About a month ago I wrote a draft post regarding the FBI vs. Apple encryption battle going on at that time. In it I hypothesized that the attempts by the FBI to force IT companies to crack their security, and perhaps add backdoors, may have a chilling effect on IT in the United States, forcing companies to move to other jurisdictions, i.e. outside of the United States.
I didn’t publish the post because it seemed a bit far-fetched. It was an interesting topic that could be debated, but it probably wouldn’t happen, so I abandoned it.
Then yesterday I saw this:
Following the Edward Snowden revelations, governments, companies, and individuals became increasingly concerned that their data can be accessed by the US government spy agencies when it is stored in US data centres.
Perhaps my hypothetical post wasn’t such a far-fetched notion at all?
So, here is an excerpt of what I wrote related to this topic:
(March 7, 2016) Let’s use a current event to illustrate a point regarding how a public Cloud run by a huge U.S. Cloud company is not necessarily synonymous with security: FBI vs. Apple.
Today the FBI, heck most of the U.S. government, is putting a lot of pressure on Apple to crack the security on an iPhone to enable them to read the data on it, or to otherwise provide some form of backdoor. Apple is pushing back on this because to do so could effectively be the end of Apple.
If Apple were to provide the keys/backdoors necessary to recover the data on that iPhone, they would effectively be providing keys/backdoors to all iPhones, and quite probably more products or services (that are based on similar security or encryption methods) that Apple sells throughout the World. iPhones and other Apple products and services are used by customers worldwide; other governments use them, citizens of other countries use them, companies in other countries use them.
What do you think the rest of the World would do if the U.S. government were to acquire this type of access?
Do you think they would continue to use Apple products and services? Most likely not. Hence, Apple resists these efforts to avoid being at risk of significant, if not catastrophic, loss of market share.
What can happen?
Let’s assume for a moment that Apple loses, or is at significant risk of losing, this fight. Apple is a huge U.S. company, but they don’t have to be. They can be a huge Swiss company, or a huge Australian company, or a huge Irish company if they so choose. They can merely move the flag to a new location, update their website and business cards, and now the company is headquartered somewhere else, and no longer subject to the same laws, rules, and conditions being used to force their hand today. (Granted, it is a bit more complex than this, but you get the idea.)
Now, let’s assume that apple.com all of a sudden becomes apple.ch. Who now has jurisdiction over the data that they host? What laws are they subject to? Can the Swiss turn around and require the keys/backdoors as well? Would they? What happens to all that government and corporate data already on iCloud? Can it be deleted? Would we trust that it were truly gone?
Far-fetched? Perhaps
This scenario is a bit far-fetched, but the public Cloud market and the IT security/encryption market are worth hundreds of billions (trillions?) of dollars, of which the U.S. government is a small percentage, negating most of its power/leverage when solely accounting for gross worldwide revenue. When enough zeros are at stake even the most implausible scenario could become reality. While Apple was used in this hypothetical example, this scenario is applicable to any huge company providing public Cloud resources (e.g. AWS, Google, Dropbox).
What if tomorrow you woke up and you had to go to a .cn to get access to your cloud hosted data?
Undoubtedly, the U.S. government would attempt to step in and prevent such a thing from happening. Or, perhaps, there are some contractual prohibitions between your corporation and your cloud provider to prevent this, or to require that all corporate data be removed if this were to happen. But then again, is that data really, permanently, and completely gone? No, not really.
Would you trust the company hosting your data as a new .cn company? What if you couldn’t secure/encrypt your data in the U.S. any longer? Would that change your mind? Would your company move as well in order to maintain its security?
What if this did happen? What would the economic impact to the U.S. be if these enormous multi-billion dollar U.S.-based companies up-and-left? Would you follow the company to keep your job? How many jobs would be lost? How much tax revenue would be lost? I don’t know, but it is undoubtedly a big number!
Not a quick “fix”, but a permanent change
Do these efforts to create backdoors and weaken security actually fix anything? Nope.
If Apple were forced to weaken and backdoor their security (and thereby other companies, by precedent), and/or laws were created to force U.S. companies to create backdoors from now on, it doesn’t prevent non-U.S. companies from creating strong encryption and security technologies, nor does it prevent people from using them (whether “legal” or not). It definitely won’t prevent those with criminal intent from using them, which is the stated purpose/justification behind these efforts.
Occurrences in this domain are beyond the reach of exact prediction because of the variety of factors in operation, not because of any lack of order in nature.
– Albert Einstein
It does, however, change the nature of the global IT landscape.
In the end these efforts merely force companies creating and selling secure IT products and services and Cloud services to either establish their companies outside the U.S., or move them elsewhere. It moves those dollars, jobs, innovations, inventions, facilities and more elsewhere. The effects will ripple throughout the economy as local restaurants around the IT campuses go out of business, construction contractors can’t get new data center work, lawyers and accountants within the U.S. are no longer relevant because the company is now subject to another country’s laws, and so on.
Will other countries use this as an opportunity? Will they create stronger data protection laws to lure corporations that are currently based within the U.S.?
These efforts will cripple the U.S. IT economy and will ultimately and completely fail to meet their stated goal. IT companies in other countries will pop up and fill this new, lucrative, gap in services and security throughout the rest of the World.
So, will we see companies move outside the U.S.?
I don’t know. Perhaps. It depends on how far this goes and how the world reacts. But billions (trillions) of dollars are at stake, and with stakes that high anything can happen…
So, that is what I wrote. It seemed a bit hyperbolic so I didn’t post it, but in hindsight maybe I should have. Granted, Box isn’t moving its company outside the U.S. (today), but its recent move is a move in the direction of the hypothetical scenario above. Is it a harbinger of things to come?
Hopefully these efforts will subside and we can go back to being a country which encourages innovation, privacy, and security. Hopefully there hasn’t been too much damage to the image of U.S. IT corporations already. Hopefully everyone will regain their senses.