UPDATED 17:35 EDT / JULY 11 2023

SECURITY

Ten years on, Snowden has had tremendous impact – good and bad – on corporate security

Ten years ago, a young man left a nice job, his girlfriend and his home with just his laptops. His fantastic story changed the world and the way we think about our internet privacy.

And today, we are still feeling the impact of the revelations from Edward Snowden contained in thousands of documents he collected from his job as a National Security Agency contractor. The past decade has shown that Snowden’s impact has had a long tail, with both good and bad consequences for business security. Data leaks continue, such as what happened with Facebook whistleblower Frances Haugen back in 2021.

Leaks also continue to plague unprotected cloud storage repositories, which honestly would have happened without Snowden sneaking his infamous USB drive through a security checkpoint. However, the past 10 years have seen a remarkable transformation from ordinary virtual machines to cloud-based containers, increasing the stakes of securing this data.

One of the biggest benefits has been a boon for secure email usage. Snowden made many of us more paranoid and prudent, and willing to put up with the problems and usability issues of encrypting and better securing our emails. That includes the bad guys, who are probably even more motivated to keep their messages private. A report from Flashpoint in July 2016 describes the role encrypted email plays in what it called the Jihadist toolbox.

In this post from last month, I described this trend and the series of secure email protocols that were formulated in the past decade, along with ways to implement them. But like many internet innovations, the protocols are difficult to put into practice and will require lots of attention to the details.

Snowden’s leaks also made us more aware of the lack of data privacy, and it took many years before states began to formulate better laws to protect our privacy, a trend described in detail here. But although the number of individual states with these laws has more than doubled in the past year, their implementation varies, making compliance more difficult for businesses that have a nationwide footprint and must keep track of these changes.

One of the more important changes to data privacy has to do with algorithm transparency. One recent example is the “system cards” that Meta Platforms Inc. implemented last month. These cards describe ways that individuals can fine-tune what shows up in their Facebook and Instagram feeds and how to manipulate the dozens of controls.

Again, this has taken far too long, especially given the various fines and brickbats that Facebook has endured over the Snowden decade. But the system cards are a useful template for other businesses that are concerned about their own algorithm transparency, and they could motivate a movement in the right direction too.

As Snowden was making his revelations, the NSA was in the process of building a huge data center in Bluffdale, Utah, south of Salt Lake City. In fact, it’s next door to one of Meta’s data centers. One of the things stored in both is plenty of metadata — and thanks to Snowden, we now know what that is. Back in 2014, then NSA director Michael Hayden said, “We kill people based on metadata.”

Another sign that metadata has entered the popular lexicon is how frequently the concept has become a plot point in many popular TV shows and movies, everything from “The Good Wife” to the Jason Bourne and other spy-oriented series. And most recently, Massachusetts is considering banning the selling of cellphone location metadata.

These developments have motivated both Apple Inc. and Google LLC to add better privacy controls, both for location collection and other parameters, in their mobile operating systems. Now if only corporate app developers would implement them, and if users would pay attention when installing a new app to understand what data elements it intends to access.

There have been other technologies that arose from the Snowden leaks. One of the more influential for corporate security is Bugcrowd Inc. and similar operations such as HackerOne, both of which promote crowdsourced bug-finding analysis and were founded at the time of those leaks.

Other innovations in threat sharing have gained prominence in the past 10 years as well, including the MITRE ATT&CK framework and Traffic Light Protocols. The former is a living document of threat tactics culled from millions of observations to break down an attack into its components for more careful analysis. The latter is a way for security researchers to collaborate and share threat data. Both have been adopted by numerous security providers, the idea being that the more data is shared amongst defenders, the better the overall chances of stopping attacks will be.

Along with finding bugs, one of the bigger impacts on defensive security is the rise and now fall of virtual private networks, or VPNs. Before Snowden, VPNs were mostly the province of the information technology department and were rarely used universally across the corporate landscape.

Thanks to a combination of paranoia about Snowden’s leaks, widespread sponsorship by nearly every popular YouTube travel blogger, and a forced march to remote work, VPNs gained in popularity. However, their popularity was also their undoing, as more untrusted remote devices joined corporate networks and neutered their protection.

Since those revelations, Snowden has been living in Russia and is now a citizen with a Russian passport. His 2013 girlfriend is now his wife and the couple have two children. He is still a sought-after speaker at various events, and since COVID, it’s common to see many others give remote presentations, and even entire conferences.

So, is Snowden a traitor or a patriot? After 10 years, it is still hard to say. And it may not be the most important point anyway.

When I interviewed Chandler Givens, head of consumer privacy at Avast, back in 2022, he told me that “reasonable minds can differ about the propriety of Snowden’s revelations. What’s indisputable is that his action was a critical event in shaking people awake to the realities of wide-scale data collection, perpetrated both by governments and private companies. In the intervening years since his leak, the perception of privacy has shifted dramatically from a ‘tin-foil hat’ fringe topic to a defining challenge of our generation.”

We have come a long way in 10 years. Some circumstances, such as fighting malware attacks, haven’t changed much, although the attacks have gotten more sophisticated. We have gotten better tools to defend ourselves and our privacy, and the pace of development was hastened by what Snowden did and how he did it.

But governments, the U.S. included, still collect massive amounts of private data every second of every day. That’s one thing that hasn’t changed.

Image: GDJ/Pixabay
