Last September, while Snowden was living under guard at a secret location in Russia, Yahoo CEO Marissa Mayer seemed caught off-guard when a reporter raised questions about NSA surveillance at the 2013 TechCrunch Disrupt conference in San Francisco.
When asked what would happen if Yahoo ignored an NSA data request or shared it with the press, Mayer uncomfortably replied: "Releasing classified information is treason. It generally lands you incarcerated."
Companies are often left with few options once the U.S. government starts putting the screws to them. So, how do NSA data requests fit in with overall corporate responsibility? What is a company to do when faced with a request that seems to counteract its responsibility to consumers? We spoke with three key experts in corporate social responsibility (CSR) to find out the answers.
A few months before Mayer spoke at TechCrunch Disrupt, Yahoo, along with other tech giants like Google and Microsoft, asked a U.S. surveillance court to open up records that would allow companies to be more transparent, but the requests were denied. “Releasing information that could induce adversaries to shift communications platforms in order to avoid surveillance would cause serious harm to the national security interests of the United States,” Department of Justice lawyers wrote in the redacted brief, issued on Sept. 30, 2013, as reported by PC World.
Predictably, companies, concerned citizens and privacy advocates were furious. But they got a bit of a reprieve in February, when the Obama administration agreed to relax some of the restrictions that barred companies from disclosing how many data requests they receive from the NSA. Under the new rules, a company can now report on how many requests for member data it has received, the number of accounts impacted and the percentage that they respond to. The rule came with some caveats: Although the aggregate data covers a six-month period, it can only be published six months after the reporting period has passed. The rules also prohibit young tech startups from disclosing data about NSA data requests for their first two years in operation.
Lawsuits from Google, Microsoft, Yahoo and Facebook were dropped as a result of the new rules, but companies were quick to note that further change was needed. “We filed our lawsuits because we believe that the public has a right to know about the volume and types of national security requests we receive,” a representative for Google, Microsoft, Yahoo and Facebook told the New York Times in a joint statement. “While this is a very positive step, we’ll continue to encourage Congress to take additional steps to address all of the reforms we believe are needed.”
Nancy Mancilla, founder and CEO of ISOS Group and a leading expert on CSR reporting, also spoke in favor of further reform in a recent interview with Triple Pundit: "It's ridiculous that for six months [companies] are quarantined before they can release that information. In this digital age, with companies that are in that space, it just doesn't seem right."
The American Civil Liberties Union (ACLU) has been particularly vocal in its stance against NSA spying, participating in several rallies in Washington including Stop Watching Us in October 2013 and The Day We Fight Back in February. A year after the story first hit the press, the organization released a white paper calling for further privacy reform.
Along with action points for Congress, the president and the courts, the ACLU provided five ways for tech companies to take action:
"The other thing that's incumbent upon them to do is to get active in the public policy arena," Gunther told Triple Pundit. "So if [companies] feel like there are either too many requests or if the requests aren't fully supported by evidence, they need to be very loud in Washington about trying to put some restrictions on the government's efforts to pry information out of them ... Transparency -- and noisy transparency -- is a pretty good weapon."
"I authored the Patriot Act, and this is an abuse of that law," Rep. Sensenbrenner told the ACLU. "This misinterpretation of the law threatens our First, Second and Fourth Amendment rights. Congress never intended this. I will rein in the abuse of both the Patriot Act and the U.S. Constitution with the support of the American public."
Specifically, the bill would amend Section 215 of the Patriot Act – which is used to "collect the phone records of almost every American every day," as well as gather Internet metadata en masse – so that it can no longer be used in such a sweeping fashion, Michelle Richardson, legislative counsel for the ACLU's Washington Legislative Office, said in a blog post last fall.
A version of the bill was passed by the House in May, but some critics said "the bill’s language governing data-gathering was ambiguous, raising concerns that it still would allow the large-scale collection of data from phone companies and other entities," Ellen Nakashima of the Washington Post reported. Senate aides told the paper last week that a compromise bill could be introduced in the Senate before the August recess.
"I don't even think this a CSR thing," Elaine Cohen said bluntly. "I think most people would agree that any en-masse infringement of privacy just doesn't make sense ... Indiscriminate, unlimited exposure of potentially sensitive information shouldn't be the way governments do business."
"The first responsibility of any corporation is to obey the law," Cohen said. "And if the law says you must reveal certain aspects of your operations, which may include some of your customer data, then a company has every duty and responsibility to first and foremost comply with the law."
"Ultimately corporations have to do what they [can] to raise awareness for things that the law is demanding that may not be reasonable or that may not be in the public interest," she continued, "but ... at the end of the day companies can't pick and choose which laws to obey."
Marc Gunther agreed, quoting what has now become a popular idiom -- if you're not paying for a service, you become the product -- and pointing to the now-commonplace practice of tech companies harvesting user data for advertising purposes.
"We, by the very nature of using a free service like Gmail, Facebook, Yahoo Mail, Twitter, etc., if we're not paying for it with dollars and cents we're in a sense paying for it by agreeing to be sold to advertisers," he told Triple Pundit. "So it shouldn't come as a shock that some of that information makes its way into the hands of the government."
With the Freedom Act making its way through Congress, this story is clearly still developing, and one thing is for certain: Just like Big Brother, we, along with companies, advocates and Internet-lovers across the nation, will be watching.
Based in Philadelphia, Mary Mazzoni is a senior editor at TriplePundit. She is also a freelance journalist who frequently writes about sustainability, corporate social responsibility and clean tech. Her work has appeared in the Philadelphia Daily News, the Huffington Post, Sustainable Brands, Earth911 and the Daily Meal. You can follow her on Twitter @mary_mazzoni.
Mary Mazzoni, Senior Editor, has written for TriplePundit since 2013. She is also Managing Editor of CR Magazine and the Editor of 3p’s Sponsored Series. Mazzoni’s recent work can be found in Conscious Company, AlterNet and VICE’s Motherboard. She is based in Philadelphia, PA.