Cloud computing and surveillance

Cindy Wolf //August 13, 2013//

Cloud computing and surveillance

Cindy Wolf //August 13, 2013//

The U.S. cloud-computing industry is twisting in the wind over the NSA surveillance revelations, and the media isn’t helping. Where are the spin doctors for the cloud industry?

The most vocal foreign critics are British and EU officials. They’ve been warning their constituents away from U.S. cloud services over fears of government intrusions; some are even proposing more restrictive legislation and a UK-only (or EU only) cloud. I’m not advocating for PRISM, but some background would help here.

As reported recently in The Guardian and the Irish Times, most European governments can and do access their citizens’ electronic data when held in country with far less due process than the U.S. requires. The GCHQ (Britain’s version of the NSA; its motto: “Keeping our society safe and successful in the Internet age”) has its own version of PRISM:  Tempora. With the secret cooperation of BT, Vodafone, Verizon, Global Crossing, Level 3, Viatel and Interoute, GCHQ gets details of telephone calls, emails, Facebook posts and other online traffic by monitoring undersea fiber-optic cables – the ones that make up an enormous share of the backbone of the Internet.

So, excuse me for laughing at the hyperbole around the dangers of U.S. cloud providers because of PRISM. Methinks there is more behind the European outrage than data privacy. The U.S. absolutely dominates cloud computing. I don’t know why really, but I can make some guesses.

One would be the relative strength of the U.S. economy versus Europe in the last 10 years when cloud computing has mushroomed. I have another theory that is related to privacy. The reality is that the U.S. has lax privacy laws and the EU has restrictive privacy laws that don’t play well in a cloud environment. It’s normal for the law to lag behind technology, but in this case, the U.S.’ dearth of regulation has allowed the cloud industry to develop relatively unhindered. Europe’s privacy laws from the nineties don’t help.

While both U.S. and European cloud providers serving EU residents need to comply with EU law, in my experience many U.S. providers don’t bother. I blame that on ignorance and arrogance. As many lawyers as we have in the U.S., cloud providers just don’t think they have to worry too much about legal requirements. And if they stay within our borders and don’t handle financial or health related data, they don’t have much to think about. So, why not allow users from other countries? The U.S. doesn’t regulate transborder data flows.

I’m not advocating for PRISM or Tempora (or the next secret government program that will be revealed). Nor do I believe all privacy laws are useless. But so far, there has been a major disconnect between what cloud users expect, believe and actually get related to privacy – whether their data is in the cavalier U.S. or the tight-lipped EU.