Google’s Perilous Plan for a Cloud Center in Saudi Arabia is an Irresponsible Threat to Human Rights

On August 9, a Saudi woman was sentenced to 34 years in prison by the Kingdom of Saudi Arabia’s notorious specialized criminal court in Riyadh. Her crime? Having a Twitter account and following and retweeting dissidents and activists.

That same day, a federal jury in San Francisco convicted a former Twitter employee of money laundering and other charges for spying—on behalf of the kingdom—on Twitter users critical of the Saudi government.

These are just the latest examples of Saudi Arabia’s dismal track record of digital espionage, including infiltration of social media platforms, cyber surveillance, repression of public dissent, and censorship of those criticizing the government. Yet, against this backdrop of rampant repression and abusive surveillance, Google is moving ahead with plans to set up, in partnership with the state-owned company Saudi Aramco, a massive data center in Saudi Arabia for its cloud computing platform serving business customers.

These cloud data centers, which already exist in Jakarta, Tel Aviv, Berlin, Santiago, Chile, London, Los Angeles, and dozens of other cities around the world, are utilized by companies to run all aspects of their businesses. They store data, run databases, and provide IT for corporate human resources, customer service, legal, security, and communications departments.

As such, they can house reams of personal information on employees and customers, including personnel files, emails, confidential documents, and more. The Saudi-region cloud center is being developed “with a particular focus on businesses in the Kingdom,” Google said.

With Saudi Arabia’s poor human rights record, it’s difficult to see how or even if Google can ensure the privacy and security of people whose data will reside in this cloud. Saudi Arabia has proven time and again that it exploits access to private data to target activists, dissidents, and journalists, and will go to great lengths to illegally obtain information from US technology companies to identify, locate, and punish Saudi citizens who criticize government policies and the royal family.

Saudi agents infiltrated Twitter in 2014 and used their employee credentials to access information about individuals behind certain Twitter accounts critical of the government, including the account owners’ email addresses, phone numbers, IP addresses and dates of birth, according to the U.S. Department of Justice. The information is believed to have been used to identify a Saudi aid worker who was sentenced to 20 years in prison for allegedly using a satirical Twitter account to mock the government.

Meanwhile, a Citizen Lab investigation concluded with “high confidence” that in 2018, the mobile phone of a prominent Saudi activist based in Canada was infected with spyware that allows full access to chats, emails, photos, and device microphones and camera. And just last week, the wife of slain Saudi journalist Jamal Khashoggi announced that she is suing the NSO Group over alleged surveillance of her through Pegasus spyware. These are just a few examples of the Saudi government’s digital war on free expression.

Human rights and digital privacy rights advocates, including EFF, have called on Google to stop work on the data center until it has conducted a due diligence review about the human rights risks posed by the project, and outlined the type of government requests for data that are inconsistent with human rights norms and should be rejected by the company. Thirty-nine human rights and digital rights groups and individuals outlined four specific steps Google sho