Of all the bummers to emerge from the ongoing Snowden/NSA saga, surely the most distressing is the prospect of US tech companies losing billions of dollars in profits as their customers lose trust that their data will remain ‘private’. Read this report from the Information Technology & Innovation Foundation and weep, as it’s (not particularly rigorously) projected that the US cloud computing industry will lose between $21.5 and $35.0 to mostly EU cloud computing competitors due to revelations about the NSA PRISM program.
But there may be a crack of light shining through the darkness: according to a story in the Financial Times (login needed), Microsoft is breaking from the pack and planning to differentiate its services by allowing foreign customers to store their data on servers outside of the US. Details don’t seem to yet be forthcoming. Just how “local” will your servers be? If you insist on local servers, just how much redundancy will be able to be built into your “cloud”? After all, that’s part of the attraction of the cloud: your data is just out there, hopefully on a bunch of redundant, geographically dispersed servers. And how, exactly, even if the servers are local, can one guarantee that your data, going from point A to Z, won’t traverse a line that the NSA has access to? The internet is anarchic that way, and you don’t have a lot of control once your data leaves your network.
Not to mention that there are plenty of other countries around the world, many of them in the EU, who have capable signals intelligence agencies of their own. What about them? And let’s not forget…the companies themselves have your data, and even if they don’t violate your privacy and use it themselves, there is plenty of evidence that large companies aren’t great at keeping your data safe from thieves.
We’ve had a long, pretty narrowly circumscribed conversation about specific programs at one intelligence agency, so I suppose it shouldn’t surprise when neat, clean “fixes” are presented. It’s certainly good marketing: Microsoft gets to look like a privacy champion, differentiate itself from its competitors, and maybe claw back some of that revenue that would have otherwise gone to a European company. What of actual substance is to be done is unclear, and I suspect will remain so.
I wouldn’t be surprised if other US companies started to make similar offerings. As an industry they may even create some sort of seal or certification: “Guaranteed NSA Free!”. It’ll be very comforting, but fuzzy in its details. What I don’t expect is anything to fundamentally change behind the scenes.
This piece in the BITS blog at the New York Times about the recent RSA security conference is amusing, particularly the section “Danke, Edward Snowden”:
German executives and intelligence officials called Mr. Snowden a hero and said his disclosures had been a boon for business, as N.S.A. suspicions prompted global companies to look for alternatives to American products and services. One German executive said that many clients who had considered moving their services to the cloud were now looking to store their data on hardware inside Germany, given that “the U.S. owns the cloud.”
This must be one of those serendipitous moments when principles intersect with pecuniary interests. But, sure enough, some folks come along to rain on the parade:
But American officials were quick to rebut the idea that foreign data would be more secure outside American borders. “There’s a big call for data localization,” said Richard A. Clarke, the former United States counterterrorism czar. He pointed to the announcement this week between the European Union and Brazil that they would run a new undersea fiber-optic cable between Brazil and Portugal to thwart American spying.
“First of all, who doesn’t think the U.S. can’t listen in?” Mr. Clarke said. “Could it possibly be that these countries are trying to take business away from U.S. carriers?”
Michael V. Hayden, the former head of the N.S.A., said on a panel that Germany’s criticism of the United States intelligence community was hypocritical given European nations’ own cyberespionage programs.