In 2008 when we were opening the US office for a European maker of membrane production equipment, we had all of the early IT choices someone has to make when first opening a business.

How should we access email?

What CRM tool should we use?

From our standpoint, that was easy. We should use a Google/Apps account and Salesforce.com, both of which we’d worked with quite a bit.

You could feel the head of our Czech IT team recoil in horror over the phone. “No, we will put a server in your office and here are the applications we’ll use.” We pushed back, talking about how, while hosted solutions were then rare in Europe, they were commonly used here in the US. He sent us an email with highlights of the Google Terms and Conditions that would preclude us from working with them.

We sell heavy industrial equipment to entities all over the world, including some foreign governments. Any possibility that our emails could be remotely read in one jurisdiction would make it hard to work with governments in another.

My colleague went on to make another point: “As written, someone could go into our account and take confidential information, and we would never know. This way, they would at least have to come get our server – we would know that the information was out there and decide what to do next.”

I then argued that things don’t work that way in the US, that there is judicial oversight and extensive use of warrants, and that the activities such email tracking programs pursue don’t pertain to our business. My colleague, who grew up under Communism and had lived through the Velvet Revolution in 1989, replied,

“On one hand I’m glad you have grown up in an environment where you’re able to trust your government so much, and on the other I’m sorry to tell you that governments can change.”

As more information comes out on Prism, two criteria consistently show up under which we would have consistently triggered oversight:

Almost all of our emails, phone calls or other digital correspondence have a participant outside of the US.

Because of the sensitive nature of machine design, much of our work is sent encrypted.

Their concerns were sadly correct – they were right, I was wrong.

Edit: The Hacker News discussion thread covers most of these points in a better way than I can.