NSA Internet Spying Sparks Race to Create Offshore Havens for Data Privacy
TECHNOLOGY September 27, 2013, 12:15 p.m. ET
Firms Tout 'Email Made in Germany' as More Secure; Brazil Wants Its Own Servers
By ELIZABETH DWOSKIN And FRANCES ROBINSON
Google Inc., Facebook Inc. and other American technology companies were put on the defensive when Edward Snowden's allegations about U.S.-government surveillance of Internet traffic emerged this spring.
Outside the U.S., some companies and politicians saw an opportunity.
Three of Germany's largest email providers, including partly state-owned Deutsche Telekom AG, teamed up to offer a new service, Email Made in Germany. The companies promise that by encrypting email through German servers and hewing to the country's strict privacy laws, U.S. authorities won't easily be able to pry inside. More than a hundred thousand Germans have flocked to the service since it was rolled out in August.
"We can say that we protect the email inbox according to German law," says Jorg Fries-Lammers, a spokesman for one of the German companies, 1&1 Internet AG. "It's definitely a unique selling point."
The U.S. National Security Agency has acknowledged collecting email data about Americans through phone and Internet companies. Silicon Valley companies have said that they don't give the government unfettered access to user data but that they are barred from disclosing details.
Fueled by the controversy, countries are seeking to use data-privacy laws as a competitive advantage—a way to boost domestic companies that long have sought an edge over Google, Microsoft Corp. and other U.S. tech giants.
"Countries are competing to be the Cayman Islands of data privacy," says Daniel Castro, a senior analyst at the Information Technology and Innovation Foundation, a nonpartisan Washington, D.C., think tank that receives funding from the tech industry.
While establishing these islands of privacy might make for good marketing, the initiatives face hurdles. Laws demanding that data be stored in-country can give domestic Internet-service providers a boost but also could raise their customers' costs.
And creating domestic walls for online service runs into a hard reality.
"It basically ignores the entire Internet," says Ronaldo Lemos, director of the Institute for Technology & Society, a Rio de Janeiro think tank. "This data has to circulate. It's going to be sent to Miami, to Europe. It's not going to be sitting idle."
Nevertheless, some European leaders are renewing calls for a "euro cloud," in which consumer data could be shared within Europe but not outside the region. Brazil is fast-tracking a vote on a once-dormant bill that could require that data about Brazilians be stored on servers in the country. And India plans to ban government employees from using email services from Google and Yahoo Inc.
U.S. companies are watching such developments with trepidation.
"We should all be nervous when countries impose costly new requirements on companies as a condition of serving their citizens," says Facebook Chief Operating Officer Sheryl Sandberg. "It means fragmenting the Internet and putting the economic and social opportunities it creates at risk."
Google declined to comment for this article, and Yahoo didn't respond.
It is too soon to tell if a major shift is under way. But the Information Technology and Innovation Foundation estimates that fallout from revelations about NSA activities could cost Silicon Valley up to $35 billion in annual revenue, much of it from lost overseas business. A survey conducted this summer by the Cloud Security Alliance, an industry group, found that 56% of non-U.S. members said security concerns made it less likely that they would use U.S.-based cloud services. Ten percent said they had canceled a contract.
"We talk to our sales leaders, who talk to customers every day, and this has the potential to significantly erode the trust of customers around the world," says John Frank, a deputy general counsel at Microsoft.
It could be tough for U.S. companies to undo any damage, particularly when the extent of NSA activities is secret and other nations have been critical of the U.S. On Tuesday, Brazilian President Dilma Rousseff in a United Nations address assailed U.S. snooping on her country. Last week she canceled a planned visit to Washington.
European Commission Vice President Neelie Kroes, who supervises the European Union's digital portfolio, has been encouraging the bloc's companies to tout their privacy creds. "Privacy is not only a fundamental right," she said in Estonia this summer. "It can also be a competitive advantage."
For small German companies competing against big ones—like online-security company Symantec Corp. and Amazon.com Inc., which provides corporate cloud services—the NSA surveillance program "is a present from heaven," says Oliver Dehning, chief executive of antispameurope GmbH, which builds spam-protection software. "It's kind of an opportunity to strike back and protect our home market."
He turned the Snowden leaks into a marketing campaign, tweeting about the news and speaking at industry conferences about how Germans can protect themselves from spying.
Symantec and Amazon declined to comment for this article.
Some of the promises of the would-be data islands could be tough to meet.
While much of the legislation proposes that information about citizens be located in-country, that overlooks that the data may need to be transferred elsewhere.
And laws requiring domestic hosting could raise the price of computing. The in-country hosts could have trouble competing with the economies of scale enjoyed by big U.S. companies, says Jim Reavis, president of the Cloud Security Alliance. Also, it could well be less expensive to use a data center in another country than to build one at home.
Country-specific computing can have its own privacy concerns, meanwhile. Some countries pushing domestic hosting—Brazil, for example—don't protect the privacy of citizens' Internet data, so consumers wouldn't be safe from their own governments' eyes. Brazil made 715 requests for Facebook user data in the first half, according to the company.
Because Germany has strict privacy laws, Email Made in Germany says customers who send email to fellow subscribers can be assured the U.S. and German governments will have a difficult time accessing the users' messages. Customers see a bright-green check mark next to messages sent by fellow subscribers. A gray check appears next to messages from other email providers. That means Germans can ensure their privacy only for email to people on German soil.
Even some companies that seek to profit from fears about U.S. snooping acknowledge that law-enforcement agencies in other countries want to catch up with Washington's capabilities.
"In the long run, there won't be any difference between what the U.S. or Germany or France or the U.K. is doing," says Roberto Valerio, whose German cloud-storage company, CloudSafe GmbH, reports a 25% rise in business since the NSA revelations.
"At the end of the day, some agency will spy on you," he says.
—Loretta Chao contributed to this article.
A version of this article appeared September 28, 2013, on page B1 in the U.S. edition of The Wall Street Journal, with the headline: Creating Havens For Web Privacy.