Edward Snowden, the NSA, Heartbleed – it seems every technology story at the moment is in some way linked to these topics. Whether or not you believe that the NSA was directly involved in the Heartbleed security flaw, it is apparent that cloud customers around the world have been rattled by the disclosure of mass government surveillance and security leaks.
What effect have these revelations and worries had on United States-based cloud providers?
A Cloud Security Alliance (CSA) survey found that ten percent of non-United States companies cancelled contracts with American service providers following the admission of the NSA spying program in the middle of 2013. Worryingly for those providers, the survey also found that a massive fifty-six percent of respondents are now reluctant to work with any US-based cloud service. Only thirty percent of those surveyed said that ‘spygate’ would have no impact on their use of cloud services.
The data surprised senior figures within the cloud computing industry. Jim Reavis, Co-Founder and Executive Director of the CSA, said the level of scepticism was greater than he expected, but pointed out that he “thought that more people would understand that these activities happen all the time in their countries as well”. Whether or not other countries conduct the same level of covert operations is not clear.
Most customers cited one major stumbling block that would need to be addressed before they once again consider American cloud providers – transparency about the US Government’s use of secret orders from the Foreign Intelligence Surveillance Act (FISA).
With internet giants such as Google, Microsoft, and Yahoo all being regularly subjected to FISA court orders, the report showed an almost unanimous call for the White House to disclose more information about the details that are being requested.
“Virtually everyone that responded said that providers need to be able to provide at least aggregate information on what they are doing,” Reavis said, pointing out that a majority of respondents want hosting companies to be allowed to disclose how many NSA requests they get for each customer record, what kind of information is being requested, and how much is being provided.
The region that cloud providers will be most concerned by is Europe. The cloud is already suffering from a slower uptake in Europe than in North America, and even before the Wikileaks disclosures last year European regulators had published a report warning about how FISA can be used to target non-US individuals located outside America.
The report stated that “FISA can be seen categorically as a much graver risk to European Union (EU) data sovereignty than other laws hitherto considered by EU policy makers” – a quote that led one European-based security firm to note that “Right now, there are many customers who don’t want to buy American”.
After the Snowden leaks the EU Parliament voted to investigate the privacy and civil rights implications of the NSA spy programs on European citizens. The report is still being conducted, but it is certain that its conclusions will not be favourable for American cloud providers.
What do you think is the solution to the problem of trust and privacy in the cloud? Is it an inevitability of modern life that other people will be able to learn everything about us merely by switching on a computer, or is government spying an unacceptable level of intrusion?
By Daniel Price