The reality of global Internet access means that U.S.-based Internet services often have a heavily foreign customer base. Consider Gmail, the popular e-mail service provided by Google. Google is headquartered in California, and its servers currently reside there. But Gmail’s business is truly international, and slightly less than 30% of Gmail’s users reside in the United States. This chart shows the percentage of Gmail’s users that are in a handful of different countries as of 2012:
Country % of Gmail Users
United States 29.7%
United Kingdom 2.9%
Facebook’s user base is even more heavily foreign than is Gmail’s user base. To be sure, using Facebook has become as American as apple pie: About 54% of Americans presently have a Facebook account. At the same time, only about 16% of Facebook’s users are located in the United States. The rest, about 84%, access Facebook from abroad. For United States-based services like Gmail and Facebook, United States users form a small subset of its global customer base.
From the standpoint of the National Security Agency the fact that U.S. online services companies have such large foreign customer bases is a huge opportunity. The legislative and judicial frameworks around surveillance do not appear to give foreigners anything in the way of protections. But foreign customers may not be very happy with that arrangement. Over and above the use of PRISM snooping as grounds for formal legal barriers to U.S. Web exports, there's just a great business opportunity here for someone to build a webmail service that's based in Berlin or Paris or Stockholm or someplace else where the local government is prepared to erect a firm privacy framework.
You might ask yourself why a program like PRISM needs to be secret, and I think this is part of the reason. When PRISM is known publicly, then non-participation in PRISM becomes a possible marketing point for non-American online services platforms. That's bad for American companies (who would therefore push for a high level of secrecy as a condition of involvement) and also bad for the NSA, whose ability to collect this data hinges on foreigners not abandoning American platforms.
Correction, June 7, 2013: This post originally misspelled Orin Kerr's first name.