Home > News > The NSA and Internet balkanization
190 views 6 min 0 Comment

The NSA and Internet balkanization

- July 30, 2013

Kevin Drum “argues”:http://www.motherjones.com/kevin-drum/2013/07/nsa-surveillance-foreign, _contra_ John Naughton and James Fallows, that the NSA program won’t cause an ‘international uprising.’

bq. it’s really not clear to me that broad public reaction is going to be very strong. Will Danish users stop using Facebook until some Danish company creates an alternate social networking platform? Probably not. The fear of NSA spying is simply nowhere near as compelling as the huge inconvenience of everyone being on a different platform and being unable to chat and share pictures with their friends in other countries. As for businesses, they’re probably less interested in avoiding NSA spying than they are in staying ahead of hackers and concealing their more dubious dealings from ordinary law enforcement agencies. Using a non-U.S. platform won’t do them any good on either of these scores. We’ll see, of course. Maybe this is the beginning of a long decline in U.S. information services, as overseas users start to move to other platforms. It’s possible. Unfortunately, I sort of doubt it. At most, I suspect we’ll start to see a bit more nationalistic reliance on domestic network infrastructure, but that’s something that’s always been likely anyway. Beyond that, people will just keep on doing what they’ve been doing.

I think that Kevin seriously underestimates the extent to which privacy and surveillance are important issues in “countries like Germany”:http://www.spiegel.de/international/germany/accusations-fly-in-german-campaign-over-nsa-spying-affair-a-911190.html#ref=rss. But the more important issue is that a strong European reaction does not require a mass public revolt. All it requires are more forceful actions by European officials who will have every incentive to make a fuss – specialized privacy commissioners, or, as they are called in Europe, data protection authorities.

Each European member state has a data protection authority (DPA) – an independent watchdog with powers to require corrective action from private companies, or to fine them. To date, these fines have been relatively small scale. Under new legislation in the pipeline, DPAs may be able to fine companies like Google or Microsoft 2% of their annual turnover, if they are found to have breached the privacy of European citizens. Up to the Snowden scandal, it looked likely that this legislation would have a carveout for FISA type requests from the US (the US has been quietly and intensively lobbying for this). No longer. It is clear that no carve out has any chance of making it through the European Parliament.

Furthermore, European politicians are responding to pressure over the NSA by trying to “beef up European privacy law still further”:http://www.ft.com/intl/cms/s/0/7a4b26d8-eca6-11e2-a0a4-00144feabdc0.html#axzz2Z3WAFhvC. One of the reasons that companies like Google and Microsoft have based themselves in Ireland is because the Irish DPA is … more understanding of their needs … than many of his counterparts on the continent. Germany is now pushing to eliminate this national level flexibility in interpretation.

The results are clear. Cooperation with the NSA is probably illegal under European law as it stands, and the law as it is likely to be amended. Big US firms like Google, Microsoft and Facebook may find themselves in the unappealing position of facing hefty European fines if they continue to cooperate with the NSA, and legal difficulties in the US if they stop cooperating. They are unsurprisingly quite unhappy with this turn of events. They are likely to be more unhappy still if (as is entirely likely) DPAs threaten action against European firms who outsource, say, email services to Google. And this is not to get into questions of government procurement (where national IT firms are likely to see a big boost in business thanks to security fears – if Microsoft is cooperating with the US government, do you really want to have it running your internal servers).

The simple lesson here is that it doesn’t take mass public defections to make life difficult for US cloud providers. All one needs is action by the relevant regulators. This kind of politics should also prompt political scientists to pay _much_ more attention to interactions between national regulators than they do, as this is where much of the interesting political action is taking place between countries with low tariff barriers and increasingly interdependent economies (again, “Abe Newman and I”:http://henryfarrell.net/wp/wp-content/uploads/2013/04/New_Interdependence.pdf make this argument at greater length in a forthcoming piece in _World Politics_).