In June 2013 Edward Snowden, a former National Security Agency (NSA) contractor for Dell, leaked thousands of classified documents to several major media outlets. Revelations of mass surveillance programmes – most notably overseas rather than domestic – by intelligence organisations including the NSA and the UK's GCHQ have since seriously damaged trust in US businesses, US foreign policy and cybersecurity in general. It has also thrown into question the integrity of the telecoms industry.
As well as accessing information stored by major US tech companies, intelligence agencies intercepted data from fibre-optic cables. The repercussions of this are still being felt in 2014. At the end of June, Verizon lost at least one contract with the German government following allegations of NSA surveillance of government communications.
"There are indications that Verizon is legally required to provide certain things to the NSA, and that's one of the reasons the co-operation with Verizon won't continue," German interior ministry spokesman Tobias Plate commented.
Confident cloud revenues
Cloud services have been one of the largest casualties of the Snowden files. A recent survey by NTT Communications suggests 31% of surveyed information technology decision-makers have decided to move their business data "to where they know it will be safe".
The survey – which was conducted among 1,000 IT and communications decision-makers in France, Germany, Hong Kong, the UK and the US – also found that 88% of respondents are changing their cloud-buying behaviour. Many decision-makers now prefer buying a cloud service which is located in their own region, particularly in the EU (97%) and the US (92%). Significantly, 82% of all decision-makers surveyed agreed with proposals to localise regional or national networks, "ring fencing" networks to keep intra-country or intra-region data from traversing global networks.
Among non-US residents responding to a 2013 survey by industry consortium the Cloud Security Alliance, 56% said they are less likely to use a US cloud provider, while 10% said they had already cancelled a project with a US supplier over security concerns. But so far, no public US firms with significant cloud operations have noted threats to their core revenues from such moves. Far from it: recent 2014 financial reports show robust revenue growth.
Microsoft's Azure commercial cloud services revenue grew 147% on an annual basis in the second quarter of 2014. Google's non-advertising revenues – notably Nexus devices and revenue from its apps and cloud services – were up 53% year-on-year in the second quarter of 2014, but cloud revenues are not separately reported.
Amazon does not report Amazon Web Services revenue, but some might see significance in "international" revenue reported in the "other revenue" segment, which was up about 2%, year-on-year. That relatively miniscule revenue growth could represent the "Snowden effect".
Maybe, but there are other explanations for softer revenue. Amazon reported "very substantial price reductions for AWS customers starting in second quarter" of 2014, ranging from 28% to 51%, depending on the service. Likewise, Google slashed its cloud computing service prices by about 53% in March 2014, as did AWS. Any weakness could represent those price reductions, more than anything else.
Amazon does confirm that AWS is by far the biggest part of the "other" category of its reported revenue. For the second fiscal quarter, that segment represented $1.2 billion in revenue, up 37% from a year earlier. Also, in the second quarter, Amazon Web Services saw usage growth close to 90% year-on-year, Amazon reported.
Outgrowing the threat
There is an argument that the cloud market is yet to receive the full impact of the leaked NSA files. That is possible, but if the cloud market grows fast enough, even some shifts of activity might be hard to discern.
Equally, there are limited signs that the data centre segment has been directly impacted. US wholesale data centre real estate giants DuPont Fabros Technology and CoreSite Realty, for example, announced strong second-quarter results in 2014.
CoreSite data centre revenues grew 14.5% year-on-year, while the company also raised its guidance for the balance of 2014, suggesting it sees higher growth for the year. DuPont Fabros Technology reported revenue growth of 11% for the second quarter of 2014, and also raised its cash flow forecasts for the second half of 2014.
Facebook, Microsoft, Yahoo! and Rackspace Hosting accounted for 62% of DuPont Fabros revenue, with another 29 large global corporations representing the balance of revenue. One might argue that DuPont Fabros's results do not reveal much about a shift of cloud services buying away from US firms.
On the applications side of the business, SAP reported second-quarter 2014 revenue growth of 39%, year-on-year. Oracle reported a 25% increase in second-quarter 2014 revenue, while Salesforce reported a 36% increase in its most-recent quarter. Workday reported 74% first-quarter 2014 revenue growth.
It seems logical enough that spying revelations might be motivating some customers to move data to non-US facilities, but fast overall market growth could disguise the impact of such losses.
All quiet this quarter
No US cloud services or data hosting firms contacted for this story chose to comment, nor have public company financial reports included any warnings about potential sales resistance as a result of the spying issue. Mikko Hypponen, chief research officer at security firm F-Secure, has argued the spying "might" have damaged US firms financially, but he also thinks the damage has been relatively slight.
Nevertheless, surveys since 2013 have consistently found that buyers are concerned about keeping sensitive data in the cloud. But at least a couple of surveys suggest those concerns predated the Snowden revelations. A third of IT security professionals do not keep corporate data in the cloud because of fears of government surveillance, with the majority of them preferring to store sensitive corporate data within their own networks, a survey sponsored by Lieberman Software found in March 2014.
Ironically, an earlier Lieberman Software study in November 2012 – prior to the Snowden revelations – found 48% of respondents were discouraged from using the cloud because of fear of government snooping, while 86% said they preferred to keep sensitive data on their own network, rather than the cloud.
"These findings indicate that trust in the security of the cloud has increased over the past year," Lieberman Software says.
To be sure, a few US firms reported an initial sales dip after the Snowden revelations. One can point to a few instances where firms such as Cisco have reported significant sales slowdowns, but the Edward Snowden revelations might not have been the primary and principal cause of the sales dips.
Cisco reported a second-quarter 2013 sales drop of 10% in China, a development Cisco attributed to the impact of revelations about NSA spying. But the dip in sales in China also could also be an act of retaliation by the country's government against the US ban on purchases of services and equipment from Huawei and ZTE. Brazil and the EU, which had used US subsea cables for intercontinental communication, decided to build their own cables between Brazil and Portugal, and gave the contract to Brazilian and Spanish companies. Brazil also went one step further, abandoning plans to use Microsoft Outlook for its own email system at its Brazilian data centres.
Runbox, a Norwegian email service that markets itself as an alternative to services such as Gmail, says it does not comply with foreign court orders seeking personal information. It reported a 34% annual increase in customers after news of the NSA surveillance.
The Indian Infosec Consortium, a government and private sector-backed alliance of cybersecurity experts, opposed a proposal by India's Election Commission to use Google to improve voter access to information. The Election Commission dropped those plans.
But these examples aside, the impact of the spying scandal has so far be limited and transitory, even if that is not the widespread impression.
According to Reuters, Google and Facebook privately claim they have not seen significant and negative revenue implications. Google employees told Reuters that the company has seen no significant impact on its business, and a person briefed on Microsoft's business in Europe likewise said that company had had no issues.
At Amazon – which was not named in Snowden's documents, but is seen as a likely victim as it is a top provider of cloud computing services – a spokeswoman said global demand "has never been greater", without specifically addressing any "Snowden effect".
How has the industry fought back?
On a broader level, virtually all cloud services firms might have been negatively affected, as new concerns about the security of cloud data have emerged. US providers are taking steps to limit the damage. At the World Economic Forum, Microsoft said it would allow firms to house their data on servers located only outside the US. IBM is also building 15 new data centres internationally to serve companies sensitive about the security of data housed in US facilities, while Salesforce has similar plans.
Company responses to customer concerns take a number of forms. Microsoft and Google are encrypting communicated data. Privately and in public, cloud computing firms are telling US officials that the surveillance policies must be limited.
Google, Microsoft, Facebook, Apple, AOL, LinkedIn, Twitter and Yahoo! have all called for sweeping reforms to how US intelligence agencies go about gathering data in bulk and restrict the ability of service providers to inform their customers on the extent and nature of government requests for such data. Greater transparency about US government surveillance practices, as well as new limits on such surveillance, are viewed as the key steps to restore the reputations of US-based firms.
Google also has moved to make access to Google-stored and processed data more difficult, such as by encrypting Gmail. Though it is hard to quantify, some non-US firms indicate they are gaining business that might otherwise have gone to US suppliers.
Thales, for example, won a contract to supply secure internet connections to 900,000 future users of the French government's inter-ministerial network. Concern about security "has had an impact on the business", says Cyril Autant, Thales' space and information systems security manager.
Just how big that impact has been is the issue. Some observers privately argue that public estimates of lost revenues are impossible to verify, but those estimates are significant.
The US cloud computing industry, for example, could lose between $22 billion and $35 billion in worldwide sales between 2014 and 2016, the Information Technology & Innovation Foundation (ITIF) has estimated. That is based on a loss of half of cloud computing services market opportunities.
Others think that estimate is too low. "We think this could be as high as $180 billion or a 25% hit to overall IT service provider revenues in that same timeframe," says James Staten, Forrester Research VP and principal analyst. In other words, the global impact could extend far beyond the fortunes of US-based suppliers.
Collateral damage
Suppliers in other countries than the US could also be affected, losing $35 billion in revenue by 2016. Also, losses in the rest of the hosting and outsourcing market – estimated by Forrester Research at three times the size of the cloud market – would bring total revenue losses up to $100 billion for non-US providers.
The latest forecast by the Telecommunications Industry Association (TIA) is inconclusive on that matter. Arthur Gruen, principal at Wilkofsky Gruen Associates, points out that there is an overall shift of spending by enterprises from "in-house" to outsourced or cloud-supplied services.
But the possible impact of spying concerns is hard to discern in forecasts released by the TIA for US revenue growth. The TIA's 2014 US cloud computing revenue forecast calls for $67.8 billion in revenue, up from $56.2 billion in 2013 and $47 billion in 2012. Those years cover the 2013 Edward Snowden revelations, as well as the year before and after.
The TIA forecast calls for $107 billion in cloud computing revenues in 2017. In that view, even if the portion of the market addressable by US firms is affected by security concerns, the overall market is likely to grow enough to allow firms to offset potential share losses through access to a larger market.
The bottom line is that, despite many predictions that the Snowden revelations will harm US cloud suppliers, the latest financial reports do not show the impact, at least in part because the overall market is growing fast enough to compensate.
That does not mean US firms are not losing business, but simply that they are not talking about it.
