NSA spying could mean U.S. tech companies lose international business

Domestic Internet firms face political, economic consequences for breach of trust over the NSA surveillance controversy. Many are concerned the revelations could hurt their bottom line

It is not just personal information that is being swept into the National Security Agencys (NSA) massive databases. It is corporate data as well. And that could cause some serious international blowback for the U.S., both politically and economically.

According to a number of security experts, the U.S. surveillance state —exposed more officially than ever before by former NSA consultant Edward Snowden — will likely undercut the U.S.'s role and influence in Internet governance.

[NSA spying controversy: Much ado about nothing new?]

Ron Deibert, a professor of political science at the University of Toronto, wrote last week on the CNN website that, "there are unintended consequences of the NSA scandal that will undermine U.S. foreign policy interests — in particular, the 'Internet Freedom' agenda espoused by the U.S. State Department and its allies.

"The revelations that have emerged will undoubtedly trigger a reaction abroad as policymakers and ordinary users realize the huge disadvantages of their dependence on U.S.-controlled networks in social media, cloud computing, and telecommunications, and of the formidable resources that are deployed by U.S. national security agencies to mine and monitor those networks," Deibert wrote.

Bruce Schneier, CTO at BT and author/security guru, agreed. He linked to Deibert's article on his own blog, adding, "Now, when countries like Russia and Iran say the U.S. is simply too untrustworthy to manage the Internet, no one will be able to argue."

"We can't fight for Internet freedom around the world, then turn around and destroy it back home."

The revelations also pose an economic problem for U.S. cloud providers on the international market. Richard Stiennon, chief research analyst at IT-Harvest, wrote in Forbes that this kind of, "vast foreign and domestic spying & threatens the global competitiveness of U.S. tech companies."

[Intellectual property protection:The basics]

Stiennon wrote that since 2006, when making presentations outside the U.S., he has always been asked if the U.S. is reading foreigners' email.

"Answers that allude to 'protections from abuse' and 'oversight' now seem specious," he wrote. "From this week forward a universal suspicion has transformed into acknowledged fact. Yes, U.S. government agencies are reading email, tracking phone calls, and monitoring all communications."

It would seem that any savvy cloud customers in other parts of the world would have already been aware for years of the NSA's data collection. Former longtime NSA employee William Binney has been talking about it for more than a decade, the agencys capabilities have been widely reported in the mainstream and technology press and even members of Congress have hinted at it at least since 2009.

But Brian Honan, of BH consulting and also a board member of the UK & Ireland chapter of the Cloud Security Alliance, said that, "reassurances from both the providers and U.S. government officials may have allayed to some extent some of those concerns. However the recent revelations about the alleged extent of the surveillance have undermined completely those reassurances."

The "denials" coming from cloud providers are not much reassurance either. Kerri Catalozzi, speaking for Amazon, said by email that the company "is not participating in PRISM (an NSA program that reportedly has agreements to collect data from nine Internet companies)."

[5 things known and alleged about NSA surveillance]

That is likely true: Amazon was not among the companies listed in a leaked PowerPoint presentation. But nonparticipation in PRISM offers no guarantee that data isnt being collected.

The response was similar from Salesforce.com — spokesman Chi Hea Cho emailed a statement that, "nothing is more important to salesforce.com than the privacy and security of our customers' data. We are not involved in the PRISM program, and we do not provide any governments with direct access to Salesforce servers."

But "direct access" does not mean no access. As a number of analysts have pointed out, the data could come indirectly to the government, through a third party.

Honan said European companies using services from U.S. Internet companies must now be concerned about whether they are in breach of EU Data Protection laws. Those laws require companies to, "ensure only authorized personnel have access to any personal information of individuals. The fact that U.S. government agencies may be accessing this data could result in many European organizations being unable to satisfy their data protection obligations," he said.

While U.S. cloud providers are not saying if they are having trouble either gaining or holding international customers, Honan said he has talked with cloud providers based in the EU, "and they have told me they have seen an increase in sales inquiries."

Stiennon wrote that there has been a level of distrust for a while.

"Email archiving services such as ProofPoint could not sell to even Canadian customers without building local infrastructure. Even establishing separate data centers in Canada and Europe is not enough to assure customers that their data would forever stay out of the grasp of U.S. intelligence services."

The recent revelations, he said, will only make things more difficult.

In an interview, Stiennon said the only way for U.S. cloud providers to bridge the current trust gap is to, "adjust their delivery model to a zero-trust mode. In this model the provider encrypts everything and does not even have the keys. Those are left to the customer to store and manage."

And that, he noted, will only work for, "pure cloud providers. Google and Facebook have models that need access to that data to tailor ad delivery."

Politically, he said, it will be a very tough sell.

"It would take a rollback of the surveillance state to deflect this avalanche. Once trust is betrayed, it takes a complete reversal of course to get it back. The U.S. would have to become the privacy state, and demonstrate the absence of surveillance."

Honan said he knows U.S. Internet companies have to comply with legal requests for information from the government. But, he said they could reassure their international clients by, "being more transparent regarding the requests they get from the government agencies. As an industry these companies should also consider lobbying the government on how to balance the need of their clients with the security demands of the government."

Copyright © 2013 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)