Wednesday, November 20, 2013

The Splinternet, from a pool in Istanbul


Look, I'm a swimmer, and here I'm swimming in the gorgeous pool in Istanbul at the Ciragan at sunset on the Bosphorus.  Things are simple: there's me, and there's water.  I'm hyper-aware of where each little piece of my body moves through the water.  I spend endless hours learning how to slice through the water.

Online, there's me, and there's the cloud.  I'm hyper-aware of each of my little blogs, or emails, or posts, spending endless hours living online.  But I have no clue where all this data actually resides. It's like water, it's all around me, and yet I can't say where it is, or whether it's still or flowing.    

In the pool, and online, I don't really have much choice except to trust it.  I trust the pool water to be clean and healthy.  I trust the online cloud to be safe and reliable.  Honestly, I don't have a clue about who keeps them that way.  I just trust, or hope, that they are.  

Of course, the cloud is cool.  Whatever your question, you can find the answer in seconds.  I have more knowledge than Faust, and I get to keep my soul too:  with a little device and an Internet connection, I can access trillions of pages of human knowledge in seconds.  It's so awesome and so ubiquitous that it already seems banal.  Data is everywhere, accessible anywhere, anytime, all thanks to the global flow of data through the cloud.  And this marvel of human ingenuity and sharing evolved before anyone could try to slice the cloud into little boxes that they could control and regulate, for purposes good and ill.  

But I get why people are uncomfortable with all this.  Where does all my precious, personal data actually go?  Does anyone other than systems engineers even know?  Do they even know?  So, I can't blame governments for trying to rein this in, for trying to create clarity out of cloudiness, or at least to create little zones that they think they can control.  Attempts are back:  to balkanize the Web, to slice the cloud, to put data into boxes.  Governments are using a fancy new name for it, "data sovereignty", although the rest of us are calling it the Splinternet.   Data sovereignty has re-emerged as a big theme in global privacy debates, largely as a result of the recent spate of government surveillance revelations. 

Let's take a moment to ask, though, what is the motive behind this Splinternet stuff. Governments often use the vocabulary of privacy to militate for more data sovereignty, but the truth is more complicated.  Sometimes data sovereignty is about privacy, and sometimes it's not. 

"Privacy" is about protecting personal data about an individual.  "Data sovereignty" is about governments increasing their local control over the data of their citizens.  

There are many different reasons why governments may want more data sovereignty:

Governments may want more data sovereignty to protect their citizens' personal data, or they may want it to monitor it more closely:  e.g., many governments around the world, take Russia as just one example, want more data sovereignty to reduce the ability of a foreign (e.g., US) government to monitor their citizens' data, while at the same time to make it easier to monitor it themselves.  

Sometimes data sovereignty is a economic, or protectionist, issue. Governments may want companies to invest and hire locally, e.g., by building and staffing local data centers.  Or they may want to encourage their citizens to use the services of local companies.  This has nothing to do with "privacy", but rather with pure local trade and investment goals. You see this sort of government trade protectionism rhetoric in France every day, to take one example. 

Sometimes data sovereignty is a issue of government control in unrelated areas, like censorship.  Countries that operate national firewalls, like China, want more data sovereignty to increase their ability to censor, monitor and control the contents of communications within their borders.  

Sometimes data sovereignty is about applying local rules, customs and regulations.  e.g., Europe is debating a legally-mandated "right to be forgotten", and trying to define how/when a user should be able to delete personal data about themselves from the Internet, even when that personal data was legally published by a third-party, such as a newspaper.  While the debate continues within Europe, it is clear that such a "right to be forgotten" could at best be implemented within the sub-set of the Internet that is subject to European jurisdiction, such as perhaps local domain addresses, or in other words, within a limited universe of data sovereignty. The same could be said for dozens of other local and regional-specific laws and regulations (like the Thai law making it a crime to insult their King).   Absent data sovereignty, such local variations would be virtually impossible to implement on the global Internet, setting aside whether all this is for good or ill.  

"Privacy" is often the vocabulary you'll see governments use to militate for more "data sovereignty."  One of the tools used to try to achieve this data sovereignty is restrictions on international data transfers, once again, setting aside whether this is good or even possible.  My point is simply that governments want many different things under the guise of "data sovereignty."  Sometimes governments want more "privacy," and sometimes "privacy" is just a pretext for unrelated government goals.  

When governments say they'll create their safe little Splinternets for their citizens, I know this does little more than put lane lines in a pool, keeping the swimmers in their lanes, while the water continues to flow everywhere, as it always has and always will, as every swimmer knows.