Saudi Arabia's brand new data protection law, which comes into force early 2023, doesn't allow data collectors to disclose personal data except when a government requests it for security purposes.

Data centre plans in Saudi Arabia
Google puts Saudi activists in danger

Internet giant Google is creating a "cloud region" in Saudi Arabia. It says it will protect users there. But digital rights activists say the firm will be putting the lives of government critics at risk. Cathrin Schaer reports

Saudi Arabia doesn't exactly have a positive track record when it comes to digital espionage. In 2018, the country's government reportedly used the notorious spy software Pegasus on devices belonging to the family of Jamal Khashoggi, the Saudi dissident and journalist who was killed that year in a gruesome assassination allegedly orchestrated by the government.

In 2019, two former Saudi employees of Twitter in the U.S. were charged with using the popular social media platform to unmask critics of the Saudi government. And last year, a Saudi aid worker who had used a Twitter account to make jokes about his government was jailed for 20 years. His case is believed to be connected to the government's infiltration of Twitter.

  

And then there's Google. The online giant has the most popular search engine and most-used, web-based email service in the world. Part of U.S. company Alphabet Inc., Google regularly boasts about how carefully it protects users' data. But it has also had some noteworthy run-ins with authoritarian leaders.

Problems in China

When the company first introduced its search engine to the Chinese market in 2006, it was criticised by activists for censoring search results critical of the Chinese government. Then, between 2009 and 2010, Google was targeted by "a far-­reaching hacking attack known as Operation Aurora that targeted everything from Google's intellectual property to the Gmail accounts of Chinese human rights activists," science publication MIT Technology Review reported in December 2018.

Google subsequently withdrew from the Chinese market. Despite that, it was only in 2019 that the U.S. company publicly confirmed it had abandoned a secret project code-named Dragonfly, a search engine created especially for China, that would filter out results about human rights, democracy, religion and political protest. 

Now Google claims it wants to set up a "cloud region" in Saudi Arabia. Given the two actors involved, the reaction from human rights organisations and digital privacy advocates has not been surprising. "This disturbing new step by Google raises … fears that this cloud centre could leverage more power to the government of Saudi Arabia in further facilitating human rights abuses," said a 2021 letter signed by 31 human rights organisations, including Amnesty International, the Oxford Internet Institute and Human Rights Watch.

"A cloud centre in Saudi Arabia will risk lives," said Laura Okkonen of Access Now, the online rights organisation that has been a prime mover behind the campaign.

Activist investors overruled

Most recently, a group of activists supported by Access Now filed a resolution so Google's investors could vote on the Saudi controversy at the annual general meeting of Google's parent company Alphabet, which was held on 1 June 2022. The proposal asked that Google "commission a report assessing the siting of Google cloud data centres in countries of significant human rights concern".

Spied on and murdered: Saudi journalists and human rights activist Jamal Khashoggi - pictured here as part of a memorial and protest installation in Washington 2021 (photo: Yazin Özturk/AA/picture-alliance)
Spied on and then murdered: Saudi Arabia also uses its digital capabilities against its own citizens – with sometimes deadly consequences. In 2018, the country's government reportedly used the notorious spy software Pegasus on devices belonging to the family of Jamal Khashoggi, the Saudi dissident and journalist who was killed that year in a gruesome assassination allegedly orchestrated by the government.

Although just over 57% of independent shareholders at the meeting voted for the resolution to be adopted earlier this month, Google's executive management outrank them in voting power and the resolution was rejected. When responding to inquiries, Google did not directly address the topic; the company sent an online link to its blog post from December 2021 announcing the Saudi data centre in Dammam would be going ahead. 

The political issues around setting up a data centre in Saudi Arabia are clear. But what are the technical concerns associated with cloud services?

More private and business users now operate their online devices using "the cloud". What this means is that your data – things like pictures, documents, music, emails and other messages – is stored somewhere other than the computer or phone in front of you. The software that lets you play music or post images is being run on larger computers in another location. You simply access them using the Internet. A "cloud region" is just a euphemism for the location where all those other computers are, in what is known as a data centre.

Security concerns

Up until recently, Saudi Arabia has lagged behind in cloud services, but industry insiders say it is now being seen as a major, new opportunity. Of the three biggest cloud operators in the world today, Google is likely to be the first to set up a data centre there. The other major players are Amazon and Microsoft. China's Alibaba already has two data centres in Saudi Arabia.

In terms of technology, there are several ways outsiders could gain access to information inside a data centre, said Bjorn Scheuermann, a research director at the Alexander von Humboldt Institute for Internet and Society. Hacking would be one. But as Scheuermann pointed out, "hacking can happen everywhere because, by its nature, it usually happens remotely". So it wouldn't matter if a data centre was in Saudi Arabia or not.

More specific to Saudi Arabia might be a physical breach at a data centre. "If somebody marches in there and gets physical access to the hardware, then it becomes very, very difficult – in many cases, impossible – to guarantee data will be protected," Scheuermann explained. Data centres do tend to have tight security. However, employees going into the centre would need to be vetted, or they could be pressured into extracting data, critics warn.

A greater concern than a physical breach of a centre occurs when authorities ask for the data by legal means. "For example, by a court order that says the data must be handed over," said Scheuermann. "The government says these servers are on our territory and subject to our legal system. In an authoritarian system, defence against legal orders quickly reaches its limits, when your physical assets are in the state's territory."

King Salman (right) and Crown Prince Mohammed bin Salman, seen here on a billboard in the Saudi port city of Jeddah (photo: AP Photo/picture-alliance)
Absolute rulers: King Salman (right) and Crown Prince Mohammed bin Salman, here on a billboard in the Saudi port city of Jeddah. In authoritarian Saudi Arabia, data collected in storage centres cannot be completely protected, says Bjorn Scheuermann, research director at the Alexander von Humboldt Institute for Internet and Society. "Take, for example, a court order that says the data must be handed over. The government says these servers are on our territory and subject to our legal system," Scheuermann continues. "In an authoritarian system, defence against legal orders quickly reaches its limits, when your physical assets are in the state's territory"

According to Saudi laws?

Google has several pages on its website about how it deals with requests for user information from governments. It follows several steps and every six months, provides reports showing how many requests it received and how many it responded to positively. There are no current statistics for Saudi Arabia. Google stresses that it also complies with local laws. But that's a problem in Saudi Arabia, Marwa Fatafta, policy manager for the Middle East at Access Now, explained, because "Saudi Arabia's Internet regulation laws are hazy and ripe for exploitation."

The country's brand new data protection law, which comes into force early next year, doesn't allow data collectors to disclose personal data except, Fatafta pointed out, when a government requests it for security purposes, among other reasons. The Saudi monarchy also oversees the country's legal system. "In such an authoritarian system, it's hard to imagine how Google, or any individual, would be able to challenge the government," said Fatafta.

Saudi Arabia's 2007 cybercrime law comes into it too. Google may be asked to block or remove content that violates the law, and then tell the Saudi telecommunications regulator about it. "The Saudi cybercrime law is one of the most repressive laws in the region," Fatafta noted. 

Using "the cloud" at all is actually a question of trust, said research director Scheuermann. After all, you're storing your personal or professional data with a company, which ostensibly could access it. Google, Microsoft and Amazon are careful not to do that because of the potential for serious public backlash or major financial penalties, he noted.

"But essentially, you're in their hands," said Scheuermann. "You have to trust in them to adhere to legal limitations, and also that these limitations are not turned against you."

Cathrin Schaer

© Deutsche Welle 2022

More on this topic