3 April 2014

Snowden fallout threatens chaos on Internet governance

The global impact of the Ed Snowden revelations, or ‘NSAgate’, is becoming clearer as a major summit hosted by Brazil on Internet governance approaches and US technology providers such as Cisco, Amazon and Microsoft report a discernible effect on their business in some overseas markets. But the long-lasting effect is still unclear, not least because confusion reigns both inside the US and outside over what the response to NSAgate should be.

The US government has naturally been desperately seeking to limit damage both to the country’s reputation and commercial interests, with the most tangible outcome being publication by the Obama Administration in March 2014 of plans to relinquish the longstanding unilateral US oversight over ICANN (Internet Corporation for Assigned Names and Numbers), the non-profit private company that allocates names and IP addresses to individuals or entities wanting Internet websites. The hope was that by handing over regulatory power over issuing domain names and addresses, the federal government would assuage some of the concerns either raised or inflamed by NSAgate.

To some extent this announcement was a red herring, since ICANN was already on course for globalization and it did not take NSAgate to cause foreign governments to seek an end to US hegemony over the Internet. ICANN had already taken several significant steps during 2012 and 2013, before the Snowden revelations broke, to adopt a more global perspective and structure, ‘towards an environment in which all stakeholders, including all governments, participate on an equal footing’. This included giving more prominence to ICANN’s governmental advisory committee (GAC), a group of governments that issues non-binding communiques, as illustrated by its work regarding applications for new generic top-level domains like .com and .net. ICANN also split its headquarters, adding hubs in Turkey and Singapore in addition to its previous head office in Los Angeles.

But ICANN itself requires some oversight and this until now has remained the exclusive preserve of the US under a contract with the US Commerce Department. The plan now on the table is to hand this over to an international body, but this has provoked controversy over both the transition process and the wisdom of doing it at all. It comes at a time when ICANN is involved in the creation of additional domain names, like .army and more fundamentally the global transition from IPv4 to IPv6, the latest generation of the IP protocol increasing the address space and improving performance for real time services in particular.

The United Nations had been favorite to assume the role of ultimate domain name supremo, but the US has never really trusted that body and was determined at least to avoid that by insisting on the creation of an independent specialist agency that could, it said, ‘have full trust of the international community’. Such an agency is unlikely to enjoy the full trust either of US politicians or among the Internet community, however it is constituted. Generally it is opposed by Republicans, with Newt Gingrich, former speaker of the House of Representatives, rather predictably calling it ‘very, very dangerous,’ adding that ‘every American should worry about Obama giving up control of the Internet to an undefined group.’

But this line was supported by a prominent Democrat, Bill Clinton, as well as Wikipedia founder Jimmy Wales, who both highlighted concerns over Internet freedom to roam, warning that it would empower ‘governments that want to gag people and restrict access to the web.’ They pointed out quite correctly that while this idea of having a multi-stakeholder process was good in theory, many of these stakeholders are governments intent on restricting Internet access, ironically including Turkey which now hosts one of the three global ICANN offices.

Clinton asserted that it was the US that had kept the Internet open.
In a sense this assertion highlights the tension between two different ‘freedoms’, freedom of access and privacy, and freedom from surveillance. This is evident in Brazil, which has taken a leading role post-Snowden in rallying international pressure to divert local Internet traffic from US soil but itself has a rather mixed record on Internet and media freedom. Like many governments, Brazil’s likes to curtail criticism when it can get away with it and did so during the last election campaign in 2010. Then the government’s judicial branch issued numerous injunctions to prevent media outlets from covering various stories, often involving politicians. A total of 21 censorship orders were made in the weeks up to the election from lawsuits filed by politicians.

Brazil was quick to respond to NSAgate in late 2013, driven partly by political opportunism as an election year began, with President Rousseff kicking off with a major speech attacking the US and cancelling a planned bilateral summit with President Obama, spurred by allegations that her own phone calls and emails had been tapped by the NSA. She announced there would be a global summit, excluding the US, to take place in April 2014 in Rio de Janeiro, to discuss how to make the Internet proof against surveillance.

At first Brazil’s campaign went well, even receiving endorsement from ICANN itself, whose CEO Fadi Chehade agreed to attend the summit. “The world listened to the Brazilian president, who spoke with deep conviction and courage, and expressed frustration that many people all over the world feel about the fact that the trust we had in the Internet was broken,” said Chehade at the time.

Then over 50 countries enraged by the US covert spy program, particularly the NSA’s secret data mining project Prism, decided to join with Brazil in organizing the summit. The story of Prism is still unfolding, with researchers reporting only on April 1st that they had uncovered evidence suggesting the NSA had exploited a flaw in the commonly used RSA security algorithm to crack encryption keys significantly faster. The work was done at Johns Hopkins University, the University of Wisconsin, Eindhoven University of Technology, the University of Illinois and the University of California and reported in a paper, ‘On the Practical Exploitability of Dual EC in TLS Implementations’.

Funnily enough that paper had been temporarily taken down from the website when we tried to take a look, although on whose instructions is unclear. That web site was set up specifically to cover the background of this attack, which exploits the implementation of the algorithm rather than its fundamental mathematical properties. RSA relies on the fact that it is trivial for a computer to multiply two large prime numbers (divisible only by one or themselves) together but much harder to reverse engineer what those numbers were when presented only with the product. We might return to this in a future issue.

As the Brazil-led campaign continued, it started to unravel and became increasingly shambolic as disagreements over tactics and strategy unfolded. To some extent the situation can be compared to NATO’s agonizing over how best to respond to Russia’s annexation of Crimea, as short term self-interests wrestle with principles and longer term considerations. In the case of the anti-US Internet campaign one of the sticking points was over representation on any committee, with the very absence of the US itself compromising the initiative, even though that was the whole point of it.

Firstly the meeting was postponed to May 2014. Then as that date approached countries backed down over the idea of actually compelling global ISPs to route all local traffic through the countries concerned. Brazil finally caved in on this point in March 2014, dropping its provisional ruling that ISPs and major Internet players must store data pertaining to its citizens inside the country as protection from US spying. Instead, watered-down legislation will insist only that the likes of Google and Facebook obey Brazilian laws in cases involving information on citizens, even if the data is stored abroad.

This climb down is merely an acknowledgement that it is impossible to change the structure of the Internet overnight. For the longer term Brazil is continuing its campaign to prize the global Internet away from US dominance, despite warnings this will have an impact on its own as well as the global economy, at least temporarily retarding the pace of innovation. Brazil is continuing with development of a secure national email service and seeking collaboration with other governments over bilateral data communications. This has also been echoed within the EU, which is considering how to restrict regional traffic within Europe’s borders, if not to the actual individual states. Brazil has also been discussing with the EU a possible undersea cable to transport data between them, rather than having to go via US managed cables as at present. That project though is bogged down over the issue of the payment split, given that Brazil wants it more than the Europeans, especially at a time when the Ukraine crisis has become a more pressing priority and has pushed the EU closer to the US.

However NSAgate plays out from now on there is no doubt it will hit the US economy and in particular its major IT players, including system makers such as Cisco, HP and IBM, software companies like Microsoft and service operations like Amazon. It could also have a dramatic effect on the course of IT by slowing down or even reversing the trend towards cloud computing, given that most of the major players such as Amazon, Google, IBM and Microsoft are US incorporated. Before NSAgate cloud computing was on course to become a $200 billion industry by 2016 with US companies taking well over half of that.

One of the first studies to seriously assess the impact has just been published by the Information Technology and Innovation Foundation (ITIF), which sought first to determine how much trust in US cloud computing providers had been lost and then to quantify this. The data on trust was obtained by the Cloud Security Alliance in June and July 2013 just after NSAgate broke, from a survey of the organization’s members around the world. It found that among members outside the US, 10% had already cancelled a project with a US based cloud computing provider, while 56% said they would be less likely to use a US based cloud computing service. Correspondingly, more than a third of US based members indicated that the NSA leaks made it more difficult for them to do business outside the country.

Whether this was a knee-jerk reaction or on the other hand just the start of a strengthening drift away from US based suppliers is unclear. But the ITIF noted that if US cloud providers lose just 10% of their foreign business over the next three years, which looks a conservative estimate, it would cost $21.5 billion.

A more recent survey by Forrester Research suggests that the ITIF estimate was conservative, indicating that the toll of NSAgate on cloud computing providers will be as high as 25% of the business. It is worth noting that there are huge discrepancies between estimates of the global cloud computing market size, depending on what’s included, but there is little doubt that over the short to medium term at least the impact on US business will run into tens of billions of dollars. Apart from cloud computing, other US technology firms are affected, with HP and Cisco both reporting loss of business in emerging markets over the last nine months.

ITIF notes correctly that the ultimate cost of NSAgate and also the timing of any recovery will be determined by how the US government responds, as well as by whether rival countries move from “stoking fear and uncertainty about the US Patriot Act to actively enacting protectionist trade barriers.” Germany and Brazil, both of whose presidents were targets of US surveillance as revealed by Snowden, did seem bent on a tough line but have recently drawn back slightly for differing reasons. But the problem for the Patriot Act, identified as the source of NSAgate, is that it is not actually that draconian and yet is seen as the great villain around the world.

The USA Patriot Act (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act) was one of the first responses to 9/11, signed into law by President George Bush on October 26, 2001. Almost a decade later in May 2011, President Obama extended by four years three key provisions of the Act: roving wiretaps, searches of business records (the so-called “library records provision”), and conducting surveillance of “lone wolves”, individuals suspected of terrorist-related activities not linked to terrorist groups. The Act therefore still stands, but is not of itself very different from what other countries have done. ITIF contends that data stored in the US is generally better protected than in most European countries, in particular the UK. It notes that Germany, which wanted to suspend data transfers to the US in the wake of NSAgate, has an act called G10 giving German intelligence officials powers to monitor telecommunications without even a court order.

The point is it is not the legislation that has provoked concern, but the extent of the US actions, at least as perceived and promulgated by Snowden. As always in such cases there is a lot of hypocrisy flying around and opportunism being taken. It leaves the US having to tread an even more delicate balancing act between surveillance and privacy than before, with the future of the Internet at stake, or at least its next chapter.