ORLANDO, Fla. – Data center customers are beginning to avoid the U.S. and place their infrastructure elsewhere because of data sovereignty concerns caused by revelations about NSA surveillance, according to David Snead, founder of the Internet Infrastructure Coalition (I2C).
“Our members are seeing a very real shift in putting data outside the U.S. rather than inside the U.S.,” said Snead, whose group includes more than 100 companies in the hosting and data center business. “The NSA disclosures have undermined worldwide confidence in U.S. infrastructure.”
Spying and surveillance by state agencies is nothing new, and the U.S. isn’t the only country engaged in surveillance and requesting information from service providers. But the U.S. has more at stake because it is the leading player in Internet infrastructure.
“The vast majority of data transfer traffic touches the United States,” said Snead. “The U.S. remains an enormous market for the data center industry.”
Secret process erodes confidence
The key issue is the secret nature of information requests by the NSA and other agencies. Service providers are barred from discussing whether they’ve received classified requests for user data. The I2C argues that companies should be able to explain how the process works and disclose the number of requests they have received from the government.
“Most of you have never received these requests, and your users assume that you have,” said Snead, who said providers should be allowed to make this clear to their users.
One way for cloud platforms and service providers to defuse data sovereignty concerns from international clients would be to add infrastructure in other countries, allowing customer data to stay within their borders, rather than traveling through U.S. infrastructure where it might be accessed by federal agencies.
But this approach has been complicated by the U.S. government’s effort to access data stored by Microsoft in a data center in Ireland, a case that has broad consequences for the data center industry, making it difficult for American providers to communicate with customers and assess how to expand their global networks.
Providers should pay attention
In April, a judge ruled that Microsoft must comply with search warrants from U.S. law enforcement agencies seeking customer data regardless of where that data is stored. In this case, the data is in a Microsoft facility in Dublin. Microsoft refused to comply with the request, arguing that a U.S. warrant did not apply to data located overseas, and the dispute ended up in court.
“We’re convinced that the law and the U.S. Constitution are on our side, and we are committed to pursuing this case as far and as long as needed,” said Microsoft General Counsel Brad Smith.
Snead said the Microsoft decision is “extremely troublesome” to U.S. companies. “This is a huge issue that the industry is not paying very much attention to,” he said. “Companies should be able to place data where they think is necessary, and respect how the local law works.”
Invite the FBI to visit
Snead noted that the relationship between data centers and law enforcement need not be adversarial. In fact, he said, there are times when it can be a good thing to have the FBI visit your facility.
“Develop a relationship with law enforcement,” he said. “Call the local FBI office and invite them over for coffee, and then give them a tour of your data center. If there’s no relationship, they’ll just come in looking for a single customer’s data and take the entire server. That’s a huge problem, since you have other customers and SLAs.
“You never want to figure out your subpoena and access policy when the FBI knocks on your door,” said Snead. “You have to work it out beforehand. The last thing you want to do is ask the FBI to sit in your conference room while you go call