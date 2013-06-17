* Internet spying scandal boosts European cloud services
PARIS/LONDON, June 17 France has its "Sovereign
Cloud" project while across the Rhine data firms have created
the label "Cloud Services: Made in Germany", all trying to
reassure big companies that their information is stored away
from the prying eyes of U.S. spies.
European firms believe revelations that the U.S. National
Security Agency (NSA) has secretly gathered user data from nine
big U.S. Internet companies, including Microsoft (MSFT.O) and
Google (GOOG.O), will hand them a competitive advantage as they
play catch-up with the dominant American players in "cloud
computing".
Yet companies and individuals may have to accept that while
storing and processing their most sensitive information on
servers owned by Europeans and located in Europe could keep it
from the NSA's eyes, intelligence agencies closer to home may be
looking anyway.
"If you are going to have a Big Brother, I'd much rather
have a domestic Big Brother than a foreign Big Brother," said
Mikko Hypponen, chief research officer at internet security
company F-Secure, which also offers cloud services with data
stored in the Nordic countries.
Cloud computing - an umbrella term for everything from
web-based email to business software that is run remotely via
the Internet instead of on-site - is being adopted by big
companies and governments globally to cut costs and add
flexibility to their IT departments.
In a Normandy town nestled in a loop of the Seine river lies
a huge new data centre, a part of France's Sovereign Cloud
project that some in the industry once poked fun at as being out
of step with the realities of the borderless Internet.
Last year the French government ploughed 150 million euros
($200 million) into two start-ups, including the data centre's
owner Cloudwatt, to equip the country with infrastructure
independent of U.S. cloud computing giants.
Following the revelations that the NSA's PRISM programme
collected user data from the nine companies that also include
Yahoo (YHOO.O) and Facebook (FB.O), the French position now
seems prescient to some people.
"People are being spied on without their knowledge, and
non-U.S. residents have no legal rights," said Philippe
Tavernier of Numergy, another cloud-computing group that got
state help. "We feel vindicated that our strategy is right."
As European Union officials seek answers from the U.S.
government on PRISM, technology executives, data protection
regulators and analysts told Reuters the scandal may prove a
turning point for the region's young cloud computing industry.
European companies such as telecoms groups Orange FTE.PA
and Deutsche Telekom (DTEGn.DE) are trying to exploit the
concerns as they build their own cloud businesses.
Government agencies and municipalities, especially in more
privacy-conscious countries such as Germany, are more likely to
turn to local alternatives for cloud services. Sweden recently
banned Google Apps - cloud-based email, calendar and storage -
in the public sector over concerns that Google had too much
leeway over how the data was used and stored.
"SOMEONE IS ALWAYS WATCHING"
Similar changes could also gather pace in Asia where
companies and regulators were already concerned about data
security in the cloud before PRISM.
A source at a major Chinese company that provides cloud
infrastructure said governments were likely to impose stricter
controls on where data was stored, although this would not be a
panacea. "Frankly, wherever you put your data, someone is always
watching. It could be the U.S., it could be China," he said.
Some lawmakers in the European Parliament also want rules
requiring companies undertaking cloud projects to protect
European users' data better, and are using concerns around PRISM
to lobby for their cause. They want supervisors or judges to
oversee the transfer of personal data to overseas security
services, and for customers of cloud companies to be able to opt
out of their data being stored in the United States.
Caspar Bowden, an independent privacy advocate and
Microsoft's chief privacy adviser from 2002-2011, said that
before the PRISM revelations the big U.S. cloud companies had
been largely able to quell fears about data security with savvy
public relations. "The headlines this past week will change all
that. The nationality of the company and the location of the
data do make a difference," he said.
Even before PRISM, some companies abroad planning cloud
computing projects were concerned about the powers given to U.S.
intelligence agencies by anti-terrorism laws enacted after the
Sept. 11 attacks on the country: the 2001 Patriot Act and the
2008 Foreign Intelligence Surveillance Amendments Act (FISAA).
A European Parliament body said in a report last year that
FISAA granted the U.S. "heavy-calibre mass surveillance
fire-power aimed at the cloud" and had "very strong implications
on EU data sovereignty and the protection of its citizens'
rights". link.reuters.com/tem88t
MURKY
Cloud computing companies and their customers globally are
struggling to understand when and how governments can access
users’ data. Many national and international laws are at a play
and different interpretations abound. Also since U.S.
anti-terrorism laws require that information requests be kept
secret, companies served with such warrants cannot disclose
them.
This much is clear: a U.S. cloud computing company must
comply with U.S. government search warrants and intelligence
requests, just as a French or German company would when
presented with a similar domestic warrant. Intelligence agencies
also co-operate under what are known as mutual legal assistance
treaties to gain access to data stored in one jurisdiction but
needed in a lawful investigation in another country.
What remains murky, however, is whether the U.S. government
can use anti-terrorism laws on a U.S.-based company such as IBM
or Microsoft to force its local subsidiaries across the world
into handing over user data. Or more simply, can the U.S.
government just order a cloud company to use a U.S.-based
computer to access data stored abroad?
"When data comes in to the U.S. or is handled in the cloud
by U.S. companies, there is a question whether access can be
obtained by the U.S. government," said Ellen Giblin, a lawyer
who specialises in privacy and data protection at the Ashcroft
Law Firm. "It's a very thick and layered concern."
Contacted by Reuters, major U.S.-based cloud providers
including IBM, Microsoft, Amazon Web Services (AWS), and Google
declined to answer specific questions. Many have built data
centres abroad - AWS in Ireland and Australia, IBM in Germany
and Ireland for example - to address data privacy concerns among
non-U.S. companies.
A spokeswoman for AWS noted that it did not take part in
PRISM. On its website, AWS says data stored in the EU never
leaves the region unless the customer requests it.
Cloud companies in Europe are taking different steps to meet
their customers' needs. Some are putting forward their local
credentials such as the state-funded Cloudwatt and Numergy in
France. German firms use the "Cloud Services: Made in Germany"
label as a marketing tool if they can certify certain conditions
such as contract terms that comply with national privacy laws.
Axel Heantjens, an executive at Orange Business Services,
recently advised a French luxury group that needed computer
servers in the Americas for a global cloud project but did not
want them in the United States because of security concerns. "I
told them to consider Costa Rica or Canada," he said.
Others such, as the German lawyers’ association, are turning
to technological fixes. It now encrypts data that 800 members of
its information technology group put in a cloud computing
programme provided by T-Systems, the IT services unit of
Deutsche Telekom.
Since only the association holds the encryption key and not
T-Systems, the product adds an extra layer of security.
Such encryption has been unpopular among companies because
the scrambled data crippled the functionality of cloud
programmes like Salesforce.com or Microsoft Office 365.
Now a number of tech companies have got around some of the
problems, including California-based start-up CipherCloud. The
company's software encrypts data on the fly as it is sent up or
retrieved from cloud applications. The key to unscramble the
files is kept by the customer and never given to the cloud
provider.
"We've grown rapidly because so many people around the world
are worried about cloud security," said CipherCloud CEO Pravin
Kothari.
($1 = 0.7496 euros)
