All around the world, governments are devising creative ways to torment American technology companies. It began last year after leaks revealed that the U.S. government basically uses services such as Google (GOOG) and Facebook (FB) as arms of the surveillance state. In response, some countries—including Germany, Brazil, and now France—have toyed with the idea of forcing Internet companies to route traffic or store data locally.
As public policy, this is inept technologically and economically. As symbolism, it illustrates the damage that overly ambitious espionage can cause. And it reinforces, yet again, how insecure the foundations of the digital marketplace are.
Since the intelligence contractor Edward Snowden began exposing surveillance programs by the National Security Agency last June, trust overseas in U.S. technology companies has plummeted. In some cases, sales have slowed. And foreign regulators have been licking their chops in anticipation of a crackdown. Estimates of the cost to these companies have ranged from $21.5 billion to $180 billion by 2016.
One measure being considered by more than a dozen governments is to require Internet companies to store information collected on their citizens at onshore data centers. Such a move would obstruct the free flow of trade (in this case, bits of data), inhibit innovation, increase inefficiency, raise business costs, and slow economic growth. If adopted widely, it could threaten the trust and openness on which the Internet is built.
One thing this idea will not do: offer much legal protection from spying. The NSA, under authorities granted by Executive Order 12333, has extremely broad latitude to conduct intelligence gathering outside the U.S. without oversight from the Foreign Intelligence Surveillance Court. And U.S. tech companies would still be required to turn over data on specific users at the government’s request, regardless of where they store the information.
Local data storage won’t offer a practical impediment, either. The NSA has shown itself quite capable of infiltrating foreign communications companies, and local spy agencies would undoubtedly find it convenient to have all their citizens’ data in one place. (The French government, it should be noted, is no slouch when it comes to surveilling its citizens’ digital habits.)
All of which suggests that the real reason governments want to require local data storage is to promote local businesses. Or, more perniciously, to control information a little more tightly within their borders. Both urges should be resisted. This very bad idea does, however, have the virtue of illustrating a deeper problem. Many tech companies have based their businesses on collecting precisely the kind of user information the spies are after. The architecture of the Internet makes sharing that information effortless, but protecting it effectively impossible. That dichotomy won’t go away.