Every time American whistleblower Edward Snowden slips a brown paper envelope through the mail slot of a newspaper, cloud computing companies outside America, including Canada’s RackForce Networks, stand to benefit.
BlackBerry Ltd. (TSX:BB), on the other hand, now has to worry that its biggest selling feature – its much-vaunted security – has been compromised by the National Security Agency (NSA), according to documents leaked to the German newspaper Der Spiegel.
Documents leaked by Snowden confirm the NSA in the United States has worked over the years with technology companies to weaken encryption standards to make it easier for the NSA to break codes used to scramble data before it’s transmitted via the Internet.
The NSA has also been able to get into iPhones, Android-based phones and even the heavily fortified BlackBerry, according to leaked documents.
The revelations could cost American cloud computing companies between US$21 billion and US$35 billion over three years, according to a recent report by Daniel Castro, senior analyst for the U.S.-based Information Technology & Innovation Foundation, and could benefit the cloud computing industry in other countries, like Canada.
“The take-away for many customers of cloud computing is that U.S.-based cloud computing is suspect,” Castro told Business in Vancouver. “I think it gives a pure advantage to any cloud computing provider that’s not based in the United States.”
He estimates the global cloud computing market will be worth more than $200 billion by 2016 and that the U.S. stands to lose between 10% and 20% of its foreign market share, thanks to the NSA and American Patriot Act, which can force American companies to hand over data to intelligence agencies.
A number of American companies use RackForce because they feel it is more secure, said Brian Fry, the company’s co-founder and senior vice-president.
“We only benefit from what Snowden does,” Fry said. “We have benefited from the start from data privacy issues.”
He confirmed RackForce – which has data centres in Kelowna, Calgary and Toronto – has had a number of requests from American intelligence and law enforcement agencies to hand over information. But Canadian privacy laws are stronger than those in the U.S. when it comes to protecting digital data.
“You have to go through a proper legal process to get access to data in Canada,” Fry said.
Since about 2010, businesses have been sold on the benefits of moving to the cloud. But most cloud computing is based in the U.S., where only a few companies, like Amazon.com Inc. (Nasdaq:AMZN) and Google (Nasdaq:GOOG), have the massive server capacity that is needed.
“People have been fearing the endpoint [the computers themselves], so they’ve migrated it to the cloud, when it’s beginning to look like the endpoint may have been the safest place for that data after all,” said Geoff Glave, senior product manager for endpoint security at Absolute Software Corp. (TSX:ABT).
Absolute specializes in protecting data on computers and the computers themselves.
But, because of the NSA’s ability to crack encryption codes, even data that’s stored in Canada could be vulnerable to prying eyes in the U.S. if it goes out over the Internet.
Unless the data remains within a closed network – as is done for things like medical records and some financial transactions – most data travelling over the Internet passes through the U.S. at some point.
But businesses and consumers could always take comfort in knowing that sensitive data, like online transactions, is encrypted.
In cracking encryption codes, the NSA has access to 75% of all online communications, according to the Wall Street Journal. The NSA does not dispute that it has cracked encryption codes, although it takes issue with the Journal’s 75% figure.
“In its foreign intelligence mission … the NSA ‘touches’ about 1.6% and analysts only look at 0.00004% of the world’s Internet traffic,” the NSA stated on its website.
Who else might use back doors?
The NSA maintains its digital spying is crucial to national security. And if all the NSA is after is terrorists and criminals, do Canadian companies really have anything to worry about?
“Unless you’re selling bonds to Syria, or something, they’re probably not interested,” said Geoff Glave, senior product manager for endpoint security at Absolute Software Corp.
But he added that “it would be foolish to say, ‘No, it’s not a concern that a third party can read traffic over the Internet that is supposed to be encrypted.’”
One of the more worrisome revelations is that the NSA didn’t just find a way to crack encryption codes, it also worked with technology companies – which have not been identified – to build in vulnerabilities into their encryption methods to make it easier for the NSA to break the codes.
“This is not new,” said RackForce’s Brian Fry, who has a background in computer security.
“Whenever a new encryption algorithm is developed, the U.S. government is almost always working with that group that’s creating this technology to make sure it has a back door, and that’s been going on for years. What Snowden has done is put it out there with proof.”
But if the NSA can use backdoor methods to decode encrypted data, can other intelligence agencies as well?
“If the Americans can do it, so can a whole bunch of other nation states,” said Dale Jackaman, president of Amuleta Computer Security and Investigations, “and their motives are sometimes less than pure.”
