Tools and Weapons: The Promise and the Peril of the Digital Age

by Brad Smith

Unlike oil, data has become a renewable resource that we humans can create ourselves. This decade will end with almost 25 times as much digital data as when it began.

Since the dawn of time, any tool can be used for good or ill. Even a broom can be used to sweep the floor or hit someone over the head. The more powerful the tool, the greater the benefit or damage it can cause. While sweeping digital transformation holds great promise, the world has turned information technology into both a powerful tool and a formidable weapon.

The time has come to recognize a basic but vital tenet: When your technology changes the world, you bear a responsibility to help address the world that you have helped create. This might seem uncontroversial, but not in a sector long focused obsessively on rapid growth, and sometimes on disruption as an end in itself. In short, companies that create technology must accept greater responsibility for the future.

Put simply, governments need to move faster and start to catch up with the pace of technology.

The courts ruled in Wilkes’s favor. Upending literally centuries of power exercised by the King and his men, the courts required that the authorities have greater probable cause to support a search, and even then, that they do so in a more limited manner. The British press hailed the rulings, citing the famous phrase that every Englishman’s “house is his castle, and is not liable to be searched, nor his papers pried into, by the malignant curiosity of the King’s messengers.”11 In important respects, John Wilkes’s lawsuits marked the birth of modern-day privacy rights. These rights were the envy of free people, including the British colonists living in North America.

The Supreme Court in the 1800s had no trouble finding that people still had a right to privacy in their sealed letters.19 As a result, the Fourth Amendment applies and the government cannot open an envelope and look inside without a search warrant based on probable cause, even though the government’s postal service is in possession of that envelope.

Over the centuries, the courts looked at whether people had a “reasonable expectation of privacy” and considered what it meant when you stored your information with someone else. Put simply, if it was in something like a locked storage container and the key was inaccessible to others, then judges concluded that there was such an expectation and the Fourth Amendment applied. But if you stored your documents in a box of files that was stacked next to other people’s boxes where people could come and go, then the police didn’t need a search warrant. This was because the courts concluded that you had abandoned your reasonable expectation of privacy under the Fourth Amendment.20 Today’s fortified data centers with redundant layers of physical and digital security seem to adequately qualify for a locked storage container.

we assembled a team that developed what would become four principles that we would call our “cloud commitments”: privacy, security, compliance, and transparency. I loved pointing out to the company’s marketing leaders that the lawyers had found a way to take a complicated topic and reduce it to four words. Not surprisingly, they were quick to point out that this was a first.

In 2013, we stated publicly that we would notify our business and government customers if we received legal orders for their data.13 If a gag order prohibited us from telling them, we’d challenge the order in court. We’d also direct government agencies to go straight to our customers for information or data about one of their employees—just as they did before these customers moved to the cloud. And we’d go to court to make it stick.

While the Fourth Amendment was adopted to protect people in their homes, Roberts explained that modern phones “typically expose to the government far more than the most exhaustive search of a house: A phone not only contains in digital form many sensitive records previously found in the home; it also contains a broad array of private information never found in a home in any form.”17 Hence the Fourth Amendment applied. We cheered when we read what Roberts wrote next. For the first time, the Supreme Court in effect addressed the files stored in our data centers,

The pressure to put data centers in more countries is giving rise to what rapidly is becoming one of the world’s most important human rights issues. With everyone’s personal information stored in the cloud, an authoritarian regime bent on broad surveillance can unleash draconian demands to monitor not only what people are communicating, but even what they’re reading and watching online. And armed with this knowledge, governments can prosecute, persecute, or even execute those individuals they consider threats. This is a fundamental fact of life that everyone who works in the tech sector needs to remember every day. We’re fortunate to work in one of the most lucrative economic sectors of our lifetime. But the money at stake pales in comparison to the responsibility we have for people’s freedom and lives. For this reason, every decision to put a Microsoft data center in a new country requires a detailed human rights assessment.

By midday, our security team concluded that newer Windows machines were protected against the attack by a patch we had released two months earlier, but older machines running Windows XP were not. This was not a small problem. There were still more than a hundred million computers in the world running Windows XP. For years we had tried to persuade customers to upgrade their machines and install a newer version of Windows. As we pointed out, Windows XP had been released in 2001, six years before the first Apple iPhone and six months before the first iPod. While we could release patches for specific vulnerabilities, there was no way technology this old could keep pace with current security threats. Expecting sixteen-year-old software to defend against today’s military-grade attacks was like digging trenches to defend against missiles.

“Every organization has at least one employee who will click on anything.” The technique takes advantage of human curiosity, as well as people’s carelessness. As we analyzed hackers’ activities, we found that the first thing they often did when they successfully penetrated an email account was search for the keyword password.

In ordinary times, there would have been a strong and unified response from the United States and its NATO allies. But this was no ordinary time. Because the incidents in the United States became so intricately bound with the perceived legitimacy of the 2016 presidential election, all potential bipartisan discussion went out the window.

We had recently watched Strontium as it had created six websites that clearly targeted American politicians. Three were focused on the US Senate, and two others were particularly noteworthy. One of these appeared to target the International Republican Institute, or IRI, which was a leading Republican organization that supported democratic principles around the world. The other appeared to target the Hudson Institute, a conservative think tank that had objected strongly to a variety of Russian policies and tactics. Put together, these provided a solid indication that Strontium was not targeting Democrats alone and instead was focusing on both sides of the American political aisle.

By manipulating American-made technology, the Russians were able to reach into and stir the US political pot. This foreign influence spilled over into the real world, notably during the IRA’s successful effort in 2016 to organize a synchronized protest and counterprotest in Houston.11 Neighbors shouted at neighbors, unknowingly egged on by people in Saint Petersburg, Russia.

No one at the company—or in the tech sector or the US government, for that matter—had anticipated such a phenomenon until Russia turned Facebook against the very country that had given it life.

While the concerns were understandable, I was increasingly exasperated by the discussion. Everyone was pointing a finger at Facebook, but no one was pointing a finger at the prime culprit. It was like yelling at the person who forgot to lock the door without talking about the thief who broke in. The bigger question for Facebook, the United States, the world’s democratic republics, and the entire tech sector was what to do. The reaction of some in government was to cast blame on Facebook and other social media companies, insisting that they solve the problem. While the companies who invented this technology indeed held much of the responsibility, such an approach seemed incomplete. The answer would require a mix of action by governments and by the tech sector itself.

As Kevin Roose wrote in the New York Times, the horrific terrorist slaying of fifty-one innocent Muslims on March 15 in two mosques in Christchurch, New Zealand, in some ways “felt like a first—an internet-native mass shooting, conceived and produced entirely within the irony-soaked discourse of modern extremism.”

New Zealand’s Prime Minister, Jacinda Ardern, who had handled the shock and crisis with extraordinary judgment and grace, had given a speech that captured a marked shift toward social media. “We cannot simply sit back and accept that these platforms just exist and that what is said on them is not the responsibility of the place where they are published,” she said.19 She then referred to social media sites even more emphatically, “They are the publisher, not just the postman. It cannot be a case of all profit, no responsibility.”20

As radios became ubiquitous in the latter half of the 1930s, concerns about its societal impact spread. As noted in a 2010 article in Slate, “The wireless was accused of distracting children from reading and diminishing performance in school,

As Pickard observes, “This criticism took shape across grassroots social movements, commentary from varied newspapers and opinion journals, as well as hundreds of letters from average listeners to editors, broadcasters, and the FCC.”26 Impatience reached a peak, leading the Federal Communications Commission in 1946 to publish its Blue Book, a report named after its blue cover that sought to make “the privilege of holding broadcast licenses contingent upon meeting substantive public interest requirements.”27 Commercial broadcasters unleashed a political backlash against the report and defeated its proposals, but the episode nonetheless altered broadcasting history, causing the major radio networks to fund documentaries and improve their public interest programming.28 Some might look at the revolt against radio and find in this history reason to believe that a challenge to social media might similarly represent a passing political moment, unlikely to lead to lasting regulatory change.

If there was any doubt about this latter aspect, it was quickly laid to rest by events in Australia that followed the attack in Christchurch, New Zealand. Within less than a month, the Australian government passed a new law requiring social media and similar sites to “expeditiously” remove “abhorrent violent material” or risk criminal penalties

There remains a big difference, however, between needing something new and knowing precisely what’s needed. It seems impossible for social media sites to follow the pre-publication editorial review processes that are used by traditional print, radio, or television outlets.

Interestingly, the same approach is used by a nongovernment initiative launched by two prominent Americans from the media sector—one a conservative and the other a liberal. Gordon Crovitz is the former publisher of the Wall Street Journal and Steven Brill is a former journalist who founded The American Lawyer and Court TV. Together they created NewsGuard, a service that relies on journalists to create what they call “nutrition labels” for the media.

Interestingly, foreign interference in democracy is almost as old as the United States itself. A democratic republic by its very nature is subject to disruption—both foreign and domestic—by efforts to disrupt confidence and sway public opinion. The first person to realize this was an early French ambassador to the United States named Edmond Charles Genêt. He arrived in America in early April 1793, just a few weeks before President George Washington officially declared the United States’ neutrality in the expanding war between France and the United Kingdom. Genêt was on a mission to tip the young republic toward supporting France, including by persuading the United States to accelerate the repayments of its debt to his country and by enabling attacks on British shipping by armed privateers operating from US ports. If required, he was prepared to spark an attempt to overthrow the country’s young government. Genêt’s arrival sparked increasing tension within Washington’s cabinet, with Thomas Jefferson sympathetic to the French and Alexander Hamilton sympathetic to the British. Genêt sought to appeal directly to the American public for his cause, a move that, in the words of one historian, did more than spark the origins of our two-party system. “Political dialogue was impassioned, street brawls were not uncommon, and old friendships were severed.”35 In 1793, Washington and the members of his cabinet overcame their differences and united in demanding Genêt’s recall to France.36...

It was against this backdrop and continuing French attempts to tamper with American politics that Washington used his farewell address in 1796 to warn against the risks of foreign influence. “A free people,” he said, “ought to be constantly awake, since history and experience prove that foreign influence is one of the most baneful foes of republican government.”

The United States government itself has used information technology to inform and even persuade the public in other countries to support certain stances. Some of this has been clandestine; many in the United States today would reject some of the steps taken by the CIA in Europe and Latin America in the 1950s. But others have been out in the open, including Radio Free Europe during the Cold War and today’s Voice of America. The United States as a nation has been comfortable using technology to spread information to seed and advance democracy. But now technology is being used to spread disinformation and disrupt democracy. At one level, we can divide these activities into separate categories based on principles that we connect with fundamental human rights. But at another level, realpolitik has changed in a critical respect. Until recently, communications technologies seemed to favor democracy and put authoritarianism on the defense. Now we must ask whether the internet has created an asymmetric technology risk for democracies that authoritarian governments can counteract more readily than the republican form of government that Franklin’s words urge us to protect. The answer is probably yes.

The Danish foreign minister, Anders Samuelsen, had proclaimed the position “a world first” and a necessity, stating that tech companies affect Denmark as much as countries do. “These companies have become a type of new nation and we need to confront that.”1 While Denmark was the first country to name a formal ambassador to liaise with the tech sector, the country’s decision followed a similar step by the British government. In 2014, Prime Minister David Cameron created a position in his office for a special diplomatic role, initially to address law enforcement technology issues and then to serve as “special envoy to US technology companies.”

Railroads were America’s first big business, crossing state lines with thousands of miles of track, and they sparked a surge of regulation and laws governing commerce, patents, property, and labor.

In 2016, a mantra, “There’s no national security without cybersecurity,”4 took hold within Microsoft and started to seep into the public discussion.

We needed to prop the cybersecurity stool with a third important leg: stronger international rules and coordinated diplomatic action to restrain cyberthreats and help galvanize the international community to pressure governments to stop indiscriminate cyberattacks. Until there was a greater degree of global accountability, we worried that it was too easy for governments to deny any wrongdoing.

In Washington, DC, those most bothered by the idea of a Digital Geneva Convention were often officials who had played a leading role in developing the nation’s offensive cyber capabilities. They argued that rules restricting the use of cyber capabilities would hold back governments like the United States. We pointed out that the US government already stood against the use of cyberattacks against civilians in times of peace, which was the area we were trying to restrict. And more broadly, the history of weapons technology showed that even if the United States was in a leadership position today, other nations would catch up soon. They pointed out that if we created stronger rules and the United States followed them, the country’s adversaries would not. But we believed international rules could nonetheless help put greater pressure on all countries, including by creating the moral and intellectual foundation needed for more coordinated international responses to cyberattacks. After all, it was even harder to restrain conduct if it violated no rules in the first place.

one Trump adviser challenged me on a trip to Washington, DC, “As an American company, why won’t you agree to help the US government spy on people in other countries?” I pointed out that Trump Hotels had just opened a new property in the Middle East as well as down the street on Pennsylvania Avenue. “Are these hotels going to spy on people from other countries who stay there? It doesn’t seem like it would be good for the family business.” He nodded.

But as one study concluded just as the Cold War was ending, agreements to control weapons so they are not used—as distinct from eliminating them entirely—“may, in the end, be better, if only because its prospects for success are greater.”18 It’s perhaps this concept, as much as anything else, that has animated the efforts of international legal experts to define international norms that limit the way cyberweapons can be used.19 Another repeated lesson from the history of arms control is also applicable: Governments will sometimes seek to evade international agreements if they can, so there need to be effective ways to monitor compliance and hold violators accountable. This speaks directly to one of the biggest challenges for controlling cyberweapons. Governments not only perceive them as useful but also uniquely easy to use in a manner that evades detection. As David Sanger of the New York Times has put it, this unfortunately makes them “the perfect weapon.”20

When we unveiled the Cybersecurity Tech Accord in April 2018, thirty-four companies signed on.23 It was more than enough to generate momentum. By May 2019, the group had more than one hundred companies from more than twenty countries, and it was putting the accord into action by endorsing practical steps to strengthen cybersecurity protection.

While in Tokyo in July 2018, we met with senior executives at Hitachi, which wanted to be the first large Japanese signatory. When we arrived at their headquarters to seal their approval, they were quick to say, “We were attacked by WannaCry. We thought about staying silent, but we realized that we’ll never solve this problem if we don’t stand up together and do something like this.” This was in fact the whole point. I was struck by the fact that a long-standing Japanese technology company in a sector that had a reputation for being more conservative than American companies was willing to stand up at a time when companies like Google, Apple, and Amazon were still sitting down.

Ironically and in our view unfortunately, the Paris Call garnered all this support without the backing of the United States government, which didn’t sign the declaration in Paris. Although we originally were hopeful that Washington would sign on, it became apparent a month before the Paris meetings that the U.S. government wasn’t ready to take a position one way or another. The political winds among some on the White House staff were not blowing in favor of multilateral initiatives,

On May 15, two months to the day after the horrific attacks in New Zealand, Ardern joined Macron in Paris with eight other government leaders to launch the “Christchurch Call to Action.” Its text addresses terrorist and violent extremist content online through commitments by governments and tech companies to act both separately and together.

Launched just a little more than six months apart, the Paris and Christchurch calls highlight the progress the world can make by advancing what Casper Klynge likes to call “techplomacy.” Instead of relying on governments alone, a new approach to multi-stakeholder diplomacy brings governments, civil society, and tech companies together.

one of the most successful recent initiatives was the International Campaign to Ban Landmines in the 1990s. The latter campaign started with six nongovernmental organizations in 1992 and grew to involve roughly 1,000 such NGOs from sixty countries.30 The group “successfully reframed landmines into a humanitarian and moral issue rather than a purely military matter” and, with support from the Canadian government, took its campaign to an ad hoc forum that adopted “a landmine-ban treaty in December 1997, barely five years after the campaign for a ban was initiated.”31

in 1932, Albert Einstein, the greatest scientist of his age, proffered a warning that fell on deaf ears. Technology advances, he cautioned, “could have made human life carefree and happy if the development of the organizing power of man had been able to keep step with his technical advances.”35 Instead, “the hardly bought achievements of the machine age in the hands of our generation are as dangerous as a razor in the hands of a three-year-old child.” The conference in Geneva ended in failure, and before the end of the decade, that failure had translated into unimaginable global devastation. Einstein’s words speak to the crux of today’s challenge. As technology continues to advance, can the world control the future it is creating? Too often, wars have resulted from humanity’s failure to keep pace with innovation, doing too little too late to manage new technology. As emerging tech such as cyberweapons and artificial intelligence become more powerful, our generation will be put to this test yet again.

This is the critical reliance of the US economy on the ability of American firms to move data to and from other countries. In the world today, one can debate whether to construct an immigration wall to stem the flow of people. But no nation can tolerate a barrier that stops the international flow of data.

The GDPR is different from many government regulations. Most of the time, a regulation tells a company what it cannot do. For example, don’t include misleading statements in your advertisements. Or don’t put asbestos in your buildings. The fundamental philosophy of a free market economy encourages business innovation, with regulation putting certain conduct off-limits but otherwise leaving companies broad freedom to experiment. One of the biggest features in the GDPR is in effect a privacy bill of rights. By giving consumers certain rights, it requires that companies not just avoid certain practices but create new business processes. For example, companies with personal information are required to enable consumers to access it. Customers have a right to know what information a company has about them.

In March 2018, the privacy equivalent of Three Mile Island arrived when the Cambridge Analytica controversy exploded.

“I live in a highly regulated world,” he said, referring to the accepted regulation and building codes that govern real estate. “It’s healthy. The law needs to catch up with tech or people will just continue to push the boundaries.”

We quickly learned that American consumers were even more interested in putting these rights to work than Europeans, validating our sense that the arc of American history would ultimately bend toward the adoption of privacy rights in the United States.16

At the last possible minute, the legislature adopted the California Consumer Privacy Act of 2018, and Governor Jerry Brown quickly signed the measure. It was the strongest privacy law in the history of the United States. Like the GDPR, it gives the Golden State’s residents the right to know what data companies are collecting on them, to say no to its sale, and to hold firms accountable if they don’t protect personal data.

The combination of the efforts of Max Schrems and Alastair Mactaggart reveals several important lessons for the future. First, it’s hard to believe privacy will ever die the quiet death that some in the tech sector predicted a decade or two ago.

we’re already hearing concerns that people lack the time to review all the data that the GDPR is making available online. This is likely to prompt a new wave of governmental rules to regulate how data can be collected and used.