Most of the discussion of the NSA’s Prism program has focused on the domestic fallout in the States, with some spill-over into the question of what Google, Microsoft, Facebook and Apple did (or didn’t) do to safeguard user data when the NSA (National Security Agency) came knocking.
There’s another facet to the issue that’s worth discussing, I think, even though it’s going to take months or even years to play out. The Prism leak could lead to fundamental changes in how the Internet is controlled, administered, and routed.
Despite the focus on domestic implications, Prism is a system specifically designed to eavesdrop on foreign Internet traffic flowing through the United States – the NSA even says so.
This leak is a colossal embarrassment for the United States. Every time the UN-backed ITU has raised the issue of a more global approach to Internet governance, the United States has fired back with both barrels and a tactical nuke. Last December, the House of Representatives passed S. Con Res 50 by a vote of 397-0. The opening paragraph of that resolution declared it vital that the Internet “remain stable, secure, and free from government control” and stated that the structure of Internet governance “has profound implications for competition and trade, democratisation, free expression, and access to information.”
For a decade, the United States has fought to position itself as a neutral party that could be trusted to administer the Internet in a manner that was beneficial to all parties.
Now, the NSA has been caught gloating over the fact that Internet traffic routing rules drive foreign data directly into its data centres by the truckload.
Latin America, China and, to a much smaller extent, Europe have precious little reason to trust the NSA, and now have a great many reasons to guard their own digital borders. The question of whether the NSA actually did anything inappropriate is remarkably unimportant when there’s political hay to be made.
So what happens next?
Not every sea change kicks off with a trumpet fanfare and international brouhaha. If this had happened seven months ago, in the run-up to the ITU’s latest vote on Internet governance, it might have been a different story. As things stand, the short-term impact may be minor. Long-term, however, I think things will change.
The above slide shows the amount of Internet traffic that passes through the United States or Canada from other major regions. The percentage of worldwide Internet traffic routed through the US has been falling for years as nations have brought their own IXPs (Internet Exchange Points) online – African traffic, for example, routes almost entirely through Europe. These trends could accelerate sharply now that Prism is in the limelight, either out of a genuine fear of US spying or because politicians see a handy opportunity to launch their own regional efforts and projects. Either way, the total amount of traffic routed through US servers is likely to decrease at an accelerating rate.
The Prism disclosure could cause problems for the United States’ diplomatic efforts in other seemingly unrelated areas. The ACTA (Anti-Counterfeiting Trade Agreement) treaty was narrowly defeated at the last minute, after the various member states of the EU raised concerns regarding the treaty’s negotiation process and copyright strong-arming. There’s a philosophical link between the idea that the NSA has the right to spy on foreign Internet traffic and the treaty’s requirement that various EU member states agree to US-mandated copyright laws and the enforcement mechanisms those laws promote. Both the spy program and the treaty implicitly position the United States as the arbiter of legal rights in a manner that’s not subject to oversight from member states or their own citizenry.
I wouldn’t be surprised to see foreign nations simultaneously boosting their own regional networks and tightening their data protection laws. The long-term impact on companies like Google or Facebook is unclear. It’s one thing to require Google Germany to comply with German privacy laws, but how would Google go about isolating email sent from a German user to a US citizen?
Prism is designed to theoretically intercept such a missive – so what happens if Germany decides it doesn’t like that possibility? I honestly don’t know. It seems unlikely, however, that the status quo will continue. Nations that want to build their own spy systems and carry more traffic internally now have political cover to build the networks and blame Prism as the reason. Countries that were genuinely concerned about US overreach now have a concrete system to point to rather than a vague fear. Regardless of underlying motivation, there are precious few arguments for funnelling traffic through the US.