Enormous risk to privacy and human rights if Microsoft stores cloud data center in Saudi Arabia
The full text of the statement can be read below.
Microsoft should suspend its plans to invest in a new cloud data center in Saudi Arabia until it can demonstrate how it will mitigate potential rights abuses, 18 human right groups said today. There is an enormous risk that Saudi authorities may obtain access to data stored in Microsoft's cloud data center, thus posing unique and direct threats to human rights and privacy, the human rights groups said.
The Saudi government's abysmal human rights record, history of infiltrating technology platforms to spy on human rights activists, deployment of sophisticated cyber surveillance software – including spyware – against dissidents, and vague and broad provisions of its anti-cybercrime and data protection laws call into serious question the ability of Microsoft to uphold its human rights responsibilities in the country.
"The Saudi government's record of violating privacy rights with impunity poses a grave danger to data stored within its borders," said Joey Shea, Saudi Arabia researcher at Human Rights Watch. "Microsoft needs to conduct a thorough human rights due diligence process and publicly detail how it will mitigate the potential adverse human rights impacts associated with Saudi Arabia hosting the data center."
Microsoft announced in February 2023 its plans to invest in a cloud data center in Saudi Arabia to offer enterprise cloud services, despite the country's lack of legal protections, laundry list of human rights abuses, and extensive record of spying on dissidents through illegally accessing personal data.
Human Rights Watch wrote to Microsoft in February 2023 highlighting these concerns. Microsoft responded to questions from Human Rights Watch and noted Microsoft's commitment to the Trusted Cloud Principles and its approach for operating data centers in countries or regions with human rights challenges, but said that its responses needed to remain off the record.
Since Crown Prince Mohammad bin Salman's rise to power in 2017, Saudi authorities have unleashed a wave of arrests targeting human rights defenders, prominent women's rights activists, leading businessmen, senior royal family members, and government officials.
The country's new data protection law and executive regulations grant sweeping powers to government agencies to access personal data, while the 2007 anti-cybercrime law criminalizes the "production, preparation, transmission, or storage of material impinging on public order, religious values, public morals, or privacy," which could be used by Saudi authorities to force Microsoft to hand over user data on people accused of such broad, ill-defined, and abusive charges.
Furthermore, Saudi Arabia's Cloud Computing Regulatory Framework requires all cloud service providers to remove or geo-block "unlawful" content upon the request of the Saudi authorities. Microsoft would also need to notify the Saudi government "without undue delay, if they discover the existence of any content or any other information in the cloud computing system which may be violating the laws and legislations of the Kingdom," including the anti-cybercrime law.
Saudi authorities have repeatedly sought to identify anonymous dissidents and spy on its citizens through their digital communications. In 2018, Citizen Lab, a Canadian research center, concluded that a Canada-based Saudi activist's phone was infected with spyware, allowing full access to personal files, messages, contacts, microphone, and cameras. Another investigation published by Citizen Lab in January 2020 also revealed that two other exiled Saudi dissidents, a New York Times journalist, and a staffer from Amnesty International had been targeted. In July 2021, the Pegasus Project revealed that the Saudi government was possibly one of NSO Group's government clients for its Pegasus spyware.
In 2019, two Twitter employees were accused of accessing the personal data of Saudi dissidents who used the platform, and later charged with spying for Saudi Arabia. Saudi authorities also created an app called Kollona Amn (We Are All Security) and encouraged citizens to use it to monitor online activity and report any criminal activity.
In August 2022, Saudi authorities sentenced a Saudi national, Salma al-Shehab, a doctoral student in the UK, to 34 years in prison based solely on her Twitter activity. Two months before her arrest, al-Shehab's tweets were reported to the authorities through the Kollona Amn app, according to the Guardian.
Currently, three members of the Howeitat tribe are facing the imminent risk of execution, under terrorism-related charges, for resisting their forced eviction to make way for the construction of the giga-city of NEOM. Five UN Special Rapporteurs, in addition to UN human rights experts, have raised their alarm and urged "all companies involved, including foreign investors, to ensure that they are not causing or contributing to, and are not directly linked to serious human rights abuses" in Saudi Arabia.
Saudi Arabia's habitual violations of fundamental rights, including the right to privacy and the right to freedom of expression and opinion, raise serious concerns about Microsoft's ability to uphold its human rights responsibilities under the UN Guiding Principles on Business and Human Rights.
Microsoft has a responsibility to respect human rights that exists independent of a country's willingness to fulfill its human rights obligations. Microsoft's global statement on human rights states its commitment to implement human rights in its business and technologies and respect the UN Guiding Principles across Microsoft's offices and supply chain throughout the countries and territories in which it operates.
Microsoft should conduct a comprehensive, thorough human rights due diligence process, the organizations said. It should include meaningful consultation with at-risk or potentially affected groups, including human rights organizations from the region. It should also publish, in full, the findings, including the steps Microsoft will take to mitigate the risk of facilitating human rights abuses associated with its Saudi data center operations.
Microsoft should also clarify what types of government requests concerning personal data in the cloud data center Microsoft will not comply with in the event that they conflict with human rights obligations.
Human Rights Watch and other rights groups previously urged Google to halt its decision to establish a cloud data center in Saudi Arabia until it can clearly outline the steps it will take to prevent or mitigate adverse rights impacts.
"Microsoft should prove that its public commitment to upholding human rights standards is not just empty rhetoric by publicly detailing its due diligence measures and safeguards for upholding rights," Marwa Fatafta, MENA Policy and Advocacy Manager at Access Now said. "Microsoft must utilize the opportunity to demonstrate leadership among the tech industry in responsible market entry in such extreme risk markets and in countries with dismal human rights records like Saudi Arabia."
List of Signatories:
ALQST for Human Rights
Democracy for the Arab World Now (DAWN)
Euro-Med Human Rights Monitor
Front Line Defenders
Gulf Centre for Human Rights (GCHR)
Human Rights Watch
MENA Rights Group
Project on Middle East Democracy (POMED)
Ranking Digital Rights
Red Line for Gulf (RL4G)
The Yemeni Archive