In a cloud computing economy, the NSA is bad for business

The real problem for the National Security Agency’s data-collection programs might not be citizen outrage, but something far more powerful — corporate outrage. We have an economy increasingly dependent on web and mobile services (broadly defined as “the cloud”), and it doesn’t make a whole lot of sense to put up barriers or conditions on using them. For consumers, it’s bad for privacy. For companies that sell cloud services, it’s bad for business.

Perhaps you noticed former Microsoft Chief Software Architect Ray Ozzie address the issue in a weekend post on Hacker News, where he wrote:

“[I]n this world where “SaaS” and “software eats everything” and “cloud computing” and “big data” are inevitable and already pervasive, it pains me to see how 3rd Party Doctrine may now already be being leveraged to effectively gut the intent of U.S. citizens’ Fourth Amendment rights. Don’t we need a common-sense refresh to the wording of our laws and potentially our constitution as it pertains to how we now rely upon 3rd parties? It makes zero sense in a “services age” where granting third parties limited rights to our private information is so basic and fundamental to how we think, work, conduct and enjoy life.”

Ozzie might be truly concerned about citizen privacy, but as the founder of a new cloud-based mobile communications service, he’s probably also concerned about attracting users. He’s not alone. His former employer and other large companies  — including some named as part of the NSA’s secretive PRISM program — have been pushing for privacy reform for years as a means to cement the viability of the cloud.

Maybe now they’ll finally get their way.

Money talks (and privacy nods its head)

The argument — as I’ve highlighted before — might not be so much about privacy as it is about profit: Companies like Microsoft(s msft), Google(s goog), Apple(s aapl) and all the startups that Congress seems to love so much rely on people trusting the cloud in order to make money. If the PATRIOT Act, the Electronic Communications Privacy Act or any other legislation scare users away, that money goes with it.

Thus far, most of the activity has centered around the antiquated Electronic Communications Privacy Act (ECPA), a piece of legislation written in 1986 that makes it relatively easy for government agencies to obtain people’s email and other electronic communications (e.g., Twitter direct messages) without a search warrant. The companies have banded together with unlikely allies like the Electronic Frontier Foundation and EPIC to create the Digital Due Process coalition, a group whose name references the Fourth Amendment right to due process that prohibits unreasonable searches and seizures.

At long last, their efforts are gaining some real traction. Updated versions of the ECPA are making their way through both the House and the Senate right now, with Sen. Patrick Leahy’s bill arguably the most high-profile of the bunch.

The trends in user data requests from Google.

The trends in user data requests from Google.

More generally, though, the third-party doctrine that Ozzie referred to is part of a larger legal theory that treats any information in the possession of someone else — your credit card transactions, call records, your journal, you name it — differently than if you alone were in possession of that information. It’s a hot topic of debate among legal scholars, and it seems the advent of the cloud has some members of the Supreme Court ready to weigh in on it should the right case arise.

In a 2012 case notable for its holding regarding the legality of warrantless GPS tracking, Justice Sonia Sotomayor addressed the bigger picture in a concurring opinion. She called the third-party doctrine “ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks.”

“I would not assume,” she added, “that all information voluntarily disclosed to some member of the public for a limited purpose is, for that reason alone, disentitled to Fourth Amendment protection.”

Does national security talk louder?

Importantly, though, while ECPA governs the actions of law enforcement agencies investigating crimes or just trying to gather data, it doesn’t address the types of surveillance that the NSA carries out under the banner of national security. But the tech industry isn’t blind to laws such as the PATRIOT Act, either. Here’s what they had to say about data privacy in 2011, via a thinktank comprised largely of IT industry executives:

(1) modernize legislation (the Electronic Communications Privacy Act) governing law enforcement access to digital information in light of advances in IT; (2) study the impact of the USA PATRIOT Act and similar national security laws in other countries on companies’ ability to deploy cloud in a global marketplace; and (3) have the U.S. government take the lead on entering into active dialogues with other nations on processes for legitimate government access to data stored in the cloud and processes for resolving conflicting laws regarding data.

Already, it appears Europeans are searching for ways to withdraw from American service providers. Users in other parts of the world might, or should, be even more hesitant to use American services. And even if some Americans say they’re not creeped out by the government collecting their phone records (and, presumably, the rest of their digital communications), many are.

It’s hard to say how intensely the tech lobby will step up its privacy efforts in light of the NSA scandal, but it’s hard to imagine it will stay quiet if its constituents see potential users bailing on their services. And what’s bad for corporations in this situation is probably bad for the economy. A bad economy is bad for politicians always looking toward the next election.

It seems crazy to think the NSA will willingly give up its surveillance powers or that a court could come to a decision on this issue any time soon, but some members of Congress could be swayed to act. In a debate between privacy and the economy on one hand and national security on the other, you’d think something will have to give.

Feature image courtesy of Shutterstock user ramcreations.