Google’s data plans in Saudi Arabia ‘will risk lives’: activists
Saudi Arabia doesn’t exactly have a positive record when it comes to digital espionage.
In 2018, the country’s government allegedly used the notorious Pegasus spyware on devices belonging to the family of Jamal Khashoggi, the Saudi dissident who was killed that year in a gruesome assassination allegedly orchestrated by the government.
In 2019, two former Saudi employees of Twitter in the United States were accused of using the popular social media platform to expose critics of the Saudi government.
The best of Express Premium
And last year, a Saudi aid worker who used a Twitter account to make jokes about his government was jailed for 20 years. His case is believed to be related to the government infiltration of Twitter.
And then there is Google. The online giant has the most popular search engine and the most widely used webmail service in the world. Part of the American company Alphabet Inc., Google regularly boasts about the care with which it protects user data. But he also had notable run-ins with authoritarian rulers.
Problems in China
When the company first introduced its search engine to the Chinese market in 2006, activists criticized it for censoring search results critical of the Chinese government.
Then, between 2009 and 2010, Google was the target of “a massive hacking attack known as Operation Aurora that targeted everything from Google intellectual property to the Gmail accounts of Chinese human rights activists. ‘man,” reported the scientific publication MIT Technology Review.
Google then withdrew from the Chinese market. Despite this, it was not until 2019 that the American company publicly confirmed that it had abandoned a secret project called Dragonfly, a search engine created especially for China, which would filter results on human rights. , democracy, religion and political protest.
Now Google says it wants to set up a “cloud region” in Saudi Arabia.
Given the two actors involved, the reaction from human rights organizations and digital privacy advocates was not surprising.
“This disturbing new step by Google raises … concerns that this cloud hub could empower the Saudi government to further facilitate human rights abuses,” said a 2021 letter signed by 31 human rights organizations. human rights, including Amnesty International, the Oxford Internet Institute and Human Rights Watch.
“A cloud center in Saudi Arabia will risk lives,” Laura Okkonen of Access Now, the online rights organization that was a key driver of the campaign, told DW.
More recently, an Access Now-backed activist group tabled a resolution for Google investors to vote on the Saudi controversy at the annual general meeting of Google’s parent company, Alphabet, held on Tuesday. June 1st.
The proposal asked Google to “commission a report assessing the location of Google’s cloud data centers in countries of high human rights concern.”
Although just over 57% of independent shareholders present at the meeting voted for the resolution that will pass earlier this month, Google’s senior management edged them out in terms of voting power and the resolution passed. been rejected.
In responding to DW’s requests, Google did not directly address the subject; the company sent an online link to its blog post from December 2021 announcing that the Saudi data center in Dammam would go ahead.
The political issues surrounding the creation of a data center in Saudi Arabia are clear. But what are the technical concerns around so-called cloud services?
More and more private and business users now operate their devices online using the “cloud”. This basically means that your data – things like pictures, documents, music, emails and other messages – is stored somewhere other than the computer or phone in front of you. The software that lets you listen to music or post pictures runs on bigger computers in another location. You access it simply by using the internet.
A “cloud region” is really just a euphemism for where all those other computers are, in what’s called a data center.
Until recently, Saudi Arabia was lagging behind in cloud services, but industry insiders say it is now seen as a major new opportunity. Of the three largest cloud operators in the world today, Google will likely be the first to install a data center there. The other major players are Amazon and Microsoft. The Chinese Alibaba already has two data centers in Saudi Arabia.
In terms of technology, there are a number of ways outsiders could access information inside a data center, said Björn Scheuermann, research director at the Alexander von Humboldt Institute for Internet and Society. .
Hacking would be one. But as Scheuermann pointed out, “hacking can happen anywhere because, by its nature, it usually happens remotely.” So it doesn’t matter whether a data center is in Saudi Arabia or not.
More specific to Saudi Arabia, it could be a physical breach in a data center. “If someone goes in and gets physical access to the hardware, then it becomes very, very difficult — in many cases, impossible — to guarantee that the data will be protected,” Scheuermann explained.
Data centers tend to have tight security. However, employees entering the center should be screened or they could be forced to extract data, critics have warned.
A greater concern than a physical breach of a center occurs when authorities request the data through legal means. “For example, by a court order that says the data must be handed over,” Scheuermann continued. “The government says these servers are on our territory and subject to our legal system. In an authoritarian system, the defense against legal orders quickly reaches its limits, when your material goods are on the territory of the State.
According to Saudi laws?
Google has a number of pages on its website about how it handles government requests for user information. It follows several stages and every six months provides reports indicating the number of requests received and the number of positive responses. (There are no current statistics for Saudi Arabia.)
Google stresses that it also respects local laws.
It’s a problem in Saudi Arabia, Marwa Fatafta, Middle East policy manager at Access Now, told DW, because “Saudi Arabia’s internet regulatory laws are unclear and ready to be exploited.” .
The country’s newest data protection law, which will come into force early next year, does not allow data collectors to disclose personal data except, Fatafta pointed out, when a government requests it. for security purposes, among other reasons.
The country’s legal system is overseen by the Saudi monarchy. “In such an authoritarian system, it’s hard to imagine how Google, or any individual, could challenge the government,” Fatafta said.
Saudi Cybercrime Law 2007 also comes into play. Google may be asked to block or remove content that violates the law and then notify the Saudi telecommunications regulator. “Saudi Cybercrime Law is one of the most repressive laws in the region,” Fatafta noted.
Using the “cloud” is actually a matter of trust, research director Scheuermann told DW. After all, you are storing your personal or business data with a company, which apparently could access it. Most of the time, companies like Google, Microsoft and Amazon are careful not to do so because of the risk of serious public backlash or major financial penalties, he noted.
“But essentially you’re in their hands,” Scheuermann said. “You have to trust them to abide by the legal limitations, and also that those limitations don’t work against you.”