US government “legal intercept” regulations in force today require US and non-US IT firms to permit US agencies to penetrate their operations and conduct surveillance against unsuspecting US citizens and others.

These regulations threaten to balkanize international telecommunications markets, as countries around the world try to protect themselves and their citizens from minute-by-minute American surveillance.

What is the exact nature of these US surveillance laws and regulations? To whom do they apply? What can be done to prevent them from tearing apart global telecommunications markets?

Under the authority of the Patriot Act – passed after 9/11 – a special court in Washington DC issues secret warrants for records, documents, library searches, email, and internet browsing histories of American citizens and other individuals in the United States. While surveillance is subject to judicial process, the FBI or NSA need not show probable cause that the persons targeted have committed any crime whatsoever; the records need only to be “relevant” to an investigation of terrorism. Since the warrants are classified, the targets have no way of knowing that they are under investigation, or that their emails and other records are being scrutinized continuously by US government agencies. Nor do they have any way of responding to, much less rebutting, allegations about possible links to criminal activity.

Other complementary US regulations require all IT companies operating in the US to build backdoors into their equipment and software to permit the FBI and NSA to conduct this round-the-clock surveillance. These regulations force companies to turn over to the US government any encryption keys customers think are protecting them.

These legal directives imposed on all IT operators in the United States do indeed apply to every IT provider, including European, Japanese, South Korean, and Chinese IT companies that supply goods and services to the US market.

US court orders for surveillance and US mandates that require penetration of IT systems do not stop at the border. American regulations, upheld by American courts, require IT companies with operations in the United States to permit extraterritorial access to emails and documents stored outside of the United States. Today these requirements of American origin are being challenged as violating the Privacy Directive of the European Union.

Indeed, the surveillance regime that the US government asserts is necessary to fight terrorism and global crime – all the more needed now that ISIS has joined Al Qaeda in threatening the United States and its allies — is nonetheless threatening to segment international telecommunications markets. To avoid backdoors that permit US government surveillance, Brazil is already excluding all US companies from participating as it lays a new IT cable to Portugal. German companies are warning Microsoft that they will stop all purchases from the company if Microsoft complies with a US Justice Department order to provide access to the data of a German citizen stored on a server in Ireland. IBM says it is spending more than $1B to build storage facilities in overseas markets to prevent US government snooping, but it is not clear that IBM’s offshore cloud strategy will be able to accomplish this objective.

To prevent such discrimination against themselves, US IT companies and suppliers are arguing for creation of a transparent multilateral framework, across jurisdictions, to govern lawful requests for secret surveillance. Without such a framework, the worldwide telecommunications market will likely continue to fragment as governments and private buyers around the globe attempt to avoid US surveillance measures. Such a multilateral agreement would have to allow other governments to follow the same procedures as are now allowed by US regulations, or else would have to require US regulations to be restricted to conform to new international norms.

Are we ready to accept as legitimate that other countries – from Germany, the United Kingdom, France, Japan and South Korea, to Russia, India, and China – set up mirror-image surveillance regimes like our own? Will Congress ratify an international protocol that allows the Chinese government to snoop on Chinese dissidents via Facebook’s operations in China, and to collect data on democracy activists stored on China Telecom servers in Atlanta, Georgia?  Is Congress likely to be more persuaded to join up if Chinese surveillance agencies claim to have a secret warrant from a special court in Beijing? Will sober-minded Germans legitimately concerned about jihadists coming and going in their midst permit the Federal Republic to sign on to an international surveillance regime that Stasi could only have dreamed of?

Or will US surveillance regulations have to be scaled back – despite ongoing threats of international terrorism — and become subject to verifiable limitations?

Hard choices await.

 

Professor Moran will present his new research, “US Government Surveillance Regulations for IT Company Networks” at the American Enterprise Institute on December 10.