Section 702 Spying and Its Impact on Startups

The debate over Internet surveillance is heating up on the Hill, and startups are watching.

Debates over government surveillance are often dominated by intelligence community officials and privacy and civil liberties advocates, but U.S. businesses also have a critical role to play in this discussion, as U.S. surveillance impacts businesses’ reputations and opportunities abroad. For instance, one 2014 study estimated that U.S. surveillance could cost the cloud computing industry alone billions of dollars.

And while companies of all sizes should care about how Congress’ actions on U.S. surveillance will impact companies’ reputations and opportunities abroad, it’s the startups without heavy-hitting legal teams that will be especially affected if lawmakers fail to rein in controversial Internet surveillance programs.

Congress has until the end of this year to decide whether and how to renew Section 702 of the Foreign Intelligence Surveillance Act, a sweeping spying power that the U.S. government uses to collect Internet communications en masse. Section 702 is responsible for two specific programs you may have heard of: Upstream and PRISM, both revealed by Edward Snowden in 2013.

Both programs allow the U.S. intelligence community to obtain, without a warrant or other specific court approval, communications that it thinks are tied to “foreign intelligence targets.” These targets are non-U.S. citizens or legal permanent residents whom the intelligence community thinks have “foreign intelligence information,” a broad category that can include things like information about foreign governments. These vague terms could easily sweep in someone like a business owner trying to navigate another country’s regulations.

Upstream involves the National Security Agency (NSA) tapping directly into Internet cables to siphon off and then search overseas Internet traffic. Upstream was in the news earlier this year when the NSA announced that, after being criticized by privacy advocates and its judicial overseers, it would stop one of its search techniques that drastically widened the net of communications of it was collecting.

Prior to the April announcement, the NSA had been conducting “about searches,” or looking to see whether online communications it intercepted merely mentioned identifiers (like email addresses) associated with “foreign intelligence targets.” After the announcement, the agency only looks to see whether communications are to or from those identifiers, but officials have said they want to leave the door open to restarting this practice in the future.

PRISM involves U.S. intelligence agencies going directly to specific tech companies and asking those companies’ for the communications to and from “foreign intelligence targets.” While those targets cannot by law be Americans, the communications from Americans to targets are fair game to be collected through PRISM and then searched later.

Lawmakers have been debating the privacy and global implications of these programs since they first became public four years ago. But with the law’s expiration date at the end of 2017 looming, they’re about to begin taking action. Some members of Congress are already trying to make the law permanent, which would deprive lawmakers and the public the opportunity to periodically review and reassess the law as technology changes. And just last week, a bipartisan group of lawmakers introduced a bill that makes some of the necessary changes to the law.

As lawmakers get serious about addressing Section 702, they need to consider the global impact these surveillance programs have on the startups created, run, and staffed by their constituents.

In recent years, European officials and courts have been extremely critical of U.S. Internet surveillance and its impact on Europeans’ privacy, which is seen as a fundamental right across the Atlantic. In 2015, the European Union’s top court struck down a transatlantic agreement that let U.S. companies store and process European users’ data in the U.S. due to concerns with U.S. surveillance policies. While a new deal, dubbed Privacy Shield, was quickly put into place, it is currently facing similar legal challenges in European courts.

Thousands of U.S. companies rely on these transatlantic deals to legally process and store the data of users based in Europe. A quick scan of the Commerce Department's running list of companies with Privacy Shield certifications shows that companies of all sizes rely on Privacy Shield to do business abroad.

As lawmakers debate reauthorizing and reforming Section 702, they have many national security, privacy, and legal questions to consider, but they shouldn’t forget that this is also a business issue to the many startups across the country that have users in Europe.

Agreements like Privacy Shield allow U.S. small business with few legal resources to reach users abroad, expanding their businesses and, in turn, spurring job growth back home. Failing to address the serious privacy concerns related to Section 702 could gravely hurt the U.S. startup ecosystem, and Congress needs to consider that when debating reauthorization this year.