I would understand if they demanded both storage and processing be done in India. Then it's just about control, and the ability to sever MC's India operations from the mother ship in case things go really sour and the US tries to cut India off from the global financial system or something. But since it's just about data at rest, it's nonsensical.
Or am I missing something?
This is a country that switches off mobile data (3G and 4G) at the drop of a hat, and switched off an entire state’s mobile Internet access for 18 months.
This may appear unnecessary and capricious to some especially in the West. However I’m sure pro-Indian government commenters will say “we’re sovereign, our government can do as it likes as it has a democratic mandate” and that is of course true. And that is, in my view, the driver for India’s interest in data residency. Its laws allow its government an enormous degree of latitude to do what it likes. When it has to access foreign data it is often thwarted by EU or US privacy & legal rules, which it feels is unbecoming of a nation as geopolitically important as India.
What I feel about this is that of course India has the sovereign right to do as it pleases, but its messy, adhoc approach to digital governance won’t win it any laurels and will actually tarnish its reputation. Also, it would be on a much better footing if it passed a decent law on digital privacy, which many have been saying is long overdue — leading to a flourishing unregulated economy in selling Indians’ data.
"Oh, but the data is encrypted." Sure, but the country could literally seize all of the servers and shut down the payment processor. "Hey, American Express, if you don't give us the data we want, we'll simply take your whole payment network offline."
It's a lot harder to pressure a payment network when you don't have physical control - especially if that payment network can challenge you in court. It's easy for the government to shut off mobile networks that are physically present. It's harder for the government to stop traffic from routing to a payment processor whose servers are outside of the country - especially if they have a half-decent security/threat team ready to avoid blocks.
I don't know the laws of India, but it seems likely that the Executive has a certain amount of discretion that can be challenged. However, it's a lot harder to challenge that discretion if your business is offline for a year while you challenge it. Payment processors need to comply with local laws, but if you're a country where the Executive doesn't mind disrupting services, that gives them a huge amount of leverage to get your compliance beyond local laws. If the data is hosted outside of India, it's a lot easier to to simply comply with the laws rather than the laws plus whatever the Executive thinks they can claim the laws support.
Ultimately, if the data is stored within India, the Indian government can be an existential threat to their business in the country beyond what the law allows. A company will hand over data rather than seeing its servers seized for a year while a trial ensues. During that year, they'd lose all their customers to competitors and they'd be shut out of the market. Likewise, what if the government "accidentally" damages the data when they lose the trial? If you have 100M customers in a country and each is carrying a balance of $100, that's $10B that people owe. If the government has seized all those records and then damages them, your business is in a lot of trouble.
Data residency gives a government willing to bully companies a lot of power. It's simply a lot harder to access information stored abroad and you have a lot less leverage.
You have no clue how much uncontrolled power Indian government has today. This law is brought in to benefit telecom companies and real estate companies.
It is ok for Europeans to insist on data residency within their shores but not for India? It is ok for Americans to insist on no data to be hosted in Chinese servers but not India?
The amount of leverage you have with data being abroad is approximately the same - you can decree that your financial institutions or businesses are committing a crime when transacting with said company, and that is all.
I thought you were going to go further with that thought. I'm from an African country where the government tried to block social media during protests at DNS level. These efforts were trivially thwarted by using VPNs. The next trick was to cut off the internet entirely - unfortunately for the government, this broke electronic payments and ground the economy to a halt, so the internet blackout lasted a day.
I suspect one of the factors is that India wants to be able to cut itself off from the internet without breaking (payment) systems that have data stored offshore.
You seem to be on a general critique of Indian policy, and also applying it to this specific case. If we untangle those two for a moment, what exactly is messy, adhoc about this financial data residency requirement? It seems logical to me that local financial data should remain local for legitimate legal reasons (supervision of fraud/criminality being the most obvious ones). Why would this tarnish their reputation?
At risk of being incredibly inflammatory - this is the first I've heard of bulk Indian citizens' data being worth enough to harvest in the first place - what's changed?
If you're marketing to that demographic (e.g. potential ads for private colleges, or other courses), your budget won't be super high, but you might well spend a little for a bunch of emails of potential leads.
Storing data encryped in north korea, with the capability to fetch and decrypt that data in Sweden, is approximately equivalent to storing the unencrypted data in Sweden (as far as hackers, law enforcement, etc. are concerned), except you've now added the additional risk that north korea only needs to exfiltrate one encryption key to gain access to all your data.
More reasonably, if you're storing the data in north korea, that's also where you have the compute, and therefore the decryption keys, and therefore someone in north korea who knows what they are doing can quitely steal the decryption keys, make a copy of your data, and view all the data unencrypted.
Encryption is only foolproof(ish) when you are sending data between two trusted endpoints. That's not the case for the cloud, the place you are storing the data is also almost always one of the "trusted" endpoints. Encrypting the data at rest has some minor benefits (being a hurdle to accessing the data, meaning that theft of a single hard disk doesn't get data) but doesn't provide any form of unbreakable security.
Encrypting the data at rest has the major benefit of making its physical location completely irrelevant. Transmitting the data while encrypted has the major benefit of making the physical location of all the nodes through which it passes completely irrelevant. Hence the only thing that matters is the geographic location of where the data is processed, because that is where you decrypt it. All privacy laws should be written with that understanding, but they are not. They are written by people who are ignorant of this simple logic, because they don't understand how Internet works, how encryption works, how routing traffic works and how little it has to do with borders of countries, etc etc.
Healthcare privacy laws in my country, for example, have this exactly 100% backwards. They force me to store data in my country, but say nothing about where it is processed. And of course there's no hard requirement to encrypt data at rest. It's hard to imagine how you can get this kind of law more wrong.
The XKCD cartoon is another way of stating (part of) my point - it doesn't matter where the stuff is stored (provided you encrypt it properly), what matters is the point at which it can be accessed. A dead owner's encrypted iPhone in the FBI forensics lab is more secure from intrusion by the FBI than an unencrypted hard drive I locked in my basement. Even if I use, like, 10 locks, and they don't (yet) know it's there.
At some point, North Korea has copied the encrypted data for later data mining.
In 2021 that encryption scheme for some reason is no longer considered secure. Even if you stepped using it in 2014, the data from the time you used it up until you stopped may be compromised.
An unencrypted hard drive stored in a locked Chinese basement is probably quite a bit more secure from FBI intrusion than the encrypted iPhone that they physically possess.
Physical access still matters a lot.
Not if there is rate limiting, or other means of preventing the entire set of data being dumped. That is to say, storing it encrypted makes it harder to get the full set of data. Though, I guess in practice the client application would likely be able to request all of the data from storage.
I run a Filecoin node and I store the data of approximately 200 clients in my homelab. I don't know who they are, or what they store, because it's all end to end encrypted.
And no -- my clients don't trust me, it's crypto, it's trustless :)
What do you mean by "properly encrypted"? MasterCard is not going to let you be the sole holder of your encryption keys. And if you aren't holding them, then they they hold it, and then they must be holding in at least one given country. And that country has the power to force them to turn these keys over.
The power to do this is the goal of this game.
So now when picking services I am not allowed to host on any non Canadian servers if we are hosting personal information about staff/users etc. It can be a simple event registration system, survey, or just having to be really careful when using cloud services. I even have to watch out when sharing a innocuous file over Slack.
This really sucked when stuff was moving over to cloud and we wanted to use a lot of hot new stuff, but most providers get it now and provide Canadian servers so not as bad finding compliant vendors.
Another issue is establishing jurisdiction; if the server is held locally, then it's clear that local laws apply to things done on that server - the owner of the server can't claim that they e.g. got a US subpoena and did some stuff in USA that fulfills all the USA legal requirements and everything that's it; if the server was physically located in e.g. Canadian soil, then it means that the violation (if any) happened "in Canada" even if it was done by USA-located USA citizens of USA company.
There are bith advantages and disadvantages to protectionism I feel.
Sure, if it's properly encrypted, the North Korean government may not be able to access it, but nothing's stopping them from cutting you off and holding your data hostage.
I used to work for a company that made software for casinos. Many of them were on tribal land, and refused to use any cloud services because they didn't want any of their data on American soil. All their software was on-prem, all their data was on-prem. If Uncle Sam came a-knockin' with warrants and court orders, they'd tell him to take it up with the tribal elders.
Raw data we use for image processing at work (we will miss it if it's gone) is stored in three locations: server room, another server room in a different building, and on the cloud. Properly-as-of-2021-encrypted, of course.
Unless we really fuck something up with securing our storage servers or running a script that accidentally wipes it all at once, it's really hard to imagine a scenario under which all of that is gone at once.
If the cheapest and most reliable cloud storage provider was in North Korea, the only reason I wouldn't use them is the reaction I'd get from Very Important Privacy Peoples when they hear of it. (And also because I don't want to fund a criminal totalitarian regime responsible for sending people to the Gulag).
Silent, bulk, state-mandated surveillance.
Both for the at-home surveillance, as well as to counter the effect of storing it elsewhere, and permitting that state silent, bulk surveillance of the data of your own subjects/citizens.
How about it gets encrypted same way in North Korea or South Korea. Which one would you prefer?
What if North Korea says it is properly encrypted and gov has no easy access, but we all know that could be just as well wrong?
The U.S. Not exactly enjoys a lot of trust internationally when it comes to customer protection and privacy.
Whichever is cheaper and/or more reliable. If I trust encryption, all other answers are bogus.
>What if North Korea says it is properly encrypted and gov has no easy access, but we all know that could be just as well wrong?
In this scenario, I decide how to encrypt my data. The storage service is just dumb disk space for me to rent. Call it The People's Democratic B2. Otherwise, it's not really secure no matter who gives you assurances.
One of the government consultants spoke about "Data sovereignty". When someone asked what it meant he spoke for like 10 minutes without actually answering the question. "Data of Indians must belong to Indians", "Data is the gold of modern world" he then referred to various international reports without actually telling what those reports say.
"We must protect our citizens data" one official said as others nodded in agreement. What they imagined here (I think) was data sitting on a hard drive and protected by people with guns creating a parameter around it.
The files of these regulations moved across many tables and many offices. I am told the real estate companies in India had a big role and influence on these regulations.
Yes, ultimately it is a ridiculous law that does not help anyone. It does not protect anything.
You might feel comfortable with that as an individual, but geopolitically speaking, India would be giving North Korea a pretty bargaining chip by letting payment processors store their data there (if they were so inclined). Imagine the havoc that could be caused! By requiring data residency, it is instead India who gets a pretty bargaining chip against these huge multi-national corporations.
I think what they're doing makes sense.
Jurisdiction is huge thing, not a side show.
Data that sits overseas is subject to entirely different sets of laws which can conflict with local laws.
Those laws also relate to espionage, and even outside the framework of legality ... it matters as well.
It's a lot easier for the NSA to collect data on individuals if it's hosted in the US.
I have absolutely no doubt that financial, legal and health records should simply not leave the local legal jurisdiction without consent and a few more things.
1. If it's encrypted, it doesn't matter where it's stored.
2. If it's not encrypted, it can be easily stored in country X, processed in country X, but routed via SnoopHub in country Y. Country Y loves surveilling and is very happy about this state of affairs.
>I have absolutely no doubt that financial, legal and health records should simply not leave the local legal jurisdiction without consent and a few more things.
A very common attitude, usually held by people who "geographize" that which is not geographic in nature - the Internet.
There's no reason to believe that Visa/MC would simply use 'America' as a based to host dumb, encrypted data which enters and leaves the the US fully opaque. That would be pointless. Visa/MS are using services hosted in the US which will process customer data.
2) Statement #2 is also false. There is no arbitrary way for the US to snoop on data that doesn't flow through the US. For a whole variety of reasons - legal, operational, technical, political, cost etc.. Surely it can be done in a limited way, but at a level nowhere near the domestic capability.
3) Finally, you're statement on "geographizing" is also false.
Data, encrypted or not - falls under legal jurisdiction of the 'nation / geography' it's in, and this has many significant consequences. It makes a corporation subject to local laws, regulations, liabilities etc..
The internet is very geographic in nature.
Ah, a fan of cold storage, are we.
That encryption is pointlesss. North Korea can just demand the key and decrypt your data (assuming the company has presence in that country). Very few services have true end to end encryption. Currently it's not even feasible for healthcare data (homomorphic encryption is not practical yet).
For North Koreans, all encryption is indeed pointless if the goal is to hide it from the government, regardless of where they want to store data, for this very reason.
I can implement true end-to-end encryption in about 30 minutes (only because I gotta look up where I implemented it last). I will encrypt my data using well known and validated libraries, send it over to the cloud. Retrieve when I need it and decrypt it then. Not sure what about this is not feasible.
What use is end to end encryption for your healthcare data, if nobody except you can process that data? In that case, why don't you just put it on some external hard drive?
This is not a technical issue and has zero to do with tech. It’s political.
Ok, so you decide to store your nation's sensitive data in another country, $nation. If things get awry, there is a (pretty remote) risk that $nation will break your encryption. But there's also a much less remote risk that $nation will simply block all connections from your country and prevent you from accessing your own data. How do you deal with such a threat?
If it is a bit hard to digest, perhaps one needs to extend the same respect to India's sovereignty.
I have a bunch of subscriptions (App Store, JetBrains, AWS etc.,) which continue to seamlessly go through without me having to explicitly authorise each month.
I suspect there is a fine print/subtext to that subscriptions rule that isn't accessible to public.
EDIT: Another useful one: https://support.google.com/pay/india/answer/10710851?hl=en
It looks like existing subscriptions were grandfathered until Sept 30, which is why you haven't seen a change. But new accounts cannot use subscriptions until the company has properly implemented e-mandates.
But I have a gut feeling that international merchants are exempted from this rule. Because I can go to JetBrains even now and subscribe to their products.
It is not a surprise-everyone move. Indian central bank is following consistent long term policy. I feel overall it is good.
I think to be fair to the HN community on this topic, most of us are not lawyers and shouldn't be providing legal advice. And maybe more importantly, at least in the US, the most rational advice starts with step one being "have at least $500M in a legal fund", which precludes most people from being able to effectively execute a suit against Google.
Also, Ladakh is hardly a troubled area from within.
I mean if it is fair and reasonable that Indian transactions should be stored and processed in India, is it not also fair and reasonable that goods sold in India should be made in India, that movies that show in India should be made in India, that all news consumed in India should be written in India?
I get these are not the same, but what is the real difference here? Where does it become unreasonable in my examples and why?
EU, China and India all have areas where they want US based firms to store data in a specific way. This isn't changing anytime soon.
I'd be shocked if most big banks in Eastern Europe are owned locally.
The opposite of what you're saying is true for almost every average or small country, economically.
Besides which, India doesn't have a good track record of protecting privacy either.
Sure there are other ways, but India seems to like to go for the most radical solutions at times
So data is spied on just by being routed near them, it is not needed for them to be the destination.
Of course, thats what every country wants, and they develop policies that give tax breaks or concessions to local businesses. That's why tariffs were enacted.
I'm sorry, I don't really get your point, maybe you can restate it?
Your answer, as far as I can discern, is that it "Of course" it is "fair and reasonable that goods sold in India should be made in India, that movies that show in India should be made in India, that all news consumed in India should be written in India."
That's all there is to it, question asked, and answered.
It might not make sense for every country to demand things like this, but that doesn't mean it doesn't make sense for giant countries too, and it doesn't make it inefficient.
At India's scale costs are already amortized anyways, but worse, consider India's physical location. It's surrounded by hostile nations (Myanmar, China, Pakistan, make a wall around it). To get data out of the country you're talking about moving it through hostile territory, or moving it through vulnerable subsea cables. Not only is the bandwidth probably more wasteful than the extra compute needed to spin up another set of servers to serve the billion people in India, but the network cannot be relied on to keep working during any sort of crisis.
Luxembourg or whatever demanding all data processing happening internally would be meaningfully different. It's less than a million people to amortize over instead of more than a billion. It's next door to allies which the data could reasonably be stored and processed in, instead of isolated. But we're not talking about whether or not Luxembourg should demand this, we're talking about whether or not India should.
If pro-China government is installed in Myanmar it means that it automatically becomes hostile to India.
Controlling trade routes explains many wars and coups.
Whatever bandwidth is available would undoubtedly be quickly consumed if the land lines were cut...
And Netflix would not have data centers in virtually every ISP in the world.
Ohh poor Netflix, the bandwidth costs are so unfair to them!
I think the hard reality of it is data needs to be localized, to ensure companies comply with local laws. Every country has independent authority on how they want to run things, and whether it turns out to be good or bad, companies need to follow them.
To give you an example, companies operate in China, despite not having great labor laws or environmental protection laws, or the threat of facing the govt.'s wrath any moment. That's because they want to do business in that country. It's the same with any company or country.
It started with china. The moment the world accepted their firewall conditions, it was the moment that we said we are OK with letting you earn the benefits of the web, without the cost of openness.
Open countries could set a marker on this issue. Either you are open or your are not. And if you aren't , you will be dooned to rot in your protectionist web.
We didnt set the marker, so here we are.
Otherwise, it seems reasonable to me, but I'm not that knowledgeable in this area.
So yes, it is difficult - but it has been years since MasterCard knew about this.
Where it gets really hairy is routing. Example - handling payments of Indian international travellers; or card details entered on websites that are hosted outside of India.
I worked on a similar project but 1/10th of scale and even then it was extremely tricky to cover all the edge cases.
Nothing but yet another American company that would like India to behave like a colony.
In the grand scheme of things these news are kind of interesting to read. I see multiple ways to characterise these events but it's a bit tough to because the only words I'm able to use kind of project a moral judgement onto the sides which I do not intend to make because history will have to be the judge of that. Needless to say, though, that I assume extreme selfishness from all sides as a given.
With that said, you could say that this a fight between:
- freedom and authoritarianism /banning things -or- giving people the freedom to trade by allowing foreign companies to pave the way/,
- globalism and nationalism /promoting the interests of the local government -vs- a foreign one/
- or simply a battle of political interests.
Probably a strange mix of all of the above, in reality.. I have a hard time figuring out who to root for, though, as these western multi-nationals can act pretty maliciously, too. And so do governments that turn authoritarian. I'd kinda prefer neither with the freedoms of all myself, but I am being unrealistic, sadly.
According to the article, the banks are saying the reason it's much stricter than the equivalent EU data residency requirements is to ensure the Indian government can spy on customer data. Is there a more reasonable, less malicious reason they may have written the requirements this way?
> There is no bar on processing of payment transactions outside India if so desired by the PSOs. However, the data shall be stored only in India after the processing. The complete end-to-end transaction details should be part of the data.
So this only applies to the customer data, not the actual systems that do the transaction processing and verification. The systems that actually do the work could still be cut off from India, leaving them with nothing but a database of customer transactions.
Countries simply do not have the unilateral ability to avoid wars.
When a country can print itself out of debt (or more accurately, kick the can down the road for the next generation), war is inevitable. If we remove the ability to do this, a prolonged war becomes far less likely.
If a nation's neighbors have the capability to fight a years long war, but that same war would bankrupt the nation, then the
The game theory of the situation (again, from an individual nation's perspective) means no one nation will "remove the ability to do this" unless there's a massive collective action.
And I don't really see what a loose monetary policy could have anything to do with this. Before the 20th century countries rarely had the means to mobilize their economies by directing most of the output to the war effort, they had no capacity to enforce this and in any case there wasn't enough surplus produced to a wage total war without everyone starving to death and/or the central government collapsing.
When you cannot replace the capital spent on war via inflation, war is less likely to occur. I acknowledge this is a fringe philosophy, but time will tell.
Well the gold (or silver) standard had been a thing for thousands of years and I don't think there is much empirical evidence to suggest that a country's inability to control it's monetary policy somehow inherently disincentivizes it's government from waging wars.
Talking about inflation specifically, there was relatively little of it during both WW1 and WW2 since all countries implemented price controls and rationing and pretty much nationalized all the available production capacity.
I am arguing that if you remove the ability for a state to create money (or at least debase it), it removes the ability for it to wage war.
Continuous war requires continuous capital to wage. If this continuity is ended, wars end.
> There was the debasement of the currency of the Roman Empire,
War was the reason why Roman empire existed in the first place. In fact some argue that the Roman economy was only sustainable as long as Rome continued conquering new lands, enslaving their populations and taking away their property. As soon as the empire stopped expanding they were long able to maintain their army. Arguably, without debasement the collapse might have happened sooner they would have ran out of gold to pay their soldiers anyway.
A gun is useless against ECDSA. A government cannot stop a person holding, saving, spending or transacting in bitcoin. As long as there is a channel, anywhere in the universe that allows submission of valid, signed transactions to peers, the state cannot stop it.
"Should be sufficient" and "Will be sufficient" are different enough to cause anxiety for people who have to safeguard against those kinds of outcomes.
As for avoiding war: sure, but how should we conduct things until utopia arrives?
that's a silly remark. are you suggesting that countries can simply avoid wars and accept the consequences just because some credit cards will stop working ?
And GDPR had a long transparent process that in addition to the official implementation time, gave companies a lot of time to see what sort of rules they would likely be working under even before it was approved.
The worst government since liberalization, however, makes capricious rules, without input or deliberations, drops them on the world like they are a JayZ album, and then gives atrocious timelines for compliance.
More often than not they will then backtrack on those rules once enough time has passed so people will forget how atrocious those rules are (like during COVID), or in some cases (such as demonetization), they will double down never mind the generational economic damage and direct death toll.
This ruling came out in 2018 and they were given an extension until now, 3 years is sufficient enough to implement most things
GDPR is about privacy.
It will create job in India. The government doesn't allow multinational companies to get away with having all the market access and data control while evading taxes.
I do not think its not even concern if MC is entirely banned
I'm sure they'll raise the other fees later though. Probably just dipping their toes.
Anyone who have lived in india long enough will tell you how far from the truth this is.
The only Stick India has, besides their nuclear arsenal, is the size of their domestic market (aka population). I dont think the purchasing power of their domestic market is that lucrative compare to actual superpowers (Economic or Military). Buy just large enough for International companies to bother to invest.
The whole political platform for Modi is religious fanaticism, nationalosm and jingoism. Any sane, rational Indian leader would not be so Anti international investment. (I am not only talking about the incident mentioned in this article, but generally speaking).
If you can look past the billionaires and the prosperous cities of India (however few), it eirily feels like the whole country is for most part still stuck in the 80s.
Most people tout india as the largest democracy with diverse relious population. The reality on the ground could not have been farther from truth.
In reality the country feels like its always in the state of experiment by their political leaders, competing with each other to find the best way to fuck things up without actually blowing up the country. Yet.
The problem is that Modi has brought an insane blend of pre liberalization economic policy, centralized authoritarian control, and british inspired religion based divide and conquer policies that have set India back a couple of generations at least, possibly permanently if he remains in power and continues down this path.
FDI has actually increased since Modi became the PM and he was been actively courting foreign companies. I don't understand how he is "Anti international investment".
Also all the PLI schemes for companies are pretty anti international investment, so companies from Samsung to Apple are all investing big.
GST implementation has been quite successful, FDI has increased since Modi came to power. The pandemic, of course, has been pretty bad, with the GDP contracting 8% in 2020.