Disclaimer: I do not, nor ever had, any level of secret clearance for any government. I have no connections to Snowden, the NSA, or any person or organization linked to them.
From 2006 through 2012, I was the information security officer for a global financial services company, selling subscription based services to the largest companies in the world in every industry sector. Understandably, many of the larger corporate customers expressed a lot of concern over the confidentiality of their financial data when stored in our systems. Despite having numerous external audits and penetration tests (with reports available to these customers), many of the larger customers won additional concessions in the form of additional security controls, in exchange for their business.
The U.S. PATRIOT Act was a tremendous stumbling block for many potential non-U.S. customers. They were concerned about the ability for law enforcement to serve secret subpoenas and obtain business records without their knowledge or consent. Our only argument was that we were not the source for original data, and that federal law enforcement would more likely go after original records, such as banking and telecommunications. Still, many non-U.S. companies elected not to do business with our U.S. based company because of PATRIOT.
Revelations of Prism and XKeyscore represent U.S. law enforcement and spy agencies taking a gigantic leap beyond PATRIOT. With PATRIOT (as I understand it — my former employer was never, to my knowledge, served with a National Security Letter), a judge was required to sign or approve the national security letter on behalf of the federal law enforcement agency that wished to obtain information. But with Prism and XKeyscore, U.S. federal law enforcement and other agencies have unilaterally obtained – and apparently continuously obtain – many forms of electronic records, without the consent of anyone.
Prism and XKeyscore, in my belief, will prove to be extremely harmful to U.S. based electronic services providers at every level: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), and virtually all other forms of electronic services that store, transmit, or process electronic information. With PATRIOT, the mere prospect of law enforcement obtaining information in special, limited circumstances was enough to scare away many potential customers. With XKeyScore and Prism, law enforcement continuously obtains much of this same information. Thus, the probability of law enforcement (and other agencies) obtaining sensitive information increases from longshot to near absolute certainty.
This has got to be bad for U.S. based businesses in nearly every sector that provides services to customers worldwide.
Aug 5 update: headline article in Puget Sound Business Journal echos my sentiments. http://www.bizjournals.com/seattle/news/news-wire/2013/08/05/nsa-revelations-could-cost-us-lead.html
Peter, you are absolutely correct! I write from the UK and, while we knew that the Patriot Act gave the US authorities access to our data in the US (or stored on system owned by US companies) we took some comfort from the constraints associated with the Patriot Act. Those comforts are now dust.
I have re-read the licence agreements and various other documentation from US-based service providers (e.g. Microsoft MS365, AWS etc.) and it is amazing how those same words read very differently now that we are aware of PRISM etc.
My belief is that there will be a two-pronged impact on US providers:
1. commercial as users switch to providers in their home countries or regions where they better understand the legislative landscape and the mindset and capabilities of the various legal agencies
2. commercial as users start applying encryption to their data to render it much more difficult to analyse without the key. This will probably speed the development of viable and affordable homomorphic encryption for this purpose. The result will be that companies like Google that index the data for all kinds of uses (e.g. selling summarised or anonymised data) will see that revenue stream dry up.
Either way, this will hit the vendors in the most powerful way – by reducing revenues.