SEATTLE – Edward Snowden’s whistleblowing escapades could seriously undermine the growth of cloud computing and thus stifle the growth models for America’s biggest tech companies.
And that appears to be the reason why Apple CEO Tim Cook, AT&T CEO Randall Stephenson, Google computer scientist Vint Cerf and other tech executives met behind closed doors with President Obama Thursday.
“The meeting appears to be for a variety of reasons, but basically the companies want to understand exactly what the government is doing with their systems as they try to assuage a lot of concerns from a lot of different stakeholders,” says Brian Henchey a privacy and information tech attorney at Baker Botts.
A group called the Information Technology and Innovation Foundation on Tuesday issued a report asserting that Google, Microsoft, Yahoo, Facebook and Apple stood to lose as much as $35 billion over the next three years as Europeans shy away from cloud services with suspect privacy safeguards.
European privacy laws are all about safeguarding the data within a nation’s geographical borders. Unfortunately, that doesn’t work for Apple, Google, Facebook and other cloud services providers who manufacture efficiencies by scattering data in far-flung data centers.
Snowden’s disclosures threw kerosene on simmering fears about the extent to which the US Patriot Act can compel the tech giants to break their promise to keep consumer data sacrosanct.
“Many people have known the extent of data collection by the NSA and other US authorities, but it hasn’t been laid bare in this kind of spotlight before,” says Wendy Nather,a research director at 451 Research. ” We may have known the potential amount of data, but it’s another thing entirely to know the actual amount. This is the kind of exposure that brings public discussion, makes it concrete in a way that applies to everybody, and hopefully prompts some adjustments in the law.
“Right now, US-based cloud providers are caught in the crossfire,” Nather says.
Any backlash – assuming one does materialize – is likely to be tempered at least somewhat by the availability of encryption services from fast-growing U.S. tech start-ups like CipherCloud, AlephCloud and HighCloud.
For a couple of years now encryption vendors have been pitching the notion that large organizations ought to be more extensively classifying data and encrypting sensitive information before sending it up into the Internet cloud.
Privacy stipulations in the 1996 Health Insurance Portability and Accountability Act provided the initial impetus. And state-level data loss disclosure laws have come along to force companies to notify consumers whose data they lose.
Typically, these rules exempt companies from paying steep fines or having to make embarrassing disclosures about a network breach if the stolen data was encrypted and the organization retained the decryption keys, says Pravin Kothari, founder & CEO of CipherCloud
“Whether you’re using the cloud or not, encryption is becoming a best practice that is increasingly recognized by regulators in many jurisdictions,” Pravin says.
Even so, rising use of encryption won’t immediately temper complex backlash from regulators and privacy advocates.
The EU regulators are working on updating their laws and regulations for protection of people’s electronic data, even if the data is held outside the EU. This includes almost everything a person might post to the web, including photos and blog postings.
“The conflict is that the EU may strengthen their regulations to a level that will be extremely difficult and expensive for companies to adhere to,” says Jieming Zhu, CEO of encryption vendor AlephCloud. “Currently there is an agreement in place that US companies can voluntarily sign up for which determines what sort of protection they need to provide. That agreement could be replaced by much more stringent requirements, though they will not take effect before 2016.”
The Snowden disclosures reignited the debate in the EU regarding the US government’s power to access EU data. However, instead of the US government requiring US companies to provide access under the Patriot Act, the information leaked by Snowden suggested that the US government may not need service provider cooperation at all.
“As they did during the Patriot Act controversy, members of the European Parliament have publicly objected to the ability of the US government to override EU data protection laws,” says Henchey.
The Snowden revelations “strongly suggest” that the U.S. tech giants “won’t actually be able to meet the EU standards because they are required to cooperate with US government agencies in the collection of personal data,” says Zhu. “The US legal data protections apply to US citizens but not to foreigner’s data, and in any case the scale of data collection may be so vast that this distinction is moot much of the time.”