
Summary:

Firms in the UK and Canada are reportedly updating their cloud contracts to demand that their data be kept out of the US. The report doesn’t contain enough details, however, to say if this is a trend or an isolated incident.


Is this the backlash? A handful of companies are requiring cloud service providers to promise — in writing — that they won’t store any client data in the United States, according to Bloomberg.

The report says that a British grocery chain and a Canadian pharma company have responded to the ongoing US surveillance scandal by adding language to existing contracts that requires suppliers to segment their data and keep it out of America.

The report of the revised contracts comes as the cloud computing industry continues to digest news that America’s National Security Agency is tapping underwater cables and infiltrating the servers of storage providers as part of a sweeping counter-terrorism program.

In August, shortly after news of the surveillance was leaked by Edward Snowden, a Forrester analyst reported that it could cost the U.S. cloud computing industry up to $180 billion as a result of foreign firms bolting from American providers.

The $180 billion figure (which appears plucked from the air) was cited as a worst case scenario and so far there has been no systemic exodus from American cloud companies. But the fear and anger in Europe and elsewhere over America’s surveillance activities are very real; a recent PWC report said that 15 percent of German companies are looking for cloud providers that promise not to cooperate with U.S. or U.K. intelligence services.

So does the Bloomberg report portend the start of a trend? It’s too soon to say. The report, which also claimed a Canadian agency had asked for the “no data in USA” clause, was based on a single source (an Indiana security firm known as Rook Consulting) and did not name any of the companies involved.

And, while such reports are eye-catching, they also provide a public relations opportunity for cloud providers outside of the US to drum up business. In the meantime, it’s unclear if European cloud providers have the capacity to take over existing large-scale data storage contracts, and to what degree companies’ existing cloud contracts dissuade them from switching services.

  1. Great article. So, the lawyers will insert this language into the contract, but the due diligence behind the statement typically isn’t done. If generalized statements such as these are going to be inserted into contracts, the vendors and the customers need to do their due diligence to ensure that there isn’t any storage outside of the U.S. From a customer perspective, requesting a vendor’s SOC 2 report is a good start, but they will most likely need to sign a Non-Disclosure Agreement with the vendor to review this information. I guarantee that this will be easier for an attorney to write into a contract than it will be to find a vendor (especially a cloud vendor) who has no storage in the U.S.

    1. “the vendors and the customers need to do their due diligence to ensure that there isn’t any storage in the U.S.” My apologies, typing too fast today!

  2. A BRITISH grocery chain and a CANADIAN pharma company, eh? Either this is purely a public relations maneuver, or the people behind it are clueless. The reported activities of GCHQ are about as outrageous as those of NSA, and there’s little reason to think the Canadian spooks are any better (cf. “Five Eyes”).

    1. Maybe, but I suspect people will argue along the lines of “Better the devil you know than the devil you don’t”.

  3. Reblogged this on Capacitive Flux and commented:
    And so it begins! I doubt much of this backlash will actually be public, but I expect to see more folks wanting to steer clear of US infrastructure. This will be a larger impact to the US economy than folks will initially want to admit.

  4. It’s important to note that there is nothing new in geographic restrictions on data storage, which are sometimes the result of regulatory requirements in the home country.

  5. It’s also important to note that some of the above comments are nothing more than self advertising bs devoid of any worthwhile input…

    1. Evidently your comment is as worth as theirs

  6. A-way to react to sensationalist headlines they probably know very little about, in the end – it’s like my paranoid friends convinced that phone number metadata is the same as a Soviet agent listening to your conversation with a girlfriend and notating her name, address, what she likes you to do with your fingers, and when you will be over there – and then following your car home because they know you had a fight when the finger went elsewhere. Maybe it plays well to a few ignorant consumers so the PR is decent, but you’re not moving the anti-fascist dial by withholding some analytics about groceries.

    B-if you think the US is the only one doing it, or that the US can only reach data on machines sitting inside US borders, you’ve misunderstood the most basic premise of cloud, communications, the internet, and intelligence gathering. Oh, and I’ve got some high-end real estate on the moon I want to sell you.

  7. I believe most people – and business – are well aware of national security agencies doing what they think is needed to ensure safety of Life and property.
    The main issue I see is the fact that a security Agency in ANOTHER COUNTRY is spying on me/my Company.
    This is the exact situation that my own Nation’s Security Agency (!) should protect me from, even if they themselves have the right to check me.

    I trust most (at least many?) US Citizens are OK with NSA securing US safety on US soil, as well as British Citizens can muster GCHQ’s surveillance of their activities and I can accept SÄPO’s surveillance of Swedish Citizens – but how would e.g. US Citizens react if Spotify* and the Candy Crusher* app reported all usage data and positioning to Sweden’s Security Police (SÄPO) without relevant court order and transparency?

    Maybe in the same way as Europeans (and South Americans) react to NSA’s surveillance activities?
    (* Spotify originated as a Swedish company and the app is developed by the Swedish company King)

