October 07, 2015

Europe's Big, Big, Big Lie About Data Privacy

By now you may have heard about a European court's new decision against the so-called data "Safe Harbour" (over here we'd spell it "Safe Harbor") framework, involving where various Internet data for various users is physically stored.

You can easily search for the details that explain what this could effect, what it potentially means technically and legally, and generally why this dangerous decision is a matter of so much concern in so many quarters.

But here today I'm going to concentrate on what most of those articles you'll find won't be talking about -- what's actually, really, pushing the EU and various other countries around the world to demand that user data be kept in their own countries.

And you can bet your bottom dollar, euro, or ruble, it's not for the reasons they claim.

We have to begin with an unpleasant truth.

All countries spy. All of them. Every single one. No exceptions. They always have spied, they always will spy. Humans have been spying on each other since the caves.

And demands for "data localization" in reality have virtually nothing to do with privacy, and virtually everything to do with countries wanting to be sure that they can always spy on their own citizens and other residents.

Generally (but not always) intelligence and law enforcement services around the world draw some sort of (often muddy) line between domestic spying and spying on the activities of other countries. The rules and laws any given nation uses in-country can be different from their "beyond their borders" spying laws. In some countries, domestic spying is simply considered a normal police function, and in some nations the dividing line between law enforcement and intelligence agencies is nearly or completely nonexistent.

Even when regulations related to surveillance exist in an individual country, they are often officially ignored in many contexts, with nebulous "national security" concerns taking precedence.

Again it's important to emphasize: All countries spy. They spy to the maximal extent of their technical and financial abilities.

It has not been uncommon for nations to consider spying outside their borders to be a completely open game, not subject to any effective rules or limits. After all, those you're spying on out there aren't even your citizens!

But this is not to say that domestic spying isn't a major component of many countries' intelligence apparatus, and we're talking about entrenched domestic surveillance regimes in some countries outside the U.S. that make Edward Snowden's "revelations" about NSA look like a drop in the bucket.

Ironically, Snowden's new adopted home under the kindly influence of Czar Putin is one of the world's worst offenders in terms of domestic surveillance. China is another.

And coming up close behind is Europe.

The clues as to why Europe is now in this pitiful pantheon can be discerned clearly if you pay attention to what EU politicians and other EU officials have been saying publicly, even if we ignore the known revelations about their own spying activities.

Terrorism. It's on almost all their lips, almost all the time.

And this drives not only horrendous concepts like the EU (and now other countries) attempting to impose global censorship via "Right To Be Forgotten" (RTBF) regimes, but their demands for ever greater surveillance capabilities. Their rising tide of ostensible panic over strong encryption systems also plays into this same "rule by fear" mindset.

Which brings us back around to "safe harbour" and data localization.

The real reason you have countries demanding that the data of their citizens and other residents be stored in their own countries is to simplify access to that data by authorities in those countries, that is, for spying on their own people.

Notably, while U.S. authorities are indeed making a lot of noise trying to condemn strong encryption systems, you don't see serious calls for U.S. residents' data to be stored only on U.S. servers.

So what's the deal with the EU, and Russia, and various other countries about data localization? Clearly, having the servers in-country doesn't increase privacy -- it merely provides easier physical access to those servers and their associated networking infrastructures for law enforcement and intelligence operations.

True privacy protection isn't based on where data is located, but on the privacy policies and technologies of the firms maintaining that data, no matter where it physically resides.

So in many ways it's the EU/Russian politicos' worst data nightmare to have user data stored by companies like Google who won't just hand it over on any weak pretext, who are implementing ever stronger encryption systems, and who have incredibly strict rules and protections regarding access to user data -- and in particular regarding the legal processes required for access to that data by governments or other outside parties.

I'll note here once again that NSA or other U.S. intelligence agencies never had the ability to go rummaging around in Google servers as some of the early out-of-context clickbait claims of Snowden were inaccurately touted to imply. I've seen how Google handles these areas internally. I know many of the Googlers responsible for these systems and processes. If you don't want to believe Google or myself on this, that's your prerogative -- but you'd be wrong.

But in many other countries, law enforcement or intelligence services can get physical access to servers in those nations without any significant legal process at all -- just a nod and a wink, if that much.

That, dear friends, is what's actually going on. That's what exposes the big, big, big lie of data localization demands.

It's not about privacy. It's exactly the opposite. It's all about spying on your own people. It's about censorship. It's about control.

And like it or not, that is the sad and sordid truth.

I have consulted to Google, but I am not currently doing so.
All opinions expressed here are mine alone.

Posted by Lauren at October 7, 2015 11:12 AM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein