26 Mar 2016

Keeping Our Data Safe From Foreign Governments

(Disclosure: I work for Google, but these are my personal views.)

When the Snowden scandal happened, most of the debate in the US was about the rights of Americans. People of other countries weren’t even mentioned in many discussions. This was a “fuck you” to the rest of us. Now, with the FBI demanding that Apple create an insecure version of iOS, the debate has again focused on the rights of Americans.

Americans don’t care about people of other countries, who have no say in this debate and no rights when they store their data with American companies. What can we do to safeguard ourselves from the Americans?

The EU is at the forefront of this, with the Data Protection Directive, which guarantees the rights of European citizens. It seems simple and clear and covers a comprehensive set of rights:

You should be given notice when your data is collected. And you should be asked for your consent, not just be informed. As part of consent, you should be informed who is collecting your data, and for what purpose. Then, the data should be used only for that purpose. It should be kept secure from any potential abuses. You should be able to access your own data. Mass surveillance of the sort the US (or India) practices is not allowed.

The crucial aspect of that law is that it applies to non-European companies as well. If only European companies were subject to the law, it would be of limited use. But any company that wants to do business in the EU should adhere to it. If a company can’t adhere to these rules, perhaps because its own government is the problem, it can’t do business in the EU. As simple as that.

This is an effective bulwark against over-reaching US laws or practices, like the Patriot Act, which requires US companies to hand over data about non-US users to the US government, even if the servers are located outside the US.

Too much of the debate has focused on the physical location of the servers. But that doesn’t matter. I don’t care whether my data is stored in the US or in Singapore. What I care about is who can access my data, and under what circumstances, and what rights I have.

More countries should pass such data protection laws. Importantly, these should increase the amount of privacy citizens have, not water them down. Unfortunately, many laws do the opposite. Especially in India, where the government is predatory, far worse than the US government at guaranteeing its own citizens’ rights.

Countries should try to pass data protection laws that provide stronger privacy protections to their citizens, and not take away any right that they already have. There should be no restriction on where the data is stored or where the company is headquartered. For example, I as an Indian should be able to use Google, a US company, which should be able to store my data either in the US, in India, or in a third country. None of that should matter, as long as the rights specified in the law are adhered to.

The real power is with our governments, not with the Internet companies or individual citizens. US Internet companies have to comply with US law, and likewise for Internet companies headquartered in other countries. Internet companies don’t have the upper hand in this discussion. Governments do [1].

More countries should pass such strong, beneficial laws that protect their citizens from overreach by foreign governments. This will force foreign governments to fix their laws, or see their companies lose business outside their home country.

Governments should add exceptions to their laws so that their companies aren’t excluded from doing business in other countries. For example, let’s take the case of a German user [2] who stores their data with an Indian company. Indian law requires companies to decrypt user data and hand it over to the Indian government if the government asks. This prohibits the Indian company from doing business in Germany, so German citizens should have an exception. This exception would be limited to the minimum needed for Indian companies to do business in Germany.

It wouldn’t prevent the Indian government from doing what the German government can do. If the German government can access data for a particular reason, say to prevent money laundering, then the Indian government would also be able to access German citizens’ data stored with Indian companies to prevent money laundering [3].

This wouldn’t apply to Australian citizens whose data is stored in India, for example, assuming that Australia doesn’t have an EU-style data protection law. Australia may have a law that restricts what Australian companies can do, but that’s not relevant here. If Australia doesn’t restrict what non-Australian companies can do with Australians’ data, and an Australian citizen uses an Indian Internet service, then the Indian government would have whatever access it has under the law.

This does the minimum needed for companies to do business internationally. It ensures that citizens don’t lose their rights when they store their data outside their borders. Companies aren’t prevented from doing business internationally. It prevents the Internet from becoming fragmented into a number of fiefdoms, as phone systems and banking are. Users will be able to use the best product or service for a given task, no matter which country the company is from.

This law should protect not just Indian companies but datacenters located in India, whether owned and operated by foreign or Indian companies. When a German user’s data is stored in an Indian datacenter, it should be protected as above. Because the alternative is that German users’ data won’t be stored in Indian datacenters, in which case the Indian government won’t have access, anyway, and Indian companies are hurt in the process.

In summary, governments worldwide should adopt strong data protection laws that safeguard their citizens’ rights no matter where the data is stored or where the company is headquartered. If a company can’t comply with a country’s data protection law (because of a conflicting law in the country where it’s headquartered), it should be prevented from doing business in that country. Governments should react to this by rolling back laws that would hobble their own companies, or discourage investment in their country, like building datacenters.

This will be a simple, fair, consistent system that provides strong privacy guarantees to people, doesn’t unduly hobble international business, and reduces conflicts between governments.

[1] There’s one thing companies can do today without relying on any government: When I as an Indian user store my data with Google, for example, assume that both the Indian and American governments can get access to the data. But maybe Google should avoid storing my data in Taiwan if doing so means that the Taiwanese government can access the data. If storing my data in a datacenter in a third country reduces my privacy, then don’t store the data there. Store it only in countries whose laws don’t risk my privacy. Or if there are no such countries, store it only in the US. The only thing worse than the US and Indian governments accessing my data is the US, Indian and some other country’s government accessing my data.

Limiting where data can be stored increases costs and degrades performance, so it needn’t be the default. It could be an option for privacy-sensitive users, accompanied by a fee to offset the increased costs.

[2] A foreign user could be defined as one whose IP address, at least 95% of the time, is outside the country. If someone has an Indian phone number, credit card or postal address, they are no longer a foreign user.

[3] In this case, the definition of money laundering would be whatever it is under German law. That prevents the Indian government from doing whatever it wants and then claiming that it’s doing so to prevent money laundering.

