← All talks

Internet Anarchy: The Global March toward Data Localization

BSides Charm · 2018 · 28:55 · 3 views · Published 2021-05
Speakers: Andrea Little Limbago (@limbagoa)
Tags: Category: Policy · Topic: Privacy · Style: Talk
About this talk
As countries lack a global institution to harmonize internet governance, they are formulating local data governance, privacy, and security regulations—creating a fragmented "Splinternet" with profound logistical challenges for corporations and strategic implications for geopolitics and individual freedoms. This talk examines data localization through the lens of GDPR, Chinese, and Russian approaches, contrasting the cyber-sovereignty model favored by authoritarian regimes with the multi-stakeholder privacy-focused model emerging in democracies.
Original YouTube description

Internet Anarchy & The Global March toward Data Localization

Lacking a global institution to harmonize internet governance, countries are formulating local data governance, privacy, and security regulations. This Splinternet poses logistical challenges for corporations and has strategic implications for geopolitics, democracy, and individual freedoms. This will be demonstrated through the GDPR, Chinese, and Russian approaches to data localization.

Presenter: Andrea Little Limbago (@limbagoa)

Dr. Andrea Little Limbago is a computational social scientist, cybersecurity researcher, writer, quant analyst, national security wonk, and outdoors and sports enthusiast. She is currently the Chief Social Scientist at Endgame, where she directs the company's technical content and contributes independent research at the intersection of cyber and geopolitics, while also advocating for greater inclusivity and representation in tech and national security. Andrea's writing and research have been featured in numerous outlets, including Politico, Dark Reading, Forbes, Business Insider, VentureBeat, and the Hill. She has presented at academic, government, and infosec cons, such as SOCOM's Global Synch, DerbyCon, Enigma, O'Reilly Security, and BSidesLV. Prior to Endgame, Andrea was a technical leader at the Joint Warfare Analysis Center, where she earned the Command's top award for technical excellence for her analytic support to the Geographic Combatant Commands, Special Operations Command, Strategic Command, and the Joint Staff. Andrea is a visiting fellow at the National Security Institute at George Mason University, a data analytics industry advisory board member at George Washington, and contributes to numerous infosec con program review committees.
Transcript [en]

All right, great. Well, thanks everyone for coming. I know this is the end of the day and the last one right before the party, so good on you guys for sticking it out and going through this. So I'll be talking about Internet anarchy and the march towards data localization, and explain even what that means, because it probably is kind of a nebulous title for a lot of people who aren't in the weeds on a lot of this stuff. Quick on my background: I'm a quantitative social scientist at Endgame, and so in addition to running our technical blog, which I'll give the one shout-out for if you guys want to take a look at it, there's a lot of good research on there. Besides running that, I do my own research on the intersections of geopolitics, cyber security and technology, and so you'll see a lot of that combined together today. A lot of my research actually has stemmed more so from changes in adversarial behavior across state and non-state actors, and then the integration of the information operations that are coming along with that. And as I was doing a lot of that research, this notion of data localization kept popping up, and it's not something I've seen a lot within the security conference circuit. It's talked about more in the legal realm, and though I'm a political scientist, I'm not going to bore you to death with a lot of the legalese. I'm going to bring it up a level and really draw out how it relates to security, privacy and a lot of concerns that we have within this community.

So I'll start off with a quote from Eric Schmidt. I think we're all familiar with him. This is a quote from 20 years ago. He talks about how the Internet is the first thing that humanity has built that humanity doesn't understand, the largest experiment in anarchy that we have ever had. And so, leaning on my political science background, anarchy actually is a key tenet within political science and international relations: it's a lack of a central authority. So when he's talking about this, translating that over, there's a lack of central authority within the Internet, and that's the foundation it was built upon, right? So a lack of any type of government control, a lack of a broader international governmental organization controlling all data flows and things along those lines. But this was 20 years ago, and it has proceeded very much in line with this for quite some time. But really, over the last decade or so, more and more countries are starting to try and contain this anarchy and try and assert some sort of authority over the data flows within their borders.

And so there are really two different segments that we see going on. In the US and more of the democracies, we still see a big policy-and-technology divide. Policy does not innovate, law doesn't innovate, ethics changes don't tend to keep pace with technology, and I think we all know that fairly well. Technology is growing exponentially at a very, very rapid pace; policy, especially in the US, has remained relatively stagnant. I think the main law that gets discussed in the security conferences is the Computer Fraud and Abuse Act, which is 30 years old. So we're not seeing a ton of policy innovation yet on the US side and across some of the democracies. Authoritarian regimes, however, have been innovating in this area, and innovating in some really interesting ways to help promote their own objectives, and so that gap is decreasing quite a bit. And so what I'll be talking about a lot is some of the innovations that the authoritarian regimes are doing as far as digital policy, and contrast that with some of the democracies.

But as I do that, let's first take a step back. I have to do the definition so we're on the same page on what data localization is. From the more broad legal framework, it's really requiring the data to be collected, stored, processed, really everything you can do to it, within the sovereign borders of a country. And so that's sort of the really narrow lens of what data localization is, but really I look at it as one of many, many policies that governments are pursuing right now to control information, both for governments to control it and to protect privacy for individuals. So it depends on which angle you're looking at, and within that realm you have to look at data localization in a much broader context.

And so, just to step back a bit before we get more into the weeds, there are two different notions. One is a cyber sovereignty model that's going on within the international arena for the shaping of the Internet, especially within countries' borders. Cyber sovereignty is one of those terms that, ostensibly, sounds great, because it's for governments to be able to have some type of control of what goes into their countries, very similar to what we see in the physical world. Sovereignty is a very big concept, and respect for it is basically a core tenet of the Westphalian state system. But when you go into the digital realm, on the one hand a lot of the terminology that's used is, it's to say, to protect data and provide some security; but when it's within these autocratic regimes, it's really much more so for governments to access that data. And so it helps inform the surveillance state, it can help inform various kinds of censorship, and then it even goes into how they approach the various kinds of targets for cyber attacks, where almost anything could become a target, as opposed to more of the multi-stakeholder model, which is trying to push forth more of a constrained realm of what is and is not within the cyber norms of acceptable behavior for targeting.

So that's the cyber sovereignty model on one hand, and on the other hand we've got the multi-stakeholder model. That's what you see much more so in democracies. This is the model that's being pushed forth at a lot of the international governmental organizations like the UN, the G20, even APEC, and so it's not necessarily entirely democracies, but it has a lot of the tenets that are underlying democracies: pushing forth more so for freedom of information, protection of data, preventing countries from attacking perhaps critical infrastructure, making that off-limits. And so they're really two different mindsets, and at the end of the day countries fall somewhere along the spectrum. It's not necessarily a black-or-white thing. What we're continuously seeing is countries starting to line up somewhere along the spectrum, with the multi-stakeholder model on one end, which is more of your utopian vision, and the cyber sovereignty model on the other, which is much more so government control of data.

And so what I'd like to do is go into three different models that fall along that. The Chinese model: China's really been the one who's been pushing forth cyber sovereignty the most, internationally and domestically, and has been doing so for a couple of decades at this point. The Russian model and how they approach it. And then the EU model, which is much more indicative of the multi-stakeholder model.

So let's start with China. Again, it's been several decades since China first started these notions of cyber sovereignty, and the way they look at data was much more so looking at cyber security as a national security issue, and then from there translating that down, where information control, intelligence control, all those things go into the broader national security imperative for the government. And so you can trace back about 20 years and see some discussions along those lines, and even if you think about the Great Firewall, that was dubbed in the late 90s. So for quite some time China has been slowly implementing and enacting various policies along these lines. Some of the most prominent themes: the Cybersecurity Law of the PRC. This is the one that was passed a couple of years ago and just went into effect last year. On the one hand it really just tightens up a lot of the laws that were already ongoing during that time, especially when it comes to data being stored within the country and the ability to access that kind of data, but it also gets into the longer-term focus on Internet control, what the government can access, and then it hits into the various themes: it's the Great Firewall of controlling what goes in and out of the borders, so cross-border data flows definitely is one of those things, and that includes what could potentially be state secrets. And so again it's one of those things that becomes fairly vaguely worded, and you'll see this actually throughout the law. One of the challenges with a lot of these policies is that they are intentionally vague, to help enable governments to have greater flexibility in what they want to have fall under those areas. And so what might be a state secret? At the end of the day, I can imagine almost any of us could justify almost anything being a state secret. So it keeps it vague in that area.

One of the key components, though, really, is that it stresses the government as the core protector and manager of digital content and data, and this is really where you see sort of that cyber sovereignty notion, where it is the government's job to control, provide that security over, and help manage and operate data. And this is going to be very, very different than how we see that in the GDPR from the EU. It also fits into the notion of indigenous development and growth, ensuring that things are made in China and that the Chinese government has access to what is actually physically located in China. And so, Made in China 2025: there's a big push going on right now for domestic innovation, and you see strong connections between the state-owned enterprises and the government within China, which isn't actually what we see in other areas. If you look at the Facebook hearings that went on in the US, seeing the difference between the government and the private sector, the lines are much more blurred in China in that area. And so that also impacts data access and protections of data, and so if companies are doing business in China there are a lot more different concerns to think about.

So I'll talk about some of the individual and corporate impacts, for individuals in China and for the corporations as well. One key area is increased censorship and surveillance that can come from all this additional data, additional control of the data going on. Something that has popped up is also, Wired had a really great article on their social credit system, I think about a month or two ago, and I'd recommend reading it if you have any interest in that. It's basically a system that the Chinese government is rolling out for a ranking of individuals and corporations within China, and so it's based on a whole series of things. If you think about it, in the US we've got a credit rating system; it's that on extreme steroids. It includes the social media content that you're posting, it includes whether you're in debt or not, whether you've had any time in jail, all those kinds of things, and even the scores of those within your own network itself; it all gets rolled into that. And they've started rolling this out a bit here and there across the country. It's a system that they're going to be continually evolving, and so again all that data will be locally stored within China, and it will cover really almost every facet of individual life within the country.

For corporations, which is where probably a lot of us might wonder what's going on, it puts intellectual property at risk, and so especially with this new law that came out, the one that rolled out in 2017, there's a particular emphasis on critical infrastructure, and again that remains somewhat vague, how they're defining that, but it really was an emphasis to try to give the Chinese government the ability to access personal data stored by critical infrastructure companies as they see fit. And this also includes websites that are hosted within China as well, and so it's impacting a lot of social media platforms too. So that is one model, and again one thing to keep in mind actually with all of these as I talk through them: these are all evolving, right? So what I'm giving you now is somewhat a snapshot in time. All these laws are coming out over a period of time, I imagine they'll continue to evolve, and this is something that I'll highlight towards the end.

So the Chinese model I think probably is a bit more well-known. When we think about Russia, especially in the United States, we think about just information operations and trolls and those kinds of things, the Internet Research Agency, but we don't really think as much, I don't think, about the data localization aspects of it, which all do go into the pursuit of information control from the government. So I'll do the same thing, walking through Russia a little bit. Russia also has a relatively recent law, and it goes a bit further than the Chinese law as far as requiring all data on Russian citizens be stored within Russia, and so it's a little bit different from the Chinese model. One of the things that also is actually interesting in comparing and contrasting the two: Russia has been much more proactive in this area. If you think about a company like LinkedIn, just a few years ago it refused to adhere to some of these laws and was banned, and so there are much quicker repercussions that we're seeing as far as Russian proactivity in countering companies that are failing to comply with the laws. It also includes prohibiting VPN access and anonymization, so wanting to ensure that they know who people are on the Internet and being able to track them down better. And then the interesting one, I think especially for this audience: they're requiring source code for security products, and there are security products already that have handed over source code to the Russian government in an attempt to gain access to that market. And that's something that, especially in the China case as well, there are all these repercussions that companies could potentially face when doing business in these countries. And it's not just China and Russia; I'll show some other ones as well. But it's a calculation that corporations are going to have to make as far as the risk of loss of IP, perhaps, in return for immediate access to enormous markets, right? And so that's where some of the business challenges come into play. It's not quite as simple as just whether or not companies want to hand over their IP.

So, similar to what's going on in China, Russia is attempting to copy some aspects of the Great Firewall. It's not there yet, but it definitely likes that idea, and it's trying to build towards that. Within the Information Security Doctrine as well, there's a lot of emphasis on controlling data within the borders, and so again this is something where we think more about the disinformation and the fake news and that kind of thing, but Russia also is really leading the way in many areas for trying to control data within their own borders as well. And so for individuals, again, it's more censorship and surveillance, but then there also is disinformation and internal societal divisions. Russia also often uses Russia itself and some of its nearby neighbors as a test bed for other tactics to be used against other states down the road, so it also has a lot of testing that can go on as far as some of these tactics. For corporations, obviously there are costs of moving servers within the Russian borders, some data migration costs that come along with that. And I think an interesting one that just came out, from what I saw, some of the Russia experts were translating a series of Russian news reports over the last week, and Russian state news media said all countries will build virtual borders, it's inevitable, and it's very good for all of us. So there already is starting to be this information or disinformation campaign showing how great it is for there to be borders within the Internet and for Russia to control all data within. So there also is a little bit of marketing going on as far as how great this is for the Russian population.

And finally we get to the European Union. So those again are on one end of the spectrum, falling under more the cyber sovereignty model; now we're moving over to the multi-stakeholder model, and the European Union really is the farthest-advanced political entity in this area. I think a lot of us probably have been getting inundated with GDPR compliance emails, and you see lots of that popping up on blogs across the security community. And it's interesting, and still I think the latest studies show that most companies still are not even close to being ready for compliance. And so what does all that compliance even mean, and what are they trying to do? So the General Data Protection Regulation comes into effect in about four weeks, around May 25th, and so it's an expansion of some ongoing regulations that they already have, really focused on individual privacy. And this is where, if you want to look at the two tenets to think about comparing and contrasting for data localization: on the cyber sovereignty model it's government control of the data; on the multi-stakeholder model it's individuals regaining better control of their data. And again, I'm not saying that all of these objectives are actually going to be achieved through some of these policies. I honestly think it's going to take some time to fine-tune all these policies to achieve the objectives that they want, but at least the GDPR is a step in the direction of putting more power back onto the citizens for having control of their data. And it also puts more emphasis on corporations being held more accountable for maintaining the security of their data. So again that's something that very much is relevant for this community, as far as corporations are going to have to prove that they've taken certain steps to help try and secure the data of their users.

There are additional aspects of express consent, and I think we've seen a lot of this going on, again something from the Facebook discussions that have been going on. This gets into some of the user experience aspects; there's been actually a fair amount of user experience blogs and so forth talking about how to gain express consent, opting in versus opting out, and all these different kinds of studies, and so hopefully a lot of that research may find its way in to make it more of a seamless aspect. Algorithmic transparency is another one, and I think this again is one that's really, really interesting. Phil is here and he talked earlier about some of the machine learning and support that's going on in our industry, and so what the GDPR wants is to be able to identify what some of the driving factors are behind some of those machine learning algorithms. And that's not actually as easy as it sounds; very often it's very hard to identify what the main core factor is underlying a lot of it. But they're pushing towards that, and so I think there will be a lot more research going on in this area. I think it's a really interesting area to think about, especially as you start thinking about some of the algorithmic biases that have been popping up in research in that area, so I think that's going to be one of those areas that does come into security as well. And then for the data protection, it's a bit more of an expansive notion of what your personal data is. It's personally identifiable information, but also adding in some more of the hard selectors and content as well. And so, you remember we've had plenty of conversations, I think, at these conferences about your metadata and whether it matters or not; they're including a lot of that other information in there as far as what can be protected.

So how does this impact individuals? An interesting one is the right to be forgotten, and so that's, whatever platform it is you access, you can have your information erased. You also have the right to access it, and so a lot of these are already happening, but it's becoming much more mandated. It is, again, that focus on individual privacy that is really, really important. Another one is breach notification, and this is something that in the US we have breach notification, and they had it in the EU as well, but it's such a minimal amount of money compared to what the corporations make that it really doesn't matter. And so you have to think about your incentivization, and so for the GDPR, when it rolls out, it's going to be four percent of the global annual revenue coming in to the corporations. So before, if you think about it, it was something that Google made in a second, and so it doesn't really matter; when you start thinking about four percent, that's a decent amount of money, and so hopefully it's enough to stimulate corporations to be much more proactive in breach notification. The other thing that I think we forget about in the US is, it's any corporation that has data on EU citizens. So it doesn't actually matter if the corporation itself is located in the EU. This is again where it somewhat varies from some of these other data localization laws; it's just any corporation that has EU citizens' data. And again there are fines for non-compliance, and there's third-party compliance required as well.

So what about us? Usually the US has historically led the way in shaping a lot of the norms across international orders, especially since 1945, but for the most part it's been a bit of a meandering story for the United States. We've got the CFAA, again from the mid-80s, and since then we've really taken much more of a sector-specific approach. So you can think about HIPAA focusing more on healthcare, protecting healthcare data, and finance has their own areas protecting financial data, but there isn't anything uniform, so it's very much a patchwork approach. And then in addition to the patchwork by sectors, it's patchwork by states, and so these are just a couple: New York, Tennessee, Ohio, California all have either proposed or are implementing various policies that protect either personal data going outside their borders or require access to or protection of personal data within their borders. So it takes a bunch of different data localization aspects but takes them to the state level, and so those will be really interesting. Again there's a current one in California, the Consumer Privacy Act, that's making a fair amount of news, but Facebook, Google, Twitter, a lot of the big tech platforms have lobbied against it. So again this is an area where we're crossing over a lot into the security realm, and what we're seeing going on right now is changing, honestly, daily it seems.

Another one that's on the governor's desk right now is one in Georgia, which I think is very relevant for this community. It isn't necessarily data localization, but it impacts data security and privacy quite a bit, because on the one hand it seems, on reading it, to enable hacking back, and then at the same time it seems to limit legitimate uses for testing defenses. And so it kind of has a double whammy on what could be the outcome of that. That's on the governor's desk right now, and so we'll have to see what happens with that. There's a Data Security and Breach Notification Act, so again stemming from the EU a little bit and those kinds of notions, but it includes jail time if corporations are deemed to not have actually done due diligence in trying to protect the data. And then there have been other aspects of data localization that have been trying to be put into NAFTA and the TPP during some of those negotiations; the Department of Defense looking at cloud computing and requiring those providers to be storing the data locally; and then one I'm just throwing in there, showing just how much it impacts companies in the US, or how, even though companies are based in the US, they're also working abroad: Apple's now storing data on Chinese citizens in China. And so we need to look at what kind of policies the US is going to be doing to help respond to that and help ensure security and privacy.

And so, going through all this, does it seem that perhaps boundaries do exist on the Internet? On the one hand there's a lot of protections, data policies, that we see going out there, and this is a big impact that we see very often: as globalization ebbs and flows there always is a pushback, and so this is a natural aspect in the rhythm of how international politics works. And so look at these, and look at some of the ones that are darker over there as far as which countries block different kinds of data flows, and you overlap that with, this is the Freedom House Freedom on the Net, which ones tend to be more censored, and so again you see this overlap, which highlights just how closely data localization fits into the broader strategies for information control within government strategies really across the globe. And if talking about those three countries wasn't enough, those activities really are diffusing down to other countries. And so this is what happens: if something seems to work at some of the major powers, other smaller countries are going to start adopting some more policies as it fits the needs of the government. And so again keep in mind, one of governments' main objectives is to stay in power, and if controlling data or protecting their citizens' privacy are good means to help them stay in power, help maintain their regime type, they're going to do so. And so Kazakhstan's a good one, requiring data to be stored in the country. Vietnam, at least one server in country, and ensuring that the government has access to it. And from there it goes on: Canada has the right to be forgotten, somewhat similar to GDPR; South Korea is blocking mapping data, they don't want to allow map data to leave the country, and they're arguing for national security reasons. And it kind of goes on and so forth across various countries, and this is just a partial list of it, by the way. A lot of countries across the globe are advocating for various aspects of data localization laws.

So that's a lot, and that's where things currently are. That's where our snapshot is right now, but the key thing is to not assume this will be the current trajectory forever. There are a lot of ebbs and flows that go on in international relations as international systems evolve. Democracy has had numerous waves, three, potentially four, waves of democracies expanding and retracting a bit. And so some of the themes that are actually going on right now, and again going back to the pace of technology change, that is also really instigating, finally, a tipping point where policies are starting to change as well, and I think we're going to see a lot more expedited policies coming in, I think really over the next decade and probably sooner than that. So on the one hand the US, which is known for not wanting regulation of much at all, there's been a major push across parties for regulating big tech, and so this is something that a year ago we would not have seen, and for this to have happened over a three-month time frame, it's a pretty significant movement going on. And the picture on the right is just the "fix Facebook," which isn't a data localization issue but a data privacy issue, and that's where I actually think a lot of the data localization laws and data privacy and security laws that come in, they'll impact security as well, maybe stemming from some of these social media challenges that the US is dealing with right now.

But it's not just in the US, and there have been two actually really interesting events going on over the last two to three weeks. Everyone's been following Russia and the ban on Telegram. So Telegram is a messaging app and was not adhering to Russia's data localization laws, and so Russia attempted to ban Telegram, and with that people immediately found proxies to try and circumvent the ban, and from there Russia then tried to block various IPs, ended up blocking millions of IPs, and ended up blocking access to taxi services, grocery services, various social media sites; I mean it runs the whole gamut, and one place that I saw said it was 18 million different IP addresses that ended up getting blocked by that act, somewhat accidentally. And there's been really big pushback within Russia from that. It's been called an Internet civil war; it's led to the Ministry of Education, the science division, basically pointing out that this has blocked and hindered major scientific research going on within Russia, and then the latest articles over the last few days say the cost of this will be in the billions. And so that's really, it's amazing watching that happen right now, and so again it's something to keep an eye on and see how this evolves.

Similarly, just looking at protests and technology as well, over the last few weeks there was a notice that was written basically describing an assault back about 20 years ago at Peking University. The censors were trying to take that down, trying to control information, but someone put it on the Ethereum blockchain, and so now it is there. And so again, interesting ways, and many of the China watchers are saying that some of these protests that are going on now at these universities, they've not seen anything even remotely close in size since '89. And so it's really, really interesting how this is going on; again, just something to keep an eye on, not sure which direction things will go, but it's a really interesting turn of affairs. And that's why, no matter how we think things are going, and whether it's going to stay in one direction, other things can always happen when you look at this as a socio-technical system; there's going to be a lot of different variation in movement. And so at the end of the day, Internet anarchy is what states make of it, and that's what we're seeing right now. "Anarchy is what states make of it" is actually a very famous book in political science about the social construction of the international system, and I think the same thing is going on right now with a

lot of these various data laws and so we are seeing much more of a splinter net progressing right now doesn't mean that's the way it's going to go um but it is much more so that's more of this disjointed global system right now than what we've seen or anticipated in the past and so it is i think we're at the inflection point i think it's going to be some combination of these two so it's again something to keep an eye on and then why all this matters especially for those of us in the room i do think this has a major impact on democracy both perhaps perhaps helping move transitions into democracy and transitions away from democracy can go

both ways obviously very important impacts on privacy national security innovation and i think this is one that doesn't get talked about as much but for a lot of these countries that are really blocking off access to the data it is going to have an innovation impact on it which means they may have to try and get some of their innovation elsewhere so that's something to keep in mind uh obviously impact civil liberties and then global economy especially when you start thinking about the global data flows and whether uh what how much of those data flows will be blocked so really it crosses you know i think the majority of things that we care about within

this industry so that is it thank you everyone for sticking around for this last talk of the day