Counting the cost of the NSA

The revelations of Edward Snowden have severely damaged the reputation of US technology firms. And now we can start counting the cost in terms of lost euros.

The “Safe Harbor Framework” between the US and Europe is intended to promote the export of US technology services; it even has its own US government website. But now EU Justice Commissioner Viviane Reding has launched a review of the deal, and there are calls for German Chancellor Angela Merkel to push for its suspension because of NSA surveillance fears.

The Safe Harbor Framework, approved in 2000, has been at odds since 2001 with the US Patriot Act, a piece of post-9/11 legislation that EU countries dislike, to the detriment of US business abroad. Now that it's clear that the NSA isn't concerned with EU standards of data privacy, Europeans are alarmed.

10% right off the top
How alarmed? According to Computerworld journalist Jaikumar Vijayan: “Non-US clients of American cloud hosting companies are clearly rattled by revelations that the [NSA] collects huge amounts of customer data from Internet Service Providers and telecommunication companies.”

A Cloud Security Alliance (CSA) survey found that 10% of 207 officials at non-US companies had canceled contracts with US service providers following the revelation of the NSA spy program last month. The alliance, a non-profit organization with over 48,000 individual members, said the survey also found that 56% of non-US respondents were now hesitant to work with any US-based cloud service provider.

The online survey, seeking to gauge the potential impact of Snowden's disclosures on US-based hosting companies, was conducted between June 25 and July 9.

"The level of skepticism was greater than I expected," said Jim Reavis, co-founder and executive director of the CSA.

Reaction to NSA: locate outside USA
Consider this list of US companies claiming Safe Harbor compliance: Google, Yahoo, Microsoft, Facebook and AOL, all of which now appear to be part (willingly or otherwise) of the NSA's PRISM scheme. All of these firms are currently scrambling to improve their international image. Good luck with that.

If US firms are to continue to trade in Europe, realpolitik means it's good practice to show that none of their customers' data passes through the USA. Facebook has a new datacenter in Sweden, while Google chose Finland for its "This is definitely not located Stateside, so don't worry folks!" datacenter. Location alone is a thin shield, though: a US-headquartered provider remains subject to US legal process wherever the disks happen to sit. Much rests on the shoulders of Commissioner Reding. Expect more revelations as the story continues.

Extraordinary pressure on US gov't
Following Snowden's leaks, the EU Parliament voted overwhelmingly to investigate the privacy and civil rights implications of the NSA spy programs on European citizens, and to seek more information from US authorities.

A vast majority of respondents to the CSA survey cited a need for more transparency about the US government's use of secret orders from the Foreign Intelligence Surveillance Act (FISA) court to extract customer data from American Internet companies, said Reavis. “Respondents from US and foreign companies were nearly unanimous in calling for the US to disclose more information about the level of cooperation extended by specific service providers to government requests for customer data,” wrote Vijayan.

The CSA survey found that customers want hosting providers to pressure the US government to open the process, said the CSA's Reavis. A majority of respondents said hosting companies should be allowed to disclose how many NSA and FBI requests they get for customer records, what kind of information is being sought and how much is provided, he said.

"Virtually everyone that responded said that providers need to provide at least aggregate information on what they are doing," Reavis said.

“In Europe and elsewhere, Snowden's revelations resurfaced long-standing concerns about the US Patriot Act and other anti-terror statutes being used to gain access to customer data hosted by Internet service providers,” wrote Vijayan. “Prior to Snowden's disclosures, in fact, European regulators published a report warning about how FISA can be used to target non-US individuals located outside the US.”

The scope of the surveillance authorized under FISA goes beyond the interception of communications. The act also covers data in cloud environments, the EU report cautioned. FISA "can be seen categorically as a much graver risk to EU data sovereignty than other laws hitherto considered by EU policy makers," the report said.

Neutrality prized by security firms
"Ever since the PRISM scandal started in June, prospects in Europe, the Middle East and Asia are asking whether the ownership of the company is in the US or whether we host customer data in the US," said Mikko Hypponen, chief research officer of Finland-based security firm F-Secure.

"Right now, there are many customers who don't want to buy American—or to buy from a NATO country in general," Hypponen said. "Then again, there are many customers who don't want to buy Chinese, Russian or Israeli either. In a situation like this, it's good to be a solution provider coming from a fairly neutral country."

One thing is clear: the USA is in no way a "fairly neutral country" when it comes to data privacy protection.