A Clunky Cyberstrategy

Soon after Egyptian President Hosni Mubarak was ousted from power last year, protesters stormed the Egyptian national security headquarters, in which police records are housed. Some Egyptians found files the authorities had compiled about them. Others uncovered files focusing on friends and colleagues. There were wiretap transcripts, reams of printouts of intercepted e-mails, and mobile messages, communications once thought to be private.

As it turns out, American-made technology had helped Mubarak and his security state collect, compile, and parse vast amounts of data about everyday citizens. The Egyptian government was using "deep packet inspection" technology purchased from Narus, a Sunnyvale, California-based firm owned by Boeing. The company's most successful product is NarusInsight, which according to Narus' website, helps "network and security operators obtain real-time situational awareness of the traffic traversing their networks." In short, the same technology not only assists network administrators in pursuing attackers and intruders; it can also help governments patrol their citizens' online activities. Narus' core clients are the U.S. Department of Homeland Security and the National Security Agency, but a good portion of the company's business comes from abroad. In 2005, Narus signed a multimillion-dollar licensing deal for the use of its technology with Egypt, Palestine, Saudi Arabia, and Libya.

Half of all Foreign Affairs content is now published online only. So if you don’t check out ForeignAffairs.com daily or sign up for our free weekly e-mail newsletter, you’re missing half the story.

Noting the Narus case this week is particularly ironic as the White House announced new sanctions against Iran and Syria on Monday, aimed at technology that Tehran and Damascus are using to target their own citizens. On Monday, President Barack Obama said of the Internet and mobile technologies that they, "should be in place to empower citizens, not suppress them." 

In the Internet age, it is technically trivial for corporations and governments to gain access to people's private communications and track their movements. The Obama administration recognizes that online freedom requires not only an open and uncensored Internet, but also one on which government and corporate surveillance powers are appropriately constrained, so that citizens are protected against abuse, and abusers are held accountable. Without strong global standards of public transparency and accountability in how surveillance technologies are deployed, the empowering potential of the Internet diminishes quickly.

Yet, even as the White House clamps down in Iran and Syria, other parts of the U.S. government are driving the development of policies, regulatory norms, and business practices that make a mockery of Washington's well-meaning efforts to expand Internet freedom abroad. Put another way, although the State Department funnels millions of dollars to nonprofits fighting censorship and surveillance beyond U.S. borders, repressive digital surveillance around the world continues to expand in scope and sophistication.

Over the past four years, as part of Secretary of State Hillary Clinton's "global Internet freedom" agenda, the State Department has spent more than $70 million promoting Internet access around the world. The money has funded projects that produce circumvention software -- for example, Tor, Psiphon, Ultrasurf, and Freegate -- that has helped millions of people in China, Iran, and other countries access censored websites. Other initiatives have provided Internet security training for activists and bloggers. State Department-funded groups now publish technical training manuals in more than a dozen languages.

Underscoring the point, last December Clinton gave a speech at a Dutch-sponsored Internet freedom conference in The Hague, calling for a "global coalition to preserve an open Internet." Soon after her speech, the 34 member-states of the OECD adopted principles that stressed keeping the Internet open and interconnected and called on member states to "ensure transparency, fair process, and accountability." But then the document pivoted -- it emphasized the need to "encourage co-operation to promote Internet security" and "give appropriate priority to enforcement efforts." That language provided a loophole for governments to do what they deem necessary as long as the goal is labeled "security" and "enforcement." 

Path breaking as Clinton's global Internet agenda may be, it is dwarfed by a multi-billion dollar global censorship and surveillance technology industry. The bulk of that work emanates from research and development labs owned by companies based in North America and Western Europe whose main clientele -- as in the case of Narus -- are law enforcement and national security agencies of their own governments. According to the Washington Post, at a surveillance technology trade show held last year near Washington, D.C. known informally as the "wiretappers' ball," 35 federal agencies, alongside representatives from state and local law enforcement, joined representatives of 43 countries to inspect the wares of companies who manufacture the world's most state-of-the-art surveillance tools and devices. Such trade shows are held regularly around the world as part of a global market that sells an estimated $5 billion dollars worth of cutting edge surveillance equipment every year.

Despite the Obama administration's proclaimed commitment to global Internet freedom, the executive branch is not transparent about the types and capabilities of surveillance technologies it is sourcing and purchasing -- or about what other governments are purchasing the same technology. Trade shows such as the wiretappers' ball are highly secretive, and ban journalists from attending. None of the U.S. agencies that attended the wiretappers' ball -- including the FBI, the Secret Service, and every branch of the military -- were willing to comment when a reporter queried them about their attendance. 

Revelations over the past several years, however, show that these technologies are deployed in illegal and unconstitutional contexts. The American Civil Liberties Union recently uncovered evidence that police departments around the United States used of cell phone tracking technology in non-emergency situations -- without court orders or warrants. In 2004, a whistleblower revealed that the National Security Agency built a secret room inside an AT&T facility in San Francisco, into which all phone and e-mail traffic passing through the facility was copied. The software used to inspect the data and transmit anything of interest back to the NSA came from Narus. According to national security expert James Bamford, secret NSA rooms using Narus technology are still operating at AT&T facilities around the country.

Meanwhile, on Thursday the House of Representatives passed the Cyber Intelligence Sharing and Protection Act (CISPA), a cyber-security bill that supersedes all existing privacy laws by authorizing Internet service providers and other companies to share information -- including customers' private communications -- with the National Security Agency and other federal entities. Civil liberties groups opposed the bill out of concern that it allows the sharing of citizens' personal communications without due process or judicial oversight. Indeed, even as American networks come under constant attack by cyber-criminals and military-grade overseas hackers, CISPA threatens to undermine the citizen's right to privacy from unreasonable search and surveillance.

An eleventh-hour announcement that Obama will veto CISPA in its present form signaled that the White House understands the problems of unfettered surveillance. An e-mail from the Office of Management and Budget sent on Wednesday afternoon cautioned that, "legislation should address core critical infrastructure vulnerabilities without sacrificing the fundamental values of privacy and civil liberties for our citizens." The White House has also sought to promote responsible consumer data collection and sharing practices by companies. In February, it released a blueprint for a Consumer Privacy Bill of Rights and made a pledge to work with companies and civil society to ensure that citizens' private information is collected and used in a responsible, transparent manner. 

Vetoing CISPA and promoting consumer privacy are important steps, but if the United States is to have a truly credible global Internet freedom agenda, both the administration and Congress have to demonstrate a clear and consistent commitment to Internet freedom at home.

There are several steps to be taken. First, Congress should pass legislation requiring "know your customer" due diligence standards for companies selling network security technology that can also be used for censorship and surveillance. Monday's sanctioning of Iran and Syria was a first step, but as the Narus case in Egypt shows, the abuses are by no means limited to those two countries. The Electronic Frontier Foundation (EFF), an organization dedicated to protecting civil liberties of Internet users, has called for legislation modeled after the Foreign Corrupt Practices Act. The EFF recommends a framework for companies to audit and keep track of their customers. Companies should have a due diligence process to determine the likelihood that their technologies will be used to carry out human rights abuses before doing business with a particular country or distributor. 

Congress can also establish requirements on tech firms to report on how user information is gathered and retained, and how and under what circumstances it is shared with governments (including the U.S. government) in all markets in which a company operates. Google has taken a step in this direction with its Transparency Report, which tracks the numbers of requests it receives from governments to take down content or hand over user information, broken down by country. Similar reporting could be required of all U.S. companies.

In many ways, Washington must lead by protecting U.S. citizens against unaccountable surveillance at home. Requiring regular and accurate reporting by government agencies, as well as federal and state law enforcement, on how information about citizens' activities is obtained would limit the potential for abuse. Likewise, a comprehensive review of federal and state surveillance practices, subjected to the same standards applied by the administration to CISPA would establish clearer standards for what is acceptable, and what is not. 

There is also specific legislation that needs reform, firstly the Patriot Act, which gives several government agencies sweeping authority to spy on individuals inside the United States -- and in some cases without any suspicion of wrongdoing. Likewise, the time has come to rescind the FISA Amendments Act, which was passed in 2008 and gave the NSA new power to conduct comprehensive dragnet surveillance of Americans' international telephone calls and e-mails, without a warrant, without suspicion of any kind, and without sufficient judicial oversight. 

Lastly, the Electronic Communications Privacy Act was passed in 1986 and never revised, despite the massive technological innovations that have taken place since. ECPA requires authorities to obtain a warrant in order to access to a document stored on a computer but makes it much easier to access documents and personal communications stored by third-party e-mail and web-hosting services without a warrant requirement. In the age of cloud computing this leaves Internet users exposed to unreasonable search and surveillance without legal recourse.

The U.S. global Internet freedom agenda will only succeed in the long run if the United States can find a way to live up to its own values and offer a vision -- in practice -- of what a digital future based in civil liberties can provide. So long as confusion reigns, there will be no successful global Internet agenda, only contradiction.