Google has successfully defended a plan to keep links in countries other than where people live, as a court has just ruled a citizen’s national right to delete information does not automatically extend to data stored in another country.

“The balance between right to privacy and protection of personal data, on the one hand, and the freedom of information of internet users, on the other, is likely to vary significantly around the world,” the court said in its decision.

The court said the right to be forgotten “is not an absolute right.”

This ruling allows narrow legal loopholes for Google similar to how they avoid national tax requirements, rotating a global identity among Ireland, the Netherlands, and Bermuda.

While the EU has successfully upheld privacy as a human right (“UDHR Article 12. No one shall be subjected to arbitrary interference with his privacy…”), which is showing signs of being adopted by US states, Google is litigating for ways to delay or deny link deletion as part of that right.

And while I’m not a lawyer, I’m told the Court technically has stated there still can be a global application if ordered by the supervisory authority, but it is no longer considered an “automatism”.

The positive spin for the loophole is that Google doesn’t have to abide by a citizen’s request to be forgotten, even if that citizen has an entire nation backing their request as a legal one. Surveillance capitalism having a lack of responsibility to human rights means more money in Google’s pocket, just like if they avoid paying taxes or walk away from any other social-good contract that local markets require of them. In its most charitable light, a mechanism for preserving information against someone’s wishes could be justified if data loss would cause harms.

This, however, is not that case as the “loss” would be revenues Google wants to realize without getting authorization by owners of assets/data. Google litigates this as a “responsible actor” for preservation of data against censorship to appear interested in freedom of speech, yet there are far better ways to avoid censorship than litigating loopholes and havens for advertising revenue databases.

The negative spin for the loophole is that Google is using its ad-revenue warchest to fund its role as a freeloader, using infrastructure and collecting data in order to create high-walled hiding places where they can charge access. This is not unlike the colonial model designed to embed local “business networks” for exploitation and expropriation (theft) of local assets to remote locations to be held against the wishes of creators and owners.

Did the French or British ever argue its museum collections are really preserving speech against censorship in nations they colonized? Asking for a friend who worries their high salary at Google is dirty money.

…thousands of African cultural artifacts taken during the colonial period to be returned to their respective countries, if requested.

Update September 22:

“Man arrested in Greece had nothing to do with 1985 hijacking and murder, victim’s brother tells Military Times”

The FBI most wanted list since 2006 has included Mohammed Ali Hammadi, a Lebanese member of the Iranian-backed terror group Hezbollah. A $5m bounty was posted in 2007.

A TWA Boeing 727 flight in 1985 was hijacked by him and his associates, who assaulted passengers and crew members for 17 days. They also murdered a US citizen, Navy Diver Robert Dean Stethem.

[Pilot] Testrake’s urgent message to the Beirut control tower was broadcast around the world: “We must, I repeat, we must land, repeat, at Beirut. . . . Ground, TWA 847, they are threatening to kill the passengers, they are threatening to kill the passengers. We must have fuel, we must get fuel. . . . They are beating the passengers, they are beating the passengers.”

These hijackers demanded release of all Arab prisoners, particularly the over 700 Lebanese and Palestinians that were held by Israel in southern Lebanon (related to Reagan’s 1983 “aggressive self-defense” policy and the suicide bombing of US Embassy in Beirut).

Today Greek police announced on the island of Mykonos they had taken action two days ago on September 19th based on a warrant issued by German authorities:

…several Greek media outlets identified the detainee as Mohammed Ali Hammadi, who was arrested in Frankfurt in 1987 and convicted in Germany for the plane hijacking and Stethem’s slaying. Hammadi, an alleged Hezbollah member, was sentenced to life in prison but was paroled in 2005 and returned to Lebanon.

Germany had resisted pressure to extradite him to the United States after Hezbollah abducted two German citizens in Beirut and threatened to kill them.

He disembarked from a Turkish cruise ship and was held at island passport control. It appears to have been the result of a routine database check on tourists, during the peak cruise ship month for Mykonos (handling over 700,000 cruise passengers in 2019).

How could he be free and vacationing freely in Greece? Ronald Reagan, as mentioned earlier, failed in 1987 to convince Germany to extradite Hammadi. Germany instead by 1989 tried and convicted the terrorist of murder among other crimes (he had been caught walking liquid explosives through the Frankfurt airport) and put him away with a life sentence.

Then the sentence ended early in 2005 and Hammadi was escorted by Germany back to Beirut aged 41 (President Bush failed to extradite him). This prompted his placement on the FBI list for a decades-long hunt as he apparently enjoyed his freedom.

Conservative pundits in 2010 promoted a “Pakistani source” that the CIA killed Hammadi with a drone strike. So there’s still a chance reports today are wrong. Greek police news, for example, described the arrested man as aged 65. Hammadi would be 55 now (41 in 2005).

Cloud-hosted data sadly has been turning out to be more prone to breach than those run in a traditional private architecture, and now people are facing arrest for using database products without authentication enabled.

It’s a bitter pill for some vendors to swallow as they push for cloud adoption and subscriptions to replace licensing. Yet we published a book in 2012 about why and how this could end up being the case and what needed to be done to avoid it.

Despite our best warnings we have watched ransomware emerge as a lucrative crime model. Software vendors have been leaving authentication disabled by default, hedging on even the most basic security tenets as “questioned” or delayed. Unfortunately this meant since at least 2015 private data ended up being widely exposed all over the Internet with little to no accountability.

Cloud made this problem even worse, as we wrote in the book, because by definition it puts a database of private information onto a public and shared network, introducing the additional danger of “back doors” for remote centralized management over everything.

Take for example today on the Elasticsearch website you see an obvious lack of security awareness in their service offering self-description:

Known for its simple REST APIs, distributed nature, speed, and scalability, Elasticsearch is the central component of the Elastic Stack, a set of open source tools for data ingestion, enrichment, storage, analysis, and visualization.

They want you to focus on: Simple. Distributed. Fast. Scalable.

Safe? The most important word of all is missing entirely.

Normal operations must include safety, otherwise the products should fail any “simple” test. Is a steam engine still allowed to be defined as “simple” if use means a good chance of burning the entire neighborhood down?

Hint: The answer is no. If you have high risk by default, you don’t have simple. And “distributed, fast, scalable” become liabilities like how a dangerous fire spreads, not benefits.

Should vendors be allowed to sell anything called “simple” or easy to use unless it specifically means it is safe from being misconfigured in a harmful manner? For databases that deploy to cloud that means authentication must be on by default, no?

Ecuador quickly has leaped into global leadership on this issue by raiding the offices of an Elasticsearch customer and arresting an executive who used a big data product simply configured to be unsafe.

Ecuadorian authorities have arrested the executive of a data analytics firm after his company left the personal records of most of Ecuador’s population exposed online on an internet server.

[…]

According to our reporting, a local data analytics company named Novaestrat left an Elasticsearch server exposed online without a password, allowing anyone to access its data.

The data stored on the server included personal information for 20.8 million Ecuadorians (including the details of 6.7 million children), 7.5 million financial and banking records, and 2.5 million car ownership records.

The primary question raised in the article is how such a firm ended up with the data, as it wasn’t even authorized.

Yet that question may have a deeper one lurking behind it, because database vendors failed to enforce authentication it undermines any discussion of authorization. Could Ecuador move to ban database vendors that make authentication hard or disabled by default?

A hot topic to explore here is what vendors did over the past seven years to prevent firms like the one in this story from ending up with data in the first place, as well as preventing further unauthorized access to the data they accumulated (whether with or without authorization).

A broad investigation of database defaults could net real answers for how Ecuador, and even the whole world, can clarify when to hold vendors accountable for ongoing security baseline errors that are now impacting national security, highlighting the true economics of database privacy/profit.

Update October 2019: An unprotected Elasticsearch cluster contained personally identifiable information on 20 million Russian citizens from 2009 to 2016.