Google’s data plans in Saudi Arabia ‘will risk lives’: activs
Saudi Arabia doesn’t exactly have a positive track record when it comes to digital espionage.
In 2018, the country’s government reportedly used the notorious spy software Pegasus on devices belonging to the family of Jamal Khashoggi, the Saudi dissident who was killed that year in a gruesome assassination allegedly orchestrated the government.
In 2019, two former Saudi employees of Twitter in the US were charged with using the popular social media platform to unmask critics of the Saudi government.Best of Express PremiumPremiumPremiumPremiumPremium
And last year, a Saudi aid worker who had used a Twitter account to make jokes about his government was jailed for 20 years. His case is believed to be connected to the government’s infiltration of Twitter.
And then there’s Google. The online giant has the most popular search engine and most-used, web-based email service in the world. Part of US company Alphabet Inc., Google regularly boasts about how carefully it protects users’ data. But it has also had some noteworthy run-ins with authoritarian leaders.
Problems in China
When the company first introduced its search engine to the Chinese market in 2006, it was criticized activs for censoring search results critical of the Chinese government.
Then between 2009 and 2010, Google was targeted “a far-reaching hacking attack known as Operation Aurora that targeted everything from Google’s intellectual property to the Gmail accounts of Chinese human rights activs,” science publication MIT Technology Review reported.
Google then withdrew from the Chinese market. Despite that, it was only in 2019 that the US company publicly confirmed it had abandoned a secret project codenamed Dragonfly, a search engine created especially for China, that would filter out results about human rights, democracy, religion and political protest.
Now Google says it wants to set up a “cloud region” in Saudi Arabia.
Given the two actors involved, the reaction from human rights organizations and digital privacy advocates was not surprising.
“This durbing new step Google raises … fears that this cloud center could leverage more power to the government of Saudi Arabia in further facilitating human rights abuses,” said a 2021 letter signed 31 human rights organizations, including Amnesty International, the Oxford Internet Institute, and Human Rights Watch.
“A cloud center in Saudi Arabia will risk lives,” Laura Okkonen of Access Now, the online rights organization that has been a prime mover behind the campaign, told DW.
Activ investors
Most recently, a group of activs supported Access Now filed a resolution so that Google’s investors could vote on the Saudi controversy at the annual general meeting of Google’s parent company Alphabet, which was held on June 1.
The proposal asked that Google “commission a report assessing the siting of Google cloud data centers in countries of significant human rights concern.”
Although just over 57% of independent shareholders at the meeting voted for the resolution to be adopted earlier this month, Google’s executive management outrank them in voting power and the resolution was rejected.
When responding to DW’s inquiries, Google did not directly address the topic; the company sent an online link to its blog post from December 2021 announcing the Saudi Arabian data center in Dammam would be going ahead.
The political issues around setting up a data center in Saudi Arabia are clear. But what are the technical concerns around what are known as cloud services?
More private and business users now operate their online devices using “the cloud.” What this basically means is that your data — things like pictures, documents, music, e-mails and other messages — is stored somewhere other than the computer or phone in front of you. The software that lets you play music or post images is being run on larger computers in another location. You simply access them using the Internet.
A “cloud region” is really just a euphemism for the location where all those other computers are, in what is known as a data center.
Business opportunities
Up until recently, Saudi Arabia has lagged behind in cloud services but industry insiders say it is now being seen as a major, new opportunity. Of the three biggest cloud operators in the world today, Google is likely to be the first to set up a data center there. The other major players are Amazon and Microsoft. China’s Alibaba already has two data centers in Saudi Arabia.
In terms of the technology, there are a number of ways outsiders could gain access to information inside a data center, said Björn Scheuermann, a research director at the Alexander von Humboldt Institute for Internet and Society.
Hacking would be one. But as Scheuermann pointed out, “hacking can happen everywhere because, its nature, it usually happens remotely.” So it wouldn’t matter if a data center was in Saudi Arabia or not.
More specific to Saudi Arabia might be a physical breach at a data center. “If somebody marches in there and gets physical access to the hardware, then it becomes very, very difficult — in many cases, impossible — to guarantee data will be protected,” Scheuermann explained.
Data centers do tend to have tight security. However employees going into the center would need to be vetted or they could be pressured into extracting data, critics warned.
A greater concern than a physical breach of a center occurs when authorities ask for the data legal means. “For example, a court order that says the data must be handed over,” Scheuermann continued. “The government says these servers are on our territory and subject to our legal system. In an authoritarian system, defense against legal orders quickly reaches its limits, when your physical assets are in the state’s territory.”
According to Saudi laws?
Google has a number of pages on its website about how it deals with requests for user information from governments. It follows several steps and every six months, provides reports showing how many requests it received and how many it responded to positively. (There are no current statics for Saudi Arabia.)
Google stresses that it also complies with local laws.
That’s a problem in Saudi Arabia, Marwa Fatafta, policy manager for the Middle East at Access Now, told DW, because “Saudi Arabia’s internet regulation laws are hazy and ripe for exploitation.”
The country’s brand new data protection law, which comes into force early next year, doesn’t allow data collectors to disclose personal data except, Fatafta pointed out, when a government requests it for security purposes, among other reasons.
The country’s legal system is overseen the Saudi monarchy. “In such an authoritarian system, it’s hard to imagine how Google, or any individual, would be able to challenge the government,” Fatafta said.
Saudi Arabia’s 2007 cybercrime law also comes into it. Google may be asked to block or remove content that violates the law, and then tell the Saudi telecommunications regulator about it. “The Saudi cybercrime law is one of the most repressive laws in the region,” Fatafta noted.
Using “the cloud” at all is actually a question of trust, research director Scheuermann told DW. After all, you’re storing your personal or professional data with a company, which ostensibly could access it. Most of the time, businesses like Google, Microsoft and Amazon are careful not to do that because of the potential for serious public backlash or major financial penalties, he noted.
“But essentially, you’re in their hands,” Scheuermann said. “You have to trust in them to adhere to legal limitations, and also that these limitations are not turned against you.”