Tools and Weapons: The Promise and the Peril of the Digital Age

by Brad Smith

Today, every aspect of human life is fueled by data. When it comes to modern civilization, data is more like the air we breathe than the oil we burn.

We call the digital infrastructure that supports this the cloud. While its name sounds soft and fluffy, in truth the cloud is a fortress. Every time you look something up on your smartphone, you pull data from a mammoth data center—a modern-day marvel that almost no one gets to step inside.

How do we strike the right balance between public safety, individual convenience, and personal privacy in this new era? How do we protect ourselves from cyberattacks that are using this technology to disrupt our countries, businesses, or personal lives? How do we manage the economic effects that are now rippling across our communities? Are we creating a world that will have jobs for our children? Are we creating a world we can even control?

Since the dawn of time, any tool can be used for good or ill. Even a broom can be used to sweep the floor or hit someone over the head. The more powerful the tool, the greater the benefit or damage it can cause. While sweeping digital transformation holds great promise, the world has turned information technology into both a powerful tool and a formidable weapon.

While we successfully defended against the breakup of the company, it was a difficult, bruising, and even painful experience. When I was appointed the company’s general counsel in 2002, it became my job to hammer out the equivalent of peace treaties with governments around the world and companies across the tech sector. It took almost a decade,6 and we made more than our share of mistakes. Given my role, I personally was responsible in some way for almost all of them.

But we emerged from the challenges both older and wiser.

We learned that we needed to look in the mirror and see what others saw in us and not just what we wanted to see in ourselves. It was like being in the first class to graduate from a new school. We weren’t necessarily first in the class, but w...

When your technology changes the world, you bear a responsibility to help address the world that you have helped create.

In short, companies that create technology must accept greater responsibility for the future.

The tech sector cannot address these challenges by itself. The world needs a mixture of self-regulation and government action.

Put simply, governments need to move faster and start to catch up with the pace of technology.

These challenges come without a playbook, but there are nonetheless important insights that can be learned and applied from the past.

We need to reconcile an era of rapid technological change with traditional and even timeless values. To achieve this goal, we must ensure that innovation continues but does so in a way that makes technology and the companies that create it subject to democratic societies and our collective capacity to define our destiny.

Like the PRISM program, the NSA’s post–September 11 efforts to obtain customer information voluntarily from the private sector raised a fundamental question: How can we fulfill our responsibility to customers while answering the call to protect the country?

Once the question was apparent, the answer was clear. We can’t turn over customers’ data voluntarily without valid legal process. And as the company’s most senior lawyer, I have to take responsibility—and bear any criticism—for this position. After all, who better than the lawyers to defend the rights of the customers we serve?

Governments serve constituents who live in a defined geography, such as a state or nation. But tech has gone global, and we have customers virtually everywhere.

For five years our two companies had battled our differences before regulators around the world. Google argued for restrictions on Windows. Microsoft argued for restrictions on Google searches. We knew each other well. I had a lot of respect for Kent Walker, Google’s general counsel. But no one would have accused us of being best friends.

Given the Washington Post’s report about the NSA tapping cables run by American companies outside the United States, I thought it was an important question. Valerie thought he’d find the topic interesting. She was right. As I spoke with the president, the former constitutional law professor emerged. While President Obama had clearly mastered more constitutional law than I remembered, I recalled enough to have a respectable conversation.

As I commented to officials while visiting nations in the Middle East, “Ireland is to data what Switzerland is to money.”

In other words, it is a place where people should want to store their most precious personal information. It feels like the last place that would produce a modern-day counterpart to the Stasi prison we had walked through in Berlin.

One reason is that more countries now want to store their data within their own borders. While this prospect had never excited the tech sector, in some ways it’s understandable. In part it’s a matter of national prestige. It also guarantees that a government can apply its own laws and ensure that its search warrants can reach all the country’s data.

We’re fortunate to work in one of the most lucrative economic sectors of our lifetime. But the money at stake pales in comparison to the responsibility we have for people’s freedom and lives.

For this reason, every decision to put a Microsoft data center in a new country requires a detailed human rights assessment.

That’s when I first realized the importance of using my computer to do what I needed to do better—writing memos and drafting legal decisions—without upsetting old practices that still worked well. It’s a valuable lesson that I take with me to this day: Use technology to improve what can be improved while respecting what works well already.

“There is absolutely no way that my state will ever put any of our data in an American company’s data center unless you get this reversed.”

“What has this case got to do with photons?” I wondered. “And why are we talking about New York?”

But I had learned a valuable lesson that went beyond the need for me to keep a straight face during the hearing. The justices didn’t always understand every detail of the latest technology, but they had younger clerks who did. And the justices complemented that factual understanding with wisdom and judgment that often went even beyond the law itself.

Even though this type of tactic is known to many computer users, it’s hard to combat. As one person tweeted from network security company RSA’s annual conference in San Francisco, “Every organization has at least one employee who will click on anything.” The technique takes advantage of human curiosity, as well as people’s carelessness. As we analyzed hackers’ activities, we found that the first thing they often did when they successfully penetrated an email account was search for the keyword password. As people accumulated more passwords for more services, they often sent emails to themselves with the word password in them, which made for easy pickings for hackers.

One aspect of this novel approach was an easy win—we were pretty much guaranteed the hackers would not show up in court to defend themselves. How could they?

They would subject themselves to jurisdiction and even prosecution. The DCU team had succeeded in achieving something that we’d always sought to do but that was typically difficult to achieve. Our legal strategy had turned the hackers’ strength—their ability to hide in the shadows—into their weakness.

it was apparent that emails were not the only digital technology that risked being weaponized. One of the important lessons in the field of risk management is that you need to think about both the risk that you’re most likely to face and the risk that, even if unlikely, would be the worst to have to face.

Olga donated her life’s savings to build a museum that would memorialize an important story that she wanted to ensure the world would neither forget nor repeat.

“So what should you want if everything’s allowed? And then people run themselves ragged in all directions.”

Beginning in the 1960s, landline telephones had a similar effect on families. For teenagers, spending time alone in their bedrooms now meant spending time with their friends on the phone and later on their computers. The members of a family found themselves alone together in the same home.

Repeatedly over time, technology has made the world a smaller place, but people are less connected with those living next door or under the same roof.8

By manipulating American-made technology, the Russians were able to reach into and stir the US political pot. This foreign influence spilled over into the real world, notably during the IRA’s successful effort in 2016 to organize a synchronized protest and counterprotest in Houston.11 Neighbors shouted at neighbors, unknowingly egged on by people in Saint Petersburg, Russia.

Interestingly, the same approach is used by a nongovernment initiative launched by two prominent Americans from the media sector—one a conservative and the other a liberal. Gordon Crovitz is the former publisher of the Wall Street Journal and Steven Brill is a former journalist who founded The American Lawyer and Court TV. Together they created NewsGuard, a service that relies on journalists to create what they call “nutrition labels” for the media. Working through a free internet browser plug-in, NewsGuard displays green or red icons next to links on search engines and social media feeds, including Facebook, Twitter, Google, and Bing, indicating whether a site is “trying to get it right or instead has a hidden agenda or knowingly publishes falsehoods or propaganda.”33 In addition to rating news and information websites, NewsGuard applies a blue icon for platform sites that host user-generated content and an orange icon for humor or satire sites designed to look like legitimate news. There are gray icons for websites that haven’t yet been reviewed and rated.34

Ultimately, there are two broader lessons that emerge. First, initiatives from the public and private sectors will likely need to move forward together and complement each other. And, second, despite the novelty of current technology, there is a lot to learn from the challenges of the past.

At one level, we can divide these activities into separate categories based on principles that we connect with fundamental human rights. But at another level, realpolitik has changed in a critical respect. Until recently, communications technologies seemed to favor democracy and put authoritarianism on the defense. Now we must ask whether the internet has created an asymmetric technology risk for democracies that authoritarian governments can counteract more readily than the republican form of government that Franklin’s words urge us to protect.

When Casper Klynge arrived on Microsoft’s Redmond campus in February 2018, he could have been mistaken for a tech entrepreneur. Or given his sharp dress, California vibe, and less-than-close shave, perhaps an actor or musician. When I shook his hand, I paused to recall whom I was meeting.

Casper is not your typical ambassador. And he doesn’t have a typical assignment. He is the first person to serve as Denmark’s tech ambassador, responsible for connecting the Danish government to tech companies around the world. His “embassy” has more than twenty employees working on three continents, with staff in the United States, China, and Denmark.

When I had met with a group of European ambassadors in Copenhagen the preceding spring, Casper’s new job was on people’s minds. The Danish foreign minister, Anders Samuelsen, had proclaimed the position “a world first” and a necessity, stating that tech companies affect Denmark as much as countries do. “...

We also encountered pushback from people who objected to the notion that international companies would protect civilians on a global basis rather than help their home government attack other nations. As one Trump adviser challenged me on a trip to Washington, DC, “As an American company, why won’t you agree to help the US government spy on people in other countries?” I pointed out that Trump Hotels had just opened a new property in the Middle East as well as down the street on Pennsylvania Avenue. “Are these hotels going to spy on people from other countries who stay there? It doesn’t seem like it would be good for the family business.” He nodded.

In 2018, we were once again looking back to the future. As former US ambassador to Russia Michael McFaul put it, there was no longer a Cold War, but instead a Hot Peace.14 It’s time to dust off some of the lessons from the past.

All of this points to the continuing importance of international diplomacy. As we think about this new generation of diplomatic challenges, there are some new tools in the diplomatic toolbox. The Danish foreign minister identified one of our new opportunities when he said that tech companies have become a “nation” of sorts.

In the final weeks running up to announcing the Cybersecurity Tech Accord, we shared our plans with the White House and key officials in other parts of the United States and other governments. We didn’t want them to be surprised. We got positive feedback from the White House itself, but we heard through the grapevine that some in the intelligence community had concerns about the language pledging not to help governments launch cyberattacks against “private citizens and enterprises.” They were concerned that the reference to “private citizens” would cover terrorists and mean they could not turn to the tech sector if there was such an emergency. It was helpful feedback. We changed the text to refer to “innocent citizens” instead, which seemed to address this issue.

It seemed ironic and even uncomfortable as a company to advance the mantle of multilateralism, which typically was the role of governments. But we found far more support than criticism as we pushed forward. And as we made progress, an increasing number of companies expressed a desire to join in.

Viewed from this perspective, the most novel aspect of the Paris and Christchurch calls is perhaps the involvement of companies, as distinct from other types of non-state actors, on a new generation of humanitarian and arms limitation issues. There is no doubt that some will be more skeptical of companies than of NGOs. But given the degree to which cyberspace is owned and operated by these companies, it seems hard to argue that they have no role to play.

Perhaps as much as anything, we need to advance digital diplomacy with a sense of determination based not just on new circumstances and hopeful lessons from the past, but history’s sobering failures as well. We were reminded of this when we visited the United Nations European headquarters in Geneva for a speech in November 2017. The Palais des Nations, which now houses the UN, served as the headquarters for the League of Nations in the 1930s. The building still has several small art deco conference rooms that reflect the post–World War I era.

Before the diplomatic conference convened in 1932, Albert Einstein, the greatest scientist of his age, proffered a warning that fell on deaf ears. Technology advances, he cautioned, “could have made human life carefree and happy if the development of the organizing power of man had been able to keep step with his technical advances.”35 Instead, “the hardly bought achievements of the machine age in the hands of our generation are as dangerous as a razor in the hands of a three-year-old child.” The conference in Geneva ended in failure, and before the end of the decade, that failure had translated into unimaginable global devastation.