NSA's Prism Could Cost U.S. Cloud Companies $45 Billion

9 Android Apps To Improve Security, Privacy

The revelations about the monitoring of phone calls, emails and Internet traffic by the National Security Agency's Prism program will cost U.S. cloud suppliers either $35 billion, $45 billion, or maybe not so much, depending on how you interpret recent data on the continued use of hosting services, according to analysts looking at the aftermath of the Edward Snowden leaks.

The $35 billion figure springs from a recent survey by the Cloud Security Alliance, which found that 56% of 500 respondents said the disclosures by the fugitive NSA systems administrator would cause them to lose non-U.S. business. Canada, plus Germany, France and other European countries, have rules that require companies to guarantee the privacy of data that originates within their borders. Most comply by keeping the data on storage inside its country of origin.

Daniel Castro, an analyst at the Information Technology and Innovation Institute, a technology think tank, used that figure to project that U.S. cloud service suppliers are likely to lose $22 billion to $35 billion in business to European rivals over the next three years. The rivalry is already well entrenched, with European governments investing in future competitors of U.S. companies.

Castro reported that Jean-Francois Audenard, the cloud security advisor to France Telecom, "said with no small amount of nationalistic hyperbole, 'It's extremely important to have the governments of Europe take care of this issue. ... If all the data of enterprises is going to be under the control of the U.S., it's not really good for the future of the European people.''' France recently invested 135 million Euros in a joint cloud venture with French business.

[ What can you learn from the NSA? See The NSA And Big Data: What IT Can Learn. ]

The losses by U.S. companies could be greater, concluded James Staten, lead cloud analyst at Forrester Research, after reviewing Castro's report. Castro's analysis looked only at the business that might be withdrawn from U.S. providers by foreign companies and concluded that 20% of that business was at risk of going away regardless of security questions. Staten said some cloud users in the U.S. will also have to bypass U.S. cloud providers and move part of their business overseas to satisfy their international units and customers. That would add $10 billion to Castro's total, he said.

"European Union rules require data about EU citizens be stored and retained in the EU ... so seeking an EU-based cloud provider or non-cloud IT provider would be a prudent tactic for a U.S. business," Staten noted in a lengthy blog post dated Aug. 14.

Staten wrote that Neelie Kroes, European Commissioner for Digital Affairs, summarized the problem: "If European cloud customers cannot trust the United States government, then maybe they won't trust U.S. cloud providers either. ... If I were an American cloud provider, I would be quite frustrated with my government right now." Between now and 2020, the consequences may be a shift in billions of dollars worth of business away from American suppliers to European suppliers, Kroes predicted.

The data privacy rules don't only apply in European countries. Canada has strict requirements on its citizen's medical records. Since the U.S. Patriot Act was passed, Canada has forbidden medical information on its citizens to be stored on U.S. servers. It's unlikely that concern would be eased by the Snowden revelations.

Pat O'Day, co-founder of the VMware-compatible cloud service, Bluelock, said there are many VMware customers in Canada that have an interest in a cloud supplier for backup and recovery purposes. Bluelock offers such a service, geared to work with the VMware product set. But he finds Toronto customers moving their data across the continent to suppliers in Vancouver "just to keep it on the north side of the border," rather than turn to a closer provider in Indianapolis.

"Both data and IP concerns were already driving decision-making behavior for our northern neighbors due to the Patriot Act. But the recent NSA situation is unfortunately underscoring and exacerbating the issue," O'Day said in an email. Staten pointed out that the U.S. isn't the only country conducting government surveillance of traffic flowing through Facebook, Google, Microsoft, Yahoo, Apple and other big Internet-based services -- but it's the only one in the news. Germany has its own equivalent to the NSA, the BND, but little is known about what its surveillance practices are. The U.K. maintains a strong surveillance system over public transit and city centers and is likely to have one over its Internet pathways as well. India reportedly mounts its own electronic watch against potential intruders and terrorists.

Staten said the fallout from the Prism news on U.S. companies is likely to be "particularly acute because cloud computing is a rapidly growing industry. This means that cloud computing vendors not only have to retain existing customers, they must actively recruit new customers to retain market share."

Global spending on the cloud will grow 100% between 2012 and 2016. The global IT market is growing 3%, he pointed out. "If U.S. companies lose market share in the short term, this will have long-term implications on their competitive advantage in this new industry," he concluded.

But it may be too soon to estimate the long term effects of Snowden's revelations and subsequent flight to Hong Kong and Russia. Data Center Knowledge, a news site devoted to the latest data center technology, pointed to a survey by Netcraft, a U.K. firm that tracks Internet servers. It found the number of websites hosted in the U.S. from overseas has grown since the Snowden disclosures. In the month of July, 3.6 million websites left the U.S. to hosts overseas. That sounds like a large number, but about 3.9 million moved into the U.S. from other countries, for a net gain of 270,000 additional sites.

Germany, with its strict rules on data privacy, was the most popular point of departure for websites moving to the U.S. "Nearly 1.2 million sites moved from German hosting companies. This was followed by Canada, where 803,000 sites hopped across the border to the US," Netcraft reported.

"Netcraft's monthly Web Server Survey suggests that if multi-national customers have concerns about being hosted in the U.S., they're not acting on them -- at least not yet," wrote Data Center Knowledge editor in chief Rich Miller.

Netcraft also reported that of the 10,000 most popular websites in the world, 40 had moved away from the U.S. since the Snowden revelations. But 47 moved into the U.S., leaving the U.S. with a net gain of seven.

It may take more than 30 days for major cloud customers to decide to move their business, or the sensitive parts of their business, away from U.S. providers. The Netcraft Web server and website data is one indicator. But Netcraft doesn't look down into the repositories of business data, customer data and international patient data that may in fact be starting an outward migration, one that will make Staten's projection of a $45 billion loss by 2016 a reality.

Staten and others agree with the ITIF recommendation that the U.S. must state what data it has access to and the rules that govern that access. It must also establish a judicial check on what security agencies may do to obtain data.

He also recommended that the U.S. lobby other nations at the next G30 economic summit to jointly draft "international surveillance transparency rules that will take any potential chill off the burgeoning cloud computing market."