Will the PRISM revelations affect customer plans to move to Office 365?

If I were a local hosting provider operating in a country outside the U.S., I think I'd be talking to any company considering a move to Office 365 to make the case that a local provider can do a much better (if more expensive) job than Microsoft can - and keep data well away from those nasty three-letter agencies. But will the PRISM revelations have a long-term effect? We'll just have to see.

The revelations by Edward Snowden about the amount of data gathered by the U.S. government from various IT companies, including Microsoft, through its PRISM program have inevitably caused concern in companies that are considering moving some or all of their IT infrastructure to cloud services. It’s a fair concern as no one wants to have the government meddling in their affairs, even if the government assures all and sundry that everything is done through due process as dictated by the law, something of course that the government controls.

Given that Microsoft is a U.S. corporation, it is no surprise that their operations – even if conducted in places like Singapore and Ireland – come under the aegis of U.S. law, including the Patriot Act. This fact was acknowledged soon after the launch of Office 365 in June 2011 when the Managing Director of Microsoft in the U.K. confirmed that data stored in Office 365 could be made available to U.S. authorities. That access continues today. Microsoft General Counsel Brad Smith published a note (July 16) describing how Microsoft interacts with the U.S. government to respond to their requests for information. The applicable text relating to Office 365 is:

  • Enterprise Email and Document Storage: If we receive a government demand for data held by a business customer, we take steps to redirect the government to the customer directly, and we notify the customer unless we are legally prohibited from doing so. We have never provided any government with customer data from any of our business or government customers for national security purposes. In terms of criminal law enforcement requests, we made clear in our Law Enforcement Requests Report that throughout 2012 we only complied with four requests related to business or government customers.  In three instances, we notified the customer of the demand and they asked us to produce the data.  In the fourth case, the customer received the demand directly and asked Microsoft to produce the data. We do not provide any government with the ability to break the encryption used between our business customers and their data in the cloud, nor do we provide the government with the encryption keys.

I’ve received a lot of email (all of which is available to the U.S. government because I use Office 365) asking what impact the revelations are likely to have on Office 365. My response is that I don’t think the situation has changed very much. Certainly more information has come to light and the general level of consciousness has been raised about privacy and control over customer data, but the salient fact remains that governments have been retrieving information through legal means (whatever they are) from IT providers for a long time now. Once investigators might have seized magnetic tapes (including those of the 1600 bpi 9-track variety), today they simply get the required data transferred to them electronically. Or they examine data as it passes across the major pipes that make up the Internet. Let’s face it, most email is transferred between servers in unencrypted form and is perfectly available to anyone who cares to eavesdrop using utilities that are easily found. Even 128-bit or 256-bit SSL-encrypted traffic can be decrypted given sufficient computing power – and that power exists in abundance within government agencies.

The current situation creates an interesting opportunity for local hosting providers outside the U.S.  Hosted Exchange, SharePoint, or Lync is not the sole domain of Office 365. A local provider who can deliver these services will probably cost more than Office 365 because that company will not have the same advantages that Microsoft possesses. For example, their scale of operation will be much lower than exists in the massive Microsoft datacenters and their costs will be higher because they have to pay software licensing fees. On the other hand, a local hosting company in somewhere like the U.K., Australia, Germany or France can provide an assurance that customer data will remain in-country and will not come under the purview of the U.S. Patriot Act. And a local hosting company will probably provide better and more personal support than is available in Office 365 today. You get what you pay for.

It’s also probable that some companies will put a brake on their dash to the cloud and keep more applications on-premises than they originally planned. I know of a couple of companies that have already decided to proceed with an on-premises deployment of Exchange 2013 rather than to create a hybrid environment with Office 365. This might turn out to be more of a holding pattern than a long-term decision as it's possible that they are simply waiting to see what other information comes into the public domain over time.

In a funny way, Microsoft might actually welcome a slow-down in the Office 365 pipeline as it would allow them to build out their infrastructure under less pressure and to resolve some of the other problems that people report with Office 365, such as a poor first-level support experience (especially when dealing with more complex aspects such as directory synchronization or hybrid connectivity) or a lack of knowledgeable resources in the field who can help customers to migrate to Office 365.

But at the end of the day, I suspect that economic pressures will win out and that the move to cloud services will resume at pace. Governments will clarify just what they monitor (as much as governments ever clarify anything) and sufficient reassurances will be given to assuage the concerns now being expressed. The European Union will demand better control over private data and the U.S. will make whatever reassuring noises are required to keep Brussels happy. But at the end of the day, the lure of predictable costs, ever-green software, and the offloading of mundane tasks like server maintenance to cloud providers will continue to exert an attraction, especially for companies operating in the small-to-medium category.

As for me? I’ll remain using Office 365 because I find it the most efficient and effective way to run applications that keep me productive. I don’t worry about spooks reading my email because I don’t have anything in my email that is likely to get me into trouble. At least, I don’t think so…

Follow Tony @12Knocksinna

Discuss this Blog Entry 2

on Jul 19, 2013

I have heard lots of talk about this for the last month, but unfortunately the cat is out of the bag.
I have talked to several companies that have cancelled their move to the Public Cloud.
The damage has been done to the Public Cloud and most believe Public Cloud servers have backdoor access.

http://www.businessinsider.com/snowden-says-nsa-has-direct-access-to-tech-companies-2013-7

on Jul 19, 2013

Tony
We don't know the full extent of the FISA "gag" order, hence statements like this have to be carefully evaluated.

What's Tony Redmond's Exchange Unwashed Blog?

On-premises and cloud-based Microsoft Exchange Server and all the associated technology that runs alongside Microsoft's enterprise messaging server.

Contributors

Tony Redmond

Tony Redmond is a senior contributing editor for Windows IT Pro and the author of Microsoft Exchange Server 2010 Inside Out (Microsoft Press) and Microsoft Exchange Server 2013 Inside Out: Mailbox...