The privacy differential - why don't more non-US and open source firms use the NSA as marketing collateral?

The NSA has far-reaching powers to monitor US cloud companies. So why aren't alternative non-US providers shouting louder?

The shockwaves generated by Edward Snowden's revelations of the close collaboration between US tech giants such as Microsoft and Apple and the NSA are still reverberating through the industry. Those disclosures, together with related ones such as the involvement of the NSA in industrial espionage, as well as the asymmetric nature of US law when it comes to gathering data from foreign individuals, present something of an open goal for non-US technology companies - or so one might have thought.

On the face of it, then, it is surprising that non-US technology firms, and others that can distance themselves from US law, are not proclaiming this fact more loudly. After all, there must be a considerable number of organisations that would dearly love to locate their data as far from the attentions of the NSA as possible.

Perhaps the lack of fanfare is merely a reflection of the relative sizes of the marketing budgets available to the US tech giants and local contenders; or perhaps the shock of Snowden has yet to translate itself into meaningful action, making such messaging premature.

Can of worms?

Or maybe the alternatives to the US cloud giants are simply wary of making bold promises that may later come back to bite them. Analyst Clive Longbottom of Quocirca certainly believes that organisations need to be very careful about seeking to differentiate themselves from others on the basis of the leaks.

"In my view, trying to market off the back of Snowden would be opening a can of worms," Longbottom said. "To every possibly positive marketing message there will be a few sensible contradictions. 'Hey, we have no back doors on our system!' - bet you use equipment at the hardware level from vendors who Snowden implicated in such backdoors. 'Hey, we're open source, so it's all OK!' Sure - the NSA has never infiltrated any open source group and built in back doors through such means."

Despite the possible "worms", however, there are some companies that are using the revelations to set themselves apart. One is security firm F-Secure, which is actively involved in promoting privacy via collaboration with pressure groups such as Don't Spy on Us and the Open Rights Group and which uses its very Finnish-ness as an asset.

"Finnish culture is very much about privacy. Freedom of speech is written into their constitution so the technology is built with the idea that people are anonymous and data is protected," said Allen Scott, F-Secure's managing director for UK and Ireland.

Scott acknowledged the dangers of over-promising on the issue, saying that any organisation promoting itself as ethical will become a target for attackers trying to prove it wrong.

"This is the sort of thing that has to be built into your company at an R&D level and a board level. If you're going to say that you're 100 per cent anything you're already open to ridicule. If you say the safest company in the world people try to hack you."

However, given the right operational safeguards, such as abstracting the development environment from the hardware, running cloud services locally away from the reach of "Five-Eyes" – an intelligence alliance comprising Australia, Canada, New Zealand, the UK, and the US – and applying a corporate culture of respect for privacy and data protection, Scott believes much higher standards are possible at a technology level. His firm is looking to create a broader certificate of assurance.

"We are looking for other ethical companies to sign up to a pledge, to create a kite-mark of some kind that talks about the trusted internet. If you see this little sign you'll know that you're with an ethical company that is keeping your data anonymous, that's not tracking you."

Scott said business has been brisk as a result of Snowden, especially in the area of VPN software, but he admitted that awareness of the implications is still at an early stage, saying: "What Snowden revealed, people haven't quite digested yet."

He expects this to change because the sheer number of hacks and leaks of personal data will make individuals and organisations more privacy-aware and eventually they will start to "vote with their wallets". The trouble is, he said, at the moment there are too few alternatives out there.

Surveillance footprint

An alternative to cloud-based email services such as Gmail and Outlook, which are subject to NSA surveillance, is to host email locally. Zimbra CMO Olivier Thierry said there has been an upswing in interest in his company's email and collaboration software since Snowden. It may be headquartered in the US, but Zimbra does not run its own servers, said Thierry, meaning that the US government has no legal right to monitor its users outside that country.

"The applicability of US intelligence and surveillance laws to non-US citizens, and the implications for data privacy, is specifically relevant to global cloud and email providers that are running US-based services for a global audience," he said.

"Despite a global footprint, all of these services are under the purview of US laws. To contrast, the approach we are taking at Zimbra is to enable local and regional providers, to which US laws are not applicable, to provide country-specific or pan-European services that are under the sole jurisdiction of the EU and/or European countries."

Although this situation existed before Snowden, the revelations have led European governments and companies to pay more attention to the issue, he said: "From that perspective we are very different and actually that gains us a tremendous amount of business."

The other string to its bow is that its software is open source, which makes it harder (although not impossible, in the ways Longbottom alluded to) for backdoors to be introduced. Relying on volunteers to find vulnerabilities in the code is not foolproof - witness the Heartbleed flaw in OpenSSL and Shellshock, a bug in the Bash shell widely used on Linux/Unix systems that had gone unnoticed since 1989. However, Thierry insisted it is still more dependable than the closed-source model.

"You have thousands of eyeballs who actually are in the code on a regular basis. It's just the law of averages - while they might not be looking for vulnerabilities they'll find them. We're increasing the chances that we are going to find things in a way that a proprietary vendor really can't," he said. "A proprietary vendor is actually not generally looking for vulnerabilities in their code. They might be scanning it but they're working on one section of their code. We are working on many sections of the code so that just increases the chances."

Thierry continued: "The second piece is that anybody can validate what we have done in fixing the problem."

There are other organisations that are using their ability to distance themselves from the long arm of US (and other) intelligence agencies in order to stand out, of course. But this has yet to become a simple, clear and positive marketing message. This may be a good thing as there is only so much that technology can do to ensure privacy and data security, and users could be lulled into a false sense of security.

The forthcoming EU General Data Protection Regulation may help the cause of privacy-focused vendors by providing a stronger legal framework with respect to state surveillance, but many EU watchers seem to think this is unlikely: member nations are as suspicious of each other as they are of the US, some (like the UK) collaborate closely with US intelligence, and others may be just as likely to snoop.