Since the Charlie Hebdo attacks last month, the French government is considering requiring greater website blocking by Internet companies, U.K. Prime Minister David Cameron has suggested banning encrypted messaging services like WhatsApp, and multiple countries are talking about increased surveillance powers. Put these scenarios in Russia or China and American tech companies would be up in arms.
There’s another demand that European governments and repressive regimes alike are making and, in the long run, it’s more dangerous: data localization—requiring foreign companies to store citizens’ data within a country’s borders.
We should be concerned at the number of governments proposing this type of “data sovereignty” and how some companies—rather than pushing back—are rushing to comply.
Internet experts have long criticized localization requirements, which suggest that data should be stored based on political needs, rather than technical efficiency. These requirements contribute to a trend of atomizing today’s global Internet into country-level networks. They put a burden on companies, and pose risks to political activists and human rights defenders by making their information more accessible to authorities.
Yet, according to the general counsel of online storage company Dropbox, more than 20 governments proposed localization in the last year. For many, the stated reason has been not domestic monitoring, but rather protection against foreign government (read: American) spying. Germany has led efforts in Western Europe arguing measures like local storage and Europe-only routing as protection from the NSA’s reach. This may be politically attractive, but it’s doubtful whether localizing actually affords that protection technically—while instead giving a new government more access to user data.
It’s concerning how major U.S. tech companies are responding to these requests. Hurting from lost sales in the wake of the Snowden leaks, Amazon, Salesforce, IBM and Oracle are responding to this climate by proactively setting up data centers in Germany—absent a requirement. To be fair, some companies need servers closer to customers for performance and efficiency. But companies like Amazon admit that they are driven, in part, by political pressure to regain trust with European customers. For some companies, enabling data sovereignty is now a selling point.
In December, Russian President Vladimir Putin signed a bill mandating that foreign companies store Russian citizens’ data on servers within Russia and give Russian security forces greater access to user information. This is just one more tactic in years of efforts to invade Russian citizens’ privacy, which U.S. tech companies have been caught up in before. Similarly, when Apple gained access to China—which Tim Cook predicts will be the company’s biggest market—the company agreed to store user data on mainland servers, assuaging government stated fears over data security and NSA access. Almost immediately Apple’s iCloud data was hacked in a likely state-sponsored attempt to intercept citizens’ usernames and passwords.
U.S. companies’ eagerness to please the EU affects their leverage in a place like Russia or China, and undermines their principled calls for a global Internet. Just as we’ve seen the emergence of company best practices to minimize how information is censored, we need best practices to minimize risks in where it is stored. Companies should take the following steps:
- Avoid localizing in a repressive country whenever possible. When Yahoo! entered Vietnam, to meet performance needs without enabling the government’s Internet repression, it based its servers in Singapore.
- Explore global solutions. Companies like Apple and Google have started encrypting more data by default to minimize inappropriate access by any government. This doesn’t solve everything, but it’s a step forward for user privacy.
- Minimize exposure. If you must have an in-country presence, take steps to minimize risk by being strategic in what staff and services you locate there.
- Embrace transparency. A growing number of companies have increased transparency by issuing reports on the number of government requests they receive. They should also publish legal requirements like localization, so that people understand the underlying risks to their data.
- Work together. Companies should coordinate advocacy in difficult markets through organizations like the Global Network Initiative. Tech companies can take a proactive, collective approach, rather than responding reactively when their case hits the headlines.
We can only expect localization demands to increase—and business pressures to pull in the opposite direction. While the political dynamics have shifted, companies should still have respect for human rights—and the strength of the global Internet—at the forefront of decisions over where to store their data.
