ORLANDO, Fla. - Data center customers are beginning to avoid the U.S. and place their infrastructure elsewhere because of data sovereignty concerns caused by revelations about NSA surveillance, according to David Snead, founder of the Internet Infrastructure Coalition (I2C).
"Our members are seeing a very real shift in putting data outside the U.S. rather than inside the U.S.," said Snead, whose group includes more than 100 companies in the hosting and data center business. "The NSA disclosures have undermined worldwide confidence in U.S. infrastructure."
It's not an accident, Snead said, that a large hosting company in Switzerland recently reported a 45-percent increase in business in the wake of the revelations of former NSA contractor Edward Snowden. One coalition member reports that it used to get 70 percent of its new business from overseas customers, but that now has dropped to 35 percent.
Spying and surveillance by state agencies is nothing new, and the U.S. isn't the only country engaged in surveillance and requesting information from service providers. But the U.S. has more at stake because it is the leading player in Internet infrastructure.
"The vast majority of data transfer traffic touches the United States," said Snead. "The U.S. remains an enormous market for the data center industry."
Secret process erodes confidence
The key issue is the secret nature of information requests by the NSA and other agencies. Service providers are barred from discussing whether they've received classified requests for user data. The I2C argues that companies should be able to explain how the process works and disclose the number of requests they have received from the government.
"Most of you have never received these requests, and your users assume that you have," said Snead, who said providers should be allowed to make this clear to their users.
One way for cloud platforms and service providers to defuse data sovereignty concerns from international clients would be to add infrastructure in other countries, allowing customer data to stay within their borders, rather than traveling through U.S. infrastructure where it might be accessed by federal agencies.
But this approach has been complicated by the U.S. government's effort to access data stored by Microsoft in a data center in Ireland, a case that has broad consequences for the data center industry, making it difficult for American providers to communicate with customers and assess how to expand their global networks.
Providers should pay attention
In April, a judge ruled that Microsoft must comply with search warrants from U.S. law enforcement agencies seeking customer data regardless of where that data is stored. In this case, the data is in a Microsoft facility in Dublin. Microsoft refused to comply with the request, arguing that a U.S. warrant did not apply to data located overseas, and the dispute ended up in court.
“We’re convinced that the law and the U.S. Constitution are on our side, and we are committed to pursuing this case as far and as long as needed,” said Microsoft General Counsel Brad Smith.
Snead said the Microsoft decision is "extremely troublesome" to U.S. companies. "This is a huge issue that the industry is not paying very much attention to," he said. "Companies should be able to place data where they think is necessary, and respect how the local law works."
Invite the FBI to visit
Snead noted that the relationship between data centers and law enforcement need not be adversarial. In fact, he said, there are times when it can be a good thing to have the FBI visit your facility.
"Develop a relationship with law enforcement," he said. "Call the local FBI office and invite them over for coffee, and then give them a tour of your data center. If there's no relationship, they'll just come in looking for a single customer's data and take the entire server. That's a huge problem, since you have other customers and SLAs.
"You never want to figure out your subpoena and access policy when the FBI knocks on your door," said Snead. "You have to work it out beforehand. The last thing you want to do is ask the FBI to sit in your conference room while you go call your lawyer."