“Threats to the open Internet come from all sides….Today’s threat comes from a patent and international trade agency.” – Charles Duan, Public Knowledge
The post-Snowden era of digital communication has been characterized by a series of efforts around the world to exert local control over the Internet. From democracies to dictatorships, a raft of proposals have been put forward by governing bodies who see benefits in controlling data. One technique is to require data be physically stored on servers in the country where the data originated. Thanks to a recent ruling by the International Trade Commission, yet another mechanism for enforcing data localization is now in sight.
It’s difficult for national governments to enforce data localization in a freewheeling digital ecosystem. In the past, such efforts could be easily bypassed with proxy servers, mesh networks and other workarounds. But last April, the ITC added one more layer to the mess of tools that governments can use to splinter and restrict access to the global Internet, when it ruled that transfer of digital data between countries can be regulated in the same way as physical goods. The decision found that, under Section 337(a)(1)(B) of the Tariff Act of 1930, data may be subject to customs laws just like any other import.
As succinctly summarized by Charles Duan, director of the Patent Reform Project at Public Knowledge, the ITC’s decision “just raises more questions.” The ITC’s stated justification is that the digital data sets in the case were “directly representative” of physical models and “are processed or treated through a series of interpolations in a manner analogous to physical manipulation.”
But what classifies a digital dataset as a “direct representation” of physical reality? Will all digital photographs be subject to trade laws? Such an interpretation could wreak havoc on trade treaties currently under negotiation, such as the TTIP and TTP, whose negotiators already face great difficulty finding common grounds on contentious data transfer issues like privacy, antitrust and intellectual property.
Globally, the move toward data localization has been motivated by divergent concerns, in some states to censor Internet activity, while in others, due to fears of foreign surveillance. Russia recently moved to enforce a law passed in July that requires all personal data of Russian citizens to be stored on servers in Russia. Google, Facebook and Twitter have been notified that compliance must include storing all metadata about Russians’ communications on local servers. This is especially problematic, given that Russian data servers are required to use encryption algorithms certified by the Russian Federal Security Service, effectively giving the FSB access to all the data and metadata. It’s a blatant move to restrict Internet access, consolidate the Russian government’s control over the media and give the Russian government increased access to private data.
Authoritarian governments like Russia, China and Iran have used data localization laws to more closely monitor citizen activities, but they are not the only countries passing such laws. The European Parliament is strengthening and expanding privacy laws under the General Data Protection Regulation and some EU members openly advocate creating a “Schengen cloud” to store and process European data.
Andrus Ansip, one of the new vice presidents of the European Commission, has gone on record that the EU-U.S. Safe Harbor data transfer agreement “is not secure.” Unless the U.S. Federal Trade Commission agrees to abide by stringent European privacy standards, Ansip said, “we must consider suspending the agreement.” This would prohibit data about European citizens passing through servers on U.S. soil without explicit consent. It could even compel European countries to remove data from U.S. cloud services. To quote Dirk Engling,a spokesperson for the European hacker association called the Chaos Computer Club:
“By ‘ensuring’ citizens that they are only safe if they restrict their Internet usage to within Europe, what is the Internet there for?”
In India, a country with a growing economy and strong incentive to solidify its place as an emerging tech power, data localization is seen as a tool to increase the country’s influence in the global market. The Indian National Security Council has proposed a plan to store all data regarding communication between two Indian citizens on servers located in India, effectively restricting access to Google, Facebook, and Microsoft Outlook. The plan is meant to safeguard the security and privacy of Indians’ data in light of the NSA surveillance revelations, somewhat hypocritically given the Indian government’s launch of Netra, an Internet spying system.
Aside from curbing freedom of expression, data localization laws would also drive up inefficiencies, increase Internet costs for users, and ultimately degrade data security by making it easier for the NSA to obtain data by direct intrusion and for governments to monitor domestic data. According to Facebook General Counsel Colin Stretch, by adding to the cost of running a network, with local data centers around the world, data localization leaves consumers with a slower Internet experience, limits connectivity and prevents the Internet from reaching its full potential
Given these increased costs and the uncertain economic environment for Internet Service Providers who carry international data, the effects of the ITC ruling could slow the spread of Internet connectivity in developing countries, while erecting barriers to transactions and communications across national borders. It also spells major losses for the U.S. economy: an ITIF study puts potential losses to the U.S. cloud computing industry between $21.5 and $35 million over the next three years as a result of the loss of trust in U.S. data storage providers.
Unless we want to be left with a neutered Internet, hacked into regional slices, we must remain vigilant and ensure that decisions such as the ITC case are reversed. The fact that the word “global” is cropping up as a qualifying descriptor for the Internet, used to describe an integrated network that may be disappearing, is a clear indicator of the challenging work that lies ahead.
The motivations and methods vary, but the principle remains the same. The power of the Internet resides in its effective and efficient structure for transferring of massive amounts of information and computing data. Such technology is powerful. It is also disruptive. We need to devise new legal frameworks for the digital world we live in, rather than retrofitting Tariff Acts from 1930.