By: Michael Chertoff, Executive Chairman and Co-Founder
Today we stand at a crossroads. Will the internet continue to be a global system for commerce, politics, and social discourse, or will that world-girding network fracture into component parts? The road we take will help to define the vitality of the cyber network for the foreseeable future.
There are many policies that contribute to internet balkanization. Pervasive government surveillance, content limits, and even censorship all inhibit the free flow of information across the network. However, one of the most insidious causes of splintering is the phenomenon known as data localization – the all-too-reasonable-seeming idea that data about a country’s citizens should mandatorily be stored only in that country. While sensible in theory; in practice, it foreshadows the death knell of the global network as we know it.
Last week Tom Bossert, Assistant to the President for Homeland Security and Counterterrorism, spoke at the CSIS Cyber Disrupt 2017 conference. His remarks focused, in part, on the harms that would come from breaking the network through requiring data to be stored locally across the globe. As he said, “I think those countries that are seeking data localization are misguided. . . . [You] have tendencies surrounding data localization and the exclusion from our markets of other services and goods from other countries. Those are two things that are antithesis to our – to our fundamental U.S. values . . . .”
Bossert is right. His early focus on this issue is one that reflects the Trump Administration’s welcome commitment to a free and open global network.
Data localization is misguided for a host of reasons. First, as Bossert noted, data localization is used by authoritarian countries to keep or control citizen data within their borders. Though the idea of localization has its origins in Europe, it is a god-send to countries like China, Russia, and Iran.
Second, localization is used by protectionist countries as a means of excluding non-domestic offerings from their economies, protecting local industries. As President Trump has said, we want free trade that is fair. It is not fair trade if data storage has to be done on a “buy local” basis (for example, using only French service providers). Competitors from other countries are excluded.
To be sure, for some nations data localization is also a way to address legitimate privacy concerns as a means of protecting their own citizens. Indeed, the earliest motivation for localization was distrust of government surveillance (particularly by the U.S.).
But no matter the justification, localization erodes the open nature of Internet. It also imposes significant costs by decreasing efficiency and creating protectionist monopolies. If widely implemented, data localization will diminish many of the benefits of the network that we know today – international commerce and trade, freedom of speech, instantaneous global communication, and political freedom – by reducing access and making it more expensive to deliver services.
Worse, nations that think data localization improves privacy protections are, simply, mistaken. While domestic storage rules may constrain law enforcement and law-abiding allies, it will never serve as a barrier to espionage, theft, or commercial exploitation by those with malicious intent. Indeed, local storage options may be less secure precisely because they are offered by less sophisticated providers.
One particularly vexing problem is the burden of conflicting legal obligations. Global companies serve customers across the globe, with operations in many jurisdictions. They face the challenge of complying with many different laws – a challenge that is only exacerbated by the trend toward data localization.
These concerns are not parochial. The U.S. has, of course, benefitted from a strong technology sector. Investments by American firms bring constant innovation in services, greater efficiency, and security, all of which benefit consumers, industry and the public sector – not just for Americans but for individuals around the world. So too do the efforts of innovative companies everywhere else on Earth. For very little gain, data localization advocates impose huge costs on the network, service providers, and consumers by creating uncertainty in the application of law.
We must act to preserve the network benefits we have today. A good first step would be for Congress to adopt legislation that provides reciprocal protections for U.S. citizens and our allies. In other words, adopt an agreement between like-minded nations that localization requirements are not applicable between allies who have equivalent legal systems. Doing so would ensure a clear understanding of which country’s law applies and give consumers transparency about data access rules.
Second, we need to modernize our IT systems and update how we respond to requests from allies for digital legal assistance. Today, when one of our allies seeks access to digital data held by an American company (or when the U.S. seeks access overseas) the response can take months. It can and should take minutes.
The future of the network hangs in balance and we face a choice of directions. One choice, the path of data localization, is, indeed, “misguided.” The Trump Administration is right: We should choose the other path – the one that would benefit Americans and other citizens; reinforce American values; and strengthen the open, free Internet that fosters America’s economic and national security.
Michael Chertoff was Secretary of Homeland Security from 2005 to 2009. He is now Co-Founder and Executive Chairman of The Chertoff Group, a premier advisory firm focused exclusively on security and risk management.