The Price of Privacy in the Cloud: the Economic Consequences of Mr

The Price of Privacy in the Cloud: The Economic Consequences of Mr. Snowden∗

Hyojin Song† Simon Wilkie‡

This Draft: February 2017. First Draft: November 2015.

Abstract

Cloud computing involves distributed and shared use of computing facilities in a network. This offers end users new flexibility and lower sunk costs. As a result, the cloud computing market has exhibited phenomenal growth. However, Edward Snowden’s revelations of the NSA’s spying program in 2013 degraded the privacy reputation of the US-based cloud service providers. We examine the economic impact of the Snowden revelations using a panel dataset of global cloud revenues across service types and vendors. We assume that the Snowden revelations are a negative demand-shock “treatment” for US-based providers, and regard non-US-based firms as the control group. We find that the revelations decreased the growth rate of revenues of US providers by 11% from Q3 2013 to Q4 2014. The expected losses to the US cloud industry are at least $18 billion. Following the treatment there is a significant price cut. We then evaluate how users and cloud service providers changed their behavior using Microsoft’s free trial database and 18 online service providers’ privacy policies. We show that firms’ strategic reactions led to lower prices with a higher quality of privacy protection. Hence paradoxically, Snowden may have lead to greater US market share in the long run.

∗The views expressed are those of the individual authors and do not necessarily reflect official positions of Microsoft Corp. We would like to thank John Conley, Amit Gandhi, Dawoon Jung, Daniel Klerman, Ryan Martin, John Matsusaka, Preston McAfee, Ricardo Perez-Truglia, Brijesh Pinto, Brian Quistorff, Justin Rao, Geert Ridder, Goufu Tan, Catherine Tucker, Microsoft Chief Economist team, and Microsoft Azure development team. We would like to thank seminar or conference participants at Microsoft Research (Economics Team Lunch Seminar), Microsoft Windows Privacy Offsite, USC Law School Class Workshop, and ACM Workshop on Economics of Cloud Computing 2016. †[email protected]. Address: Microsoft Research, Office of Chief Economist, Office 4617, 14820 NE 36th St, Redmond, WA 98052, United States ‡[email protected]. Microsoft Research, Address: Microsoft Research, Office of Chief Economist, Office 4618, 14820 NE 36th St, Redmond, WA 98052, United States; Dep. of Economics, University of Southern California; Law School, University of Southern California, Los Angeles, CA 90089

1 JEL Classiﬁcation: D78, E65, H56, M38, O14 Keywords: Privacy; Snowden Revelation; PRISM; Cloud Industry; Government Surveillance

2 1 Introduction

The transition to cloud-based computing services is widely believed to be the most signiﬁcant technological change since the advent of the Internet. In particular, the adoption of cloud computing lowers sunk costs to end users and facilitates rapid innovation and the development of new businesses.1 As a consequence, the cloud computing market has exhibited phenomenal growth since 2009.

On June 5, 2013, the Guardian published a bombshell. Edward Snowden, a National Security

Agency (NSA)2 analyst, had leaked thousands of classified documents that revealed the existence of the NSA’s domestic spying program.3 Snowden revealed that US telecommunications firms handed over meta-data on every international phone call to and from the US to the NSA. He also revealed the existence of a surveillance program called PRISM4 through which major US technology firms, including AOL, Google, Microsoft, and Yahoo! handed over emails in response to requests by the NSA. Perhaps even greater concerns was the revelations that the NSA, with the British Government Communications Headquarters (GCHQ),5 had tapped into 200 undersea optic fiber cables handling 600 million telephone events each day.6 Since most of the world data

ﬂowing through these pipes, this amounted to spying on an unprecedented scale.7

The international legal blowback8 was signiﬁcant. In particular, several countries including

Brazil9 and Russia10 passed “data sovereignty” laws requiring that their citizens’ and corporations’

1For example, companies such as Netﬂix, Uber and Airbnb all reside on AWS, Amazon’s cloud platform.Amazon Web Service has a dominant market share which accounts for 31% in the worldwide public cloud market in 2015. https://www.srgresearch.com/articles/aws-remains-dominant-despite-microsoft-and-google-growth-surges This is because cloud services enable users to both store their data and access software with computing power on “virtual machines” that exist in remote data centers. 2https://www.nsa.gov/ 3http://www.theguardian.com/world/2013/jun/06/nsa-phone-records-verizon-court-order 4http://www.theguardian.com/world/2013/jun/06/us-tech-giants-nsa-data 5US and UK intelligence jointly shared collected data with Australia, Canada and New Zealand as the Five Eyes partnership. http://www.theguardian.com/world/2013/jun/22/nsa-leaks-britain-us-surveillance 6NSA and GCHQ have a joint surveillance program from 2008. http://www.theguardian.com/uk/2013/jun/ 21/gchq-cables-secret-world-communications-nsa 7Appendix A.1 provides more details about the Snowden revelations. 8Florek (2014) summarized legal issues related to the PRISM revelations. 9On April 23, 2014, the Marco Civil was passed in law and the law includes the ability to require that data about Brazil be stored in Brazil. https://www.insideprivacy.com/international/ brazil-enacts-marco-civil-internet-civil-rights-bill/ 10Russia’s new data localization law, Federal Law No. 242-FZ, was adopted in July 2014 and is in eﬀect from September 1, 2015. Under the data localization law, personal data of Russian citizens must be collected, stored,

3 data be housed in data centers within their territorial borders. The European Court of Appeals struck down “safe harbor” agreement11 which by default allowed EU data stored in the servers of US ﬁrms to meet EU privacy regulations. We would certainly expect ordinary citizens and other users to respond to the revelations as an individual.

The aim of this paper is to evaluate the economic impact of the Snowden revelations on the cloud computing industry and in doing so shed light on the value of privacy. We examine whether the Snowden revelations affected the rate of adoption of US-based cloud computing services relative to non-US-based services. To isolate the causal effects, we use difference in differences

(DID) analysis using a unique panel dataset of firm revenues. We hypothesize that the US-based providers are the treated group and the non-US-based firms are the control group, where the treatment is the Snowden revelations. Due to customer lock-in and the rapid rapid growth rate of the cloud computing industry, we use the growth rate as the dependent variable rather than the level of revenues. One of our challenges is fluctuations in prices arising from the price war given the rapid growth of the global cloud industry. Our paper includes various specifications around the price war and we also examine Microsoft’s free trial cloud usage patterns to isolate the price changes. We then show changes in privacy polices of 18 US technology companies comparing before and after the Snowden revelations.

The results suggest that the Snowden revelations decreased the growth of revenues of US providers by 11.3%. The corresponding expected losses to US cloud providers are $17.74 billion in the Q3 2013 to Q4 2014 period.12 Our finding is robust to the results from alternative techniques, the fixed effects estimation and the synthetic control. We find that firms’ strategic reactions to the Snowden revelations led to lower prices with a higher quality of privacy protection.

This paper contributes to a series of recent studies on the economics of privacy.13 The most

and processed in/from databases located in Russia. 11On May 31, 2000, the US and the EU reach the “Safe Harbor” agreement on the terms under which privacy of personal information can be guaranteed in a context of international data flows. Safe Harbor implies that data held by US firms was sufficiently secure to comply with the EU “right to privacy.” The details about the origins are explained by Farrell (2003). 12The Q3 2013 to Q4 2014 period is 6 quarters after the Snowden revelations. 13Acquisti et al. (2015) summarized various streams of theoretical and empirical issues on the economics of privacy. Beresford et al. (2012) and Preibusch (2013) measured the value of privacy using a field experiment approach. The recent studies on the value of privacy include Savage and Waldman (2013), Bonneau and Preibusch (2010), and Acquisti et al. (2006)

4 relevant study on the value of privacy is Marthews and Tucker (2014). The authors estimate how the Snowden revelations changed users’ search behavior using Google search terms. They

find a significant short-term reduction in the number of sensitive Google search terms such as various illicit drugs. Although the evidence suggests that privacy concerns affect behavior, it does not address the impact on the economic agents’ purchasing decisions. Our paper fills the gap by providing the empirical evidence of economic impact in both consumers’ cloud adoption decision and firms’ strategic decision changes.

There are a few recent studies about the magnitude of the economic impact of the Snowden revelations on the US cloud computing industry. Castro (2013) argues that the US cloud computing industry will lose $21.5 to $35 billion over the period 2014 to 2016. In contrast,

Ferrara et al. (2015) argues a negligible eﬀect of the Snowden revelations using Forrester’s

Business Technographics Global Infrastructure Survey, 2014. Unfortunately, both lacks any sophisticated research design. Castro (2013) calculated the magnitude based on ad hoc hypothesis and Ferrara et al. (2015) used subjective survey data. To the best of our knowledge, our paper is the ﬁrst to provide economic research design to measure the impact of the Snowden revelations.

The paper is organized as follows. Section 2 presents an overview of the cloud computing industry and the two main events in the cloud industry relevant to our study. In Section 3, we specify a discrete choice model of cloud adoption. Section 4 describes the data and our empirical strategy. Section 5 details our estimation results. Section 6 investigates non-price eﬀects. Our conclusions are presented in Section 7. Finally, the Appendix shows further empirical evidence supporting our results.

2 Background

2.1 A Primer on Cloud Computing

While different cloud computing professionals may disagree on the exact definition of cloud computing, the essential component of the definition is shared access to infrastructure and computing capabilities. The US National Institute of Standards and technology (NIST) defines cloud computing as “. . . a model for enabling ubiquitous, convenient, on demand network access

5 to a shared pool of conﬁgurable computing resources.” Often cloud service providers are divided into three categories; Software as a service (SaaS) which include oﬀerings such as Google Apps or salesforce.com, Infrastructure as a service (IaaS) providing computing infrastructure such as

Amazon’s AWS or Telefonica Cloud, and Platform as a Service (PaaS) which includes network, operating system and storage access for sale. Examples include Amazon’s AWS Database

Services, Microsoft’s Azure and Google’s Cloud Platform. Cloud offerings are often also broken into categories of public, private and hybrid. In the public cloud, many users’ workloads are shared on the common servers and hardware, application and bandwidth costs are covered by the provider. In the private cloud, a single user has dedicated private racks of servers and thus, users have the control of maintaining their own data center. Hybrid offering is a mixture of public and private. Users maintain control of an internally managed private cloud but still rely on the public cloud. Without a modifier, “cloud” refers to the public cloud.

There are two key developments that have driven the adoption of cloud computing. The

ﬁrst is the increase in availability and falling price of high capacity connectivity such as gigabit

Ethernet (and higher). The second is the development of “virtualization,” which allowed the creation of virtual machines that may reside across several physical machines in a data center.

Virtualization yields significant economies of scale: larger server farms with more machines have a lower marginal cost of adding virtual machines due to scale efficiencies. Thus, the adoption of cloud computing allows client firms to rent computing power “on demand” rather than incurring sunk capital costs. Because usage demands are random and heterogeneous, the cloud operator can, by virtualization, reap increasing returns to scale by “reselling” capacity and computing powers. Although this ability varies across data centers, the reader could assume that a cluster of 24 servers can be resold as up to 300 VMs. Papers with relevance to cloud-computing include

Lerner and Rafert (2015), Lerner (2011), Yoo (2011), and Bayrak et al. (2011).

Because of lowered sunk costs and increased ﬂexibility for end users, the introduction of cloud computing lowers barriers to entry in many industries. According to Etro (2009), the adoption of cloud computing could lower economy-wide ﬁxed costs by up to 5%, resulting in an increase in GDP growth of 0.3% across 27 European countries and the creation of around

430,000 new small and medium enterprises. Thus, any impact of the Snowden revelations on the

6 rate of cloud adoption could potentially have signiﬁcant macroeconomic impacts. These impacts are of particular concern to European governments, given the lag of new technology adoption in

Europe compared to US-based enterprises, as documented by Bloom et al. (2012). They find that the greater adoption and more efficient use of information technology by US firms explains much of the difference in growth between US and Europe in the 1990s.

2.2 Snowden Revelations and Price War

2.2.1 The Snowden Revelations: PRISM

In June 2013, Edward Snowden revealed the existence of a government surveillance program code-named PRISM.14 The PRISM program collects “audio and video chats, photographs, e- mails, documents and connection logs”15 via direct access through the servers of US Service

Providers, AOL, Apple, Facebook, Google, Microsoft, PalTalk, Skype, Yahoo, Youtube.16

Historically, PRISM was used as a foreign surveillance program implemented to monitor terrorists’ communications more eﬃciently following the September 11 attacks.17 The purpose of this data aggregation program was to allow law enforcement oﬃcials to obtain targeted communications without having to request data from the service providers. However, the

PRISM revelations have raised a number of privacy concerns. There has been signiﬁcant policy blowback since then. Several countries, including Brazil, Germany, and Russia, have passed

“data sovereignty” laws which require that citizens’ and domestic corporations’ data are stored within their national boundaries and thus insulated from the known NSA intrusion points in the telecommunications infrastructure. More recently, the European Court of Appeals struck down the privacy “safe harbor” agreement between the US and the EU. In particular, the Court ruled that it could not be presumed that US-based ﬁrms such as Google, Facebook or Microsoft could

14The Snowden revelations contain several disclosure including the PRISM and Tempora starting from June 6, 2013. However, we consider the PRISM revelations as a direct causal mechanism to distort people’s bahaviors toward the cloud computing services. 15Barton Gellman and Laura Poitras, US, British intelligence mining data from nine US Internet companies in broad secret program, Washington Post, (June 6, 2013). 16NSA Slides explain the PRSIM data-collection program, Washington Post, (June 6, 2013) http://www.washingtonpost.com/wp-srv/special/politics/prism-collection-documents/?tid=a_inl 17PRISM was authorized under the 2008 Amendment of Section 702 of the Foreign Intelligence Surveillance Act of 1974 (FISA).

7 suﬃciently guarantee to protect an European individual’s right to privacy.18

2.2.2 Price War

Our data set contains estimates of firm revenues by class of cloud services. However, within a class, there may be many product categories and associated prices. We do not have times series of firm level prices by product line. However, we do observe one significant price change event.

Isolating the reduction in cloud service utilization from the Snowden revelations is complicated by changes in prices. However, in this paper, the price war refers to the substantial reduction in prices of cloud services in the March to May, 2014 period by the major US cloud service providers

- Amazon, Google and Microsoft.19 The price war started from Google’s decision on March 25,

2014 to cut prices 32% across all regions, sizes and classes. On the next day, Amazon matched

Google’s price. The price changes of Google and the AWS were eﬀective on April 1. On March

31, Microsoft cut prices on compute by up to 35% and storage by up to 65%, and the lower price were eﬀective on May 1.20 Controlling for these steep price cuts is important in estimating the impact of eroded privacy on the adoption decisions of cloud service consumers.

This reduction in prices is consistent with models of intertemporal competition such as Green and Porter (1984) and Abreu et al. (1986). When the Snowden revelation occurs, the negative demand shock hits the cloud computing market. The negative shock lowers demand and the cloud industry entered a reversionary episode and cut prices. Although this effect is significant, it is of course a “one off” event.

18Most recently the EU and US have negotiated “Safe Harbor Two” which develops a new framework for moving data to the US. See https://www.ftc.gov/tips-advice/business-center/privacy-and-security/u.s. -eu-safe-harbor-framework 19https://www.battery.com/powered/the-real-story-behind-the-awsgooglemicrosoft-cloud-price-war/ 20https://azure.microsoft.com/en-us/blog/microsoft-azure-innovation-quality-and-price/

8 3 The Model

3.1 Privacy and Discrete Choice Model of Cloud Adoption

In this section, we specify a simple dynamic model of consumer preferences and explain our research design. Cloud services are a relatively new technology, beginning in 2009 and are thus subject to signiﬁcant uncertainty in the optimal decision rule to delay many ﬁrms’ adoption.

Firms face a dynamic decision to adopt a new technology (cloud computing) with costly transition.

In each period, t, the alternatives are to adopt a cloud platform such as AWS or Orange. The outside option is to remain with current in-house server-based technology. This class of problems

– the choice of when to adopt a new technology has a long history in economics.

Notable contributions include Bernanke (1983) who examines the role of uncertainty in irreversible investment decisions. Although here the choice is not formally irreversible, there are signiﬁcant adjustment costs, in particular, porting data out of a platform and any application incompatible across platforms. Bernanke shows that uncertainty increases the value of waiting for new information and thus, it decreases the current rate of investment. The Bernanke optimal decision rule is as follows:

“Invest in an irreversible project in period t if and only if: Cost of delays ≥ Probability that a current commitment will be revealed to be a mistake in t+1 times expected cost of the mistake, given that a mistake is revealed in t+1.” Bernanke (1980)

There is a large empirical literature applying this real option logic based to individual choice data. Signiﬁcant contributions include Kellogg (2014), Gowrisankaran and Rysman (2009) and

Dub´eet al. (2014).

If ﬁrms are concerned about NSA spying and data breaches, we can think of the Snowden revelations as an unexpected shift in the distribution of costs. Hence, both the probability that a commitment to a US cloud platform is a mistake and the expected cost of that mistake are increased. Thus we would expect a slowdown in cloud adoption and substitution from US to non-US cloud platforms.

9 3.2 Full Information Case

Consider a consumer who is deciding whether to invest in cloud platform i at time t. The net utility per period uit is composed of a beneﬁt fit representing the consumers’ valuations toward product i, a disutility from price pit, and a disutility from privacy concerns qit.

uit = fit − pit − qit

If a consumer chooses the outside option (i.e. i = 0), none of the cloud products are chosen and

1 we assume that the corresponding utility is normalized to zero (i.e. u0t = 0). Let β = 1+r denote the real discount factor. There is an adjustment cost, A of changing platform:

  A if you swith in time t A(t) =  0 if you do not switch

The expected utility U from investing in cloud platform i is as follows:

∞ X t U = β [uit − A(t)]. t=1

Consider the case where a fully revealing signal arrives at time 1 and prices are constant. Thus, net utility is constant for each option. As a simple example, let us consider two cloud platforms, x and y. The net utility per period, ux and uy, are ux = fx − px − qx and uy = fy − py − qy. If a consumer chooses the cloud platform x, the expected utility Ux will be given by

∞ X t Ux = β ux − A t=1 u = x − A r

10 Similarly, if y were chosen, the consumer would receive:

∞ X t Uy = β uy − A t=1 u = y − A r

Recall utility is zero (i.e. u = 0) if the outside option is chosen. Notice that if utility ﬂows are constant, you will never switch more than once. Under full information, x is chosen if and only if ux ≥ rA and ux ≥ uy. The optimal platform choice rule at time 1 is

x, if and only if ux ≥ uy and ux ≥ rA

y, if and only if uy ≥ ux and uy ≥ rA outside option, otherwise

Let us deﬁne ci as ci = pi + qi + rA for i = x, y. Due to the Snowden revelations, the threshold

0 0 moves from cx to cx (cx > cx) while holding cy constant. To illustrate, consider the case where all consumers’ valuations fit for the good are uniformly distributed on [0, 1]. There are three cases

0 0 0 with respect to the relative prices of cx, cx and cy: (1) cx < cy and cx < cy, (2) cx > cx > cy and 0 (3) cx < cy and cx > cy. The optimal rule, illustrated in Figure 1(a) and Figure 1(b), shows the impact of the Snowden revelations.

11 0 Figure 1: Case 1 (cx < cy and cx < cy)

f y1 Y2 Y1 X2 cy

(a) O1 X1

0 cx 1 fx f y1 Y3

(b) O2

0 0 cx cx 1 fx

The area Y3 represents the size of consumers’ migration from platform x to platform y. The area O2 represents the size of consumers moving from platform x to the outside option.

0 Area(O2) = (cx − cx)cy

0 Area(Y3) = (cx − cx)(1 − cy)

Case 2 and 3 are illustrated in Appendix A.2.

3.3 A Model with Signals

More generally, suppose that the true value, (cx, cy) is not known till the last period, T .

Consumers receive a signal, (xt, yt) about the relative value of each platform in period t where

12 t ≤ T . x = c + x t x tn y = c + y t y tn

u x, y ∼ (m, m)

We assume that x and y are uniformly distributed over (m, m). The shaded regions in Figure 2 show the potential area that a signal (xt, yt) can arrive in period t. A deviation from the true value depends on time t and the speed of convergence, n. xt and yt approach the true value, cx and cy as t goes to ∞. That is,

xt → cx and yt → cy as t → ∞

As t increases, the size of the shaded region shrinks. This illustrates that the level of accuracy increases via the updating process.

Figure 2: Shrinkage of Regions

f f f y1 y1 y1

cy cy cy

0 cx 1 0 cx 1 0 cx 1 fx fx fx

t increases

13 Figure 3: Shrinkage of Regions

f y1

0 cx 1 fx

To illustrate the Snowden revelations with signals, we consider two characteristics of the demand shock in a two platform market: (i) Negativity and (ii) Asymmetry.

(i) Negativity

The Snowden revelations are a negative demand shock to both platform x and y which increases the thresholds for platform x and y to be chosen over outside good. That is,

x > 0 and y > 0

(ii) Asymmetry

The shock to each platform is asymmetric and thus the size of a negative shock to platform x and the size to y are diﬀerent. Suppose that the negative eﬀect to platform x is greater than platform y, i.e.

x > y

In our empirical analysis, x is the US-based cloud platform and y is the non-US-based platform.

The shaded triangle in Figure 4(a) is the region satisfying the two above conditions.

14 Figure 4: The Eﬀects of Snowden Revelations at time t

f y1

(a)

0 cx 1 fx f y1

n cy + y/t cy

(b)

n 0 cx cx + x/t 1 fx f y1 yy yx

cy 0y

0 cx 1 fx

* (a) implies represents two conditions: negativity and asymmetry. (b) shows when the signal arrives in the shaded region and (c) describes the impact of the Snowden revelations.

Once a signal arrives, consumers choose a platform which reveals their preferences. At T ,

(cx, cy) will be revealed at which time regret among some consumers may ensure. We can deﬁne the following choice set by consumers’ decision at t and their true value at T :

15 {xx, yy, 00, 0x, 0y, x0, y0, xy, yx} xx, yy, and 00 are the case that adoption in period t is consistent with the true value. Delay is deﬁned by the subset of choices, {0x, 0y} and Regret is deﬁned as {x0, y0, xy, yx}. The Snowden case is illustrated in Figure 4(c). In our simple example, the area of Delay can be calculated as follows: Size = x c + y c + x y Delay tn y tn x t2n

Thus, as in the full information model there will be two eﬀects (i) a slow down in the adoption of cloud services (increased delay) and (ii) substitution to non-US providers.

4 Data and Empirical Strategy

We use data on cloud service providers’ total revenues collected by Synergy Research,21 a sister company of Telegeography.22 Synergy publishes quarterly market share reports for the cloud service market using the Synergy Interactive Analysis Data Base and Research Tool. Their estimates are based on quarterly surveys and data from service providers as well as Telegeography’s service provider databases, research, and analysis of ﬁnancial reports.

We construct a unique panel dataset of 111 cloud service providers from the first quarter of 2009 to the fourth quarter of 2014. We categorize cloud firms based on the location of each service provider’s headquarters. According to this categorization, there are 51 US-based firms and 60 non-US-based firms in our dataset.

Synergy breaks the cloud service industry into four sectors: (a) Cloud Infrastructure which includes IaaS, PaaS and Private/Hybrid, (b) Rental colocation, (c) Managed hosting, and (d)

CDN. Colocation refers to a common space where ﬁrms can install cloud hardware such as server racks. Managed hosting goes beyond colocation to providing the hardware. CDN refers to content delivery networks such as Akamai. Content delivery networks provide local hosting of

21https://www.srgresearch.com/ 22https://www.telegeography.com/

16 content in a distributed server network to accelerate the delivery of web-based content (e.g., New

York Times). Table 1 presents total revenues summary statistics in four sectors.

Table 1: Summary Statistics of Quarterly Total Revenues ($million)

Worldwide

Variable Mean Std. Dev.

Total Sample 73.83 120.749

Cloud Infrastructures 12.989 62.186

IaaS 6.657 45.335

PaaS 3.389 18.469

Private & Hybrid 2.943 9.000

Rental Colocation 22.695 48.679

Managed Hosting 30.981 60.216

CDN 7.165 34.142

Observations 2664

Source: Synergy Quarterly data between Q1,2009 and Q4, 2014.

We now address the three challenges in estimating the economic impact of the revelations. To isolate the causal effects, we use difference in differences (DID) analysis. The Snowden revelations are an exogenous shock to cloud service providers. If the Snowden revelations affected public trust in the integrity and security of data held with the US-based cloud firms, consumers would purchase products less from the US-based cloud firms. In this research, we consider the US-based cloud computing companies as “treated firms” and the non-US-based cloud computing companies as the set of control firms. Some may concern if the control group contains affected units as the Snowden revelations include the Five Eyes’ international surveillance programs. The Five

Eyes is an intelligence alliance comprising Australia, Canada, New Zealand, the United Kingdom and the United States and has developed a series of bilateral agreements from 1946. Members of this group shared certain classiﬁed information on an expedited basis. We constructed the

17 alternative control group excluding 19 ﬁrms which have their headquarter23 in four countries,

Australia, Canada, New Zealand and the United Kingdom.

Table 2: Size of Cloud Industry over Time ($ billion)

2009 2010 2011 2012 2013 2014

World-wide 31.037 36.908 43.188 49.766 55.984 63.794

US 9.643 11.534 14.636 17.847 21.949 27.193

Non-US 11.550 13.117 15.263 16.784 17.763 19.403

Cloud Services 1.191 2.010 4.169 6.995 10.855 16.078

IaaS 0.660 0.916 1.963 3.298 5.307 7.939

PaaS 0.270 0.631 1.198 1.915 2.868 4.329

Private & Hybrid 0.260 0.464 1.009 1.782 2.680 3.810

Rental Colocation 10.698 12.536 14.437 16.088 17.308 18.919

Managed Hosting 16.751 19.330 20.972 22.326 22.732 22.892

CDN 2.396 3.032 3.611 4.357 5.089 5.905

Source: Synergy quarterly data from Q1,2009 to Q4, 2014.

To address the rapid growth of the cloud computing industry and the lock-in due to high adjustment costs, we use the growth rate of cloud provider’s revenue as the dependent variable in our DID analysis. Table 2 shows how fast the cloud computing industry has grown during the period, 2009-2014.

Using the level variable of total revenues is likely to violate the parallel trend assumption.

The main underlying assumption of the DID estimator is the parallel trend of the treated and untreated. Figure 5 presents the total revenue patterns of the US-based ﬁrms and non-US-based

ﬁrms before the Snowden revelations and shows that the US-based ﬁrms have much steeper trend24. If we used the growth rate, the trends would be more likely to be the parallel and pass

23The location of headquarter plays an important role to distinguish between the control group and the treatment group in this paper. The Snowden revelations contain the NSA’s surveillance activities with Five Eyes. 24As a falsification, we added the result of the difference in differences using the level variable in Appendix B.1.5. The coefficient of our interest is strictly positive and statistically significant. In other words, there is a positive

18 the parallel trends test. Figure 6 shows the growth rate patterns and Figure 7 presents the residual of growth rate patterns25 before the Snowden revelations. A series of robustness and speciﬁcation checks about the parallel trend assumption are included in our Appendix B.1.

Figure 5: Total Revenue Patterns

* The ﬁgures are plotted using only Pre Snowden period (i.e. t ≤ 18)

effect of the Snowden revelations to the US cloud industry. We argue that this is an example of falsification as we included the lagged dependent variable, the effect became not significant and the size dropped dramatically. 25Different set of control variables are tested and Figure 7 includes only sector fixed effects.

19 Figure 6: Growth Rate Patterns of Total Revenue

Figure 7: Mean of Residual of Growth Rate

(1) Control variables include sector fixed effects (dummy variables for each sector), trend adjusted country fixed effects (i.e. dummy variable for each country multiplied by time, t).

(2) The ﬁgures are plotted using only Pre Snowden period (i.e. t ≤ 18)

There are two main events in the cloud computing industry: (a) the Snowden revelations in June, 2013 and (b) the price war occurring towards the end of March, 2014. Based on the

20 two main events, we deﬁne three diﬀerent periods: (a) Pre Snowden, (b) Post Snowden and Pre

Price War (Pre PW) and (c) Post Price War (Post PW). We deﬁne Pre Snowden as the period prior to June 2013, Post Snowden and Pre PW as the period from July 2013 to March 2014, and

Post PW as the period from April 2014 to December 2014. We consider Pre Snowden as the baseline period and the post-intervention periods of interest are Post Snowden period and Post

Snowden X Pre PW.

Figure 8: Timeline: Snowden Revelations and Price War

In the following section, we estimate the impact of Snowden revelaions using difference in differences. In addition to DID analysis, we added model-free analysis to provide insights and also use the fixed effects estimation and the synthetic control method to check the robustness.

5 Empirical Analysis

5.1 Model-Free Analysis

Simple non-parametric methods yield insight into the impact of the Snowden revelations before proceeding to econometric models. Figure 9 is the histogram-style conditional mean before and after the Snowden revelations and presents that the US-based cloud ﬁrms have slowed down after the Snowden revelations while the non-US-based ﬁrms used the revelations as a chance to recover.

We should be cautious in interpreting the ﬁgure as we only focus on three quarters before and after the Snowden revelations. However, the overall patterns still provide us the entire story and are consistent with the survey results from Castro (2013). He shows that 56 percent of non-US

21 residents would be less likely to use a US-based cloud computing services as a reaction to the

NSA leaks using a survey by the Cloud Security Alliance.

Figure 9: Conditional Mean of Total Revenue

(1) T=18 indicates Q2 2013 and T=19 indicates Q3 2013 (2) Histogram-style conditional mean; based on cmogram command by STATA. (3) Using linear spline regresssion, the kinked point is tested. The kinked point at the Snowden revelations is signiﬁcant at 5%. See Appendix A.5 for further details. (4) Pre Snowden in this Figure is three quarters before the Snowden and Post Snowden is three quarters after Snowden and before the price war.

5.2 Diﬀerence in Diﬀerences

To evaluate the impact of the Snowden revelations, we calculate the differences in outcomes of the treated firms compared to the control firms. In our baseline results, the US-based cloud

firms are the treated and the non-US-based cloud firms are the control firms. We define the dependent variable to be the quarterly growth of the cloud firm’s revenue. The baseline period is

Pre Snowden described in Figure 8, and the post-intervention periods are Post Snowden.

The speciﬁcation is as follows:

4log(TRit) = β0 + β1USi + β2P ostSnowdent + β3USi × P ostSnowdent + γj + tγj + θk + δt + i

22 where i denotes ﬁrm, t denotes quarter, j denotes cloud sector, k denotes country, US denotes

US-based firm, and β3 is the DID coefficient. Table 3 presents the baseline results, along with a series of robustness checks. The results suggest that there exist a negative and significant impact of the Snowden revelations on the

US-based providers. Results in Column (2) presents that the coefficient of US X Post Snowden is -0.113 and statistically significant at the 1% level. The results indicate that the growth rate of the US-based cloud firms was lowered by 11.3%. The difference between Column (1) and Column

(2) is the inclusion of the trend adjusted country fixed effects which are controlling tγj. Since Post Snowden contains the price war, the effects in Column (1) and Column (2) would be underestimates. During the price war, consumers face a trade-off between price and the value of privacy. Estimating the model using only data up to Pre Price War (Column (4) and Column

(5)), we ﬁnd that the growth had been slowed down by 18.9%.

We already mentioned the possibility that the control contain aﬀected units. This also colud be a source of underestimation. In Column (3) and Column (6), we excluded 19 ﬁrms which have their headquarter in four countries (Five Eyes), Australia, Canada, New Zealand and the

United Kingdom. Results in Column (3) present that the coeﬃcient of US × Post Snowden decreases by 2.3% compared to Column (2). Similarly, a comparison of Column (2) and column

(6) indicates that the Snowden eﬀect increases by 1.2% by adjusting the control group. To answer more questions related to the adequate control group, we use the synthetic control methods as a robustness check.

Column (7) presents the robustness test including the pre-treatment variable followed by Autor

(2003). The coefficient of Pre Snowden is positive and not statistically significant. Additional pre-treatment effects are tested in Appendix B.1.3. Column (8) in Table 3 presents the results with the lagged variable of the dependent variable. Compared with column (2), the coefficient of

US × Post Snowden is consistent.

The next question is how we can convert the damage in the growth rate to revenue losses in dollars. Our strategy is to construct the hypothetical revenue under the circumstances that there is no Snowden revelations. Appendix A.6 provides more details about the methodology.

The expected revenue losses in the US cloud computing industry over 6 quarters (from Q3 2013

23 to Q4 2014) are $17.742 billion, based on a 11.3% reduction in the growth rate (Column (2)).

Similarly, the expected losses are $22.723 billion when the growth rate was damaged by 13.6%

(Column (3)).

The magnitude of the economic impact of the Snowden revelations can be compared with previous literature. Castro (2013) argued that the US cloud computing industry would lose $21.5 to $35 billion26 over the period 2014 to 2016. Forrester Research27 estimated the US losses as high as $180 billion over the same period. In contrast, others28 hypothesize that firms reacted to the news by beefing up encryption and security, at a relatively low incremental cost, and that the resulting losses are therefore negligible. Ferrara et al. (2015) also argues a small effect of the

Snowden revelations based on Forrester’s Business Technographics Global Infrastructure Survey,

2014. Thus, the question remains whether there are any broader and lasting economic impacts of the NSA’s actions. Some may consider the comparison with the magnitude of other privacy breaches (e.g., Acquisti et al. (2006), Garg et al. (2003))

26$21.5 billion is calculated under the assumption that the US loses about 10 percent of foreign market to European or Asian competitors and retain the current market share in the US. Similarly, 20 percent of losses in the foreign market assumption derives $35 billion losses for three years. 27Article, ”The Cost of PRISM Will Be Larger Than ITIF Projects” by James Staten, Aug 14, 2013, http: //blogs.forrester.com/james_staten/13-08-14-the_cost_of_prism_will_be_larger_than_itif_projects. 28Article, “Revelations of N.S.A. Spying Cost U.S. Tech Companies,” by Claire Miller, March 21, 2014, New York Times, http://www.nytimes.com/2014/03/22/business/fallout-from-snowden-hurting-bottom-line-of-tech-companies. html?_r=1

24 Table 3: Results: Diﬀerence in Diﬀerences

Variable (1) (2) (3) (4) (5) (6) (7) (8) US × Post Snowden -0.088*** -0.113*** -0.136*** -0.190*** -0.189*** -0.202*** -0.104*** -0.114*** (0.023) (0.024) (0.022) (0.010) (0.012) (0.013) (0.024) (0.022) US -0.037*** -0.131*** -0.126*** -0.062*** -0.048*** -0.114*** -0.126*** -0.135*** (0.008) (0.010) (0.009) (0.004) (0.004) (0.004) (0.011) (0.012) Post Snowden -0.003 0.035 0.066* -0.133** -0.135** -0.137* 0.022 0.042 (0.030) (0.033) (0.030) (0.061) (0.062) (0.068) (0.036) (0.039) Pre Snowden 0.038 (0.024) ∆log(TRt−1) 0.499** (0.224) 25 Sub-Period Pre PW Pre PW Pre PW Sub-Group Non FVEY Non FVEY Trend Adjusted Country Fixed Eﬀects No Yes Yes No Yes Yes Yes Yes Observations 2413 2413 1998 2102 2102 1742 2413 2302 Expected Losses ($Billion) 13.569 17.742 22.723 7.339 7.296 7.861 16.469 18.357

(1) The dependent variable is the growth rate of total revenue, i.e. ∆log(TR). (2) ***, **, and * respectively denote significance at the 1 percent, 5 percent, and 10 percent levels. (3) Following Bertrand et al. (2004), we use clustered standard errors at the group level to protect against false positives and robust standard errors clustered by continent are provided under the OLS estimates. (4) All columns include sector fixed effects, country fixed effects and quarter fixed effects. See Appendix B.1.1 for additional results with/without fixed effects. (5) Pre Snowden is defined as 1(t = 18) where t=18 denotes one quarter before the Snowden revelaions (Q2, 2013). We test additional Pre Snowden effects (e.g. 1(t = 17), and 1(t = 16)) in Appendix B.1.3. (6) Trend Adjusted Country Effects are defined as t ∗ 1(countryID = i) for t = 1, ..24 5.3 Fixed Effects Estimation

The difference in differences analysis cannot include firm fixed effects because our variable of interest would cancel out. So, to check the robustness of our analysis against firm level trends, we model the growth of total revenue for firm i in quarter t using the following specification:

4log(TRijt) = β0 + β1P ostSnowdent × P reP Wt + β2P ostP Wt + αi + i

The results of this estimation are presented in Table 4. The first three columns focus on the effects of two main events on the cloud industry for all sectors (cloud infrastructure, rental colocation, managing hosting and CDN). Column (1) presents the results for all countries. The results suggest that the growth rate of all cloud firms has been damaged by 12 %. Column (2) shows the results for the US-based firms. The coefficient of Post Snowden X Pre PW equals

-0.233 and is statistically significant at the 1% level. Similarly, Column (3) presents the results for the non-US-based firms and the coefficient of Post Snowden X Pre PW is -0.02, which is much smaller, consistent with our results from the difference in differences results in section 5.

The coefficient of Post PW is negative in Columns (1), (2), and (3) but only significant in the case of the non-US-based firms (Column (3)).

Columns (4), (5) and (6) present results for the cloud infrastructure sector only. We find that restricting the analysis to this sector yields greater effects of the two events. The coefficient of Post Snowden x Pre PW period demonstrates a negative and significant effect of the period on US-based cloud firms relative to non-US-based firms.

26 Table 4: Results: Fixed Eﬀects Estimation

Cloud Infrastructure Sector Only

All US NonUS All US NonUS

Variable (1) (2) (3) (4) (5) (6)

Post Snowden × Pre PW -0.122*** -0.233*** -0.024 -0.287*** -0.397*** -0.191*

(-3.70) (-3.57) (-1.06) (-4.61) (-3.98) (-2.45)

PostPW -0.103** -0.105 -0.100*** -0.203** -0.211* -0.196*

(-3.12) (-1.62) (-4.42) (-3.25) (-2.12) (-2.51)

Observations 2553 1196 1357 2553 1196 1357

(1) Standard errors are provided under the fixed effects estimates. (2) The dependent variable is the growth rate of total revenue (i.e. ∆log(TR)). (3) ***, ** and * respectively denote significance at the 1 percent, 5 percent and 10 percent levels.

5.4 Synthetic Control Approach

A natural concern in our difference in differences results is if the control group contains affected units. In the quasi-experimental research, selecting a comparison group would be subjective. In this subsection, we applied synthetic control methods (SCM) (Abadie and Gardeazabal, 2003;

Abadie et al., 2012) as a robustness check. SCM uses a weighted average of control groups and constructs synthetic control units. We can estimate the counterfactual outcome by employing a weighted average of the past observable characteristics of the countries before the Snowden revelations took place.

Figure 10 plots the impact of the Snowden revelation on the US cloud industry. The estimates display per company total revenues in the US cloud industry and its synthetic counterpart during the period 2009 Q1-2014 Q4. Our SCM results show that there exists a negative and signiﬁcant eﬀect of the Snowden revelations on the US-based cloud providers.

27 Figure 10: Synthetic Control Approach: US versus Synthetic US

(1) Per company total revenues for each country were aggregated as a country-level using the main dataset from Synergy (2) The natural logarithm was applied to consider the adoption patterns. (3) Predictors include ln(GDP), broadband subscription rates, telephone subscription rates, percentage of Internet users, the number of secured Internet, legal right, inﬂation, the number of labor force, total population, four lagged dependent variables. (4) See Appendix B.2.1 for the details including the synthetic weights, the sources of data and predictor variables.

Another concern is if the eroded privacy is the main channel of the Snowden revelations. We applied SCM to the other industry’s revenues as a placebo test. Results in Figure 11 present that there are no signiﬁcant diﬀerences between US and Synthetic US using all industry’s sales data.

28 Figure 11: Placebo Test (All Industry): US versus Synthetic US

(1) The main variable is Production and Sales from OECD and The natural logarithm was applied to consider the adoption patterns. (2) Predictors include ln(GDP), broadband subscription rates, telephone subscription rates, percentage of Internet users, the number of secured Internet, legal right, inﬂation, the number of labor force, total population, four lagged dependent variables. (3) See Appendix B.2.2 for the details including the synthetic weights, the sources of data and predictor variables.

6 Non-price Eﬀects

6.1 Free Trial: A Cross Check with Prices Fixed

As we described earlier, one complicating factor in isolating the impact of the Snowden revelations is the subsequent price war between the major US platforms - AWS, IBM, Google and Microsoft

Azure. Consistent with the repeated game literature, we suggest that the quality shock- by lowering demand - may have been causal in triggering the price war, but it is impossible to test

29 this hypothesis with limited observations. However, we can gain further insight into the eﬀect of the Snowden revelations by examining the usage and adoption of free trials. In particular, we may adopt this strategy because the trials remain priced at zero over the entire period and thus concentrating on them, we eliminate the eﬀect of the price changes.

We obtained data on free-trial usage patterns from Microsoft’s Azure platform. Microsoft allows new users to have a free virtual machine and gives them credits that can be used for computing services. Amazon AWS and Google Compute have similar oﬀerings, although the length of the free-trial diﬀers across the platforms. The data below is the normalized value of free trial usage. That is, we multiply the used Gigabyte by a shadow internal cost under the free trials and then normalize the data on a 0-100 scale. The shadow prices are constant across time and so invariant to the price war in the market.

The data clearly shows a significant and dramatic “impulse effect” after the Snowden revelations. Indeed, usage almost plummets to zero, -even at a price of zero. We also use the data to estimate the delay in adoption rates, i.e., the amount of time until usage recovers to the pre revelation levels. The recovery time varies across continents, and equals roughly 6 months on average. The length of this delay is significant in that it is a shorter span than the time until the price war, the price war onset at roughly 9 months. Thus, it provides an estimate of the counterfactual; i.e., how much would cloud adoption have slowed down without the confounding effect of the price war.

30 Figure 12: Free Trial Usage Patterns

Source: Microsoft Azure

Table 5: Average Delays in Adoption Rates

Continent Recovery Period (Months)

All 6.33

US 6.58

Asia 5.61

Europe 6.02

Source: Microsoft Azure

31 6.2 Privacy and Encryption

To explore changes in privacy and transparency practices, we investigate reports by the Electronic

Frontier Foundation (EFF).29 The EFF publishes annual reports to evaluate major tech companies’ privacy and transparency practices regarding government access to user data from 2011 (Cardozo and Reitman, 2015; Cardozo and Reitman, 2014; Cardozo and Reitman, 2013). We consider the

EFF’s annual evaluations in 2013 as Pre Snowden period evaluations, and those in 2014 as Post

Snowden period evaluations. The EFF used the same evaluation criteria for both years and, moreover the EFF’s 2013 report was released on April 30, 2013, a month before the Snowden revelations.

Table 6 summarizes the changes in 18 online service providers’ privacy and transparency policies before and after the Snowden revelations. The average number of practices increased from 3.33 to 4.72 stars out of 6, with the biggest changes for Apple, Verizon, and Yahoo!. In particular, Verizon started to require a warrant for content, publish transparency reports and law enforcement guidelines, and ﬁght for users’ privacy rights in Congress just after the Snowden revelations.

In contrast, the average number of practices increased by only 0.38 (from 1 to 1.38 out of

4)30 for 13 tech companies between 2011 and 2012.

29The Electronic Frontier Foundation (EFF) publishes variety of reports regarding technology, privacy and innovation as a leading nonproﬁt organization. www.eff.org 30Appendix A.7 provides more details.

32 Table 6: Privacy and Transparency Practices: Pre Snow- den vs Post Snowden

Company Pre Snowden Post Snowden Changes

Amazon 2 2 0

Apple 1 6 5

AT&T 1 2 1

Comcast 2 3 1

Dropbox 5 6 1

Facebook 3 6 3

Foursquare 4 3 -1

Google 5 6 1

Linkedin 5 5 0

Microsoft 4 6 2

Myspace 3 3 0

Sonic.net 6 6 0

SpiderOak 5 5 0

Twitter 6 6 0

Tumblr 3 5 2

Verizon 0 4 4

Wordpress 4 5 1

Yahoo! 1 6 5

Mean 3.33 4.72 1.39

* EFF’s 2013 and 2014 annual reports, Cardozo and Reitman (2013) and Cardozo and Reitman (2014).

The details of the changes before and after the Snowden revelations can be found in Table 7.

The most frequent two changes were publishing transparency reports and telling users about government data requests.

33 Table 7: Privacy and Transparency Practices (Criteria): Pre Snowden vs Post Snowden

1 2 3 4 5 6

Company Pre Post Pre Post Pre Post Pre Post Pre Post Pre Post

Amazon 0 1 0 0 0 0 0 0 1 1 1 0

Apple 0 1 0 1 0 1 0 1 0 1 1 1

AT&T 0 0 0 0 0 1 0 1 0 0 1 0

Comcast 0 0 0 0 0 1 1 1 1 1 0 0

Dropbox 1 1 1 1 1 1 1 1 0 1 1 1

Facebook 1 1 0 1 0 1 1 1 0 1 1 1

Foursquare 1 1 1 1 0 0 1 1 0 0 1 0

Google 1 1 0 1 1 1 1 1 1 1 1 1

Linkedin 1 1 1 1 1 1 1 1 0 0 1 1

Microsoft 1 1 0 1 1 1 1 1 0 1 1 1

Myspace 1 1 0 0 0 0 1 1 1 1 0 0

Sonic.net 1 1 1 1 1 1 1 1 1 1 1 1

SpiderOak 1 1 1 1 1 1 1 1 0 0 1 1

Twitter 1 1 1 1 1 1 1 1 1 1 1 1

Tumblr 1 1 0 1 0 1 1 1 0 0 1 1

Verizon 0 1 0 0 0 1 0 1 0 0 0 1

Wordpress 1 1 1 1 0 1 1 1 0 0 1 1

Yahoo! 0 1 0 1 0 1 0 1 1 1 0 1

Mean 0.7 0.9 0.4 0.7 0.4 0.8 0.7 0.9 0.4 0.6 0.8 0.7

* EFF’s 2013 and 2014 annual reports, Cardozo et al (2013) and Cardozo et al (2014). * Criteria: (1) requires a warrant for content, (2) tells users about government data requests (3) publishes transparency reports (4) publishes law enforcement guidelines (5) ﬁghts for users’ privacy rights in courts (6) ﬁghts for users’ privacy rights in Congress.

The importance of cryptography has been increased after the revelations of the NSA’s spying on international ﬁber-optic communication lines. The EFF started to evaluate 18 online service

34 providers’ level of encryption from November, 2013. The evaluation results are in Appendix A.7.

7 Conclusion

We present empirical evidence about the eﬀect of the Snowden revelations on the cloud computing industry. We ﬁnd that the revelations decreased the growth rate of US providers’ revenue by

11.3%. The corresponding expected losses are signiﬁcantly, around $18 billion. We also examine the non-price eﬀects of the Snowden revelations using Microsoft’s free trial usage database. Even at a price of zero, cloud adoption and usage plummeted. Many US providers such as Amazon,

Google and Microsoft responded by increasing privacy and security, and cutting prices. Following these changes, the growth rate of the US cloud revenue recovered relatively quickly.

Our empirical approach has some limitations. Although underlying mechanism is based in real option theory, we do not see individual choices under the data and could not estimate a structural dynamic model. Instead, our strategy is to use DID analysis along with the ﬁxed eﬀects estimation and the synthetic control method. Although our estimate is large, it is still conservative and likely underestimated because we do not include other costs such as legal liabilities, restructuring and dislocation of users’ data.

The main justification of the government surveillance program was to protect US citizen from potential terrorism. We are of course unable to assess social benefits of such an exercise, not least because any such information is classified. However, there were real costs to these policies which induced users to seek alternatives to the US cloud providers. This paper presents evidence that due to the revelations US providers changed policies enhancing privacy and security. Many

US providers approached this problem by increasing transparency to rebuild users’ trust. Thus, the transitory losses imposed on US providers may very well be small compared to the longer term welfare gain enjoyed by consumers due to lower prices and enhanced security.

35 References

Abadie, A., Diamond, A. and Hainmueller, J. (2012), ‘Synthetic control methods for comparative

case studies: Estimating the eﬀect of california’s tobacco control program’, Journal of the

American statistical Association .

Abadie, A., Diamond, A. and Hainmueller, J. (2015), ‘Comparative politics and the synthetic

control method’, American Journal of Political Science 59(2), 495–510.

Abadie, A. and Gardeazabal, J. (2003), ‘The economic costs of conﬂict: A case study of the

basque country’, American economic review 93(1), 113–132.

Abreu, D., Pearce, D. and Stacchetti, E. (1986), ‘Optimal cartel equilibria with imperfect

monitoring’, Journal of Economic Theory 39(1), 251–269.

Acquisti, A., Friedman, A. and Telang, R. (2006), ‘Is there a cost to privacy breaches? an event

study’, ICIS 2006 Proceedings p. 94.

Acquisti, A., Taylor, C. R. and Wagman, L. (2015), ‘The economics of privacy’, Journal of

Economic Literature, forthcoming .

Autor, D. (2003), ‘Outsourcing at will: The contribution of unjust dismissal doctrine to the

growth of employment outsourcing’, Journal of Labor Economics 21(1), 1–42.

Bass, F. M. (1969), ‘A new product growth for model consumer durables’, Management Science

15(5), 215–227.

Bass, F. M., Krishnan, T. V. and Jain, D. C. (1994), ‘Why the bass model ﬁts without decision

variables’, Marketing science 13(3), 203–223.

Bayrak, E., Conley, J. P., Wilkie, S. et al. (2011), ‘The economics of cloud computing’, The

Korean Economic Review 27(2), 203–230.

Beresford, A. R., K¨ubler,D. and Preibusch, S. (2012), ‘Unwillingness to pay for privacy: A ﬁeld

experiment’, Economics Letters 117(1), 25–27.

Bernanke, B. S. (1980), ‘Irreversibility, uncertainty, and cyclical investment’.

36 Bernanke, B. S. (1983), ‘Irreversibility, uncertainty, and cyclical investment’, Quarterly Journal

of Economics 98(1), 85–106.

Bertrand, M., Duﬂo, E. and Mullainathan, S. (2004), ‘How much should we trust diﬀerence-in-

diﬀerences estimates’, Quarterly Journal of Economics 119(1), 249–275.

Bloom, N., Sadun, R. and Van Reenen, J. (2012), ‘Americans do it better: Us multinationals

and the productivity miracle’, American Economic Review 102(1), 167–201.

Bonneau, J. and Preibusch, S. (2010), The privacy jungle: On the market for data protection in

social networks, in ‘Economics of information security and privacy’, Springer, pp. 121–167.

Cardozo, Nate, C. C. H. P. H. M. and Reitman, R. (2013), Who has your back?: Which

companies help protect your data from the government?, the eﬀ’s third annual report on online

service providers’ privacy and transparency practices regarding government access to user data,

Technical report, Electronic Frontier Foundation.

Cardozo, Nate, C. C. H. P. O. K. and Reitman, R. (2014), Who has your back?: Protecting

your data from government requests, the eﬀ’s fourth annual report on online service providers’

privacy and transparency practices regarding government access to user data, Technical report,

Electronic Frontier Foundation.

Cardozo, Nate, O. K. and Reitman, R. (2015), Who has your back?: Protecting your data from

government requests, the eﬀ’s ﬁfth annual report on online service providers’ privacy and

transparency practices regarding government access to user data, Technical report, Electronic

Frontier Foundation.

Castro, D. (2013), ‘How much will prism cost the us cloud computing industry?’, Information

Technology and Innovation Foundation .

Dub´e,J.-P., Hitsch, G. J. and Jindal, P. (2014), ‘The joint identiﬁcation of utility and discount

functions from stated choice data: An application to durable goods adoption’, Quantitative

Marketing and Economics 12(4), 331–377.

37 Etro, F. (2009), ‘The economic impact of cloud computing on business creation, employment

and output in europe. an application of the endogenous market structures approach to a gpt

innovation’, Review of Business and Economic Literature 54(2), 179–209.

Ferrara, E., Staten, J., Burris, P. and Blackborow, J. (2015), ‘Did prism cause an exodus from

us clouds?’, Forrester Research .

Florek, A. (2014), ‘The problems with prism: How a modern deﬁnition of privacy necessarily

protects privacy interests in digital communications, 30 j. marshall j. info. tech. & privacy l.

571 (2014)’, The John Marshall Journal of Information Technology & Privacy Law 30(3), 5.

Garg, A., Curtis, J. and Halper, H. (2003), ‘Quantifying the ﬁnancial impact of it security

breaches’, Information Management & Computer Security 11(2), 74–83.

Gowrisankaran, G. and Rysman, M. (2009), Dynamics of consumer demand for new durable

goods, Technical report, National Bureau of Economic Research.

Green, E. J. and Porter, R. H. (1984), ‘Noncooperative collusion under imperfect price informa-

tion’, Econometrica 52(1), 87–100.

Kellogg, R. (2014), ‘The eﬀect of uncertainty on investment: evidence from texas oil drilling’,

The American Economic Review 104(6), 1698–1734.

Lerner, J. (2011), ‘The impact of copyright policy changes on venture capital investment in cloud

computing companies’, Computers and Communication Industry Association (CCIA). Available

at http://www. ccianet. org/CCIA/ﬁles/ccLibraryFilesFilename/000000000559/Cablevision%

20white% 20paper .

Lerner, J. and Rafert, G. (2015), Lost in the clouds: The impact of changing property rights

on investment in cloud computing ventures, Technical report, National Bureau of Economic

Research.

Marthews, A. and Tucker, C. (2014), ‘Government surveillance and internet search behavior’,

Available at SSRN 2412564 .

38 Preibusch, S. (2013), ‘Guide to measuring privacy concern: Review of survey and observational

instruments’, International Journal of Human-Computer Studies .

Savage, S. and Waldman, D. M. (2013), ‘The value of online privacy’, Available at SSRN 2341311

Yoo, C. S. (2011), ‘Cloud computing: Architectural and policy implications’, Review of Industrial

Organization 38(4), 405–421.

39 Appendix

A Additional Material

A.1 Further Details about the Snowden Revelations

On June 5, 2013, the Guardian published a bombshell. Edward Snowden, a National Security

Agency (NSA)31 analyst, had leaked thousands of classiﬁed documents that revealed the existence of the NSA’s domestic spying program using the telecommunications infrastructure.32

First Revelations

The ﬁrst revelations showed that since late 2001, US telecommunications ﬁrms handed over meta-data on every international phone call to and from the US to the NSA. The Foreign

Intelligence Surveillance Act (FISA) courts had granted this unlimited authority to the FBI under a secret interpretation of the 2001 USA PATROIT Act. The NSA argued that they did not look at content. However, critics argued that having access to huge volumes of data on every individual citizen is an invasion of privacy.

Second Revelations: PRISM

The existence of a surveillance program called PRISM was revealed next.33 The PRISM program allowed the NSA to obtain targeted communications without having a court request. The goal of

PRISM was to overcome the shortcomings of FISA and track suspected foreign terrorists within the US.34

31https://www.nsa.gov/ 32http://www.theguardian.com/world/2013/jun/06/nsa-phone-records-verizon-court-order 33http://www.theguardian.com/world/2013/jun/06/us-tech-giants-nsa-data 34FISA required both the sender and receiver of a communication were outside of the US.

i Figure A1: PRISM Slides

Under PRISM major US technology ﬁrms, including AOL, Google, Microsoft, and Yahoo! handed over emails after requests by the NSA.35

Third Revelations: GCHQ

Further leaks revealed that the NSA, with the British Government Communications Headquarters

(GCHQ),36 had tapped into 200 undersea optic ﬁber cables handling 600 million telephone events each day since 2008.37 With most of the world data ﬂowing through these pipes, such tapping amounted to spying on an unprecedented scale.

35A 41-slide PowerPoint presentation obtained by the Guardian shows the details. http://www.theguardian.com/world/interactive/2013/nov/01/prism-slides-nsa-document 36US and UK intelligence jointly shared collected data with Australia, Canada and New Zealand as the Five Eyes partnership. http://www.theguardian.com/world/2013/jun/22/nsa-leaks-britain-us-surveillance 37http://www.theguardian.com/uk/2013/jun/21/gchq-cables-secret-world-communications-nsa

ii A.2 Further Details on Model

0 In Chapter 3.2, we present three cases with respect to the relative prices of cx, cx and cy. Figure 0 1 shows Case 1 where cx < cy and cx < cy. Figure A2 and Figure A3 shows Case 2 and Case 3 respectively.

Figure A2: Case 2 : cx > cy

Y1 Y2 (a) X2 cy

O1 X1

0 cx 1 1

(b) Y3

cx 0 0 cx 1

iii 0 Figure A3: Case 3: cx < cy and cx > cy

1 Y2 Y1 X2 cy

(a) O1 X1

0 cx 1 1

B3 cy

(b)

cx 0 0 cx 1

A.3 Bass Model

We consider the Snowden revelations as a negative and unexpected quality shock to the US-based

ﬁrms and focus on how the adoption patterns can be slowed down using a Bass diﬀusion model.

The Bass model (Bass, 1969 ; Bass et al., 1994) is widely used to show how new products or technologies are adopted by consumers.

The model breaks consumers into two types. First, ”innovators” are those consumers who try the new technology regardless of who else may be using it. Second, ”imitators” are those who decide to purchase the good only after a number of other people are already using it. The general shape of adoption is that of an S-curve: adoption is slow early on while only innovators are buying; it picks up rapidly as imitators join in; and then it tapers oﬀ as the market becomes saturated.

iv The adoption patterns are determined by the following equation:

f(T ) = p + qF (T ) 1 − F (T ) where f(T ) is the likelihood of purchase at T , p is the coeﬃcient of innovation and q is the coeﬃcient of imitation.

Figure A4: Adoption Patterns by the Bass Model

(1) p denotes the coefficient of innovation and q denotes the coefficient of imitation, and N denotes the normalized accumulated adopters. (2) To back up the number of adopters, we divided the revenue by the average prices changes. (3) Scenario 1 is calculated using the Bass model and data prior to the Snowden revelations setting p=0.0101, q=0.1435 and N=38110 by Nonlinear least squares. (4) Scenario 2 is the case when the coefficient of imitation rate, q, drops to 0.08 and p and N are unchanged.

Results in Figure A4 suggest that the cloud computing industry is still growing but the snowden revelations shift the adoption curve. Due to the shock by the Snowden revelations the curve moves from Scenario 1 to Scenario 2. To illustrate the shift, we assume that the innovators

v behavior is unchanged by the Snowden revelations but the adoption rate of imitators entering the market is slowed down. In other words, the coeﬃcient of innovation, p is the same but the coeﬃcient of imitation, q decreased.

A.4 Descriptive Statistics about the Cloud Industry

Table A1: Summary Statistics of Quarterly Total Revenues ($million)

US Non-US

Variable Mean Std. Dev. Mean Std. Dev.

Total Sample 82.374 142.122 66.3 97.561

Cloud Infrastructures 21.042 89.119 5.892 13.075

IaaS 10.868 65.735 2.946 5.518

PaaS 6.607 26.435 0.553 2.987

Private & Hybrid 3.587 11.131 2.375 6.523

Rental Colocation 23.081 61.961 22.354 32.803

Managed Hosting 27.968 61.117 33.636 59.304

CDN 10.283 48.612 4.418 9.753

Observations 1248 1416

Source: Synergy Quarterly data between Q1,2009 and Q4, 2014.

A.5 Spline Regression: Snowden Revelations and Price War

In the body of the paper, we present conditional mean of total revenue before and after the

Snowden revelations. Table A2 shows the results of spline regression. The kinked point at the

Snowden revelations is signiﬁcant at 5% and the kinked point at the price war is signiﬁcant at

10% level.

vi Table A2: Spline Regression

Variable Coeﬃcient St. Dev t stat

Pre Developed -0.004 0.005 -0.81

Pre Snowden 0.003 0.009 0.33

Post Snowden X Pre PW -0.051** 0.026 -1.95

Post PW 0.083 0.047* 1.78

Constant 0.112 0.031** 3.61

(1) Pre developed period is deﬁned as “2009 Q1-2012 Q2.” (2) Pre Snowden is deﬁned as “2012 Q3-2013 Q1.” (3) Post Snowden X Pre PW is “2013 Q2-2014 Q1.” (4) Post PW is “2014 Q2- 2014 Q4.” (5) Dependent variable is ∆log(TR)

A.6 Methodology: Converting the Damage in Dollars

To convert the damage in the growth rate to revenue loss in dollars, we use the following methodology.

Suppose that the Snowden revelations occurs at time t0. The actual flows of total revenues for the US-based cloud firm i are defined as {. . . , yi,t0−1, yi,t0 , yi,t0+1,... }. We define the hypothetical sequence of revenues, {y˜i,t} for t = t0, t0 + 1,... assuming no Snowden revelations. The expected loss brought about by the Snowden revelations is the differences between the hypothetical flows of total revenues and the actual flows of total revenues. Let L denote this loss. Then

N T N T X X X X L = y˜i,t − yi,t i=1 t=t0 i=1 t=t0

Let gi,t denote the the actual growth rate and g˜i,t denote the hypothetical growth rate that would would occur if there were no Snowden revelations. Then

yi,t − yi,t−1 gi,t = ≈ ∆log(yi,t) yi,t−1

vii yi,t0 = yi,to−1(1 + gt0 )

yi,t˜ 0 is the hypothetical total revenue for ﬁrm i when the Snowden revelations arrive.

yi,t˜ 0 = yi,t0−1(1 +g ˜t0 )

= yi,t0−1(1 + gt0 + γ) where γ is the growth lost by the Snowden revelations. Based on the results of Table 3, our estimates for γ are 11.3% (Column (2)) and 18.9% (Column (5)) respectively. The expected revenue loss in the US cloud computing industry due to the Snowden revelations can thus be calculated as $18.072 billion, based on a 11.3% reduction in the growth rate. Similarly, the expected loss from Q3 2013 to Q1 2014 is $11.094 billion when the growth rate was damaged by

18.9% before the price war.

A.7 Further Details on the Changes in Practices, Policies and Encryption

In this subsection, we provide further details on the changes in practices, polices, and encryption.

There are slight changes in EFF’s criteria between 2012 and 2013 and listed in Table A3.

In Table 7, there was a huge improvement in privacy and transparency practices before and after the Snowden revelations. Table A4 presents the changes between 2011 and 2012. The evaluations have been conducted by the EFF and the changes are negligible.

The EFF started to evaluate 18 online service providers’ level of encryption from November,

2013. Table A5 shows the evaluation results based on ﬁve criteria: (1) encryption of data center links, (2) supporting HTTPS, (3) supporting HTTPS Strict (HSTS), (4) forward secrecy, and (5)

STARTTLS. The results reveal that only 44 % of 18 tech companies encrypt data center links, and that “supporting https” has been relatively well completed.

viii Table A3: EFF’s Criteria to Access Company Practices and Policies

2011 & 2012 2013 & 2014

1 Tell users about data demand Requires a warrant for content

2 Be transparent about government requests Tells users about government data requests

3 Fight for user privacy in the court Publishes transparency reports

4 Fight for user privacy in Congress Publishes law enforcement guidelines

5 Fights for users’ privacy rights in courts

6 Fights for users’ privacy rights in Congress

ix Table A4: Privacy and Transparency Practices: 2011 vs. 2012

2011 2012 changes 1 2 3 4 1 2 3 4

Amazon 2 2 0 0 0 1 1 0 0 1 1

Apple 1 1 0 0 0 0 1 0 0 0 1

AT&T 1 1 0 0 0 0 1 0 0 0 1

Comcast 0 1 1 0 0 0 0 0 0 1 0

Dropbox 1 3 2 0 0 0 1 1 1 0 1

Facebook 1 1.5 0.5 0 0 0 1 0 0.5 0 1

Google 3 3 0 0.5 0.5 1 1 0.5 0.5 1 1

Microsoft 1 1 0 0 0 0 1 0 0 0 1

Myspace 0 0 0 0 0 0 0 0 0 0 0

Skype 0 0 0 0 0 0 0 0 0 0 0

twitter 2 3.5 1.5 1 0.5 0.5 0 1 0.5 1 1

Verizon 0 0 0 0 0 0 0 0 0 0 0

Yahoo! 1 1 0 0 0 1 0 0 0 1 0

Mean 1.00 1.38 0.4 0.1 0.1 0.3 0.5 0.2 0.2 0.4 0.6

EFF’s Annual Report in 2012: https://www.eﬀ.org/who-has-your-back-2012 EFF’s Annual Report in 2011: https://www.eﬀ.org/who-has-your-back-2011

x Table A5: Crypto Survey Results from EFF’ encrypt the web report

1 2 3 4 5 Score

Encrypt data Supports HTTPS Strict Forward STARTLS

center links HTTPS (HSTS) Secrecy

Amazon 0 0 0 0 0 0

Apple 0 1 0 0 0 1

AT&T 0 0 0 0 0 0

Comcast 0 0 0 0 0 0

Dropbox 1 1 1 1 1 5

Facebook 1 1 1 1 1 5

Foursquare 0 1 1 0 0 2

Google 1 1 1 1 1 5

Linkedin 0 1 1 1 1 4

Microsoft 1 1 1 1 1 5

Myspace 0 1 0 0 0 1

Sonic.net 1 1 1 1 1 5

SpiderOak 1 1 1 1 1 5

twitter 1 1 1 1 1 5

tumblr 0 1 1 1 0 3

Verizon 0 0 0 0 0 0

Wordpress 0 1 0 0 0 1

Yahoo! 1 1 1 1 1 5

Mean 0.44 0.78 0.61 0.56 0.50 2.89

* Source: EFF’s encrypt the web reports

xi B Additional Results and Robustness Checks

B.1 General Robustness and Speciﬁcation Checks

This section provides a series of robustness and speciﬁcation checks to our baseline results.

Robustness and speciﬁcation checks mainly focus on testing DID’s underlying assumptions including parallel trends.

B.1.1 Additional Results to the Main Results

Table B1: Results: Diﬀerence in Diﬀerences (Entire Periods)

Variable (1) (2) (3) (4) (5)

US 0.001 -0.026* -0.037*** -0.037*** -0.131***

(0.011) (0.014) (0.008) (0.008) (0.010)

Post Snowden -0.054** -0.052** -0.053** -0.003 0.035

(0.022) (0.022) (0.023) (0.030) (0.033)

US × Post Snowden -0.075*** -0.088*** -0.087*** -0.088*** -0.113***

(0.022) (0.023) (0.023) (0.023) (0.024)

Sector Fixed Eﬀects No Yes Yes Yes Yes

Country Fixed Eﬀects No No Yes Yes Yes

Quarter Fixed Eﬀects No No No Yes Yes

t × Country Fixed Eﬀects No No No No Yes

Observations 2413 2413 2413 2413 2413

(1) Robust standard errors clustered by continent are provided under the OLS estimates.

(2) The dependent variable is the growth rate of total revenue, i.e. ∆log(TR).

(3) ***, **, and * respectively denote signiﬁcance at the 1 percent, 5 percent, and 10 percent levels.

xii Table B2: Results: Diﬀerence in Diﬀerences (Pre PW Periods)

Variable (1) (2) (3) (4) (5)

US 0.001 -0.025* -0.062*** -0.062*** -0.048***

(0.011) (0.013) (0.004) (0.004) (0.004)

Post Snowden -0.017* -0.016* -0.016* -0.133** -0.135**

(0.008) (0.009) (0.009) (0.061) (0.062)

US × Post Snowden -0.178*** -0.190*** -0.190*** -0.190*** -0.189***

(0.008) (0.010) (0.010) (0.010) (0.012)

Sector Fixed Eﬀects No Yes Yes Yes Yes

Country Fixed Eﬀects No No Yes Yes Yes

Quarter Fixed Eﬀects No No No Yes Yes

t × Country Fixed Eﬀects No No No No Yes

Observations 2102 2102 2102 2102 2102

(1) Robust standard errors clustered by continent are provided under the OLS estimates.

(2) The dependent variable is the growth rate of total revenue, i.e. ∆log(TR).

(3) ***, **, and * respectively denote signiﬁcance at the 1 percent, 5 percent, and 10 percent levels.

B.1.2 Robustness to the Inclusion of the Lagged Dependent Variables

The DID estimator requires the average outcome for treated and untreated have the same parallel trends. One of our concerns is that diﬀerences in observed characteristics create non-parallel outcomes dynamics for the treated and controls. To test it, we included lagged dependent variables as robustness checks. If the variable of our interest changes signiﬁcantly, we can consider the semi-parametric DID suggested by Abadie et al. (2015).

Table B3 presents the results for robustness checks to the inclusion of the lagged dependent variables. Column (1) is the main results with the baseline specification. In Column (2), we included ∆log(TRt−1). The coefficient on US × Post Snowden slightly decreases but there is no noticeable difference between Column (1) and (2). In Column (3), both ∆log(TRt−1) and ∆log(TRt−2) are included and in Column (4), we include ∆log(TRt−1), ∆log(TRt−2),

xiii ∆log(TRt−3). In terms of the statistical signiﬁcance and the size of coeﬃcient on US × Post Snowden, The results are robust.

We conducted the similar robustness checks focusing on Pre PW. Table B4 presents the results for the robustness to the inclusion of the lagged dependent variables. The diﬀerence of the coeﬃcients on US × Post Snowden is even smaller and the results are robust.

Table B3: Robustness to the Inclusion of the Lagged Dependent Variables (Entire Periods)

Variable (1) (2) (3) (4)

US -0.131*** -0.135*** -0.145*** -0.188***

(0.010) (0.012) (0.013) (0.015)

Post Snowden 0.035 0.042 0.043 0.101

(0.033) (0.039) (0.033) (0.032)

US × Post Snowden -0.113*** -0.114*** -0.118*** -0.127***

(0.024) (0.022) (0.020) (0.020)

∆log(TRt−1) 0.499** 0.466 0.516 (0.224) (0.278) (0.303)

∆log(TRt−2) 0.168* 0.189* (0.096) (0.093)

∆log(TRt−3) -0.025 (0.074)

Sector Fixed Eﬀects Yes Yes Yes Yes

Country Fixed Eﬀects Yes Yes Yes Yes

Quarter Fixed Eﬀects Yes Yes Yes Yes

t × Country Fixed Eﬀects Yes Yes Yes Yes

Observations 2413 2302 2191 2080

(1) Robust standard errors clustered by continent are provided under the OLS estimates.

(2) The dependent variable is the growth rate of total revenue, i.e. ∆log(TRt).

(3) ***, **, and * respectively denote signiﬁcance at the 1 percent, 5 percent, and 10 percent levels.

xiv Table B4: Robustness to the inclusion of the Lagged Dependent Variable (Pre Price War)

Variable (1) (2) (3) (4)

US -0.048*** -0.044*** -0.037*** -0.061***

(0.004) (0.005) (0.005) (0.006)

Post Snowden -0.135** -0.137*** -0.142** -0.093*

(0.062) (0.045) (0.057) (0.054)

US × Post Snowden -0.189*** -0.187*** -0.191*** -0.196***

(0.012) (0.014) (0.013) (0.013)

∆log(TRt−1) 0.444 0.399 0.445 (0.257) (0.322) (0.355)

∆log(TRt−2) 0.168* 0.185** (0.094) (0.085)

∆log(TRt−3) -0.032 (0.060)

Sector Fixed Eﬀects Yes Yes Yes Yes

Country Fixed Eﬀects Yes Yes Yes Yes

Quarter Fixed Eﬀects Yes Yes Yes Yes

t × Country Fixed Eﬀects Yes Yes Yes Yes

Observations 2102 1991 1880 1769

(1) Robust standard errors clustered by continent are provided under the OLS estimates.

(2) The dependent variable is the growth rate of total revenue, i.e. ∆log(TRt).

(3) ***, **, and * respectively denote signiﬁcance at the 1 percent, 5 percent, and 10 percent levels.

xv B.1.3 Robustness Check: Pretreatment

To check the robustness, results in Table B5 present the pre-treatment effect. Column (1) presents our baseline results. In Column (2), we evaluate if there exists any pre-treatment effects one quarter before the Snowden revelations took place. The coefficient of US × Pre Snowden (T=18) is 0.038 and it is not statistically significant. Similar results are shown in Column (3) and (4).

Table B5: Robustness Check with Pretreatment

Variable (1) (2) (3) (4)

US -0.131*** -0.126*** -0.123*** -0.123***

(0.010) (0.011) (0.012) (0.013)

Post Snowden 0.035 0.022 0.015 0.014

(0.033) (0.036) (0.039) (0.043)

US × Post Snowden (t > 18) -0.113*** -0.104*** -0.098*** -0.097***

(0.024) (0.024) (0.025) (0.028)

US × Pre Snowden (t = 18) 0.038 0.043 0.044

(0.024) (0.026) (0.031)

US × Pre Snowden (t = 17) 0.021 0.022

(0.014) (0.017)

US × Pre Snowden (t = 16) 0.002

(0.022)

Observations 2413 2413 2413 2413

(1) T=18 implies Q2, 2013, T=17 denotes Q1, 2013 and T=16 is Q4, 2012.

(2) Robust standard errors clustered by continent are provided under the OLS estimates.

(3) The dependent variable is the growth rate of total revenue, i.e. ∆log(TR).

(4) ***, **, and * respectively denote signiﬁcance at the 1 percent, 5 percent, and 10 percent levels.

(5) All results include sector FE, country FE, quarter FE and trend adjusted country FE

xvi B.1.4 Robustness Checks without the Five Eyes

In this section, we have a diﬀerent control group as robustness checks. Some concern that the

Snowden revelations include the Five Eyes’ international surveillance programs. The Five Eyes is an intelligence alliance comprising Australia, Canada, New Zealand, the United Kingdom and the United States and has developed a series of bilateral agreements from 1946. If a fraction of the control group is under eﬀect of the Snowden revelations, our baseline results would be underestimated. In our data, there are 19 ﬁrms which have their headquarter in four countries,

Australia, Canada, New Zealand and the United Kingdom and we excluded them from the control group in the following table.

Table B6: Robustness Checks with Non-Five Eyes from the Control group

Entire Pre PW

Control NonUS NonFVEY NonUS NonFVEY

Variable (1) (2) (3) (4)

US -0.131*** -0.126*** -0.048*** -0.114***

(0.010) (0.009) (0.004) (0.004)

Post Snowden 0.035 0.066** -0.135** -0.137*

(0.033) (0.030) (0.062) (0.068)

US × Post Snowden -0.113*** -0.136*** -0.189*** -0.202***

(0.024) (0.022) (0.012) (0.013)

Observations 2413 1998 2102 1742

(1) Robust standard errors clustered by continent are provided under the OLS estimates.

(2) The dependent variable is the total revenue.

(3) ***, **, and * respectively denote signiﬁcance at the 1 percent, 5 percent, and 10 percent levels.

(4) All results include sector fixed effects, country fixed effects, quarter fixed effects and trend adjusted

country ﬁxed eﬀects.

xvii B.1.5 Speciﬁcation Checks: Alternative Regression Model

In our baseline results, we use the growth rate of total revenues instead of level variables since the total revenue patterns are different between US-based firms and non-US-based firms before the

Snowden revelations. Table B7 and Table B8 present the results with the level variable of firm’s total revenue as the dependent variable. Due to a violation of the parallel trend assumption, the results are opposite and there is a positive and significant effect of the Snowden revelations on the US-based firms. This is one example of the incorrect specification. Table B9 also provides some evidence of the incorrect specifications as the results change dramatically with the lagged dependent variables.

Table B7: Speciﬁcation Check with the Diﬀerent Dependent Variable (Entire Periods)

Variable (1) (2) (3) (4) (5)

US 12.685 24.490** 55.282*** 55.900*** 27.404***

(14.798) (9.641) (5.277) (5.321) (7.783)

Post Snowden 18.513*** 17.813*** 17.785*** 54.177*** 89.251***

(5.532) (5.054) (5.195) (12.124) (10.670)

US × Post Snowden 43.066*** 50.804*** 51.101*** 51.744*** 29.461***

(7.070) (5.444) (5.587) (5.561) (9.244)

Sector Fixed Eﬀects No Yes Yes Yes Yes

Country Fixed Eﬀects No No Yes Yes Yes

Quarter Fixed Eﬀects No No No Yes Yes

T × Country Fixed Eﬀects No No No No Yes

Observations 2524 2524 2524 2524 2524

(1) Robust standard errors clustered by continent are provided under the OLS estimates.

(2) The dependent variable is the total revenue

(3) ***, **, and * respectively denote signiﬁcance at the 1 percent, 5 percent, and 10 percent levels.

xviii Table B8: Speciﬁcation Check with the Diﬀerent Dependent Variable (Pre PW Periods)

Variable (1) (2) (3) (4) (5)

US 13.110 27.420*** 59.765*** 59.765*** 31.622***

(13.988) (8.920) (5.308) (5.308) (5.864)

Post Snowden 17.522*** 17.032*** 44.188*** 44.188*** 76.255***

(5.199) (4.676) (8.216) (8.216) (3.376)

US × Post Snowden 26.885*** 34.542*** 35.579*** 35.579*** 14.877***

(5.181) (4.605) (4.675) (4.675) (4.156)

Sector Fixed Eﬀects No Yes Yes Yes Yes

Country Fixed Eﬀects No No Yes Yes Yes

Quarter Fixed Eﬀects No No No Yes Yes

Trend Adjusted Country Fixed Eﬀects No No No No Yes

Observations 2102 2102 2102 2102 2102

(1) Robust standard errors clustered by continent are provided under the OLS estimates.

(2) The dependent variable is the growth rate of total revenue.

(3) ***, **, and * respectively denote signiﬁcance at the 1 percent, 5 percent, and 10 percent levels.

xix Table B9: Speciﬁcation Check with the Lagged Dependent Variable of TR (Entire Period)

Variable (1) (2) (3) (4)

US 55.900*** -2.232 -2.564* -2.400

(5.321) (1.681) (1.345) (1.394)

Post Snowden 54.177*** -1.144 -2.909 -2.628

(12.124) (1.062) (1.964) (2.054)

US × Post Snowden 51.744*** 1.020** 1.095 0.796

(5.561) (0.464) (0.730) (0.625)

∆log(TRt−1) 1.057*** 0.969*** 0.986*** (0.018) (0.212) (0.179)

∆log(TRt−2) 0.094 0.203 (0.207) (0.251)

∆log(TRt−3) -0.133 (0.084)

Sector Fixed Eﬀects Yes Yes Yes Yes

Country Fixed Eﬀects Yes Yes Yes Yes

Quarter Fixed Eﬀects Yes Yes Yes Yes

Observations 2524 2413 2302 2191

(1) Robust standard errors clustered by continent are provided under the OLS estimates.

(2) The dependent variable is the total revenue.

(3) ***, **, and * respectively denote signiﬁcance at the 1 percent, 5 percent, and 10 percent levels.

B.1.6 Patterns of Firm Entry and Exit and Additional Results

During the periond from Q1, 2009 to Q4, 2014, there are 9 exiting ﬁrms. Among 9 exiting ﬁrms,

7 firms (2 Non-US-based firms and 5 US-based firms) exited after the Snowden revelations. When

ﬁrms exit the cloud computing market at time t, the total revenue at time t is captured as 0 in our data set. In that case, the dependent variable, ∆log(TRt) is a missing variable as log(TRt)

xx cannot be defined. We consider that firm’s decision to exit the cloud computing market could be affected by the Snowden revelations. In the baseline results, we treat the dependent variable for the exited firms as −log(TRt−1). In this robustness section, Table B10 presents additional results to treat the exited firms’ growth as missing values. The results show the Snowden effect is still negative and statistically significant to the US cloud computing industry. However, the size of losses is smaller than our baseline results.

xxi Table B10: Additional Results without Exiting Firms

Variable (1) (2) (3) (4) (5) (6)

US × Post Snowden -0.021** -0.017 -0.030*** -0.028** -0.015* -0.019*

(0.009) (0.010) (0.008) (0.012) (0.008) (0.010)

US -0.036*** -0.036*** -0.110*** -0.114*** -0.033*** -0.033***

(0.005) (0.005) (0.003) (0.003) (0.005) (0.006)

Post Snowden -0.007 -0.006 0.010 0.011 -0.015 -0.011

(0.019) (0.024) (0.016) (0.027) (0.017) (0.015)

Pre Snowden 0.024

(0.021)

∆log(TRt−1) 0.149 (0.103)

Sub-Period Pre PW Pre PW

Sub-Group Non FVEY Non FVEY

Observations 2404 2096 1990 1736 2404 2293

(1) Robust standard errors clustered by continent are provided under the OLS estimates.

(2) The dependent variable is the growth rate of total revenue, i.e. ∆log(TR).

(3) ***, **, and * respectively denote signiﬁcance at the 1 percent, 5 percent, and 10 percent levels.

(4) All columns include sector fixed effects, country fixed effects, quarter fixed effects and trend adjusted country fixed effects.

(5) Pre Snowden is deﬁned as 1(t = 18) where t=18 denotes one quarter before the Snowden revelaions

(Q2, 2013).

xxii B.2 Further Details on the Synthetic Control Method

B.2.1 Additional Results on the Synthetic Control Method

In Section 6.2, we used synthetic control methods as the robustness checks. We construct the aggregated country-level data using the original ﬁrm-level dataset from Synergy. Table

B11 describes the number of firms in each country and revenue per firm. In our analysis, natural logarithm was used to consider the characteristics of adoption patterns and mitigate the differences between the control and the treated.

xxiii Table B11: Summary Statistics for Synthetic Control Method (Pre Snowden)

Country Number of Firms Revenue per Firm (TR) log(TR)

Australia 7 22.16 6.12

Canada 3 22.76 7.61

China 8 42.44 7.45

France 2 121.27 8.45

Germany 2 120.40 7.89

Hong Kong 1 13.59 7.03

India 5 20.67 7.48

Italy 3 55.81 7.90

Japan 9 135.16 8.97

Korea (South) 2 43.51 8.14

Luxembourg 1 9.59 6.76

Netherlands 2 100.75 9.18

Russia 1 1.29 4.70

Singapore 1 134.53 9.46

Spain 1 117.69 9.34

Switzerland 1 60.82 8.59

Taiwan 1 19.48 7.50

United Kingdom 9 58.13 7.20

United States 52 75.00 7.15

Table B12 presents the synthetic weights for the US cloud industry and Table B13 shows the predictor variables.

xxiv Table B12: Synthetic Weights for the United States

Synthetic Synthetic

Country Control Weight Country Control Weight

Australia 0.157 Korea 0

Canada 0 Luxembourg 0

China 0.18 Netherlands 0

France 0 Russia 0.007

Germany 0 Singapore 0

Hong Kong (China) 0 Spain 0

India 0 Switzerland 0

Italy 0 Taiwan 0

Japan 0.16 United Kingdom 0.656

xxv Table B13: Predictor Means Before the Snowden Revelations

US Average of

Variables Real Synthetic 18 control countries

Ln(GDP) 30.38 28.64 28.00

Broadband Subscription 28.04 27.41 27.05

Telephone Subscription 45.65 46.31 43.86

Internet Users 74.58 76.01 70.10

Secured Internet 448166.30 66249.95 30985.95

Legal Right 9.25 8.72 6.27

Inﬂation 1.86 3.13 2.62

Labor Force (million) 312 164 134

Total Population (million) 312 288 259

Ln(Total Revenue), 2013 Q2 7.97 7.87 8.11

Ln(Total Revenue), 2013 Q1 7.89 7.75 8.08

Ln(Total Revenue), 2012 Q4 7.62 7.70 8.08

Ln(Total Revenue), 2009 Q3 6.34 6.51 7.46

Sources of Data: OECD

xxvi B.2.2 Additional Results: Placebo Test

Some may concern if the channel of our results would not be the eroded privacy due to the

Snowden revelations. As a robustness check, we applied the Synthetic Control Method to the all other industry’s revenues.

Table B14: Synthetic Weights for the United States

Synthetic Synthetic

Country Control Weight Country Control Weight

Australia 0 Korea 0

Canada 0 Luxembourg 0

France 0 Netherlands 0

Germany 0.807 Russia 0.007

India 0.184 Spain 0

Italy 0 Switzerland 0

Japan 0.009 United Kingdom 0

xxvii Table B15: Predictor Means Before the Snowden Revelations

US Average of

Variables Real Synthetic 14 control countries

Ln(GDP) 30.375 28.774 28.130

Broadband Subscription 28.044 26.761 28.082

Telephone Subscription 45.650 50.978 46.654

Internet Users 74.580 68.587 73.366

Secured Internet 448166.300 64724.670 64749.530

Legal Right 9.250 7.026 6.406

Inﬂation 1.855 3.115 2.580

Labor Force (million) 158 121 66.3

Total Population (million) 312 291 150

Ln(Revenue), 2013 Q2 4.678 4.676 4.613

Ln(Revenue), 2013 Q1 4.675 4.669 4.611

Ln(Revenue), 2012 Q4 4.668 4.667 4.641

Ln(Revenue), 2009 Q3 4.548 4.513 4.548

xxviii