PRISM revelations result in lost business for US cloud companies

The revelations about the National Security Agency’s (NSA) broad monitoring of traffic and access to the data of cloud providers spurred by the actions of former NSA contractor Edward Snowden may or may not have hurt national security, depending on who you ask. But according to a recent survey by the industry organization Cloud Security Alliance (CSA), the exposure of NSA’s PRISM program is having a very real impact on the bottom line of US cloud service providers in the form of lost overseas customers.

Concerns about NSA surveillance are hardly new. The PATRIOT Act’s “Enhanced Surveillance” provisions have raised privacy concerns about using US service providers since it was passed. The allowance for warrantless access to traffic to and from “protected computers,” the overly broad definition of what exactly a protected computer is, and provisions for access to business records and metadata about customers left many concerned that the FBI and NSA could gain access to their corporate data just by asking cloud providers nicely for it. Revelations about the NSA’s collection of phone call metadata from telecom companies in 2006 offered more evidence for those concerns.

Two years ago, I was interviewing the CIO of a major Canadian healthcare organization for a story on cloud computing, and asked if he had considered using US cloud providers or software-as-a-service. He said that he couldn’t even begin to consider those because of concerns because of Canadian patient privacy laws—not just because of differences between US and Canadian laws, but because of the assumption that NSA would gain access to patient records as they crossed the border.

At the time, the concern might have sounded a bit paranoid. But now that those concerns have been validated by the details revealed by Snowden, US cloud providers are losing existing customers from outside the US, according to the CSA study. The survey of members of the organization found that 10 percent of non-US member companies had cancelled contracts with US providers as a result of revelations about PRISM.

The PRISM revelations are also making it harder for US companies to get new business abroad. Of the non-US respondents to the survey, 56 percent are now less likely to consider doing business with a US service provider. And 36 percent of respondents from US companies said that the Snowden “incident” was making it harder for them to do business overseas.

Concerns about government access to cloud data weren’t limited to the US alone. Information about the NSA's collaboration with foreign intelligence organizations to provide data on their citizens has also spooked cloud customers about their own countries' surveillance programs. Of all those surveyed, 47 percent rated the process by which their governments obtained user information for terrorist and criminal investigations as poor, with little or no transparency.

The survey suggests that giving cloud providers the ability to provide transparency to customers over government access to data could undo some of the damage done by the PRISM revelations. Ninety-one percent of respondents said that companies should be allowed to publish information about their responses to subpoenas and FISA warrants.