Into the grey: the US and data sovereignty

Into the grey: the US and data sovereignty

10 March 2021 | Natalie Bannerman

Cover

Sparked by rumours that Parler was set to reroute user data to Russian servers, a bigger question around US data sovereignty was asked. Natalie Bannerman investigates

Very few could forget 6 January 2021, when the world watched the storming of the United States Capitol, but who knew this event would have so many long-lasting effects in the realm of technology and data.  

Two days after the riot, social networking and microblogging app Parler was dropped from its various cloud and distribution services, which accused the platform of being used by extremists to coordinate the attack on the Capitol.

Google's Play Store was first, claiming that it was Parler’s lack of "moderation policies and enforcement" which, in turn, posed a "public safety threat". Apple followed suit, dropping it from its App Store, saying that, "the app also appears to continue to be used to plan and facilitate yet further illegal and dangerous activities."

Twilio stopped service to Parler, ending its two-factor authentication system, Okta denied it access to its identity management service, and ScyllaDB revoked Parler’s access to its Enterprise database.

Probably the biggest blow came when Amazon suspended the app from using Amazon Web Services, stating that Parler was “a very real risk to public safety". Now, without its cloud computing services and quickly losing the support of many US hyperscalers, Parler is in the fight of its life to get back up and running again.

On 17 January, Parler came back online as a static webpage with industry analysts and security experts claiming that it is now working with DDoS-Guard, a Russian company offering cybersecurity services and web hosting.

Further to that, there have been accusations that “Parler’s data flows through a DDoS-Guard server registered to an address in Belize, which cybersecurity experts believe is a tool to protect the true identity and location of Parler’s web host,” according to Bloomberg.

The same was also claimed by Chris Vickery, director of cyber-risk research at US cybersecurity firm UpGuard, who tweeted: “Parler is back online now by routing 100% of its user traffic through servers located within the Russian Federation…”

At the time, Capacity reached out to network intelligence company ThousandEyes, and though it couldn't confirm or deny these claims, director Angelique Medina said: “After being offline for nearly seven days, Parler came back online on 17 January as a single, static web page.

“None of the functionality previously associated with its messaging application exists on the page. For example, there's no ability for users to login or post messages. Given the current state of Parler’s web presence, there doesn't appear to be any sensitive user data in question at this point.” 

As of 17 February, the company relaunched as a fully functioning website, returning its operation back onto US soil by selecting SkySilk, an LA-based cloud hosting provider and reseller of OVHcloud, as its new cloud host.

Whether the accusations of previously using Russian servers are true or not remains to be seen, and regardless of the political affiliation of any such social networking company, it raises the question of what exactly are the rules around US data sovereignty and would such a thing even be allowed?

The letter of the law

It’s fairly common knowledge that the US has no general consumer data privacy law at the federal level. It does, however, have a number of federal protection laws that are industry specific — for example, the 1994 Driver’s Privacy Protection Act and the Video Privacy Protection Act.

Probably the piece of legislation with the broadest jurisdiction is the Federal Trade Commission Act, which has the authority to prevent unfair or "deceptive trade practices". This includes acting against companies that violate consumer data privacy rights by collecting, processing or sharing consumer information, as part of Federal Trade Commission’s (FTC) consumer privacy framework or national privacy laws and regulations.

Further to this, there also exists the Patriot Act and the Cloud Act, which add further layers of ambiguity to the subject.

“The former allows the US government to ask businesses for any records they hold relating to certain individuals,” explains Sophie Chase-Borthwick, vice president of data ethics and privacy at Calligo, an end-to-end managed data services provider.

“The latter expands that to include data located outside the US with any provider who is subject to US jurisdiction, this includes all major US cloud companies. In summary, data can be stored outside the US, but the government has the right to demand it with the appropriate warrants.”

Whichever law you read, it certainly doesn’t directly prohibit a company from rerouting user data outside of US borders; in fact, it's quite commonplace.

“Rerouting and storing user data outside of the United States would be entirely lawful,” says digital security expert, David Janssen.

“Amazon’s AWS, Microsoft Azure and Google all store user data in numerous different countries around the world. Microsoft, for instance, allows users to choose from various data residency options and assures that it will not “store or process customer data outside the geography you specify, except for certain non-regional services”.

But although the act of rerouting data to somewhere like Russia is not unlawful, Chase-Borthwick adds that, “attempting to bypass the Patriot and Cloud Acts is, and there may be specific local laws dictating this transfer”.

It is also important to remember that — unlike Europe’s GDPR, which adopts more of a rights-based model, or the slightly more control-based approach of China and Russia — the US has taken more of a harms-based model.

“The applicable law has to be violated and allow for a private right of action. If not, the individual doesn't really have much recourse (other than to have their data corrected or deleted in certain jurisdictions) and it’s just up to the attorney general or the FTC, if applicable, to take action,” says Catherine Dawson, general counsel at data privacy platform Osano.

According to the FTC’s overview of its investigative, law enforcement and rulemaking authority, an act or practice is “unfair” if it “causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition” (15 USC Sec. 45(n)).

Probably the only exception to this approach to US data privacy is the California Consumer Privacy Act (CCPA), which adopts more of a GDPR rights-based approach. In November 2020, the CCPA was amended and expanded to include such things as a consumer’s right to stop businesses from sharing their personal data and use of "sensitive personal information".

Speaking of the GDPR, we know that many notable UK conservative politicians, such as Nadine Dorries, James Cleverly and Michael Gove, were found to have joined apps like Parler — so would that in and of itself require it to comply with GDPR rules?

“Simply processing personal data of an EU individual alone is not sufficient to trigger GDPR for organisations outside the EU. It also requires the element of ‘targeting’ individuals in the EU, either by offering goods or services to them or by monitoring their behaviour,” says Chase-Borthwick.

“In fact, it goes on to state that, when goods or services are inadvertently or incidentally provided to a person in the EU, the related processing of personal data would not fall within the territorial scope of the GDPR. So, the question becomes whether or not they are targeting EU users.”

Janssen adds that in order to be under the rules of the GDPR, a company merely has to have processed the personal data of a person residing in the EU at the time the data is/was accessed — also raising some questions about the term “process” and the fact that there’s no precedent for a rumoured Russian manoeuvre.

“EU governments might argue that, yes, Parler’s involvement in the transaction constitutes ‘processing’ and therefore it falls within the purview of GDPR regulations,” he says. “Parler would obviously argue it is merely acting as a conduit between its users and its Russian host.”

So, are we making this topic a bigger deal than it needs to be? Surely if there are no rules against it, this must be ok for businesses to do.

Well ultimately it comes down to who is in control of that environment and the data being stored there. If what Janssen says is true, there is legitimate cause for concern.

“The security implications are potentially massive because the Russian government, like the Chinese, essentially has carte blanche to do what it wants with any and all data stored in the country,” he explains.

“Moscow can request access to Russian DDos-Guard’s data whenever it feels like, without a subpoena. Knowing how the FSB operates, the data might not even be requested, simply accessed — to say nothing of non-government-affiliated hackers in the region. You can imagine the potential treasure trove of scandalous information this all represents to the Kremlin and the threat posed to global Parler users.”

As concerning as this may seem, President Trump during his last full day in office signed an executive order requiring that “American cloud providers must keep names, physical and email addresses, national identification numbers, sources of payment, phone numbers and IP addresses of foreign clients, to aid US authorities track down cyber criminals,” explains John Vestberg, president and CEO of  Swedish cybersecurity company, Clavister.

In his view, not only should businesses stick to European-based providers to house their data, but they should also ensure that all the third-party software and services providers are also based in the region and have no infrastructure links or partnerships with the US.

“Only then can they achieve peace of mind that data remains fully protected by GDPR, one of the most stringent regulations in existence,” he says.

We remain on the fence as to whether or not a Europe-only approach needs to be taken in order to ensure the best security, but we are firm believers that technological issues should adopt technological solutions — one of which is open source.

“Businesses that embrace open source benefit from greater control and transparency over their software, processes and — crucially — their data. In turn, this enables more flexibility, innovation and drives the economy,” shares Dale Murray, CEO at SalesAgility.

“If we have companies utilising open source, as well as governments funding open source projects, we are removing the dependencies on large firms that consume data as a business model and outsource data storage like we have seen recently with Parler. Doing this will allow the US to take back ownership of data and how it is gathered, processed and distributed.”

One thing is for sure, with each city or state, country or region taking a slightly different approach to data sovereignty and privacy, there will always be some uncertainty about what is or isn’t permissible. It is in many ways impossible for privacy laws to cover every situation, or as Dawson puts it, “what people don't realize about data privacy is that there's just a lot of grey area.”

However, it’s this grey space that provides those who seek to exploit these technical loopholes with the perfect level of doubt.