Tech Giants To US: Stop Spying

Eight technology companies have banded together to ask the US government to reform its surveillance policies and practices.

Apple, AOL, Facebook, Google, LinkedIn, Microsoft, Twitter, and Yahoo on Monday published an open letter to President Obama and members of Congress in which they state that recent revelations about the scope of NSA surveillance highlight "the urgent need to reform government surveillance practices worldwide."

The revelations in question, published over the summer in The Guardian and The Washington Post, were made possible by documents leaked by former NSA contractor Edward Snowden, who is living in Russia for fear of arrest by US authorities.

"The security of users' data is critical, which is why we've invested so much in encryption and fight for transparency around government requests for information," said Google CEO Larry Page in a statement. "This is undermined by the apparent wholesale collection of data, in secret and without independent oversight, by many governments around the world. It's time for reform and we urge the US government to lead the way."

The companies want governments to: set self-imposed limits on their data collection; seek data through intelligence agencies under a clear legal framework; be transparent about government information demands; not require service providers to use in-country infrastructure; and cooperate with one another when seeking data across jurisdictions.

[ Snowden: Hero or traitor? Read NSA Prism Whistleblower Snowden Deserves A Medal. ]

Although the documents provided by Snowden reveal the scope of NSA data collection, this isn't just about the reach of US intelligence agencies. As Forrester analyst James Staten wrote in August, "It's naive and dangerous to think that the NSA's actions are unique. Nearly every developed nation on the planet has a similar intelligence arm which isn't as forthcoming about its procedures for requesting and gaining access to service provider (and ultimately corporate) data."

For several of these companies, this letter adds weight to their ongoing litigation against the US government for permission to disclose the number of national security-related data disclosure orders they receive, which they cannot reveal under current law.

The Obama administration is currently reviewing US surveillance policy, following the initial outcry over the revelations and the subsequent finding that the US eavesdropped on foreign government leaders, friend and foe alike. The non-classified findings of the review are expected to be published in mid-December.

Each of the signatory companies stores data for customers. Much like banks, they depend on customer trust to remain stewards of customer data.

"People won't use technology they don't trust," said Microsoft general counsel and executive VP Brad Smith in a blog post. "Governments have put this trust at risk, and governments need to help restore it."

When the government has access to that data without legal process -- through bulk collection, for example -- and without the knowledge of the company storing the data, corporate assurances of data safety become less credible and customer trust erodes.

That erosion has an estimated cost: The Information Technology & Innovation Foundation (ITIF) has estimated that the US cloud computing industry could lose as much as $35 billion by 2016 from companies that balk at the prospect of unfettered US access to data service providers.

Forrester's Staten argues that the ITIF figure is too low. He said the US cloud computing industry stands to lose as much as $180 billion, or 25% of overall IT service provider revenues, by 2016.

The use of cloud technology is booming, often offering the only way to meet customers', employees', and partners' rapidly rising requirements. But IT pros are rightly nervous about a lack of visibility into the security of data in the cloud. This Dark Reading report, Integrating Vulnerability Management Into The Application Development Process, puts the risk in context and offers recommendations for products and practices that can increase insight -- and enterprise security. (Free registration required.)