Editor’s note: Paul Rosenzweig is a senior adviser to The Chertoff Group, a global security advisory firm that advises clients on information security, including cloud computing, and former Deputy Assistant Secretary for Policy at the U.S. Department of Homeland Security.
“Who says A must say B…”
The aphorism, often attributed to the conservative philosopher James Burnham (though it originated in the fable of Hansel and Gretel), is a short-hand phrase that is intended to capture the requirement of intellectual consistency. Or, put more colloquially – don’t be an intellectual hypocrite. American cyber policy makers may well rue not paying heed to Burnham. The legal interpretations they currently espouse may soon turn around to bite them in the proverbial hypocritical posterior.
The issue is put in stark relief by the recent announcement from Alibaba, the Chinese technology company that plans to open up a new data center in Silicon Valley. From a business perspective, the decision makes perfect sense. The center will allow Alibaba to expand one of its product lines — cloud services for businesses — into the American market. It portends an effort by Alibaba to go head-to-head with other cloud service providers, like Amazon, that lease computing systems to businesses. Where, before, Alibaba’s clientele was almost exclusively Chinese, the new data center is part of an effort to become more multinational.
And that will give American law enforcement heartburn. Because if they don’t want to be intellectual hypocrites, they are going to be obliged to acknowledge that Alibaba’s entry into the American market also means that the Chinese government will have direct access to American data – because the U.S. government says the exact same thing about American companies operating in China. And that can’t be a comfortable conclusion.
The most notable example of this legal theory is a case pending in New York. In December 2013, Microsoft, received a warrant issued by a magistrate in the Southern District of New York that ordered the company to turn over information relating to a user whose data was stored at the company’s Dublin, Ireland, data center.
The user’s content was assigned to the Ireland data center based on its geographic proximity to the user’s sign-up location. In the Department of Justice’s view, which the district court adopted, the U.S. government can compel any U.S.-based cloud provider to disclose a user’s content data stored outside the United States simply because the U.S. company is subject to American control and jurisdiction. An appeal of the case is pending and, candidly, the law is indeterminate and ambiguous. That’s why Senator Hatch has introduced a bipartisan bill, the LEADS Act, to clarify the law.
But let’s assume, for a moment, that the American government’s view of the current law is right – that is, that the government has the legal authority to compel an American company to disclose any information in its control, wherever in the world that information may actually be stored. And, more to the point, that the U.S. government may do so regardless of potentially contrary foreign law – such that, in our example, the laws of Ireland are irrelevant to the question of what to do with data about an Irishman stored in Ireland.
If we accept that view then, of necessity, we must be logically consistent and say that the same is true of American data stored on the Alibaba server in Silicon Valley. The Chinese government is legally free to compel a Chinese company, like Alibaba, to disclose any information in the company’s control, even if that data is stored in America. And, by the logic of our own government’s argument, the laws of the United States are irrelevant, even if the data is on American soil and pertains to American citizens or business dealings. One can imagine that most American citizens would be surprised to learn that American privacy and civil liberties laws were inapplicable to their own data housed on America soil.
So the Alibaba announcement highlights a conundrum for citizens and for CEOs who might use cloud services. The current legal structure creates perverse incentives. Data center locations are selected on the basis of practical criteria, including the availability of infrastructure, climate, and proximity to the end customers. Law should foster that efficiency, but not at the cost of loss of an individual or corporation’s rights and privileges. We do not want a world where some jurisdictions, perhaps out of an authoritarian interest in control, see this legal rule as a license to interfere with efficient local storage requirements.
Nor do we want a world in which there is a “race to the bottom” as nations create data access rules that are favorable to their own domestic interests while disregarding the globalized nature of the network. These competing interests among nations need to be replaced with an agreed-upon international system to harmonize existing rules within an agreed upon framework of law.
That’s an ambitious, perhaps impossible, undertaking. But the alternative is worse. Who says A must say B. Who says Amazon, must say Alibaba.