oti – Techdirt
Report Says Backlash From NSA's Surveillance Programs Will Cost Private Sector Billions Of Dollars
from the screwed-by-the-government-even-as-it-screws-itself dept
The Open Technology Institute has put together a thorough paper detailing the many adverse effects the NSA disclosures have had, both on American businesses inside and outside of the tech sector, as well as on Americans themselves.
The Open Technology Institute is no stranger to the adverse side effects of the NSA’s pervasive surveillance. Its own open-source mesh network project (Commotion) was accompanied by this warning, prompted by the revelations of the Snowden leaks.
Commotion
- Cannot hide your identity
- Does not prevent monitoring of internet traffic
- Does not provide strong security against monitoring over the mesh
- Can be jammed with radio/data-interference
So, how much will the NSA leaks cost American businesses? It’s tough to say. Although the OTI has done an incredible amount of research, it’s difficult to pin down exact losses. Any time an American company has its bid denied by a foreign country, the NSA’s actions have likely played some role. But this will very rarely be stated explicitly. This leads to a rather open-ended estimate of lost sales.
Nearly 50 percent of worldwide cloud computing revenue comes from the United States, and the domestic market more than tripled in value from 2008 to 2014. However, within weeks of the first revelation, reports began to emerge that American cloud computing companies like Dropbox and Amazon Web Services were losing business to overseas competitors. The NSA’s PRISM program is predicted to cost the cloud computing industry from $22 to $180 billion over the next three years.
Cloud services aren’t the only victims of NSA overreach. Hardware manufacturers are also seeing losses. Cisco, one of the first to complain about sales losses due to NSA leaks, was also the only company to have its logo splashed all over the internet when a leaked presentation contained a photo of NSA agents opening one of its boxes from an intercepted shipment. The NSA’s Tailored Access Operations (TAO) has subverted any number of companies’ products and Qualcomm, Microsoft and Hewlett-Packard have all reported dropping sales, according to OTI’s research.
Other direct effects are being felt as well. Germany is ending its long-running contract with Verizon and German companies are specifically excluding American businesses when seeking bids. The blowback from the NSA’s spying on Brazilian president Dilma Rousseff cost Boeing a $4.5 billion contract for new jet fighters. (The contract went to Saab.)
Also directly affecting US companies is a future full of increased compliance costs as countries move towards data sovereignty. This means tech companies like Facebook and Google will need to build local data centers if they wish to keep citizens in affected countries as users. The European Parliament’s new data protection law could easily result in massive fines for US companies.
In March 2014, members of the European Parliament passed the Data Protection Regulation and Directive, which imposes strict limitations on the handling of EU citizens’ data. The rules, which apply to the processing of EU citizens’ data no matter where it is located, require individuals to consent to having their personal data processed, and retain the right to withdraw their consent once given. The deterrent fines are significant: violators face a maximum penalty of up to five percent of revenues, which could translate to billions of dollars for large tech companies.
Companies from outside of the tech sector are also facing downturns, thanks to the NSA’s activities. The cheapest and most convenient way for companies to reach customers (and vice versa) is taking a hit as wary citizens take steps to avoid leaving as large a digital footprint.
According to an April 2014 Harris poll, nearly half of the 2000 respondents (47 percent) have changed their online behavior since the NSA leaks, paying closer attention not only to the sites they visit but also to what they say and do on the Internet. In particular, 26 percent indicated that they are now doing less online shopping and banking since learning the extent of government surveillance programs.
The most harmful indirect side effect of the NSA leaks is a move towards Balkanization of the internet, an outcome that threatens both the structural integrity of the web as well as the public itself.
Data localization proposals also threaten the functioning of the Internet, which was built on protocols that send packets over the fastest and most efficient route possible, regardless of physical location. Finally, the localization of Internet traffic may have significant ancillary impacts on privacy and human rights by making it easier for countries to engage in national surveillance, censorship, and persecution of online dissidents.
It’s not just tech companies that are the collateral damage of the NSA’s programs. It’s also the American government itself. The entity that gave its official blessing for widespread, untargeted surveillance in the wake of the 9/11 attacks is now paying the price for its audacity. Not only did this negatively affect the US’s nominal position as the “head” of the open internet, but it’s also completely eroded the high ground on human rights the country held for so many years.
The damaged perception of the United States as a leader on Internet Freedom and its diminished ability to legitimately criticize other countries for censorship and surveillance allows foreign leaders to justify and even expand their own efforts. The long-term implications of destroying trust in the Internet through the hypocrisy of its greatest champion are detrimental to the interests of all democratic nations. Foreign governments and their populations are now wary not just of the United States government and companies, but of technology more generally.
It is apparent that the negative side effects of the NSA’s power and reach were never considered by anyone with the power to rein it in. Now that these programs have been exposed, the damage control has backfired, relying both on “it’s completely legal” (which implicates the US government and its oversight policies) and the always-vaguely-stated “terrorism threat” (which paints the agency and its supporters as disconnected fearmongerers). Now, the US is paying the price, with most of it being paid by those outside of any government.
The OTI suggests several remedies, most of which the NSA (and the administration) would likely fight every step of the way. Strengthening data protections (and extending those protections to foreign citizens) would be portrayed as allowing terrorists to escape detection and surveillance. Increased transparency is also suggested, but that hasn’t been welcomed by anyone at the administration level for the past 13 years. There’s no reason to believe a sea change is just over the horizon.
Also suggested is restoring trust in the NIST’s encryption standards and forbidding the NSA from installing hardware and software backdoors. The former is a long shot, but doable. Restoring trust always takes much, much longer than destroying it. On the latter, there’s no way the NSA will give up this surveillance tool without a (long) fight and there’s hardly any reason to believe it will ever give it up completely. After all, despite all the forced transparency, it still operates mostly in the dark.
OTI also calls for the NSA to stop making internet use more dangerous than it already is.
Secret stockpiling of previously unknown flaws irresponsibly leaves users open to attack from anyone who discovers the weakness. Consistent with the Review Group’s Recommendation, the U.S. government should establish and adhere to a clear policy to disclose vulnerabilities to vendors by default, and only withhold that information in the narrowest circumstances and for the shortest period of time possible—if at all.
As has been noted, this is a worldwide problem, greatly exacerbated by a number of private security firms which stockpile vulnerabilities to sell to intelligence and law enforcement entities (while at the same time selling protection against their stockpile of undisclosed exploits to other private companies). Stopping the NSA from doing this is only a small part of the problem. Governing the actions of private companies worldwide will be a much more difficult task.
The repercussions of the NSA’s programs will be felt for years. The cost to the United States’ reputation is already being felt. It can’t be quantified, but it is very noticeable. The final cost to American companies will undoubtedly be in the hundreds of billions. Destroyed trust takes a long time to rebuild and every day that passes without the NSA being seriously reined in (the USA Freedom Act, Dianne Feinstein’s Fake Fix) just makes it longer. Lost sales are hard to quantify, but there can be no doubt this will harm the US — on both a private and public level — for years to come.
Filed Under: costs, nsa, private sector, surveillance
Companies: open technology institute, oti
As Feared: House Guts USA Freedom Act, Every Civil Liberties Organization Pulls Their Support
from the tragic dept
As we feared would happen, the House, under pressure from the White House, has completely watered down the USA FREEDOM Act. After a long (and, we’ve heard, contentious) battle among the different players, the bill that’s moving to the floor tomorrow is even less useful than the already weakened version that passed out of both the House Judiciary and Intelligence Committees. Following the revelation of the new version of the bill late Tuesday, basically every civil liberties organization pulled their support for the bill.
- EFF: Since the introduction of the USA FREEDOM Act, a bill that has over 140 cosponsors, Congress has been clear about its intent: ending the mass collection of Americans’ calling records. Many members of Congress, the President’s own review group on NSA activities, and the Privacy and Civil Liberties Oversight Board all agree that the use of Section 215 to collect Americans’ calling records must stop. Earlier today, House Leadership reached an agreement to amend the bipartisan USA FREEDOM Act in ways that severely weaken the bill, potentially allowing bulk surveillance of records to continue. The Electronic Frontier Foundation cannot support a bill that doesn’t achieve the goal of ending mass spying. We urge Congress to support uncompromising NSA reform and we look forward to working on the Senate’s bipartisan version of the USA FREEDOM Act.
- CDT: Today, the Leadership of the House of Representatives gave the green light to an amendment to the USA FREEDOM Act that would significantly weaken the bill’s ban on the government’s bulk collection of data, despite the broader consensus that bulk collection must end. The Center for Democracy & Technology (CDT) and other civil liberties groups long supported the USA FREEDOM Act, but have withdrawn their support for the House version of the bill.
“This legislation was designed to prohibit bulk collection, but has been made so weak that it fails to adequately protect against mass, untargeted collection of Americans’ private information. The bill now offers only mild reform and goes against the overwhelming support for definitively ending bulk collection,” said CDT President and CEO Nuala O’Connor.
- Open Technology Institute: “House leaders should have allowed a vote on the compromise version of the USA FREEDOM Act that was already agreed to, rather than undermining their own members and caving in to the intelligence community’s demands. We recognize the need for the USA FREEDOM Act to move forward now, in order to avoid a worse bill or no bill at all. However, we cannot in good conscience support this weakened version of the bill, where key reforms — especially those intended to end bulk collection and increase transparency — have been substantially watered down. We’re gravely disappointed that rather than respecting the wishes of the unanimous Judiciary and Intelligence Committees, the House leadership and the Obama Administration have chosen to disrupt the hard-fought compromise that so many of us were willing to support just two weeks ago.
“The original USA FREEDOM Act was a great leap forward on surveillance reform, and the compromise version of two weeks ago was still a big step forward, but today’s version is merely leaning in the right direction. Much of what has been weakened in the House version of USA FREEDOM will have to be restored in the Senate before the privacy and civil liberties community will be willing to support this bill again.”
- Access: Today, the U.S. House of Representatives’ Rules Committee reported a dramatically different version of the USA FREEDOM Act meant to reform NSA surveillance activities than what was unanimously approved by both the House Judiciary and Intelligence Committees two weeks ago.
Yesterday, Access expressed its concern after learning that House leaders and Obama administration met over the weekend to negotiate the bill and commented, “The version we fear could now be negotiated in secret and introduced on the House floor may not move us forward on NSA reform.”
“It’s greatly disappointing to witness House leaders succumb to the pressure applied by the Obama administration and others, turning its back on the compromise version of USA Freedom that so many supported just two weeks ago. The USA FREEDOM Act had previously passed through two committees before being secretly watered down behind closed doors. Access is forced to withdraw our support of the USA FREEDOM Act,” said Amie Stepanovich, Senior Policy Counsel at Access.
This is unfortunate on many, many levels. I know many who are more cynical will suggest that this was the inevitable end to the process, but that’s not true. A much stronger bill had the opportunity to move forward, but the White House — despite President Obama’s own promises — put pressure on the House to change the bill and significantly weaken it. Basically, the White House has now made it clear that for all its talk about respecting the constitution and civil liberties, when it comes time to actually show real leadership, it won’t do it, and instead will back efforts that make a mockery of basic civil liberties.
Filed Under: congress, nsa, privacy, surveillance, usa freedom act
Companies: access, cdt, eff, oti
US Promoting Mesh Networks; Reporters Misleadingly Think They Somehow Stop Digital Spying
from the not-the-same-thing dept
A recent article in the NY Times talked about how the US State Department is behind a project to build up mesh networks that can be used in countries with authoritarian governments, helping citizens of those places access an internet that is often greatly limited. This isn’t actually new. In fact, three years ago we wrote about another NY Times article about the State Department funding these kinds of projects. Nor is the specific project in the latest NYT article new. A few months back, we had covered an important milestone with Commotion, the mesh networking project coming out of New America Foundation’s Open Technology Institute (OTI).
But the latest NYT article is especially odd, not because it repeats old news, but because it tries to build a narrative that Commotion and other such projects funded by the State Department are somehow awkward because they could be used to fight back against government surveillance, such as those of the NSA. The problem is that the issues are unrelated, and nothing in mesh networking deals with stopping surveillance. As Ed Felten notes, the Times reporters appear to be confusing things greatly:
There’s only one problem: mesh networks don’t do much to protect you from surveillance. They’re useful, but not for that purpose.
A mesh network is constructed from a bunch of nodes that connect to each other opportunistically and figure out how to forward packets of data among themselves. This is in contrast to the hub-and-spoke model common on most networks.
The big advantage of mesh networks is availability: set up nodes wherever you can, and they’ll find other nearby nodes and self-organize to route data. It’s not always the most efficient way to move data, but it is resilient and can provide working connectivity in difficult places and conditions. This alone makes mesh networks worth pursuing.
But what mesh networks don’t do is protect your privacy. As soon as an adversary connects to your network, or your network links up to the Internet, you’re dealing with the same security and privacy problems you would have had with an ordinary connection.
The whole point of Commotion and other mesh networks is availability, not privacy. The target use is for places where governments are seeking to shut down internet access, not to surveil those using it. Yes, there is a case where if you could set up a mesh network that then routed around government surveillance points you could circumvent some level of surveillance, but the networks themselves are not designed to be surveillance proof. In fact, back in January when we wrote about Commotion, we pointed out directly that the folks behind the project themselves are pretty explicit that Commotion is not about hiding your identity or preventing monitoring of internet traffic.
Could a mesh network also be combined with stronger privacy and security protections? Yes, but that’s different than just assuming that mesh networking takes on that problem by itself. It doesn’t — and it’s misleading for the NYT to suggest otherwise.
Filed Under: access, commotion, mesh networks, privacy, security, state department
Companies: new america foundation, oti
Wireless Mesh Networks, The NSA, And Re-building The Internet
from the exploring-all-the-avenues dept
One of the bitter lessons we learned from Snowden’s leaks is that the Internet has been compromised by the NSA (with some help from GCHQ) at just about every level, from our personal software and hardware, through ISPs to major online services. That has prompted some in the Internet engineering community to begin thinking about how to put back as much of the lost security as possible. But even if that’s feasible, it’s clearly going to take many years to make major changes to something as big and complex as the Net.
However, there’s an alternative approach to digital connectivity that has been around for a while, and that’s already being used around the world. Wireless meshes allow ad-hoc networks to be set up independently of the Internet’s main wiring by hooking together a local collection of suitable devices. Mesh networks can be thrown up and torn down quickly; devices can join and leave them dynamically; and they can recover from breaks in the wireless links by setting up alternative paths. They can either be run as local area networks, disconnected from the Internet, or hooked into it, allowing single or multiple links to be shared by the entire mesh.
One such wireless mesh comes from The New America Foundation’s Open Technology Institute, which describes itself as follows:
> The Open Technology Institute formulates policy and regulatory reforms to support open architectures and open source innovations and facilitates the development and implementation of open technologies and communications networks. OTI promotes affordable, universal, and ubiquitous communications networks through partnerships with communities, researchers, industry, and public interest groups and is committed to maximizing the potentials of innovative open technologies by studying their social and economic impacts – particularly for poor, rural, and other underserved constituencies. OTI provides in-depth, objective research, analysis, and findings for policy decision-makers and the general public.
Its Commotion project has just reached an important milestone:
> Open Technology Institute (OTI) announced today that it has completed Beta testing and upgrades of its groundbreaking mesh networking toolkit, and is launching Commotion 1.0 in time for the new year. The launch represents the first full iteration of the technology, which makes it possible for communities to build and own their communications infrastructure using “mesh” networking. In mesh networks, users connect their devices to each other without having to route through traditional major infrastructure.
>
> Commotion 1.0 is an open-source toolkit that provides users software and training materials to adapt mobile phones, computers, and other wireless devices to create decentralized mesh networks so they can connect and share local services. A mesh network can function locally as an Intranet, but when one user connects to the Internet, all users will have access to it as well.
Of course, neither Commotion nor other wireless meshes are proof against the NSA’s huge array of tricks and tools that we have recently found out about. Indeed, OTI provides an explicit “warning label” for its mesh:
> Commotion
>
> Cannot hide your identity
> Does not prevent monitoring of internet traffic
> Does not provide strong security against monitoring over the mesh
> Can be jammed with radio/data-interference
But it’s important to remember that Commotion and the other wireless mesh systems were designed in a more innocent time, before we knew the extent to which we were being spied upon, and how much the basic protocols of the Internet had been compromised. Now that we’ve learnt about all those things, it would be good to use that knowledge to spur the creation of the next generation of wireless mesh systems with high levels of security and privacy, so that we can add them to our own collection of tools and tricks in the fight to build a surveillance-resistant Net.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Filed Under: commotion, infrastructure, mesh networks, privacy, security, wireless, wireless mesh networks
Companies: open technology institute, oti