NSA spying challenges U.S. cloud providers, analyst says
Congressional lawmakers last week pondered what, if any, changes can be made to U.S. government surveillance programs, as fallout continues over whistleblower Edward Snowden's disclosures about the National Security Agency's (NSA) collection of massive amounts of personal data.
The agency's actions stand to harm U.S.-based cloud service providers and their customers around the globe. Revelations about the NSA's PRISM program could cost cloud computing companies $22 million to $35 million by 2016, according to an August estimate by the Information Technology & Innovation Foundation. Forrester predicted the losses could be much higher at $180 billion, or a 25 percent hit to overall revenues.
CIO.com talked to Alex Lakatos, partner in the Washington, D.C. office of Mayer Brown's litigation and financial services regulatory and enforcement practice, about the reactions of European governments to NSA surveillance, the likely inaction of the U.S. government, and what is all means for cloud providers—stateside and abroad—and their clients around the world.
What's been the reaction thus far to the NSA revelations in the global business community?
Alex Lakatos, Mayer Brown: Most businesses we have spoken with have a negative view of the PRISM and phone records programs, viewing them with suspicion and distrust. The programs can undermine retail customers' trust in U.S. businesses, and that trust is an asset that U.S. businesses value. The programs can put U.S. businesses at a competitive disadvantage when competing against non-U.S. businesses.
For program participants, it has been a reputational hit, and no doubt an administrative burden to provide their (likely involuntary) cooperation to the NSA. Anecdotally, there is a lot of quiet admiration for Twitter's general counsel, who led the company in its decision to resist pressure to participate in the PRISM program. Of course, U.S. business tends to appreciate a stable climate fostered by strong national security, but these programs that impose directly on U.S. business are largely seen to have crossed the line.
What do you predict the overall impact will be for cloud services providers and their customers, given current sentiment about the NSA surveillance programs?
Lakatos: There is a risk that cloud services customers will avoid using U.S.-based cloud service providers based on the perception that U.S. providers are more vulnerable to NSA surveillance. Sen. [Al] Franken [D-Minnesota] cited studies supporting this conclusion in his statement at this week's hearing.
We anticipate that non-U.S. providers will continue to market their services as being beyond the reach of the U.S. government and the NSA, although such assertions may be dubious from a legal and, perhaps, technological perspective. In short, recent revelations about NSA surveillance are likely to be a boon for non-U.S. cloud service providers.
How are European governments reacting and what might that mean for cloud customers in that region?
Lakatos: European governments are strongly objecting to the NSA's activities. The European Parliament is considering revisions to its data privacy laws to include a provision—previously considered and rejected—that would put many cloud service providers between a rock and hard place, not just U.S.-based cloud service providers, but also EU cloud service providers that have offices in the United States.
The provision, if enacted, would impose a Hobson's choice on such providers: Either violate U.S. law compelling production of data to the NSA or violate the EU law prohibiting such transfers. Either violate a U.S. gag order or violate the EU requirement to inform the data subject when its data is shared with the U.S. government. All of this is unfair to the business caught in the middle. It's like denying your waiter a tip to send a message to the kitchen about the food.
Given the U.S. Congressional hearings to date on the NSA programs, what legislative action, if any, is likely to be taken?
Lakatos: We do not expect Congressional action in the near term because of the lack of cooperation between the parties.
Rep. Justin Amash (R-Michigan) proposed legislation that would have defunded the NSA's phone records program. In other words, had the bill been enacted, the NSA would not have been permitted to use government funds to conduct its phone records program, which would sounded the program's death knell.
But the Amash bill would not have affected Section 215 of the Patriot Act, the underlying law authorizing the phone records program, itself. Thus, even if the bill were enacted, the NSA would still have been able to use Section 215 for other types of investigations. In any event, the Amash bill was not long ago defeated in the House by a narrow 205-217 majority. In the past, similar bills have been defeated by a much wider margin. This shows some momentum for reform, but also how difficult it is to get even modest reforms enacted.
How will U.S. cloud providers deal with these issues?
Lakatos: Some U.S. companies may respond to consumer concerns by opening EU subsidiaries and data centers. To the extent that those same resources might better be spent on innovations that would be benefit consumers, that would be a shame. Providers should also expect to see more questions from their customers, and greater demands for contractual and other assurances about the safekeeping and confidentiality of customer data.
What steps should cloud services customers take to protect themselves?
Lakatos: At the outset, customers looking to use cloud services should give careful thought to the question of what risks they are concerned with when it comes to putting their data on the cloud. For example, is the customer concerned that it will suffer business interruptions and loss of use of data? Or that its own reputation in the marketplace will suffer based on the cloud service provider's treatment of its data? Or that it may find itself in violation of EU or other data protection laws? There are myriad other possible concerns.
Once the concerns are identified, some may be addressed by choosing the right provider or including the right contractual terms. For example, a customer might include provisions in its agreement with its cloud service provider that require data to be stored in certain jurisdictions with certain levels of encryption. Or customers could require their cloud service provider to notify them of government requests and even to fight government gag orders in court that would prevent such notification.