Analysis: European cloud computing firms see silver lining in PRISM scandal
PARIS/LONDON (Reuters) - France has its "Sovereign Cloud" project while across the Rhine data firms have created the label "Cloud Services: Made in Germany", all trying to reassure big companies that their information is stored away from the prying eyes of U.S. spies.
European firms believe revelations that the U.S. National Security Agency (NSA) has secretly gathered user data from nine big U.S. Internet companies, including Microsoft and Google, will hand them a competitive advantage as they play catch-up with the dominant American players in "cloud computing".
Yet companies and individuals may have to accept that while storing and processing their most sensitive information on servers owned by Europeans and located in Europe could keep it from the NSA's eyes, intelligence agencies closer to home may be looking anyway.
"If you are going to have a Big Brother, I'd much rather have a domestic Big Brother than a foreign Big Brother," said Mikko Hypponen, chief research officer at internet security company F-Secure, which also offers cloud services with data stored in the Nordic countries.
Cloud computing - an umbrella term for everything from web-based email to business software that is run remotely via the Internet instead of on-site - is being adopted by big companies and governments globally to cut costs and add flexibility to their IT departments.
In a Normandy town nestled in a loop of the Seine river lies a huge new data centre, a part of France's Sovereign Cloud project that some in the industry once poked fun at as being out of step with the realities of the borderless Internet.
Last year the French government ploughed 150 million euros ($200 million) into two start-ups, including the data centre's owner Cloudwatt, to equip the country with infrastructure independent of U.S. cloud computing giants.
Following the revelations that the NSA's PRISM program collected user data from the nine companies that also include Yahoo and Facebook, the French position now seems prescient to some people.
"People are being spied on without their knowledge, and non-U.S. residents have no legal rights," said Philippe Tavernier of Numergy, another cloud-computing group that got state help. "We feel vindicated that our strategy is right."
As European Union officials seek answers from the U.S. government on PRISM, technology executives, data protection regulators and analysts told Reuters the scandal may prove a turning point for the region's young cloud computing industry.
European companies such as telecoms groups Orange and Deutsche Telekom are trying to exploit the concerns as they build their own cloud businesses.
Government agencies and municipalities, especially in more privacy-conscious countries such as Germany, are more likely to turn to local alternatives for cloud services. Sweden recently banned Google Apps - cloud-based email, calendar and storage - in the public sector over concerns that Google had too much leeway over how the data was used and stored.
"SOMEONE IS ALWAYS WATCHING"
Similar changes could also gather pace in Asia where companies and regulators were already concerned about data security in the cloud before PRISM.
A source at a major Chinese company that provides cloud infrastructure said governments were likely to impose stricter controls on where data was stored, although this would not be a panacea. "Frankly, wherever you put your data, someone is always watching. It could be the U.S., it could be China," he said.
Some lawmakers in the European Parliament also want rules requiring companies undertaking cloud projects to protect European users' data better, and are using concerns around PRISM to lobby for their cause. They want supervisors or judges to oversee the transfer of personal data to overseas security services, and for customers of cloud companies to be able to opt out of their data being stored in the United States.
Caspar Bowden, an independent privacy advocate and Microsoft's chief privacy adviser from 2002-2011, said that before the PRISM revelations the big U.S. cloud companies had been largely able to quell fears about data security with savvy public relations. "The headlines this past week will change all that. The nationality of the company and the location of the data do make a difference," he said.
Even before PRISM, some companies abroad planning cloud computing projects were concerned about the powers given to U.S. intelligence agencies by anti-terrorism laws enacted after the September 11 attacks on the country: the 2001 Patriot Act and the 2008 Foreign Intelligence Surveillance Amendments Act (FISAA).
A European Parliament body said in a report last year that FISAA granted the U.S. "heavy-caliber mass surveillance fire-power aimed at the cloud" and had "very strong implications on EU data sovereignty and the protection of its citizens' rights".
Cloud computing companies and their customers globally are struggling to understand when and how governments can access users' data. Many national and international laws are at play and different interpretations abound. Also, since U.S. anti-terrorism laws require that information requests be kept secret, companies served with such warrants cannot disclose them.
This much is clear: a U.S. cloud computing company must comply with U.S. government search warrants and intelligence requests, just as a French or German company would when presented with a similar domestic warrant. Intelligence agencies also co-operate under what are known as mutual legal assistance treaties to gain access to data stored in one jurisdiction but needed in a lawful investigation in another country.
What remains murky, however, is whether the U.S. government can use anti-terrorism laws on a U.S.-based company such as IBM or Microsoft to force its local subsidiaries across the world into handing over user data. Or more simply, can the U.S. government just order a cloud company to use a U.S.-based computer to access data stored abroad?
"When data comes in to the U.S. or is handled in the cloud by U.S. companies, there is a question whether access can be obtained by the U.S. government," said Ellen Giblin, a lawyer who specializes in privacy and data protection at the Ashcroft Law Firm. "It's a very thick and layered concern."
Contacted by Reuters, major U.S.-based cloud providers including IBM, Microsoft, Amazon Web Services (AWS), and Google declined to answer specific questions. Many have built data centers abroad - AWS in Ireland and Australia, IBM in Germany and Ireland for example - to address data privacy concerns among non-U.S. companies.
A spokeswoman for AWS noted that it did not take part in PRISM. On its website, AWS says data stored in the EU never leaves the region unless the customer requests it.
Cloud companies in Europe are taking different steps to meet their customers' needs. Some are putting forward their local credentials such as the state-funded Cloudwatt and Numergy in France. German firms use the "Cloud Services: Made in Germany" label as a marketing tool if they can certify certain conditions such as contract terms that comply with national privacy laws.
Axel Heantjens, an executive at Orange Business Services, recently advised a French luxury group that needed computer servers in the Americas for a global cloud project but did not want them in the United States because of security concerns. "I told them to consider Costa Rica or Canada," he said.
Others, such as the German lawyers' association, are turning to technological fixes. It now encrypts data that 800 members of its information technology group put in a cloud computing program provided by T-Systems, the IT services unit of Deutsche Telekom.
Since only the association holds the encryption key and not T-Systems, the product adds an extra layer of security.
Such encryption has been unpopular among companies because the scrambled data crippled the functionality of cloud programs like Salesforce.com or Microsoft Office 365.
Now a number of tech companies have got around some of the problems, including California-based start-up CipherCloud. The company's software encrypts data on the fly as it is sent up or retrieved from cloud applications. The key to unscramble the files is kept by the customer and never given to the cloud provider.
"We've grown rapidly because so many people around the world are worried about cloud security," said CipherCloud CEO Pravin Kothari.