Armin Ronacher's Thoughts and Writings

The End of Safe Harbor and a Scary Path Forward

written on Tuesday, October 6, 2015

On the Austrian internet, the news about the end of Safe Harbor has, it seems, been universally welcomed, especially by non-technical folks who see it as a big win for their privacy. Surprisingly, many technical people welcomed the ruling too. And hey, if Snowden says it's a good ruling, who will argue against it?

I'm very torn about this issue because, from a purely technical point of view, it is very tricky to follow the ruling while keeping to the current state of our data center environments, in light of some other rulings.

I'm as disappointed as everybody else that government agencies are operating above what seems reasonable from a privacy point of view, but we should be careful about how this field develops. Fundamentally, sharing information on the internet and the right to privacy stand in conflict with each other, and the topic is a lot more complex than just demanding more privacy without considering what this means on a technical level.

What Was Safe Harbor?

The US-EU Safe Harbor framework was a European Commission adequacy decision that declared US soil a safe location for user data under the European Data Protection Directive. In a nutshell: this was the main reason a modern internet service could legally keep its primary user data in the United States, on services like Amazon EC2 or Heroku.

In essence, Safe Harbor was a self-certification that an American company could sign to make itself subject to the principles of the European Data Protection Directive. At least in principle. In practice, very few US companies cared about privacy, which is probably a big reason why we ended up in this situation right now. The second reason is NSA surveillance, which I want to cover separately a bit later.

What Changed?

Maximilian Schrems, an Austrian citizen, started an investigation into Facebook and its data deletion policies a while ago and has been engaging with the Irish authorities on that matter ever since. The Irish Data Protection Commissioner rejected the complaint by pointing to the Safe Harbor decision. What changed now is that the European Court of Justice ruled the following:

In today’s judgment, the Court of Justice holds that the existence of a Commission decision finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the powers available to the national supervisory authorities under the Charter of Fundamental Rights of the European Union and the directive.

[…]

For all those reasons, the Court declares the Safe Harbour Decision invalid. This judgment has the consequence that the Irish supervisory authority is required to examine Mr Schrems’ complaint with all due diligence and, at the conclusion of its investigation, is to decide whether, pursuant to the directive, transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data.

The detailed ramifications of this are a bit unclear, but if you were relying on Safe Harbor so far, you probably have to move servers now.

Why Was Safe Harbor Useful?

So if you take the internet three years ago (before the Ukrainian situation happened), the most common way of legally running an international internet platform as a smallish startup was to put the servers somewhere in the US and renew the Safe Harbor self-certification every 12 months.

To understand why that was a common setup you need to consider why it was chosen in the first place. The European Data Protection Directive came into effect quite a long time ago. It dates from the end of 1995 and required user data to be either stored in EU/EEA member states or, optionally, in another country if it can be ensured that the same level of protection is upheld. This is what Safe Harbor did for the US. Without such a decision, the data of European citizens has to stay on European soil (or be transferred under one of the narrow exceptions in the directive).

After the Ukrainian uprising and after Crimea fell to the Russian Federation, a few things changed. International sanctions were put up against Russia, and Russia decided to adopt a provision similar to the European Union's: Russian citizens' data has to be stored on Russian servers. This time, however, without an option to get exceptions to this rule.

It's true that the US does not yet have a provision that requires US citizens' data to be stored in the States, but this is something that has been discussed in the past, and it's already a requirement for working with the government. With both Russia and Europe we now have two large international players that set the precedent, and it can only get worse from here.

Privacy vs Data Control

The core of the issue currently is that data is considered power and privacy is a secondary issue there. While upholding privacy is an important and necessary goal, we need to be careful not to forget that the European countries are not any better. While it's nice to blame the NSA for worldwide surveillance programs, we Europeans have our own governmental agencies that act with very little supervision and, especially in the UK, operate with the same level of invasiveness as in the US.

A European cloud provider will have to comply with local law enforcement just as much as an American cloud provider has to comply with US federal law enforcement. The main difference is just the institutions involved.

The motivation for the Russian government is most likely related to control rather than privacy. I'm almost sure they care more about keeping a certain power over companies doing business in Russia, to protect themselves against international sanctions, than about their citizens' privacy.

Data Locality and Personal Data

So what exactly is the problem with storing European citizens' data in Europe, the data of Americans in the States and the data of Russians somewhere in the Russian Federation? Unsurprisingly, this is a very hard problem to solve if you want to allow people from those different countries to interact with each other.

Let's take a hypothetical startup here that wants to build some sort of Facebook for climbers. They have a very niche audience but they attract users from all over the world. Users of the platform can make international friendships, upload their climbing trips, exchange messages with each other and also purchase subscriptions for "pro" features like extra storage.

So let's say we want to identify Russians, Americans and Europeans to keep the data local to each of their jurisdictions. The easy part is to set up some servers in all of those countries and make them talk to each other. The harder part is to figure out which user belongs to which jurisdiction. One way would be to make users upload their passport upon account creation and determine their main data center by their citizenship. This obviously would not cover dual citizens. A Russian-American might fall into two shards on a legal basis, but they could only opt into one of them. So let's ignore those outliers. Let's also ignore what happens if the citizenship of a user changes, because that process is quite involved, usually takes a few years and does not happen all that commonly.

Now that we know where users are supposed to be stored, the question is how users are supposed to interact with each other. While distributed databases exist, they are not magic. Sending information from country to country takes time (a round trip across an ocean is tens to hundreds of milliseconds), so operations that affect two users from different regions will involve quite a bit of delay. It also requires that the data temporarily crosses into another region. So if an American user sends data to a Russian user, that information will have to be processed somewhere.

The real problem, however, is information that is not merely in transit. For instance, a message sent from Russia to America could be seen as a duplicated message that is intended for both the American and the Russian jurisdiction. It gets trickier with information that cannot be directly attributed to a single user, for instance who your friends are. Social relationships can only be modelled efficiently if the data is sufficiently local. We do not have magic in computing, and we are bound to the laws of physics. If your friends are on the other side of the world (which nowadays they most likely are), it becomes impossible to handle.

Credit card processing also falls into this. Just because you are British does not mean your credit card is. Many people live in other countries and have many different bank accounts. The data inherently flows from system to system to clear the transaction. Our world is very connected nowadays, and the concept of legal data locality is very much at odds with the realities of our world.
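To make the sharding problem from the preceding paragraphs concrete, here is a toy model of the climbing network with one storage shard per jurisdiction. It is an added example, not code from the original post: the three jurisdictions, the passport-based assignment with an explicit opt-in for dual citizens, and the rule that a cross-shard message is written to both shards and needs a recorded transfer basis (consent or contractual necessity, the two derogations the post refers to) are all assumptions made for illustration. It also counts how many friendship edges span shards, which is the part the text says cannot be made local.

```python
"""Toy model of jurisdiction-sharded storage for the hypothetical climbing
network. Added example, not the post's code: jurisdictions, assignment rule
and transfer bases are assumptions for illustration only."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical jurisdictions, each backed by its own data center shard.
JURISDICTIONS = {"EU", "US", "RU"}
# Transfer grounds modelled on the derogations mentioned later in the post
# (user consent, contractual necessity); anything else is refused.
TRANSFER_BASES = {"consent", "contract"}


@dataclass
class User:
    user_id: str
    citizenships: Set[str]       # what a passport upload would tell us
    home: Optional[str] = None   # shard that holds this user's data


def assign_shard(user: User, choice: Optional[str] = None) -> str:
    """Pick the shard from citizenship; dual citizens must opt into one."""
    eligible = user.citizenships & JURISDICTIONS
    if not eligible:
        raise ValueError(f"{user.user_id}: no supported jurisdiction")
    if len(eligible) == 1:
        user.home = next(iter(eligible))
    elif choice in eligible:
        user.home = choice
    else:
        raise ValueError(f"{user.user_id}: must opt into one of {sorted(eligible)}")
    return user.home


@dataclass
class Shard:
    region: str
    messages: List[Tuple[str, str, str]] = field(default_factory=list)
    transfer_log: List[str] = field(default_factory=list)


class ShardedStore:
    def __init__(self) -> None:
        self.shards: Dict[str, Shard] = {r: Shard(r) for r in JURISDICTIONS}
        self.users: Dict[str, User] = {}
        self.friends: Set[Tuple[str, str]] = set()

    def register(self, user: User, choice: Optional[str] = None) -> str:
        self.users[user.user_id] = user
        return assign_shard(user, choice)

    def send_message(self, sender: str, recipient: str, body: str,
                     basis: Optional[str] = None) -> List[str]:
        """Write the message to every shard whose jurisdiction it belongs to.
        Cross-shard traffic is duplicated into both regions and is a transfer
        that needs a recorded basis; same-shard traffic never leaves home."""
        regions = {self.users[sender].home, self.users[recipient].home}
        if len(regions) > 1:
            if basis not in TRANSFER_BASES:
                raise PermissionError(
                    f"{sender}->{recipient} crosses {sorted(regions)} without a basis")
            for region in regions:
                self.shards[region].transfer_log.append(
                    f"{sender}->{recipient} basis={basis}")
        for region in regions:
            self.shards[region].messages.append((sender, recipient, body))
        return sorted(regions)

    def add_friend(self, a: str, b: str) -> None:
        self.friends.add(tuple(sorted((a, b))))

    def cross_border_edges(self) -> int:
        """Friendship edges whose two endpoints live in different shards."""
        return sum(1 for a, b in self.friends
                   if self.users[a].home != self.users[b].home)

    def friends_of(self, user_id: str) -> Dict[str, List[str]]:
        """Group a user's friends by the shard holding their profile; every
        key other than the user's own shard is a remote (and legal) hop."""
        by_shard: Dict[str, List[str]] = {}
        for a, b in self.friends:
            if user_id in (a, b):
                other = b if a == user_id else a
                by_shard.setdefault(self.users[other].home, []).append(other)
        return {k: sorted(v) for k, v in sorted(by_shard.items())}


def demo() -> ShardedStore:
    """Constructed sample data: four climbers, one of them a dual citizen."""
    store = ShardedStore()
    store.register(User("alice", {"EU"}))
    store.register(User("bob", {"US"}))
    store.register(User("ivan", {"RU"}))
    store.register(User("dana", {"EU", "US"}), choice="US")
    store.send_message("bob", "dana", "same shard, stays in the US")
    store.send_message("alice", "bob", "crosses EU->US", basis="contract")
    for pair in (("alice", "bob"), ("alice", "ivan"), ("bob", "dana")):
        store.add_friend(*pair)
    return store
```

Running `demo()` leaves the alice-to-bob message in both the EU and US shards with a transfer log entry on each side, while the bob-to-dana message exists only in the US shard; two of the three friendships span shards, so alice's friend list needs lookups in two foreign regions. Anything the model refuses (a dual citizen who never opted in, a cross-border message without a basis) is exactly the case the text argues a small startup has no good answer for.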

The big cloud services are out, because they are predominantly placed in the US. Like it or not, Silicon Valley is many, many years ahead of what European companies can do. While there are some tiny cloud service providers in Europe, they barely go further than providing you with elastically priced hardware. For European startups this is a significant disadvantage compared to their American counterparts once they can no longer use American servers.

Privacy not Data Locality

The case has been made that this discussion is not supposed to be about data locality but about privacy. That is correct for sure, but unfortunately data centers fall under the jurisdiction of wherever they are placed. Unless we come up with a rule where data centers are placed on international soil and the computers within them are out of any government's reach, a lot of this privacy discussion is dishonest.

What if the bad players are the corporations and not the governments? Well, in that case, that was the whole point of Safe Harbor to begin with: to enforce stricter privacy standards on foreign corporations on behalf of European citizens.

How to Comply?

Now the question is how to comply with where this is going. These new rules are more than implementable for Facebook-sized corporations, but they are incredibly hard to follow for small startups. It's also not quite clear what can and what cannot be done with data now. At which point data is considered personal and at which point it is not is something that differs from country to country and is in some situations not entirely clear at all. For instance, according to the UK DPA, user relationships are personal information if they have "biographical significance".

A Disconnected World

What worries me is that we are taking a huge step back from an interconnected world where people can share information with each other, to more and more incompatible decentralization. Computer games have traditionally already enforced shards where people from different countries could not play together for legal reasons. For instance, many of my Russian friends could never play a computer game with me, because they are forced to play in their own little online world.

Solutions will be found, and this ruling will probably have no significance for the average user. Most likely companies will ignore the ruling entirely anyway, because nobody is going to prosecute anyone unless they are Facebook-sized. However, that decisions of this magnitude are made without considering technical feasibility is problematic.

The Workaround

For all intents and purposes, nothing will really change for large companies like Facebook anyway. They will have their lawyers argue that their system cannot be implemented in a way that complies with forcing data to live in Europe, and as such will refer to Article 26 of the Data Protection Directive, which permits transfers of personal data to a third country without adequate protection if the user has given consent or if the transfer is necessary for the performance of the contract between user and service provider. The TOS will change, the lawyers will argue, and in the end the only ones who will really have to pick up the shards are small-scale companies which are already overwhelmed by all the prior rules.

Today does not seem to be a good day for small cloud service providers.

This entry was tagged europe, security and thoughts