The NSA damages US tech biz overseas

The revelations of Edward Snowden have severely damaged the reputation of US technology firms. And now we can start counting the cost in terms of lost euros.

The "Safe Harbor Framework" between the US and Europe is intended to promote the export of US technological services; in fact, it has its own US government website. But now, EU Justice Commissioner Viviane Reding has launched a review of the deal. There are also calls for German Chancellor Angela Merkel to push for its suspension, due to NSA surveillance fears.

The Safe Harbor Framework, launched in October 1998, has always been at odds with the US Patriot Act, a piece of post-9/11 legislation that EU countries dislike--to the detriment of US business abroad. Now that it's clear that the NSA isn't concerned with EU standards of data privacy, Europeans are alarmed.

10% right off the top

How alarmed? According to Computerworld journalist Jaikumar Vijayan: "Non-US clients of American cloud hosting companies are clearly rattled by revelations that the [NSA] collects huge amounts of customer data from Internet Service Providers and telecommunication companies."

A Cloud Security Alliance (CSA) survey found that 10% of 207 officials at non-US companies have canceled contracts with US service providers following the revelation of the NSA spy program last month. The alliance, a non-profit organization with over 48,000 individual members, said the survey also found that 56% of non-US respondents are now hesitant to work with any US-based cloud service providers.

The online survey, seeking to gauge the potential impact of Snowden's disclosures on US-based hosting companies, was conducted between June 25 and July 9.

"The level of skepticism was greater than I expected," said Jim Reavis, co-founder and executive director of the CSA.

Reaction to NSA: locate outside USA

Consider this list of US companies claiming Safe Harbor compliance: Google, Yahoo, Microsoft, Facebook and AOL, all of which now appear to be part (willingly or otherwise) of the NSA's PRISM scheme. All of these firms are currently scrambling to improve their international image. Good luck with that.

If US firms are to continue to trade in Europe, realpolitik means it's good practice to show that none of their data goes through the USA. Facebook has a new datacenter in Sweden while Google chose Finland for its "This is definitely not located Stateside, so don't worry folks!" datacenter. But much rests on the shoulders of Commissioner Reding. Expect more revelations as the story continues.

Extraordinary pressure on US gov't

Following Snowden's leaks, the EU Parliament voted overwhelmingly to investigate the privacy and civil rights implications of the NSA spy programs on European citizens, and to seek more information from US authorities.

A vast majority of respondents to the CSA survey cited a need for more transparency about the US government's use of secret orders from the Foreign Intelligence Surveillance Act (FISA) court to extract customer data from American Internet companies, said Reavis. "Respondents from US and foreign companies were nearly unanimous in calling for the US to disclose more information about the level of cooperation extended by specific service providers to government requests for customer data," wrote Vijayan.

The CSA survey found that customers want hosting providers to pressure the US government to open the process, said the CSA's Reavis. A majority of respondents said hosting companies should be allowed to disclose how many NSA and FBI requests they get for customer records, what kind of information is being sought and how much is provided, he said.

"Virtually everyone that responded said that providers need to provide at least aggregate information on what they are doing," Reavis said.

"In Europe and elsewhere, Snowden's revelations resurfaced long-standing concerns about the US Patriot Act and other anti-terror statutes being used to gain access to customer data hosted by Internet service providers," wrote Vijayan. "Prior to Snowden's disclosures, in fact, European regulators published a report warning about how FISA can be used to target non-US individuals located outside the US."

The scope of the surveillance authorized under FISA goes beyond the interception of communications. The act also covers data in cloud environments, the EU report cautioned. FISA "can be seen categorically as a much graver risk to EU data sovereignty than other laws hitherto considered by EU policy makers," the report said.

Neutrality prized by security firms

"Ever since the PRISM scandal started in June, prospects in Europe, Middle East and Asia, are asking whether the ownership of the company is in US or whether we host customer data in US," said Mikko Hypponen, chief research officer of Finland-based security firm F-Secure.

"Right now, there are many customers who don't want to buy American--or to buy from a NATO country in general," Hypponen said. "Then again, there are many customers who don't want to buy Chinese, Russian or Israeli either. In a situation like this, it's good to be a solution provider coming from a fairly neutral country."

One thing is clear: the USA is in no way a "fairly neutral country" when it comes to data privacy protection.


Stories by Stefan Hammond
