Despite fears, NSA revelations helping US tech industry
Joseph Menn in San Francisco
Edward Snowden’s unprecedented exposure of US technology companies’ close collaboration with national intelligence agencies, widely expected to damage the industry’s financial performance abroad, may actually end up helping.
Despite emphatic predictions of waning business prospects, some of the big Internet companies that the former National Security Agency contractor showed to be closely involved in gathering data on people overseas - such as Google and Facebook - say privately that they have felt little if any impact on their businesses.
Insiders at companies that offer remote computing services known as cloud computing, including Amazon and Microsoft, also say they are seeing no fallout.
Meanwhile, smaller US companies offering encryption and related security services are seeing a jump in business overseas, along with an uptick in sales domestically as individuals and companies work harder to protect secrets.
“Our value proposition had been that it’s a wild world out there, while doing business internationally you need to protect yourself,” said Jon Callas, co-founder of phone and text encryption provider Silent Circle, where revenue quadrupled from May to June on a small base.
“Now the message people are getting from the newspapers every day is that it’s a wild world even domestically.”
Shortly after Snowden’s leaked documents detailed collabouration giving the NSA access to the accounts of tens of thousands of net companies’ users, the big Internet companies and their allies issued dire warnings, predicting that American businesses would lose tens of billions of dollars in revenue abroad as distrustful customers seek out local alternatives.
In a federal court filing last week, Google said that still-unfolding news coverage was causing “substantial harm to Google’s reputation and business”. The company said that could be mitigated if it were allowed to comment with precision about its intelligence dealings.
Likewise, last month, six technology trade groups wrote to the White House to urge reforms in the spy programs, citing what it called a “study” predicting a US$35 billion cumulative shortfall by 2016 in the vital economic sector.
That number, it turns out, was extrapolated from a security trade group’s survey of 207 non-US members - and the group, the Cloud Security Alliance, had explicitly cautioned that its members weren’t representative of the entire industry.
“I know you want sectors and numbers, but I don’t have it,” said Ed Black, president of the Computer & Communications Industry Association, one of the trade groups behind the letter. “Anybody who tells you they do is making it up.”
The trade groups aren’t the only ones issuing dismal, and headline-grabbing, forecasts.
Forrester Research analyst James Staten wrote of the $35 billion figure: "We think this estimate is too low and could be as high as US$180 billion, or a 25 percent hit to overall IT service provider revenues."
Staten’s comments generated dozens of media stories, some of which neglected to mention that Staten said the worst would come to pass only if businesses decided that spying was a bigger issue than the savings they gained from a shift to cloud computing.
In an interview with Reuters, Staten said he didn’t believe that would be the case. “I don’t think there’s going to be a significant pullback,” he said, though the rate of growth could slow for a couple of years.
Google employees told Reuters that the company has seen no significant impact on its business, and a person briefed on Microsoft’s business in Europe likewise said that company has had no issues. At Amazon, which was not named in Snowden’s documents but is seen as a likely victim because it is a top provider of cloud computing services, a spokeswoman said global demand “has never been greater.”
In the more than three months since Snowden’s revelations began, no publicly traded US company has cited him in a securities filing, where they are required to report events that are material to their business.
One reason that the prophecies of business doom are getting such a wide airing is that both the US industry and its overseas detractors have been saying the same thing - that customers will stop buying from US cloud companies.
Politicians in Europe and Brazil have cited the Snowden documents in pushing for new privacy laws and standards for cloud contracts and in urging local companies to steer clear of US vendors.
“If European cloud customers cannot trust the US government, then maybe they won’t trust US cloud providers either,” European Commission Vice President Neelie Kroes told The Guardian. “If I am right, there are multibillion-euro consequences for American companies.”
There have indeed been some contract cancellations.
Charles Mount, chief executive of business file-sharing service OneHub, told Reuters that an automated system that asks customers why they have dropped the OneHub service elicited this reply from an unspecified Bertelsmann unit in Austria:
“Headquarters is banning storage of company data in the US or with US companies altogether because of the NSA data-mining and industrial espionage. You should watch out for that. Maybe you should think about hosting in Iceland, Sweden or some other place known for complying with their own privacy legislation.”
Bertelsmann spokesman Christian Steinhof said the company couldn’t confirm that the exchange had occurred and therefore wouldn’t comment.
There are multiple theories for why the business impact of the Snowden leaks has been so minimal.
One is that cloud customers have few good alternatives, since US companies have most of the market and switching costs money.
Perhaps more convincing, Amazon, Microsoft and some others offer data centres in Europe with encryption that prevents significant hurdles to snooping by anyone including the service providers themselves and the US agencies. Encryption, however, comes with drawbacks, making using the cloud more cumbersome.
On Thursday, Brazil’s president called for laws that would require local data centres for the likes of Google and Facebook. But former senior Google engineer Bill Coughran, now a partner at Sequoia Capital, said that even in the worst-case scenario, those companies would simply spend extra to manage more Balkanized systems.
Another possibility is that tech-buying companies elsewhere believe that their own governments have scanning procedures that are every bit as invasive as the American programs.
Some think it’s just a matter of time, however, before US industry suffers significantly.
“Industry is still in denial,” said Caspar Bowden, once the chief privacy officer at Microsoft and now an independent researcher and privacy advocate in Europe. “It’s like Wile E Coyote running over the cliff, his legs are still turning but he hasn’t started falling yet.”
As for the upside, so far only a minority of people and businesses are tackling encryption on their own or moving to privacy-protecting Web browsers, but encryption is expected to get easier with more new entrants. Snowden himself said that strong encryption, applied correctly, was still reliable, even though the NSA has cracked or circumvented most of the ordinary, built-in security around Web email and financial transactions.
James Denaro, a patent attorney with security training in Washington, was already using Pretty Good Privacy (PGP), a complicated system for encrypting email, before the Snowden leaks. Afterward, he adopted phone and text encryption as well to protect client information.
“One of the results we see from Snowden is an increased awareness across the board about the incredible cyber insecurity,” Denaro said.
Some early adopters of encryption have senior jobs inside companies, and they could bring their habits to the office and eventually change the technology habits of the whole workplace, in the same way that executive fondness for iPhones and iPads prompted more companies to allow them access to corporate networks.
“Clients are now inquiring how they can protect their data overseas, what kinds of access the states might have and what controls or constraints they could put in with residency or encryption,” said Gartner researcher Lawrence Pingree, formerly chief security architect at PeopleSoft, later bought by Oracle.
Richard Stiennon, a security industry analyst and author, predicted that security spending will rise sharply.
A week ago, Google said it had intensified encryption of internal data flows after learning about NSA practices from Snowden’s files, and consultants are urging other big businesses to do the same.
Stiennon said that after more companies encrypt, the NSA and other agencies will spend more to break through, accelerating a lucrative cycle.
“They will start focusing on the encrypted data, because that’s where all the good stuff is,” Stiennon said.
Already, in a fiscal this year federal budget request from the intelligence community published this month by the Washington Post, officials wrote that investing in “groundbreaking cryptanalytic capabilities” was a top priority.