Views of data and privacy vary from country to country. But former Homeland Security Secretary Michael Chertoff says the internet was made to be global. The Cipher Brief’s Kaitlin Lavinder talked with Chertoff, who is the co-founder and executive chairman of The Chertoff Group, about differing approaches to data in liberal democracies and authoritarian regimes and the overarching privacy versus national security debate.
The Cipher Brief: A lot of countries are requesting data localization laws, especially after the Snowden revelations in 2013. Why is this, and is this justified?
Secretary Michael Chertoff: A lot of countries use it to some degree as a device to promote their local companies, in terms of hosting data. And some of it is basically ideological – that somehow keeping the data in the country gives them more legal control over the data. In both cases, you have a counterproductive result, because the essence of the internet is to have an efficient movement of data around the globe, and that should be driven by engineering issues and not by legal or political issues. If you take localization to its extreme, you wind up with a fragmented internet, in which your access to each country or each area is going to be regulated. Then, the internet is no longer a network of networks but a series of more or less fragmented networks.
TCB: It’s no longer the world wide web, you could say.
Chertoff: Exactly. It becomes the local web. And that has much less value to everybody.
TCB: How are companies reacting to this? Do most companies fall in line with this kind of thinking that data localization will lead to a fragmented internet and thus should be avoided, or are a lot of them saying okay, if you’re a big market like Russia or China, we’ll comply with data localization so we can get our business there?
Chertoff: At one level, companies don’t necessarily have a choice, and they do comply with local laws. But more generally, there’s a push now from a public policy standpoint to see if we can reach some global uniform understanding about how you get lawful access to data, what rules apply to data, and how to avoid situations where a company that handles data globally is subjected to inconsistent legal obligations.
TCB: It seems like this kind of public policy push would be coming from countries like the United States, liberal democracies, as opposed to authoritarian regimes. Is that accurate?
Chertoff: It’s probably true to say that the more liberal democracies are certainly behind trying to maintain a global sense of stability in the internet. I’m on the global commission on stability in cyberspace, which is being sponsored by the Dutch and U.S. think tanks.
But even in some countries that may have a different political philosophy, there’s also value in recognizing that they benefit economically as well by having a true world wide web and not having fragmented networks.
TCB: Does that economic argument in authoritarian countries like Russia or China, which may want to keep data local to maintain control over their citizens, outweigh the political argument of why data should be local?
Chertoff: China’s an interesting example. In China, there’s an internal discussion. On the one hand, the Chinese are increasingly concerned about the kind of information and data that comes in from outside, and they worry to a considerable degree about issues of political stability. At the same time, you have some of the most dynamic e-commerce companies developing in China. Their ability to export, and even to import, is going to depend an awful lot on being connected to an internet; and therefore, from the Chinese economic standpoint, there are some strong arguments against localization. Ultimately, that government is going to have to decide how it wants to weigh the benefit of promoting political uniformity against the benefit of promoting economic growth.
TCB: And what about in Russia?
Chertoff: I have less of a sense about Russia. I’ve talked a little bit to the Russians about this. They seem to understand the value of the internet, but they also tend to be very nervous about two things. One is information that comes in from outside that they view as hostile or subversive. They are also concerned about getting access to information about their own citizens. But again, to the extent you have global enterprises – for example in energy – it’s going to be important for them to be part of the global economic community.
TCB: You mentioned that on the public policy side there’s this push now in really trying to navigate what kinds of laws and regulations we should have for the internet to ensure both privacy and national security. How is that developing right now in the United States?
Chertoff: There’s been a little bit of a back and forth between people who argue that privacy has to be elevated in terms of how we view the internet versus those who focus on security. I would argue actually that they’re not inconsistent, but they are rather complementary. You can’t really have privacy, if you don’t have security, because then the promise of privacy is an empty promise. On the other hand, if you don’t have privacy as a value, what are you securing? Because ultimately we’re securing our values. So the question is to find a way to reconcile the demands of security in a way that does not unduly compromise people’s privacy. There are efforts now – both in the legal and in the technology areas – to find ways to be able to address both issues.
TCB: What are some of those initiatives?
Chertoff: For example, on the one hand, the U.S. government has moved toward more transparency in the number of requests and the nature of the requests that are made of private parties with respect to information. There’s been a move to take some of the data that was being held by the government and have it held by the private companies. And the companies themselves, while being cooperative when they get a legal mandate to turn over information, have insisted that the legal i’s and t’s be dotted and crossed. So it doesn’t look like there’s an under-the-table arrangement.
One of the areas where we’re still working through the problem is the issue of encryption. On the one hand, some prosecutors and police authorities worry encryption means they won’t get access to information that would be useful. On the other hand, if you weaken encryption, you wind up weakening security for everybody, because criminals will be able to get into your data and steal it. And that’s going to put everybody at risk. This is still very much a work in progress.
TCB: Speaking of encryption and law enforcement needing access to data, one of the arguments for data localization is that it makes it a lot easier if an FBI-like agency, for example, needs information about one of its citizens and the data is hosted within the country. When we’re talking about data localization, is it pretty much across the board, that if the data is in your country, that country owns it and has access to it?
Chertoff: Certainly many countries believe that; but many countries believe, for example, if the internet service provider is in the country then that provider has to retrieve data from anywhere in the world. There may be some circumstances where data is housed in a country, but it involves citizens of another country, and perhaps the other country disputes whether the location of the services should be deposited. We’ve had circumstances where you have conflicting demands from different courts in different countries put on the technology platforms.
TCB: Can you give an example of that?
Chertoff: In Brazil a couple years ago, a judge wanted some information from an internet service provider. The information was in the U.S. It would have been a violation of U.S. law to provide it. The judge in Brazil nevertheless said to the local representative, you’re going to go to jail if you don’t provide it. So that’s a dramatic example of that inconsistency.
TCB: Touching on the question of what information is fair game in today’s world, can you explain how data on social media platforms can be divided country by country?
Chertoff: You can shut down social media platforms in certain countries. The Chinese control, to a large degree, access to IP addresses within their physical jurisdiction, so you can screen out certain things. I wouldn’t describe that as fair game. That is a limiting option with respect to the value of social media to people in that community.
TCB: What do you think the future of this privacy versus national security debate is going to look like? In your mind, what is the best outcome to ensure both?
Chertoff: First of all, it’s important that when the government is seeking legal authority to access information, it be done in a relatively transparent manner, according to some kind of legal or judicial process that is generally understood.
There are some agreements that could be reached globally that would come up with a uniform set of rules about what you have to do to get the information when it’s in a country different from the country of the authorities – and how do you do that through treaties or various other arrangements.
Also, the technologies themselves are going to continue to advance, and that’s going to result in changes of the technological landscape, which will also have an impact on how we protect data.
TCB: Are there any global treaties or arrangements being negotiated right now?
Chertoff: Right now, there’s an agreement reached between the UK and the United States about access to information when it happens to be held in one of the countries, but the other country has a request in court. Now that’s relatively easy because we have very similar legal systems and sets of values. It gets harder as you start to deal with countries where there’s a fundamentally different idea about what is criminal law and what is the legal process. But certainly with respect to many of the Western countries, these kinds of agreements are within reach.
TCB: Do you think agreements, like the one between the UK and the U.S., in Western countries will at some point spill over and inadvertently affect authoritarian regimes as well?
Chertoff: There will always be some limitation on the ability to reach an agreement on access to information when you’re dealing with a country that has a radically different system. For example, if a foreign country wants to get information in order to prosecute people who articulate ideas that they don’t like, probably the U.S. would not agree to that kind of an arrangement because it would violate our constitution. But there then might also be areas, for example with respect to credit card fraud or things of that sort, where there would be a willingness to have a streamlined way of exchanging information.