U.S. Surveillance Fallout Costing Third-Party Providers

E-mail encryption provider Lavabit shuts down, Silent Circle shutters its own service, and analysts are forecasting tens of billions of lost revenue for cloud and service providers

It began with e-mail encryption provider Lavabit.

On August 8, the founder of Lavabit, Ladar Levison, shuttered the service, stating that he could not legally explain the reason for the closure. Yet, the post, which is all that remains of the service online, has all the hallmarks of tiptoeing around one conclusion: Levison received a National Security Letter or sealed subpoena, experts say. Such legal requests, allowed by the USA PATRIOT Act, require a provider to not only turn over data about a subscriber to the U.S. government, but also to keep silent about the request.

Levison, who counted whistleblower Edward Snowden among his subscribers, only stated that he had fought against the mysterious gag order for six weeks, but in the end, came to the conclusion that he could no longer protect his customers. So he shuttered the service and issued a damning statement.

"This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States," he wrote.

The shutdown of the service highlights the impact that the United States' secretive surveillance policy has had on U.S. companies. In Europe, German and French authorities spoke out about trusting data to U.S. companies, while enterprises worldwide contacted their U.S.-based cloud providers for information about protections against unwanted government access. In fact, more than half of non-U.S. managers responding to a recent Cloud Security Alliance survey said that the revelations about the NSA's surveillance will make them less likely to use a U.S. cloud provider.

Web-security firm CloudFlare has been inundated with calls from customers wanting to know more about its policies regarding government access. While the company acquiesces to legal requests from law enforcement, it has hired a legal counsel specifically to help it minimize the scope of such requests, says CEO Matthew Prince.

"Fundamentally, we are in the trust business, and if people stop trusting us, or stop trusting Google, or stop trusting Yahoo, the switching costs are not that high and people go away," he says.

Other security service providers have reacted to the news as well. A day after Lavabit closed, secure-communications provider Silent Circle shuttered its encrypted e-mail service. The company did not receive a National Security Letter or any request from law enforcement, but it wanted to pre-empt the possibility of such a request, says Jon Callas, chief technology officer of the company he co-founded with Phil Zimmermann, best known for creating the open-source encryption protocol, Pretty Good Privacy.

The fundamental problem, Callas says, is that sending messages via e-mail, which are then stored for an indefinite period of time if not deleted, is inherently insecure.

"You can make [e-mail] secure, but you have to start from scratch," he says. "The architecture of e-mail is fundamentally insecure."

The revelations of the last three months of widespread data collection and surveillance by the National Security Agency have fueled concerns over the security and safety of business data and have been a windfall for other countries, giving them ammunition in their battles against U.S.-based cloud and service providers. Leaked classified documents provided to the media by former NSA analyst Edward Snowden have shown that the secretive agency has had access to about three-quarters of Internet traffic and to information on phone calls made by millions of Americans, and reportedly gave that information to other nations for non-terrorism investigations.

[The NSA has hit back after mounting criticism about its ability to intercept Web communications domestically, claiming that reports of its capabilities are "inaccurate and misleading." See NSA Responds To Criticism Over Surveillance Programs.]

The revelations have damaged the interests of U.S. cloud and managed-service providers in other countries. Many European nations had already taken a political stance against handing their data over to U.S. companies; the fact that the U.S. government can demand access to that data has only increased concerns, says James Staten, a principal analyst with Forrester Research.

While much of the criticism of U.S. companies was initially made to justify a preference for local cloud providers, the revelations have given the concerns a basis in fact, he says. That could lead to significant damages: In an analysis of the worst-case impact of the loss of confidence in U.S. cloud providers, the Information Technology and Innovation Foundation (ITIF) estimated that U.S. businesses could stand to lose $22 billion to $35 billion over three years from a decline of business from foreign firms. Forrester raised the stakes and added the potential costs of all outsourced business, finding that the worst case could be $180 billion in losses over three years, or about 25 percent of provider revenue.

In reality, the drop will likely be much less--only 3 to 5 percent, says Forrester's Staten.

"Should service providers be worried about this? Absolutely. They stand to lose significant money," he says. "Should they overreact? No."

Yet, U.S. service providers believe that businesses have to stick with the cloud to remain competitive, and that business realities will take precedence over dire what-if scenarios involving the NSA. For the average company, remaining with a cloud service provider--whether for e-mail, storage or other business applications, such as customer-relationship management--makes sense, because centralized administration of software and data is, on the whole, more efficient and secure than individual companies doing it themselves.

Ditching cloud services and going back to implementing such technologies on their own will hurt a company's competitiveness, says a representative of one cloud provider, who asked not to be named because of the sensitivity of the issues. Yet, the concerns are there, the representative says.

"There are people asking questions that they wouldn't have asked before, such as how a process works, and that's totally reasonable," the representative says. "But we haven't seen any kind of dramatic or noticeable shift in our business."

In addition, the issues may boost revenues in related industries, as some businesses spend to augment the security of their cloud providers. Add-on encryption provider CipherCloud, which allows companies to add a proxy server to their infrastructure and encrypt data going into the cloud, has seen a steep increase in interest in its services, says Willy Leichter, global director of cloud security for the firm.

"The awareness has shot through the roof now," Leichter says. "There is significantly more interest, because ... people have to solve this problem of data that is stored outside its reach."

In the end, U.S. companies are less concerned with protecting their data from the NSA and more concerned with keeping hackers from stealing and using customer information, he says. And global firms will have to decide whether using a local provider or a U.S. provider makes more business sense.

The U.S. government could help matters by creating more protections for data being held by a third party. Right now, U.S. firms do not have good guidance for handling requests for data needed for counter-terrorism or national-security reasons, says Silent Circle's Callas. The company put its servers in Canada, because the nation has a better privacy framework and a better-understood process for fighting requests for data than the United States does.

"The legal system in the U.S. does not have a framework for what you need to do," he says.
