PRISM hitting where it hurts

According to a recent study by the Cloud Security Alliance, foreign companies are beginning to shy away from using US-based cloud computing services because of their fears concerning the NSA’s PRISM program. The study found that ten percent of the Alliance’s non-US firms had canceled a contract with a US-based provider, and 56% indicated they were less likely to seek the services of US cloud companies in the future.

I suspect that this will be a short-lived trend. If US cloud providers offer the best services at the best prices, they’ll go a long way toward luring would-be overseas customers back. I also believe that the companies who have canceled contracts were already looking for an excuse to get out.

There is, of course, a lingering worry that we’ve only scratched the surface of this story and that our government’s surveillance initiatives are far more comprehensive. Further disclosures will have a longer lasting effect and force US cloud companies either to close up shop or move their server farms overseas. That would be the latest in a troubling series of US-led tech innovations that flee home once they’ve come of age.

In the late 1990s, manufacturers of wireless networking devices faced a similar problem. Encryption was governed under the same strict export rules that governed overseas transport of nuclear munitions. Any product that encrypted data with a key longer than a puny 40 bits could not be exported. So, wireless router manufacturers like Cisco equipped their products with a terribly weak encryption algorithm called WEP that complied with this edict. They began to lose market share, particularly overseas. Fortunately, the US government finally saw the punitive impact encryption regulations were having on US tech firms, and they relaxed the rules to far more reasonable and workable constraints in 2000.

Ultimately, some kind of similar legislative initiative is going to have to happen in this case. I highly doubt we’ve learned all there is to know about PRISM. New revelations are going to continue to hammer away at international trust, both politically and commercially. Somehow, Congress and the Administration are going to have to legislate controls that guarantee freedom from governmental snooping for private data services unless all such surveillance attempts are negotiated in the open. Future service level agreements may have to be written in such a way as to give customers the opportunity to pay a premium for demonstrable guarantees of privacy.

This is certainly not what the NSA wants, for it is certain to cloud their vision. It will be interesting to see how government and industry work out these thorny issues in the coming months.

 

About Ray Klump

Professor and chair of Mathematics and Computer Science; Director, Master of Science in Information Security; Lewis University. http://online.lewisu.edu/ms-information-security.asp, http://online.lewisu.edu/resource/engineering-technology/articles.asp, http://cs.lewisu.edu. You can find him on Google+.
