Like money stored under a mattress, data kept at home may be less safe than data stored with services fighting for customers in a global mkt
Our parents left India and Vietnam in search of opportunities abroad. Today, a young programmer in Vietnam can create the most popular app in the world, as Dong Nguyen did with his game Flappy Bird, without leaving home. The Internet allows people from Bangalore to Silicon Valley, and from Nairobi to Rio de Janeiro, to offer services to the world. Many of these services, even Flappy Bird, involve the transfer of personal information across the globe—from payment details to high scores.
But even as we celebrated its 25th birthday on March 12, the free and open web is at risk. As our just released study, Breaking the Web: Data Localisation vs. the Global Internet, lays out, governments around the world are trying to keep information about their people from leaving their borders, citing concerns about foreign surveillance, privacy and security, domestic law enforcement and economic development.
What is the “data” that they would prevent from leaving? Australia says that health data about Australians cannot be taken offshore if it is personally identifiable. Brazil is considering a law that would give the executive power to designate what information can and can’t leave the country. Vietnam wants all data about its citizens, from their Facebook updates to their lists of friends, to remain available on computer servers in the country.
Governments argue that by keeping data at home, they are improving the privacy and security of their citizens. The reality, however, is that data localisation probably won’t achieve any of these goals, and is likely to undermine them. The underlying assumption of governments is that data kept abroad is data kept unsafe and that data kept at home is data that’s more secure.
But, like money stored under a mattress, data kept at home may in fact be less safe than data stored with services fighting for customers in a competitive global market. Data kept on a government computer in Vancouver isn’t necessarily any more safe than data kept on IBM computers just a few miles further south in Seattle. The information is almost certainly less safe than data distributed between multiple locations, ensuring that a natural disaster that affects one data center won’t result in a permanent loss.
After all, even if you don’t let your data leave, that doesn’t stop hackers from getting in. Criminal hackers have shown a talent for operating across borders. The code used to break into the computer systems of the American retailer Target, for example, appears to have been written partly in Russian. Keeping information at home does not keep it hidden from the prying eyes of foreign governments either. In fact, the U.S. National Security Agency has far fewer constraints when it operates abroad than when it operates at home.
So the location of data isn’t a guarantor of its security and governments shouldn’t act as if it is.
Governments also assume that data localisation mandates will force global companies to build local infrastructure, thereby stimulating local investment. But let’s not forget that many of these global services are cheap precisely because they’re able to offer global scale to small companies without building extra infrastructure. Many service providers may find it too expensive or too risky to offer their services, and avoid the jurisdiction entirely. Yet other services may simply ignore the mandate, and continue to serve the local population. Most worrisome for these countries, companies may intentionally avoid locating their operations in countries with cumbersome data localisation requirements. Rather than stimulate investment, such measures may thus steer it elsewhere.
Not only will these measures likely fail to accomplish their objectives, they threaten some of the most important innovations made possible by the Internet. In an Information Age, data is the lifeblood of commerce. Efforts to corral that data within borders dramatically alter the way that the Internet works, from shuttering the astonishing new kinds of trade made possible by the Internet to making it difficult to use cloud-based services such as Dropbox or Apple’s iCloud, or even new fitness trackers such as Samsung’s Gear Fit.
Because of the Internet, individuals and companies from Silicon Valley to Bangalore can supply their services to the world without needing the resources or visas to set up shop across the world. This has been especially good for small businesses and innovators across Asia, who suddenly have the same global reach and market access that only the largest of companies had a decade ago. Data localisation requirements will close this window to them, and Asia and the rest of us will be poorer for it.
This article is written by Anupam Chander and Uyen Le.
Chander is the Director of the California International Law Center and professor of law at the University of California, Davis. He is also the author of The Electronic Silk Road: How the Web Binds the World Together in Commerce, and the recipient of a Google Research Award.
Le is a free speech and technology fellow at UC Davis.