Offshoring Data Won’t Protect It From The NSA

The United States is the physical hub of the global Internet.  Data from around the globe crosses gateways and servers in the United States.  This basic fact, obscured by hazy visions of a borderless Internet cloud, is part of what accounts for global dismay at the revelations of extensive spying by the National Security Agency.

The natural reaction of many citizens, companies and governments is to try to get their data out of the United States and out of the hands of American companies.  The idea is a seductive one, even for Americans.  Offshoring money has been a popular strategy for tax avoidance.  Why not offshore data to a foreign company?

This offshoring of data to avoid surveillance is not just an idle notion.  As a privacy lawyer with experience in the intelligence community and the Obama White House, technology companies have asked me how they might pursue such a strategy.  It turns out that shifting user data abroad or into the hands of foreign companies is a very poor way to combat American surveillance.

The Justice Department may put a lot of pressure on Swiss banks, but it doesn’t hack into offshore accounts to recover ill-gotten gains.  By contrast, intelligence agencies are not known for scrupulously observing the laws of foreign countries in which they operate, even when (as in the United States) they are subject to a system of domestic legal oversight.

NSA directors have stated quite openly their desire to collect everything American law permits.  However, what the law allows the NSA to do varies starkly depending on where data is collected.  Under the Foreign Intelligence Surveillance Act, the rules that apply to data collected from a switch, wire, or server in the United States are stricter than the safeguards that apply to data collected overseas.

FISA requires an order from a federal court, albeit a special one that operates mainly in secret.  By contrast, the NSA’s rules for collecting data from switches and servers overseas are governed not by a law, but by an executive order.  There is no court oversight and far less intensive review.  Many of the Snowden revelations have concerned this kind of overseas collection.  Shifting data away from the United States actually makes it more vulnerable to these broader forms of collection.

Of course, NSA intelligence operations overseas may be riskier than secret court procedures in the United States, so perhaps the data will not be collected at all.  Nevertheless, a company that shifts its data abroad should consider whether it is confident there is no way the world’s most sophisticated intelligence agency – employing thousands of computer scientists – would gain access to its data, at rest or in transit.

Even if the United States lacks that ability, one of its partners might.  The NSA has a deep historical relationship with the other “five eyes” nations – United Kingdom, Canada, Australia and New Zealand – and with many other countries around the globe.

Finally, storing data outside the United States does nothing to protect it against the world’s other major intelligence powers, such as China and Russia, or the myriad of criminal groups and hackers.  There is no controversy concerning the adequacy of their court oversight or privacy safeguards for intelligence surveillance.  They have none.

Far more important than where data is held is how it is secured.  The answer, for too many companies and individuals, is that it is not secured at all, despite the availability of strong encryption.  However, the technology industry is starting to change that.

Apple’s new smart phone offers standard encryption features that allow users to keep stored data private – both from Apple and from the government.  Other companies are watching as Apple squares off against complaints from the FBI and the United Kingdom’s intelligence services that their encryption goes too far.

For data in transit – such as e-mail – users must still set up dual-key cryptosystems (such as PGP) that can be tough for all but the most dedicated to manage, or rely on new secure messaging companies to provide them with some assistance.  Companies like Silent Circle and Wickr have published guidelines describing their policies for providing the very limited data they have to law enforcement.

Companies like Virtru and AppRiver offer a secure e-mail service, and Virtru  promises to fight broad government demands for any assistance in court.  The new secure messaging companies are working to limit the data they have for reasons of both security and privacy.  Keeping that data in the United States provides greater legal protection than offshoring it.

For good and for ill, there is only one global network.  Isolating data from the United States is technically difficult — if not impossible — and counterproductive if the goal is to protect privacy.  Reforming global surveillance will require major shifts towards transparency, accountability, and better privacy rules for the NSA and its partners.

The world’s citizens, companies and governments should continue to press the United States to reform its spying practices.  Keeping data out of the United States is no answer.  There is no easy substitute for reforming government surveillance.

Editor’s NoteTim Edgar is a visiting fellow at Brown University.  He served in the Obama White House as the first-ever Director of Privacy and Civil Liberties for the National Security Staff and has been a privacy lawyer for the Director of National Intelligence and the American Civil Liberties Union.  He advises technology start-ups including Virtru.