An Apology to my European IT Team

In 2008 I dismissed my Czech colleagues' concerns about email oversight, only to see their concerns be validated in 2013.

In 2008 when we were opening the US office for a European maker of membrane production equipment, we had all of the early IT choices someone has to make when first opening a business.

  • How should we access email?
  • What CRM tool should we use?

From our standpoint, that was easy.  We should use a Google/Apps account and Salesforce.com, both of which we’d worked with quite a bit.

You could feel the head of our Czech IT team recoil in horror over the phone.  “No, we will put a server in your office and here are the applications we’ll use.”  We pushed back, talking about how while hosted solutions were then rare in Europe, they were commonly used here in the US.  He sent us an email with highlights of the Google Terms and Conditions that would preclude us from working with them.

We sell heavy industrial equipment to entities all over the world, including some foreign governments.  Any possibility that our emails could be remotely read in one jurisdiction would make it hard to work with governments in another.

My colleague went on to make another point, “As written, someone could go into our account and take confidential information, and we would never know.  This way, they would at least have to come get our server – we would know that the information was out there and decide what to do next.”

I then argued that things don’t work that way in the US, that there is judicial oversight, extensive use of warrants and that the activities such email tracking programs pursue don’t pertain to our business.  My colleague, who grew up under Communism and had lived through the Velvet Revolution in 1989, replied,

“On one hand I’m glad you have grown up in an environment where you’re able to trust your government so much, and on the other I’m sorry to tell you that governments can change.”

As more information comes out on Prism, two criteria consistently show up by which we would have consistently triggered oversight:

  • Almost all of our emails, phone calls or other digital correspondence have a participant outside of the US.
  • Because of the sensitive nature of machine design, much of our work is sent encrypted.

Their concerns were sadly correct – they were right, I was wrong.

Edit: The Hacker News discussion thread covers most of these points in a better way than I can.

About flybrand1976

Find me on twitter @flybrand.

17 Responses to An Apology to my European IT Team

  1. Steven Don says:

    Kudos for writing this and (belatedly) acknowledging the validity of your team’s concerns. As a European, I’ve felt this way about US hosted services much longer than just the past 5 years. Governments can and do change, but while it may have grown exponentially since the 2001 attacks, I believe it’s a mistake to think this is something that happened recently. The only thing that is recent is that it is now common knowledge and that the world may need to admit that the conspiracy theorists are perhaps not such nutcases after all. Reports of things like Echelon and it being used for industrial espionage are much older. For you as a US citizen, that was probably not something you gave a lot of thought to, but for the 96% of the world that are outside the US, this hasn’t exactly been filling us with warm, fuzzy feelings about doing business with US service providers.

    • flybrand1976 says:

      What’s interesting is how many X-aaS providers talk about how market penetration in the US is so much less, and how they expect that penetration to increase. I hope they are ready to put those growth expectations on hold.

  2. Small typo: Oversight, not over site.

  3. I know the feeling–I have always been a pretty big apologist for responsible governments. I still haven’t quite shaken the feeling of distrust that formed when I read about Prism. I created a small project to help spread some awareness: http://www.prismbutton.com so that people outside the hacker news community are informed and reminded of the issues at hand.

  4. zeruch says:

    I work for a vendor that has a SaaS option, and we offer not only on SaaS but also on Premise, largely for two reasons (control it affords certain clients who may for jurisdictional or compliance reasons need such control, and for people who want to have levels of customization not otherwise allowed in a SaaS offering). I suspect there may be more interest in OnPremise from certain markets because of the fallout from PRISM.

  5. mesocyclone says:

    I think this is a bit overblown. If you want to stay out of the cloud due to surveillance, fine. But there is nothing special about the US regarding this sort of data collection. It’s almost certainly happening all over the place.

    Beyond that, unlike the communist governments, the NSA, even if it noticed the traffic, would decide pretty quickly it was uninteresting and would stop looking. And, there is judicial over-watch. It’s not like they’re fishing for commercial data for profit, or something like that.

    Better to look at France, where the government bugged Air France planes to get commercial data which they handed over to companies in France, or China, where all sorts of spying is going on.

    Frankly, I’m a lot more concerned that when I decided to use my Facebook account to make this response, the web site asked permission to grab all my Facebook info. Same with Twitter. Now *that’s* the kind of privacy violation I am more concerned about. Think about it.

    • flybrand1976 says:

      When we had this conversation in 2008 I made many of your same points and closed with something along the lines of, “we don’t do that here in the US.” My apology is more about my own naivete than it is anything else. Prior to that conversation 5 years ago, I’d never really sat down and thought about it as it wasn’t my area of focus. I was wrong. He was right.

  6. The problem is thinking that the other option is much more secure. It’s a false choice.

  9. f116373 says:

    So you’re not swayed by the response stating that no one has access to Google servers and that any data retrieval by authorities comes after warrants or court orders?

    https://plus.google.com/+google/posts/TMh6gUVrwMq

  10. The error was in believing government propaganda, which your Czech friends knew well enough not to. They claim that PRISM is used for legitimate uses, but if that is the case then why are they doing it in secret, etc? A legitimate / honest government does not need to have secret courts.

    The government has not changed – it has always been a gang of mafia thugs who have no regard for personal property or human rights…. this dates back to the American Civil War, at least, when freedom of association was defeated in favor of a union created by violence.

    • mesocyclone says:

      Nonsense on stilts. There are lots of legitimate reasons for governments to do things in secret. A legitimate, honest government needs to keep secrets when it is defending its citizens – including, especially, secrets about means and methods of intelligence.

      You write as if these secret courts are trying people who are then stuffed away in a secret cave somewhere.

  11. The US is turning into a Stasi state. Even worse, because nobody knows about it and nobody expects it. We people are allowing it, participating in it and not doing anything about it. Example on this site: why does it require access to all my contacts to post a comment?
