Some of the TPP member-nation leaders posing for a picture. Image: Wikimedia Commons
With paranoia over NSA surveillance reaching a fever pitch, foreign governments are making a reasonable plea: bring our data home.
But the Americans are doing their best to ensure that the world’s Internet data stays on U.S. soil, well within the reach of their spies.
To do so, American negotiators are leveraging trade deals with much of the developed world, inserting language to ensure “cross-border data flows”—a euphemism that actually means they want to inhibit foreign governments from keeping data hosted domestically.
The trade deals they’re influencing—the Trans-Atlantic Partnership (TPP), the Trade in Services Agreement (TiSA), and the Transatlantic Trade and Investment Partnership (TTIP)—are all so secretive that nobody but the governments themselves are privy to the details.
But thanks to the Australians and Wikileaks, both of whom have leaked details on TPP, we have a pretty good idea of what’s going on in the latest Trans-Pacific Partnership—a trade agreement that will act as a sort of NAFTA for Asia-Pacific region nations.
America is, essentially, the world’s data server. Since the dawn of the internet itself, every database of import has been hosted in the grand US of A. But now, foreign governments are starting to see the benefit of patriating their citizens’ private information.
Canada was an early adopter of the idea. Federal procurement regulations often require government departments to insert local data requirements, stating that businesses who wish to administer or host Canadians’ information must keep the information within Canadian borders. Most recently, the Canadian Government put out a tender for a company to merge and host the email servers for all their departments. In doing so, they stuck in a national security exemption, forbidding foreign contractors from applying.
Nova Scotia and British Columbia went a step further, flatly requiring any government-hosted personal data to be physically located in Canada.
Australia has taken similar steps, including setting up firm requirements for how companies store offshore data.
But the American government is not having any of it and is using TPP negotiations to strong-arm new provisions that favour American hosted data.
“In today’s information-based economy, particularly where a broad range of services are moving to ‘cloud’ based delivery where U.S. firms are market leaders; this law hinders U.S. exports of a wide array of products and services,” reads a report on Canada from the office of the United States trade commissioner.
The only reason the world is aware of the provisions in TPP on data hosting, is because the Australian negotiators, facing American insistence on the matter, leaked it to the press. Along with the New Zealanders, the Aussies are proposing changes to the agreement to short-circuit America’s proposal.
The TPP negotiations are top-secret, and highly controversial. As VICE reported earlier this month, provisions of the agreement could force American anti-piracy provisions onto the signatory countries.
“We know there is an e-commerce chapter and the general understanding is that the U.S. is pressing for a provision that would bar the ability to require localization of data,” says University of Ottawa professor Michael Geist, who is also the Canada Research Chair in Internet and E-commerce Law. “That has big implications.”
The Americans aren’t even making secret their insistence on the matter. On the American website for the trade deal, it clearly states there’s a priority for the TPP to include: “requirements that support a single, global Internet, including ensuring cross-border data flows, consistent with governments’ legitimate interest in regulating for purposes of privacy protection.”
And they’re not taking their concerns lightly. An Access to Information Request obtained by the B.C. Freedom of Information and Privacy Association shows that the Americans were furious over the Canada email tender barring foreign bidders.
A representative from the U.S. trade office insisted on a meeting with Canadian representatives after the tender went online. They later forwarded angry responses from American industry entities, featuring a list of questions from a technology association:
“Why did Canada feel compelled to issue the blanket [Natural Security Exemption] on May 25, 2012? Who was involved in making this decision to invoke a blanket NSE?…How does Canada justify all of these e-mail, data center, and networking projects as rising to the level of national security?”
What makes the TPP agreement so extreme is that it could allow those corporations to sue governments that don’t respect the data flow provisions. For example, an American cloud server company could sue Canada for slipping in a “Canadians only” provision on the contract tender to merge its email servers.
What is unclear, thanks to the cloak-and-dagger approach that the twelve participating countries are taking on the matter, is if there are any exceptions carved out in the latest draft of the TPP.
Indeed, we don’t even know if the provision is in there at all but, given American determination on the matter, it seems almost certain that it is.
One analyst, working for a think tank monitoring the talks, said that there could be caveats stuck in the eventual agreement allowing for governments to claim national security exemptions. It could also allow sub-national governments—provincial or territorial—to still implement laws requiring local data hosting.
But there’s no indication one way or the other. “It’s undoing privacy laws through the back door,” said the analyst, who was not authorized to comment publicly. “British Columbia and Nova Scotia are in the U.S. Government’s sights.”
Even if it is eventually removed from the TPP agreement, talk is also swirling that the language is included in the TTIP—which is basically the Atlantic equivalent of the Pacific deal, tying in America and much of Europe. It, too, is secretly being negotiated.
For TiSA, there’s no doubt that the data flow provisions have been stuck in. We only know this, again, because of Wikileaks.
“No Party shall take measures that prevent transfers of information or the processing of financial information, including transfers of data by electronic means, into and out of its territory,” reads language in the agreement, which only affects certain financial transactions.
Ultimately, keeping data within reach of the NSA puts it under the jurisdiction of the secretive United States Foreign Intelligence Surveillance Courts—spoken in hushed tones among privacy activists as the all-powerful FISA courts that hand over blank cheques to the American spies for warrants and the like.
“It means that the NSA has a more direct line and fewer restrictions,” says Tamir Israel, lawyer at the Canadian Internet Policy & Public Interest Clinic. “If the server is in Canada, and I’m in Canada, it’s going to be harder for them to get.”
Practically, Israel points out, the NSA will have an easier time of installing physical signals interception hardware or software. Because, functionally, the server is closer and more accessible.
“The practical matters are what’s important, because the legal barriers mean nothing,” he says. “It’s a lot harder for them to set up a wire tapping machine in Canada.”
The second is that, for countries with limits on how their own intelligence agencies can operate, offshoring the data is an open invitation to perform bulk collection programs. For Canadian spy shop CSEC, it’s an easy side-step of the legal limits on their ability to snoop Canadians on home turf.
The Canadians, Israel points out, “can assume that it’s foreign because it’s transiting the border.”
Bill Robinson, a keen watcher of CSEC who runs the blog Lux Ex Umbra (“Light From Darkness,” in case you’re not fluent in Latin) has a similar theory on the cross-national sharing of data.
“When a Canadian is dealing with Google or Yahoo in the United States, is that considered communicating with a foreigner?” he said. “We don’t really know where the line is drawn, in that respect.”
Given that uncertainty, the sort of data that could be captured by both domestic surveillance programs and the NSA’s “bulk trolling,” as Robinson puts it, is limited only by your paranoia.
Police reports, emails, phone calls, health records, tax information, credit card details, and much more. Admittedly, some of this data is already susceptible, considering that America does host much of the world’s private data already.
Government data, however, is the real problem. And, as countries look to update their hardware, opting for the cheaper and more efficient option of cloud servers rather than sticking servers in their basement—the issue will be hugely important.
If a government agency tenders a cloud server contract, and it is awarded to an American company, there’s no turning back. While the NSA might be a big winner from these changes, it’s not the spies that are driving these changes.
The language of TiSA, especially the language around cross-border data flows, was “a bunch of companies’ wish list that they gave a government and the government said ‘let’s do it,’” says Israel.
TPP is much of the same. It basically awards American companies the luxury of pushing out smaller, local, cloud companies that offer governments and citizens a piece of mind, while making sure that the mega Yankee server farms are never required to set foot outside of Iowa.
But the language around allowing the free flow of data across borders is a bit of a straw-man argument, says Israel.
“Data can already flow freely across borders. That’s the point of the internet,” he says. The real question is whether countries should be able to put up trade barriers in order to leverage their citizens’ privacy.
“A ‘digital economy’ can only truly flourish without restrictive legislative boundaries,” says Robert Hart, CEO of the Canadian Cloud Council, which represents Canuck server companies.
“Canadian data centre companies have a unique opportunity to go to market with ‘data-safe’ cloud computing services, but how long will this opportunity truly remain?” said Hart.
Hart does believe there is cause for concern over language in the TPP. “A ban on such requirements could potentially place Canadian data at risk and run counter to the government’s own policies on the storage of its email data,” he says.
But, at the end of the day, governments might not care. Some, in fact, might relish the ability to dispatch their domestic spies to snoop their citizens’ foreign-hosted data.
“Maybe they’re using it as a way of policy laundering,” says Israel.
Problem is: we have no clue. The meetings may as well be held 20,000 leagues under the sea.
“The government has been so secretive with the text on these treaties that, by the time you provide input on any of these things, things may have already moved, or it’s too late: because there’s already a deal in place,” says Geist.
The last round of TPP negotiations, which just wrapped up in Ottawa, could be finalized at any time. Geist figures Prime Minister Stephen Harper would readily jettison privacy concerns if it means securing new markets for Canadian goods.
“We’re talking about a government that hasn’t been particularly sympathetic to a lot of privacy concerns, at least not lately, so the notion that somehow this would stand in the way of the deal strikes many as incredibly unlikely,” says Geist.
In the end, he’s not optimistic privacy concerns will outweigh economic benefit, especially with a ruling party championing the economy and the signing of several other monumental trade deals.
In other words, look out Canada, here comes the TPP.