Since the summer of 2013 when Edward Snowden, a government system administrator and insider, unveiled secret government snooping on large volumes of citizen data (without proper legal tools such as search warrants), media coverage and discussion of government surveillance operations have been widespread.
It's been revealed that U.S. law enforcement and spy agencies with the three-letter acronyms (NSA, FBI, CIA and so on) have enormous data gathering operations, including accessing and analyzing data about phone calls as well as the content of emails, documents and web visits of U.S. and foreign citizens.
The Internet infrastructure industry is experiencing business and operational impacts, since these headlines have caused a renewed focus on data privacy and surveillance issues.
How does one sort through the fact and fiction, while reassuring jittery customers and maintaining business relationships? David Snead, co-founder and public policy chair of the Internet Infrastructure Coalition (I2C), will address these issues in a session titled “Surveillance, Privacy and the New Congress” at the spring Data Center World, which convenes in Las Vegas April 19-23. The conference’s educational tracks will include many topical sessions covering the issues and new technologies that data center managers, service providers, owners and operators face, including external challenges such as security, privacy and surveillance in the Internet age.
Snead said his session will cover “understanding what the debate is about, how the world has responded and how to deal with it.”
Snead, an attorney, makes presentations globally on behalf of the I2C, an industry group representing the interests of those who build and run the “nuts and bolts” of the Internet. Coalition members include companies such as Google, Equinix and Rackspace, among many others.
Surveillance Erodes Trust
“The debate about privacy has been going on for a significant amount of time,” Snead said. However, the NSA-triggered discussion has become a big issue for business, and particularly, for data centers and infrastructure providers, he explained.
The business relationships have changed. “Customers don’t trust infrastructure providers,” Snead added. “They don’t want to be in a situation where they won’t know that their data is being disclosed. People are getting questions from customers.” Concerned clients are moving their business to providers outside the United States, he added. That is a significant business impact.
Privacy advocates and businesses already distrusted law enforcement agencies, but now companies in general have suffered an erosion of trust. "Government and people are responding in different ways to restore that trust," Snead said, adding that the I2C is "pushing hard" to create more transparency and improved surveillance laws.
Current Hot Issues
Since Snowden's revelations, there have not been any successful changes to U.S. laws and regulations to alter how the government is going about its surveillance operations. However, a part of the Patriot Act (Section 215) that is used as a legal justification for phone metadata collection will be up for renewal before Congress this summer.
"This is going to be a huge fight," Snead said. The coalition believes that the situation needs to be addressed and it will be hotly debated, he added.
This week, the Obama administration said that if the provision is not renewed, the government will stop the bulk data collection, according to a statement on the Electronic Frontier Foundation website. The EFF also states that there is a possibility that data collection could continue even if Section 215 expires. Snead said the continued collection is a slim possibility.
Other current issues include laws put in place in the European Union to protect data privacy, which affect U.S. companies as well as global ones. "Privacy and surveillance are a continuing concern for people around the world," he added. "Germany is particularly concerned about this issue. Other countries are concerned as well, such as Brazil."
The European Union has finalized a new regulation, the General Data Protection Regulation, which applies to American businesses doing business in any European country and holds them to the European standards of privacy protection.
There are also issues of data localization. New regulations are coming that concern knowing where data resides and where it transits. This presents operational challenges, as data centers need to audit their policies and procedures, review IT applications and really know where data lives. For example, if a business requires its data to be entirely in the United States, Snead said, a small application or script cannot hit a server in Canada for any reason.
"Data centers will have to work with customers to ensure that data will not leave this bandwidth, that it won’t transit outside this area," he said. This brings real operational concerns to infrastructure providers, and calls for working with bandwidth providers and detailing customer requests in contracts.
What Can Data Centers Do?
In terms of building trust with customers, Snead suggests a review of privacy policies or other customer statements and agreements is in order. He adds that being as transparent as possible with customers helps.
Infrastructure providers would be well served to "set out how information is disclosed, and how they share info (to the extent that you can), have a detailed compliance policy (what happens when the provider is served a warrant or subpoenas and differentiate between the two), and explain how any data request activity is disclosed to customers," Snead said.
One challenge with some data requests made by law enforcement is a provision which includes a "gag order" on the infrastructure provider. "Google and larger companies have an agreement with the Attorney General," he noted, "that allows them to reveal the number of requests for data that they have responded to, in 'bands.' For example, a band is 0-100, in number of requests. Most companies are a lot smaller than Google or Yahoo!. When the bands are larger rather than smaller, customers assume the worst, so if a band is 0 to 100, they assume 100 requests. It would be better to have narrower bands."
What Lies Ahead?
Snead said the heightened awareness of privacy and surveillance will remain front of mind for a while. "Requests are coming from all customers," he noted. "The privacy pendulum is moving towards increased awareness of these issues, rather than away from it."
To learn more about privacy, surveillance and their business impacts on data centers, attend Snead's session at the spring Data Center World Global Conference in Las Vegas. Learn more and register at the Data Center World website.