N.S.A. Able to Foil Basic Safeguards of Privacy on Web


The National Security Agency is winning its long-running secret war on encryption, using supercomputers, technical trickery, court orders and behind-the-scenes persuasion to undermine the major tools protecting the privacy of everyday communications in the Internet age, according to newly disclosed documents.
This article has been reported in partnership among The New York Times, The Guardian and ProPublica based on documents obtained by The Guardian. For The Guardian: James Ball, Julian Borger, Glenn Greenwald. For The New York Times: Nicole Perlroth, Scott Shane. For ProPublica: Jeff Larson.

The agency has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, the documents show.
Many users assume — or have been assured by Internet companies — that their data is safe from prying eyes, including those of the government, and the N.S.A. wants to keep it that way. The agency treats its recent successes in deciphering protected information as among its most closely guarded secrets, restricted to those cleared for a highly classified program code-named Bullrun, according to the documents, provided by Edward J. Snowden, the former N.S.A. contractor.
Beginning in 2000, as encryption tools were gradually blanketing the Web, the N.S.A. invested billions of dollars in a clandestine campaign to preserve its ability to eavesdrop. Having lost a public battle in the 1990s to insert its own “back door” in all encryption, it set out to accomplish the same goal by stealth.
The agency, according to the documents and interviews with industry officials, deployed custom-built, superfast computers to break codes, and began collaborating with technology companies in the United States and abroad to build entry points into their products. The documents do not identify which companies have participated.
The N.S.A. hacked into target computers to snare messages before they were encrypted. In some cases, companies say they were coerced by the government into handing over their master encryption keys or building in a back door. And the agency used its influence as the world’s most experienced code maker to covertly introduce weaknesses into the encryption standards followed by hardware and software developers around the world.
“For the past decade, N.S.A. has led an aggressive, multipronged effort to break widely used Internet encryption technologies,” said a 2010 memo describing a briefing about N.S.A. accomplishments for employees of its British counterpart, Government Communications Headquarters, or GCHQ. “Cryptanalytic capabilities are now coming online. Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable.”
When the British analysts, who often work side by side with N.S.A. officers, were first told about the program, another memo said, “those not already briefed were gobsmacked!”
An intelligence budget document makes clear that the effort is still going strong. “We are investing in groundbreaking cryptanalytic capabilities to defeat adversarial cryptography and exploit Internet traffic,” the director of national intelligence, James R. Clapper Jr., wrote in his budget request for the current year.
In recent months, the documents disclosed by Mr. Snowden have described the N.S.A.’s reach in scooping up vast amounts of communications around the world. The encryption documents now show, in striking detail, how the agency works to ensure that it is actually able to read the information it collects.
The agency’s success in defeating many of the privacy protections offered by encryption does not change the rules that prohibit the deliberate targeting of Americans’ e-mails or phone calls without a warrant. But it shows that the agency, which was sharply rebuked by a federal judge in 2011 for violating the rules and misleading the Foreign Intelligence Surveillance Court, cannot necessarily be restrained by privacy technology. N.S.A. rules permit the agency to store any encrypted communication, domestic or foreign, for as long as the agency is trying to decrypt it or analyze its technical features.
The N.S.A., which has specialized in code-breaking since its creation in 1952, sees that task as essential to its mission. If it cannot decipher the messages of terrorists, foreign spies and other adversaries, the United States will be at serious risk, agency officials say.
Just in recent weeks, the Obama administration has called on the intelligence agencies for details of communications by leaders of Al Qaeda about a terrorist plot and of Syrian officials’ messages about the chemical weapons attack outside Damascus. If such communications can be hidden by unbreakable encryption, N.S.A. officials say, the agency cannot do its work.
But some experts say the N.S.A.’s campaign to bypass and weaken communications security may have serious unintended consequences. They say the agency is working at cross-purposes with its other major mission, apart from eavesdropping: ensuring the security of American communications.
Some of the agency’s most intensive efforts have focused on the encryption in universal use in the United States, including Secure Sockets Layer, or SSL; virtual private networks, or VPNs; and the protection used on fourth-generation, or 4G, smartphones. Many Americans, often without realizing it, rely on such protection every time they send an e-mail, buy something online, consult with colleagues via their company’s computer network, or use a phone or a tablet on a 4G network.
For at least three years, one document says, GCHQ, almost certainly in collaboration with the N.S.A., has been looking for ways into protected traffic of popular Internet companies: Google, Yahoo, Facebook and Microsoft’s Hotmail. By 2012, GCHQ had developed “new access opportunities” into Google’s systems, according to the document. (Google denied giving any government access and said it had no evidence its systems had been breached.)
“The risk is that when you build a back door into systems, you’re not the only one to exploit it,” said Matthew D. Green, a cryptography researcher at Johns Hopkins University. “Those back doors could work against U.S. communications, too.”
Paul Kocher, a leading cryptographer who helped design the SSL protocol, recalled how the N.S.A. lost the heated national debate in the 1990s about inserting into all encryption a government back door called the Clipper Chip.
“And they went and did it anyway, without telling anyone,” Mr. Kocher said. He said he understood the agency’s mission but was concerned about the danger of allowing it unbridled access to private information.
“The intelligence community has worried about ‘going dark’ forever, but today they are conducting instant, total invasion of privacy with limited effort,” he said. “This is the golden age of spying.”
A Vital Capability
The documents are among more than 50,000 shared by The Guardian with The New York Times and ProPublica, the nonprofit news organization. They focus on GCHQ but include thousands from or about the N.S.A.
Intelligence officials asked The Times and ProPublica not to publish this article, saying it might prompt foreign targets to switch to new forms of encryption or communications that would be harder to collect or read. The news organizations removed some specific facts but decided to publish the article because of the value of a public debate about government actions that weaken the most powerful privacy tools.
The files show that the agency is still stymied by some encryption, as Mr. Snowden suggested in a question-and-answer session on The Guardian’s Web site in June.
“Properly implemented strong crypto systems are one of the few things that you can rely on,” he said, though cautioning that the N.S.A. often bypasses the encryption altogether by targeting the computers at one end or the other and grabbing text before it is encrypted or after it is decrypted.
The documents make clear that the N.S.A. considers its ability to decrypt information a vital capability, one in which it competes with China, Russia and other intelligence powers.
“In the future, superpowers will be made or broken based on the strength of their cryptanalytic programs,” a 2007 document said. “It is the price of admission for the U.S. to maintain unrestricted access to and use of cyberspace.”
The full extent of the N.S.A.’s decoding capabilities is known only to a limited group of top analysts from the so-called Five Eyes: the N.S.A. and its counterparts in Britain, Canada, Australia and New Zealand. Only they are cleared for the Bullrun program, the successor to one called Manassas — both names of an American Civil War battle. A parallel GCHQ counterencryption program is called Edgehill, named for the first battle of the English Civil War of the 17th century.
Unlike some classified information that can be parceled out on a strict “need to know” basis, one document makes clear that with Bullrun, “there will be NO ‘need to know.’ ”
Only a small cadre of trusted contractors were allowed to join Bullrun. It does not appear that Mr. Snowden was among them, but he nonetheless managed to obtain dozens of classified documents referring to the program’s capabilities, methods and sources.
Ties to Internet Companies
When the N.S.A. was founded, encryption was an obscure technology used mainly by diplomats and military officers. Over the last 20 years, it has become ubiquitous. Even novices can tell that their exchanges are being automatically encrypted when a tiny padlock appears next to a Web address.
Because strong encryption can be so effective, classified N.S.A. documents make clear, the agency’s success depends on working with Internet companies — by getting their voluntary collaboration, forcing their cooperation with court orders or surreptitiously stealing their encryption keys or altering their software or hardware.
According to an intelligence budget document leaked by Mr. Snowden, the N.S.A. spends more than $250 million a year on its Sigint Enabling Project, which “actively engages the U.S. and foreign IT industries to covertly influence and/or overtly leverage their commercial products’ designs” to make them “exploitable.” Sigint is the acronym for signals intelligence, the technical term for electronic eavesdropping.
By this year, the Sigint Enabling Project had found ways inside some of the encryption chips that scramble information for businesses and governments, either by working with chipmakers to insert back doors or by exploiting security flaws, according to the documents. The agency also expected to gain full unencrypted access to an unnamed major Internet phone call and text service; to a Middle Eastern Internet service; and to the communications of three foreign governments.
In one case, after the government learned that a foreign intelligence target had ordered new computer hardware, the American manufacturer agreed to insert a back door into the product before it was shipped, someone familiar with the request told The Times.
The 2013 N.S.A. budget request highlights “partnerships with major telecommunications carriers to shape the global network to benefit other collection accesses” — that is, to allow more eavesdropping.
At Microsoft, as The Guardian has reported, the N.S.A. worked with company officials to get pre-encryption access to Microsoft’s most popular services, including Outlook e-mail, Skype Internet phone calls and chats, and SkyDrive, the company’s cloud storage service.
Microsoft asserted that it had merely complied with “lawful demands” of the government, and in some cases, the collaboration was clearly coerced. Some companies have been asked to hand the government the encryption keys to all customer communications, according to people familiar with the government’s requests.
N.S.A. documents show that the agency maintains an internal database of encryption keys for specific commercial products, called a Key Provisioning Service, which can automatically decode many messages. If the necessary key is not in the collection, a request goes to the separate Key Recovery Service, which tries to obtain it.
How keys are acquired is shrouded in secrecy, but independent cryptographers say many are probably collected by hacking into companies’ computer servers, where they are stored. To keep such methods secret, the N.S.A. shares decrypted messages with other agencies only if the keys could have been acquired through legal means. “Approval to release to non-Sigint agencies,” a GCHQ document says, “will depend on there being a proven non-Sigint method of acquiring keys.”
Simultaneously, the N.S.A. has been deliberately weakening the international encryption standards adopted by developers. One goal in the agency’s 2013 budget request was to “influence policies, standards and specifications for commercial public key technologies,” the most common encryption method.
Cryptographers have long suspected that the agency planted vulnerabilities in a standard adopted in 2006 by the National Institute of Standards and Technology and later by the International Organization for Standardization, which has 163 countries as members.
Classified N.S.A. memos appear to confirm that the fatal weakness, discovered by two Microsoft cryptographers in 2007, was engineered by the agency. The N.S.A. wrote the standard and aggressively pushed it on the international group, privately calling the effort “a challenge in finesse.”
“Eventually, N.S.A. became the sole editor,” the memo says.
Even agency programs ostensibly intended to guard American communications are sometimes used to weaken protections. The N.S.A.’s Commercial Solutions Center, for instance, invites the makers of encryption technologies to present their products to the agency with the goal of improving American cybersecurity. But a top-secret N.S.A. document suggests that the agency’s hacking division uses that same program to develop and “leverage sensitive, cooperative relationships with specific industry partners” to insert vulnerabilities into Internet security products.
By introducing such back doors, the N.S.A. has surreptitiously accomplished what it had failed to do in the open. Two decades ago, officials grew concerned about the spread of strong encryption software like Pretty Good Privacy, designed by a programmer named Phil Zimmermann. The Clinton administration fought back by proposing the Clipper Chip, which would have effectively neutered digital encryption by ensuring that the N.S.A. always had the key.
That proposal met a backlash from an unlikely coalition that included political opposites like Senator John Ashcroft, the Missouri Republican, and Senator John Kerry, the Massachusetts Democrat, as well as the televangelist Pat Robertson, Silicon Valley executives and the American Civil Liberties Union. All argued that the Clipper would kill not only the Fourth Amendment, but also America’s global technology edge.
By 1996, the White House backed down. But soon the N.S.A. began trying to anticipate and thwart encryption tools before they became mainstream.
Each novel encryption effort generated anxiety. When Mr. Zimmermann introduced the Zfone, an encrypted phone technology, N.S.A. analysts circulated the announcement in an e-mail titled “This can’t be good.”
But by 2006, an N.S.A. document notes, the agency had broken into communications for three foreign airlines, one travel reservation system, one foreign government’s nuclear department and another’s Internet service by cracking the virtual private networks that protected them.
By 2010, the Edgehill program, the British counterencryption effort, was unscrambling VPN traffic for 30 targets and had set a goal of an additional 300.
But the agencies’ goal was to move away from decrypting targets’ tools one by one and instead decode, in real time, all of the information flying over the world’s fiber optic cables and through its Internet hubs, only afterward searching the decrypted material for valuable intelligence.
A 2010 document calls for “a new approach for opportunistic decryption, rather than targeted.” By that year, a Bullrun briefing document claims that the agency had developed “groundbreaking capabilities” against encrypted Web chats and phone calls. Its successes against Secure Sockets Layer and virtual private networks were gaining momentum.
But the agency was concerned that it could lose the advantage it had worked so long to gain, if the mere “fact of” decryption became widely known. “These capabilities are among the Sigint community’s most fragile, and the inadvertent disclosure of the simple ‘fact of’ could alert the adversary and result in immediate loss of the capability,” a GCHQ document warned.
Since Mr. Snowden’s disclosures ignited criticism of overreach and privacy infringements by the N.S.A., American technology companies have faced scrutiny from customers and the public over what some see as too cozy a relationship with the government. In response, some companies have begun to push back against what they describe as government bullying.
Google, Yahoo, Microsoft and Facebook have pressed for permission to reveal more about the government’s requests for cooperation. One e-mail encryption company, Lavabit, closed rather than comply with the agency’s demands for customer information; another, Silent Circle, ended its e-mail service rather than face such demands.
In effect, facing the N.S.A.’s relentless advance, the companies surrendered.
Ladar Levison, the founder of Lavabit, wrote a public letter to his disappointed customers, offering an ominous warning. “Without Congressional action or a strong judicial precedent,” he wrote, “I would strongly recommend against anyone trusting their private data to a company with physical ties to the United States.”
John Markoff contributed reporting.

Internet outside of Law

Anyone who knows even minimally how criminal justice functions in Brazil cannot be deceived: it is generally slow and run-down. Urgent measures in the civil sphere are more effective in these cases. Anyway, there was an intention to fill a gap in Brazil, already jaded by "popular clamor." In the interpretation and application of this law, legal operators should pay attention to the tacit authorization of breach of confidentiality and of intimacy in the investigation, and anyone can find themselves in this situation. The Act is open to broad interpretation and the penalties are low (usually up to two years), so there is a chance of the statute of limitations running out in most cases. For all these reasons, do not trust the preventive efficacy of this law. Civil protective measures would be more efficient.

Brazilian Professor Kennedy Barreto talks about internet security in his country


Although the internet has been around for a long time, the law, and consequently the courts, cannot seem to follow its evolution with even a minimum of attention. Trying to equate national law with that of other nations distorts the country's own laws and therefore undermines those who have suffered from unlawful acts, because they cannot be compensated at least monetarily, which is one way of trying to minimize their suffering.

Existing technologies do not allow a user to be correctly identified, if necessary, even with the use of the IP addresses that are stored by the companies. It is easy and common for the same address to be used by numerous people, and the existence of servers whose purpose is to hide the actual address of the user is a crucial fact proving that such a feature cannot be used as evidence, but rather only as an indication of authorship.


The lack of standardization and synchronization of dates and times of access also allows misidentification of the person charged, which can lead to injustice and punishment for people who were not involved in the commission of unlawful acts, generating even more controversy about a judicial system lacking good results.

The responsibility of content providers, especially social networks like Orkut, Facebook, Twitter and others, is objective. This is because such companies do not bother to meet the minimum requirements of national laws, not properly identifying users. The argument that storing the IP address is sufficient for correctly identifying them does not hold, and this argument is not accepted even in U.S. courts.

The primary function of such networks is communication among users through texts, images, audio and video, which in itself fully fits the theory of risk and demonstrates the direct relationship between their core activity and the vulnerability of such platforms to users committing unlawful acts. Moreover, the lack of appropriate channels of contact for people who have been victims of these crimes demonstrates that there is no interest, even minimal, in preventing damaging acts or in responding quickly by removing inappropriate content from their systems when a complaint is made.

A serious flaw is the lack of appropriate tools to control the content provided. This is not about censorship of any kind, but about utilities that allow greater control over what is published, avoiding, for example, the acts listed in the Estatuto da Criança e do Adolescente (Statute of the Child and Adolescent), among others. These companies could do this with relative ease, since they already have mechanisms that scan content in order to target it for advertisers, maximizing profit opportunities. Also, there should be professionals tasked with scouring the platform incessantly and checking users' reports, acting as moderators, which already occurs in the vast majority of internet forums.

It seems, therefore, that the Supreme Court was wrong to assert that there is no strict liability of the content provider, in this case such social networks, toward those who have suffered harmful acts, given that there are situations in our laws and doctrine to preclude such responsibility and the risk provided directly by the activity performed, and nor is there a minimally effective way to properly identify the criminal agent, with the aggravating factor that there are no consistent and easy-to-use mechanisms for getting in touch, proving that the real interest of these companies is solely profit.

Kennedy Barreto
kennedybarreto@uol.com.br


Consultant and Professor of Law.

India’s New Age Investor, Inspired To Create A Global Brand

Oct 11th, 2013
India has been referred to as a ‘hotbed’ for social enterprise and startups. Millennials are turning to careers in tech and innovation, launching their own ventures instead of signing up for ‘9-5’ careers.  But the ecosystem to support these entrepreneurs is still very weak in the subcontinent, says Rajesh Sawhney (@rajeshsawney), the former CEO of Reliance Entertainment.  So he’s decided to break away from films and return to tech by building an Indian incubator with global reach.
GSF Accelerator aims to identify the best of India’s tech startups and help them scale and create social impact.
Esha Chhabra (@esh2440), writer and social entrepreneur, caught up with Sawhney about venture capitalists in India, impact investing, and mobile innovation.
Why is the venture capital space in India so lacking? What is holding it back?
The issue is that VCs in India don’t dream big. Initial setbacks have forced many to focus on smaller opportunities and seek average returns rather than funding local innovation.
I believe the VC industry needs to change its mindset and get back to seeking exceptional returns by backing the exceptional ideas of exceptional entrepreneurs.
GSF is partnering with global institutions. Why not just focus on the Indian market?
It’s tempting for many entrepreneurs and investors to focus solely on India because the opportunities are ripe for the picking. However, extending this market to the world is a far greater opportunity.
Technology and the Internet have leveled the playing field for smart entrepreneurs around the world. It’s by no means easy to build global companies, but I believe talented entrepreneurs in India have a chance of succeeding and should seize the opportunity.
India also has a lot to offer the world in terms of innovation. Here are two huge opportunities:
Mobile Digital Economy: In five years, India will become one of the leading “mobile only” digital economies in the world. India has added a billion new mobile phone users since 2000. In the next 5 years, 500 million new Internet users will come online, primarily through smartphones and mobile technology.
Frugal Innovation: Indian entrepreneurs are inherently frugal with resources. As the world adjusts to falling incomes, Indian companies will be called upon to share their innovative solutions and lean business models.
Your focus is on tech-based solutions. Why simply tech?
I believe it’s important to focus on what you are passionate about.  I enjoy working with technology start-ups and leveraging the positive power of technology to find solutions for some of the world’s most pressing challenges.
Is there much interest in impact investing in India?
The impact ecosystem is still nascent in India, but it’s rapidly evolving. In the last five years, we have seen the emergence of specialized venture capitalist/private equity funds in this area. The next stage in the evolution is the formation of seed funds and impact accelerators. My concern is the lack of institutional capital to support an early stage ecosystem as well as the lack of interest from angel investors.
At GSF, we have incubated 25 companies thus far, 20% of which are addressing high impact challenges. We have focused on mobile-based healthcare solutions for rural areas and transportation solutions for densely populated Indian cities.
What do you think about the criticism around the capacity of incubators to create world-class companies?
Relentless experimentation is what leads to innovation, and smart start-up eco-systems reduce the cost of trials to zero and enable this to happen. We shouldn’t fear failure; in fact, we should welcome it.
Like start-ups, many of the incubators themselves will fail. Only a few will become effective at attracting the best talent and building great companies.  At GSF, we obsess about attracting and surrounding ourselves with the smartest people.
What inspires you to tackle this monumental challenge of building India’s start-up scene?
As I mentioned before, the rise of mobile digital economy in India and the emerging world is a huge and transformative opportunity. The second thing is the shifting attitude of Indian young people. In contrast to previous generations, they are willing and able to experiment and take risks. They are smart, globally-connected, aspirational leaders. They inspire me.
The combination of these two realities will open up a new world of possibilities. These possibilities are inspirational to me.
What advice do you give to young Indian entrepreneurs just starting out with their first idea?
  1. Dream big. This world is as much yours as anyone else’s.
  2. Experiment, travel, seek and create new experiences.
  3. “Open your doors” and the world will “open its doors” to you.
What book that you’ve read in the last few years has impacted you and your philosophy?
There are actually two I should mention:
The Hero with a Thousand Faces by Joseph Campbell had a profound impact on my thinking and evolution. It’s a must read for anyone who wants to change the world.
Jitterbug Perfume by Tom Robbins is a fascinating tale of the medieval King Alobar and his quest to stay young forever.

Brazil's Rousseff targets internet companies after NSA spying


SAO PAULO | Thu Sep 12, 2013 7:44pm EDT
(Reuters) - Angered by reports that the U.S. government spied on her and other Brazilians, President Dilma Rousseff is pushing new legislation that would seek to force Google, Facebook and other internet companies to store locally gathered data inside Brazil.
The requirement would be difficult to execute, technology experts say, given high costs and the global nature of the Internet. Still, Rousseff's initiative is one of the most tangible signs of a backlash following revelations that the U.S. National Security Agency monitored emails, phone calls and other communications abroad.
The legislation, which is being written by a lawmaker in Rousseff's left-wing Workers' Party and is scheduled to be completed next week, would force foreign-based internet companies to maintain data centers inside Brazil that would then be governed by Brazilian privacy laws, officials said.
Internet companies operating in Brazil are currently free to put data centers wherever they like. Facebook Inc, for example, stores its global data in the United States and a new complex in Sweden.
Rousseff believes that the change would help shield Brazilians from further U.S. prying into their activities, and she is considering urging other countries to take similar measures when she speaks at the United Nations General Assembly later this month, a senior Brazilian official told Reuters.
"This would be a turning point for these companies," the official said, naming Facebook, Google Inc and Microsoft Corp as examples, although they would not be the only companies affected. "If you want to work here, you will have to obey our rules."
The official spoke on condition of anonymity to frankly discuss Rousseff's plans and the consequences of the law.
The proposal follows a series of media reports based on documents leaked by Edward Snowden, a former NSA contractor who is now in asylum in Russia.
While Brazil is one of several countries named as targets in the documents, the revelations have been especially controversial here because of a long-standing distrust of U.S. spy agencies' activities in Latin America and a report that Rousseff's own communications were compromised.
In another sign of concern from the region, Brazil's Defense Minister Celso Amorim said on Thursday he planned to discuss a plan for bilateral cooperation on cyber defense with Argentina's president, Cristina Fernandez, during a meeting in Buenos Aires.
Alessandro Molon, a legislator in Brazil's house of deputies, was invited to the presidential palace on Tuesday to meet with Rousseff, several ministers and other top aides to discuss the proposed changes to data storage requirements.
Molon has been pushing Congress since 2012 to pass a bill known as the "Internet Constitution." The law would establish Brazil's first legal framework for users' rights online, and among other requirements would force social media companies to delete users' data once they close their profiles.
The president asked Molon to add language to the bill regarding data centers, Molon's spokesman Leonardo Santos said.
Following the meeting, Rousseff's office filed a motion in Wednesday's edition of the government's official gazette that seeks to force Congress to vote on the bill in the next 45 days.
DIFFICULT, BUT MAYBE NOT IMPOSSIBLE
Santos said Molon has been in regular contact with internet companies over the past year and he is aware of the technical challenges posed by Rousseff's request and other provisions.
The proposed changes are "difficult, as they (the companies) say, but I don't know if they're impossible," Santos said.
Santos declined to provide further details of the legislation, such as which types of data would be covered by the law or which categories of companies would be subject to such rules, saying such questions were still under study.
Bill Coughran, a former senior vice president of engineering at Google and now a partner at top-tier venture firm Sequoia Capital, said Brazil would not be able to impose controls on the transport of all data.
A more likely outcome would be less onerous restrictions that keep some data local, which might add to corporate expenses and reduce income while making the consumer experience slightly worse, he said.
"Balkanization would increase the complexity of how you manage your business," Coughran said.
Representatives for Facebook and Microsoft did not immediately respond to requests for comment.
Some European countries already require certain sensitive personal data to be stored locally. Microsoft, Amazon and other big providers of remote computing services have data centers in those countries so their customers can comply with local regulations.
Social media may be more difficult to govern. If a Facebook user in Brazil commented on a French friend's post, for example, it is not clear how that data could stay in Brazil.
Studies suggest building data centers in Brazil is more expensive and logistically difficult than many other countries.
A 2012 report by real estate firm Cushman & Wakefield and hurleypalmerflatt, an engineering consultancy, ranked 30 nations in terms of risks posed to data center operations. Brazil finished in last place, due primarily to high electricity costs, low education levels and a poor environment for doing business.
However, as Latin America's largest economy and home to some of the world's most prolific users of social media, Brazil may be too big for companies to just walk away from if they do not like the legislation.
Brazil's internet penetration rate is 44 percent - half that of the United States - meaning it still has plenty of growth potential.
The new legislation is one of several responses by Rousseff to the reported spying.
She has demanded a detailed account from Washington on the extent of its espionage in Brazil, and said that otherwise she may cancel a planned state visit to Washington next month.
Her government has so far rejected Washington's contention that it gathers intelligence only to guard against threats to U.S. national security. Brazil is a peaceful democracy with no history of international terrorism and no access to weapons of mass destruction.
The senior Brazilian official voiced a belief that the data storage bill would not only work but other countries would follow suit, naming other members of the BRICS bloc of large emerging markets: China, India, Russia and South Africa.
"Once we do it, it will become a standard," the official said.

(Additional reporting by Esteban Israel, Anthony Boadle and Brad Haynes in Brazil, Guido Nejamkis in Argentina and Joseph Menn in San Francisco; Editing by Kieran Murray, Eric Walsh and Mohammad Zargham)