Let's stop the NSA before it destroys the cloud industry

Most people don’t seem to care much whether the government is spying on them.

For these people, the constant drumbeat of revelations about the National Security Agency’s apparently limitless and nearly unfettered capability to spy on Americans, whether at home or abroad, is no big deal. If you’ve got nothing to hide, why worry? These folks are even less worried about the NSA’s truly unfettered capability to monitor non-citizens in any part of the world — to say nothing of sending drone strikes to take out suspects even marginally connected with terrorism. Why should they be concerned about what happens to non-Americans?

Because the NSA’s actions might put a stake in the heart of the next big technology revolution, that’s why.

The potential impact

According to a recent estimate by the Information Technology and Innovation Foundation, the U.S. cloud industry could lose out on $22 billion to $35 billion of revenues (.pdf) in the next three years, simply due to concerns over NSA surveillance of U.S.-based cloud data centers.

The beneficiaries could be European cloud providers — especially those based in countries with a history of respect for privacy. For instance, the ITIF report stated, Switzerland’s largest hosting provider, Artmotion, reported a 45 percent increase in revenue in the month after the first leaks about the NSA’s PRISM program. German telecommunications executives and government authorities are considering blocking data transfers to the U.S., which could position that country as a good alternative for companies that want to steer clear of American servers.

That, of course, assumes that the governments of Switzerland and Germany don’t already have their own NSA-like spying programs, as England does — or data-sharing agreements with the NSA itself. Time will tell whether these assumptions are correct.

An estimate by research firm Forrester is even more dire. Taking a global view, Forrester estimates that PRISM and programs like it around the world will end up costing the cloud industry $180 billion over the next three years.

Now, keep in mind that these predictions, like most monetary figures generated by research analysts, are quite possibly wildly overstated. Let’s assume that the numbers are bogus but that they reflect a real uncertainty, at the moment, about the ability of IT managers to trust cloud services. In other words, individual Americans may not care about the NSA. But IT managers for large corporations, at home and abroad, are certainly going to take an even harder look at the idea of using Amazon Web Services, Rackspace, or Google Cloud Platform than they already are.

Are you going to trust your customer data to Salesforce.com if you are an overseas company with a long history of dealing with people in the Middle East — say, an oil company? Or a manufacturer with an interest in setting up shop in China, but who is dealing with skittish customers and government officials who don’t want to become a target of U.S. government espionage?

My guess is that IT guys at companies like these, who are already nervous about cloud solutions, are going to use the NSA revelations as yet another big mark against the cloud. Instead, they’ll refocus their efforts on data centers they control themselves.

What’s an IT guy to do?

Now, IT guys are not dumb. They know that any data transmitted on the Internet, encrypted or not, is vulnerable to interception at some point. Avoiding American cloud services won’t do very much to prevent a determined spy agency from sniffing out your secrets. But at the same time, you don’t have to make it easy for the NSA spooks by loading all of your data to a server whose every communication may be scooped up and stored for possible reference in a giant data center in Utah. You can buy yourself some time, avoid some oversight, and give your customers some assurance by steering clear of those “scary” cloud services.

And that’s the problem, because the shift to cloud services (and the corresponding consumer shift to mobile devices, which goes hand in hand with the cloud) is one of the biggest technology transformations to come along in years. It’s as big as the shift to the Internet was 15 years ago, or the shift to client-server a decade before that. Publicly-traded cloud companies already have a combined market capitalization of $100 billion. Destroying trust in the cloud is not the way to make that number grow.

What the U.S. government decides to do in the next six months regarding digital surveillance will make a big difference. Are we going to become a state that, by default, monitors the vast majority of communications traversing our networks? Or are we going to strike a balance between the desire for security and our need for civil rights — a need that, I might add, has much to do with the richness of the entrepreneurial ecosystem here?

As the ITIF recommends, the U.S. government needs to step up and say exactly what information it does and does not have access to. Other countries should do the same. We need transparency, so it is clear — now and in the future — what data is being collected, how long it’s being held, and what purposes it is really being used for.

I’m not disputing the need to monitor Internet communications for national security needs. But I do think that there should be disclosure requirements. We can’t permit law enforcement agencies to collect any data they want, for any purpose, with no meaningful oversight or disclosure.

If you want a picture of what the business climate looks like in a country without a rich regard for freedom and privacy, just look at Russia. That country jails punk rockers for church protests, is outlawing homosexuality in the face of strident international protest, and has imprisoned millions of entrepreneurs over the past 10 years.

Did Steve Jobs grow up in Russia? Did Russia produce Bill Gates, Larry Ellison, or Mark Zuckerberg? Could Sergey Brin have cofounded Google while remaining in Russia?

The answer to these questions is obvious. That’s why we need to take a stand, in no uncertain terms, against the blanket surveillance of internet communications.

The future of the cloud — and a generation of new businesses — is at stake.