On August 9, a Saudi woman was sentenced to 34 years in prison by the Kingdom of Saudi Arabia’s notorious specialized criminal court in Riyadh. Her crime? Having a Twitter account and following and retweeting dissidents and activists.
That same day, a federal jury in San Francisco convicted a former Twitter employee of money laundering and other charges for spying—on behalf of the kingdom—on Twitter users critical of the Saudi government.
These are just the latest examples of Saudi Arabia’s dismal track record of digital espionage, including infiltration of social media platforms, cyber surveillance, repression of public dissent, and censorship of those criticizing the government. Yet, against this backdrop of rampant repression and abusive surveillance, Google is moving ahead with plans to set up, in partnership with the state-owned company Saudi Aramco, a massive data center in Saudi Arabia for its cloud computing platform serving business customers.
These cloud data centers, which already exist in Jakarta, Tel Aviv, Berlin, Santiago, Chile, London, Los Angeles, and dozens of other cities around the world, are utilized by companies to run all aspects of their businesses. They store data, run databases, and provide IT for corporate human resources, customer service, legal, security, and communications departments.
As such, they can house reams of personal information on employees and customers, including personnel files, emails, confidential documents, and more. The Saudi-region cloud center is being developed “with a particular focus on businesses in the Kingdom,” Google said.
With Saudi Arabia’s poor human rights record, it’s difficult to see how or even if Google can ensure the privacy and security of people whose data will reside in this cloud. Saudi Arabia has proven time and again that it exploits access to private data to target activists, dissidents, and journalists, and will go to great lengths to illegally obtain information from US technology companies to identify, locate, and punish Saudi citizens who criticize government policies and the royal family.
Saudi agents infiltrated Twitter in 2014 and used their employee credentials to access information about individuals behind certain Twitter accounts critical of the government, including the account owners’ email addresses, phone numbers, IP addresses and dates of birth, according to the U.S. Department of Justice. The information is believed to have been used to identify a Saudi aid worker who was sentenced to 20 years in prison for allegedly using a satirical Twitter account to mock the government.
Meanwhile, a Citizen Lab investigation concluded with “high confidence” that in 2018, the mobile phone of a prominent Saudi activist based in Canada was infected with spyware that allows full access to chats, emails, photos, and device microphones and camera. And just last week, the wife of slain Saudi journalist Jamal Khashoggi announced that she is suing the NSO Group over alleged surveillance of her through Pegasus spyware. These are just a few examples of the Saudi government’s digital war on free expression.
Human rights and digital privacy rights advocates, including EFF, have called on Google to stop work on the data center until it has conducted a due diligence review about the human rights risks posed by the project, and outlined the type of government requests for data that are inconsistent with human rights norms and should be rejected by the company. Thirty-nine human rights and digital rights groups and individuals outlined four specific steps Google should take to work with rights groups in the region in evaluating the risks its plan imposes on potentially affected groups and develop standards for where it should host cloud services.
Google has said that an independent human rights assessment was conducted for the Saudi cloud center and steps were taken to address concerns, but it has not disclosed the assessment or any details about mitigation, such as what steps it is taking to ensure that Saudi agents can’t infiltrate the center the way they did Twitter, how personal data is being safeguarded against improper access, and whether it will stand up against government requests for user data that are legal under Saudi law but don’t comply with international human rights standards.
“The Saudi government has demonstrated time and again a flagrant disregard for human rights, both through its own direct actions against human rights defenders and its spying on corporate digital platforms to do the same,” the rights groups’ statement says. “We fear that in partnering with the Saudi government, Google will become complicit in future human rights violations affecting people in Saudi Arabia and the Middle East region.”
This isn’t the first time Google’s plans to do business with and profit from authoritarian governments has sparked outrage. In 2018, The Intercept revealed that Google was planning to release a censored version of its search engine service inside China. “Project Dragonfly” was a secretive plan to create a censored, trackable search tool for the Chinese government, raising a real risk that Google would directly assist the Chinese government in arresting or imprisoning people simply for expressing their views online.
Google eventually backed down, telling Congress that it had terminated Project Dragonfly. Unfortunately, we have seen no signs that Google is reevaluating its plans for the Saudi cloud center, despite the overwhelming evidence that dropping such a trove of potentially sensitive personal data smack dab into a country that has no compunction about accessing, by any means, information so it can identify and punish its critics will almost certainly endanger not only activists but everyday people for merely expressing opinions.
Indeed, in June company leadership at Alphabet, Google’s parent company, urged shareholders to reject a resolution that would require the company to publish a human rights impact assessment and a mitigation plan for data centers located in areas with significant human rights risks, including Saudi Arabia. It even asked the Securities and Exchange Commission to exclude the resolution from its 2022 proxy statement because, among other things, it has already implemented its essential elements.
But this was hardly the case. Specifically, Google has said it is committed to standards in the United Nations Guiding Principles on Business and Human Rights (UNGP) and the Global Network Initiative (GNI) when expanding into new locations. Those standards require “formal reporting” when severe human rights impacts exist as a result of business operations or operating contexts, transparency with the public, and independent assessment and evaluation of how human rights protections are being met.
Google has done the opposite—it’s claimed to have conducted a human rights assessment for the cloud center in Saudi Arabia and addressed “matters identified” in that review, but has issued no details and no public report.
The shareholder resolution was defeated at Alphabet’s annual meeting. The good news is that a majority (57.6%) of independent shareholders voted in favor of the resolution, demonstrating alignment with rights groups that want Google to do the right thing and show that it knows full well the risks this cloud center poses to human rights in the region by disclosing exactly how it plans to protect people in the face of a government hell-bent on punishing dissent.
If Google can’t live up to its human rights commitments and its claims to have “addressed matters” that literally endanger people’s lives and liberty—and we question whether it can—then it should back off of this perilous plan. EFF and a host of groups around the world and in the region will be watching.