
If PRISM doesn’t freak you out about cloud computing, maybe it should, says privacy expert

The PRISM data collection controversy should give businesses pause about adopting cloud computing, a data privacy expert told the U.K.’s House of Commons on Friday.

During a debate, Caspar Bowden, an independent data privacy consultant, said that the U.K. is “extremely exposed” because of the government’s close ties with the U.S. National Security Agency, according to this Techworld report. The agency gathers information (or metadata) about non-U.S. citizens from large American tech companies including Google (s goog) and Microsoft (s msft), a practice we know about because of Edward Snowden’s disclosures, although frankly the scope of NSA data collection was already tipped more than a year ago by three agency whistleblowers.

The issue was exacerbated by reports that Britain’s own Government Communications Headquarters (GCHQ) has been tapping fiber-optic cable traffic and collecting data in a program code-named Tempora for the last year and a half, according to The Guardian. 

The one-two punch of PRISM and Tempora means that authorities in the U.S. and U.K. have access to huge amounts of communications between innocent people as well as criminals and terrorists, according to Bowden, an expert on data privacy and U.K. and U.S. surveillance laws. The PRISM program focused on communications of non-American citizens, which makes it a bone of contention for Bowden, who wants European authorities to take action.

According to another report, Bowden said that the U.S. Foreign Intelligence Surveillance Act (FISA), which is the basis for PRISM, discriminates against non-U.S. citizens and that European authorities should take that seriously.

“So effectively it’s a law aimed at the rest of the world. Now Americans can still get caught up in this law in a number of ways and that has been the focus of the American civil liberties groups campaigning against it but from the perspective of everybody else in the world, it is somewhat alarming that there is one law for Americans, and one law for everybody else.”

Reliance on U.S.-based companies for cloud technology is a problem

Bowden said the issue is that companies worldwide are attracted to potential cost savings in cloud computing but should be aware of the risks such a move poses to data, both their own and their customers’.

“Why I bang on about cloud computing is because every organization is now under the cost [pressure] to think about migrating their data to the cloud, and overwhelmingly the cloud computing industry is an American industry,” Bowden said, according to Techworld. And these U.S. cloud service providers are subject to U.S. laws and requests for information under FISA. Critics hold that if you run your own operations, chances are you’ll at least know if you’ve been asked for information, but if you use SaaS applications run by Google or Microsoft, your provider could be asked for that data and turn it over without you even knowing.

Europe has taken longer to embrace the cloud than the U.S., in part because that market is less monolithic due to language, currency and cultural differences. Any fear, uncertainty and doubt about whether data in the cloud is safe from prying eyes is a negative for big U.S. providers and will be a hot topic of conversation at GigaOM Structure Europe in London September 18 and 19.

Desire for data privacy could fuel national clouds

Data privacy is a bigger deal in Europe, particularly in Germany, where the idea that a provider could turn over data about German nationals to the U.S. government is as welcome as a fox in a henhouse. That concern has driven a desire to build “national” clouds to prevent this sort of thing. Anything that adds fuel to that flame is not good news to companies like Amazon (s amzn) and Microsoft (s msft) that want to move as many cloud workloads and as much data to their respective infrastructure as possible.

It’s clear that these regulations are on the radar of U.S. cloud providers. In his Structure talk two weeks ago, Microsoft cloud chief Satya Nadella referenced this issue in talking about cloud adoption. He said “the big wild card is how do all the regulation and privacy laws around cloud computing settle?”

10 Responses to “If PRISM doesn’t freak you out about cloud computing, maybe it should, says privacy expert”

  1. Tom Murphy

    I agree with Mario. We ALL should care more about our privacy.

    If you are using Cloud Storage Providers, you should be looking at nCrypted Cloud.

    nCrypted Cloud offers increased Privacy, Security and Collaboration.

    Data is encrypted on the end point and nCrypted Cloud provides superior secure Collaboration as well as Enterprise level Auditing.

  2. Mario Gastelum

    This is really a great article. Companies should be concerned about privacy and data protection. The basis for any platform from any company should be trust and security, and from what we are seeing, US based cloud platform service providers, whether willingly or by FISA Order, seeking such information will be bad for business. Companies will be discouraged to take their data to the cloud, and might be better off putting their data in their own cloud.

  3. jonnyturk

    What the US (and UK) governments do with the data they collect is more important. For example, does the US government provide IP it has discovered e.g. designs from Airbus, to Boeing? Several governments are capable of running extensive IP theft operations and this should be the major concern of businesses. Many firms have a poor level of computer security and there is an argument that their data is better protected in the cloud.

  4. Rajarshi Ray

    Barb, this is a nice post. The PRISM episode is going to have a fallout on cloud based adoption in Europe that has always been a very conservative adopter of technology, when compared to the US. However, PRISM and data privacy is only one small part of the problem. The big part of the overall problem is with keeping the Internet free. See – Internet Surveillance: How much Power is ‘too much’ Power

  5. I was at this debate in the House of Commons and one point raised was in relation to business data. Currently the Prism affair has focused on consumer services in terms of how interception is generally targeted at individuals.

    However, the concern for businesses is how this could be used for commercial intelligence. If sensitive business data is stored in a foreign cloud then it’s possible that data could be extracted for the benefit of local business, where that is competitive e.g. aviation, defence, medical.

    There are additional concerns in terms of availability in the event of diplomatic incidents e.g. if a country is hosting services in the US and the US then decides to take sanctions against that country. Access could be blocked, or other actions taken.

    The opportunity here is for localised data hosting and for the EU to regulate on Europe wide privacy standards. The Patriot Act makes it risky for data stored with any US owned company, regardless of the final location of that data.

    Further good writeups can be found at and specifically for the UK at

  6. This is the biggest danger of the PRISM episode…the fallout that could make great things like Big Data and Cloud both suspicious and possibly even unattractive. We wrote about how Edward Snowden awakened the world to Big Data here:

    Lots of great things are already happening because of the flexibility and speed of development of cloud apps and the new views into data that couldn’t be had before. It would be a shame to see either take a step backward.