European cloud computing firms see silver lining in PRISM scandal
Prism revelations may help European technology firms win market share from US competitors
France has its “Sovereign Cloud” project while across the Rhine data firms have created the label “Cloud Services: Made in Germany”, all trying to reassure big companies that their information is stored away from the prying eyes of US spies.
European firms believe revelations that the US National Security Agency (NSA) has secretly gathered user data from nine big US Internet companies, including Microsoft and Google, will hand them a competitive advantage as they play catch-up with the dominant American players in “cloud computing”.
Yet companies and individuals may have to accept that while storing and processing their most sensitive information on servers owned by Europeans and located in Europe could keep it from the NSA’s eyes, intelligence agencies closer to home may be looking anyway.
“If you are going to have a Big Brother, I’d much rather have a domestic Big Brother than a foreign Big Brother,” said Mikko Hypponen, chief research officer at internet security company F-Secure, which also offers cloud services with data stored in the Nordic countries.
Cloud computing - an umbrella term for everything from web-based email to business software that is run remotely via the Internet instead of on-site - is being adopted by big companies and governments globally to cut costs and add flexibility to their IT departments.
In a Normandy town nestled in a loop of the Seine river lies a huge new data centre, a part of France’s Sovereign Cloud project that some in the industry once poked fun at as being out of step with the realities of the borderless Internet.
Last year the French government ploughed 150 million euros (HK$1.6 billion) into two start-ups, including the data centre’s owner Cloudwatt, to equip the country with infrastructure independent of US cloud computing giants.
Following the revelations that the NSA’s PRISM programme collected user data from the nine companies that also include Yahoo and Facebook, the French position now seems prescient to some people.
“People are being spied on without their knowledge, and non-US residents have no legal rights,” said Philippe Tavernier of Numergy, another cloud-computing group that got state help. “We feel vindicated that our strategy is right.”
As European Union officials seek answers from the US government on PRISM, technology executives, data protection regulators and analysts told Reuters the scandal may prove a turning point for the region’s young cloud computing industry.
European companies such as telecoms groups Orange and Deutsche Telekom are trying to exploit the concerns as they build their own cloud businesses.
Government agencies and municipalities, especially in more privacy-conscious countries such as Germany, are more likely to turn to local alternatives for cloud services. Sweden recently banned Google Apps - cloud-based email, calendar and storage - in the public sector over concerns that Google had too much leeway over how the data was used and stored.
Similar changes could also gather pace in Asia where companies and regulators were already concerned about data security in the cloud before PRISM.
A source at a major Chinese company that provides cloud infrastructure said governments were likely to impose stricter controls on where data was stored, although this would not be a panacea. “Frankly, wherever you put your data, someone is always watching. It could be the US, it could be China,” he said.
Some lawmakers in the European Parliament also want rules requiring companies undertaking cloud projects to protect European users’ data better, and are using concerns around PRISM to lobby for their cause. They want supervisors or judges to oversee the transfer of personal data to overseas security services, and for customers of cloud companies to be able to opt out of their data being stored in the United States.
Caspar Bowden, an independent privacy advocate and Microsoft’s chief privacy adviser from 2002-2011, said that before the PRISM revelations the big US cloud companies had been largely able to quell fears about data security with savvy public relations. “The headlines this past week will change all that. The nationality of the company and the location of the data do make a difference,” he said.
Even before PRISM, some companies abroad planning cloud computing projects were concerned about the powers given to US intelligence agencies by anti-terrorism laws enacted after the Sept. 11 attacks on the country: the 2001 Patriot Act and the 2008 Foreign Intelligence Surveillance Amendments Act (FISAA).
Cloud computing companies and their customers globally are struggling to understand when and how governments can access users’ data. Many national and international laws are at play and different interpretations abound. Also, since US anti-terrorism laws require that information requests be kept secret, companies served with such warrants cannot disclose them.
This much is clear: a US cloud computing company must comply with US government search warrants and intelligence requests, just as a French or German company would when presented with a similar domestic warrant. Intelligence agencies also co-operate under what are known as mutual legal assistance treaties to gain access to data stored in one jurisdiction but needed in a lawful investigation in another country.
What remains murky, however, is whether the US government can use anti-terrorism laws on a US-based company such as IBM or Microsoft to force its local subsidiaries across the world into handing over user data. Or more simply, can the US government just order a cloud company to use a US-based computer to access data stored abroad?
“When data comes in to the US or is handled in the cloud by US companies, there is a question whether access can be obtained by the US government,” said Ellen Giblin, a lawyer who specialises in privacy and data protection at the Ashcroft Law Firm. “It’s a very thick and layered concern.”
Contacted by Reuters, major US-based cloud providers including IBM, Microsoft, Amazon Web Services (AWS), and Google declined to answer specific questions. Many have built data centres abroad - AWS in Ireland and Australia, IBM in Germany and Ireland for example - to address data privacy concerns among non-US companies.
A spokeswoman for AWS noted that it did not take part in PRISM. On its website, AWS says data stored in the EU never leaves the region unless the customer requests it.
Cloud companies in Europe are taking different steps to meet their customers’ needs. Some are putting forward their local credentials such as the state-funded Cloudwatt and Numergy in France. German firms use the “Cloud Services: Made in Germany” label as a marketing tool if they can certify certain conditions such as contract terms that comply with national privacy laws.
Axel Heantjens, an executive at Orange Business Services, recently advised a French luxury group that needed computer servers in the Americas for a global cloud project but did not want them in the United States because of security concerns. “I told them to consider Costa Rica or Canada,” he said.
Others, such as the German lawyers’ association, are turning to technological fixes. It now encrypts data that 800 members of its information technology group put in a cloud computing programme provided by T-Systems, the IT services unit of Deutsche Telekom.
Since only the association holds the encryption key and not T-Systems, the product adds an extra layer of security.
Such encryption has been unpopular among companies because the scrambled data crippled the functionality of cloud programmes like Salesforce.com or Microsoft Office 365.
Now a number of tech companies have got around some of the problems, including California-based start-up CipherCloud. The company’s software encrypts data on the fly as it is sent up to or retrieved from cloud applications. The key to unscramble the files is kept by the customer and never given to the cloud provider.
“We’ve grown rapidly because so many people around the world are worried about cloud security,” said CipherCloud CEO Pravin Kothari.