One of the reasons electronic surveillance tools such as PRISM work so well is that much of the world's Internet traffic goes through U.S. servers. The American companies that own and operate that equipment can be subpoenaed and the data handed over to the government. Voila — intelligence secured!
But that works only so long as the traffic keeps going where intelligence agencies want it to go. There are signs now that the gravy train of easy data is coming to an end. Foreign companies that once considered hosting their information on U.S. servers are beginning to change their minds. And they're not the only ones. Governments are growing more wary, too.
Brazil, for example, is weighing a law that would bar companies such as Google and Facebook from storing data on its citizens in servers based in the United States. Instead, the data would have to be stored domestically, under Brazilian jurisdiction.
Then there are independent communications services that vow to have nothing to do with the United States or its allies. Kim Dotcom, the creator of the filesharing website MegaUpload, said earlier this month that he intends to build a new encrypted e-mail service, possibly in Iceland.
"I expect that more and more Internet businesses will find the hostile U.S. environment unbearable and will move their business elsewhere," he told TorrentFreak. "Who wants to store any sensitive data on U.S. based servers anymore?"
Of course, many of the Internet's largest companies — Google, Facebook — are still probably going to do much of their work in the United States. And the NSA has other tools at its disposal for going after unencrypted foreign communications, such as XKeyscore.
But thanks to the NSA leaks and the government's reluctance to fully disclose its activities, criminals are about to have more ways to evade online detection than ever. Investigators' jobs will get far more difficult if their suspects' communications suddenly vanish from U.S. servers and reappear in an encrypted format in a country that won't cooperate with American demands. The task for Washington, then, is to keep data from fleeing the country.
One way it can do that is by clearing up the rules associated with information requests, says Christian Dawson, co-founder of the Internet Infrastructure Coalition. Being more specific about what is being seized — and lifting the gag order that prevents companies from telling their customers about it — may help restore international confidence in the system. It's not a weakness to be transparent, in other words. To the contrary, it gives companies greater assurance that the system is not being secretly abused or subverted.
"The Electronic Communications Privacy Act was written in 1986, before the rise of the commercial Internet," says Dawson. "It forces law enforcement to use terminology that doesn't make a lot of sense to this industry. A lot of well-informed officers will come to us and ask for things like subscriber information. I'll say, 'Well, we're a Web hosting company. We don't have subscriber information. What is it you really want?'
"The more comfortable companies are hosting in the United States, the more the economy grows," Dawson adds. "Without that, you push law enforcement's problem cases out to the fringe."