How the NSA leaks could affect the US cloud computing industry

Experts say that leaks about the NSA surveillance program could hurt US cloud companies as their customers worry about data security.

A projection of text on the face of a woman in Berlin, June 12, 2013.
NSA leaks have fueled conversations about the security of US-based cloud computing companies.

Pawel Kopczynski/ Reuters/ File

August 26, 2013

News of the National Security Agency's data collection and surveillance programs made public ongoing privacy debates in the Foreign Intelligence Surveillance Court, inciting a backlash against the US government both domestically and internationally. 

Concerns about who has access to troves of online data extends from foreign negotiations to business deals: If the FISA court can issue a "national security letter" to gain access to US-based Internet companies’ servers, any foreign company’s data stored on these servers could be accessed by the US government.

A recent report from the Information Technology and Innovation Foundation estimates that the United States’ multibillion-dollar US cloud computing industry stands to lose anywhere from $22 to $35 billion over the next three years because of the NSA revelations.

Monitor Breakfast

Jimmy Carter and Monitor Breakfasts: A long, storied history

“If European cloud customers cannot trust the United States government, then maybe they won’t trust US cloud providers either,” said European Commissioner for Digital Affairs Neelie Kroes in an interview with the Guardian in July. “If I am right, there are multibillion-euro consequences for American companies. If I were an American cloud provider, I would be quite frustrated with my government right now."

Industry shifts since the NSA leaks in early June support Mr. Kroes’ argument. Amazon Web Services, widely acknowledged as the global market leader in cloud storage, cut some of its prices by 80 percent in July to remain competitive. The writing on the walls seems clear: The NSA leaks will hurt US cloud companies. But to peg an industry shift to June 2013 would overlook a larger trend that has been taking place in the industry since 2001.

“Enterprises were worried about government snooping well before the NSA leaks,” writes Camille Mendler, principle analyst with the Informa group in an e-mail to the Monitor. “The US government gets most [of the] attention because of the implied powers of the Patriot Act, let alone issues around NSA [and] Prism.”

The concept of cloud computing, or storing massive amounts of data in computers, dates back to the 1950s, though the feasibility of maintaining servers with vast amounts of information did not really take off until the early 2000s with the spread of the Internet. In 2006, Amazon Web Services was one of the first companies to offer large amounts of cloud storage to clients. Within several years, the industry had taken off. Data was increasingly stored in electronic clouds, rather than company hard drives.  

In 2011, Germany’s Deutsche Telekom and other telecommunications companies began promoting cloud-computing offerings as a way for businesses to “outsource their data centers,” according to a Bloomberg article from the time. 

Cause of plane crash remains uncertain, as Azerbaijan observes day of mourning

Having all corporate data under the stewardship of US companies would not really be “good for the future of the European people,” said Jean-Francois Audenard, the cloud security advisor to France Telecom, in January 2012. It is “extremely important to have the governments of Europe take care of this issue."

Before details of the Prism program were known, rivals of large US cloud computing companies could only point to the possibility of government surveillance, rather than concrete incidences of the US government accessing user data from Internet providers. The Prism programs confirmed suspicions that data in US servers could be accessed by the US government without a client’s knowledge via US-based Internet servers.

“Whoever fears their communication is being intercepted in any way should use services that don’t go through American servers,” and should stop using American companies such as Google and Facebook, said German Interior Minister Hans-Peter Fredrich in July.

And according to the Information Technology and Innovation Foundation, any market edge within the rapidly growing cloud industry, such as the promise of server security away from the US government’s data collection program, could be a game changer for young cloud companies. 

However, some in the cloud computing industry think that the NSA leaks could signal a shift away from large companies with data storage offerings, such Google, Yahoo, and IBM, commonly referred to as “public” companies, compared to less consumer-driven “private” data storage companies.

If you use one of these data storage companies, even a foreign data firm, “you should have the expectation that data ... is being fed to government agencies,” says Charles Weaver, chief executive officer of MSP Alliance, an international group of cloud and data service providers that advises small software and data storage companies.

This month, President Obama hosted Apple chief executive officer Tim Cook, AT&T CEO Randall Stephenson, and Google computer scientist Vint Cerf to discuss government surveillance. It is this kind of close relationship between large Internet companies and the government that Mr. Weaver finds concerning and says does not exist between smaller data companies and federal governments.

Mr. Weaver says that it is harder to get information from a smaller cloud storage company. Seizure of this data will be noticed, he says. It’s the same thing as with small e-mail service providers such as Edward Snowden’s provider Lavabit. It shut down rather than surrender consumer data. But, Google isn’t about to shut down because of a data request, says Weaver.

Earlier this month, Google announced the company’s intentions to encrypt all data on its cloud platform, typically used by businesses, rather than individuals. Google, however, will still have access to the encryption codes, making arguably them just as susceptible to be requested by national security letters.