Spies, Smurfs and Snowden Are Bad for Business

“Why did you decide to do what you did?”

“All of our communications were being intercepted all of the time, in the absence of any suspicion of wrongdoing, and this was something that was occurring without our knowledge, without our consent.”

Edward Snowden interview, BBC Panorama

Last week the BBC broadcast their first interview with Edward Snowden, the contractor who spilled the secrets of the United States’ National Security Agency (NSA) and its sister organization in the UK, the Government Communications Headquarters (GCHQ). If you like your privacy, the interview was uncomfortable to listen to. There was one major revelation that I had not heard previously: the surveillance agencies have invested heavily and succeeded in hacking smartphones. Previously it was possible to guess this was taking place, given the legal right to hack that has been given to agencies like GCHQ. However, Snowden talked about it explicitly, saying GCHQ’s smartphone surveillance capabilities were named after Smurfs, the cuddly blue cartoon creatures. For example, ‘Dreamy Smurf’ can switch your phone on and off without your knowledge, whilst ‘Nosey Smurf’ can switch on the microphone so spies can use it to eavesdrop.

The rest of the program was mostly a retread of previous revelations plus commentary from various people who either confirmed the likelihood of Snowden’s claims or damned him as a traitor. However, there is still some shock factor in hearing that GCHQ hacked Cisco routers to gather huge amounts of data from Pakistani telcos. If Cisco routers were compromised in one country, then presumably they can be compromised anywhere.

It is over two years since Snowden fled the USA, but the landscape of the public debate has changed little in the interim. The spooks say that what they do is vital for national security, and insist their methods are justified. Snowden counters that if comms surveillance has always been so reasonable, then why did the spies lie about what they were doing, even to elected politicians? The spooks argue that giving government secrets away makes it harder for them to do their job. I can believe this is true when they are spying on moronic terrorists, but this seems less likely when their targets work for foreign governments. Osama bin Laden knew the risks of using a mobile phone, well before Snowden went rogue. If the head of a terrorist organization knows not to have any mobile phones in his safe house, we can safely assume governments in China and Iran have a good idea of what the NSA and GCHQ are capable of doing, not least because they do similar things. That begs a question: how are governments supposed to give good advice to businesses about the ways to counter espionage, without making it obvious what espionage is technically possible?

The threat to telcos was repeated in the BBC’s program, but as usual the spooks focused on security rather than wider consequences. Given the capabilities accumulated by the spies, it is questionable why they also insist that businesses like Facebook should copy the tactics of the NSA and GCHQ, and deploy automation to spy on every message that passes through their systems. Whilst terrorism is always presented as the justification for such capabilities, it is hard to believe that a business would invest lots of money in automated analysis of billions of messages, and not seek to use the capability for commercial advantage as well.

Many people are repulsed by the idea of comms providers gathering huge volumes of data about our likes, tastes, friends and activities, and thus being able to construct a more comprehensive picture of us than even our friends can. Much of the argument around terrorists’ use of social networks concentrates on their ability to ‘brainwash’ people into committing atrocities. But if terrorists can brainwash people, using their feeble techniques and resources, then what could a government or unscrupulous business achieve, if they set out to systematically manipulate individuals by exploiting the data they have gathered?

I cannot blame Snowden for what he has done, but the associated publicity and the unyielding, fixed nature of public debate are very bad for comms providers. Customers are constantly reminded of the threat to their privacy, but comms providers are denounced for not volunteering more information to government authorities. So-called public servants, whose wages are paid by taxes on workers and businesses, feel entitled to moan and bitch about perfectly legal decisions made by privately-owned companies. For example, the BBC asked a senior British policeman about his experience of dealing with comms providers. He said “some are helpful, some are extremely unhelpful”. Does that sound like an unbiased point of view? Are there no companies that are extremely helpful? Are none only slightly unhelpful? And what does “help” consist of, except volunteering personal information, without the consent of that person, when the police have no legal right to demand or expect that information? If the police cannot persuade the government to give them additional legal rights, they should not feel entitled to criticize businesses that obey the law but refuse to do whatever the police want.

The tone of the debate is divisive, and it seems politicians are happy to keep it that way. They will not impose (additional) surveillance powers that they know would be (even more) unpopular with the public. However, the politicians are happy to stand back and let government employees wage a campaign of slandering and belittling comms providers for putting their customers first.

Comms providers are put in an awful position: they do not want to openly challenge government and lobby for better laws, as they know some customers will side with the spooks, whilst others fear surveillance. However, government employees are given free rein to voice their opinions, to lobby government, and to chastise businesses and individuals who refuse to follow their diktats. Governments can prevent this conflict – by drawing clear lines where businesses are not expected to volunteer information because the law strictly and unambiguously balances personal privacy with security. Governments can also remind their employees that they are not paid to vilify the private sector, or to lecture the public on what they should think.

Whatever your views on surveillance, I think we can all agree that if government agencies are complaining about what private sector firms refuse to do, the best solution is for government to recast the laws so we all know – comms providers, spooks, police, and the public – where the line is drawn between the right to privacy and the needs of security. Or as Snowden put it during his interview:

It is really a question of free enterprise. Who do companies work for? Do they work for their customers, or do they work for governments?

Brits can view the BBC interview with Snowden here.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.