Should You Trust US Companies with Your Data?

When the secure email provider known as Lavabit, which National Security Agency (NSA) intelligence leaker Edward Snowden had used, abruptly ended its service, founder Ladar Levison couldn't go into details of the shutdown for legal reasons.

However, the message Levison posted on the Lavabit home page on Aug. 8 strongly implied that he'd been pressured by the U.S. government, which can compel Internet companies to hand over confidential user data. The companies must also comply with gag orders forbidding them to even reveal the existence of the government demands.

Levison's message ended with a cryptic warning: "I would strongly recommend against anyone trusting their private data to a company with physical ties to the United States."

MORE: 13 Security and Privacy Tips for the Truly Paranoid

Mikko Hyppönen, a Finland-based security researcher, has also warned non-U.S. persons not to trust U.S. products.

"Frankly, U.S. cloud providers do not deserve foreign business as long as U.S. intelligence has legal right to do wholesale surveillance on them," Hyppönen tweeted.

Levison and Hyppönen are far from the only people whose trust in U.S.-based data companies has been shaken by recent revelations that the NSA "covertly influence[s]" these companies to gain access to their communications, according to formerly top-secret NSA documents leaked by Snowden and subsequently published by the New York Times and The Guardian.

The evidence of this loss of trust is in the numbers: the fallout from revelations about the NSA's massive communications-gathering program could cost U.S.-based cloud-computing providers such as Google, Apple and Microsoft up to a collective $35 billion in revenue over the next three years, according to a report by financial analyst Daniel Castro of the Information Technology and Innovation Foundation.

James Staton of market research firm Forrester predicts that the widespread mistrust of U.S.-based data companies is much higher, and could cost the industry as much as $180 billion, equivalent to a 25% revenue loss.

These numbers also account for increased competition from non-U.S. data companies, but even so, they clearly predict a growing mistrust of the U.S. government and, by extension, the companies under its jurisdiction.

However, the U.S. is not the only country to perform surveillance. "My view is that if you move your data to foreign servers, then you could open yourself up to surveillance by that country without necessarily avoiding surveillance by the NSA," said Jennifer Granick, the Director of Civil Liberties for the Center for Internet and Society at Stanford Law School.

So if you're concerned about your online privacy, what should you do?

NSA data requests

Section 215 of the PATRIOT Act of 2003 gives the government the ability to request that U.S. communication companies turn over information such as business records, metadata, and other "tangible things" pertaining to people involved in an investigation.

Section 702 of the FISA Amendments Act of 2008 gives the Foreign Intelligence Surveillance Court broad powers to target any non-U.S. person (defined as anyone who's not a U.S. citizen or a legal U.S. resident) located outside the U.S.

Some companies protested the Section 215 requirements, but the law dictated that they were not allowed to even disclose to their customers that these requests were happening.

For example, Yahoo CEO Marissa Mayer recently told the audience at the TechCrunch Disrupt conference in San Francisco that in 2007, Yahoo had filed a lawsuit against "the Patriot Act parts of PRISM and FISA" but lost the case.

So are both companies and customers better off looking abroad for non-U.S. data-storage options?

"It isn't that simple," said Jon Callas, chief technology officer and co-founder of secure communications company Silent Circle, which is based in National Harbor, Md. and offers encrypted text and voice conversation services called Silent Text and Silent Phone.

"Our servers are in Canada because we like their privacy laws," Callas told Tom's Guide. "We like that their legal infrastructure has privacy considerations in it. But other countries have other issues. The [European Union (EU)] has data-retention laws that cause their own privacy issues. There's no place that's perfect."

"The US can issue information requests to other countries," Granick pointed out. "There are both law enforcement and national security procedures for that. It may be that some non-US companies would be more resistant to US requests, however, and challenge them rather than meekly comply."

The EU currently has a data-sharing agreement with the U.S., but in the wake of the Sept. 5 revelation that the NSA has compromised huge swaths of Internet security, several European politicians are calling for an end to that agreement.

But many European countries issue data requests of their own, at rates comparable to the U.S.' requests when adjusted for population size, according to a report by Christopher White, director of the Privacy and Information Management practice at Hogan Lovells international law firm.

In fact, despite everything that's been revealed about the NSA's surveillance habits, U.S. law still guarantees its citizens' privacy far more than many other countries do.

"The Patriot Act is nothing special," wrote International Data Corp. research manager David Bradshaw in 2012. "Indeed, data stored in the U.S. is generally better protected than in most European countries, in particular the U.K."

In Germany, a law called the G-10 Act allowed German intelligence services to monitor and record telecommunications pertaining to a serious crime or national security threat. The G-10 Act also established an information-sharing network among Germany, the U.S. and the U.K.

On Aug. 2, however, Germany repealed the G-10 Act. "The abolition of [the G-10 Act]…is a necessary and proper consequence of the recent debates on the protection of privacy," German Foreign Minister Guido Westerwelle said in a statement.

MORE: Can You Hide Anything from the NSA?

Switzerland, a neutral country that is not part of the EU or NATO, may be even better equipped to ensure online privacy.

Within a month of the first Snowden leaks, Swiss Web hosting company Artmotion saw a 45 percent increase in revenue, presumably because companies around the world suddenly saw Switzerland as a more secure alternative.

"[Switzerland] is politically neutral," Artmotion CEO Mateo Meier told ITProPortal." Also, Switzerland is not a member of the European Union and, therefore has not been affected by the Euro crisis. As the country is outside of the EU, it is not bound by pan-European agreements to share data with other member states, or worse, the U.S.

Finland, also a neutral country that isn't part of NATO (though it is part of the EU), is currently considering a law called "Yes We Can" that would criminalize excessive surveillance from both Finnish and foreign governments.

Does that mean Finnish commercial security software, such as the security and anti-virus software F-Secure, can better protect your privacy?

Hyppönen, a security expert and F-Secure's chief research officer declined to comment for this article, saying, "I'm obviously biased."

"There's nothing we could do to assure you except to take our word as an independent software vendor coming from an independent country," Hyppönen also tweeted, though he later added on Twitter, "As a user, where do you want your cloud services to be? For most users, it would be in their own country."

That's because countries usually have no laws against surveilling other countries. "The US law has some privacy protections for people inside the US which outside storage may nullify," Granick told Tom's Guide.

Your privacy is most protected — in a legal sense, at least — in your home country.

Getting around the law

The U.S. government, particularly the NSA, has broad legal powers to acquire information from around the globe. But when legal requests fail, formerly top-secret documents leaked by Snowden suggest that the NSA has more covert options at its disposal that it can use to acquire the information it wants.

For example, another leaked document suggests that British intelligence agency GCHQ performs surveillance on over 200 fiber optic cables that carry information in transit, and shares the data with the NSA.

The fact remains that if the NSA wants to read a U.S. citizen's communications, and can prove to an internal review board that it has good reason to do so, then there's probably little in the way of technical limitations stopping the agency from doing so.

"The surveillance the NSA does over fiber optic cables is not technologically dependent on where data being transmitted is stored, though again, the rules are more liberal for the NSA if it reasonably believes that one of the communicants is abroad," said Granick.

"Going to [non-U.S.] companies doesn't really help you," said Nasir Memon, a professor of computer science at the Polytechnic Institute of New York University.

Memon pointed out that no matter what types of systems you use, "at some point, the traffic does get unencrypted… [The NSA has] to find a way into the point where it's getting unencrypted. So if I have the ability to do that, I would have a global ability to do it."

So, what's the bottom line? If you're a U.S. citizen and an average Internet user, you're probably better off using U.S.-based cloud-computing services.

If you're not a U.S. person, however, there's very little stopping the U.S. government from accessing any and all data you've stored with a U.S. company.

But that doesn't mean you can't encrypt the data you put on these sites using open-source services like GnuPG, which encrypts email, or TrueCrypt, which creates secure file containers, kind of like zip folders, or encrypts whole sections of a hard drive or disc.

Ultimately, if you really want your communications to be private and secure, encryption is your best (and probably only) answer. As security expert Bruce Schneier said in an op-ed for The Guardian, "Trust the math."

This story was provided by Tom's Guide, a sister site to LiveScience. Email jscharr@techmedianetwork.com or follow her @JillScharr. Follow us @TomsGuide, on Facebook and on Google+. Originally published on Tom's Guide.

• Hacking the Internet of Things

• Germans Give Out Linux to Windows XP Die-Hards

• Beat the FBI: How to Send Anonymous Email Without Getting Caught

Copyright 2013 LiveScience, a TechMediaNetwork company. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.