The Open Technology Institute has put together a thorough paper detailing the many adverse effects the NSA disclosures have had, both on American businesses inside and outside of the tech sector, as well as on Americans themselves.
The Open Technology Institute is no stranger to the adverse side effects of the NSA's pervasive surveillance. Its own open-source mesh network project (Commotion) was accompanied by this warning, prompted by the revelations of the Snowden leaks.
Cannot hide your identity
Does not prevent monitoring of internet traffic
Does not provide strong security against monitoring over the mesh
Can be jammed with radio/data-interference
So, how much will the NSA leaks cost American businesses? It's tough to say. Although the OTI has done an incredible amount of research, it's difficult to pin down exact losses. Any time an American company has its bid denied by a foreign country, the NSA's actions have likely played some role. But this will very rarely be stated explicitly. This leads to a rather open-ended estimate of lost sales.
Nearly 50 percent of worldwide cloud computing revenue comes from the United States, and the domestic market more than tripled in value from 2008 to 2014. However, within weeks of the first revelation, reports began to emerge that American cloud computing companies like Dropbox and Amazon Web Services were losing business to overseas competitors. The NSA’s PRISM program is predicted to cost the cloud computing industry from $22 to $180 billion over the next three years.
Cloud services aren't the only victims of NSA overreach. Hardware manufacturers are also seeing losses. Cisco, one of the first to complain
about sales losses due to NSA leaks, was also the only company to have its logo splashed all over the internet when a leaked presentation contained a photo
of NSA agents opening one of its boxes from an intercepted shipment. The NSA's Tailored Access Operations
(TAO) has subverted any number of companies' products and Qualcomm, Microsoft and Hewlett-Packard have all reported dropping sales, according to OTI's research.
Other direct effects are being felt as well. Germany is ending
its long-running contract with Verizon and German companies are specifically excluding American businesses when seeking bids. The blowback from the NSA's spying on Brazilian president Dilma Roussef cost Boeing a $4.5 billion contract
for new jet fighters. (The contract went to Saab.)
Also directly affecting US companies is a future full of increased compliance costs as countries move towards data sovereignty. This means tech companies like Facebook and Google will need to build local data centers if they wish to keep citizens in affected countries as users. The European Parliament's new data protection law
could easily result in massive fines for US companies.
In March 2014, members of the European Parliament passed the Data Protection Regulation and Directive, which imposes strict limitations on the handling of EU citizens’ data. The rules, which apply to the processing of EU citizens’ data no matter where it is located, require individuals to consent to having their personal data processed, and retain the right to withdraw their consent once given. The deterrent fines are significant: violators face a maximum penalty of up to five percent of revenues, which could translate to billions of dollars for large tech companies.
Companies from outside of the tech sector are also facing downturns, thanks to the NSA's activities. The cheapest and most convenient way for companies to reach customers (and vice versa) is taking a hit as wary citizens take steps to avoid leaving as large a digital footprint.
According to an April 2014 Harris poll, nearly half of the 2000 respondents (47 percent) have changed their online behavior since the NSA leaks, paying closer attention not only to the sites they visit but also to what they say and do on the Internet. In particular, 26 percent indicated that they are now doing less online shopping and banking since learning the extent of government surveillance programs.
The most harmful indirect side effect of the NSA leaks is a move towards Balkanization of the internet, an outcome that threatens both the structural integrity of the web as well as the public itself.
Data localization proposals also threaten the functioning of the Internet, which was built on protocols that send packets over the fastest and most efficient route possible, regardless of physical location. Finally, the localization of Internet traffic may have significant ancillary impacts on privacy and human rights by making it easier for countries to engage in national surveillance, censorship, and persecution of online dissidents.
It's not just tech companies that are the collateral damage of the NSA's programs. It's also the American government itself. The entity that gave its official blessing for widespread, untargeted surveillance in the wake of the 9/11 attacks is now paying the price for its audacity. Not only did this negatively affect the US's nominal position as the "head" of the open internet, but it's also completely eroded
the high ground on human rights the country held for so many years.
The damaged perception of the United States as a leader on Internet Freedom and its diminished ability to legitimately criticize other countries for censorship and surveillance allows foreign leaders to justify and even expand their own efforts. The long-term implications of destroying trust in the Internet through the hypocrisy of its greatest champion are detrimental to the interests of all democratic nations. Foreign governments and their populations are now wary not just of the United States government and companies, but of technology more generally.
It is apparent that the negative side effects of the NSA's power and reach were never considered by anyone with the power to rein it in. Now that these programs have been exposed, the damage control has backfired, relying both on "it's completely legal" (which implicates the US government and its oversight policies) and the always-vaguely-stated "terrorism threat" (which paints the agency and its supporters as disconnected fearmongerers). Now, the US is paying the price, with most of it being paid by those outside of any government.
The OTI suggests several remedies, most of which the NSA (and the administration) would likely fight every step of the way. Strengthening data protections (and extending those protections to foreign citizens) would be portrayed as allowing terrorists to escape detection and surveillance. Increased transparency is also suggested, but that hasn't been welcomed
by anyone at the administration level for the past 13 years. There's no reason to believe a sea change is just over the horizon.
Also suggested is restoring trust in the NIST's encryption standards
and forbidding the NSA from installing hardware and software backdoors. The former is a long shot, but doable. Restoring trust always takes much, much longer than destroying it. On the latter, there's no way the NSA will give up this surveillance tool without a (long) fight and there's hardly any reason to believe it will ever
give it up completely. After all, despite all the forced transparency, it still operates mostly in the dark.
OTI also calls for the NSA to stop making internet use more dangerous
than it already is.
Secret stockpiling of previously unknown flaws irresponsibly leaves users open to attack from anyone who discovers the weakness. Consistent with the Review Group’s Recommendation, the U.S. government should establish and adhere to a clear policy to disclose vulnerabilities to vendors by default, and only withhold that information in the narrowest circumstances and for the shortest period of time possible—if at all.
As has been noted, this is a worldwide problem, greatly exacerbated by a number of private security firms which stockpile vulnerabilities
to sell to intelligence and law enforcement entities (while at the same time selling protection against their stockpile of undisclosed exploits to other private companies). Stopping the NSA from doing this is only a small part of the problem. Governing the actions of private companies worldwide will be a much more difficult task.
The repercussions of the NSA's programs will be felt for years. The cost to the United States' reputation is already being felt. It can't be quantified, but it is very noticeable. The final cost to American companies will undoubtedly be in the hundreds of billions. Destroyed trust takes a long time to rebuild and every day that passes without the NSA being seriously reined in (the USA Freedom Act
, Dianne Feinstein's Fake Fix
) just makes it longer. Lost sales are hard to quantify, but there can be no doubt this will harm the US -- on both a private and public level -- for years to come.