Two of the most common responses from people (often in the press) who want to minimize the importance and the impact of the Snowden revelations about NSA surveillance are that (1) "there's nothing new" or "people knew this already" and (2) "everyone spies on everyone -- what's the big deal?" The latter one got some new life recently after it was revealed that Brazil had spied on US diplomats in the past. As you may remember, Brazil has been acting outraged in response to the revelations of US spying on Brazilians and Brazilian companies. However, both responses are simply not accurate.

Zeynep Tufekci recently wrote a great piece over at Medium, in which she debunks these weak excuses, by pointing out that (1) while some people claim to have known, tons of people didn't -- and that's what's important and (2) the scale here is well beyond what was done in the past.

To start with, it does not matter much whether knowledgeable people should have guessed the scale of NSA spying or not. That is probably the least relevant question one can ask about all this. It relies on an old and outdated understanding of a world that is simply no more.

Repeating the mantra “this is nothing new, all governments spy” may make the mostly DC-insider chorus who cling to it ever more tightly with each new leak feel better, and entrench their self-image as insiders. There are certainly psychological and financial rewards to acting and feeling like insiders. But it does nothing to change the fact that this chorus has completely missed the point of the tectonic shifts affecting them, and all governance: They aren’t the only insiders anymore.

The “nothing new here” people aren’t fully correct, even in the technical details. It’s true: spying by governments, including on their own citizens and on other governments, be they enemies, allies or frenenemies, is not new. It’s even expected. However, the scale of the spying, enabled by the shift to digital infrastructure, is certainly novel.

As we discussed recently, the real "danger" of these leaks is that the US government can't get away with its hypocritical positions so easily any more, because the public (especially the non-US public) is demanding a response. And that makes a huge difference.

Furthermore, she points out, the most amazing thing in all of this is that the NSA appears to have no plan at all in place for how to deal with this situation. It's as if they just assumed that everything they did would remain secret. Basically, Tufekci points out, the NSA relied on the idea that some "insiders" might know about this, but the great unwashed "outsiders" would never know.

But that's changed. In a big way -- and that matters, because the "context collapse" can have massive implications:

Context collapse is everywhere. It’s not just teenagers on Facebook whose ordinary adolescent boundary-testing actions are viewed by finger-wagging adults; it’s not just a variety of institutions that have found their internal communications meant for friendly eyes are exposed to the world; it’s not just academics whose scholarly studies are being dug up by various constituencies as fodder for outrage. It’s everywhere.

The outsiders are peeking in and moving in, and they are here to stay. If, as an institution, keeping your balance relies on outsiders staying outside while you talk in jargon and acronyms with your fellow insiders, it’s time to look for a safety net and a harness. A fall is coming, sooner or later. In this world, “this is what we have always done” is not going to cut it.

Meanwhile, there's a related article over at The Atlantic by James Fallows, in which he publishes an email from a Defense Department insider, which hopefully should put to rest the idea that everyone knew about this and that there's nothing "shocking" in the revelations. This is from an actual insider who argues the exact opposite, even as he supports many of the general actions:

I obviously can't be quoted by name on this ... and indeed, since this email is being read (Hi guys!), I can probably get fired just for sending it, but let me just stress how shocking these NSA revelations are.

Look, I'm not a shrinking violet. I work for DoD. I support much of the war on terror. Some of these assholes out there just need killing. And gathering info on them that allows us to schwhack them is okay with me.

But there is law. And my view is that you have two choices. Either you change the law openly, publicly, or if that is impossible and you consider violating the law imperative, then you make a claim of "exceptional illegality."

But, that insider notes, the stunning thing about the NSA revelations aren't that they exceeded what most people believed the law is, but that it was an everyday thing rather than an "exceptional" case:

But the thing about the NSA revelations is that this isn't exceptional illegality. It is routine, somehow justified by legal opinions written by John Yoo-style hacks.

And worse, it is so routine that 29 y/o contractors have access to it.

The situation is stunning in many ways. To claim that "there's nothing new" or that "everyone spies" is to miss almost everything that's important about these revelations and the impact they are already having.

Just recently Thomas Rid, the author of a new book entitled Cyber War Will Not Take Place, was on the Surprisingly Free podcast, and had a very interesting discussion about the fact that the whole concept of "cyberwar" is incredibly overhyped (as we've also discussed in the past many times). At best, it's often really about espionage, not war, and (on the good side) unlike war, the likelihood of serious physical harm and deaths is much more limited when it comes to technological attacks. I highly recommend listening to the podcast, because Rid does a nice job laying out his thesis, much of which I agree with.

However, I was then somewhat surprised to see him over at Slate arguing that the rest of the documents Ed Snowden leaked should be destroyed. Unlike some others, he's not arguing that the leak was evil and that Snowden was a traitor. Instead, the argument is somewhat more nuanced. He basically argues that a lot of good things have already come out of the leaks that have been published, but he's unsure of the marginal benefit of additional leaks, while much more worried about potential harm from continued leaks. I think this argument is wrong, but it does provide an interesting thought experiment.

Rid does point to the good things the leaks have done, namely: (1) kicking off a long-overdue debate on these issues, (2) informing the public about digital security issues that they've ignored for ages and (3) convincing many tech companies to take security much more seriously. We all agree those are three good things that have come out of the leaks. However, it appears that Rid isn't sure that future leaks will do much more than existing leaks to further any of those points. Of course, I'd argue that part of the problem is he leaves out the fourth important point: putting into motion events that hopefully will lead to more limited surveillance, less abuse of the surveillance infrastructure and much more respect for things like the 4th Amendment and basic privacy rights. And it seems pretty clear that continued leaks do help to drive that forward.

However, Rid seems to see limited upside to further leaks, and also significant downsides to existing leaks, which he thinks could get worse with more. I think he's wrong on the downsides, but let's go through them:

One is that intelligence capabilities are damaged. There is no doubt that signal intelligence agencies are an essential tool necessary for international statecraft as well as for maintaining the domestic constitutional order. Revealing capabilities and tactics often means they become worthless as a result. Measuring such tactical costs is hard, but the damage is significant.

This is overblown. Yes, intelligence and espionage are always going to be a part of the way things work, but that has never meant that we should make it easy. In fact, the likelihood of abuse is so high that we've always tried to make this very, very difficult. There are reasons that the 4th Amendment has requirements for things like probable cause, warrants (i.e., oversight by a third party) and reasonable and limited searches.

This means, secondly, that militants, violent extremists, and adversaries—think the Syrian regime—are already racketing up their communication security. In the future it will be harder to detect and foil terrorist attacks. In the future it will be harder to say if some regime possesses or used a specific weapon system. In the future it will be harder to unveil wealth-draining cyberespionage. This is very serious.

The history of signals intelligence is littered with the cat and mouse game of finding new ways to hide messages, followed by someone cracking them, and people moving on to other methods. Arguing there's some awful damage from this is an unsupportable statement. Out of what's been leaked so far, much had already been suspected by many -- meaning that the major terrorists and foreign enemies almost certainly were already using methods to try to avoid such systems. There is little evidence to suggest the damage is really that significant.

Meanwhile, thirdly, authoritarian states get a confidence boost. “Washington ate the dirt this time,” wrote China’s Global Times, an outlet sometimes called the Fox News of China. The U.S. administration “has long been trying to play innocent victim of cyberattacks” but now turned out to be “the biggest villain,” said Xinhua, the state-run news agency. This argument, of course, is hypocrisy. The National Security Agency is not spying in order to round up Obama's political opposition, and Government Communications Headquarters is not listening to Internet traffic to help London's banks—both of which stand in sharp contrast to China's own practices. Nevertheless, Snowden's revelations make it easier for the world's authoritarian regimes to crush dissent at home.

I agree with the impact here, but it's not the fault of the Snowden leaks. This is the fault of the US (and others) being overaggressive in its surveillance activities. The way to avoid losing the moral high ground is to, you know, stay on the moral high ground. It's fairly ridiculous to argue that Snowden's leaks are to blame here. It's the NSA's actions that are to blame.

A fourth result: Internet governance is creaking. Diminishing America and Britain’s diplomatic and moral standing is threatening the multistakeholder approach, so far a guarantor for a free and open Internet. A patchwork of smaller, sovereign "Internets" is becoming more and more likely. As a result, the Internet could now become more authoritarian, not less.

Finally, and perhaps most significantly, American and British Internet and telecommunication companies are under economic pressure, set to lose disgruntled customers at home and large contracts abroad. This last damage multiplies all previous ones.

Ditto my comment above. This is blaming the messenger. The problem here is not the leaks, but rather the actions of the NSA in going overboard with surveillance. Rid tries to cut off this argument with the following:

Some may retort that it was the NSA and its allies who created this damage in the first place, not Snowden and his allies. But this argument is problematic: Spy agencies spy, all of them. Suggesting that all secrecy is bad is plainly naive. Instead there is a moral case to be made for open democracies to have the most capable intelligence agencies, operating lawfully with robust oversight mechanisms. No liberal mind can want the NSA to sit in Beijing or Moscow.

But that's not responding to the actual argument. While I'm sure some are arguing against any and all espionage, most of us are not. We're arguing against overly broad surveillance, often for no legitimate reason, with little oversight and no actual threat to deal with. We're not saying that "all secrecy is bad," but rather that there has been massive overreach here, and little benefit. That seems worth discussing, and the Snowden documents keep revealing just how bad that overreach really is. Rid is responding to a strawman here, rather than the actual argument most people are making.

As Julian Sanchez notes, Rid seems to be basing the entire article a belief that is unsupported: that terrorism is a threat to democracy, when the reality is that it's authoritarianism and surveillance that are the real threats to democracy. Yes, terrorism can do tremendous damage, but it's difficult to believe that terrorism alone harms the democratic process. A surveillance state is simply antithetical to democracy. Rid seems to not understand that, which is too bad, given his recognition of how much the claims about "cyberwar" are overhyped.

We've been pointing out that the various disclosures about NSA surveillance, and its ability to tap into various servers associated with US companies, should be very troubling to the US tech industry, because it will make it harder and harder to do business -- especially with those outside of the US. Of course, some are claiming that this will all blow over, and while people will make noise about it, they won't actually go anywhere else. And, of course, the latest Netcraft data suggests that there's been little movement so far:

Despite speculation that the recent PRISM revelations would result in a mass exodus from American data centers and web hosting companies, Netcraft has not yet seen any evidence of this. Within the most popular 10 thousand sites, Netcraft witnessed only 40 sites moving away from US-based hosting companies. Contrary to some people's expectations, 47 sites moved to the US, which actually resulted in a net migration to the US.

This trend is also reflected by the entire web server survey, where a net sum of 270 thousand sites moved to the US from other countries (in total, 3.9 million sites moved to the US, while 3.6 million moved from the US). Germany was the most popular departure country, with nearly 1.2 million sites moving from German hosting companies. This was followed by Canada, where 803 thousand sites hopped across the border to the US.

Of course, I think it's way too early to conclude much about this at this point for a variety of reasons. First, we're still learning about the extent of the surveillance, and some of the more damning revelations have really only just started to trickle out. Second, moving your hosting services is not generally something you just do overnight. It can take quite a bit of time. Third -- and this is a big one -- I'd argue the bigger concern is less about companies moving, but that the next generation of users will never agree to use US servers. And, finally (and perhaps most importantly), prior to these revelations, the market for more private and secure hosting and communications was fairly limited. Some have pointed out that even for those who wish to leave US services, it's not clear where to go.

But I am expecting that's going to change. One thing that these revelations have made clear is that current solutions are not as secure or private as people expected and that this is an issue that many, many people and companies are concerned about. As such, it seems quite likely that there will be investment and entrepreneurship focused on these areas over the next few years -- and I fully expect that a number of more secure and private solutions, who actively promote themselves on these features, will hit the market.

One of the key talking points against Bradley Manning was how his leaks "put people in danger" and we've even seen some of the defenders of his prosecution claim that people had lost lives because of them. In fact, Army Chief of Staff Mike Mullen had directly stated that Manning (and Wikileaks) "might already have on their hands the blood of some young soldier or that of an Afghan family." Guess what? That was all FUD. As Manning's sentencing hearing kicked off, a key government witness admitted that there were no deaths that were attributable to those leaks. That came straight from Brig. Gen. Robert Carr, who was in charge of the response to the leaks. Among other things, he also noted that since the names did not appear in Arabic, it was unlikely that our enemies would have figured out who they really were anyway.

The retired general added that some of these contacts could not be found, others had died before the WikiLeaks disclosures, and others had been insurgents rather than cooperators with coalition forces.

Carr acknowledged that none of the names of Iraqi and Afghan contacts appeared in the original Arabic.

To this point, Manning's military defenders, Maj. Thomas Hurley, asked: "We don't share an alphabet with either of those countries, do we, Sir?"

"No," Carr replied.

Hurley also prompted Carr to concede that Iraqi and Afghan nationals tend not to be "not as plugged in" as Westerners.

The report also notes that while, in the past, some have claimed that an Afghani man killed by the Taliban was a result of those leaks "the supposed informant the Taliban claimed to have executed was not in fact named in the leaked materials." In other words, all the talk of people dying because of his leaks? Not true. Yet why do we trust the government every time there's a leak when they insist that everyone's lives are at risk?

It's hardly a surprise these days that Chinese Internet companies routinely self-censor what appears on their services: the world knows there's not much it can do about what happens within China's borders. But here's a disturbing story about how that censorship has started spreading further afield.

It concerns the WeChat app from the Chinese company Tencent, which has started to gain users in countries like Singapore, Malaysia, Thailand and Vietnam. But as Tech In Asia now reports:

the Chinese name of the outspoken magazine caught up in a tense struggle of wills with the government -- Southern Weekend in English, nan fang zhou mo in Chinese -- is censored in Chinese on WeChat. But it's not just restricted to users in China (where the app is called Weixin), and typing that name in the Chinese language is now blocked globally.

Sending a message with "Southern Weekend" in Chinese produced the warning that it contained "restricted words":

We've tested it out going from users in China to Thailand (blocked), Thailand to China (blocked), and even Thailand to Singapore (blocked); the prohibited words are not sent at all. The name of the magazine can be sent in English.

Interestingly, just a day later the warning was gone, and Tencent claimed it was simply a "technical glitch":

A small number of WeChat international users were not able to send certain messages due to a technical glitch this Thursday. Immediate actions have been taken to rectify it.

But as Tech In Asia points out:

It's as clear as day in many screenshots. "The message [Southern Weekend] you sent contains restricted words. Please check it again."

Yes: Restricted words. That's no error message. It's very far from being: Ooops, our servers are a bit busy right now, please try again a few minutes later.

As the article notes, maybe the "technical glitch" referred to was accidentally turning on the censorship for the service outside China.

In any case, this is a clear straw in the wind. China's Internet companies are now so big and successful in their home market that it is only natural for them to look to expand overseas. I'm sure that at first they will be very reluctant to censor material there to avoid drawing the ire of digital rights groups and local governments; but at some point something will crop up that is sufficiently problematic for them as Chinese companies that they will feel compelled to act in order to safeguard their relations with the government in China, which will remain their priority.

Of course, the West can hardly claim the moral high ground here, since it, too, is censoring material. It's just that different governments take exception to different things, and react with differing degrees of severity against those who flout their laws. Unfortunately, the end-result of Chinese Net companies expanding overseas is likely to be double censorship – one imposed by local authorities, and the other flowing from China.

Follow me @glynmoody on Twitter or identi.ca, and on Google+

We've talked plenty about the Streisand Effect for years, but every so often something happens that actually demonstrates the impact graphically with data. We saw this a couple years ago when Washington Redskins owner Dan Snyder tried to censor a satirical article about himself. Add to that this week's controversy over Twitter suspending the account of journalist Guy Adams, at the request of NBC Universal (after Twitter alerted NBC to some of Adams' tweets). Twitter has reinstated the account, but in the interim, there was an awful lot of discussion about Adams and what he had to say. Megan Garber, over at The Atlantic, has highlighted graphically how much more attention Adams got (via Topsy). Once again: seeking to stifle speech online is only likely to give that speech much, much, much more attention.

This one's from a few week's back, but a few people have called it to my attention. Nilay Patel over at The Verge argued that because various companies offering Android phones have been able to design around a couple of Apple patents that have made their way into lawsuits -- #7,469,381 which covers the "scrollback" bounce when you scroll to the end of a page, and #7,657,849, which covers the "slide-to-unlock" concept -- that there's "really no day-to-day impact on the consumer" from the big patent fights going on over smartphones.

That seems like a rather simplistic analysis. Patel is right that many companies are "designing around" these overly broad and somewhat silly patents, and so it doesn't mean that Android phones aren't available. But that doesn't mean that there's no real impact on consumers. While it can't be quantified directly, there are numerous ways in which these patents are likely impacting the results. First, there's a matter of cost. The legal fights over patents are quite expensive, and that's almost certainly keeping prices on these devices somewhat higher than they might otherwise be. Second, the money and time it takes to do that "designing around" potentially slows the development of these phones. Third, those same resources could have been put elsewhere, working on additional innovations that would make the phones better and more valuable. Instead, they're forced to reinvent the wheel without doing the same scrollback or slide to unlock. Finally, while some will claim that forcing these companies to invent around the patents can lead to new innovations, there's little evidence to support this claim. Certainly it might happen accidentally, but letting developers come up with new innovations based on their own experiments and what the market tells them is always going to be more efficient than stumbling on some innovation because you're trying to avoid the artificial monopoly of a patent.

Of course, this is one of the difficult things in discussing the problems of the patent system. People insist they can't be that bad because these devices are still on the market. It's difficult to see or even explain the innovations that we don't have because of this, or even to show how the pace of innovation is almost certainly slower because of this, but that's exactly what plenty of research has shown for years. No one says that innovation stops completely because of patents, but we have significant concerns about how they impact the overall pace of innovation, as well as the specific direction of innovation. While it might not seem to have a "day-to-day impact on the consumer," chances are it's having quite a large one. We just can't see how big.

The first big analysis of what happened to file sharing via cyberlockers following the shutdown of Megaupload shows that there was no slowdown in file sharing -- it's just that the traffic moved elsewhere. The analysis, by Deepfield Networks, concludes that there was no significant drop off in file sharing in the US... but that it has become "staggeringly less efficient" from a network standpoint, because much of it moved to offshore locations over "expensive transatlantic links." This isn't a huge surprise. We've been pointing out for ages, that you can shut down as many sites as you can, and new options will always pop up. Shutting down sites has never worked, but for whatever reason, ICE and the MPAA/RIAA never seem to learn from their past mistakes.

SpiderOak is an online backup/syncing/storage platform. If you're familiar with Dropbox, it's quite similar to that. In fact, when Dropbox ran into some very public challenges concerning its privacy setup as well as how it handles government requests, one of the "alternatives" we heard about a lot was SpiderOak. I haven't used it myself, but a lot of folks I know and trust suggest that it's a good product, with really strong security and privacy rules. The company recently sent out an email to its users, which (in part) discusses SOPA:

What is SOPA? This act allows content owners - movie companies, music labels, etc. - to obtain court orders requiring search providers such as Google to filter their search results to exclude websites that host allegedly infringing material, and requiring the net registrars to block DNS servers from providing the correct IP address for such sites. The act also makes site owners civilly liable for the availability of copyright material on their sites. In addition, it makes the posting of a link to a third party website that has copyright material on it the same as hosting the material on your own site.

What does this mean for SpiderOak users if this act passes? You don't have to worry. Our level of encryption means not even your filenames, file sizes or file types are readable.

They also include a link to the American Censorship site. That's all cool, and it's certainly reassuring that their encryption keeps things secret... but in saying that you don't have to worry about it, it seems like SpiderOak actually just put a huge target on themselves. After all, SOPA has a big fat anti-circumvention clause, which specifically includes calling out products that are "marketed for the circumvention or bypassing of measures" in the bill. SpiderOak may have run afoul of that by "marketing" its product as immune to SOPA because of encryption (a circumvention tool).

This is, obviously, not to question SpiderOak at all, but rather to point out just how ridiculous the anti-circumvention clause is. Obviously there are tremendously good reasons why we all should want services like SpiderOak, with their high levels of encryption. But just the fact that it advertises that shouldn't be cause to get it in trouble under the law.

And the larger point is that even companies who think they're immune to SOPA may discover otherwise, thanks to the way the bill actually works.

One of the most important aspects of the UK's Hargreaves Report was that it called for copyright policy to be based on evidence. It also noted that so far that simply hadn't been the case, and that practically all of the so-called "studies" used to justify laws in this area came from the copyright industries, with missing or dubious methodologies.

The French three-strikes scheme known as HADOPI (actually the name of the government agency that oversees its implementation) is a perfect example of such dogma-based legislation: no research was done into how files were being shared or even whether they did any harm (there's a fair amount of evidence that file sharing increases sales).

So it's interesting to see HADOPI putting out a call for some research into streaming sites (original in French):

The commissioned study focuses on an economic analysis of streaming sites and direct download where illegal practices are the most common, offering cultural property in the areas of music and video.

This new interest in streaming sites is presumably a consequence of Nicolas Sarkozy's announcement at the recent Forum d'Avignon that "we have to tackle the streaming web sites." It's certainly welcome that HADOPI is doing some research before it draws up its proposals in this area; but shouldn't it have done the same with the original three-strikes scheme?

There's an interesting parallel with SOPA here. In the section with the splendid title "Denying U.S. Capital To Notorious Foreign Infringers", we read the following:

Report to Congress- The Intellectual Property Enforcement Coordinator shall, not later than 6 months after the date of the enactment of this Act, submit to the Committees on the Judiciary of the House of Representatives and the Senate a report that includes the following:

(1) An analysis of notorious foreign infringers and a discussion of how these infringers violate industry norms regarding the protection of intellectual property.

(2) An analysis of the significant harm inflicted by notorious foreign infringers on consumers, businesses, and intellectual property industries in the United States and abroad.

Again, it's good that some research into that "significant harm" will be carried out, but shouldn't that come before the legislation is drawn up and enacted, not after it?

Follow me @glynmoody on Twitter or identi.ca, and on Google+