It’s time to think about jurisdictional data sovereignty


There are many ways to think about where your data is stored. The most discussed today is centralized vs decentralized; the other is which country's borders the data sits within. Today, I'll only discuss the latter.

Here in Canada, this became prominent back when British Columbia added section 30.1 to B.C.'s public sector privacy law: "Storage and access must be in Canada".

The intent was an early realization, in a US PATRIOT ACT world, that countries were starting to collect all of the data they legally could on foreigners. In the information age, where organizations collect data for big data's sake, that data is not only useful for profit through sharing and selling; governments can now also use it, forever.

Let's use a relevant example here in Canada. I live in B.C., where cannabis is legal, just north of Washington state, where cannabis is also legal. But if the U.S. government ever collects evidence of my cannabis use, I can be refused entry, because cannabis is still illegal under federal U.S. law even though many states have legalized it.

So as we think about where the data rests in this case: the easiest way to legally purchase cannabis online is through the various provincial government stores. What is not clear is what their process is for using American tech or digital services. For example, if you buy cannabis with a Mastercard or Visa, those American companies can now provide the U.S. government with a list of cannabis purchasers in Canada.

This is not just a risk to Canadians today; it could be a greater risk tomorrow, or 15 years from now under a different political regime, as long as the data is still stored there.

While I've talked about this risk for over a decade, the political climate shift between the Obama and Trump administrations makes it easy to understand: if you are a Muslim or a Mexican who visits the U.S., the data the American government holds on you now, versus 4 years ago, has changed a lot.

More recent still are the current discussions around the sale of Grindr, which describes itself as the world's largest social networking app for gay, bisexual, transgender and queer people. If you are in that demographic, you are likely aware that majority ownership of the company changed hands from Joel Simkhai to Kunlun Group Limited, a Chinese company. If you're in a vulnerable population such as this one, where your data is stored and who can access it can affect your life and/or your livelihood.

In the last year, we've seen two notable laws pass in the Five Eyes region: the most publicized being the Australian AA Bill, which passed last December, and, with less attention, the US CLOUD Act before it. Under the Australian bill, their police can force companies to install a technical backdoor that gives them access to encrypted messages without the user's knowledge. This means you can no longer trust Australian employees, or Australian software. I professionally brought up jurisdictional sovereignty last year when explaining the new US CLOUD Act, which states that:

  • Primarily, the CLOUD Act amends the Stored Communications Act (SCA) of 1986 to allow federal law enforcement to compel U.S.-based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether the data are stored in the U.S. or on foreign soil. [source]
  • § 2523. Executive agreements on access to data by foreign governments.

This means that you can no longer trust American tech companies as custodians of your data, and who knows which other countries have partnered with them under these agreements.

This is no simple feat. If you do anything related to technology, you likely use some type of Google service, or Atlassian; the broader task is to evaluate which of those products store your data on an American "cloud" server somewhere, or rely on Australian chat software.

I'm working on solving some of these issues with PGKYC, where all of our data is stored in Canada only for our Canadian deployment, and it's architected with jurisdictional sovereignty in mind. In each country we deploy to, the data will only be stored on that country's soil.

This is a lot more expensive, as we can't use Amazon's AWS, for example, or any cloud-related products, except for our American users in the American deployment.
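The two preceding paragraphs describe the design rule PGKYC follows: for each country's deployment, data rests only on that country's soil, and a provider that answers to a foreign legal regime (the CLOUD Act point above) is excluded even when its servers are physically in-country. The following is an added illustration of how such a rule can be encoded as an automated check over a deployment manifest; it is not PGKYC's code, and every store name, provider and country value in it is constructed for the example.

```python
"""Jurisdictional residency check for per-country deployments (added example).

Two properties are checked for every data store a deployment uses:
  1. physical residency: the bytes rest inside the deployment's country;
  2. legal residency: the operating provider is subject only to that country's
     law, so it cannot be compelled by a foreign court to hand the data over
     regardless of where the servers sit.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class DataStore:
    name: str                   # constructed label for the store
    region_country: str         # ISO country code where the data physically rests
    provider_jurisdiction: str  # ISO country code whose law binds the provider


@dataclass(frozen=True)
class Deployment:
    country: str                # jurisdiction this deployment serves
    stores: List[DataStore]


def residency_violations(dep: Deployment) -> List[str]:
    """Return one human-readable finding per violated residency property."""
    findings: List[str] = []
    for store in dep.stores:
        if store.region_country != dep.country:
            findings.append(
                f"{store.name}: data rests in {store.region_country}, "
                f"but the {dep.country} deployment requires in-country storage"
            )
        if store.provider_jurisdiction != dep.country:
            findings.append(
                f"{store.name}: provider is bound by {store.provider_jurisdiction} law "
                f"and can be compelled to disclose data regardless of where it is stored"
            )
    return findings


def is_sovereign(dep: Deployment) -> bool:
    """True only when every store passes both residency properties."""
    return not residency_violations(dep)


def sample_canadian_deployment() -> Deployment:
    """Constructed manifest: one compliant store and two kinds of failure."""
    return Deployment(
        country="CA",
        stores=[
            # Compliant: hosted in Canada by a Canadian-jurisdiction provider.
            DataStore("primary-db", region_country="CA", provider_jurisdiction="CA"),
            # Physically in Canada, but the provider answers to US law:
            # fails legal residency only (the CLOUD Act scenario).
            DataStore("object-storage", region_country="CA", provider_jurisdiction="US"),
            # Hosted abroad by a foreign provider: fails both properties.
            DataStore("team-chat", region_country="AU", provider_jurisdiction="AU"),
        ],
    )


if __name__ == "__main__":
    dep = sample_canadian_deployment()
    for finding in residency_violations(dep):
        print("VIOLATION:", finding)
    print("sovereign:", is_sovereign(dep))
```

The second store is the interesting case: a physical-location check alone would pass it, which is exactly the gap the CLOUD Act opens. Running the legal-residency check alongside the physical one is what turns "stored in Canada" into "stored in Canada and beyond the reach of a foreign subpoena".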

I haven't touched on centralized vs decentralized yet, as that's a deeper topic for another day, but my surface-level view is that I prefer decentralization, as long as it uses PKI and the user controls the private key. That's a long way from being trusted by first-world governments, so I think centralized models are still the near future.

In the meantime, if you're looking for alternatives to American or Australian tech services, such as an alternative to Gmail or Google Docs, I'm always happy to share my ideas on Twitter, as well as to engage in constructive dialogue on topics such as this, especially in the solution space.
