Update (February 3, 2021) — You can read Snap’s response to the civil society letter here. Access Now will follow up with Snap to inquire further about its technical and policy safeguards. In addition, since this post was first published, Google deleted references to Snap in its blog post about its plan to build a new Cloud region in Saudi Arabia. You can see the original and new versions here. Snap also commented to clarify that only cached “public content” passes through Google Cloud infrastructure.
Update (February 12, 2021) — Google has also replied saying that “an independent human rights assessment was conducted for the Google Cloud Region in Saudi Arabia, and Google took steps to address matters identified as part of that review.” You can see the full response here.
Access Now and CIPPIC are raising the alarm and requesting the immediate halting of Google’s plan to establish a new Google Cloud region in Saudi Arabia — a country with an appalling human rights record. Google has already announced it would be storing Snapchat data on the servers based in Saudi Arabia, placing millions of the Snapchat users’ personal information under the jurisdiction of a government with a longstanding record of surveillance.
“Saudi Arabia and human rights safeguards, historically, do not mix,” said Marwa Fatafta, MENA Policy Manager at Access Now. “A new Google Cloud region in the Kingdom is dangerous, and it is imperative that Google outlines, in no uncertain terms, how they plan to protect data and people’s rights from the prying eyes of the Saudi regime.”
The government of Saudi Arabia’s dismal human rights record includes silencing activists, human and women’s rights defenders, and journalists, and violating the basic rights of its citizens through extrajudicial killings, detention and torture, and the use of spyware to track and censor. This troubling history raises serious concerns about the possibility of facilitating and whitewashing future human rights abuses.
Notably, Snapchat’s parent company, Snap, Inc., has been named as one of the anchor tenants for the new Saudi-based cloud services. Considering the app’s prevalence in the region with over 17 million users, the potential for government demands for content data or metadata, and the increased opportunity to control online discourse, are both of particular concern.
“With data stored in Saudi Arabia, Google and Snap will find themselves with little ability to resist government demands for users’ personal information,” said Vivek Krishnamurthy, Director of the Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic (CIPPIC) at the University of Ottawa. “This directly places millions of people at risk, the consequences of which could be deadly.”
Through open letters addressed to Google CEO, Sundar Pichai, and Snap Inc. CEO, Evan Spiegel, Access Now and CIPPIC are asking the companies to address to the following questions:
- What due diligence did Google and Snap carry out, including on potential human rights impacts, with respect to establishing a cloud region and hosting Snapchat data in Saudi Arabia?
- What teams were involved, and who made the decision to move forward with a deal with Saudi Arabia?
- What apps or other clients hold – or might hold – their data in this center?
- What user data is being held or processed there, and from which countries?
- What security measures are in place to protect the data?
- What legal standards do Google Cloud and Snap consider necessary for secure and sustainable operations, and how does Saudi Arabia meet those indicators?
- What understandings exist between the Saudi government and the companies on government access to data?
The letters were delivered to Google and Snap on Tuesday, January 26, and the companies have been asked to respond publicly by Tuesday, February 2.
About CIPPIC
CIPPIC is a public interest technology law clinic based at the University of Ottawa’s Faculty of Law. CIPPIC’s team of legal experts and law students works together to advance the public interest on critical law and technology issues including privacy, free expression, intellectual property, telecommunications policy, and data and algorithmic governance.