A New Twist in International Relations: The Corporate Keep-My-Data-Out-of-the-U.S. Clause
By Jordan Robertson Dec 24, 2013 3:45 AM PT
By now, we've heard from tech companies such as Facebook, Google and Cisco Systems that the National Security Agency's spying poses a threat to their international business and, in Cisco's case, is already hurting it. So what does that threat look like, exactly, at ground level?
Some companies are apparently so concerned about the NSA snooping on their data that they're requiring - in writing - that their technology suppliers store their data outside the U.S.
In Canada, a pharmaceutical company and government agency have now both added language to that effect to their contracts with suppliers, as did a grocery chain in the U.K., according to J.J. Thompson, chief executive officer of Rook Consulting, an Indianapolis, Indiana-based security-consulting firm. He declined to name the companies, which are using Rook to manage the segmentation and keep the data out of the U.S.
Thompson said the language began appearing in contracts over the past couple weeks, and could be an early indicator of things to come as businesses adapt to a landscape altered by former NSA contractor Edward Snowden's leaks. Documents leaked by Snowden indicate that the NSA has tapped fiber-optic cables abroad, circumvented or cracked encryption and is massively collecting telephone records and Internet traffic. Facebook, Google, Apple and Yahoo were among 15 technology companies that asked President Barack Obama Dec. 17 to restrain the spy programs. Cisco said Nov. 13 that NSA spying has caused delays to networking equipment orders.
U.S.-based technology companies face a serious threat. The NSA disclosures may reduce U.S. technology sales overseas by as much as $180 billion, or 25 percent of information technology services, by 2016, according to Forrester Research Inc., a group in Cambridge, Massachusetts.
Some large tech firms have used the revelations as a public relations opportunity, casting themselves as defenders of individual privacy and a bulwark against government encroachment. The approach has elicited accusations of hypocrisy from privacy advocates who say that many tech companies are eroding privacy, as we reported Monday.
It's not all doom and gloom, however. Thompson's comments show that some U.S. firms stand to benefit from distrust of the U.S. government, and that a new model may be in the offing for protecting sensitive data from the NSA's prying eyes.
There's a worry in this approach, though. Keeping the data out of the U.S. makes intuitive sense, and limits the likelihood that U.S. firms bound by U.S. laws will disclose it to the government. However, if the scandal has proven nothing else, it's that the NSA isn't bound by geography. And bucking the childhood admonishment, it certainly doesn't do the polite thing and always ask permission first either.