The Costs of NSA Surveillance

New America Foundation has a new paper on the costs of NSA surveillance: economic costs to US business, costs to US foreign policy, and costs to security.

News article.

Posted on July 29, 2014 at 12:10 PM • 25 Comments

Comments

anonymous • July 29, 2014 12:42 PM

Who cares. Just print more American pesos. As long as those uppidy towelheads don't start selling their oil for Euros or that funny Chinese currency all is well.

jones • July 29, 2014 12:54 PM

It's strange to me that 1) these discussions don't get anywhere unless costs are discussed; and 2) that people don't opt out of the surveillance society by closing their FaceBooks and ditching their "smart" phones.

Seriously, it should be reason enough to be disturbed by this that the Founders prohibited this type of information gathering in the 4th Amendment. The government should obey the law, that's a core feature of what "rule of law" means. And the example of non-violent resistance through non-participation set by Gandhi and the SCLC and vegetarians and vegans ought to be a lesson enough for how to deal with the surveillance society.

There's no having internet without surveillance. It was built by the military for resilience, not for security. CALEA was enacted at the same time that Windows 95 introduced Americans to computers and the phrase "information superhighway" introduced Americans to networking. Surveillance was part of the plan for handing the internet over to commerce.

If you don't like internet surveillance, stop surveilling yourself.

AlanS • July 29, 2014 1:10 PM

Other recent reports on costs of surveillance that I don't think have been referenced here yet:
 
American Civil Liberties Union and Human Rights Watch joint report: With Liberty to Monitor All: How Large-Scale U.S. Surveillance is Harming Journalism, Law, and American Democracy.

U.N. High Commissioner for Human Rights report on The Right to Privacy in the Digital Age. Report PDF here.
 
Summary and discussion of U.N. report on Just Security: Major New United Nations Report Rebukes Five Eyes’ Attempts to Weaken Digital Privacy Rights.

name.withheld.for.obvious.reasons • July 29, 2014 1:32 PM

COSTS? What the government has done in a significant way has disproportionately affected my small R&D company in so many ways it is about to make progress impossible. The NAP's, ISP's, and even the suppliers (with all the ad and browser history) make it nearly a monumental task to do anything related to our work online...even communicating with colleagues and business partners is not possible. I cannot get others to provide secured, at rest, encryption for the most sensitive or proprietary messages, documents, or drawings.

What was once thought possible (encrypted PDF's for example) cannot be considered in the course of regular business. In October of 2012 we restructured our business operations in a manner resembling that of a fortune 100 computational component or systems company just so we could skillfully answer any potential investor or auditing questions. We still have not achieved operational status given what we know. We cannot vet our vendors, suppliers, or manufacturers as to the veracity of their processes even if they CLAIM ISO 900x, 15408, or 2700x.

This crap truly sucks!!!

Mike S • July 29, 2014 2:04 PM

@name.withheld.for.obvious.reasons:
Suggest you try SecureDrop for at rest encryption. See HOPE X talk on YouTube.

anon • July 29, 2014 3:04 PM

@jones:
You do realize the solution you're proposing is utterly incompatible with the modern world, right? Any cellphone, not just smart phone, will give away your position 24/7 to "close enough" standards. Using credit cards and debit cards - those "business records" are all being siphoned up wholesale giving a very clear picture of what you bought and where. License plate readers will track your travels.
Are you proposing citizens should either just bend over and take it, or revert to cave-dwelling hunter-gatherers if they don't want the government knowing every detail of their life?
We share information with those for whom it is intended. It's the government who is claiming that they should be included as intended recipients to everything by strong arming the companies that provide your channel of communications/interactions. Accepting that this is somehow okay is the problem, not using the medium.

ggrainger • July 29, 2014 4:50 PM

I suspect the U.S. government will blame, and criminally charge, Snowden with the loss to business and the government because he revealed these government shenanigans.

Alan Kaminsky • July 29, 2014 5:52 PM

@anon "Are you proposing citizens should either just bend over and take it, or revert to cave-dwelling hunter-gatherers if they don't want the government knowing every detail of their life?"

My wife and I recently returned from a vacation in Holmes County, Ohio, site of the largest Amish settlement in the USA. The Amish don't use the Internet. Some Amish folks have a cellphone at their place of business (if permitted by their local Ordnung), but I doubt any Amish person carries a cellphone in a pocket. As for traffic cameras, I didn't see any; there aren't that many traffic signals in Holmes County anyway.

The Amish are far, far above the level of "cave-dwelling hunter-gatherers", and I suspect they would be offended by the comparison. I also suspect the NSA would have a very tough time surveilling the Amish. The Amish get along just fine, and lead perfectly happy lives, without all the modern contrivances the rest of us "need."

We, the "English" (as the Amish refer to non-Amish folk), could do worse than to imitate at least some aspects of the Amish way of life.

Buck • July 29, 2014 9:25 PM

@Alan Kaminsky

My wife and I recently returned from a vacation in Holmes County, Ohio, site of the largest Amish settlement in the USA.
...
I also suspect the NSA would have a very tough time surveilling the Amish. The Amish get along just fine, and lead perfectly happy lives, without all the modern contrivances the rest of us "need…"
I hope you realize how your second point contradicts your first... ;-) Knowing what we 'know' about the Breaking Amish 'gangstas', and how easy it was for your wife and you to integrate into their community... Perhaps it's not the NSA themselves, but a CIA, DEA, FBI, or just any ol' LEO or collections agency that would insert their own 'confidential' informant here...

BobS. • July 30, 2014 6:48 AM

The paper outlines the tremendous cost of runaway surveillance on Americans and the world in depth.

Then it falls flat.

The recommendations are essentially unrealistic pablum. For example, it supports the completely gutted USA Freedom Act which one representative (Amish) said, "mocks our system of government". Others aren't quite that kind.

Dudes, we are on our own.

mike~acker • July 30, 2014 7:29 AM

The outrage is mis-directed. NSA doesn't sell stolen credit card numbers. "Carding", and other electronic crime -- is facilitated by two principal faults: (1) weak operating software, and (2) weak authentication procedures.

Better solutions are readily available but the information industry skirts around these with a briefcase full of band-aids. At some point the cost of electronic crime will make corrections the less expensive option. But, until we reach that tipping point we will all continue to lament our woes rather than acting to correct them.

Pat • July 30, 2014 11:38 AM

Are you implying that tracking expenditures is important to someone in charge of governmental and/or corporate budgets?

Don't they just raise revenues instead, to compensate, by raising prices, taxes, or cutting corners to cut costs or shortchange customers or taxpayers elsewhere?

It's all so confusing. I don't have the big picture (obviously).

z • July 30, 2014 2:29 PM

Problem is the government sees these as the costs of leaks, not surveillance.

Chris • July 30, 2014 4:25 PM

Hi Funny but as a non-European, reading the Link I would have thought you would be talking about all the money the cloud business etc would lose, but you are just peptalking like it doesn't bother you, high5 to that, shake it all off and move forward, nothing to see here.
Bad publicity is better than no publicity.

Seriously even that it sounds sarcastic I do believe it's right to try to move forward and bloody do the best to make a change, I think that's the whole agenda of this affair anyway.

Hmmm.. funnily enough Cheers dudes

//Chris

Benni • July 30, 2014 4:42 PM

Regarding surveillance costs, we have news from our cheap freshman consultant and former NSA director general Alexander:

http://www.foreignpolicy.com/articles/2014/07/29/the_crypto_king_of_the_NSA_goes_corporate_keith_alexander_patents

He says he will come up with patents that could protect companies from "advanced persistent threats".

Actually, I believe that Alexander knows much about "advanced persistent threats".

We go back to the year 2007. At that time, there was no Snowden, but even other NSA employees were disgusted by what the NSA was developing. The German computer magazine C't mentions in an article from 2007:

http://www.heise.de/newsticker/meldung/US-Geheimdienst-NSA-hat-Schwierigkeiten-mit-der-Internet-ueberwachung-146028.html

"After trailblazer, a program for internet surveillance had to be cancelled in 2005, its successor turbulence is in difficulties. Turbulence was started at the time when Alexander became director of the NSA, and for Alexander, turbulence has the highest priority.

According to an anonymous NSA employee, it should cost 2 billion dollars. Up to 500 million dollar each year are invested for the project which gets delayed again and again, and faces technical difficulties. Apparently, the NSA fears that the democrats which lead the security councils will look closer than this has happened before.

Turbulence consists of many subprograms and should monitor the internet, as well as manipulate data streams in order to block the information flow if necessary.
Turbulence should monitor individual network routes and thereby filter suspected data packets or block their transmission. Parts of turbulence should identify social networks, install programs in networks in order to collect data, or search after patterns in databases. Compared to trailblazer, turbulence uses a different method. Trailblazer should collect all data from the internet first, and then analyze it"


Now, thanks to edward snowden, we know what turbulence is. The wikipedia article on it

http://en.wikipedia.org/wiki/Turbulence_(NSA)

mentions this document, where NSA tried to sell turbulence to Congressmen.

The slides show turmoil to be a part of turbulence

http://en.wikipedia.org/wiki/File:What_A_Success.pdf

And what is turmoil?

Well that is this:

How the NSA Plans to Infect ‘Millions’ of Computers with Malware:

https://firstlook.org/theintercept/article/2014/03/12/nsa-plans-infect-millions-computers-malware/

From the slides above, it becomes clear that turmoil was not just a small misguided project of NSA. Instead it was a major effort that was backed up by congressmen.


And now you have to imagine. How rotten and disgusting must congressmen be, when they approve a project, even spending 2 billion dollar on it, that aims to infect millions of computers with malware?

And how rotten must NSA director Alexander be, when he made this his primary project in 2007?

Yes, that man knows much about persistent advanced threats.

Because he was personally responsible for developing them....

No, this is not just a corrupt agency. This is a completely rotten and disgusting government and agency that we deal with here.

What do they think they are? Do these congress men really think that non-us persons do not have a right on a computer that is free of malware?

And they have criticized turmoil because of what? Because it was "not effective" and "its development was delayed" and "bureaucratic"?

Apparently, the US congress thinks US malware on millions of foreign computers is a good thing, as long as it supports them in their goals. This is the thinking of a rotten government that believes the foreign population around it consists entirely of unworthy underlings.

DB • July 30, 2014 9:27 PM

@Benni

"This is the thinking of a rotten government that believes the foreign population around it consists entirely of unworthy underlings."

Make no mistake, this is the thinking of a rotten government that believes ALL PEOPLE EVERYWHERE (including their own citizens!) are unworthy underlings, it's just not yet politically expedient to admit to that... but if what they are saying is accepted by the populace, and some people really are accepted as enslaved to other people, after a while they will throw off all pretenses and openly admit to enslaving everyone...

Like A Disgraced Cosmonaut • July 31, 2014 1:46 AM

I think people see an emergence of a massive pattern that disturbs them, one which they previously just had a fuzzy, almost unconscious view of -- with these Snowden disclosures.

This is my conclusion at considering the sudden, global balking; perhaps, especially as discerned in these discussions about the enormous cost.

I go, "how did they know", and "how did I know".

The basics were already there. One was that they were well aware of mass hacking by nation states. A seemingly minor point in the jigsaw puzzle. But, the US was oddly absent from all of that. If China was hacking every nation, left and right, what, on earth, was the US doing?

And they had a lot of puzzle pieces to everything: the internet was formed, basically under US Military research. The chips everyone depends on come from there. The operating systems. The major tech companies that founded the four corners of the internet. The underlying infrastructure was straight from the darkest, smartest teams of researchers the US Government had.

You know they were deep in telco from some of the earlier disclosures.

With Prism, and these other disclosures, you see a strong pattern of the US Government deep in the middle of everything. I especially mention Prism because of the hot denials, in concert, from the companies highlighted there. Not only did they all come out and deny everything, they protested these things. And they now stand to lose.

You see the US Government and other Five Eyes countries being very up in arms over major Chinese hardware makers. Telcos and router makers. No details really given, they seem like blind claims. But, it is hard to miss China's suddenly very loud balking at US chip makers and major vendors like Apple. (Which comes about the same time as releasing of deep code that looks distinctly like legitimate backdoor code.)

People can argue, "so they have the main cables and major artery of the internet", and "so they have a lot of the major hardware and software vendors". So what. This does not mean they have backdoors in all of that. And we have strong crypto. They must not have broken it, even if it largely came from US shores. After all, there are experts who constantly certify all of this.

We trust their expertise.

Has the US government been angel funding a lot of these companies, seeing the direction, even guiding the direction of the internet to ensure that they had the keys to everything?

And what about other governments? If they are aware of severe backdoors in these products, why don't they mention it? Could it be because they want to keep quiet on their own discoveries to play the same game, or even utilize those very backdoors for their own purposes?

Maybe, for instance, Microsoft has had so many security vulnerabilities, so consistently, in their products is because a system had been created to ensure there always would be new ones? Maybe the stuxnet code was relying on bugs not found, but planted in the first place? Cleverly designed, intentional vulnerabilities designed specifically to evade the latest methods of vulnerability analysis?

Anyway, thought I would just throw this out here, and also point out the reason why technologists don't buy this even if they may be more conscious of this seeming pattern than lay people: people are simply not that competent. They are human beings. If you give them a bow and arrow, they will miss the target. They surely can't shoot it straight on a hundred percent of the time. They are error prone creatures. Error is necessary for social evolution. It, by mistakes, ensures progressive change beyond the capabilities of deliberate consideration.

Wesley Parish • July 31, 2014 5:40 AM

And I wondered why I liked Radiohead so much:

Can't get the stink off
He's been hanging round for days
Comes like a comet
Suckered you but not your friends
One day he'll get to you
And teach you how to be a holy cow

You do it to yourself, you do
And that's what really hurts
Is that you do it to yourself
Just you and no one else
You do it to yourself
You do it to yourself

name.withheld.for.obvious.reasons • July 31, 2014 11:02 AM

In February 2010 my company shut down due to a death in the family and it took nearly three years to return to operations. My first task was to survey the technical industry as three years is a "career change" worth of time in electronic design. I quickly discovered that the commercial markets were compromised; manufacturers, suppliers, and vendors all had data and tracking issues and actively participate in big-data collection for companies like check-point, Experion, Trans Union, and the like. Understanding this, the reality for any technology-based organization is how to maintain proprietary data, contact relationships, and operational details without giving away the store.

Personal data is subjected to a litany of abuses, data brokers and aggregators combine with social media/internet marketing companies to compound abuse. All those little "like" this and "ass-book" this tags along with XML/URL/URI data tracking methods and some help from your ISP/NAP helps provide a schmuck somewhere on Wall Street and a poor excuse for a politician, the capital they need to extract from you your penance.

What was at one time a useful tool for research and development, source selection, design and electronic tool evaluation, and basic market research could lead (especially behind single network entry points) to exposing a company's latest research investigation and confidential business trade-craft.

Add an Orwellian government "gotta have it all" mentality to the mix and if you are serious about starting a technology-based enterprise it is wise to think carefully about the scope and scale of issues that could lead to the loss of business, process advantage/innovation, or resources. For myself, nearly $100,000 into a business venture that cannot leave the ground it is concerning; criminal negligence by the hand of the government supported by a morally and ethically corrupt political system leaves one to conclude that the U.S. is a banana republic...maybe I can get a good deal on smart and trendy youth clothing.

Like A Disgraced Cosmonaut • July 31, 2014 9:41 PM

@name.withheld.for.obvious reasons

I get where you are coming from, but have a positive outlook myself. I suppose the REM song, "The end of the world as we know it and I feel fine" may sum up my stance on that.

I suppose my stance is pretty optimistic. My view is, 'if the free world goes totally totalitarian then they will be destroyed and the world will change'. What is it like... like allergies. Like a drum being filled up. All these horrible regimes and horrible genocides and horrible times... and somewhere, there is a breaking point.

I have incredible, perhaps insane, confidence, that if these free world nations... so very close to a true, better place... end up Hitlerian, Stalinism, Pol Potism... that then, everything will collapse. And something far better will take over.

65535 • July 31, 2014 10:49 PM

I am late to this discussion so I will keep my observations to the point.

@ Benni

Those are good links.

I now sense a lot of “PR spin” by the major players to suppress the reality that these companies cannot be trusted. This would include the major cloud players.

If you are planning to use US jurisdiction cloud companies then you should be careful what information you place on those cloud data centers – you know the information will be read and disseminated [by even five-eye companies].


“Make no mistake, this is the thinking of a rotten government that believes ALL PEOPLE EVERYWHERE (including their own citizens!) are unworthy underlings…” –DB

By weaponizing the internet the government-industrial complex has created a one-way mirror where the government can look at you but you cannot look at them. This is the antithesis of a democracy. It is enslavement, a police state, or what you choose to call it. It must be stopped.


“I quickly discovered that the commercial markets were compromised; manufacturers, suppliers, and vendors all had data and tracking issues and actively participate in big-data collection for companies like check-point, Experion, Trans Union, and the like. Understanding this, the reality for any technology-based organization is how to maintain proprietary data, contact relationships, and operational details without giving away the store…” -name.withheld.for.obvious.reasons

Yes, that is the problem.

The system is broken at the core. Without privacy business cannot function. A proprietary business plan or drawing [or even a customer list] being revealed to a competitor can break a business.

This constant monitoring of all communication affects everyone: Doctors, lawyers, accountants, investment advisers, business planners and their respective clients, to the point where critical information could be sold to a competitor and the business destroyed.

People are now being more careful of what they say over the wire because it could ruin their livelihood.

The situation is more dangerous than the Orwellian TV set watching the viewer. All communications could be captured along with a location and time stamp [including license plate readers capturing your family location to post cards to your children photo-copied at the Post office].

The vast drag net of information collection from the 9/11 emergency era is over and it should be stopped. The quickest way is to force the defunding of these spy agencies and get proper judicial oversight to enforce privacy laws.

This will not be an easy task due to the number of big players involved but it must be done! We are the ones funding this grotesque misuse of spy power and we should be able to shut it down.

Figureitout • July 31, 2014 11:20 PM

In February 2010 my company shutdown due to a death in the family and it took nearly three years to return to operations.
name.withheld.for.obvious.reasons
--Sorry about that. Your comments and sentiments are *spot* on. I have pretty similar worries and I feel like the owner of the company I'm at right now would *possibly* be into a high-security business model due to OPSEC/cleanliness that is required, but most importantly the money that is coming...I won't mention anything more due to the respect I have for the owner and the company, I suspect deep transnational compromise already (French and Korean in particular) but that's extremely hard to prevent unless you make the culture and atmosphere totally sterile...which I wouldn't mind but a lot of "normal" won't like at all. I aim to bore and troll those attackers, which I've become pretty good at. Reason being my dad has quite a few patents (nothing totally insane, just pretty good) so any intel-agency will probably look him up on google-patents and look to steal his work, which he doesn't care enough to protect sometimes; and I get into arguments w/ him when I tell him weaknesses, "Hack my computer!", he says...as if I haven't already...

I will say that there has been a physical break-in at the company, but the attackers left lots of computers untouched, but got the "sales" computers, hopefully that doesn't mean a sponsored attack by competitors seeking our buyers...Also it's easy to connect to all the wifi networks of all the businesses around (some of which I'm extremely suspicious about..) and like every other physical business location there are some glaring holes that any attacker will exploit w/ pleasure...

maybe I can get a good deal on smart and trendy youth clothing.
--No, f*ck that stupid market. Have respect for yourself and go out w/ dignity. We need old guardians, which I'm already becoming as I'll probably burn out quickly due to the environment today. Otherwise no hope.

Skeptical • August 2, 2014 7:35 PM


This is a paper that seems to have been started with its conclusions already set. So far as I can tell, it does not make any attempt to unify and aggregate the various costs it references in a manner that would enable someone to meaningfully offset them against the benefits of the programs it criticizes. It also includes melodramatic claims that detract from its credibility, e.g. "[w]e literally cannot afford to continue ignoring the costs...."

The most damaging part of the paper, though, is how thin the economic arguments for its recommendations are.

Foreign governments may want systems that are resistant to US eavesdropping, but they don't want systems that are resistant to their own eavesdropping. Most of the countries mentioned in this report as cancelling contracts that harm US business, such as China or Brazil, are not going to be interested in systems that they cannot eavesdrop on. No US company is going to win Chinese Government contracts by providing them equipment for employees or customers that they themselves cannot conduct surveillance upon.

Nor are foreign governments likely to place much trust in some limitation of intelligence collection to "specific national security goals" rather than "foreign intelligence" (one of the measures advocated by the paper).

Whatever the economic damage is, and it's likely less than some of the estimates quoted in the paper, it was done the moment an orchestrated campaign of leaks about US intelligence collection in foreign countries was launched.

As to foreign companies and foreign individual consumers... to the extent their decisions are free from the influence of their own governments, I doubt that "the NSA factor" is any greater than, and probably much less than, the factor of surveillance by their own governments, or that of monetary cost and product performance. If anything, the lack of leaks showing any commercial espionage by the US, and the clean focus on national security concerns by the US, should encourage them to buy from companies based in the US over those based in countries where governments do practice commercial espionage or where governments are more susceptible to corruption.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.