Foreign Businesses Flee US Cloud Computing, Survey Finds

Top 10 Cloud Fiascos

Fully a quarter of businesses are moving data out of the US as a result of revelations about the scope of data gathering by the US National Security Agency, claims Canada-based cloud hosting provider PEER 1 Hosting.

Some qualifications apply: The survey behind the company's assertion doesn't cover 25% of all businesses. It describes findings from a 10-minute survey of 300 small companies -- 250 employees or less -- based in the UK and Canada.

When the sample is confined to just Canadian companies, 33% say they plan to move data out of US datacenters. Evidence of that exodus isn't extensive: PEER 1 was able to point to one client, iDigital, that has been dealing with data flight.

Matt McKinney, managing director of iDigital, an 85-person cloud hosting provider based in British Columbia, Canada, said in a phone interview that privacy is particularly important to Canadians, noting that the country has been aggressive in dealing with online privacy through its regulatory agencies.

McKinney said customers began asking where iDigital's servers were housed two or three years ago, when concern about the implications of the US Patriot Act became more widespread. The NSA revelations last year, he said, "were the straw that broke the camel's back. Eight out of 10 questions from customers now deal with governance, compliance, and data storage."

During the past 12 months, McKinney said, a substantial number of iDigital's 18,000 customers have been moving data that had been housed in Dallas, Texas, to north of the border, despite the costs being slightly higher. He estimated that the company is handling 10 to 15 migrations a week and claimed that other hosting companies like HostGator and Rackspace have seen customers move north.

Acknowledging that data may be sought by authorities in Canada, as it is in the US, McKinney suggested that Canadian companies, because of the cultural importance of privacy in the country, would be more likely, and better able, to resist overly expansive demands for information than companies in the US.

"Companies like Microsoft and Google just don't have the option to say, 'No, I won't give it to you,' because of the Patriot Act," he said.

(In fact, US companies do have the option to resist, but may be forbidden under the Patriot Act from disclosing demands for information or legal filings in opposition of said demands. The extent to which the US judical branch sees a legal basis for opposing demands for access made under the mantle of national security is another matter.)

PEER 1's survey finds that despite rising mistrust, the US continues to be the most popular place for companies to host data (51%) outside of their home countries. That suggests the perception that data insecurity is at least as bad outside the US. A Der Spiegel report says that the NSA has a lengthy catalog of exploits with which to compromise commercial IT gear, so it appears that the only secure computing device is an abacus muffled in a black bag. Presumably, every national intelligence agency with even a modicum of ambition aspires to total information awareness.

There's little doubt that the ongoing reports about the NSA's reach and methods, based on documents leaked by former NSA contractor Edward Snowden, have provoked anger, frustration, and calls for reform among companies, legal experts, security professionals, and lawmakers around the globe.

In fact, PEER 1's survey aligns with warnings from other groups with perhaps less of a vested interest in such findings. The Information Technology and Innovation Foundation (ITIF), a technology think tank, projected last August that US cloud computing providers would eventually lose 20% of the foreign market to competitors. In dollar terms, it projected losses as high as $35 billion by 2016.

The ITIF based its projection on a July 2013 Cloud Security Alliance survey. It relied on 456 responses to an online survey, 234 from the US and 222 from other countries.

Daniel Castro, an analyst at the ITIF, said in an email that PEER 1's findings are on the high end of what he'd expect. He said his organization's previous estimate assumed no more than a 5% drop in foreign companies buying cloud computing services in the first year.

While noting that that value of cloud contracts with small businesses isn't easily compared to what medium and large companies buy, he said that PEER 1's findings support the ITIF estimate and indicate that policymakers should be paying attention to the issue.

But Castro said the US government has failed to respond adequately to the economic impact of its intelligence operations. "US companies are at an unfortunate disadvantage and the intelligence community has done little to remedy this situation," he said. "The policies that led to this situation have not changed and are currently in direct conflict with the economic strategy of the nation which is to promote a level playing field for US companies abroad."

Thomas Claburn is editor-at-large for InformationWeek. He has been writing about business and technology since 1996 for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television. He's the author of a science fiction novel, Reflecting Fires, and his mobile game Blocfall Free is available for iOS, Android, and Kindle Fire.

Can the trendy tech strategy of DevOps really bring peace between developers and IT operations -- and deliver faster, more reliable app creation and delivery? Also in the DevOps Challenge issue of InformationWeek: Execs charting digital business strategies can't afford to take Internet connectivity for granted.