Diplomatic immunity for data: Estonia creates a virtual embassy

Dec 14, 2017   |   Microsoft Corporate Blogs

What springs to mind when you think of an embassy? Grand buildings lining Avenue de Tervuren in Brussels, Massachusetts Avenue in Washington D.C., or dotted across Mayfair in London? Perhaps a black-tie reception? Probably not a line of server racks humming away in a data center.

But just as the nature of statehood and sovereignty is undergoing profound change in the digital age, the concept of the embassy is evolving as well. And as with so many other aspects of digital transformation, Estonia is at the leading edge of this change. With no paper records for laws, the land registry or other key national records, digital continuity is crucial for the Baltic state. That’s why next year they’ll open the world’s first data embassy in Luxembourg.

“At the moment, the server room is waiting for its equipment. It’s just like furnishing a traditional embassy,” says Laura Kask, Chief Legal Officer from the Government CIO Office at Estonia’s Ministry of Economic Affairs and Communications. “Like many other digital innovations, in reality the data embassy will look like a regular server room. Its value stems from its unique concept.”

The project requires new thinking both in terms of legal structures and of technological resources. Estonia and Luxembourg signed a bilateral agreement in June. “This is the first time this has been done between two governments”, notes Kask. “In October, we signed a lease agreement and service level agreement, and in 2018 it will be up and running.”

Although it’s new territory in cyberspace, the project is built on solid foundations. “Three years ago, [Estonian President] Toomas Ilves and the country’s Chief Information Officer Taavi Kotka contacted us saying they had a concern about digital continuity,” recalls Microsoft’s Tyson Storch, who led the initial research project on hyperscale cloud usage for government. With no paper backup, the country cannot afford for services to go offline. “We thought, can the cloud enhance digital continuity? And what if, in addition to physical embassies, data in the cloud could enjoy the same diplomatic immunity, like documents in a diplomatic pouch?”

The virtual data embassy project had three core findings: First, it is largely consistent with Estonia’s existing domestic legal framework. Second, migrating and running selected government services is technically feasible. Third, it is crucial for the government to be flexible to benefit from the latest technological advances and protections to ensure digital continuity.

The Estonian data embassy in Luxembourg will look like a regular server room.

In practice that means that backups of non-sensitive government data, such as the country’s official legal records – known as the State Gazette – can legally be held in private companies’ public cloud. This also includes websites which have symbolic importance, like the President of Estonia, which was backed-up on the Microsoft Azure cloud computing platform during the pilot project.

Estonia also maintains data backups and live services within its own borders in the government-operated cloud. “We have a multi-layer approach,” explains Taimar Peterkop, Director-General of the RIA, the Estonian Information System Authority. “We have backed up our most sensitive data here in Estonia, but because of the size of our country, we need to store some data outside of our jurisdiction as well.”

It’s the legal setup which makes it different from a standard disaster recovery center. “It’s not just a Luxembourg data center that we’re storing it in,” says Peterkorp. “We have jurisdiction over that data.”

Under the Vienna Convention, embassies, ambassadors, and the diplomatic pouches they carry are given special protections. For a data embassy to be meaningful, that same protection needs to be applied — effectively creating a corner of Estonian sovereign territory in cyberspace, via a data center in Luxembourg. And that’s not as straightforward as it seems.

“The legal issues are less clear than the security issue,” says Ian Walden, Professor of Information and Communications Law at Queen Mary University of London. The Vienna Convention was written over half a century ago and could clearly be interpreted in a way that “really underpins the virtual data embassies and the concept of being able to place data remotely but securely,” explains Professor Walden. However, “the point with the Vienna Convention is there are a set of rules, but their enforceability is somewhat doubtful.” Much depends on the recipient state: would they really treat a server rack as equivalent to a consular post?

This uncertainty about the applicability of laws drafted in the last century to the internet age means the small Baltic state is taking no chances. “Estonia didn’t want to be the first to go to court and see if the Vienna Convention applies or not,” says Laura Kask. “That’s why we have a bilateral agreement for that kind of embassy, hosting Estonian data and information systems abroad.”

Luxembourg’s willingness to enter such a bilateral agreement with a strong flavor of the Vienna Convention to protect Estonia’s virtual crown jewels was just one reason they worked with the Grand Duchy, Kask adds. “Luxembourg has a very high certification level for data centers,” she notes. In addition, the Luxembourg government is “small and agile like us — we’ve had very direct contacts with the officials, meaning the process was really easy.”

From the earliest stages of the data embassies project, this willingness to do things differently was essential. “Normally, you have lawyers talk to lawyers, and engineers to engineers” says Microsoft’s Storch. “What made this partnership with Estonia different was working with a multi-disciplinary team on both sides.”

With different systems for storing data inside and outside of Estonia’s physical borders, the use of those systems can be tailored to the situation. “When it’s business as usual, it may be fine to have an approach where less sensitive data may be backed up in the cloud and highly sensitive data stays in the country. However, in the case of a crisis, for example a natural disaster or a cyber attack, a government may want the option to hit the emergency button” notes Storch. If something goes wrong, then all types of data is moved to another location in the cloud — a process known as failover. And once normal service is back up and running, it returns there — called failback. Storch and his team checked how safely and effectively various critical services could go through this sequence.

Estonia is more aware than most countries of the importance of cybersecurity and digital continuity. In April 2007, the country was the victim of a cyberattack which shut down government, bank and media websites. Crucial internet infrastructure ground to a halt — in a country with no paper backup.

“Being close to Russia we know that we have to pay attention to cybersecurity,” says the RIA’s Peterkop. “All our digital services have to be secure to work — our resilience is built through not having all our data in only one or two sites.”

Throughout the 20th century, diplomats from countries at war would board a steam train carrying a diplomatic pouch full of documents, seeking refuge in a sympathetic capital. In the 21st century, governments need to stay online as well.

Take the President’s website. “If that were defaced, it would be a reputational blow,” hence its importance to the data embassy project, notes Storch. “When it comes to the State Gazette, if you have people changing laws in an unauthorized way, that could be problematic.”

Estonia held the presidency of the Council of the EU for the second half of 2017.

Estonia’s approach to data sovereignty could set an influential precedent in a world where international legal frameworks pre-date the digital age.

“Cyberspace will be an area for future wars and the UN and international law of war needs to be looked at and updated for the modern era,” says Professor Walden. “We’ve got the capability to consider particular conduct an act or war — for example, under UK law disturbing electronic information systems is an express form of terrorism.”

The omnipresence of digital communications and systems in our lives is something Estonia is uniquely well-placed to consider, being at the forefront globally when it comes to adapting digital technologies. The data embassy could one day be as commonplace as the diplomatic passport: it’s just one example Estonia has been setting during its six-month tenure of the EU’s rotating presidency. “The theme of the presidency was digital and I think we’ve succeeded in raising awareness,” concludes Laura Kask. “Digital is not a pillar of something, it’s horizontal and affects every single aspect of what we do.”

Microsoft Corporate Blogs