👤flybrand🕑12y🔼528🗨️92

(Replying to PARENT post)

Hrm, I wonder what the chances are that someone at the NSA or doing contract work for the NSA has a buddy at a company and that person decides to use their NSA powers to get their buddy's competitor's emails from Google Apps and send those emails to their friend. If there are safeguards in place to keep this from happening, how was Snowden able to take so many documents with him when he went to Hong Kong? OK, so maybe he didn't take any of that kind of data; maybe I'm reaching. If this kind of thing did happen, would they let the affected company know? Would anyone know?
👤btipling🕑12y🔼0🗨️0

(Replying to PARENT post)

Seems odd that someone wouldn't have understood that even 10-15 years ago. Outsourced means being exposed to risk from your supplier -- by the company itself, by its employees, or by governments. Gmail has somewhat better technical security to protect from outside non-state hackers than your average self-hosted Exchange server, and from insiders (the IT guy, like Snowden, may not have the same goals as the organization...), but that may or may not make up for the ease of serving a third-party communications service provider.

I still prefer well-run self-hosted mail unless:

* You have a <6 month retention policy (i.e. so ECPA's weaker protections are a non-issue) (which can be specified in Google Apps for Your Domain)

* You don't have the technical competence to run your own mail server (which gets complicated in a larger organization due to HR risk), or don't have the business competence to hire a contractor to run it in-house in such a way that their staff don't become a huge risk.

There's a third way which would be a lot better for everyone, but it's not technically feasible yet -- a way to outsource some aspects of the server without giving up control.

👤rdl🕑12y🔼0🗨️0

(Replying to PARENT post)

While OP's apology is appreciable, there was more than enough information available in 2008 to understand that his Czech colleagues were right.

The Prism scandal may have come as a surprise to US citizens, but the US has been spying on foreign nationals and companies for years, and we've long known about it - haven't you heard of Echelon? It was also well known that these systems were used for industrial espionage.

👤Camillo🕑12y🔼0🗨️0

(Replying to PARENT post)

Sadly, the NSA programs are strongly anti-business as they are based on 'trust in me'.

American businesses could and should lobby Congress to fight this and to find ways to protect US stored data; I know I wouldn't trust a Chinese cloud company not to snoop or steal business/corporate ideas and trade secrets.

But if there were assurances for US cloud businesses that this doesn't affect their business ideas accidentally or deliberately then we could set a global example on how to run cloud data storage that is safe and business friendly. There is an opportunity here for Google, Amazon, Apple etc for cloud data.

Lots of damage control to be done here for international clients. As an American I would always trust our systems more but international companies may have a very hard time trusting without the US being a shining example of how to correctly protect business data in clouds here, especially encrypted data that is automatically subject to storage/filtering if international.

👤drawkbox🕑12y🔼0🗨️0

(Replying to PARENT post)

It doesn't take much reading of the literature to understand industrial espionage or any of the other substantive risks of outsourcing. Prism or not, when you put your intellectual property on someone else's networks you are taking a risk.

Yet most of the managers I see who make this decision just don't care. They ignore the advice of their systems admins and follow the old adage "you can't get fired for buying IBM" like sheep to a slaughter. It's typical of the short-term mindset that drives so many business decisions.

I chalk this up to a lack of education, both in business and IT. While CS professors obsess over data structures and algorithms, and non-IT departments preach about the relevance of the next quarter's results, "Rome is burning".

👤pconf🕑12y🔼0🗨️0

(Replying to PARENT post)

I just wonder why telcos I've been dealing with have always required encrypting all information which is not classified as public information. All customer, project, system, configuration, documentation, contracts etc. must be encrypted before transit. Surely they must have known about this. So if telcos won't trust the privacy of telecommunication, why should anyone else think that telcos are trustworthy?
👤Sami_Lehtinen🕑12y🔼0🗨️0

(Replying to PARENT post)

The author is overlooking one major flaw in his discussion: security (and possibly also reliability). His implication is that they can run internal servers more securely than Google and Salesforce. While government collection of encrypted emails is problematic, securing your own server and making it reliable is an entirely different issue. Unless they have an absolutely top notch security team they'd be better off on someone else's servers.
👤driverdan🕑12y🔼0🗨️0

(Replying to PARENT post)

How nice that finally there is understanding that web-based services are good for providers and third parties, not users.

It's so obvious.

👤mironathetin🕑12y🔼0🗨️0

(Replying to PARENT post)

Hosting the email on a server in your office is no protection if the data is being captured at your ISP unless all email is transmitted using SSL, and even then govt probably has that cracked long ago.
👤jojobe🕑12y🔼0🗨️0

(Replying to PARENT post)

I wonder if this problem is particularly acute for Eastern European companies who often sell their products to despicable despotic regimes.
👤frozenport🕑12y🔼0🗨️0