Jul 30 2014
Well, this should be interesting. The Russian Communications Minister suggested, rather strongly, that Apple and SAP share their source code with the Russian government so that it could be reviewed to make sure it wasn’t being used to spy on Russian citizens. Yes, Russia is playing the privacy card to sneak a peek at the crown jewels of two of the biggest high tech companies in the world. Who says Russian politicians don’t have a sense of humor?
On the surface, the request for source code review in order to protect the privacy of Russian citizens from US spying has some merit. Since the Snowden revelations last year, I think anyone not familiar with Apple and SAP would be willing to entertain the idea that either or both companies might have backdoors in their software. But anyone who knows these companies understands they’re big enough that they can and would strongly resist any effort to introduce spy technologies into their software, probably vocally. Beneath the surface of the request, what Russia is more likely looking for is a way to compromise this software themselves and get access to company secrets in order to share them with their own corporations. Historically speaking, there’s a fair amount of evidence to support this theory. Or maybe I’m simply too cynical.
Irony aside, between recent laws requiring traffic to be logged inside Russia and additional laws requiring all Russian data to be stored in Russia, this shouldn’t be a surprising move. In fact, I won’t be at all startled if the next move is a law requiring any software that’s being installed on hardware within Russia to require testing by the Russian government before deployment. The two current laws are already going to make any cloud deployment that relies on global distribution (meaning all of them) nearly impossible, but adding a code audit to those requirements will make doing business in that location unviable, to say the least.
Apple and SAP could make their source code available for ministry code review, but I find that idea extremely unlikely. The difficulties of doing such code review in environment that is acceptable to both of these companies and the Communications Ministry is going to be next to impossible to create. Apple is well known for how jealously they guard both their source code and their developing hardware and SAP isn’t all that far off the mark, philosophically speaking. It’s unlikely either company would be willing to allow their software to be shared for review off of the company premises, or even reviewed in an environment that would allow for the reviewer to copy the code in some way. And it’s unlikely that any Russian officials are willing to settle on the compromises that will be mandated by the companies before a review is allowed.
The Reuters article suggests that the code review that is being requested by the Russian Communications Minister is politically motivated and being done in response to the sanctions that are being put in place by the European Union and the US in response to the situation in the Ukraine. While there might be an element of this in the timing, I believe that this request is part of a larger movement within Russia to tighten their control over all data within their borders instead. So far, the disclosure of source code is merely a request, without force of law behind it. But don’t be surprised if that request changes to a legal requirement within the next year and it encompasses any software being sold into Russia.
This situation has layers of complexity that I’m not comfortable covering in a blog post, and in fact I don’t believe I have the background to understand many of the political implications involved. Russia has made many moves recently that seem to be inherently opposed to the openness of the Internet and to any sort of Cloud deployment. Both of these seem like self-limiting actions by the Russian government that will keep the country from prospering in the future. How many companies will decide the market in Russia is simply not big enough to take the risks of sharing source code or storing information inside of the country? And how long will the companies that do share code be able to keep it secret without it being shared with Russian companies?
I strongly suspect both Apple and SAP are currently telling the Russian Communications Minister to go pound sand in very nicely worded, politically correct ways. And that the Minister is calmly telling them both that his request will soon carry the force of law behind them, so they’d better play nice or there will be sanctions involved in the future. I would not want to be an employee of either of these companies who works in Russia right now, that much I’m sure of.