People say they have no choice to justify choices they have already made.
Service providers say they have no choice to justify divulging their customers’ identities to the governments of the countries they want to do business with. For instance in this recent article about the Google vs Facebook flap Joe Kraus of Google said:
“Google lives and dies on protecting users’ privacy,” Kraus added. “We believe [Friend Connect] is good for users in terms of control and extremely protective of users’ privacy.”
Ironically this quote was published on the same day that it was reported that Google had given the Government of India the identity of a man who had criticized and posted vulgar comments about an Indian politician on Okrut using his GMail account. Apparently the “lives and dies” part is really more of a guideline that a rule.
Google’s defense (like Yahoo’s in an earlier more serious case with Chinese dissidents) was that they were just following the laws of the country they operated in. To bend Godwin’s law a little, this is a little like saying they are “just following orders”.
There are also conflicting reports about RIM giving the Government of India the ability to decrypt Blackberry traffic in India. If, in the end, RIM decides to compromise the security of its customers using their handsets in India, their defense will also be that they had no choice.
Of course these companies had choices. There are always choices. They could have refused the governments requests and taken the consequences. But when faced with choices like these most companies will do what’s best for their short term business interests. As consumers we need to be aware of this and take this into account when deciding what information to entrust our service provider with.
This security risk is also global. A country like China, where there is no effective restraint on government power, could demand from your service provider your information no matter where you live. They could further demand that your service provider not inform you of this. Why? Because they can.
Now here is a sobering thought. So far I have been discussing personal information and identity. But there is no reason to assume that your company’s data is not at risk if you use a SAAS provider that does business in countries like China.