A recent New York Times article says that Berlin has become a haven for those fleeing the reach of the British and American intelligence services. The documentary film maker who helped Edward Snowden leak documents from Hong Kong has moved there, advised by her attorney’s not to return to England. A WikiLeaks press spokesman lives there as well. After a visit by a German congressman to see Snowden in Russia, there is speculation that Berlin might become home to the man himself. Google, Amazon, and Microsoft might also want to set up shop there to prevent their cloud customers from dropping their services. Software-as-a-Service vendors face a similar problem.
American tech companies are on the defensive, trying to assure their international customers that data stored in the cloud is safe from prying eyes. Microsoft, Google, and Yahoo are all racing to encrypt data traveling between their data centers overseas, since NSA has been found to be tapping undersea fiber-optic cables. Since these cables are in the ocean, outside US borders, they do not fall under the jurisdiction of American law.
American companies are concerned that they may lose customers for their cloud services, because they cannot guarantee the security of the information held there. This has caught the attention of financial analysts, who are trying to measure the effect on the bottom line.
Forrester Research has weighed in with a financial estimate of what they think this will cost American tech firms: $185 billion by 2016, which is a whopping 25% of potential sales. Forrester carefully reviewed analysis by Daniel Castro at the Information Technology & Innovation Foundation (ITIF) and said his estimate of $35 billion over the same time period is far too small.
Beyond spying, foreign data in the US is subject to American confiscation creating an additional concern in the market. The US Patriot Act requires companies operating on American soil to hand over their data when presented with a subpoena.
James Staten of Forrester says the ITIF study, which focused solely on potential cloud customers located outside the United States, did not take into account what will happen with US-based potential cloud customers and cloud providers overseas. Staten says US cloud providers could lose 20% of potential international sales. Plus, US companies doing business overseas will, in some cases, move their cloud data outside the US costing American cloud providers another 20%. In addition, because the US is not the only country spying on its citizens, cloud providers overseas will lose 20% of their business as well.
Forrester points out that the Snowden revelations about NSA intelligence gathering will have a chilling effect on cloud sales regardless of where the cloud service provider is located. Just locating your data center in France doesn’t necessarily mean it will be safe from the eyes of the French government.
What does Forrester suggest cloud customers do? Add encryption. Newspapers have been somewhat reckless in their reporting that the NSA has figured out how to decrypt encrypted traffic. The problem is the journalists do not know understand what they are writing about. Encryption is based on number theory and prime numbers. If any mathematician had figured out the centuries old problem of how to determine whether a number is prime, it would have made international news and headlined peer-reviewed academic journals.
NSA may well be able to crack encryption using supercomputers, mainframes, or massively parallel systems by working with hardware and software vendors to add back doors, but can they do that on a massive scale on real-time traffic. If you have any doubt whether your encryption is compromised, work with one of the encryption providers who are upfront about their support for privacy and have published their source code on the Internet.
NSA has certainly dealt a blow to the cloud business by casting doubt on the ability of a company to protect its data kept there. The question for cloud customers (and SaaS customers) is whether the risks of putting data on the cloud outweigh the cost savings from doing so.