On the Biden administration’s first full day in office, three Chinese state-owned telecommunications firms asked to be relisted on the New York Stock Exchange. The firms had been the subject of controversy after a Trump administration last-minute executive order delisted them; yet each has also been the subject of scrutiny from the US government for national security reasons.
These companies—entangled at once with trade and national security issues, especially given Trump’s penchant for acting on the former under the guise of the latter—tell a much bigger story. Questions of how to write internet regulation, in a time where trade and security are increasingly entangled in the digital sphere, are hardly confined to Washington. Many governments worldwide are grappling with internet regulation, both trying to understand the relationship between trade and security online and often blurring together digital trade and security issues in the process. Threading those needles in regulation will be a defining tech policy challenge in the coming decades.
If trade and security issues could ever be cleanly separated, that is an increasingly difficult, if not outright impossible, proposition vis-à-vis the internet. The same communications infrastructure that supports global commerce and scientific research is the one through which governments electronically communicate with spies and on which malicious actors can peddle disinformation. Military secrets and corporate documents traverse the same networks day in and day out: a TikTok video uploaded one second, followed immediately by an energy company’s request to a cloud server. Further, much of this hardware and software is built and operated by the private sector, and yet it is governments (most often democratic) who are typically left cleaning up the messes of the sector’s drive for profit.
Governments in Washington, Berlin, Canberra, and elsewhere have long criticized the Chinese government for imposing trade barriers on foreign companies. A 1997 US trade report, for instance, cited Beijing’s “local content requirements, technology transfers, investment requirements, [and] counter-trade or other concessions” targeted only at firms incorporated outside China. Today, national security is frequently cited by many authoritarian governments as a reason for cracking down on the digital sphere (think of the term “cyber sovereignty”), but democracies are grappling more with the relationship between digital trade and security, too. Where the internet presents new challenges in drawing lines between trade and security, nations are forced to grapple with assessing the complex effects that regulation will have on both.
Take increasingly common data localization requirements—the required storage of data within a specified geography—as an example. Russia instituted such requirements in 2015, forcing companies to store data on Russian citizens within Russia. China’s draft Personal Information Protection Law prioritizes data localization. Vietnam’s 2019 cybersecurity law (which follows in Beijing’s footsteps) only bolstered the local data storage laws on the books. Brazil is weighing a 2020 bill that would make data localization rules part of its General Data Protection Law. Indonesia, Nigeria, Kenya: The list of countries exploring or enforcing these measures goes on.
Both trade and security motivate these requirements. The data localization proposals in India’s draft privacy framework are partly aimed at pushing back against Silicon Valley’s hegemony. When Indonesia relaxed its requirements in 2019, it exempted public entities operating in banking and financial services. Cross-border data flow limits in China are tied with foreign trade and investment considerations. The Reserve Bank of India and the Central Bank of Nigeria both have data localization requirements on financial information. When New Delhi subsequently asked the Reserve Bank of India to examine concerns about its data localization rules, that too was driven by the private sector’s trade and cost concerns.
Similarly, on the security side: After Edward Snowden leaked classified details of US global surveillance programs in 2013, calls rang out from European politicians to localize European citizens’ data within the European Union. Vietnam’s data localization uses claims of national security as a fig leaf for internet repression. Russia’s push for data localization also relies on claims of national security, nominally as well as in practice—the Kremlin’s zero-sum, conspiratorial worldview continues to cast an even greater shadow over Russia’s tech sector. Others yet blur the two, such as in Brazil, where the author of the data localization referred to free data flows abroad as a violation of the country’s sovereignty.
Yet all these actions capture the challenges of writing internet regulation when trade and security issues are more and more entangled. Data localization is a way to impose costs on foreign companies across legal departments, technology developers, and hard physical infrastructure. Compliance in policy and in code isn’t cheap. Whether it fundamentally degrades the influence of large, wealthy internet titans, however, is a different matter; US cloud firms partnering with Indian tech companies to build out their domestic infrastructure is one example of Silicon Valley continually leveraging its market power in the face of looming localization rules. Making firms store data locally can also slow the speed of cross-border data flows and impose costs not just on foreign giants but on local firms trying to get their feet off the ground too. It also raises questions of whether cross-border data flow restrictions violate World Trade Organization agreements.
Each of these trade dimensions is tied with security. Forcing companies to store data with local providers may result in weakened cybersecurity protections over that data. The likes of Amazon, Google, and Microsoft can certainly afford to build local data storage facilities; they can expand their infrastructure (as is already happening in India) and thus perhaps extend their security services offerings to markets that require data localization. But firms that must use local, smaller-budget data storage providers may be losing on cybersecurity what they gain in localization compliance. Data localization can also expose data to more cybersecurity risk because it broadens the attack surface: More copies of a piece of information stored on more systems means more vectors through which to steal it. Sophisticated intelligence services, for one, would certainly like that, as would any number of cybercrime groups.
For all that the Trump administration blurred trade and national security issues, there are fundamentally challenging questions to be unpacked around the internet’s relationship with the two. Regulations of everything from data localization to data collection to infrastructure security will impact trade and security, and the state agencies responsible for carrying out those rules may come from both trade and security domains. Japan’s notion of Data Free Flow With Trust, Brazil’s data localization considerations, and other in-progress frameworks only make this a more urgent question for the next decade. Pulling apart the entanglement of trade and security in the internet sphere is the first step.
WIRED Opinion publishes articles by outside contributors representing a wide range of viewpoints. Read more opinions here, and see our submission guidelines here. Submit an op-ed at opinion@wired.com.
- 📩 The latest on tech, science, and more: Get our newsletters!
- The unsettling truth about the “Mostly Harmless” hiker
- Worrisome new coronavirus strains are emerging. Why now?
- Want to write a book this year? These tools can help
- This Chinese lab is aiming for big AI breakthroughs
- White nationalism is far worse than a “disease”
- 🎮 WIRED Games: Get the latest tips, reviews, and more
- 💻 Upgrade your work game with our Gear team’s favorite laptops, keyboards, typing alternatives, and noise-canceling headphones
