Can Microsoft Outwit the NSA?
Last year, Edward Snowden pretty much turned the way the world views data security on its head. By leaking a series of classified documents to the press, Snowden revealed that government security agencies — and, in particular, the U.S. National Security Agency — had obtained a previously unimaginable level of access to the data collected and stored by companies such as Google (NASDAQ:GOOG), Apple (NASDAQ:AAPL), Yahoo (NASDAQ:YHOO), and Microsoft (NASDAQ:MSFT).
The revelations created a stink for the U.S. technology industry that will be hard to wash away. It has become painfully apparent to both the American people and the world that the U.S. Department of Defense, under whose umbrella the NSA falls, has been engaged in what many consider extreme security measures whose cost (real or perceived) has been privacy. Consumers, unsurprisingly, don’t want to pay this cost. Sensitive to privacy concerns, consumers — and, in some cases, governments — have advocated for a boycott of U.S. Internet and technology companies whose security networks are suspected to be compromised by the NSA.
Having the NSA’s nose in its servers is, quite fundamentally, bad for business. Google, Apple, Yahoo, Microsoft, and most other Internet companies can only operate within a context of some reasonable degree of information security. People would not use Gmail if they felt it was vulnerable to snooping, people would not use Google Documents if they felt their files were unsafe, etc.
Perhaps the most visible example of a business that has been harmed by the NSA snafu is Lavabit, an encrypted email service used by Snowden that chose to shut down operations instead of comply with requests from the government.
Lavabit owner and operator Ladar Levison left a message on his company’s website that concluded, “This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would strongly recommend against anyone trusting their private data to a company with physical ties to the United States.”
This view was echoed by German Interior Minister Hans-Peter Friedrich, who said, “whoever fears their communication is being intercepted in any way should use services that don’t go through American servers.” German Justice Minister Jörg-Uwe Hahn has called for a boycott of American tech companies. The German minister has directly referenced Google as an American company to avoid, but any company that processes data in the U.S. — such as Yahoo, Apple, and Microsoft — is now suspect.
In turn, U.S. tech companies have begun doing damage control. Most recently, Microsoft announced that it will begin allowing foreign customers to choose to store their data on servers outside of the U.S. As Microsoft general council Brad Smith told the Financial Times, “People should have the ability to know whether their data are being subjected to the laws and access of governments in some other country and should have the ability to make an informed choice of where their data resides.”
However, data-policy experts suggest that Microsoft’s plan may not actually solve the problem at hand. As Chris Soghoian, a privacy researcher at the American Civil Liberties Union, told the Wall Street Journal that, “What matters more than where the data is, is where the system administrators are and who can order them to do things. As long as (a company) has a presence, the data is vulnerable.”