When the secure email provider known as Lavabit, which National Security Agency (NSA) intelligence leaker Edward Snowden had used, abruptly ended its service, founder Ladar Levison couldn’t go into details of the shutdown for legal reasons.
However, the message Levison posted on the Lavabit home page on Aug. 8 strongly implied that he’d been pressured by the U.S. government, which can compel Internet companies to hand over confidential user data. The companies must also comply with gag orders forbidding them to even reveal the existence of the government demands.
Levison’s message ended with a cryptic warning: “I would strongly recommend against anyone trusting their private data to a company with physical ties to the United States.”
Mikko Hyppönen, a Finland-based security researcher, has also warned non-U.S. persons not to trust U.S. products.
“Frankly, U.S. cloud providers do not deserve foreign business as long as U.S. intelligence has legal right to do wholesale surveillance on them,” Hyppönen tweeted.
Levison and Hyppönen are far from the only people whose trust in U.S.-based data companies has been shaken by recent revelations that the NSA “covertly influence[s]” these companies to gain access to their communications, according to formerly top-secret NSA documents leaked by Snowden and subsequently published by the New York Times and The Guardian.
The evidence of this loss of trust is in the numbers: the fallout from revelations about the NSA’s massive communications-gathering program could cost U.S.-based cloud-computing providers such as Google, Apple and Microsoft up to a collective $35 billion in revenue over the next three years, according to a report by financial analyst Daniel Castro of the Information Technology and Innovation Foundation.
James Staton of market research firm Forrester puts the cost of the widespread mistrust of U.S.-based data companies much higher, predicting that it could cost the industry as much as $180 billion, equivalent to a 25% revenue loss.
These numbers also account for increased competition from non-U.S. data companies, but even so, they clearly predict a growing mistrust of the U.S. government and, by extension, the companies under its jurisdiction.
However, the U.S. is not the only country to perform surveillance. “My view is that if you move your data to foreign servers, then you could open yourself up to surveillance by that country without necessarily avoiding surveillance by the NSA,” said Jennifer Granick, the Director of Civil Liberties for the Center for Internet and Society at Stanford Law School.
So if you’re concerned about your online privacy, what should you do?
NSA data requests
Section 215 of the PATRIOT Act of 2003 gives the government the ability to request that U.S. communication companies turn over information such as business records, metadata, and other “tangible things” pertaining to people involved in an investigation.
Section 702 of the FISA Amendments Act of 2008 gives the Foreign Intelligence Surveillance Court broad powers to target any non-U.S. person (defined as anyone who’s not a U.S. citizen or a legal U.S. resident) located outside the U.S.
Some companies protested the Section 215 requirements, but the law dictated that they were not allowed to even disclose to their customers that these requests were happening.
For example, Yahoo CEO Marissa Mayer recently told the audience at the TechCrunch Disrupt conference in San Francisco that in 2007, Yahoo had filed a lawsuit against “the Patriot Act parts of PRISM and FISA” but lost the case.
So are both companies and customers better off looking abroad for non-U.S. data-storage options?
“It isn’t that simple,” said Jon Callas, chief technology officer and co-founder of secure communications company Silent Circle, which is based in National Harbor, Md. and offers encrypted text and voice conversation services called Silent Text and Silent Phone.
“Our servers are in Canada because we like their privacy laws,” Callas told Tom’s Guide. “We like that their legal infrastructure has privacy considerations in it. But other countries have other issues. The [European Union (EU)] has data-retention laws that cause their own privacy issues. There’s no place that’s perfect.”
“The US can issue information requests to other countries,” Granick pointed out. “There are both law enforcement and national security procedures for that. It may be that some non-US companies would be more resistant to US requests, however, and challenge them rather than meekly comply.”
The EU currently has a data-sharing agreement with the U.S., but in the wake of the Sept. 5 revelation that the NSA has compromised huge swaths of Internet security, several European politicians are calling for an end to that agreement.
But many European countries issue data requests of their own, at rates comparable to the U.S.’ requests when adjusted for population size, according to a report by Christopher White, director of the Privacy and Information Management practice at Hogan Lovells international law firm.
In fact, despite everything that’s been revealed about the NSA’s surveillance habits, U.S. law still guarantees its citizens’ privacy far more than many other countries do.
“The Patriot Act is nothing special,” wrote International Data Corp. research manager David Bradshaw in 2012. “Indeed, data stored in the U.S. is generally better protected than in most European countries, in particular the U.K.”
In Germany, a law called the G-10 Act allowed German intelligence services to monitor and record telecommunications pertaining to a serious crime or national security threat. The G-10 Act also established an information-sharing network among Germany, the U.S. and the U.K.
On Aug. 2, however, Germany repealed the G-10 Act. “The abolition of [the G-10 Act]…is a necessary and proper consequence of the recent debates on the protection of privacy,” German Foreign Minister Guido Westerwelle said in a statement.