Tech giants are countering government spying

Jon Swartz | USA TODAY

SAN FRANCISCO — Google, Facebook, Microsoft and Twitter are engaged in a costly tech arms race, with their businesses and cultures at stake. Not against one another, mind you, but a common foe: the National Security Agency.

The tech juggernauts are investing in security technology, lobbying efforts and good old-fashioned PR to thwart U.S. government snooping of their data systems, often without their cooperation or knowledge.

For months, the narrative has focused on data breaches and spying as tech's biggest players quietly stewed over a sense of government betrayal, while assessing threats to their brands because of consumer outrage over invasion of their privacy. The breaches, and their threat to company reputations, are collateral damage of the government's war on terrorism.

"This may be the first time a computer-security problem has had such sustained interest on a national level," says Stephen Cobb, senior security researcher at cybersecurity firm ESET North America.

Google, Facebook and others are pouring money into security, mirroring an industry-wide trend. Cyber IT budgets are expected to soar from $65 billion this year to $93 billion in 2017, says tech market researcher Gartner. Last week, Microsoft confirmed that it plans to step up its cyberdefenses to thwart the NSA.

The NSA's staggering ability to access rich troves of data at the largest companies strikes at the core of consumers' and businesses' confidence in computer security and privacy. Encryption, the holy grail of security for the largest tech firms — in which digital messages are scrambled and unscrambled so third parties cannot read them — was easily cracked by the NSA through court orders, supercomputers and technical wizardry.

Deeply shaken tech executives, who are increasingly dependent on customer data in their pursuit of advertising revenue and fear a backlash from spooked consumers, have been loath to speak publicly about their efforts to counter government snooping.

The government routinely pried into the data systems of the largest tech companies in an online surveillance program it says has been necessary to combat terrorism in a post-9/11 world. It has done so largely without the knowledge of those companies.

The NSA initially said that Americans have not been spied upon and that the programs are intended to monitor foreign threats. Yet some Americans were inadvertently spied upon. Robert Litt, general counsel at the Office of the Director of National Intelligence, told the Senate Judiciary Subcommittee on Privacy last month that the NSA could not say how often Americans' data are accidentally captured.

Other documents leaked to media outlets this year by former NSA contractor Edward Snowden revealed that Google, Facebook, Yahoo, Microsoft, Apple and other tech companies supplied the federal government some information about their overseas customers under a court-monitored program called PRISM. The companies insist that they forked over data only on a small fraction of users and cooperated only when legally required to do so.

Nevertheless, the PRISM program "has materially damaged our reputation and made customers more cautious," says Craig Carpenter, senior vice president of strategy at AccessData.

AN 'OVERNIGHT CHANGE IN BEHAVIOR'

There's good reason for the tech companies' apprehension. The disclosures by Snowden are having real-world impact. A sign of a more gun-shy population: Four out of five people have changed the privacy settings of their social-media accounts in the past few months, and most have made changes in the past six months, according to a Harris poll of about 2,000 people this month.

What's more, the spying revelations have prompted 19% of consumers to do less banking online and 14% to cut back on online shopping, according to a survey of 362 American adults in September. "It's a fundamental, overnight change in behavior — I have not seen this type of reaction to virus or hacking" in more than 20 years, says Cobb of ESET, which commissioned the survey in the wake of the NSA flap.

Ordinary citizens are not bashful about expressing their concern.

"I'm not computer literate, but this bothers me," says Clare Rhodes, 59, of San Jose, who is disabled. "I was born during the Cold War and understand the importance of security. The government needs certain information to protect citizens, but how much do they have on people like me?"

Lou Mazzucchelli, 58, of Providence fears that the problem runs deeper. A Cisco Systems shareholder, he saw the stock take a hit as a consequence of the NSA flap and fears blowback from the spying disclosures could damage the tech stock portfolios of everyday people. "The ramifications go far beyond our personal data," he says.

Some see the contretemps as overblown.

"We live in a digital age where people are sharing literally every stupid thing happening in their life," says Sabrina Cognata, 32, a writer in Los Angeles. "But then they suddenly want privacy? If you want privacy, get off Twitter and Facebook, move to a remote area in Montana, and be private.

"But if you are online constantly and griping about having your rights infringed upon, I think you are a moron."

TIGHTENING SECURITY

Still, many online users have expectations of privacy. So tech titans are fighting back by improving their security and using legal and public relations maneuvers to combat government spying.

Here's what some of the biggest companies are doing:

Yahoo. The Internet icon, with some 800 million members worldwide, took the latest, and perhaps boldest, action this month. It had vowed to encrypt its e-mail service by January but now plans to have all of its data encrypted by March to make it more difficult for unauthorized parties to decipher the information.

Google. The search giant has taken several steps to protect its data from snooping. It has intensified its program to encrypt data passed between data centers — the physical facilities scattered across the globe that house computer systems — and telecommunications and storage systems. It also employs network links between data centers that run at high speeds — typically on its own fiber-optic lines — that are harder to tap, according to a source familiar with the company who is not authorized to speak publicly.

Additionally, the company now frequently changes its security keys, which unlock encrypted data.

Facebook. The social-networking juggernaut has added an encryption method that limits access to data even if a security key is breached. In July, Facebook said it had turned on secure browsing by default. Yahoo followed suit in August.

Microsoft. The software behemoth has taken a legal and policy approach. In June, it was one of the first companies to file suit against the U.S. government, pressing for greater accountability in how the government views personal data. Microsoft has also shepherded the tech, privacy and security communities to push Congress and the Obama administration for legislative reform, seeking greater accountability by the NSA and tighter oversight by Congress.

In September, the four companies petitioned the U.S. government to permit businesses to disclose more information about the volume and types of national security-related orders they receive. The U.S. federal court was established in 1978 to oversee requests for surveillance warrants by law-enforcement agencies against suspected foreign intelligence agents in the U.S.

Twitter did not respond to e-mails seeking comment.

AD DOLLARS AT STAKE

There's no guarantee that the NSA, which was able to crack the digital codes of tech companies before, will be less successful in the future, given its enormous resources and IT prowess.

Still, reassuring the public that sensitive information is safe from the prying eyes of the government is crucial to Google, Facebook and other Internet companies. They need people to keep using their services regularly so they can acquire more data and sell more of the digital ads that bring in most of their revenue. Should enough jittery Web surfers flee, it could slow the companies' financial growth and dampen their stock prices.

The surveillance kerfuffle is becoming an ominous asterisk to what has become a data obsession among major tech companies. Nearly every day, Google, Facebook, Microsoft and countless start-ups are carting out new products and services that breathlessly promise to make the most of cloud computing and data.

More than 1.5 billion people volunteer personal information, including photos, their favorite movies and summer vacation plans, on Facebook and Google.

"There is a tension point as long as Google and Facebook base their business models on advertising from people's preferences," says Siobhan MacDermott, chief policy officer at anti-virus computer company AVG. "NSA goes to (them as) the best source. This reinforces people's fears in Google and Facebook."

"We live in a user-driven, technology-adoption curve," says J.J. Thompson, CEO of Rook Security. "As people get shiny new toys like iPhone, general security lags. It has created an issue that is right in front of our face."