The Quest to Build an NSA-Proof Cloud
European leaders want to go head to head with Amazon and Google. But some tech executives are pushing back against the plan.
BERLIN – If Germany’s special parliamentary session on U.S. surveillance this week was any indication, European politicians are still worked up about former NSA contractor Edward Snowden’s leaks. Chancellor Angela Merkel declared that the revelations had “tested” U.S.-German relations. Green Party politician Hans-Christian Strobele urged the German leader to thank Snowden and offer him asylum for discovering that her cell phone “was probably bugged.” Merkel even got called a “scaredy-cat” for not standing up to Washington.
The criticism comes as politicians in the region—from Estonia to Germany—are calling for the European Union to create a cloud-computing infrastructure of its own to compete with American providers like Amazon, Google, and Verizon.
The idea is that if the EU has its own cloud—and what form it would take, who would build it, and where it would be based remain unclear—then member states could compel providers to abide by the EU’s (comparatively) stricter data-protection rules. It's part of a backlash against the long arm of the U.S. intelligence community that has echoes everywhere from Brazil to the United Nations.
One of the main proponents of a European cloud is EU Commission Vice President Viviane Reding, who was in Washington earlier this week to hammer out a treaty that would, if signed, assure that any EU citizens’ data stored in the United States be given the same privacy protections as U.S. citizens’ data (in the aftermath of the Snowden leaks, however, policymakers and privacy advocates in the U.S. are questioning the effectiveness of those protections).
Reding’s cloud formation plan essentially calls for EU nations to band together and create a European champion in cloud systems just as France, Germany, and Britain did in the 1960s, when they created aircraft manufacturer Airbus to compete with Boeing.
“For awhile now, I have been saying it’s time for the Europeans to build their own cloud,” Reding told a German radio station last week. “I think data protection needs to be thought of not as some extra cost, but something that makes us more competitive. When a company can guarantee that its customers’ data will remain secure, they will flock to you—it’s a golden business opportunity for European tech companies. It can become a sales argument.”
Indeed, part of the motivation here is a business one. European politicians want to see their companies exploit a gap in trust in U.S. companies as a result of the Snowden leaks. And two recent studies suggest that this is a sensible idea.
In one study of “industry practitioners and cloud-computing stakeholders” based outside the United States, the Cloud Security Alliance found that 56 percent of those polled would be less likely to work with U.S.-based cloud service providers due to data-protection fears. Another report by the Information Technology and Innovation Foundation suggested that the surveillance revelations could cost the U.S. cloud-computing industry $22 to $35 billion in lost revenues over the next three years.
European providers have already been positioning themselves to become the router and storage solution of choice for companies in Africa, which has seen its share of traffic passing through the U.S. drop dramatically over the last 10 years. In 1999, some 70 percent of African Internet traffic went to the United States, according to a 2012 report by Analysis Mason. By 2011, the study noted, less than 5 percent of that traffic went to the U.S., “having been replaced by bandwidth to Europe.” It is unclear, however, what percentage of this data actually migrated away from American companies, many of which have built data centers in Europe to be closer to customers in the EU and Africa.
Not all Europeans share the outrage voiced by their political leaders over U.S. surveillance. A survey commissioned earlier this month by the magazine Wirtschaftswoche, for instance, found that 76 percent of Germans were not bothered by Snowden’s leaks. “Most people didn’t think that anything in their lives would be of interest to the American intelligence service,” the survey’s authors wrote. While the study didn’t ask whether Germans were concerned about charges that U.S. intelligence tapped into their chancellor’s phone, it did reveal that Germans are uneasy about their own officials: only 17 percent of those polled trusted the German government’s handling of their personal data.
Caught between public apathy and politicians’ anger, some German tech industry figures are calling for a middle path (others, like Deutsche Telekom’s CEO, have eagerly backed Reding’s cloud proposal). They like the data-protection treaty that Reding wants to sign with the U.S., but favor more stringent use of data encryption over rash plans to build EU clouds. The thinking is that stronger and more regular use of encryption could slow, to a degree, apparent U.S. attempts to comb through the world’s Internet traffic.
One German tech industry figure I spoke with felt it would be difficult, if not impossible, for Europeans to migrate completely away from U.S. services. He likened America’s hegemony on the Internet to the control Gulf States wield over oil resources.
“What you have with oil in the Middle East, you have in the U.S. with information,” said Malte Pollmann of Utimaco Safeware AG. “The U.S. is in a unique position of geopolitical strength in the information age—and there’s no other country like this.”
Pollmann suggested that U.S. and British intelligence services are exploiting gray zones in treaties between nations—and that European diplomats should, first and foremost, push for clarity on this issue.
“What we need right now is a debate,” Pollmann told me. “Two years from now, we will have a better idea of which tactics are clearly illegal, and which are legal, but not what we wanted. There will have to be a rebalance in terms of legal oversight. That’s why you have people like [Google's] Eric Schmidt saying ‘I don’t know’ if it is legal for the U.S. and British intelligence agencies to tap into Google’s cables.”
The CEO of a leading German marketing consultancy described the mood among German executives like this: They’re bothered by the U.S. government’s intelligence-gathering overreach, but they don’t see the U.S. as Europe’s main threat the way some politicians might.
“It’s sad and stupid that Merkel’s phone was listened to,” said this CEO, who asked not to be named because he was critical of some of the countries in which he consults. “But I think most of the economic elites in Germany still see the U.S. as a strong ally. They don’t see economic espionage as the motive. Most economic elites here agree that the real danger and threat is in the emerging powers, like China.”
This CEO said his business stores most of its data on clouds in the United States, and that he wasn’t concerned about the situation because everything the company does is encrypted.
“We are using fully encrypted hard disks,” he noted. “As for phone communication—it just hasn’t been a topic for us. Many times what we are saying on the phone really isn’t too sensitive. And, if it is sensitive—construction plans or stock market-related transactions—we just don’t talk about it on the phone.”
Pollmann also echoed this sentiment.
“In the end,” he noted, “It’s cheaper to fly someplace and have a conversation in a room than to build elaborate systems for super-secret conversations.”