After Edward Snowden's disclosures regarding the alleged scope of National Security Agency (NSA) surveillance of communications involving Americans and others were published, an expanding discussion of the impact of electronic communications monitoring emerged. Much of that conversation focuses on the effects the spying has on the civil liberties of individual people. To date, however, little attention has been paid to the likely impact of the surveillance on businesses and other organizations. It is important that businesses understand that the broad communications surveillance described by Snowden has significant implications for organizations as well as individual citizens and that those implications must be recognized and addressed.
Snowden's disclosures describe a world in which virtually all communications, including telephone conversations, electronic mail messages, social media posts, shared documents, and Web browsing can be monitored by governments on a global basis. In this environment the "metadata" (including telephone numbers, e-mail addresses, and Website URLs) are collected and analyzed to identify connection among communicating parties. In addition to the metadata, the actual content of large volumes of voice, e-mail, social media, and Web communications are also reportedly collected and stored for future analysis.
The volume of communications data and content collected appears to be of such great scope that it is difficult to comprehend. Snowden and others allege that the NSA and its British equivalent signals intelligence organization, the Government Communications Headquarters (GCHQ) each routinely harvest the entire communications traffic transmitted through specific undersea communications facilities around the world.
Snowden claims that the GCHQ, through its "Tempora" program captures and stores all of the communications content handled by more than 200 undersea cable facilities around the world for periods of thirty days. The GCHQ allegedly stores that data for future analysis and shares it with the NSA.
If these allegations describing the scope of NSA and GCHQ communications surveillance are accurate, we must effectively assume that essentially all telephone and Internet communications are likely to be subject to government monitoring as to their metadata or their content. The extensive communications monitoring activities identified by Snowden capture the communications of individuals and those of businesses and other organizations alike. This situation has important consequences for individuals and for organizations.
Individuals must assume that the privacy of their electronic communications has been compromised. In this setting, there are virtually no personal secrets that an individual can confidently assume to be entirely private.
Organizations must assume that none of their electronic communications are entirely secure. They should use best efforts to protect all electronic content, through use of strong encryption, for example, yet they must recognize that even the strongest commercially available encryption is no match for the code-breaking capabilities of the NSA and other government intelligence organizations.
Businesses and other organizations should also reconsider their overall use of electronic communications. Although electronic communications systems offer great economic value and important functional capabilities, the NSA revelations suggest that those systems may, in some ways, actually be less secure than old forms of communications such as paper documents and traditional mail and express courier services.
Organization should consider carefully the type of content they choose to communicate electronically. Prudence suggests that organizations may be better served if they choose not to communicate their most sensitive materials electronically. For all content which is communicated using electronic systems, best efforts should be applied to make that content secure. Despite active use of encryption and other protective measures, however, the working assumption should be that governments will have the ability to identify the parties involved in the communications and will have access to communications content, as well.
In addition to interception of electronic communications, Snowden's disclosures suggest that the NSA is actively involved in ongoing efforts to access material stored on computers and in closed computer networks. Similar allegations have been made against governments in China, Russia, and North Korea. In this environment, organizations should apply best efforts to implement effective safeguards for their computer networks, including active use of firewalls. They should also consider storing their most sensitive materials on computers that are not connected to the Internet. Organizations should also make sure that their most sensitive content is not stored on document sharing systems or "cloud" computing networks.
Businesses should recognize that massive government surveillance of electronic communications threatens both the civil liberties of individuals and the security of organizations. To date, the concerns expressed regarding broad electronic surveillance of communications have been largely voiced by those emphasizing personal civil liberties. Businesses and other organizations should join this debate as they too are significantly affected by government communications surveillance activities.