Is Data Balkanization the End of the World Wide Web?
Data balkanization is the compartmentalization of the internet. In its pristine state, the World Wide Web is a uniform package wherever it is accessed. All of its webpages and information are present and accessible to anyone. Data balkanization represents deviations from this uniform internet. There are several ways in which the deviation happens. Some governments restrict inward access to certain content (censorship), some governments restrict outward dissemination of certain content (privacy rights enforcement), and some governments run a parallel intranet.
By default, the entirety of the internet is available to users, and users can access any web asset on the internet. However, governments are able to alter the internet browsing experience of their residents within their internet domain. When a government wishes to restrict the inward flow of content, they will block certain web content or IP ranges through IP blocking, DNS tampering, URL blocking using a proxy, etc.
Governments that restrict outward dissemination typically limit the flow of certain types of data to certain countries in the service of privacy rights enforcement. They typically don’t directly control the flow of information, they rely on legal/civil penalties to enforce the restriction in flow. The entities that are typically doing the restricting are businesses, though it can be any entity with an accessible webpage. It is a much leakier approach to the control of data than the straightforward blocking used in the censorship approach. Basically, the restricting governments fine or penalize any covered organization that is responsible for the transmission of data into a country that the restricting governments haven’t approved of.
Plenty of organizations have intranets. These are self-contained, generally not publicly available networks. They are basically mini-internets that are intended to only be accessible to people within the organization. National intranets are comparably rare. They are costly in terms of time and money.
THE COSTS OF BALKANIZATION
As highlighted above, there are several different ways in which data balkanization occurs. It is important to note that data balkanization has real-world costs.
The Costs of Censorship
Censorship imposes obvious costs on the residents of the country where censorship is imposed. It also often picks winners and losers among organizations involved in commerce.
Residents of censoring governments are the primary victims of the censorship. Their world becomes a little smaller. Information, products, ideas, tools, and social groups that they would otherwise have access to and be able to enjoy are unavailable to them because of their government’s censorship. Even worse, completely innocuous content gets blocked due to coming from the same IP address as undesirable content.
Whether or not this is bad is ultimately a philosophical debate. Some people may be happier not knowing what the wider world is like and are perfectly content to live in a curated bubble, but likely most people would prefer to enjoy all the richness of human knowledge regardless of what their government deems appropriate.
Foreign organizations are more likely to be losers in the censorship lottery. Domestic organizations are more likely to be winners. China, for instance, has established a pseudo-intranet that promotes economic protectionism.1 They do so through slowing cross-border internet traffic and in some instances, they outright block the websites of foreign organizations. Domestic organizations are also generally more attuned to avoiding taboo topics that could result in their being blocked.
The Costs of Privacy Rights Enforcement
There is no direct cost to residents resulting from the provision of privacy rights. It could of course lead indirectly to behavior from organizations that will impose a cost on these residents. For example, the limitations imposed by data privacy laws can reduce the value of website ads/marketing. This in turn may change the business models for some organizations. Some content may need to be paywalled to make up for a reduction in the value of ads on their webpages. Paywalled content is generally less appealing to the average user than getting access to the same content amidst advertisements. As most users prefer free content amidst ads as opposed to paywalled content without ads, privacy rights enforcement can indirectly lead to worse outcomes for users.
There are significant costs for organizations to comply with the obligations imposed by data privacy laws. Data mapping, often an essential first step to compliance, can cost thousands of employee hours to complete. Data Subject Requests (DSRs) have been found to cost on average $1,406 per DSR fulfilled. The number of DSRs that can pour in are essentially limitless. When an organization violates data privacy rights through non-compliance or through a breach, that can be very costly too with statutory damages imposed. Thankfully, Clarip’s Data Risk Intelligence Scan makes data mapping easy and affordable. Clarip offers cost-effective end-to-end DSR fulfillment. Our platform can also help to keep you compliant with data privacy laws and identify risks to help prevent breaches and mitigate the damages resultant from breaches.
The Costs of National Intranet
Residents who only have access to a national intranet are really limited in their access to global knowledge and in their understanding of the outside world. The access to information that many people take for granted is merely a dream for them.
Foreign organizations are often outright excluded from access to national intranets. Domestic organizations have a cornered market. This is harmful for foreign organizations, but very beneficial for domestic organizations.
National intranets can be costly to maintain. National intranets can also be costly to develop. After being first introduced, Cuba’s intranet languished for 15 years, partially due to a lack of funding.2 Even though it has been in place for around 20 years, the number of websites on the North Korean intranet is estimated to be between 1,000 and 5,000.3
CENSORSHIP CASE STUDIES
Why would a government censor the information flowing to its residents? Put simply, they want to limit the information and resources their residents have access to. It is usually about control.
The Great Firewall of China allows China to control the websites that its residents have access to. It is operated by the Cyberspace Administration of China. The Great Firewall is used primarily to censor the internet available to residents of China. China is currently connected to the World Wide Web, though many foreign websites are blocked. With the Great Firewall, China has created a pseudo-intranet. They can slow, modify, and prevent information that comes in. They also slow, modify, and prevent some information from leaving. The main reasons for censorship in China are social control, controlling sensitive content, and economic protectionism. Websites critical of China’s relationship to Xinjiang, Hong Kong, Tibet, and Taiwan are often quickly blocked.
In 2019, Russia instituted the “sovereign internet” law. One effect of which is that Internet Service Providers (ISPs) are obliged to install equipment that includes Deep Packet Inspection (DPI) technology. DPI is an advanced method of examining and managing network traffic. It is a form of packet filtering that locates, identifies, classifies, reroutes, or blocks packets with specific data or code sequences that conventional packet filtering, which examines only packet headers, cannot detect. Russia already blocks tens of thousands of websites, and DPI makes it easier to find and block more. Russia shuts down a significant number of websites related to vice. They specifically target sources of child pornography, drug abuse and production, and suicide. In addition, to these social issues, they also block websites related to political and cultural issues. Publications supporting Ukraine are blocked because they are considered to “incit[e] hatred” and Islamic publications are blocked for being “extremist”.
Iran blocks a significant amount of content. In 2013, almost 50% of the top 500 websites worldwide were blocked in Iran. In 2019, Iran unveiled the National Information Network (NIN). It is similar to the Great Firewall of China, but with more strict monitoring of users. It allows the Iranian government to filter internet content. A concise statement of Iran’s approach to filtering comes from the Director of the National Cyberspace Center of Iran, Abolhassan Firoozabadi, “if the operating system do [sic] not comply with Iranian law” or if the content can “create cultural, social, political and security problems” for the government, they will be filtered. Content that is deemed to be anti-Islamic is blocked and its originator can be potentially punished.
De-balkanizing the censors?
There are commonalities in what the censors choose to censor. Child pornography is a common one, for instance. The commonalities beg the question: Would it be feasible for the various censors to use a universal approach to censorship? A one-size-fits-all Censored Wide Web? Not likely. Much of the content that is censored is very particularized and the diversity of issues within each of the censoring governments would lead to glaring contradictions. With the three censoring countries at issue, Islam is a very polarizing issue. China and Russia block pro-Islamic content, whereas Iran blocks anti-Islamic content and wants to promote pro-Islamic content. Russia and China don’t see eye to eye on things either. China cares a lot about the perception of Xinjiang, Hong Kong, Taiwan, and Tibet and very little about Ukraine or Crimea, while Russia’s concerns are reversed. Ultimately, the special-interest focus of censorship is such that a unified Censored Wide Web will be impossible.
Each of these three censorship exemplars use censorship to maintain control. Internet censorship can be used to control national culture, society, politics, and security.
Enough about censorship, let’s take a look at privacy rights.
HUMAN PRIVACY RIGHTS CASE STUDIES
Q: Why would a government restrict the flow of information from within its borders?
A: Many governments recognize a human right to privacy. Accordingly, they have enacted laws to protect their residents’ data. In general, these data protection laws serve to limit what organizations can do with consumer data. This can lead to limiting data collection and data flow.
The European Union’s General Data Protection Regulation (GDPR) went into effect May 25, 2018. Its stated goal is to protect “fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.” The GDPR grants a variety of rights to EU residents and also imposes obligations on organizations that control and/or process data about them. The GDPR, among other things, requires DSR fulfillment, records of data processing activities, and places significant limitations on the processing and transfer of data.
GDPR prohibits cross-border data flows unless specific pre-conditions have been met. These include an adequacy determination, Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), approved codes of conduct, approved certification mechanisms, or a legally binding and enforceable instrument between public authorities or bodies. Suffice it to say that without an adequacy decision (which itself requires significant investment of time and resources) there are significant transaction costs associated with cross-border data flows.
Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD) was signed into law by Brazilian President Jair Bolsonaro on September 18, 2020. Interestingly enough, it went into effect with a retroactive applicability date of August 16, 2020. However, these past dates carry less weight than August 1, 2021 because that is the date that LPGD’s sanctions provisions will go into effect.
LGPD provides for the processing of personal data with the purpose of protecting the fundamental rights of freedom and privacy. LGPD grants a variety of rights to residents of Brazil and imposes obligations on natural persons or legal entities that process data in Brazil, process data in order to offer goods or services in Brazil, or process data from residents of Brazil.
LGPD prohibits international transfer of personal data unless there is an adequacy determination, SCCs, BCRs, specific contractual clauses, approved of stamps, certificates, and codes of conduct, when the national authority authorizes the transfer, or when the transfer is necessary for another qualifying reason. Similar to GDPR, qualifying to receive transfers of personal data from Brazil will add transaction costs to organizations and in some instances may simply not be possible.
De-balkanizing the privacy rights enforcers?
GDPR and LGPD both restrict transfers of data across national borders. This creates a similar but different effect as compared to censorship. Censorship keeps data from flowing into a country. Privacy rights keep data from flowing out of a country. This results in a different kind of balkanization, but balkanization, nonetheless.
Among the countries that enforce data privacy rights, there is a lot of commonality. They have similar access to the World Wide Web and a common objective in providing data privacy rights to residents, but is there enough commonality to de-balkanize the World Wide Web amongst and between privacy rights enforcing countries? Maybe. There is already a proposal for a multilateral privacy agreement.4 It would allow for relatively free flow of information to organizations that comply with the laws of their signatory nations. It would be economically beneficial for the countries involved and for the organizations operating in those countries. In some ways, it would decrease overall privacy, in other ways it would increase overall privacy.
The decrease in overall privacy stems from more entities having access to personal data. Foreign organizations can access personal data and can even transfer the data across borders. Likely, too, the governments of foreign organizations will access personal data from time to time as well. However, the use of the data should still be limited to the types of uses that it is already used for domestically (by commercial or state actors.) Additionally, the foreign actors (commercial or state) should be observing data privacy laws and accordingly should be taking precautions with the personal data for the benefit of consumers.
The increase in overall privacy stems from the greater appeal of buying in. Right now, the United States doesn’t have a national data privacy law. The allure of being part of the World Wide Web of Privacy Rights Enforcers could be enough to pressure countries such as the US to pass the necessary legislation to become a part of the community of privacy rights enforcing countries. As more countries observe privacy rights, privacy rights will become the norm and expected internationally and even in day-to-day interactions. It has the potential for a global cultural shift around privacy expectations.
National intranets are like censored internets on steroids. The governments behind them also have the goal of filtering what information makes it to their residents. Ostensibly, these governments think it is an easier task to start from scratch rather than block and filter in a piecemeal fashion. They are focused on cultural, social, political, and security control.
De-balkanizing the national intranets?
There is no feasible possibility of de-balkanizing national intranets. These are homegrown intranets that were put in place specifically to be isolated. Balkanization is core to their identity.
Large swaths of the planet have only limited access to the collective knowledge of the human species. Due to censorship in their home countries, they receive a censored, curated understanding of the world around them.
Meanwhile, persons in other countries have largely full access to the World Wide Web. Some of these people additionally have protection of their personal data preventing harms such as targeted advertisements and sophisticated algorithms meant to profile them and exert influence on them based on their observed online behavior.
The combined impact of both of these approaches is that there isn’t a singular, universal World Wide Web. There are curated versions of the Web. Depending on where you are located and where the data that you are interested in is located you may not be able to access it.
Data balkanization can result in the creation of echo chambers. Certain beliefs and opinions are amplified and insulated from rebuttal. This is more dangerous where there is more censorship going on. Echo chambers lead to very differing perceptions of reality, which fundamentally leads to conflict as persons coming from different echo chambers will struggle to see eye-to-eye.
Data balkanization also increases transaction costs. Organizations have to learn what issues are taboo in the countries in which they wish to maintain a market presence. They have to handle taboo topics in such a way that they don’t get into trouble and become blocked out of certain markets. Organizations also have to comply with data privacy laws, which may include standard contractual clauses or simply not transferring data out of certain countries. This can be a costly endeavor.
The more restrictions there are on data flow, the greater the balkanization of the World Wide Web will become and the more important it will be for you to understand where your data flows. Clarip can’t prevent the balkanization of the internet, but we can provide you with solutions to automatically comply with DSRs and keep you informed about where your data flows. Let Clarip bring Clarity in Privacy to you.
2The state of the Internet in Cuba, January 2011, Larry Press, Professor of Information Systems at California State University, January 2011