January 27, 2014, 8:43 PM
Following revelations of widespread NSA surveillance, U.S. hosting companies and cloud providers say they now face pressure from international customers to keep data off of U.S. infrastructure – a request many admit is almost impossible to honor.
The same leaks that have put U.S. allies on edge and stoked controversy at home are also creating headaches for U.S. firms that offer Internet-hosted services for customers in Europe and Asia, according to interviews with executives.
An executive at one prominent U.S. hosting firm said that the picture of NSA spying that has emerged from leaks by Edward Snowden prompted a slew of requests from European customers to have data cordoned off from U.S. infrastructure.
Customers in Germany are often the source of the requests, he said. Revelations of NSA spying there, including a tap on the phone of German Chancellor Angela Merkel, have stoked a kind of economic nationalism.
"You have this really jingoistic response in Germany, where they're saying 'Americans are evil' and 'don't do business with them,'" he said. German firms are likely feeling pressure from the press and even the German government to cut ties to U.S.-based service providers, he said.
The executive spoke on the condition of anonymity, saying that he did not have permission to speak publicly about the issue. He acknowledged that requests to segregate data were rare before the revelations of NSA spying by former Booz Allen Hamilton contractor Edward Snowden, but have become more common since.
Chris Swan, the chief technology officer at Cohesive FT, a cloud networking company, said that his company began fielding calls from European clients, German companies in particular, last year. "They were asking for help finding and using non U.S.-affiliated infrastructure," he said.
"It’s a bit of a gradient with Germany at the top of the hill and the Swiss standing right alongside them," said Swan. In the U.K., Swan said the sense of urgency is much less, possibly due to the 'special relationship' with the U.S.
John Dickson, a Principal at The Denim Group, said that the complaints aren't limited to privacy-conscious countries like Germany, either.
"You have Canadian firms that are trying to figure out how to get out of the U.S.," he said. The wrath of customers is not limited to U.S.-based firms, either. Other so-called 'Five Eyes' nations that are known to have cooperated with the U.S. intelligence community, including Canada, the U.K., Australia and New Zealand, are all facing scrutiny by customers, Dickson said. "The pain is being felt by hosting companies, cloud companies, anyone that handles data," he said.
A November survey from the Information Technology and Innovation Foundation (ITIF) pegged potential losses to U.S. businesses from concern over NSA spying at between $21 billion and $35 billion through 2016, assuming the U.S. loses about 10 percent of foreign business to European or Asian competitors, according to Daniel Castro, a senior analyst at ITIF.
Companies that do business in the cloud already face customer demands for assurances that their data is safe from prying eyes. Those requests take a couple of different forms, according to the hosting company executive. Customers have asked for their data to be kept 'locally,' segregating it on infrastructure located within the geographic border of Germany or other EU nations that are not perceived to be subject to access from U.S. intelligence agencies.
Given the complexity of cloud deployments and the need to balance data flows across global infrastructure, segregating data in the way the customers want isn't possible, according to Dickson.
"That kind of thing is an anathema to the cloud," he said. For one thing, even with IT assets spread across the globe, hosting firms, by necessity, maintain centralized control of those assets and the data stored on them.
Swan, whose company sells software that helps companies manage cloud resources alongside traditional IT assets, said that it is impossible for U.S.-based cloud providers to make assurances that data stored on their infrastructure might not be subject to lawful interdiction of some kind.
Realizing that, some firms are asking for changes that at least give them plausible deniability with local press and government officials. For example, they might ask for hosting firms to transfer the registration of IP addresses used to host content from U.S.-based entities to a German or EU-based subsidiary.
But such assurances count for little in the wake of reports that the NSA was able to spy on cloud providers such as Google and Yahoo without their knowledge. Besides, the U.S. government and the Obama Administration have set a precedent with the use of tools such as National Security Letters, under which companies may be prohibited from disclosing their cooperation with the federal government, said Bruce Schneier, the Chief Technology Officer at Co3 Systems.
"This is a fundamental trust problem that arises when you have 'secret laws' in a society," he said. "There's nothing these companies can say because you always have the possibility that there's a secret law that is compelling them to lie."
In the short term, the pressure to disentangle operations from U.S. and "Five Eyes" firms may benefit local competitors who promise homegrown hosting without fear of spying. U.S. companies may also not be asked to the table to bid on work in countries that are wary of the long arm of the U.S. intelligence services, Dickson said.
Today, there aren't really home-grown equivalents of Amazon or Rackspace in countries like Germany. Backlash over reports of NSA spying may give impetus to create domestic competitors, especially in countries like Germany. In Switzerland, for instance, a company named Swisscom said it is working on a secure cloud offering for "businesses located inside of Switzerland."
Swan said that hosting firms that neither are based in the U.S. nor rely on U.S. infrastructure are "pretty thin pickings," but that some vendors do offer both. Greenqloud, based in Iceland, is one. He is more sanguine about the ability of cloud providers to keep data segregated geographically.
Still, longtime agreements providing "safe harbor" for EU data on U.S. infrastructure have been harmed by the spying revelations. "U.S. safe harbor for EU data technically exists," Swan said. "But if I had to protect data in accordance with EU regulations, I would not rely on U.S. safe harbor promises," he said.
Another likely outcome of the NSA spying revelations may be demands by customers for radical transparency before they trust their data to U.S. providers – an expansion of audits such as SAS70 and SOX3 that are now common due diligence among security-conscious firms, said Dickson of Denim Group.
Questions about government surveillance may be handled by account management, IT and in-house counsel, Dickson said. "It's the same thing with fraud or other issues," he said. "You have to put internal processes and checks and balances in place, but it's a rigor that most companies haven't had to adhere to."