This week has seen an interesting move by Russia: the passage of legislation requiring all Internet-based data about Russian citizens to be stored on servers physically located in Russia.

The effects of the bill, if passed, would be wide-ranging, touching just about every international service used by Russians. Essentially, it would mean that Facebook, Google or any other international online service – including apps – used by people in Russia would need to have physical servers inside Russia’s borders. (Source: "Russia Moves To Ban Online Services That Don’t Store Personal Data In Russia")

I say "interesting" because of both the triggers and ramifications of this move. The potential precedents set by this legislation are enormous!

Causes

This move by the Russian government is undoubtedly a direct response to (not so) recent revelations of American government spying. Companies like Google, Facebook, and Yahoo store massive warehouses of consumer data - sometimes on Russian servers, sometimes on American servers. This data is so comprehensive that companies have been able to use advanced analytical tools to predict everything from purchase behavior to teen pregnancy.

It's a chilling amount of data that, in the wrong hands, could be used for all sorts of nefarious purposes. Knowing that American agencies like the NSA likely are those wrong hands has many people up in arms. The NSA's ability to reach into the data vaults of American companies (with warrants issued by secret courts) means it can grab data not just about American citizens but about Russian ones as well.

Hosting Russian data physically in Russia means the government there can better block American agents' access to their citizens' information. It's a play by Russia to protect its citizens and, while I might disagree with the legislation itself, I can understand and even admire the sentiment that built it.

Effects

Unfortunately, the effects of this law are somewhat paralyzing for web developers.

Already, we must alert European visitors if our sites use cookies to store personal information, and give them the ability to opt out of such storage. Forcing Russian data to be stored on Russian servers will require us to:

  • Maintain separate physical servers in Russia (in addition to any servers we set up elsewhere in the world)
  • Determine the citizenship of site visitors so we can direct Russians to Russian data stores regardless of the network location from which they access the site

The first challenge is easy. The second is nearly insurmountable. The legislation at hand is meant to protect all citizens of the Russian Federation, and it will do so, but perhaps at the risk of merely blocking Russians from accessing new (read: bootstrapped) network tools. Other countries are likely to follow Russia's lead to protect their citizens from American overreach.

I can't blame them. The NSA infuriates me as well. But there must be better ways to protect our information from prying eyes. Blocking the NSA from spying on Russians by merely forcing Russian data to live in Russia will help block non-Russians from spying. But it doesn't solve the problem of keeping that data safe; it only keeps it in the country.