Conventional wisdom is that the revelations about the NSA domestic and international surveillance programs are bad news for US security, privacy, cloud and other companies.
The revelations include assertions (probably true) that the NSA placed back doors, Trojan horse programs, and other malware into a wide variety of hardware and software, cables, chips and other devices that would give it access to computers and data anywhere in the world.
Even security and encryption technologies are not immune, with rumors circulating that the NSA installed back doors in, cracked, or encouraged the use of less secure cryptography by RSA and others. The conventional wisdom is that companies interested in protecting data from the prying eyes of both the NSA and hackers would best be served by keeping their data overseas, secured by non-US hardware and software.
But the problem with conventional wisdom (if indeed it is wisdom) is that it is… well, conventional.
In fact, as a matter of law non-US persons may enjoy better data protection against NSA surveillance if their data is in the U.S.
There is little doubt that the revelations of the actions of the NSA have done irreparable harm, if not to national security itself, then to the national security apparatus. It has also harmed those U.S. companies that host secure data, that provide cloud services, that provide encryption devices and/or software, or that provide other hardware or software.
In an arena where perception IS reality, the perception is that U.S. companies (either voluntarily or involuntarily) work for the US government, and provide data (again either voluntarily or involuntarily) to US intelligence, law enforcement, or other agencies – or worse, provide these agencies with access to servers or data from which the agencies can simply take what they want.
As a result, companies with a choice may choose to select products or services from companies that are not perceived to be as beholden to Uncle Sam. Companies like Siemens (you know, the one whose software was hacked in the Stuxnet attack), or Israeli companies. Or maybe Huawei.
Truth is, these days it’s hard to decide who to trust.
Look at Clouds from Both Sides Now
Many US companies, and the U.S. government itself, in deciding among cloud providers, third party service organizations, processors or others, insist on “CONUS” clouds – that the cloud be located within the continental United States, and that it be exclusively operated by US citizens – sometimes insisting that these US citizens also have background checks or security clearances.
For some data, this is required by law. For example, export laws, including ITAR, do not permit the “export” of ITAR controlled data. Hosting data securely on a non-US site, even when the host does not have the key, would likely be considered an “export” of the data. While the Internet doesn’t care about location, governments do.
While we insist on US based clouds, our cloud providers can’t understand why foreigners would be reluctant to host THEIR data on US clouds. We are the land of the free and the home of the brave. Or vice versa. To them I ask, would you be willing to host your competitive or sensitive data in Pyongyang? If not, why not? So why would you think that they would be comfortable hosting with you? Or using your crypto? Or your source code?
Sauce for the goose.
But We’re ‘Merkins
There are some practical distinctions between the US and other countries. We are a democracy governed (loosely) by the rule of law. But we also have a secret set of laws and procedures that have had little public debate until now. We don’t use the state espionage apparatus to impart private commercial advantage – mostly. Unless it is in our national security interest to do so (e.g., providing info about Chinese military capabilities directly or indirectly to US defense contractors).
So why is it to the advantage of foreigners to put their data and their trust in the United States?
If you are a French person with data on a French server in France, and the NSA wants that data, the law is simple. Well, the law is complicated, but the reality is simple. The law is that it violates French computer crime laws, security laws, espionage laws, theft laws, privacy laws, and even agriculture and export control laws. (Yeah, agriculture... don’t get me started...)
The NSA, like the honey badger, don’t care.
Sure, we want to work with DGSE, DCRI, DRM, and DPSD (French intelligence) and hold hands and sing the French equivalent of Kumbaya (I think it’s Frère Jacques). But if our national security is at stake (or if we think it is), well, see honey badger above. We just take what we want, and hope we don’t get caught.
Welcome to the world of intelligence. Oh, and the French? They do it too. Sacré bleu!
Surprisingly though, if you are a French person and your data is in the United States and the NSA wants it, well, the rules are different (slightly). You see, the NSA and the CIA have broad authority to conduct surveillance, espionage, SIGINT, HUMINT and other data gathering operations overseas. Within the US? Not so much.
The key here is that the NSA can’t “deliberately target” a US person.
A Tale of Two Cities
When the NSA goes after Marcel in Marseilles, well, it’s easy to show he’s not a US person, and the gloves come off. When they go after Pierre in Pierre (South Dakota), well, it’s not so obvious. So the NSA is probably going to get a FISA order to go after Pierre. And that provides a modicum (well, a scintilla at least) of legal protection to Pierre.
Moreover, in Marseilles, the NSA can just hoover up everything, since they aren’t going after US persons. In Pierre, the NSA is likely to try to be more narrow in what it takes because of the almost certainty that it will collect (inadvertently of course) data on US persons. Also, in Pierre, they are more likely to attempt to secure the cooperation of the South Dakota cloud providers; in Marseilles, they will just hack into the fiber. Small comfort, but some. Not quite the best of times, but not the worst.
So, in a sense the revelations about the NSA activities may actually favor US providers. Slightly. Then again, what choice do you have?