One year ago, Edward Snowden gave the world an unprecedented wake-up call—a shock from which the public, governments, and industry are still stumbling to recover.
The public has reacted, appropriately, with alarm, anger, and demands for information and reform. The U.S. government has responded, predictably, with embarrassment, obfuscation, and invocations of national security. As for the technology companies—which financially benefit from their status as stewards of our private information—well, it’s complicated.
From the start, users’ trust was at the center of the tech companies’ concerns. While companies like Facebook, Google, Microsoft, and Yahoo immediately issued vague statements refuting the suggestion in several leaked documents that the NSA had “direct access” to the companies’ data servers, public skepticism persisted. Eventually, though, these firms started getting their acts together, taking some real steps towards improving their standing with customers by competing on privacy. (One inflection point was surely the Washington Post’s revelation that the NSA had tapped into Google and Yahoo’s overseas data links—as one Google engineer said, “Fuck these guys.”)
A large group of leading tech companies sued the government in the Foreign Intelligence Surveillance Court to allow them to publish more information about the kinds of government requests for user data they receive. The tech lobby has used its clout in Washington to push for some pro-privacy measures, signing on to support meaningful surveillance reform in Congress and publicly breaking with members of the intelligence community who have sought to gut reform bills of important privacy protections. And, of late, Internet companies across the board have rushed to implement technological solutions, like basic encryption, that are aimed at preventing surreptitious government collection of data directly from the Internet backbone.
As encouraging as these steps have been, these technology companies can—and must—do much, much more. The Snowden revelations have upset the latent assumption that these companies’ responsibilities to us end when they give us free, convenient tools. We trust them to be the custodians of our data in part because we believe they will have our backs when it comes to keeping that data private. After all, who knows better than these companies just how much can be gleaned from the aggregated bits and bytes we send their way every single day?
Here are just a few things they can do, starting now:
- Insist on warrants and resist overbroad demands: As the first line of defense against government requests, companies have not just the right but the obligation to stand in their customers’ shoes and push back when law enforcement makes intrusive or novel demands. Many government requests are informal requests against which firms can push back—and, as Microsoft’s successful resistance to a recent national-security letter demonstrates, the government knows many of these requests would never hold up in court. And even when the government comes with a warrant, companies have the duty to challenge new or expansive uses of surveillance authorities in court, where users themselves are often shut out by law.
- Notify users of surveillance requests: Only in rare circumstances do law-enforcement requests for data come with court-ordered gags. (Even in those rare cases, the gags are often unconstitutional.) It should be company policy across Silicon Valley to notify users when the government requests customer information—and, both promisingly and increasingly, it is. Changing the practices of Internet companies who receive these kinds of requests will, as tech lawyer Al Gidari told the Washington Post, “serve to chill the unbridled, cost-free collection of data.”
- Encrypt and protect users’ communications in transit: One of the most startling discoveries from the Snowden documents was that even though simple encryption solutions exist to protect communications data in transit, most tech companies were simply not using them. As Snowden explained shortly after his first disclosures, “Encryption works.” Thankfully, there are signs of positive change—just this week, Google effectively shamed Comcast into adopting STARTTLS to protect batches of email sent from one service to another. And, like Apple, more companies should use end-to-end encryption for proprietary services like voice, video, and text messaging. What we say privately deserves protection.
- Minimize data collection and retention: The best protection that technology companies can provide for private information is simply not having it in the first place. For too long, Silicon Valley’s business model has depended on collecting and keeping as much user data as possible. But, to paraphrase the voice in Kevin Costner’s cornfield, “if you keep it, they will come.” Responsible custodians of private information will minimize what they keep, and how long they keep it, to what is truly necessary for business purposes.
There is clear public support for surveillance reform. While Congress is struggling to pass meaningful changes, tech companies can step up and play their part as true champions of our privacy. We’ve trusted them with our secrets—and they should begin to act like it.