LONDON, UK — When former NSA contractor Edward Snowden leaked secrets of the US agency’s massive surveillance operations this summer, he prompted a global review of just how secure electronic data is.
For all of the outrage over the US government’s collection of data from global internet companies, at least one sector cheered the news: providers of cloud computing services located outside the US.
“I love Prism,” UK tech executive Simon Wardley wrote on his blog in the weeks after Snowden disclosed the program to the Guardian newspaper. “God bless America and the NSA for handing this golden opportunity to us.”
The NSA surveillance programs came to light just as cloud computing was taking off. US companies have so far dominated the global cloud computing market.
But in the wake of Snowden’s revelations, some countries are now seeking to bring their data back within their borders.
Brazil has announced its intention to route all regional internet traffic locally and set up a secure national email service. EU officials have called for a “European data cloud” that would store data exclusively on the continent.
In July, 10 percent of respondents outside the US said that they had cancelled a project with a US-based cloud computing provider since the NSA program came to light, in a survey conducted by the Cloud Security Alliance, a trade group.
More than half said the disclosures made them less likely to use US-based providers.
“If I were an American cloud provider, I would be quite frustrated with my government right now,” Neelie Kroes, European commissioner for digital affairs, told the Guardian in July. “If European cloud customers cannot trust the United States government, then maybe they won't trust US cloud providers either.”
Some cloud providers outside the US have jumped on the disclosures as a marketing tool. Others in the industry cautioned that walling off the internet was a reactionary step that would ultimately harm users.
“My fear is that with the excuse of the Snowden affair, some European policy makers will be tempted to introduce some protectionist rules to favor national companies, which would be totally foolish because that will be against the European customer itself,” said Daniele Catteddu, managing director for Europe, Middle East and Africa at the Cloud Security Alliance.
The European Commission also expressed concerns over the EU’s move toward a regional cloud.
“The Commission is strongly against a ‘Fortress Europe’ approach to cloud computing,” it stated in a memo last month, cautioning that a fragmented market would undermine the cost and technological benefits of the cloud’s pooled resources.
Concerns over the US government’s access to data have existed abroad since the passage of the Patriot Act in 2001. Yet the US is far from the only government with the ability to tap electronic data.
A 2012 market research report noted that most European countries have anti-terror legislation or other laws in place that give governments access to users’ data, even in countries with strict privacy regulations.
In most cases, the authors noted, the government had the power to access data stored outside the country’s borders.
“Ultimately if somebody really, really wants to get to something, they probably will. There is no such thing as 100 percent security,” said Philip Bindley, chief technological officer at the Bunker, a UK cloud provider.
With servers located in decommissioned military nuclear bunkers, the Bunker bills itself as the UK’s most secure cloud service. For all of its precautions, Bindley said, it is no more possible to stamp out data interception by a determined and well-financed third party than it is to end theft itself.
“We try to make it as difficult as possible. Do we make it impossible? Probably not. Can you make it impossible? Probably not,” he said.
“But if the guy next door has left his door open and yours has got five locks on it, chances are [a thief] is going to go for the guy next door.”