September 3, 2013
The widespread electronic surveillance activities of the National Security Agency (NSA) disclosed by Edward Snowden now appear to be placing American companies at a notable competitive disadvantage in commercial markets. That surveillance also has important business and legal implications for all users of the products and services provided by those companies.
Reportedly, German authorities have determined that government agencies in that country should not use Microsoft’s “Windows 8” product. The German Federal Office for Information Security (BSI) has apparently concluded that Windows 8 poses an unacceptable security risk. That conclusion is based on a review of the product by the BSI which was prompted by the Snowden disclosures.
The German authorities reportedly believe that Windows 8 has been engineered to permit the NSA to access the computer systems running that software. This “backdoor” would provide a vulnerability which could be exploited by the NSA and by other parties. It would make the computer system and the data communicated or stored on that system insecure. Based on these findings, the BSI has reportedly decided that Windows 8 should not be used for German government activities that require security.
This action by the German government is an important blow to Microsoft’s competitive position. If other national governments follow this lead, Microsoft could face serious commercial consequences.
Snowden’s revelations suggest that the NSA likely required many other companies to incorporate similar security backdoors into their products and services, as well. As government users around the world follow the German lead, it seems that other major American companies will find themselves facing similar bans based on the existence of data security vulnerabilities in their products and services that were required by the NSA. This could adversely affect the international competitive position of many American companies.
As governments take these actions, major corporate users of these communications and information technology products and services are also likely to reconsider their use of the American products. Corporate users operating under contractual or regulatory obligations to protect certain confidential data and personal information from unreasonable risk of disclosure will need to reconsider their use of products and services provided by the American companies to the extent that those products and services are known to contain security vulnerabilities mandated by the NSA. Those corporate users could face legal liability if they continue to use the American products and services after government users have concluded that those products and services are inadequately secure.
By insisting that a range of communications and information technology products and services be engineered to provide it with access to the computer systems and content of users, the NSA has unintentionally undermined the competitive posture of many American companies in international markets. Those actions by the NSA have also placed American corporate information technology users at risk of significant potential legal liability. These serious adverse consequences should be recognized and examined carefully as we consider the overall costs and benefits associated with government electronic surveillance.