Blog Post

NSA spying scandal fallout: Expect big impact in Europe and elsewhere (Updated)

Stay on Top of Emerging Technology Trends

Get updates impacting your industry from our GigaOm Research Community
Join the Community!

UPDATE: I’ll admit I am shocked to have received this response from the European Commission’s Home Affairs department to my request for comment, with particular regard to the impact on EU citizens’ privacy: “We do not have any comments. This is an internal U.S. matter.” For the reason behind my surprise, read on…

UPDATE 2: Less blasé reactions are now starting to roll in. That link will also take you to a revised statement from the European Commission, which now concedes this may not be just an internal U.S. matter.

This is a great day to be a conspiracy theorist. Vindication! The National Security Agency – part of the U.S. military – reportedly has a direct line into the systems of some of the world’s biggest web and tech companies, all of which are of course sited in the U.S.

The companies themselves – Google(s goog), Facebook(s fb), Apple(s aapl), Yahoo(s yhoo) and so on – have denied the existence of these backdoors, but the U.S. authorities have not. They have claimed there are unspecified inaccuracies in the reports carried by The Guardian and The Washington Post, but there has been no substantive denial, other than to say it’s all OK because only non-U.S. citizens outside the U.S. are being targeted.

That last part appears to be nonsense, hence the uproar within the U.S., but let’s for a moment take the Obama administration at its word and pretend it’s not spying on its own citizens. Even in this scenario, the fallout will be tremendous outside American borders.

Great timing

And nowhere more so than in Europe, which is already in the throes of a wide-ranging debate over data privacy. The EU’s new data protection laws are being formulated, with treats in store including enhanced responsibilities for non-EU cloud firms when it comes to protecting the privacy of European citizens. This has prompted a pretty shameless lobbying campaign by U.S. tech firms to see the new rules watered down. Activist members of the European Parliament (MEPs) such as Jan Philipp Albrecht have been fighting back.

Guess which side of this battle just got a boost?

Unsafe Harbor?

But what about the current EU data protection rules? Time for a quick primer: it is illegal for EU citizens’ personal data to be processed – that includes being hosted on servers — outside the EU, unless the company doing the processing/hosting is in a country that has data protection laws of as high a standard as you find in the EU. The U.S. does not conform to these standards, but of course most of the big web firms are American, so to get around this there is something called a Safe Harbor agreement between the U.S. and Europe.

The Safe Harbor scheme (not recognized by the Germans, incidentally) allows U.S. tech firms such as Google to self-certify, to say that they conform to EU-style data protection standards even if their country’s laws do not. It’s not quite that simple – these companies really do need to jump through some hoops before they claim compliance; just ask Heroku — but it does largely come down to trust.

EU data protection regulators have already called for the system to be toughened up through the introduction of third-party audits, but frankly it now looks like the whole system is in tatters. U.S. companies claiming Safe Harbor compliance include Google, Yahoo, Microsoft(s msft), Facebook and AOL(s aol), all of which now appear to be part (willingly or otherwise) of the NSA’s PRISM scheme.

As EU data protection rules don’t say it’s OK for foreign military units to record or monitor the communications of European citizens – heck, even local governments aren’t supposed to be doing that – the Safe Harbor program now looks questionable to say the least. A lot of people have already pointed to the U.S. Patriot Act as a threat, and now the effects of that legislation are plain to see.

Cloud impact

All of this is likely to prove very problematic indeed for U.S. cloud firms trying to push further into the European market.

Imagine you’re a European government wanting to move your IT systems into the cloud. For some, nationalism and protectionism already come into play at this point – witness the French (of course) and the two national clouds that they have under development.

Now imagine you’re a U.S. firm trying to drum up business in that context. You can say you have an EU data center and you’re even willing to set up a mini-cloud in the country, just to put everyone’s mind at rest. You can say it and you can mean it, but can you really be surprised when you get laughed at because everyone now sees U.S. internet companies as being in league with the NSA? Even if you’re Amazon(s amzn), which isn’t part of PRISM, you have a problem.

But that’s just business. The NSA revelations will have a far worse impact than that.

Goodbye moral high ground

This is where it gets really depressing. It’s not like previous U.S. statements on internet freedom in places such as China and the Middle East have emerged without some pointing out the perceived hypocrisy of it all. But now those people, who may have seemed a tad on the paranoid side at the time, can slip into told-you-so mode.

Let’s be clear about this: the NSA’s PRISM program is not quite the same thing as what the Chinese have in place. We’re not talking about overt clamping-down on freedom of speech, or the blocking of certain terms on microblogs when anti-government stories are doing the rounds.

But whatever is happening with the data being collected, the very fact that it is being collected means governments doing much worse things can now turn around and call the U.S. a hypocrite every time it tries to criticize them. At the very least, the perception of U.S. online freedom will no longer be what it was earlier this week – but it is possible that these latest revelations will lead some authoritarian regimes to be a little less cautious with their own online crackdowns.

The PRISM leak is going to be damaging for U.S. firms and the country’s image abroad, but its long-term effects may be worse than that.

But hey, lemons to lemonade, right? If you’re a web firm – particularly one dealing in communications of any kind – based in a country with meaningful data protection rules and checks on governmental intrusion, you now have a pretty strong selling point that wasn’t so clear a few days ago. We’re still waiting for the official reaction to emanate from data protection authorities here in Europe, but there’s every chance that they will be giving their citizens a strong steer in that direction.

And while we’re trying to see the upside:

40 Responses to “NSA spying scandal fallout: Expect big impact in Europe and elsewhere (Updated)”

  1. Lullaby

    Wasn’t all this in Wikileaks which they tried to block and close??
    Toooo many stories of coverups & corruption especially over surveillance. Julian Assange was right all along and now they are trying to frame him like they did with Scott Ritter just before the Iraq War.

  2. John Doe

    Actually, I *do* seem to recall Facebook starting to censor anti-Obama messages and then stopping only when they got caught, and who knows how pervasive this still is, and given that the administration is also using the tax enforcement agency to target political adversaries and stifle free speech, responding in an overtly biased way to FOIA requests at the EPA, etc., it’s hard to see a cogent claim that the U.S. is much different than China at this point.

  3. This is all just a cover for Europe as well. Why does Europe have to do any spying when America does it for them. Why would Europe try and spy through American companies when it can just have America do it for them. You honestly think that Europe doesn’t have anything to do with this?

  4. I’m not sure why this is news (apart from the jihad journalists have declared because now “one of their own” has been burned by DoJ rather than one of the common rabble). . . Books have been written about the NSA, etc. for decades that have explicitly stated that we get spied on, it is in fact what the NSA *is for* to begin with vs the CIA (who is responsible for foreign espionage) — spying on social networks and the like is just the natural extension.

  5. Joe Onvious

    Now is the time to start replicating the American services in other nations… And it’s not as bad as it seems – our companies already avoid paying US taxes and hire offshore…. so, it’s not as if the tax revenue will be lost.

    Of course, American shareholders will be upset – but many of them are already Europeans to begin with.

  6. LoudMouse Radio

    We’ll be discussing this soon on our Podcast. The implications are far-reaching, and we believe we can provide a thorough and analytical response to these revelations.

  7. Guest

    Just thought you all might like to know that when I was working at Dell, we were contracted by the CIA to create a system whereby the CIA could post as millions of users with a single click of a button, thereby using social media to influence public opinion. It isn’t just the collecting of information that these bastards are after. Its continued control of the populace.

  8. anonymous

    First we need to clarify some recent (or not too recent) facts. The American Government doesn’t want to delegate the control of the Internet to independent organization such as the Union Nation and why? Second, what was discussed in that meeting in the first year of Obama’s mandate where many of the mentioned companies did part? Third, when WE AMERICANS will demand the end of the Patriot Act, that of patriotic has nothing?

  9. Ezekial Shake

    does this surprise anyone?

    remember the felon, Admiral John Poindexter, during the Iran-Contra hearings in the late 80s?

    he talked of implemented TIA (Total Information Awareness) back then … so you know what they do that is secret is beyond anything they discuss publicly

    complete monitoring is possible and it is likely all governments with the technical ability are doing it

    • William Hewitt

      Snowden should get the congressional medal of honor for exposing traitors Obama, Boehner, and Feinstein. Are we allowed to spit on Obama?

  10. MarkyMark

    The NSA is not part of the U.S. military; it’s a part of the Department of Defense. The Military (Army, Navy, Air Force, Marines) is a sub-component of the Department of Defense. Civilian agencies like NSA, NGA, DIA, etc. are all additional components of the DoD. Get your facts straight before you make idiotic statements.

  11. Khannea Suntzu

    I have a simple answer to this practice of spying on EU citizens – make it illegal, with prison sentences. And reward whistle blowers who provide evidence with money.

    Then sit back and wait. It won’t be long till the first whistleblower comes forward. Then investigate, call a few US intelligence people to a hearing. They won’t respond, so hold them in contempt of court and issue arrest warrants.

    Then after some time the EU courts find out who is *really* responsible. Then call for EU-wide and international interpol arrest warrants. The same day these people will be locked inside the US, for fear of being arrested, like *anywhere*. Keep doing this with anyone in the same agencies who take similar departments and chairs, until the EU receives a decent reply from the states.

    Take this far enough up the food chain and you can paralyze whole sections and departments and agencies because half their agents fear being arrested and questioned. Their faces on interpol “wanted” lists, etc. etc.

    • malebolgia

      EU would better declare war on the US them because it would mean the same thing. Tip: some 40 years after WWII the Russians left the EU, when did the Americans leave? They didn,t.

  12. anoymousiePIEZ

    With all of this talk about data mining done by the NSA, is there a way to overwhelm their storage with useless data (assuming that they have finite storage space)?
    I am hypothesizing that they have written a program(s) that search for specific words and a certain order of words (or in the case of voice recognition, words people say). Then what would happen if there were many bots (or just people) that searched for the same thing and would ‘saturate’ their sieves (programs or people that search for something) with so many people doing the same thing? I’m thinking…data b/0/3/flip_da_l3ft_part/b? Does that even exist? Wtf would happen if private correspondence was written entirely in captcha?
    Thought experiment: If on a certain date, every person with internet access would search for a term…say…the anarchist cookbook…what would happen? Instead of citizens striving for secrecy, what if we just gave ‘them’ (whomever they are, let’s be honest it’s probably bigger than the NSA) a bunch of useless information?
    inb4 poor prose, I am on my 5th cup of wine.
    USA great country of all time. I love big brother. War is peace, freedom is slavery.
    inb4 track me, betch im on a VPN + a few proxies (wine, sorry at this point)

    • malebolgia

      I don,t know why people and then companies do not care too much about encryption, peer to peer messaging clients, emails encrypted with 254 1024 or even bigger keys plus passw 1,000 chars long (copy-paste some texts) -yahoo messenger should implement this too i.e. . I mean given the dangers any serious company that pretend to defend the client,s interests should have this the number one priority when they design the software, but they do nothing. Please acknowledge also that companies usually finally do what their clients ask, when the request is being by many many people so it is more the problem of the population for not caring than the problem of the company. If you run on the street naked do not take it a surprise if anybody can see you, your government through other. I mean, when did the population trust their government and why should it anytime in history?

  13. Brent

    A quote from the Guardian article has me concerned: “But the PRISM program renders that consent unnecessary, as it allows the agency to directly and unilaterally seize the communications off the companies’ servers.”

    It appears that the US software giants may not be actively participating or aware of how PRISM works.
    This part is conjecture on my part, but what if the hardware the servers are running (CPUs?) have been compromised with hidden code that allows for the transmission of raw data to the NSA through hidden means? The possibilities are endless, where is the back door? Hard drives? Switches? Routers? All of the above?
    In the past, my previous sentences would sound paranoid… not today.

  14. Don’t forget Xbox One!

    An always on, always connected, hi-def camera and microphone in people’s front rooms is the NSA’s wet dream, especially considering Microsoft starting providing information to PRISM back in 2007….

    • Sensor

      So…everyone who dont buy a XBOX one, is a potential threat to the goverment. I image a world with NSA Agent that are complaining about a “analog” surveillance mission…So far i understand Microsoft dont providing information that are on your home Systems.

    • You own a smartphone? Well, you don’t need Xbox one. Always connected, GPS enabled sensor array with HD camera and dual noise canceling mics. Soooooo easy to hack its silly. (Androids, at least… iPhones must be jail broken.)

      • Sensor

        Well, surprise i dont have a smartphone. But i dont want to say thats all good, i can see a lag of social communication outside my WLAN. Yes i know its easy to hack smartphones but at least you have to hack it. Anywhy didnt the NSA have a survey programm also for Telephone data.

  15. Thomas Denny

    This is typical from the eu,of course it affects people in Europe,ie if you make a mobile phone call to the us then yes they would have your data, or Skype or many other apps the eu need to wake up or have they prior knowledge of this and secretly gave the thumbs up, this snooping is bad

  16. Like the US got trusted ever since the Patriot Act and other stuff that told the Europeans ‘Screw you, we’re going to spy on you and noone can do anything about it since your governments are brownnosing us anyway’.