I was recently speaking with the leader of a US company who was seeking advice on where to put stakes down for an expansion of their international operations. He was weighing the pros and cons of Belfast in Northern Ireland versus Galway in the Republic of Ireland and sought my views as a US expat based in Dublin for the past 8+ years. We spoke about all the usual motivating factors – talent attraction and availability, ease of doing business, infrastructure, the uncertainties that an impending Brexit brings, and of course the big pink elephant in the room that has dominated the conversation for years – TAXES. Something we didn’t talk about – but perhaps should have – was the storage, transit, and privacy of his company’s data.
Certainly the political, social, and economic implications of Brexit cast a grey cloud over the future of certain businesses within the UK, with more than a few already planning or executing moves of key staff to places like Ireland, Luxembourg, and the Netherlands. But while many of us were preoccupied with the uncertainty of Brexit and then the election of Donald Trump, a somewhat shockingly transparent piece of legislation called the Investigatory Powers Act 2016 (IPA) was given royal assent and became law in the UK on 29 November 2016. This law made an impressive range of hacking powers and bulk data collection legally available not only to the UK’s security services, police, and major government departments, but even to the food services authority (‘Sorry pal, we’re closing your restaurant as we see you’re just poorly rehashing Jamie Oliver classics – I’ve got your browser history right here, mate’). These legal powers are unmatched in the rest of western Europe or the US, yet the Home Secretary referred to the law as “world-leading legislation” providing “unprecedented transparency and substantial privacy protection”. Critics have labelled it “more suited to a dictatorship than a democracy”.
Regardless of your personal beliefs as to the merits or risks of such legislation, businesses worldwide continue to embrace the revolutionary changes that cloud computing is bringing to IT infrastructures everywhere. As a former operations manager of one of the largest search infrastructures in the world at Amazon, I saw first-hand the simplifications and efficiencies that we gained by using AWS. Thousands of other companies have moved or are moving to the cloud, and the top 10 concerns for business continuity professionals include cyber attacks, the threat of data breaches, security incidents, and uncertainty around the introduction of new laws or regulations. Considerations such as whether the ultimate physical home of their cloud data might be in a politically corrupt country, and how cross-border data flows are implemented (like those dismantled by Safe Harbor’s invalidation), become major factors not only in cloud migrations but in FDI decisions.
There’s also the issue of companies themselves making smart choices in terms of design, and their handling of data both at rest and in motion. Even though top cloud providers like Amazon give customers control over where to physically store data and allow them to make their own choices around data encryption, in the IPA world your communication services provider (CSP) is mandated to track your activity and the UK government has a legal means to access that data without a warrant (in addition to simply hacking/infiltrating devices). The UK government also has the right to force your CSP to hand over decryption keys. No, the UK government can’t force foreign companies like Apple or Amazon to decrypt data, but if you’re not smart enough to manage your own cloud data correctly (or simply make a mistake) that mightn’t matter. And with the rise of the Internet of Things (IoT) as an emerging market, meaning potentially billions more devices collecting and reporting data, there are even more concerns around data privacy and interception. Of course some companies are already looking to fill that void, though I suspect many might be sceptical of a product that emerged from a project run by the same folks who created PRISM.
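The practical side of “managing your own cloud data correctly”, as an added example that is not code from the original post: envelope encryption done on the client before anything reaches the provider or CSP, so the stored object is ciphertext plus a per-object data key wrapped under a key-encryption key (KEK) that only the customer holds. It uses only the Go standard library; it assumes the KEK comes from `NewKey` (32 bytes) and that region selection is a separate provider setting outside this code.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
type StoredObject struct { // all the provider or CSP ever holds; opaque without the customer's KEK
	Ciphertext []byte // nonce||AES-256-GCM(plaintext) under a per-object data key (DEK)
	WrappedDEK []byte // nonce||AES-256-GCM(DEK) under the key-encryption key (KEK)
}
func NewKey() []byte { // fresh 256-bit key from the OS CSPRNG; used for the KEK and every DEK
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err) // no safe key material is available at all
	}
	return k
}
func gcmFor(key []byte) cipher.AEAD { // AES-GCM for a 32-byte key; another length is a programming error
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}
func seal(key, msg []byte) []byte { // nonce||ciphertext with a fresh random nonce
	gcm := gcmFor(key)
	nonce := NewKey()[:gcm.NonceSize()]
	return gcm.Seal(nonce, nonce, msg, nil)
}
func open(key, blob []byte) ([]byte, error) { // reverses seal; fails on wrong key, tampering or truncation
	gcm := gcmFor(key)
	if ns := gcm.NonceSize(); len(blob) >= ns {
		return gcm.Open(nil, blob[:ns], blob[ns:], nil)
	}
	return nil, errors.New("blob too short")
}
// Encrypt runs client-side before upload: a random DEK per object, wrapped under a KEK the provider never sees.
func Encrypt(kek, plaintext []byte) *StoredObject {
	dek := NewKey()
	return &StoredObject{Ciphertext: seal(dek, plaintext), WrappedDEK: seal(kek, dek)}
}
func Decrypt(kek []byte, obj *StoredObject) ([]byte, error) { // needs the KEK; the object alone is not enough
	dek, err := open(kek, obj.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, obj.Ciphertext)
}
```

A provider compelled to hand over the object, or even its own service keys, still returns only ciphertext; losing the KEK, of course, means losing the data, so the KEK needs its own backup and rotation plan.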
Certainly sceptics (or perhaps realists?) may hold the notion that the legislation is simply the UK government being more transparent about what it has already been doing for years; or even that someone somewhere has been listening to the internet for ages and one country’s legislation doesn’t really change anything. But in the face of legislation such as IPA, while some may debate the political corruptness of a government that collects such data on its citizens, it is difficult to ignore the new danger to personal privacy, and to business as well, that exists once the mechanisms to collect and query such data exist at all. As James Madison said, “There are more instances of the abridgment of the freedom of the people by gradual and silent encroachments of those in power than by violent and sudden usurpations.” Elected officials are not honest or moral by default. And what happens if the government itself is compromised by a rogue state or terrorist organization? Surely I’m not the only one who saw the “Black Mirror” episode where robotic drone bees designed to replace their extinct natural counterparts were compromised by hackers for use against the people they were designed to sustain through life-giving pollination.
Clearly IPA is an attempt by a first-world, western nation to close gaps that have developed between law and technology – which is needed. But in the face of changing politics, a rise in nationalism, and the fear of terrorism, it appears that many nations may be moving towards a position that places a potentially misleading faith in a sense of security bought at the sacrifice of the liberty, freedom, and privacy of their citizens. And, just as tax laws have proven to be a significant factor in where multinational corporations choose to establish their headquarters and operations, might data privacy and protection be the next big driver of movement? And with the UK taking such marked steps towards legalizing (and publicizing) practices many once believed to be only within the realm of the KGB or the Stasi, is it simply establishing a path towards autocracy, constant surveillance, and an Orwellian vision of the future for other nations to follow?
One thing is clear – corporate global market strategies must include robust data management and security practices to deal with the ever-shifting landscape that rapid political, legal, and technological changes bring to today’s world. Laws, for good or ill, are catching up; and customers’ understanding of what this means for them and for the companies they do business with won’t be far behind. And customers who feel wronged or find legal regimes unacceptable aren’t afraid to take their business elsewhere.