PRISM and other federal surveillance programs could end up costing the U.S. cloud-computing industry billions of dollars, suggested a recent report from the Information Technology & Innovation Foundation.
Such concerns are again at the forefront after a small encrypted-email provider, Lavabit, announced that it would shut down in response to government pressure; a few hours after that announcement, IT security firm Silent Circle told the world that it would stop supporting its own encrypted mail service. Both companies were small, and many people had never heard of them before this week—but if their respective shutdowns are the start of a larger trend, it could shake the cloud-computing and online data-storage industry to its core.
Some of the biggest cloud companies are based in the United States, and many of them made a big show of pushing back against the federal government after The Guardian newspaper published documents (provided by whistleblower Edward Snowden) suggesting that the NSA’s top-secret PRISM program had a tunnel directly into their user databases. Given the thousands of companies that rely on those big IT vendors for everything from email to document storage, it’s perhaps surprising that there hasn’t been more protest—but at some point, more security-conscious companies could start indicating their displeasure with their wallets.
This holds doubly true for companies outside the United States, which may not feel as bound to cloud providers based in this country. “If European cloud customers cannot trust the United States government, then maybe they won’t trust U.S. cloud providers either,” Neelie Kroes, European Commissioner for Digital Affairs, wrote in a statement included in the Information Technology & Innovation Foundation’s report. “If I am right, there are multibillion-Euro consequences for American companies. If I were an American cloud provider, I would be quite frustrated with my government right now.”
As an executive with the European Commission, Kroes has a vested interest in seeing European companies succeed in the open marketplace, even if that comes at the expense of American firms; but competitive dynamics aside, her statement hints at a broader truth: so much of the so-called “cloud industry” is built on the trust that, once your data is uploaded to a provider, that provider won’t turn around and expose the data to a third party without your consent.
If paranoid companies begin pulling their data from U.S. cloud computing providers, the report estimates, it could cost the latter between $21.5 billion and $35.0 billion over the next three years. That’s a huge number (and a scary one, for cloud providers), but it’s also based on relatively thin data: some 10 percent of respondents to a Cloud Security Alliance survey said they would cancel a project with a U.S.-based cloud computing provider if questions over security arose, a number that the report’s authors used to create their low-end estimate.
As the report acknowledges, shifting data from a U.S. cloud provider to one headquartered in another country wouldn’t necessarily make things any safer for the client. “The reality is that most developed countries have mutual legal assistance treaties (MLATs) which allow them to access data from third parties whether or not the data is stored domestically,” it concluded.
In theory, the U.S. government could declassify at least some of its data-collecting methods; making its processes transparent would probably go a long way toward easing companies’ blooming paranoia. But it’s also highly unlikely that the government will ever take those sorts of steps—intelligence officials routinely argue that any sort of insight into data-gathering processes constitutes a national security risk.
In other words, it’s wait-and-see time: will more companies decide to take even more extreme steps to protect their data? Will cloud providers begin modifying service or shutting down in order to blunt any perception that they’re somehow beholden to the U.S. government? Will all this controversy ultimately harm the cloud-computing industry?
Then again, given how the tech industry has emphasized online services as the best way to do things, do companies have any choice but to embrace the cloud for their needs—even if some entity is watching their every move?