Reports of the National Security agency’s surveillance programs based on documents leaked by Edward Snowden have been embarrassing for some, enraging to others. But to governments and security services in developing economies they will prove inspirational, according to a report (PDF) from the University of Toronto’s Citizen Lab, which studies online security and privacy.
The report warns that governments that already impose authoritarian controls on the Internet, such as China, India, and Saudi Arabia, may now seek to boost those efforts with NSA-style bulk collection programs that trample on civil liberties.
Ron Deibert, director of Citizen Lab, writes in the report that:
“No doubt one implication of Snowden’s revelations will be the spurring on of numerous national efforts to regain control of information infrastructures through national competitors to Google, Verizon, and other companies implicated, not to mention the development of national signals intelligence programs that attempt to duplicate the US model.”
Deibert says that many companies already face “complex” and “frustrating” requests from “newly emerging markets” for data on their users. He believes that the NSA revelations will cause those to become even more common, with unwelcome results.
“Many countries of the global South lack even basic safeguards and accountability mechanisms around the operations of security services, and their demands on the private sector could contribute to serious human rights violations and other forms of repression.”
India, the United Arab Emirates, and Saudi Arabia, for example, have already demanded that BlackBerry add interception technology to its services, notes Deibert. He says that insisting that companies add such “backdoors” to their services introduces serious security risks, because they could be discovered and abused by others.
Citizen Lab has evidence to back up that argument. In 2008, researchers in the group that the Chinese version of Skype, Tom-Skype, had been modified to help the Chinese government’s surveillance efforts. The program sent chat logs to a government server if certain keywords were typed, but that server was not password protected. Anyone could download millions of personal conversations collected by the authorities, which included credit-card numbers and other sensitive information.
Deibert doesn’t argue that security services should never access data held by Internet companies. But he maintains that can be done without hard-wiring backdoors into communications services. Rather he would prefer agencies to be restricted to requesting specific, limited information about certain accounts on a case-by-case basis, rather than harvesting bulk data for later processing as we have learned the NSA does.