Google′s data plans in Saudi Arabia ′will risk lives′: activists | Middle East | News and analysis of events in the Arab world | DW | 18.06.2022

Visit the new DW website

Take a look at the beta version of dw.com. We're not done yet! Your opinion can help us make it better.

  1. Inhalt
  2. Navigation
  3. Weitere Inhalte
  4. Metanavigation
  5. Suche
  6. Choose from 30 Languages
Advertisement

Middle East

Google's data plans in Saudi Arabia 'will risk lives': activists

Internet giant Google is creating a "cloud region" in Saudi Arabia. It says it will protect users there. But digital rights activists say the firm will be putting the lives of government critics at risk. Who's right?

Interior of Google's data center in Atlanta, US

Google has 34 cloud regions around the world, with data centers like this one in the US city of Atlanta

Saudi Arabia doesn't exactly have a positive track record when it comes to digital espionage.

In 2018, the country's government reportedly used the notorious spy software Pegasus on devices belonging to the family of Jamal Khashoggi, the Saudi dissident and journalist who was killed that year in a gruesome assassination allegedly orchestrated by the government.

In 2019, two former Saudi employees of Twitter in the US were charged with using the popular social media platform to unmask critics of the Saudi government.

And last year, a Saudi aid worker who had used a Twitter account to make jokes about his government was jailed for 20 years. His case is believed to be connected to the government's infiltration of Twitter.  

And then there's Google. The online giant has the most popular search engine and most-used, web-based email service in the world. Part of US company Alphabet Inc., Google regularly boasts about how carefully it protects users' data. But it has also had some noteworthy run-ins with authoritarian leaders.

Problems in China

When the company first introduced its search engine to the Chinese market in 2006, it was criticized by activists for censoring search results critical of the Chinese government.

Then, between 2009 and 2010, Google was targeted by "a far-­reaching hacking attack known as Operation Aurora that targeted everything from Google's intellectual property to the Gmail accounts of Chinese human rights activists," science publication MIT Technology Review reported in December 2018.

Google then withdrew from the Chinese market. Despite that, it was only in 2019 that the US company publicly confirmed it had abandoned a secret project code-named Dragonfly, a search engine created especially for China, that would filter out results about human rights, democracy, religion and political protest. 

Pedestrians walk past the Google AdWords center in Shanghai, China, 1 September 2016. .

Despite past challenges, Google still has a presence in China, working mostly with local partners to provide its services

Now Google says it wants to set up a "cloud region" in Saudi Arabia.

Given the two actors involved, the reaction from human rights organizations and digital privacy advocates has not been surprising.

"This disturbing new step by Google raises … fears that this cloud center could leverage more power to the government of Saudi Arabia in further facilitating human rights abuses," said a 2021 letter signed by 31 human rights organizations, including Amnesty International, the Oxford Internet Institute and Human Rights Watch.

"A cloud center in Saudi Arabia will risk lives," Laura Okkonen of Access Now, the online rights organization that has been a prime mover behind the campaign, told DW.

Activist investors overruled

Most recently, a group of activists supported by Access Now filed a resolution so Google's investors could vote on the Saudi controversy at the annual general meeting of Google's parent company Alphabet, which was held on June 1.

The proposal asked that Google "commission a report assessing the siting of Google cloud data centers in countries of significant human rights concern."

Exterior of Google datacenter in Atlanta.

Data centers use a wide variety of physical security measures to prevent intruders from entering

Although just over 57% of independent shareholders at the meeting voted for the resolution to be adopted earlier this month, Google's executive management outrank them in voting power and the resolution was rejected.

When responding to DW's inquiries, Google did not directly address the topic; the company sent an online link to its blog post from December 2021 announcing the Saudi data center in Dammam would be going ahead. 

The political issues around setting up a data center in Saudi Arabia are clear. But what are the technical concerns around what are known as cloud services?

More private and business users now operate their online devices using "the cloud." What this basically means is that your data — things like pictures, documents, music, emails and other messages — is stored somewhere other than the computer or phone in front of you. The software that lets you play music or post images is being run on larger computers in another location. You simply access them using the Internet.

A "cloud region" is really just a euphemism for the location where all those other computers are, in what is known as a data center.

Hand is holding a smartphone with the Google logo displayed and dark blue background

US tech giant Google is one of the three leading cloud services providers in the world; the others are Amazon and Microsoft

Security concerns

Up until recently, Saudi Arabia has lagged behind in cloud services but industry insiders say it is now being seen as a major, new opportunity. Of the three biggest cloud operators in the world today, Google is likely to be the first to set up a data center there. The other major players are Amazon and Microsoft. China's Alibaba already has two data centers in Saudi Arabia.

In terms of the technology, there are a number of ways outsiders could gain access to information inside a data center, said Björn Scheuermann, a research director at the Alexander von Humboldt Institute for Internet and Society.

Hacking would be one. But as Scheuermann pointed out, "hacking can happen everywhere because, by its nature, it usually happens remotely." So it wouldn't matter if a data center was in Saudi Arabia or not.

Commemoration ceremony held in front of the US Congress on the 3rd anniversary of the death of Saudi journalist Jamal Khashoggi

Saudi Arabia allegedly spied on the family of murdered dissident Jamal Khashoggi

More specific to Saudi Arabia might be a physical breach at a data center. "If somebody marches in there and gets physical access to the hardware, then it becomes very, very difficult — in many cases, impossible — to guarantee data will be protected," Scheuermann explained.

Data centers do tend to have tight security. However, employees going into the center would need to be vetted or they could be pressured into extracting data, critics warned.

A greater concern than a physical breach of a center occurs when authorities ask for the data by legal means. "For example, by a court order that says the data must be handed over," said Scheuermann. "The government says these servers are on our territory and subject to our legal system. In an authoritarian system, defense against legal orders quickly reaches its limits, when your physical assets are in the state's territory."

According to Saudi laws?

Google has a number of pages on its website about how it deals with requests for user information from governments. It follows several steps and every six months, provides reports showing how many requests it received and how many it responded to positively. There are no current statistics for Saudi Arabia.

Google stresses that it also complies with local laws.

That's a problem in Saudi Arabia, Marwa Fatafta, policy manager for the Middle East at Access Now, told DW, because "Saudi Arabia's internet regulation laws are hazy and ripe for exploitation."

The country's brand new data protection law, which comes into force early next year, doesn't allow data collectors to disclose personal data except, Fatafta pointed out, when a government requests it for security purposes, among other reasons.

A banner showing Saudi King Salman, right, and Crown Prince Mohammed bin Salman, hangs outside a mall in Jiddah, Saudi Arabia

Saudi Arabia is a monarchy run by de facto leader Crown Prince Mohammed bin Salman (left)

The country's legal system is overseen by the Saudi monarchy. "In such an authoritarian system, it's hard to imagine how Google, or any individual, would be able to challenge the government," said Fatafta.

Saudi Arabia's 2007 cybercrime law also comes into it. Google may be asked to block or remove content that violates the law, and then tell the Saudi telecommunications regulator about it. "The Saudi cybercrime law is one of the most repressive laws in the region," Fatafta noted. 

Using "the cloud" at all is actually a question of trust, research director Scheuermann told DW. After all, you're storing your personal or professional data with a company, which ostensibly could access it. Most of the time, businesses like Google, Microsoft and Amazon are careful not to do that because of the potential for serious public backlash or major financial penalties, he noted.

"But essentially, you're in their hands," said Scheuermann. "You have to trust in them to adhere to legal limitations, and also that these limitations are not turned against you."

Edited by: Stephanie Burnett

DW recommends