Storing data offshore won’t protect it from NSA, expert says

Chuck Bednar for – Your Universe Online

Ever since Edward Snowden first blew the lid off the US National Security Agency’s data collection practices, Americans have been looking for a way to keep their information safe from prying eyes in the federal government.

Some tech companies, including Google, have explored the possibility of using floating data centers to move servers offshore. However, in a new article penned for TechCrunch, former Obama administration director of privacy and civil liberties and Brown University fellow Tim Edgar says that simply moving data centers offshore will not protect them from the NSA.

“The natural reaction of many citizens, companies and governments is to try to get their data out of the United States and out of the hands of American companies,” Edgar wrote, calling the idea “a seductive one, even for Americans.”

“This offshoring of data to avoid surveillance is not just an idle notion,” he continued. “As a privacy lawyer with experience in the intelligence community and the Obama White House, technology companies have asked me how they might pursue such a strategy.  It turns out that shifting user data abroad or into the hands of foreign companies is a very poor way to combat American surveillance.”

While the NSA’s top brass have “stated quite openly their desire to collect everything American law permits,” Edgar explained that regulations governing what they do depends upon where they are collecting information. The Foreign Intelligence Surveillance Act (FISA), places stricter guidelines on data collected from domestic servers than from those located overseas, he noted.

“FISA requires an order from a federal court, albeit a special one that operates mainly in secret,” he explained. “By contrast, the NSA’s rules for collecting data from switches and servers overseas are governed not by a law, but by an executive order. There is no court oversight and far less intensive review… Shifting data away from the United States actually makes it more vulnerable to these broader forms of collection.”

Less than a month ago, reports surfaced that the NSA had spent several years monitoring both domestic and international cellphone carriers in an attempt to discover security vulnerabilities. The program, codenamed Auroragold, also detailed how the agency planned to secretly introduce new flaws into communications that they could tap into, but which also would have made the general public more susceptible to hackers in the process.

In light of  those reports, as well as previous ones detailing how the NSA was collecting email and browsing information from millions of Americans, may have been obtaining personal information (including location and political affiliation) through mobile apps and was using malware to infect domestic computers, making sure that such information is beyond US borders might seem like a slam-dunk good idea. Edgar, however, disagrees.

“A company that shifts its data abroad should consider whether it is confident there is no way the world’s most sophisticated intelligence agency… would gain access to its data, at rest or in transit,” he wrote. “Even if the United States lacks that ability, one of its partners might… [and] storing data outside the United States does nothing to protect it against the world’s other major intelligence powers, such as China and Russia, or the myriad of criminal groups and hackers.”

“Far more important than where data is held is how it is secured. The answer, for too many companies and individuals, is that it is not secured at all, despite the availability of strong encryption,” Edgar added. “However, the technology industry is starting to change that.”

The iPhone 6, the latest smartphone from Apple, has built-in encryption features that allow users to keep stored information private from prying eyes, including those in the government, he said. Companies such as Virtru and AppRiver offer secure e-mail services, and some messaging firms are working to limit the amount of data they collect for both security and privacy reasons.

“Keeping that data in the United States provides greater legal protection than offshoring it,” Edgar said. “For good and for ill, there is only one global network.  Isolating data from the United States is technically difficult – if not impossible – and counterproductive if the goal is to protect privacy.  Reforming global surveillance will require major shifts towards transparency, accountability, and better privacy rules for the NSA and its partners.”

“The world’s citizens, companies and governments should continue to press the United States to reform its spying practices.  Keeping data out of the United States is no answer.  There is no easy substitute for reforming government surveillance,” he added.


Follow redOrbit on TwitterFacebookInstagram and Pinterest.