Where You Are Is Who You Are Even If It Is China

Editor’s note: Paul Rosenzweig is a senior adviser to The Chertoff Group, a global security advisory firm that advises clients on information security, including cloud computing, and former Deputy Assistant Secretary for Policy at the U.S. Department of Homeland Security.

Where your cloud data is stored is, increasingly, critical to determining who controls it. Though many around the globe have become concerned about data storage in the United States, there are worse alternatives. Imagine, for example, if your personal data were stored on a cloud server in China, a nation-state actor well known for conducting cyber espionage against U.S. businesses and surveillance of its own population. Soon, you will not have to imagine any longer – that will be reality.

For the past year, the world of cloud computing has been in a state of turbulence, mostly caused by the various Edward Snowden revelations about American surveillance activities. One of the recurrent topics is the growing requirement for data localization – that is, the idea that data must be stored in a particular geographic location so that it is subject to the laws and jurisdiction of that country. The localization requirement is thought by some to be a way of resisting external surveillance by other nations.

Because of these concerns, there have been proposals in Europe and Brazil to require the domestic storage of data. In a related effort in the United States, Microsoft is fighting a battle to resist American government efforts to access data stored on Microsoft servers overseas. In short, the trend is, haltingly, toward a rule that where your cloud data is physically stored defines who controls it.

Thus far that battle has, principally, been a struggle within Western countries and couched as a question of law for the benefit of civil liberties and consumer privacy. But that’s not the only reason data storage requirements are being implemented. More authoritarian countries are using data localization to their own ends – as a means of control over civilian populations; continuing the status quo; and maintenance of a despotic monopoly on power. Though Western companies doing business in authoritarian states instinctively resist these requirements, in the end, data localization in a repressive country is often the cost of doing business.

Apple’s recent experience in China is a cautionary tale. According to TechCrunch, Apple has agreed to use Chinese-based servers to store iCloud data in China. In public, Apple put a brave face on the move, asserting that Chinese-based data storage is intended to “increase bandwidth” and “improve performance” for its mainland China customers. Perhaps so. But observers are justifiably skeptical.

The Chinese government, after all, has voiced national security concerns about Apple’s overseas storage of data, raising the specter of NSA surveillance. While a useful sham, these expressed concerns allow China to advance its own domestic policy agenda. Chinese law already requires the domestic storage of local bank and telecom data for security purposes – and as a means of monitoring the domestic population. Apple’s agreement to domesticate its data in China is part of that larger trend.

To be sure, Apple says it encrypts the data that it stores on Chinese telecom servers. But we know that encryption by a cloud service provider is only as effective as its ability to resist government demands for decryption. In Western nations, those demands typically come in the form of legal process where the cloud service provider has an opportunity to protest before a neutral judicial officer. In more despotic systems, like China, the decryption order will often take a more coercive form. Hence the promise of encryption is, at best, a modest road block and, at worst, a chimera.

Apple’s decision is, as a business matter, completely understandable. When the largest country in the world demands particular structures as a condition of market access, it is unreasonable to expect any corporate actor to resist.

Nevertheless, the consequences of Apple’s move to domestic storage need to be carefully examined. It is already standard policy for most corporate executives traveling to China to leave their personal electronics at home. But until now the concern has been with the surreptitious installation of malicious software and the theft of intellectual property by semi-official government hackers.

Now, for Apple users in China, the architecture of the data storage has cut out the middleman. Data uploaded to the iCloud is vulnerable to exploitation without the need for malicious infiltration. Instead, users who bring their own iPhones or iPads may have their data copied directly from Chinese telecom servers at the behest of the Chinese government.

The vulnerability is particularly acute for U.S. government officials who bring their own devices to China for personal use. The temptation, as always, is the convenience of a readily accessible device. But for the unsuspecting government official, even the compromise of seemingly insignificant personal data can, in the end, have adverse impacts. Sadly, Apple’s decision means that BYOD in China must end.

Whereas China was previously a “wild west” of malicious activity, it is becoming a “closed shop” of digital storage and exploitation. The trend toward data localization increasingly metastasizes into aberrant pathologies that support authoritarian regimes. And, in the end, Internet freedom and privacy suffer.