98 comments

[ 3.2 ms ] story [ 175 ms ] thread
> control data produced within their perimeters

societies, and our regulatory frameworks, need to move beyond the idea that "data is produced and resides within a particular geo". Not only is it not, it is also holding us back from leaping forward / bootstrapping into the beyond-meatspace.

Good luck with that when if you’re going to be prosecuted for a felony or not depends on said meatspace location.
Take their point of view: why do they need to do any of those things? What is in it for them?
Here's the opposite point of view: if the bulk of value is created in the ether, why are they relevant at all? All a rich nerd needs is a protection from criminals - whether paid for publicly or privately.
The question I posed may speak to how it may be possible to get these entities to move toward a more preferable world view.

A rich nerd needs more than criminal protection, BTW.

Just a few basics:

Without the machinery of society running well, wealth becomes quite burdensome. The nerd needs said wealth recognized, means to transact, enforce contracts, currency to trade with, and all that depends on courts and governments of some kind. And there is more. I just sort of stopped.

There will be value in the "ether", but it will also intersect real space and there is the relevance.

Talking about this is sort of like those free energy machine discussions where everyone excited about the machine potential forgets about the initial energy input and how entropy will bleed it away however slowly.

Wealthy nerds do not just appear and create in a vacuum. And no judgement on the idealized nerd being discussed. Could be a wealthy anyone!

A poor nerd needs the same protection as well as the means to do all the basic human stuff needed to exist and practice nerdery. (I laughed at that being a defined word)

In terms of being a nerd and creating ethereal value, it looks to me like assuming wealth just makes it considerably easier to ignore where this stuff meets up with reality, a lot like some free energy machine presentations end up compelling enough to sideline the initial energy input...

Fair points all. I meant my comment mostly in terms of negotiation.

Rich nerds don't pop into existence out of a vacuum, but now that we exist, we can move to the country that suits each of us best and do the same work with roughly similar incomes.

Yes, we still need the common infrastructure, but for the most part, I need a fast internet connection and a lack of bullets coming my way. This drastically reduces the hold any one country has over me, which is what allowed me to wave goodbye to my country of birth and move to a country where I like the tax/spend pattern more (Canada).

Theoretically, one could site all earning, investing, and banking in some tax haven and just use a credit card to transact. We'll still need countries, but they will be more like regular infrastructure providers (civilization as a service?).

"for the most part"

Let's talk about farmers and fields for a moment:

Early on in human history, the first farmers began their work with fertile ground.

Mistakes were made, understanding gained, improvements were also made. And this is just humans being humans.

Over time, it was observed the earth can become parched when farmed too many times without putting some of the yields back into the soil. There are no free lunches. Every so often, it is necessary to invest in the earth so that it remains fertile and yields bountiful.

Farmers, having once learned this, continued to do it, and everyone is living in relative harmony.

Along comes big Ag. Good yields are not good enough. They want the maximum, and they ignore history and proceed to max the ground out, and of course it becomes parched.

Rather than invest in the maintenance of fertile ground, which requires some crops be grown to be turned back into earth, they treat the ground chemically and continue.

And now there is a top soil problem where there was once fertile ground. And so they basically mooch top soil from somewhere else, and on it goes.

Turns out those high yields are quite expensive for everyone else!

Now, let's look at what you say you need:

For example, what gives that fast Internet connection value?

A wealthy society in which to derive that income! This is fertile ground. See where I am going with this?

What happens when that wealthy society is not maintained? In other words, what happens when the ground becomes parched?

Bullets, among many other things like it being harder to get that income due to lower demand as greater numbers of people struggle due to growing economic problems and those are generally due to labor not paying what it costs for people to actually exist and show up for work and perform that labor, and also generally due to debt accumulation in the form of "parched" societies in serious need of reinvestment.

It's great to maximize it for you, thinking of only your considerations as if the rest of the world just comes gratis. It doesn't you know.

Really, this is all no different from the farmer who does not see the need to reinvest in their ground. What they do is get all they can and when that ground becomes parched, they call it someone else's problem and move to new, fertile ground where they wash, rinse, repeat, until they have a lot of wealth accumulated and have left behind a lot of parched ground for others to restore to being fertile, and doing that isn't cheap!!

That farmer could have invested in their ground, still could have accumulated considerable wealth, but would not be costing everyone around them very large sums of money while doing it.

Nobody exists in a vacuum. Everything costs something. And if you are not paying it, someone else is forced to, and or where it's not paid, other costs and risks, such as bullets, tend to follow soon after.

That's it. Ideally some food for thought regarding "needs" being far greater than the idealized picture you put here.

We did move beyond it, and what we got for it was covert operations infiltrating social media to influence national elections, along with various large organizations suffering ransomware and other hacking over the last few years.

Even if you could go back to the wild west days of the 90s, most people these days would just complain about how people could go ahead and say whatever they wanted without being cancelled.

We started with the dream you're referring to, and it couldn't stand up to the crappiness of reality.

Yeah, we said that in the 90s too, that was the thesis of high-minded bullshit from the era like the "Declaration of Independence of Cyberspace". Look where it got us.

There is no sphere that is outside the government's control. None. Create one, and the government will come round to enforce its will on it.

Copyrights, patents, censorship and other kinds of monopolies on information are to human civilization as plaques are to an Alzheimer's-afflicted brain.
Copyrights and patents are quite different to censorship.

Copyrights and parents provide assurances that spending large sums of money (millions/billions) to create new technology won’t be in vain. There are issues with both (too long copyright, patent trolls, obvious patents) but they are better than not having any protections.

Why would anyone make a movie or game if it’s going to be almost exclusively pirated? Would anyone invest in new camera technologies, computer graphics techniques/algorithms, motion capture tools, etc?

Why would anyone spend millions/billions creating new vaccines and medicines if anyone could copy them and they weren’t going to get paid for their research. Good will only goes so far.

You’d only do it if the budget (risk) was peanuts, and unfortunately innovation needs money. People need a roof over their head and food on the table. Which would leave only rich governments with the means to fund such advancements, and their ideology often won’t be aligned to such endeavours.

> they are better than not having any protections.

People keep saying that, but no one comes up with any data to back up the assertion.

> Why would anyone make a movie or game if it’s going to be almost exclusively pirated?

Because they like it? See: 0AD, Nexuiz, Battle of Wesnoth.

> Would anyone invest in new camera technologies, computer graphics techniques/algorithms, motion capture tools, etc?

I read someone posing this question and proposing the answer that yes, patrons are going to crowdfund what they want to see.

> Why would anyone spend millions/billions creating new vaccines and medicines if anyone could copy them and they weren’t going to get paid for their research. Good will only goes so far.

Wait a minute:

> they weren’t going to get paid for their research.

Lack of protection is not connected to lack of remuneration. US government spends millions/billions to get data from the outer space, despite that data not being protected.

> innovation needs money

Makes me wonder how the innovation of money came about before there was money to spur innovation.

> Because they like it? See: 0AD, Nexuiz, Battle of Wesnoth.

A drop in the ocean compared to all the other games out there. These people could afford to make the games because they have other income sources. So sure, if you can do it, great. They are the exception not the norm.

> I read someone posing this question and proposing the answer that yes, patrons are going to crowdfund what they want to see.

Most people wouldn’t contribute and just rely on others to donate. Limiting the amount of development and discovery.

> Lack of protection is not connected to lack of remuneration. US government spends millions/billions to get data from the outer space, despite that data not being protected.

Yes as I said it will then end up being the rich governments that get to pick and choose what’s important. Do you see the US government funding research into safer abortion techniques? Improved methods of detecting defects in babies (so you can consider aborting them?)

Just look at the lack of innovation in Soviet Russia vs America.

> Makes me wonder how the innovation of money came about before there was money to spur innovation.

Innovation needs money or barter or other form of remuneration.

> A drop in the ocean compared to all the other games out there.

You're moving the goalposts. You asked why, and I answered.

If you show why they can never possibly become the norm, you might have a starting point for more discussion.

> Most people wouldn’t contribute and just rely on others to donate.

And that's cool. Most people don't use any given product. It's those who care that are important here.

> rich governments that get to pick and choose what’s important

I fail to see how that's different from today. The rich are the ones who decide what kind of movies we see, Hollywood being a prime example. They decide what kind of intellectual property laws exist to favor which research or medicines, and they are responsible for ridiculous insulin prices (just look at USA versus anywhere else).

If anything, forcing people to self-organize by crowdfunding or following their hearts provides a chance to shift the balance.

> Innovation needs money or barter or other form of remuneration.

Have you never done anything because you got a kick out of it?

> Copyrights and parents provide assurances that spending large sums of money (millions/billions) to create new technology won’t be in vain. There are issues with both (too long copyright, patent trolls, obvious patents) but they are better than not having any protections.

That is th biggest lie of intellectual property.

Just having a patent or copyright on something does NOT guarantee income. The assurance is a perpetuated myth.

Either are only good if you can find someone willing to pay for licences.

In many cases, reality has proven that economic actors find it preferable to spend resources to avoid having to pay for licences. See all of the duplicate work in IT an patent proliferation in pharma.

Many many patents only ever had an impact on the world after they expired.

> Many many patents only ever had an impact on the world after they expired.

Many trade secrets were lost forever and didn’t impact the world.

Anything that is worth keeping as a trade secret is still being kept a trade secret.

Patents are a tool to disincentivise trade secrets and that is good, but they do a lot more than that and much of it is harmful.

> Either are only good if you can find someone willing to pay for licences.

Many more patents are created by companies that are producing the patented products themselves. They're not looking for anyone to pay for licenses, they're looking for protection against people copying what they're doing.

Reality is going to rudely awaken you in the not so distant future if that’s the way you think the tide is turning.
For this to happen, we would need all the world to have compatible laws.

Doing that without eroding national sovereignty is essentially impossible. We would need something like the European Union for all of humanity.

And even the somewhat limited powers delegated to the EU were enough to cause serious backslash as we have seen during Brexit.

While it's disappointing, it's not exactly a surprise. Doctorow's been talking about "the war on general computation" for years. For about the same length of time, I've been saying that governments would eventually seek a monopoly over computation in the same way as they currently hold a monopoly over violence: it doesn't disappear or become physically impossible, but it requires registration, licensing and reporting, along with suitable punishments to deter those who would seek to usurp the monopoly.
Yes, except that Doctorow has been promoting "the war on general computation" for years.

Who's waging that war if not the State?

Who has been calling for ever more regulation and (therefore) Big Government if not Doctorow?

One has to be a fool to think that giving more power to the government will result in more freedom.

When I learn about revolutions played out across the world, the recurring outcome seems to be measures to ensure citizens are not denied the means to usurp authority. Great men of the past seem to have concluded that the fundamental problem in any society is that power corrupts and the solution to a sane society is to provide citizens the means to put power in check. Just as freedom of speech, right to assemble or right to bear arms gives people the means to challenge authority, computation will be tomorrow's weapon of choice. More and more societal functions will rely on computation and those who have the means to compute will hold power. Data regulations might have good intentions, but it's a road to hell that will eventually deny citizens the right to "compute" and keep the balance of power titled.
As a privacy geek… good.
As a fellow privacy geek, I'd rather the laws applied universally rather than be split at the borders. Alas, it's the lesser evil.
The industry had a chance to self regulate. Multiple chances even. It just doesn't work.
Not a CEO in the world will exit a profitable legal business and not get fired.

Besides, the US also had multiple opportunities to fix their spying laws to give EU countries assurance their citizens data would be protected but actively chooses not to.

Yes, that's a bit what GDPR is about, so that's a good thing.
if you think this has anything to do with privacy, I've got another bridge to sell you
I have a genuine question about this. How are we supposed to isolate user data stored in, say Postgres, by region, and still do multi-region replication, and restoring correctly? And how is the application supposed to find which region a user's record is stored?

For example, if the user's data is only supposed to be kept in the EU, and if the user tries to login connected to a US node, should the app forward the request to the EU node (and how would it know?), which then accesses the EU database? If all nodes are connected to all regional databases, does it even make a difference?

Basically, I am very confused about regional separation of data while still running a single application.

In a very small number of cases, regional storage of data becomes regional restrictions. You see that already in how it's unlikely you will be able to access your consumer account from both Russia and the US at the same time unless you have a travel history to one or both countries. Similarly, an app storing data for EU citizens might indeed say, no, we can't share this data outside the EU, we're not allowed. How it figures out if you're outside a region is, of course, problematic.

But that's rare. Generally the data lives on a regional server and gets accessed by a CDN in a region near where the data will be delivered. If you're allowed to sign in from that region, then you're likely authorizing transfer of data (for the duration of that session) to that same region.

As for multi-region replication, it's often the case there are multiple regions in the same country - for example, us-east-1 and us-central-1. No jurisdictional problems to host the data in two regions in the same country, after all.

As to how you look up what region the user's data is stored in, well, you can keep a list of users and regions. Worst case, force the user to remember their region, and use separate copies of the website (and DNS) to pick a region to sign in on. For example, the same app/website, but at different country domains.

I understand that one way is to block users from logging in from other regions, or giving them a region selector at login (which is terrible UX IMO).

However, if any of these approaches are done, the operational complexity will be immense, and latency for requests much higher than they could have been. A lot of message passing would be required to build such an architecture, and a lot of bandwidth would get wasted, not to mention the unnecessary costs.

A simpler approach would to store core business data regionally, but peripheral data everywhere. For example, a todo app would store all user records, project lists, and other data everywhere, but the actual todos regionally. And yes this becomes infinitely complex will collaborative cross-region applications.

I don't think there are any good solutions yet to this, and governments should invest in creating better solutions before forcing to go down this route.

I have a genuine question about this. How are we supposed to isolate user data stored in, say Postgres, by region, and still do multi-region replication, and restoring correctly? And how is the application supposed to find which region a user's record is stored?

What part of your question is the concern of a bureaucrat? We can drop a couple 9s of uptime in the name of local data primacy right? (I specifically didn't say "data privacy") :)

I believe it'll lead to much higher costs, CO2 emissions, and other issues, simply because this architecture will require more message passing, wasted bandwidth, will be less reliable, and have higher operational complexity. I get that those in decision-making power aren't usually technologically adept at figuring out solutions for these issues, but they should invest in solutions first.
I would predict that data localization leads to data traveling shorter distances because most people access their local region rather than everything going to us-east-1.
The basic Problem is that if some CCP goon turns up at your Chinese branch and requests all data on your US/EU users and your local branch is able to do that you failed. Same if some goon from the US government wants to access all data on your EU users. Or some German guy looking for US data in your German data center.

You have to take steps to prevent this.

Difference is that your US and German branches have access to a justice system that can stop the government.

In China, the justice system is part of the CCP and if you don’t comply, your company is gone.

> Difference is that your US and German branches have access to a justice system that can stop the government.

Germany sure, but The US? Do you not remember the Snowden leaks at all?

Almost every company I've worked with the past several years has had a very strict No-US-Servers-Ever-policy, because people don't trusts the US government to not snoop around.

It should be “No US company, period” because the Cloud Act empowers the US government to compel, say Amazon Web Services to disclose information they hold on a server hosted in Germany even if this violates EU law.
(comment deleted)
The whole US / EU safe harbour provisions issue is because the EU is not satisfied that in the United States you don’t in fact have a justice system that can stop the government… that there are insufficient powers to stop certain parts of the government like the the NSA, CIA, DEA, FBI counter terrorism groups etc… who are granted extraordinary powers to do questionable shit like sucking up as much internet data as possible without a warrant in the name off “efficiency” using such flimsy reasoning as “it’s only a search for legal purposes when we run a database query on a US citizens data later” and “we’re legally allowed to do anything we like with the data of anyone who isn’t a US citizen… so these EU guys can fuck off” (or the appropriate US lawyer speak equivalent)
The CJEU explicitly ruled that the FISA courts are not independent, I.e. kangaroo courts. I think it’s a fair assessment.
> have access to a justice system that can stop the government.

Haha, good one.

> a justice system that can stop the government.

There might be a law that allows government to obtain the data if it is a matter of national security. And what is considered such a matter is up to government to decide.

My interpretation of what GP is trying to say that the way forward is to intentionally limit your own capabilities such that it is simply impossible to comply with government overreach. For an example see Signal and their subpoenas.
Encrypting data at rest and in transit will certainly reduce the risk. If a branch is deemed at risk, its employees would not be given access to any databases. Or don't have branches in regions where you have the risk of a government threatening your employees for other countries' users' data.
I am the believer of simple statement - if you don't control physical servers then your data is not secured, no matter what you do to secure it. Once vault is unlocked and you don't control physical hardware your game is over.
It seems a product opportunity might exist to ensure only encrypted copies are replicated out of region with the keys remaining in region. The side effect is a region might be down if something catastrophic happens but data could be restored
Encrypted copies for some isolated data is a good solution, but for a user record when you want to login a user, will not work. Then you would need to fetch the data from another datacenter anyway, increasing costs, latency, and operational complexity.
You're assuming the laws would allow for that. I wouldn't count on it.
If you need geographic redundancy beyond the European borders, what is your threat model trying to mitigate? E.g. Let's say you have servers in Norway, Germany and Spain, what would be solved by e.g. having an extra one in the US?

Roaming access can be handled through a VPN

Bonus question: what do you do if data needs to stay in the creating user's region by default, but users can share data across regions, including creating new data associated with a record from another region?

For example, American and EU users sharing documents and requesting comments be added. How do you manage both isolation and sharing? Do you copy such documents to both regions? Do comments live in the same region as the document, or in the region of the creating user? Do you just give up on foreign key integrity for documents, comments, and users because they could be in separate databases? If your American servers can request data out of the European region on demand (subject to business logic), are you really protecting data to the standard the law demands?

> are you really protecting data to the standard the law demands?

This assumes the law's purpose is to protect citizen's data and that it's not just a way to bully tech companies into submission by writing impossible to implement laws and selectively enforcing them.

The simple answer is that it's no longer a single application. It's a separate copy of the app per country/region.

should the app forward the request to the EU node (and how would it know?)

You have to add a home jurisdiction field to the account.

The word that jumps out (to me) with what you describe is "Partition".
A different point-of-view: on one side people and so some institutions who happen starting doing a very little part of their job start to wonder how "safe" is living on someone else computer-systems and want something "more local" under their control. On the other some wannabe dictatorships start to think that covering their back parts from others propaganda can be good for them.

That's NOT at all the end of borderless data, it's just the beginning of the end of GAFAM dominion since most States in the world and few Citizens start to want their own systems under their own control. Witch is actually mostly VERY good, the not good part is censorship but the west world authorities can only remain silent since their own censorship on their own people from Assange to present censorship and mud machines of "third parties" subjects they dislike (no matter the reasons), the missed part is popular reaction that so far AFAIK is hyper low.

My fellow HNers if we want, for good reasons, a homeserver with our data instead of someone else services that can be banned, changes overnight in unpleasant manner, ... why someone else should want differently? Does this means the end of borderless internet? IMVHO DEFINITIVELY NOT it means just the end of some hyper giant players witch can be observed elsewhere like the end of mega-ships, mega-planes, mega-projects etc or just the passage from mainframes to clusters.

The negative part is that we still not get much freedom simply because ways to control us are so many that even dropping smartphones and IT giants accounts to the bin (witch means GAFAM in the west, Yandex in Russia, Tancent in China etc) does not change anything since now digital controls is done by private parties (the aforementioned giants) under States laws like digital payment push, social scoring etc witch is the actual real dangerous and disastrous thing. For that the real missed point is: people need a basic IT culture to understand because now IT is a basic component of our society and to be Citizens we need to know a bit our society OR we can only be subjects/parasites. Only with such basic culture people in sufficient mass would push against certain dangerous aspects ON TIME.

This article is conflating pushes to control and censor data with pushes to provide privacy rights. Those are very different things that just happen, because they are enacted along nation boundaries, to both create these borders.

Providing privacy rights is very much not a "nation accelerating efforts to control data", and shame on the NYT for muddling this.

If a government can create privacy directives (which is not the same as a privacy right; rights cannot be legislated), they can legislate prior restraint at a level way worse than the DMCA.
I don't understand your comment. I think you're trying to argue something along the lines of law vs. policy, but what are you actually arguing?
“rights cannot be legislated”

How so?

The basic idea is that rights are given by God, as opposed to privileges granted by the legislator. A legislator may grant or revoke privileges at any time. A legislator may not lawfully take away a right which it did not grant in the first place. At least that is the theory. In real life, the water gets pretty muddy. This is a very US perspective of course.
The can't be created, but legislation can certainly protect rights.
Privileges and immunities are the analog to rights that legislation can create.
It's a tangent, but you can also subdivide rights into two categories: positive and negative freedoms.

Positive freedom is a right to do something. (e.g. free speech) Negative freedom is a right to be free of something (e.g. violence)

Actually, it just occurred to me that free speech could be categorized as both: positive freedom to engage in speech and negative freedom to be free of government-based silence of that speech. Interesting.

Edit: I guess this is saying the same thing as 'User23 with so many words; "privileges and immunities" are probably better terms to use.

That's a prescriptive view of what the rights should be. According to a more descriptive view, rights are just social constructs with an effective enforcement mechanism. That mechanism is often regulated by laws, which means the legislator can effectively create new rights and revoke old ones.

My pet hypothesis is that the US perspective is prescriptive, because the ability of the state to enforce the rights has not been seriously compromised in a long time. The rest of the world is more familiar with the idea that the guy with a bigger gun may one day show up and take your rights away.

The term is certainly ambiguous - I don't think anyone would argue that the right to legal counsel is 'God-given' and people arguing for universal single-payer healthcare aren't saying that the right to access a national healthcare system is an innate human freedom. And many things we call 'rights', like voting or owning a gun, can be revoked by the government under certain conditions.

In practice in the U.S. we pretty much call things 'rights' any time we believe that people should have them by default.

Ultimately this is about many nations pursuing "data sovereignty" in lieu of having ability to completely wrestle domestic platform supremacy from Silicon Valley / US. Whether nations choose to pursue privacy/control is matter of their governing interests. And sometimes they're not even mutually exclusive, i.e. PRC data regulations calibrated to increase privacy from companies but not government. But primarily it's national security considerations like no-US servers / exporting data directly to NSA pipelines.
In the public sector of Denmark we suddenly had to view the risk factor of America not remaining a safe harbour for data in the wake of the 2016 election. I’d like to point out by now that what I’m saying isn’t that we were seriously considering the US falling from democracy the way this may sound. Instead think of it along the lines of very long term planning in a very risk averse sector where you plan a back up for the back up of the back up. The process ended up raising some political concerns that I imagine were also raised by similar processes all over Europe in that what happens if we can no longer trust the American tech platforms with our data?

I think there are two sides to this, as you yourself point out, but I also think the concern over data sovereignty is a valid one. Just imagine what would have happened if Russia had relied as heavy on Azure and AWS as the Danish public sector. Now I’m not suggesting that we in Denmark are going to elect a dictator and invade Sweden, but as far as national sovereignty goes, you sort of have to consider a world where we would do something that insane.

Then there is the issue of the wider internet moving from a fun playground for geeks to becoming as much a part of our daily lives as crossing the street. Most countries have laws prohibiting you from crossing the street in your birthday suit, even very liberal countries like Denmark don’t allow that. It would be admirable, but perhaps a bit naive, to think the internet would not be affected by legalisation as it’s importance and influence grew. I think the fact that remains as free as it is, is mainly because the current western leadership is quite old. I don’t expect the coming generations of politicians to be as lenient toward the advertising industry that the previous ones have been. What the EU has done and is doing so far is only the beginning, we will se far more legislation on our rights in the future and I wouldn’t expect major advertising companies like Google and Facebook to have much of a future unless they adapt quicker than they are currently doing.

With legislation, however, comes complexity and sometimes side effects as you point out. We have a filter to guard against piracy and property rights in Denmark. As so many other countries, and while it was original intended to block the pirate bay, child protection NGOs lobbied and eventually got sites containing child pornography included in the filter. I’m in no way advocating that this was wrong, but maybe it should have been two desperate filters as stealing Independence Day and Coyote Ugly is hardly the same crime as abusing children. Because what followed was that other NGOs and political interest groups added more and more things to the filter. Leaving it a mixed box of things, most of which should very likely be banned, but I think you sort of get my point in that nobody really knows what can or cannot be added to it because it quickly stopped being a “anti-pirate” or “anti-child-abuse” filter and became a “anything the political majority agrees is bad filter”. Or a very good example of exactly what happens when legislators get involved. There are side-effects, but I don’t think you should fault the NYT for also mixing up things in something that is really far more complex, than what I have outlined here.

I think data sovereignty, privacy and censorship in general are interesting subjects that I hope established media will take more of an interesting so that we can have a proper public discourse about it that involves non-techies and non-technocrats.

Great writeup, thanks for taking the time to type out what I was too lazy to :)

I'd like to add/clarify/point out that there's two very different kinds of law/policy nations can go for here:

1. passing requirements that anyone processing data needs to meet some set of guarantees, e.g. privacy (including against state actors, e.g. CIA/NSA), cyberbullying handling, or copyright enforcement. This also includes (the absence of) safe harbor agreements.

2. passing requirements that data processing happen in a particular place, regardless of intent (could be in the belief that place X provides better privacy guarantees, could be because place X can censor/control data)

The latter doesn't solve anything from the citizen's perspective, even if that's the intention. But it does address the issue of "invading Sweden".

I personally consider the former much more important, but the latter is sometimes necessary too. But they need to be clearly identified in discussion. They are not interchangeable and sometimes issues better addressed by one are used to try to argue the other.

And how would either scenario work exactly? Who maintains jurisdiction over foreign-held data? How would such provisions be enforced without violating a counties sovereignty? Could the foreign country in question claim jurisdiction over all data in within its borders as well as businesses and related subsidiaries registered in it? Usually these questions would be solved with treaties, but how would that work if the other country refuses to play ball?
I would argue: an entity is liable for how it treats user data, in the country where that data is generated. This original country is where interactions and transactions take place.

If it chooses to move that data elsewhere, that is its choice, and also liability if moving that data runs afoul of regulations in the original country. The foreign country itself doesn't really matter, the entity is doing business in the original country, and would be held liable there by its users/business partners according to local laws.

How would you define "generated"? It's not necessarily the case that user data is generated in the country of origin. E.g. cloud computing, fully remote systems/edge computing, XaaS, MMOs, etc.

>The foreign country itself doesn't really matter

Of course it matters. Every country has legal differences on the definition of privacy and associated liabilities (if there any at all). In addition, it's unlikely that one country can establish jurisdiction over data in a foreign country without violating national sovereignty. Arguing that doing business establishes a legal nexus with someone of a particular citizenship opens up a massive can of worms about whose law applies where.

> How would you define "generated"?

Data is generated in the location where a human user interacts with the system, whether that be with a fully local system, some random website with a server in who-knows-where, or just configuring a domain for e-mail.

(Yes, AI actions are a separate can of worms.)

> > The foreign country itself doesn't really matter

> Of course it matters.

It doesn't for suing for rights, that's the point of generation-based legal authority. The legal transaction is taking place in the user's location, and by offering services there, you are agreeing to the local legal framework.

> Arguing that doing business establishes a legal nexus with someone of a particular citizenship opens up a massive can of worms about whose law applies where.

This is already the case, except with location and not citizenship. Safe harbor agreements just used to make this much less of an issue until they disappeared. You really can't expect to do business somewhere without adhering to the local legal framework.

> what happens if we can no longer trust the American tech platforms with our data

I'm not sure why anyone with "national security" concerns ever trusted American (or anyone else's) tech platforms to begin with. Everyone spies on everyone, and many current alliances are not even 50 years old---a blink of the eye in historical perspective. Even if some other nations have "better" privacy laws than the US, those are only laws. They can be changed rather quickly if the political winds start blowing differently.

>In the public sector of Denmark we suddenly had to view the risk factor of America not remaining a safe harbour for data in the wake of the 2016 election.

I honestly had to look this up since I did not believe you that Denmark would take until 2016 to realise that keeping public sector data in a foreign country was a bad idea. I mean what, Bush and Snowden didn't convince Denmark that the United States was not a safe place for data? All danish public data getting a nice look over by the NSA didn't alarm anybody?

Is business continuity more of a concern amongst the Danish than privacy? The only novel thing I can recall Trump doing is effectively barring Huawei from using things like Google Play Services. Or is Trump simply enough of an asshole that the higher ups got riled up about him? It's so strange to me to think a country would only be concerned about this after Trumps election, to me data sovereignty seems like something one should have been concerned about around the late 90s or early 00's.

This entire article just baffles me as if data sovereignty is some bizarre development instead of something you should have been thinking of from the start. Does the government of one country store its personnel files in the warehouses of another country? Seems kind of insanely naive to me.

There is a current “scandal” of sorts where the former minister of justice, and our until very recent chief of military intelligence were suggested arranged and arrested for treason. So far the details of the case are kept from the public, and our secret police even had a talk with all major editors beforehand, but what is know is that it is in part about these people revealing that there was a secret agreement with the NSA to keep surveillance on all Danish citizens in corporation with their Danish counterparts. Only revealed because of the Snowden leaks.

So you are sort of right, that our leadership trade away privacy. Similar to how they secretly allowed America to house Nuclear weapons at the Thule base doing the Cold War, and, how we typically participate in American lead wars in some form or another, as well as a range of other things.

You call it naive, but it’s quite frankly the reality of being a tiny western country. In a sense you can think of many European countries as you would vassal states to the Roman Empire. It’s obviously more complicated than that, and the comparison is a little daft, but in essence you dance when America tells you to Dance. What happened with Trump wasn’t America electing emperor Nero or Caligula, and then sort of doing business as usual, it was a sign that America might not keep on trucking.

I mean I guess this makes sense, but at the end of the day it seems like Denmark lost its confidence in Rome and had to move everything out of Rome anyways, so it also doesn't make sense. Maybe it gave Denmark time to roll its own infrastructure?
What if it’s both? What if it is muddled?

China has famously been aggressive at controlling data. We all know this and no one thinks it’s about privacy. But the EU has been pushing to on-shore their citizens data. They have been pushing it for privacy AND pushing it as a national security issue. The EU has strong privacy laws, but they also have aggressive tech laws generally. Cambridge Analytica proved that privacy could be security and the whole drama around FB and the elections made nations weary of leaving the US laws to manage platforms.

Everyone wants more privacy - it’s the sugar to the anti-us tech pill. On-shoring data or requiring local companies own the data (and CX) will help local industries at the expense of Silicon Valley bottom lines. Oh and local companies can be controlled by local government, which makes censorship much easier, a convenient win for power grabbing governments.

TLDR Privacy is one of digital “think of the children” phrases that lets governments power grab.

I like privacy. And I distrust Facebook and other big tech companies. I'm generally very happy that our democratically elected governments makes an effort to protect the citizens that elected it. I trust the government more than I trust the likes of Facebook, so I really don't see the issue here.
I don’t. Governments- even the best ones- have enslaved, killed, stolen from, lied to, and tortured millions of people. If you get on the wrong side of a government they’ll lock you in a metal cage for the rest of your life.

Facebook, on the other hand, has sold some of my advertising data, and if I piss off Facebook I won’t be able to share memes on a website. There is hardly a comparison.

There’s hardly a point to drawing lines between public and private in corporate state capitalism. The boundaries are becoming less important every day. It’s not like we’ve been at war because citizens were demanding it.
No, just to stop you right there. Allende's government, 1970-1976 (interrupted in 1973, but according to La República de Chile, a country which stopped existing having been effectively invaded, he was meant to continue in office until 1976) didn't meaningfully enslave, kill, or torture anybody. The argument that it stole and lied to people can in fact be constructed, but at that point they have to fight Henry Kissinger's monstruous and cowardly realpolitik with some realpolitik of their own.

You can't just say that, you can't just talk shit about every single government that ever existed, like there was no differences between them. That there was no difference in intent. Like if you were on a desert island with nine other people, would you say that about the organization among the ten of you?

Further, I honestly prefer the contracts the governments of the countries in which I am a citizen to the contracts of practically or literally all businesses and institutions I've encountered.

> What if it’s both? What if it is muddled?

If governments are muddling it, that makes it even more important for the NYT to un-muddle and call them out on it. And I absolutely agree some countries are using privacy as a dishonest argument.

Apologies for not being clearer here, it's the lack of distinction in the reporting that really riled me. Privacy requirements can — in theory — be met regardless of where the data is actually stored. It just needs to be a place that enables compliance with these requirements. Which just happens to frequently (and sadly) run afoul of "lawful intercept/access" laws.

And I really wish the NYT would have pointed that out.

"While the United States supports a free, unregulated approach that lets data zip between democratic nations unhindered, [...]"

I think it's no secret that nations with the most market power were always for "free trade" and calling it so.

What if we put data servers in space?
I remember gossip of The Pirate Bay people wanting to buy an unused offshore oil rig to obtain sovereignty. But the problem was, they needed to pay an ISP from some nearby country to get Internet access, making the project moot.
How I read this is now you need to put data servers in each country and follow the local rules related to data control. Says nothing about the insights you pull from the data. And the internet was built to withstand a nuclear war not some kind of utopia borderless data access.
Recently, I've received an email from Google saying that my account was going to be switched over from Canada to US. I created my account in Canada and moved to the US 7 years ago. Google determined that since I mainly access my account from the US now that the "ownership" of my account should be transferred to Google US from Google Canada.
No it isn't. The era of borderless data for normal people who don't have time to learn new things is ending. Those of us that aren't interested in Facebook and twitter and wechat and whatever else are going to keep on trucking along with this "universal information availability" thing. We have Tor, VPNs, open source communication protocols, encryption, distributed and decentralized networks, free publishing and more.
Startup idea: mini-datacenters that can be installed in someone's basement or apartment building. Residents can run SOLID pods on these computers. Instead of user data going to the cloud, the cloud providers run their workloads directly on the user pods.
Just use a regular data center.
Maybe I was too subtle. Let me fix it.

As an user, do I really care whether my data is in the US, Germany or New Zealand, if all of Big Tech can exploit anyway?

The only way for privacy is to have systems that never collect the data in the first place.

A lot of the applications that we use today do not need to take your data to offer you functionality, but they could simply push their code to a computing environment controlled by the user, and run from there.

Nope. No cloud providers.

My data, my network, my choice how it becomes available to me when I'm away from my home. I don't want cloud in between.

Decentralized cloud storage will keep data borderless