Amazon may well be one of the companies with the strongest data security in the world. The company has never been responsible for a major, public breach of customer data (unless you count the recently revealed breach of Whole Foods, purchased by Amazon this summer). Even the CIA relies on Amazon Web Services for secure data storage. So it’s striking, though not surprising, to read last week’s inevitable announcement that the company is selling the hardware component of its cloud computing business in China in order to comply with the country’s new cybersecurity law, which went into effect earlier this year. Amazon isn’t getting out of China altogether—according to CNBC, “Amazon said that it is only selling ‘certain physical assets’ and still owns the intellectual property for AWS worldwide”—but this is nevertheless a big change for the company.
So why would a country want to diminish a company with an incredible security record in the name of strengthening its data security?
The law focuses, in part, on data localization, requiring that all sensitive data about Chinese citizens or national security be stored domestically on servers within China. This could be an onerous requirement for international firms, like Amazon, that regularly move and copy data across their network of data centers. In light of the law, Amazon’s move to sell its China-based infrastructure to Beijing Sinnet Technology Co. Ltd, a Chinese firm, hardly came as a surprise. Other U.S.-based tech firms, including Apple, Oracle, and Microsoft, had already taken similar steps to transfer control of Chinese data to Chinese firms.
There are two broad reasons a country might be interested in localizing its data within its own borders. One is that data might be less secure if it’s stored in or transmitted through other countries, either because those nations could place less stringent security requirements on companies and infrastructure, or because their governments might themselves intercept or collect data stored on servers within their jurisdictions. The other reason data localization sometimes appeals to governments is that it means any of their citizens’ data will be squarely within the reach of their own jurisdictions, should they want to collect or access it for investigations.
There’s some truth to both of these arguments—that foreign governments may have an easier time seizing data flowing through their own countries and that data within your own borders is more accessible. But localizing data to specific countries can actually undermine security protections. Of course, shifting Chinese data off servers owned and operated directly by Amazon, Microsoft, and Apple almost certainly makes that data more accessible to the Chinese government—presumably that’s part of the point. But the law may not help protect sensitive Chinese data against foreign espionage or cybercriminals, either.
For instance, U.S. intelligence agencies can, in many cases, collect data much more freely overseas than they can within the United States. That’s because they can assume that any overseas data belongs to foreigners unless they’re specifically targeting someone they know to be a U.S. person. Within the United States, the government often has to clear more legal hurdles in order to collect data. Outside the United States, those legal hurdles largely disappear and the government doesn’t have to go through courts to access stored data. But that also means the U.S. government can’t rely on courts to force companies to turn over stored data.
The most compelling reason to trust companies like Amazon with sensitive data is their proven record at providing and maintaining the necessary technical measures and monitoring to protect that data from intruders. Indeed, several U.S. tech companies have been at the forefront of beefing up their security to protect against U.S. government espionage efforts in the aftermath of the leaks by Edward Snowden about U.S. surveillance programs.
The Chinese companies that have now taken control of the China-based hardware operations as partners of U.S. cloud companies may or may not have equally strong technical security measures in place. But they can more easily ignore policy-based attempts on the part of the U.S. government to obtain data through legal mechanisms such as warrants. Whether U.S.-based companies can refuse to comply with warrants that request access to data stored in foreign countries and belonging to foreign citizens is still uncertain—it hinges on the outcome of a case to be heard by the Supreme Court this term about Microsoft trying to fight a warrant to turn over data stored in a data center in Ireland.
If the Supreme Court agrees with Microsoft that the government cannot access foreigners’ data stored in overseas data centers, more countries may begin to request or require that data stay within their borders, where it is effectively out of reach of U.S. law enforcement. They could work with foreign companies to make that happen. But if the Supreme Court instead sides with the Justice Department, those countries may instead decide they would rather rely on domestic companies for data storage, as China is now doing.
Either way, regulations about how and where data is stored would detract in some ways from the promised efficiency and security benefits of cloud computing. Part of the point of cloud computing is that resources can be reallocated, and data shifted around, to allow for fluctuations in different customers’ activity. Similarly, part of the point of entrusting your data to Amazon Web Services is being able to rely on a big company with the resources to employ an expert security team to provide security for you. Making it harder for cloud computing companies to move data between countries also makes it more difficult for them to make efficient use of their servers by allocating resources to different customers depending on when they most need them, or storing data wherever it is cheapest to do so. Moving that data out of the hands of those providers would mean losing their technical security expertise.
China’s willingness to harness Amazon to a domestic hardware operator suggests just how much fears of foreign cyber espionage have shifted from technical concerns to policy-based ones. If China were trying to protect its data from technical maneuvers by the U.S. government, there is almost no one better poised to guard against those efforts right now than the major U.S.-based tech firms that have invested considerable time and resources in demonstrating their commitment to securing data against their own government. Instead, China appears more concerned about the U.S. government using legal means, like warrants, to seize data stored by those companies. To protect against that possibility, it is willing to sacrifice all the technical security of companies like Amazon for the reassurance of domestic companies beyond the legal reach—if not necessarily the technical reach—of foreign governments.