Implications of Post-Snowden Internet Localization Proposals

2 September 2014 - A Workshop on Other in Istanbul, Turkey

Brief substantive summary of the workshop and presentation of the main issues that were raised during the discussions

Following the 2013-2014 disclosures of large-scale pervasive surveillance of Internet traffic, various proposals to "localize" Internet users' data and change the path that Internet traffic would take have started to emerge.

The session assessed the implications of such measures, looking at their efficiency in addressing concerns of foreign surveillance on Internet users, as well as the benefits and risks of such proposals on other areas including user choice, innovation and Internet resilience.

Discussions focused on three main buckets of localisation proposals:
o    Mandatory requirements to locate data/servers within country to serve that country’s customers
o    Development of state-run services/restrictions on foreign commercial services
o    Cables, IXPs and measures related to routing of Internet traffic

KEY TAKEAWAYS

*Geographical location of data to secure communications has limited efficiency
Many elements come into play when communicating with others through a network. Despite measures to localise data, many factors (protocols, types of equipment involved) can fail the security test along the path and expose communications to external surveillance.

*Mandatory data localisation: impact on innovation and entrepreneurship
Mandatory data localisation requirements could increase costs for companies, which might be passed on to consumers. Higher cost barriers might also discourage SMEs from innovating and operating in those countries. Most Internet companies rely on the Internet’s global scale and interoperability.
Others felt that mandatory localisation would likely only target larger companies, as they are the ones that usually attract most government data requests.

*Mandatory data localisation: impact on user choice
Forced localisation might reduce user choice and users’ ability to locate their data in other countries. Users may have many reasons to locate their data abroad, including better privacy protections, risks of censorship/monitoring at home, better quality of service.

*Mandatory data localisation: risks of greater domestic surveillance
Mandatory data localisation could generate greater capacities for governments to undertake domestic surveillance.

*On national email systems as a response to foreign surveillance
Centralized national services (e.g. cloud, email) are likely as vulnerable to foreign surveillance as using an international service provider. Instead, there should be a multiplicity of both vibrant local markets and vibrant international service providers who can provide secure e-mail, thus offering more choice to users.

*Internet Exchange Points & undersea cables
The development of Internet Exchange Points can be beneficial, at least for the development of more efficient traffic routing at the local level, if not so much as a means to reduce foreign surveillance. The development of new undersea cables can add to the global resilience of the Internet, as long as they remain connected and interoperable with the global Internet. However, some called for caution in the case of mandatory requirements to route all national traffic through a national IXP, especially if its structure is heavily governmental.

*Location of data in a context of extraterritorial jurisdiction
Jurisdictions in country X are compelling companies headquartered in country X but operating in country Y to hand over data from overseas. The example was given of the Microsoft Ireland case, where the company is trying to push back on requirements from US Courts to hand over data from their Irish operations.
From a European perspective, data from European citizens belongs to them wherever this data is located. It is generally considered that there is European jurisdiction over data if it belongs to Europeans.
Brazil’s Marco Civil includes a provision that establishes Brazilian jurisdiction over all user data related to a Brazilian citizen, regardless of where the data is stored.
In 2008, an Indian Act claimed that if harm is caused to Indians or Indian property, Indian jurisdiction will apply. In practice, this won’t work unless law enforcement in another country accepts this jurisdiction claim.

*Hidden motivations: taxation & protectionism?
Beyond the alleged desire to protect citizens from foreign surveillance, some motivations related to forced data localisation may pertain to interests in taxation of foreign companies, which would be more easily applied to companies that operate within countries. Similarly, some assumed that this could also be a way to increase costs for foreign players, and therefore promote competing local services.

*Possible trade issues
Could forced localisation requirements generate trade disputes? Someone highlighted that there are exceptions in most trade agreements for national security purposes.

Changing focus?

*Cryptography rather than geographic localisation
A lot of the Internet’s value comes from its global nature, connecting people and business across different places.
Instead of geographic localisation of data, focus should be on encrypted communications; using technology to limit the particular number of people that access the data. In other words, not limiting the area, but rather the entities accessing the data.
Email server-to-server encryption was given as one such example.
The point was also made that cryptographic solutions may interfere with some national laws related to the right to information or public requirements that government should have access to everything that the bureaucrats do.

*Beyond encryption or localisation: users’ practices
Whether we focus on encryption or localisation, much comes down to users’ practices.
Tools exist, but many people aren’t using them. Many individuals are voluntarily signing up for geo-tracking tools, providing very sensitive data about themselves to different companies in different jurisdictions.

*Capacity building, awareness and informed user choice
Users should have a greater understanding of where their data is located and what rules apply to its use, in order to make informed decisions. The wish was expressed that users should have more choice in terms of the location of their data, considering privacy rules offered by different countries and regions (notion of data havens).
Similarly, even if technology can help make surveillance more difficult and expensive, it is important that users have the capacity to make informed choices on the way they use and share their data. The Internet is largely built on trust, and trusted relationships should be a focus as well.

*Countries should look at their internal markets first
Before looking at mandatory localisation rules for foreign companies, some argued that countries should first look at their internal markets and routing patterns, in particular in cases where most of the local traffic is transiting or stored abroad. The example was given of a country that only has 19% of its websites hosted in the country itself, and the rest abroad.

Conclusions drawn from the workshop and possible follow up actions

There clearly is no silver bullet to address concerns of foreign surveillance. Focus on the geographical location of data does not seem to provide satisfactory answers to that issue, whether from a technical (there are many ways to access the data without users’ explicit consent) or a legal perspective (extraterritorial application of laws). Many of the measures that would constrain data within national borders might also generate chilling effects, whether on user choice, users’ privacy in a domestic context, or in terms of permission-less innovation.

Voluntary measures that add local technical capacity to the network are generally welcome, as they can be beneficial for Internet development. Their impact on reducing surveillance is not conclusive, however.

Alternatives to these measures were explored with the panel, including by focusing on encryption of data and reducing the number of parties that can access users’ data. It was however felt that an essential pre-requisite should be to build capacity and awareness of end-users, who should be better equipped with an understanding of how and where their personal data is processed.

Estimation of the overall number of participants present at the workshop

90

Estimation of the overall number of women present at the workshop

About half of the participants were women

Extent to which the workshop discussed gender equality and/or women’s empowerment

It was not seen as related to the workshop’s theme and was not raised

A brief summary of the discussions in case the workshop addressed issues related to gender equality and/or women’s empowerment

No information provided

Reported by

Nicolas Seidler