When news broke this past summer that the National Security Agency has been siphoning data from the likes of Google, Apple and Facebook, consumers like you and me, and pretty much everybody else, had two stark options. We could shut down our Facebook and Gmail accounts in protest, and run back to the loving embrace of Canada Post. Or we could squirm a little bit at this uncomfortable new dystopia and get on with the day.
To the surprise of no one, the second option proved more popular. There has always been a disconnect between the principled outrage of columnists and actual consumer behaviour. Fretting about these risks has long been the province of CIOs and fans of tinfoil haberdashery. But as the scandals mount, data security is worming its way into consumer consciousness. The question is whether consumers can be prodded into doing anything to protect themselves.
The NSA scandal has its transfixing qualities. It comes loaded with international intrigue and the conflicted character of Edward Snowden, the soft-spoken, goateed NSA-analyst-turned-Russian-refugee who decided the world needed to know that the U.S. government had arranged for large-scale access to consumer data stored on cloud services like Facebook.
But the most significant element of this saga could be that it introduces a whole new kind of surveillance to the public awareness—one distinct from the kind of monitoring that has dominated the popular imagination so far.
That more familiar type of surveillance is what you might call network monitoring: the threat that someone might tap in to your data as it traverses the Internet's pipes. The NSA has long stood accused of tapping the Internet's key junctions. And last year, the Canadian government stirred outrage when it tried ordering Internet service providers to re-engineer their systems for surveillance.
This latest NSA scandal, on the other hand, concerns data that has already gone through the network and arrived at its final destination. The Prism program allegedly had the U.S. government using various secret legal bludgeons to force the likes of Google, Apple and Microsoft to give it the means to scoop up data that users stored on the companies' servers. All the network encryption in the world is useless if the government simply does an end-run around it and nabs the data at its destination.
The two types of surveillance can be fought in different ways. In the case of network monitoring, the most effective means of protection is encrypted communication. Toronto-based SurfEasy sells a virtual private network (VPN) service that encrypts traffic travelling between clients' computers and their servers, protecting the data from anyone trying to peek in on their WiFi connection or the service provider that connects them to the open Internet.
VPNs aren't new; in fact, they're standard issue for corporations that want employees to log in to corporate intranets in a secure way. But SurfEasy isn't for corporate IT folks at all: It's a consumer product that you, or your mom, can buy off the shelf at Staples, Best Buy, Target, even London Drugs. When drugstores are giving shelf space to VPN software, it's a sign that the general population is getting rattled.
But off-the-shelf software isn't going to help when state actors can grab data directly from servers. That requires a much tougher response from consumers: ditching web services like Gmail in favour of ones that aren't based in the United States—difficult when the world isn't exactly crawling with alternatives.
Offering those alternatives could be a growth market. A survey by the Cloud Security Alliance in the wake of the NSA revelations showed that 56% of non-U.S. members said they'd be less likely to use an American-based host. And Canadian hosting companies like Calgary's GlobalWorx are actively marketing themselves as "100% Canadian," not only selling server space that's out of the NSA's reach, but hosting web applications that customers are more accustomed to using on American servers.
Unnerving as all this is, these kinds of privacy breaches haven't been a deal-breaker for users. Google, Facebook and their ilk have spent a decade repurposing our personal data, despite consumer discomfort with the idea—and so far, we've abided by the pact.
But as the NSA scandal ratchets up popular unease, companies that put privacy first could find a much more welcoming market than before. Nobody's running back to Canada Post, bless them, but the time might have finally come for web services to make a buck by making us a better offer. /Ivor Tossell