By Geert Aalbers and Eben Kaplan
SAO PAULO – Across the world, governments and corporations have reacted furiously to revelations by the former US intelligence contractor Edward Snowden about the extent of American intelligence snooping on the data of its friends, foes and its own citizens. Much of this reaction amounts to diplomatic theater – protestations by national leaders whose own intelligence agencies do much the same thing, albeit with less success than the pervasive metadata vacuum wielded by the US National Security Agency.
As James Clapper, the US Director of National Intelligence, memorably put it, these complaints are akin to the wily police Capt. Renault in the film Casablanca declaring he was “shocked, shocked that gambling is going on” in the casino where he regularly gambled.
Even if these foreign denunciations of US intelligence activities are motivated primarily by domestic political considerations, a deeper backlash is gathering pace. This is driven by corporate interests concerned about the compromise of their intellectual property, by governments eager to protect national secrets, and by privacy advocates unwilling to cede further ground on principle.
Snowden’s actions had an immediate effect on parts of the technology industry, but the fallout will soon drift into other areas. These secondary effects will fall disproportionately in the global legal sector. Already, cyber-security issues pose a threat to attorney-client privilege, and new methods of communication have made electronic discovery and litigation support more complex. These challenges have caused law firms to seek out best practices to protect their clients’ sensitive data. But just as they have, a new, dynamic period of change and data protectionism is dawning.
Snowden’s portrayal of a US government tapping cell phones, cataloging call logs and hoovering up vast quantities of email and other data traffic has kicked legislative bodies into high gear. From the European Commission to the United Nations and national parliaments in Brazil, Germany, Japan and beyond, vast new cyber infrastructure and sweeping new laws are moving ahead – all aimed at bypassing routers, cables or other nodes vulnerable to the tentacles of the NSA. Not incidentally, these same actions will likely make data even more accessible to the intelligence and law enforcement agencies of the governments championing these changes. If you thought data protection laws lacked consistency before, just wait until the current Balkanization trend in global cyber infrastructure plays out.
The most dramatic manifestation of this took a big step forward last month when proposals for a new Europe-to-Brazil trans-Atlantic cable to avoid the current route through Miami dominated the normally commercial agenda of the annual EU-Brazil Summit. Brazilian President Dilma Rousseff and German Chancellor Angela Merkel, both of whom had their personal mobile phones tapped by the NSA, support the proposal, and plans are in motion to finance it through a joint venture between Brazil’s Telebras and the Spanish firm IslaLink Submarine Cables.
Clearly, the Snowden fallout has moved well beyond political theater.
Beyond this sub-oceanic realm, though, lies a complex thicket of new legislation moving through a myriad of parliaments and government regulatory agencies around the world. Earlier this month, the European Parliament passed a non-binding resolution calling for the immediate suspension of the US-EU Safe Harbor framework that facilitates transatlantic data exchanges—particularly in legal cases. In India, Japan, Germany, Brazil, Russia and many other countries, laws are being drafted or amended to require that Internet servers be based on national territory, that data collection records are not removed from the country, and that applications like Facebook, Twitter, LinkedIn and other social media have privacy controls that conform to local law rather than the global net ethos that prevailed before Snowden’s blizzard of leaks. Such restrictions would place such a burden on the compliance efforts of Internet companies, most of them US-based, that Google, Microsoft and others might pull up stakes rather than navigate new legal thickets. Non-compliance remains a likelier course of action than divestment for these companies, but either tack will come with a financial risk. Already US software firms stand to lose $35 billion in sales overseas through 2016, according to the Information Technology & Innovation Foundation, a US think tank, though Forrester Research suggests losses could be five times that amount. Some of those revenues will go to non-US competitors, but in some industries, the idea of the “cloud” – with all its streamlined, cost-saving efficiencies – could evaporate as security-conscious businesses revert to Earth-bound hardware.
Indeed, the ecosystem itself – governance of the Internet – is once more at issue. Again, Brazil and Germany are leading the charge, with German influence in the EU manifesting itself as a push to revive debates over the governance of the Internet. The basic standards of the Internet are currently controlled by the Los Angeles-based ICANN (Internet Corporation for Assigned Names and Numbers), an anachronism that animated some complaints but had seemed largely an issue for techies until the NSA scandal broke. An effort in the UN, largely by authoritarian countries, to displace ICANN in 2005 fizzled. But the Snowden controversy has revived the issue, with a host of Latin American countries issuing a so-called Montevideo declaration in October 2013 that “expressed strong concern over the undermining of the trust and confidence of Internet users globally due to recent revelations of pervasive monitoring and surveillance” and “called for accelerating the globalization of ICANN and IANA functions, towards an environment in which all stakeholders, including all governments, participate on an equal footing.” The Obama administration appears to have acquiesced, announcing this month that the US government would relinquish its oversight role of ICANN.
Jan Philipp Albrecht, a German member of the European Parliament, has pushed legislation attempting to unify the EU’s various national data protection and net neutrality laws around a single standard. He also offered a resolution to grant Snowden asylum in the EU, which was voted down.
The EU lent its weight to the effort in February, with the European Commission – the EU’s executive body – due to debate the issue in March. Meanwhile, Brazil moved to call a summit on the issue, pressuring ICANN into convening a “multi-stakeholder” conference under Brazilian auspices on April 24-25 in Sao Paulo.
These efforts will inevitably complicate multijurisdictional discovery and litigation efforts and, if history is any guide, lead many companies who have spent tens of millions to cope with the complexities of the pre-Snowden world to run afoul of new laws.
In India, the country’s communications and technology minister, Milind Deora, declared on February 25 that the country was moving ahead with plans “to develop and offer internet services by having their servers located in India in order to protect the interests and secrecy of communication of Indian citizens.” This will no doubt be a boon to India’s IT sector, but for international law firms already confounded by the hodge-podge jurisdictional challenges of Indian federalism and bureaucracy, operational costs and risks will soar.
Amid all this is the fact that the Snowden leaks also upped the cyber-espionage arms race. Countries that didn’t even know certain capabilities existed are now trying to acquire new monitoring tools, while more cyber-savvy nations may try to mimic the NSA’s tradecraft. This could have a tremendous impact on multinationals that come under government scrutiny in other countries.
In this world of data protectionism, each country could in effect have its own internet, the traffic of which might be stopped at national borders. Alternatively, it might cost money to cross borders – in effect, a world of internet tariffs and customs duties. The Balkanization of privacy laws is one thing, but the Balkanization of the Internet itself would constitute an even greater challenge.
Geert Aalbers is director of corporate investigations in Latin America and general manager for Brazil, and Eben Kaplan is a senior consultant at Control Risks. Control Risks is a business consultancy advising on political, integrity and security risk and providing litigation support and electronic discovery solutions through 34 offices around the globe.