When Edward Snowden made the decision to leak information about the National Security Agency’s (NSA) surveillance activities, he contacted Laura Poitras – signing off his emails as ‘Citizenfour’.
Over the next few months, Poitras and Snowden continued to exchange encrypted correspondence until June 2013, when Snowden was ready to meet.
He chose a hotel in Hong Kong and suggested Poitras take along journalist Glenn Greenwald from The Guardian. CITIZENFOUR documents those meetings in his hotel room, with Snowden explaining the extent of government spying, including that by the British government.
Most people in the industry read the revelations day by day, as they appeared in The Guardian last year.
First Greenwald published that an anonymous source had revealed the NSA was collecting Verizon’s phone records daily, thereby conducting indiscriminate surveillance on millions of Americans.
Then, over the following days, he and Ewen MacAskill wrote about the NSA’s Prism program, which was afforded secret access to the servers of US-based internet companies, including Apple, Google, Microsoft, Yahoo, Facebook, YouTube, Skype and AOL.
Two weeks later, The Guardian published a story about Tempora – GCHQ’s surveillance programme which Snowden explained does ‘a full take’ of data, meaning it’s not just the metadata that they are collecting, but the content too.
The US government won’t do this, as it is against their laws. Britain does not have a constitution, so the laws are more flexible. However, true to form, Britain gave its close ally America full access to Tempora, meaning the US could now snoop on British citizens too.
Why should you care?
Many people take these revelations at face value. They struggle to understand why this mass surveillance is a particularly bad thing. After all, they don’t do anything wrong, so why should they care?
They’ve never knowingly suffered the consequences of being snooped upon, so it seems harmless. After all, this is how they catch terrorists and paedophiles, we are told.
Anyone who says they have nothing to hide is kidding themselves. In the words of F-Secure’s chief research officer Mikko Hypponen, “give me ten minutes on your computer and I’ll find something you’ll wish I hadn’t.”
People are more honest with their search engines than they are with their own family. Whether it’s sexual interests or persuasion, unsavoury friends, controversial beliefs or embarrassing health problems, everyone has something they want to keep private.
Why should this be up for discussion? Everybody has a right to privacy, especially from their own elected representatives.
Granted, if a person is under suspicion of criminal activity, they should be monitored. Targeted surveillance is not bad. Mass surveillance of an entire populace is.
The tools that GCHQ now has at its disposal have created a surveillance state. There is now one CCTV camera for every 11 people in the UK.
By comparison, in the totalitarian police state of East Germany, for every 65 citizens, there was one informer covertly working for the Stasi secret police.
Then, when you consider that nearly everyone now owns a mobile phone, which is a perfect tracking and spying device (with cameras, a microphone, GPS and comms channels), it starts to become scarily clear how far down the rabbit hole Britain has gone.
The only thing holding society (as we know it) in place is a set of policies agreed on by politicians.
However, considering GCHQ doesn’t answer to these politicians, it is not the reassurance required to mitigate the sense of uneasiness that Britain is becoming distinctly illiberal.
Why should your business care?
Two words: competitive advantage. Snowden’s revelations about the Prism program showed that data is not secure if held on US servers.
Jacob Appelbaum features in the film warning the European Parliament that US intelligence will attack “anyone they can, if they perceive an advantage”.
Greenwald reiterates this point when talking to the Brazilian Senate. He explains that the USA’s foreign surveillance activities are primarily about economic competition, not terrorism.
British companies are now at a disadvantage against US competitors due to the unrestricted access the US government has to data held within its borders.
However, technology companies have been afforded an opportunity. Given the choice, most businesses in Britain and Europe would prefer their data to be stored here, where it is safe. It is a USP American companies cannot offer.
The problem with this is that Europe doesn’t have a technology industry. It has regional offices, but few headquarters.
European start-ups that are successful have tended to relocate to California or are bought by US companies – Skype, Minecraft and Nokia Mobility to name a few.
There is only one European software company in the Fortune 500 and that is SAP. If ever there was a time for European technology companies to grab market share, it is in the wake of the Snowden revelations.
It requires the support of European-based companies to purchase services from within the EU though. With IT departments recommending European services, the industry can grow and, most importantly, business data will remain private.
What next?
Over the summer, the British government rushed through ‘emergency’ legislation in the form of the Regulation of Investigatory Powers Act 2000 (RIPA) to ensure it continues to collect metadata on all British citizens from ISPs.
With this in mind, the government is unlikely to revoke its surveillance activities in the short term. Businesses must take measures to protect themselves.
There are some relatively simple steps that should be taken which are extensions to common IT policies in most businesses.
The prevalence of BYOD has opened up businesses to increased security attacks, and now to surveillance too.
Encryption software and VPNs should be deployed on all devices to ensure they are secure. It complements the familiar message that a business’ reputation can be damaged – with all the unwelcome financial impacts this has – if data is compromised.
It can be a hard sell to higher-ups to invest in additional security measures without a clear return on investment visible.
To make the job of selling these ideas easier, everyone in your company should watch Citizenfour. Their jaws will hit the floor and change will be easier to come by.
Sourced from Allen Scott, F-Secure UK & Ireland