In 2011, two years before Snowden, Microsoft’s then Chief Privacy Officer Caspar Bowden tried to warn his company that any cloud computing solutions sold to foreign governments would mean unlimited mass surveillance of their clients by the NSA. Two months later Bowden was fired from Redmond.
Speaking at the 31st Chaos Computer Congress in Hamburg, Bowden said that he warned 40 Microsoft National Technical Officers, effectively ambassadors of Microsoft, about the implication of US laws on privacy. The law underpinning PRISM, the NSA-GCHQ clandestine mass surveillance programme, was the 2008 Foreign Intelligence Surveillance Act Amendment Act (FISAAA). This law is about obtaining foreign intelligence, targeting non-US persons outside of the US, which is 95% of the world’s population.
Providers must provide government facilities to accomplish this action in secret.
Bowden said that the bottom line of FISAAA means that if you are not American, you cannot trust cryptographic services, or in general, software services provided by US companies. Even if that software is cryptographically sound to begin with, if you are not an American in the US, a software update can be pushed to subvert your security.
As Yahoo’s Marissa Mayer later pointed out, any company not complying would be found in contempt of court and potentially committing an offence under the Espionage Act, liable to 20 years’ imprisonment or worse.
“It doesn’t have to be about criminality or national security. It can purely mean political surveillance in the political and economic interests of the United States. There is no constitutional protection for foreigners in foreign lands and the US Congress was laughing, laughing that you have privacy rights,” he said.
Bowden met a wall of indifference from journalists. Nobody at the Guardian, New York Times or Washington Post showed any interest; nor did mainstream European politicians, who did not understand. “Of course, it’s encrypted isn’t it?” was the general response.
The issue is that most privacy laws were drafted to cover communications, not computing, and that technically it is possible to encrypt data and store it securely in the cloud. However, that is not possible if one wants to compute with that data.
“You cannot protect data in cloud computing,” he said.
In recent years, Bowden has worked with those trying to find ways to make cloud computing contracts work, a task that is impossible, given the US constitution. Even if Congress were to pass a law that provided the protection desired, spying on foreigners in a foreign land is a presidential prerogative and the President cannot be restricted by Congress.
Rather, Bowden said, the only way was for the European Union to withhold data flows to US-based cloud computing providers, essentially engaging in a trade war, until a desirable outcome is achieved.
The former Microsoft employee said that the only way to ensure privacy was to have free and open source software running on locally hosted data centres.
Ultimately the NSA’s surveillance is highly corrosive to democracy.
Bowden said most people do not think they have anything to hide, but people vote for politicians and trust bureaucrats to take decisions fairly in the collective interest. The danger is that those politicians and officials may be influenced by fear of the NSA spying on their own private lives. Anyone with half a brain cell in public life knows their career can be ruined by one tabloid news story.
“The thoughts that Edward Snowden has put in the minds of the public cannot now be unthought,” he said.