Microsoft’s onetime Chief Privacy Advisor, Caspar Bowden, has come out with a vote of no-confidence in the company’s long-term privacy measures and ability or interest to secure user data in the wake of the NSA’s PRISM program. From 2002 – 2011, Bowden was in charge of privacy at Microsoft, and oversaw the company’s efforts in that area in more than 40 countries, but claims to have been unaware of the PRISM program’s existence while he worked at the company. In the two years since leaving Microsoft, Bowden has ceased carrying a cell phone and become a staunch open source user, claiming that he no longer trusts a program unless he can see the source.
“The public now has to think about the fact that anybody in public life, or person in a position of influence in government, business or bureaucracy, now is thinking about what the NSA knows about them. So how can we trust that the decisions that they make are objective and that they aren’t changing the decisions that they make to protect their career? That strikes at any system of representative government.”
As Bowden goes on to point out, if you aren’t a US citizen, you have no protection whatsoever from PRISM.
This is a point that has real potential consequences for any international company. The NSA claims that there are protections that keep the data of ordinary US citizens out of abusive hands, and that we should trust them with this information. Some people agree with that. Some people don’t. But what no one disagrees with is the fact that foreign companies, governments, and citizens have no protections of any kind. To the contrary, some of the NSA’s documentation explicitly plays up the fact that huge amounts of foreign traffic travels through the United States on a regular basis.
Much of the NSA’s work is devoted to snooping on this foreign traffic to monitor and record what various groups are up to. And these groups have no protection whatsoever under US law. The bigger problem here is that due to the way the Internet routes traffic, there’s no guarantee that a message from Point to Point B doesn’t travel over US networks. Obviously that’s not going to happen if you’re sending data from one small town to another in Europe, but a message from, say, Brazil to Canada almost certainly passes through the United States. A message from South or Central America to Europe or China? Same deal.
This is a fundamental problem for nations that aren’t interested in exposing their traffic to American observation, whether they’re engaged in nefarious activities or not. Long term, the problem could lead to the construction of digital firewalls, in which the United States is effectively isolated behind protective nodes built by local governments to scrub and redirect traffic away from potential capture points. This is directly in opposition to the central concept of the Internet, which is a dynamic structure capable of responding to outages or damage by routing around the problem.
Traffic flows, however, can be rerouted.
It’s not that Microsoft is unique, here. In fact, the situation would be simpler to solve if they were. The problem is that the access the NSA has crafted for itself applies to all companies equally. Microsoft, Yahoo, Google, Apple — your data is as secure as the NSA decides it is, and not one jot more.