Extended Mass Surveillance Increases Pressure to Keep Data Comms Private

Congress has approved a six-year extension of Section 702 of the U.S. surveillance law.

This means the continuation of PRISM, the controversial mass surveillance program first exposed by Edward Snowden in 2013, for the foreseeable future. The program allows the U.S. government to routinely monitor and analyze the data of private individuals using the services of certain major U.S. companies. 

Most Americans are unhappy that what they do online may be watched but passively accept it as the price of security. However, it is foreign intelligence that the U.S. authorities are mainly interested in.

This is likely to prove a major bone of contention with foreign powers, particularly the EU whose regulation for protecting the data of its citizens comes into force on May 25, 2018.

Companies wanting to preserve the integrity of confidential data communications in this time of uncertainty may want to think seriously about adopting a virtual private network (VPN) strategy to make sure they retain control over the privacy of sensitive business information.

Mass Surveillance Goes On

U.S. Congress has voted to extend its controversial mass surveillance program.

Under Section 702 of the law, the National Security Agency (NSA) is able to use PRISM to collect and analyze the emails, phone calls, SMS and other private messages of non-US citizens from American companies like AT&T, Google, Facebook and Microsoft – even if the communications are with American nationals.

The justification for the controversial scheme is national security - protection against terrorism in particular.

In practice, it’s a bit like the tale of The Emperor with No Clothes in reverse. The Emperor says he has given everyone a fine cloak of security to wear, fooling us into letting him see absolutely everything.

Public Opinion Divided

In 2015, following the original PRISM scandal, the Pew Research Center asked members of the American public about their attitudes to privacy.

In the study, 93 percent thought having control over who sees their information is important, while 90 percent said they would like control of what information is collected about them. Furthermore, 88 percent thought it important no one could watch or eavesdrop on them without their permission.

Since then the dominant mood has been one of quiet apathy.

It’s unlikely this will change unless a respected champion such as one of the major technology companies steps forward to defend customers’ privacy rights. Someone needs to step up to show how it is questionable that a complete lack of privacy on the Internet is desirable or even secure.

Mutually Assured Disharmony

Presently, the most likely challenge to the U.S. government’s position on mass surveillance will come from the EU.

When the European Court of Justice (CJEU) last reviewed U.S. privacy policy in 2015 they determined that mass surveillance was neither necessary nor proportionate. They were particularly concerned that foreign surveillance victims had no right to challenge instances of data abuse. They concluded US law was insufficient to protect Europeans.

This ultimately proved to be a critical factor in the breakdown of the EU-US Data Protection Safe Harbor accord - later scrapped and replaced with the current Privacy Shield agreement.

Meanwhile, another court case currently before the CJEU could stop Facebook importing EU citizens’ personal data from the EU to the U.S.

It is fair to say that attitudes to Internet privacy in the EU and the U.S. could not be more different.

In the short term, it remains a political fault-line that the two continents will continue to rub against. The situation is likely to come to a head in May when EU General Data Protection Regulation (GDPR) comes into force.

Long-term resolution will only be possible once U.S. law grants non-Americans the same rights that European courts and international human rights laws grant them.

U.S. Business Response

Despite all the uncertainty, U.S. businesses are doing their best to chart a way forward.

According to PwC, 32% are planning to cut back their EU presence as a result of the GDPR. However, the majority (64%) plan to establish a centralized data center in Europe as a potential solution.

In many cases, businesses are simply expanding their use of encryption technologies such as VPN to protect the privacy of sensitive data communications.

With VPN personal data in emails, mobile apps, cloud-based systems and machine-to-machine communications is automatically shielded from surveillance.  There are many types of VPN but businesses can gain added benefits from selecting a professional one.

Professional VPNs support IPSec and SSL encryption protocols as well as seamless encryption between data networks and Wi-Fi. A professional VPN also provides IT support staff the ability to control the system’s clients and components remotely from a central management console.

In summary, extension to U.S. surveillance law looks almost certain to conflict with European attitudes to data privacy and with EU GDPR in particular. 

In the current climate, it has never been more important for U.S. business to demonstrate they can be trusted to keep customer data communications private.

A combination of VPN technology and European-based data centers are the best proof short-term that U.S. companies can be trusted to keep customer confidential information, particularly of non-U.S. citizens, safe from  unwelcome state scrutiny.