really depressing. It’s not like previous U.S. statements on internet freedom in places such as China and the Middle East have emerged without some pointing out the perceived hypocrisy of it all. But now those people, who may have seemed a tad on the paranoid side at the time, can slip into told-you-so mode.

Let’s be clear about this: the NSA’s PRISM program is not quite the same thing as what the Chinese have in place. We’re not talking about overt clamping-down on freedom of speech, or the blocking of certain terms on microblogs when anti-government stories are doing the rounds.

But whatever is happening with the data being collected, the very fact that it is being collected means governments doing much worse things can now turn around and call the U.S. a hypocrite every time it tries to criticize them. At the very least, the perception of U.S. online freedom will no longer be what it was earlier this week – but it is possible that these latest revelations will lead some authoritarian regimes to be a little less cautious with their own online crackdowns.

The PRISM leak is going to be damaging for U.S. firms and the country’s image abroad, but its long-term effects may be worse than that.

But hey, lemons to lemonade, right? If you’re a web firm – particularly one dealing in communications of any kind – based in a country with meaningful data protection rules and checks on governmental intrusion, you now have a pretty strong selling point that wasn’t so clear a few days ago. We’re still waiting for the official reaction to emanate from data protection authorities here in Europe, but there’s every chance that they will be giving their citizens a strong steer in that direction.

And while we’re trying to see the upside:

  1. Like the US got trusted ever since the Patriot Act and other stuff that told the Europeans ‘Screw you, we’re going to spy on you and no one can do anything about it since your governments are brownnosing us anyway’.

  2. Thomas Denny Friday, June 7, 2013

    This is typical from the EU, of course it affects people in Europe, i.e. if you make a mobile phone call to the US then yes they would have your data, or Skype or many other apps. The EU need to wake up, or have they prior knowledge of this and secretly gave the thumbs up? This snooping is bad.

  3. Reblogged this on SyesWorldView and commented:
    Tip toeing towards a Totalitarian state…looks like they’re running towards it

  4. Don’t forget Xbox One!

    An always on, always connected, hi-def camera and microphone in people’s front rooms is the NSA’s wet dream, especially considering Microsoft started providing information to PRISM back in 2007….

    1. So… everyone who doesn’t buy an Xbox One is a potential threat to the government. I imagine a world with NSA agents that are complaining about an “analog” surveillance mission… So far as I understand, Microsoft doesn’t provide information that is on your home systems.

      1. WOW REALLY… U REALLY BELIEVE THAT… CRAP STILL. See, no matter what system u r under, as long as it’s connected to a network, it’s supposed to be spied upon, so would be with BEN ON THIS POINT

    2. Tastygrooves Dave Friday, June 7, 2013

      You own a smartphone? Well, you don’t need Xbox One. Always connected, GPS enabled sensor array with HD camera and dual noise canceling mics. Soooooo easy to hack it’s silly. (Androids, at least… iPhones must be jailbroken.)

      1. Well, surprise, I don’t have a smartphone. But I don’t want to say that’s all good, I can see a lag of social communication outside my WLAN. Yes, I know it’s easy to hack smartphones, but at least you have to hack it. Anyway, didn’t the NSA have a survey program also for telephone data?

  5. A quote from the Guardian article has me concerned: “But the PRISM program renders that consent unnecessary, as it allows the agency to directly and unilaterally seize the communications off the companies’ servers.”

    It appears that the US software giants may not be actively participating or aware of how PRISM works.
    This part is conjecture on my part, but what if the hardware the servers are running (CPUs?) have been compromised with hidden code that allows for the transmission of raw data to the NSA through hidden means? The possibilities are endless, where is the back door? Hard drives? Switches? Routers? All of the above?
    In the past, my previous sentences would sound paranoid… not today.

  6. Reblogged this on Stuff and commented:
    Major, Major, Major fallout.

  7. SamuraiLink3 Friday, June 7, 2013

    David, the tweet you posted has been removed, grabbed a screencap for you: http://i.imgur.com/RtgGFIl.png

    Licensing nonsense: Totally public domain, use it however you want.

  8. “All your data are belong to us.” PRISM

  9. SamuraiLink3 Friday, June 7, 2013

    David, the tweet you link to had its account suspended, grabbed a screenie for you: http://i.imgur.com/RtgGFIl.png

    Licensing: Public Domain, use however you want.

  10. anoymousiePIEZ Friday, June 7, 2013

    With all of this talk about data mining done by the NSA, is there a way to overwhelm their storage with useless data (assuming that they have finite storage space)?
    I am hypothesizing that they have written a program(s) that search for specific words and a certain order of words (or in the case of voice recognition, words people say). Then what would happen if there were many bots (or just people) that searched for the same thing and would ‘saturate’ their sieves (programs or people that search for something) with so many people doing the same thing? I’m thinking…data b/0/3/flip_da_l3ft_part/b? Does that even exist? Wtf would happen if private correspondence was written entirely in captcha?
    Thought experiment: If on a certain date, every person with internet access would search for a term…say…the anarchist cookbook…what would happen? Instead of citizens striving for secrecy, what if we just gave ‘them’ (whomever they are, let’s be honest it’s probably bigger than the NSA) a bunch of useless information?
    inb4 poor prose, I am on my 5th cup of wine.
    USA great country of all time. I love big brother. War is peace, freedom is slavery.
    inb4 track me, betch I’m on a VPN + a few proxies (wine, sorry at this point)

    1. I don’t know why people and then companies do not care too much about encryption, peer to peer messaging clients, emails encrypted with 254 1024 or even bigger keys plus passw 1,000 chars long (copy-paste some texts) – Yahoo Messenger should implement this too, i.e. I mean, given the dangers, any serious company that pretends to defend the client’s interests should have this as the number one priority when they design the software, but they do nothing. Please acknowledge also that companies usually finally do what their clients ask, when the request is being made by many many people, so it is more the problem of the population for not caring than the problem of the company. If you run on the street naked do not take it as a surprise if anybody can see you, your government through other. I mean, when did the population trust their government and why should it anytime in history?
