Below is a guest post by Karen Kornbluh, Senior Fellow for Digital Policy.
Debate in the United States regarding the Snowden revelations of National Security Agency (NSA) surveillance has focused on the privacy implications for U.S. citizens. However, the fallout is much greater: NSA revelations threw a lit match onto a number of combustible global disputes that threaten the openness of the Internet itself.
In recent years foreign governments have been threatening to Balkanize the Internet and create what would be, in effect, national mini-Internets (or, as Richard Salgado, Google’s law enforcement and information security director, termed it, a “splinter net”). If this comes to pass, the United States has a lot to lose. President Obama delivers a speech today about reforms to the NSA’s surveillance, but the administration should also move to contain the international fallout of the NSA’s activities by designing a coherent Foreign Policy of the Internet.
The Internet is the most powerful driver of commerce and innovation since the invention of the steam engine. According to the National Foreign Trade Council, goods, services, and content flowing through the Internet were responsible for 15 percent of U.S. GDP growth from 2007 to 2012.
Already, in response to the exposure of the NSA’s surveillance, many foreign governments are making it more difficult for U.S. communications and tech companies to conduct business abroad. Just a few examples:
- After learning that the NSA listened in on her phone calls and read her emails, and in frustration with U.S. reluctance to share law enforcement data, Brazilian president Rousseff is working with Brazilian legislators to draft a bill that would force many providers to store and process data about Brazilian citizens in the country. Building data centers in Brazil would prove to be costly for U.S. companies and their Brazilian customers.
- In Europe, following news of NSA spying on German chancellor Angela Merkel and on the EU Competition Commissioner, the Commission’s November report on the U.S.-EU Safe Harbor agreement calls for major changes in U.S. rules as a condition for continuing that accord. The Safe Harbor agreement enables transatlantic flows of personal data without bureaucratic delays and filing requirements that would ordinarily apply. The revelations fueled support for proposals to protect a “European Cloud” from U.S. competition. U.S. Internet companies have reason for concern: their sales to Europe are double those to the rest of the world combined.
- A number of rising economic powers–Malaysia, Indonesia, South Korea, and Vietnam–have either put in place or are actively considering requirements that companies keep their citizens’ data in their respective countries.
- Cyber-autocracies, like China and Russia, continue to press for national governments to gain more sovereign control of networks through the United Nations–claiming the U.S. dominates the current “multistakeholder” governance bodies (such as ICANN, the Internet Engineering Task Force, the Internet Architecture Board, the World Wide Web Consortium, and the Internet Society). These groups, fearing that NSA revelations would give more developing countries cause to support UN control, issued in October a joint call for the “internationalization” of the multistakeholder Internet governance system. A panel meeting in Brazil this spring will issue recommendations on how to proceed.
For those wondering if this sturm und drang really amounts to much, there is already evidence of lost U.S. business: Cisco’s orders in China fell 18 percent in the three months ending in October; Brazil awarded a $4.5 billion contract to Saab AB rather than Boeing (until recently the favorite); and U.S. firms that collect personal data—from credit card companies to cloud-computing providers—have been exploring building or expanding data centers in Europe in case their ability to send data home is restricted. Such restrictions would drive the cost of doing business up to levels that would make it prohibitive for young start-ups to reach international markets. Estimates of potential revenue losses range from $35-$180 billion through 2016.
President Obama’s reforms must be part of a broader Foreign Policy of the Internet, in which the United States builds support for norms that allow countries to protect domestic policy and security priorities without impinging on the openness of the Internet. If we are going to protect this precious platform, the Internet, the United States must:
- Eliminate China’s ability to accuse the United States of conducting economic espionage by exempting economic espionage unrelated to national security from nondisclosable surveillance requests for information stored with U.S. companies.
- Go beyond this with a small number of carefully chosen friendly governments to agree to bilateral surveillance standards for eavesdropping on each other’s citizens and create a new process that requires high-level approval of intelligence gathering on foreign leaders of friendly nations.
- Support greater law enforcement cooperation, through an improved Mutual Legal Assistance Treaty (MLAT) process, to reduce foreign country frustration at being unable to obtain data requests by law enforcement authorities to pursue activities occurring in their countries, consistent with human rights and due process considerations.
- Promote the importance of the free flow of information by persuading more countries to accede to the inclusive OECD Policymaking Principles and Privacy Guidelines (or similar instruments) through which countries agree that when they create national policies relating to the Internet–on privacy, intellectual property, law enforcement, etc.–they will respect the free flow of information. Promote restrictions on the free flow of information as a trade issue–like protectionism.
- Support the growth of the Internet in developing countries and help them build capacity to participate more fully in and gain solutions to their challenges from the Internet governance organizations.