The PRISM data collection controversy should give businesses pause about adopting cloud computing, a data privacy expert told the U.K.’s House of Commons on Friday.
During a debate, Caspar Bowden, an independent data privacy consultant, said that the U.K. is “extremely exposed” because of the government’s close ties with the U.S. National Security Agency, according to this Techworld report. The agency gathers information (or metadata) about non-U.S. citizens from large American tech companies including Google and Microsoft, a practice we know about because of Edward Snowden’s disclosures, although frankly the scope of NSA data collection was already tipped more than a year ago by three agency whistleblowers.
The issue was exacerbated by reports that Britain’s own Government Communications Headquarters (GCHQ) has been tapping fiber-optic cable traffic and collecting data in a program code-named Tempora for the last year and a half, according to The Guardian.
The one-two punch of PRISM and Tempora means that authorities in the U.S. and U.K. have access to huge amounts of communications between innocent people as well as criminals and terrorists, according to Bowden, an expert on data privacy and U.K. and U.S. surveillance laws. The PRISM program focused on communications of non-American citizens, which makes it a bone of contention for Bowden, who wants European authorities to take action.
According to another report, Bowden said that the U.S. Foreign Intelligence Surveillance Act (FISA), which is the basis for PRISM, discriminates against non-U.S. citizens and European authorities should take that seriously.
“So effectively it’s a law aimed at the rest of the world. Now Americans can still get caught up in this law in a number of ways and that has been the focus of the American civil liberties groups campaigning against it but from the perspective of everybody else in the world, it is somewhat alarming that there is one law for Americans, and one law for everybody else.”
Reliance on U.S.-based companies for cloud technology is a problem
Bowden said the issue is that companies worldwide are attracted to potential cost savings in cloud computing but should be aware of the risks such a move poses to data, both their own and their customers’.
“Why I bang on about cloud computing is because every organization is now under the cost [pressure] to think about migrating their data to the cloud, and overwhelmingly the cloud computing industry is an American industry,” Bowden said, according to Techworld. And these U.S. cloud service providers are subject to U.S. laws and requests for information under FISA. Critics hold that if you run your own operations, chances are you’ll at least know if you’ve been asked for information, but if you use SaaS applications run by Google or Microsoft, your provider could be asked for that data and turn it over without you even knowing.
Europe has taken longer to embrace the cloud than the U.S., in part because that market is less monolithic due to language, currency and cultural differences. Any fear, uncertainty and doubt about whether data in the cloud is safe from prying eyes is a negative for big U.S. providers and will be a hot topic of conversation at GigaOM Structure Europe in London September 18 and 19.
Desire for data privacy could fuel national clouds
It is the case that data privacy is a bigger deal in Europe, particularly in Germany, where the idea that a provider could turn over data about German nationals to the U.S. government is as welcome as a fox in a henhouse. That concern has driven a desire to build “national” clouds to prevent this sort of thing. Anything that adds fuel to that flame is not good news to companies like Amazon and Microsoft that want to move as many cloud workloads and as much data to their respective infrastructure as possible.
It’s clear that these regulations are on the radar of U.S. cloud providers. In his Structure talk two weeks ago, Microsoft cloud chief Satya Nadella referenced this issue in talking about cloud adoption. He said “the big wild card is how do all the regulation and privacy laws around cloud computing settle?”