The NSA and Internet balkanization

Kevin Drum argues, contra John Naughton and James Fallows, that the NSA program won’t cause an ‘international uprising.’

it’s really not clear to me that broad public reaction is going to be very strong. Will Danish users stop using Facebook until some Danish company creates an alternate social networking platform? Probably not. The fear of NSA spying is simply nowhere near as compelling as the huge inconvenience of everyone being on a different platform and being unable to chat and share pictures with their friends in other countries. As for businesses, they’re probably less interested in avoiding NSA spying than they are in staying ahead of hackers and concealing their more dubious dealings from ordinary law enforcement agencies. Using a non-U.S. platform won’t do them any good on either of these scores. We’ll see, of course. Maybe this is the beginning of a long decline in U.S. information services, as overseas users start to move to other platforms. It’s possible. Unfortunately, I sort of doubt it. At most, I suspect we’ll start to see a bit more nationalistic reliance on domestic network infrastructure, but that’s something that’s always been likely anyway. Beyond that, people will just keep on doing what they’ve been doing.

I think that Kevin seriously underestimates the extent to which privacy and surveillance are important issues in countries like Germany. But the more important issue is that a strong European reaction does not require a mass public revolt. All it requires are more forceful actions by European officials who will have every incentive to make a fuss – specialized privacy commissioners, or, as they are called in Europe, data protection authorities.

Each European member state has a data protection authority (DPA) – an independent watchdog with powers to require corrective action from private companies, or to fine them. To date, these fines have been relatively small scale. Under new legislation in the pipeline, DPAs may be able to fine companies like Google or Microsoft 2% of their annual turnover, if they are found to have breached the privacy of European citizens. Up to the Snowden scandal, it looked likely that this legislation would have a carveout for FISA type requests from the US (the US has been quietly and intensively lobbying for this). No longer. It is clear that no carve out has any chance of making it through the European Parliament.

Furthermore, European politicians are responding to pressure over the NSA by trying to beef up European privacy law still further. One of the reasons that companies like Google and Microsoft have based themselves in Ireland is because the Irish DPA is … more understanding of their needs … than many of his counterparts on the continent. Germany is now pushing to eliminate this national level flexibility in interpretation.

The results are clear. Cooperation with the NSA is probably illegal under European law as it stands, and the law as it is likely to be amended. Big US firms like Google, Microsoft and Facebook may find themselves in the unappealing position of facing hefty European fines if they continue to cooperate with the NSA, and legal difficulties in the US if they stop cooperating. They are unsurprisingly quite unhappy with this turn of events. They are likely to be more unhappy still if (as is entirely likely) DPAs threaten action against European firms who outsource, say, email services to Google. And this is not to get into questions of government procurement (where national IT firms are likely to see a big boost in business thanks to security fears – if Microsoft is cooperating with the US government, do you really want to have it running your internal servers).

The simple lesson here is that it doesn’t take mass public defections to make life difficult for US cloud providers. All one needs is action by the relevant regulators. This kind of politics should also prompt political scientists to pay much more attention to interactions between national regulators than they do, as this is where much of the interesting political action is taking place between countries with low tariff barriers and increasingly interdependent economies (again, Abe Newman and I make this argument at greater length in a forthcoming piece in World Politics).

3 Responses to The NSA and Internet balkanization

  1. Dale July 30, 2013 at 4:02 pm #

    If you distrust, for example, Google, to handle your email, you have alternatives. Other email providers, or running your own email servers.

    If you distrust Facebook though, you’re screwed.

    The difference between email and Facebook is that email is a public, standard, decentralized protocol. If European nations are truly distrustful of the NSA and Facebook, the first thing they need to do is create a public, standard, decentralized protocol for social networking. Create it, and then give it away.

    There is precedent. Google killed AIM’s grip on instant messaging by using the open XMPP protocol (and now, in victory, have shuttered their use of XMPP, but that’s another story…) Diaspora began a project like this, but collapsed for internal reasons. I think the EU can get further than a team of four programmers.

  2. Rah August 2, 2013 at 1:46 am #

    Several things complicate this quite a bit.

    1) If you want your information secure from US spying agencies, it turns out that one of the safest places to keep the data is probably the US, not Europe.

    2) European nations depend on US intelligence quite a bit to deal with their own terror problem. They can’t actually sever ties as you describe without effectively blinding themselves.

    3) Most European law enforcement agencies all have their own domestic surveillance programs that aren’t much less invasive than the US domestic surveillance programs (pretty much any country with a budget does this, it’s common sense that you monitor metadata).

    • Grimaud August 24, 2013 at 4:19 pm #

      1) If you take a look at the various email/sms encryption services, you’ll notice that they’ve all had a surge in subscribers post Snowden, whilst “private cloud” software (e.g. “ownCloud”) that lets you synch your iPhone/Android with a server under your own control, rather than Apple or Google’s clouds. One wag recently opined that the kind of surveillance Snowden confirmed has only two possible uses: Insider trading and blackmail. Arguably, private servers running VPNs, disk encryption, and all that grisly stuff, are far more of a threat than large, but unaligned, service providers, and they cost very little to set up.

      2) What terror problem? I currently reside in the UK, and we don’t have one. The same seems to be true of all other European countries. Last year, the English had approximately 70 times the chance of being killed by their bathwater being too hot than by terrorist action.

      3. Precisely. Reread my point 1).