News that the NSA is sneaking around back doors in a data gathering quest really isn't that surprising. Despite the idea being the lore of offhanded comments and jokes for years, the actual acknowledgement that big brother is closely watching has shocked just about everyone. Now the fallout begins.
Ladar Levison, owner of Lavabit, the email service used by Snowden, posted on the Lavabit homepage:
I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what’s going on--the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.
Levison goes on say that he will fight for his constitutional rights then strongly recommend against anyone trusting their private data to a company with physical ties to the United States.
Days later the unexpected closing of the hugely popular Groklaw website, hosted on University of North Carolina servers made international headlines. Pamela Jones in her emotional thought provoking final post prefaced with a reference to Levison. “The owner of Lavabit tells us that he's stopped using email and if we knew what he knew, we'd stop too”. Jones continues stating “For me, the Internet is over. Perhaps it should be over for many of us.” Although the majority would see Jones response as an over-reaction, many are reflecting on their own web surfing habits and practices.
America tech giants Google, Amazon, and Microsoft, along with numerous smaller web hosting entities have globally promoted the benefits and competitive advantage of their cloud hosting. “The disclosures of widespread Internet surveillance represents an enormous privacy risk that could tilt the balance away from these cloud-based services altogether or increase demand for local providers that are less vulnerable to U.S.-based surveillance” says Michael Geist.
Ben Werdmuller in a post titled 'Government - the last great gatekeeper - is ripe for disruption' wrote:
Here are two things I would love for everyone to do; I'll start. The first is to publicly declare the jurisdiction in which you live, and in which your data is hosted. That way, people can make an informed decision about how to communicate with you.You can do it like this: Hey, everyone! I live in California, my email is hosted by Google, I keep documents on Dropbox, and my server is hosted in Dallas, Texas.
Kim Dotcom of Mega fame was early out the gate, musing that Iceland and its green data centers would become the destination of choice for many concerned about privacy issues. In spite of the presently limited connectivity capacity, Dotcom saw Iceland as one of few countries whose stance against overtly overreaching government intrusion could be trusted.
As in the past when some Canadian web hosts marketed their servers as a way of circumventing some aspect of the Patriot Act dealing with copyright, there are now a growing number of Canadian-based firms suggesting they are a viable alternative to their American counterparts. The concept that Canuck servers are 'uniquely Canadian' has even been perpetuated by provincial government departments responding to concerns that provincial health data could be subject to disclosure under the USA Patriot Act. A number of Canadian provinces enacted laws requiring "personal health care information be stored and accessed only in Canada." The laws required institutions and their service providers to notify the Minister if it received a foreign demand for personal information. All this ignores that Canadian data often crosses the border into the U.S. during transit, presumably allowing for the communications to be captured by the expansive surveillance infrastructure that seemingly tracks all Internet communications.
The dramatic shift in public opinion and attitudes hasn't been lost on European web hosting companies. Irish web host BlackNight Solutions in a recent post discussing Prism wrote:
What if you can’t trust the cloud or more correctly, what if you can’t trust the companies running the cloud to not handover your data to government? Are all Irish hosting companies immune from PRISM?
No. If servers are physically based in Ireland AND owned AND controlled by an Irish company then they are subject to Irish law. BUT If the servers are physically located outside Ireland they do not have the benefits of Irish law regardless of who owns them. A server physically located in the US is subject to US law, a server physically located in the UK is subject to UK law etc., etc.
Servers (or services) running off servers physically based in Ireland (or other parts of the EU) should be covered by EU law, but if the hosting provider is US owned then you have no guarantees.
At least the BlackNight post does qualify their statement by saying their physical network is NSA and PRISM-free, but they have no way of knowing what is happening elsewhere.
Then there is Icelandic upstart Mailpile which aims to build a 'modern, fast web-mail client with user-friendly encryption and privacy features that allow you to 'store your mail on devices you control, encrypt and share or restrict access as you see fit'. It reached its fund raising goal on Indiegogo weeks early.
The Information Technology and Innovation Foundation recently estimated that the U.S. Web hosting industry could lose tens of billions of dollars in the coming years should non-U.S. users withdraw their data. The idea that an American users could begin to abandon their US web hosting providers wasn't even considered.