Internet surveillance by the National Security Agency (NSA), leaked to the media by ex-contractor Edward Snowden, has shifted companies' priorities when sizing up cloud services providers in and outside the U.S., experts say.
The economic impact to the industry is open to debate. The Information Technology & Innovation Foundation estimated last week that U.S. cloud providers could lose as much as $35 billion in business by 2016, as companies flee to rivals overseas.
This week, Forrester Research took a much broader view and estimated a maximum loss of $180 billion.
Both numbers are projections, and may end up nowhere near the final tally. James Staten, an analyst at Forrester, acknowledges his numbers are "purposely inflated" to make the point that if the ITIF was correct, then the losses would be five times greater. That's because the IT hosting and outsourcing industries, which also store customer data, would be similarly affected.
"The reason I say this is unrealistic is because in order for this $180 billion to play out, then companies need to aggressively start pulling back from using outsourcers, using [hosting firms], using cloud providers," Staten told CSOonline on Friday. "And frankly, we don't see any evidence that suggests they're going to start doing that."
What is happening is a shift in priorities when evaluating cloud service providers. Delving into government surveillance practices, which was not a major consideration in the past, has become a priority.
"What this has done is shift the focus to the country," said Jody Westby, chief executive of the consulting firm Global Cyber Risk.
Government surveillance is not unique to the U.S. All countries watch Internet traffic. What varies are the reasons and how open they are in disclosing the rules governing the activity.
China, Russia and some Middle Eastern countries are highly secretive and are assumed to be monitoring Internet traffic of people and businesses. Their secrecy makes them a far greater concern when it comes to surveillance than places like the U.S., the European Union, Singapore and Australia, which have publicized their rules in varying degrees.
The NSA revelations darkened the U.S. reputation because they revealed a level of surveillance much broader than what most people and businesses had assumed. In addition, many people, from politicians and business leaders to ordinary citizens, saw the checks in place to protect privacy as inadequate and the constitutional limits of government spying violated.
"The NSA has thrown out those (constitutional) parameters," said Westby, who chairs the American Bar Association's Privacy and Computer Crime Committee. "They've thrown out the certainty of the law, because they just decided to do it their way."
Whether Congress steps in to tighten the Patriot Act, which governs the NSA's activity, remains to be seen. The national debate sparked by Snowden's leaked NSA documents still rages.
In the meantime, Forrester's Staten sees a market opportunity for countries willing to provide more details about their surveillance activities and about the data collected and how it is stored and used.
For example, Switzerland has become a banking hub because its financial laws seldom change when compared to those of most other countries, Staten said. That stability is what many companies and wealthy people find attractive.
A similar approach toward surveillance and privacy laws tailored toward transparency would be attractive to companies and to cloud service providers.
"Any country that wants to take that step could absolutely improve their position as a neutral, safe place for data sharing," Staten said.