For some firms, NSA eavesdropping means business

Image 1 of / 3 Caption Close For some firms, NSA eavesdropping means business 1 / 3 Back to Gallery

To many Americans, online eavesdropping by the U.S. National Security Agency is an outrage, a threat to privacy and freedom.

To some, it's a business opportunity.

A small but growing number of companies have introduced Internet and communications services designed to shield users from the government's eyes. A few even advertise their products as "NSA-proof." Spies are part of their sales pitch.

Cybersecurity fears, of course, didn't start with Edward Snowden, the former NSA contractor who in 2013 started leaking details of the agency's far-reaching surveillance programs.

Many of the companies have been offering encrypted online services for years, scrambling their customers' data and communications in ways that require the right computer-generated "key" to decode. They are at least as concerned with thwarting private hackers and corporate spies as they are with blocking federal agents. Last week's disclosure that Russian hackers have amassed 1.2 billion user name and password combinations worldwide was a potent reminder of that threat.

But some entrepreneurs in the field found motivation in the NSA, after learning that the agency has been collecting troves of Internet and phone data on ordinary citizens for years.

"Privacy and democracy go hand in hand - that's why this is so important," said Jason Stockman, one of the creators of ProtonMail, which began offering an encrypted e-mail service in May. "Our goal is to protect people against mass surveillance."

But most companies will quickly admit that if the NSA - or some foreign intelligence service - really wants your data, they can't guarantee protection.

"There is absolutely some level of wishful thinking in any claim that a product is NSA-proof," said Peter Eckersley, technology projects director for the Electronic Frontier Foundation, a nonprofit focused on digital privacy. "It varies from complete and utter fiction to just overconfidence."

ProtonMail got its start on the crowdfunding website Indiegogo, playing up the threat of government intrusion and noting its servers are in Switzerland, beyond the reach of U.S. jurisdiction. The service encrypts messages before they're sent, and they remain encrypted while they're on the company's servers. Each user has an individual encryption key, to which the company does not have access. Those measures should keep messages safe as they traverse the Internet. But they won't help if a hacker, government-employed or not, breaks into your computer.

"If someone hacks your machine, there's not a lot we can do," Stockman said.

NSA speculation

Since the NSA conducts its business in secret, its full capabilities remain a matter of speculation. But a series of revelations that began in 2005 uncovered programs in which the agency routinely collects Internet traffic and telephone records, through which it sifts, looking for patterns that could point to terrorist activities. The agency recently built a massive facility near Salt Lake City to store the data.

Documents leaked by Snowden last year showed that the agency also secretly tapped into the connections linking Google and Yahoo data centers, where the companies route traffic and store data. Both companies expressed outrage and scrambled to protect their data. Google and Yahoo, as well as other Internet companies including Facebook and Microsoft, were already legally required to turn over stored communications and data that the NSA requests on specific users under the agency's Prism program.

Most companies that invoke the NSA in their marketing focus on encryption. That includes, iDrive, which rented billboards in San Francisco this spring advertising "NSA-Proof Cloud Backup" data storage. (The billboard's slogan: "We won't tell"). Like ProtonMail, iDrive encrypts its customers' data on the user's computer, using a key known only to the user. The type of encryption the company uses, known as 256-bit, has not been broken by the NSA - as far as the public knows.

"We're definitely seeing an uptick from the whole NSA fallout," said Raghu Kulkarni, iDrive's CEO and founder. "There are companies that are better positioned than others, and we may be one of them."

Search engine DuckDuckGo employs encryption too. But its main tactic for protecting users is its refusal to collect, store or share information on users and their searches. Tracking users as they roam the Internet is central to the business plans of Google and Yahoo, allowing the companies to tailor ads with precision, and it generates data that government investigators covet. Although DuckDuckGo, created in 2008, does accept advertising, showing sponsored links in response to search queries, it doesn't track.

"This is something we can do that the big guys can't do," said founder Gabriel Weinberg.

Less clutter

Weinberg argues that search without tracking gives users a better experience, with less junk and clutter clogging their results. "At the same time, you have the benefit of not having to turn over information to the government," he said. "I personally didn't like the idea of participating in that. If you've got the data, you're pretty much legally obliged to give it to them. There's no way around that."

DuckDuckGo is in a small town outside Philadelphia. The Bay Area, center of so many subsets of tech, doesn't command the same position among companies offering NSA-shielded services. ProtonMail is based in Switzerland, with an office in Boston, while iDrive resides in the Los Angeles suburb of Calabasas. There may or may not be a reason for that.

"I get more skepticism about privacy from the valley than I do in day-to-day life," Weinberg said. "There are a lot of Silicon Valley companies built on data mining. The notion of privacy protection has generally been shirked off."

So what does it say about this moment in American history that companies advertise their ability to frustrate their own government's spies?

"Welcome to the future," Eckersley said. "I think in some sense, discovering how big a problem surveillance has become for us is coming to understand the nature of the digital world. And we're going to be living in it for the rest of time."