Resisting Bulk Interception


The False Promise of Data Localization

📚 Reading Assignment: Routing Detours: Can We Avoid Nation-State Surveillance? - Annie Edmundson, RIPE Labs (2016)

Internet paths also lack geographic diversity: about half of the paths originating in Kenya to the most popular Kenyan websites traverse the United States or Great Britain. Much of this phenomenon is due to "tromboning," whereby an Internet path starts and ends in a country, yet transits an intermediate country; for example, about 13% of the paths that we explored from RIPE Atlas probes in Brazil to the top domains in Brazil trombone through the United States. More than 50% of the paths from the Netherlands to their top domains transit the United States, and about half of Kenyan paths traverse the United States and Great Britain.
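To make the measurement in the reading concrete, here is an added example (written for these notes, not the RIPE Labs article's own tooling) that classifies traceroute-style paths as direct, tromboning or detouring once each hop has been mapped to a country code. The probe names, the paths and the hop-to-country mapping are constructed sample data; in a real measurement the geolocation of hops is the noisy step, which is why unknown hops are kept distinct and ignored rather than guessed.

```python
"""Classify traceroute-style paths by the countries they pass through.

Added example, not code from the RIPE Labs article. It assumes each hop
has already been mapped to an ISO country code by some geolocation
source, and uses "??" for hops that could not be located.
"""
from collections import Counter

UNKNOWN = "??"

# Constructed sample data: (probe name, country code of each hop in order).
SAMPLE_PATHS = [
    ("br-probe-1", ["BR", "BR", "US", "US", "BR"]),
    ("br-probe-2", ["BR", "BR", "BR", "BR"]),
    ("br-probe-3", ["BR", "US", "BR"]),
    ("br-probe-4", ["BR", "BR", "??", "BR"]),
    ("nl-probe-1", ["NL", "NL", "US", "NL"]),
    ("nl-probe-2", ["NL", "DE", "NL"]),
    ("nl-probe-3", ["NL", "NL", "GB", "US", "NL"]),
    ("ke-probe-1", ["KE", "GB", "US", "KE"]),
    ("ke-probe-2", ["KE", "ZA", "ZA", "KE"]),
    ("ke-probe-3", ["KE", "GB", "US", "US"]),
]


def third_countries(path):
    """Ordered, de-duplicated countries the path visits that are neither its
    source nor its destination. Unknown hops are ignored, not guessed."""
    if len(path) < 2:
        raise ValueError("a path needs at least a source and a destination hop")
    src, dst = path[0], path[-1]
    seen = []
    for country in path[1:-1]:
        if country in (src, dst, UNKNOWN) or country in seen:
            continue
        seen.append(country)
    return seen


def classify_path(path):
    """'direct' if no third country is traversed; 'tromboning' if the path
    starts and ends in the same country but leaves it in between; 'detour'
    if an international path transits a country that is neither endpoint."""
    if not third_countries(path):
        return "direct"
    return "tromboning" if path[0] == path[-1] else "detour"


def transit_share(paths, country):
    """Fraction of all paths that cross `country` as a third country."""
    hits = sum(1 for _, p in paths if country in third_countries(p))
    return hits / len(paths)


def trombone_share(paths, source_country):
    """Fraction of paths originating in `source_country` that trombone."""
    own = [p for _, p in paths if p[0] == source_country]
    if not own:
        return 0.0
    return sum(1 for p in own if classify_path(p) == "tromboning") / len(own)


def summarize(paths):
    """Per source country: total paths, counts per class, and how many
    paths were seen transiting each third country ("via:XX")."""
    by_src = {}
    for _, p in paths:
        entry = by_src.setdefault(p[0], Counter())
        entry["total"] += 1
        entry[classify_path(p)] += 1
        for c in third_countries(p):
            entry["via:" + c] += 1
    return by_src


if __name__ == "__main__":
    for src, counts in summarize(SAMPLE_PATHS).items():
        print(src, dict(counts))
    print(f"share of all paths transiting US: {transit_share(SAMPLE_PATHS, 'US'):.0%}")
    print(f"share of BR paths that trombone:  {trombone_share(SAMPLE_PATHS, 'BR'):.0%}")
```

The same functions work on real RIPE Atlas traceroute output once you have mapped each hop's IP address to a country; the point of keeping `"??"` as a distinct value is that a single mis-located hop can turn a domestic path into a phantom trombone, so unknowns should be counted separately rather than silently attributed to a country.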
It is important to remember that GCHQ and the NSA are not the only agencies engaging in interception, analysis, and manipulation of Internet traffic. Trying to localize all your product's data storage and communications to within a single country, for example, might somewhat reduce the risk of the US government obtaining your users' data. In practice it probably won't, thanks to legislation such as the CLOUD Act and the infrastructure realities of the Internet: traffic between two servers in the same country is often routed through a third country. Moreover, data localization ultimately contributes to Internet fragmentation, a.k.a. the Splinternet. Sitting in Austria, I don't want to see a different version of the Internet to my friend in Ghana. Sadly, this is already the case in countries such as Russia and China. It's important to keep this conflict between privacy and Internet health in mind when developing solutions: make sure that if you do localize data, everyone still has equal access to your services and to public information. Don't just hole up your data in one country and shut everyone else out.

What Can We Do?

  • The most effective defense against mass surveillance of the content of Internet traffic - no matter who is conducting the surveillance - is the use of Privacy Enhancing Technologies (PETs), starting with end-to-end encryption. We will cover these in more detail later in the course.
  • Meanwhile, you can also try to obfuscate or limit the reach of the metadata of your users' Internet traffic. For example, the encrypted messaging app Signal's optional Sealed Sender feature attempts to conceal the sender of a message from anyone but the intended recipient. Remember, governments kill people based on metadata. Protecting the content of communications is not enough, because even the fact you communicated something to a person under suspicion can get you arrested or put on the US drone kill list.
  • Not all metadata can be obfuscated: when users visit your site, they have to load the page and all its content (images, videos, JavaScript libraries, ...) from some server somewhere, and that reveals both the fact they visited your site (which may in itself be incriminating, for example if you provide advice on safe access to abortion or on ways to bypass government firewalls) and their IP address (indicating their approximate location). While it is impossible to fully prevent network traffic from being routed through other countries, you can at least reduce the number of entities you reveal this to by hosting content yourself. For example, if you include a font from Google Fonts instead of hosting the font yourself, you are sharing your users' visits to your site and their IP addresses with Google - and with the US government. We discuss this further later in the course.
  • Remember that cryptography is typically bypassed, not penetrated (Adi Shamir). Secure your encryption keys - including your physical supply chain, if you have one. To compromise mobile / cell-phone communications encryption, the NSA and GCHQ hacked into a global SIM card provider producing 2 billion SIM cards a year, Gemalto, and stole their entire database of encryption keys.
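The third point above is easy to check for your own site. Here is an added example (written for these notes, not code from the course or from any of the projects mentioned) that walks an HTML document and lists every resource the browser would fetch from a host other than the page's own, each of which learns the visitor's IP address and the fact of the visit. The sample page, its URL and the hostnames in it (fonts.googleapis.com, fonts.gstatic.com, cdn.example-cdn.net, video.example-embed.com) are constructed for illustration; only the standard library is used.

```python
"""List the third-party hosts an HTML page would make a visitor's browser
contact: scripts, images, stylesheets, iframes, media, preconnect hints
and url(...) references inside inline CSS.

Added example, not code from the course; the sample page and hostnames
below are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that trigger a network fetch when the element is rendered.
FETCH_ATTRS = {
    "script": ("src",),
    "img": ("src", "srcset"),
    "link": ("href",),
    "iframe": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "source": ("src", "srcset"),
    "embed": ("src",),
    "object": ("data",),
}
# <link> only fetches (or opens a connection) for these rel values;
# preconnect and dns-prefetch reveal the visit even without a full fetch.
FETCHING_LINK_RELS = {"stylesheet", "icon", "preload", "modulepreload",
                      "prefetch", "preconnect", "dns-prefetch", "manifest"}
CSS_URL = re.compile(r"""url\(\s*['"]?([^'")]+)['"]?\s*\)|@import\s+['"]([^'"]+)['"]""")


class ResourceCollector(HTMLParser):
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.resources = []       # (where it came from, absolute URL)
        self._style_buf = None    # accumulates <style> text until </style>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "style":
            self._style_buf = []
        if tag == "link":
            rel = set((attrs.get("rel") or "").lower().split())
            if not rel & FETCHING_LINK_RELS:
                return
        for name in FETCH_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            candidates = [value]
            if name == "srcset":  # "a.jpg 1x, b.jpg 2x" -> each URL
                candidates = [c.strip().split()[0] for c in value.split(",") if c.strip()]
            for c in candidates:
                self.resources.append((tag, urljoin(self.base_url, c)))
        if attrs.get("style"):    # inline style="background: url(...)"
            self._collect_css(attrs["style"], tag + "[style]")

    def handle_data(self, data):
        if self._style_buf is not None:
            self._style_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "style" and self._style_buf is not None:
            self._collect_css("".join(self._style_buf), "style")
            self._style_buf = None

    def _collect_css(self, css, origin):
        for m in CSS_URL.finditer(css):
            url = m.group(1) or m.group(2)
            if url.startswith("data:"):   # inline data, no fetch
                continue
            self.resources.append((origin, urljoin(self.base_url, url)))


def third_party_resources(html, page_url):
    """[(origin, host, url)] for every resource served from a host other
    than the page's own, so you can see who learns about each visit."""
    own_host = urlsplit(page_url).hostname
    collector = ResourceCollector(page_url)
    collector.feed(html)
    collector.close()
    out = []
    for origin, url in collector.resources:
        host = urlsplit(url).hostname
        if host and host != own_host:
            out.append((origin, host, url))
    return out


def third_party_hosts(html, page_url):
    """Sorted, de-duplicated list of third-party hosts contacted."""
    return sorted({host for _, host, _ in third_party_resources(html, page_url)})


# Constructed sample page: a mix of self-hosted and third-party resources.
PAGE_URL = "https://www.example.org/advice"
SAMPLE_HTML = """<!doctype html>
<html><head>
  <link rel="preconnect" href="https://fonts.gstatic.com">
  <link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
  <link rel="stylesheet" href="/static/site.css">
  <link rel="canonical" href="https://www.example.org/advice">
  <style>@font-face { font-family: Local; src: url(/fonts/local.woff2); }
         .hero { background: url("https://cdn.example-cdn.net/hero.jpg"); }</style>
  <script src="https://cdn.example-cdn.net/lib/app.min.js"></script>
</head><body>
  <img src="/img/logo.png" alt="logo">
  <img srcset="/img/a.jpg 1x, https://cdn.example-cdn.net/a@2x.jpg 2x" alt="a">
  <iframe src="https://video.example-embed.com/embed/123"></iframe>
</body></html>"""

if __name__ == "__main__":
    for origin, host, url in third_party_resources(SAMPLE_HTML, PAGE_URL):
        print(f"{origin:14} {host:28} {url}")
    print("hosts contacted:", third_party_hosts(SAMPLE_HTML, PAGE_URL))
```

Running this over the sample reports the Google Fonts stylesheet and its preconnect hint, the CDN script and images, and the embedded video player, while the self-hosted stylesheet, font and logo do not appear. The fix for each line of output is the one the bullet describes: serve the file from your own origin (for a font, a local `@font-face` declaration such as the `Local` one in the sample) so that the only party seeing the visit is you.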

Further Reading