Is Europe creating a false sense of data security?
post-Snowden world is a little like a new parent suddenly worrying about the security of its baby…data. Governments, companies, and citizens alike are now wrestling with how to secure it. Over the past year, Europe has been discussing proposals intended to address foreign surveillance on governments, individuals, and companies. The problem is that many proposals, in fact, do not make data more secure while contributing to an Internet that is less free and open for all of us.
The term you need to know, the one that’s driving a lot of these proposals, is “technological sovereignty” – or the idea individual countries should have control of their citizens’ data and Internet traffic.
What these proposals all have in common is the premise that they can and will help secure the data of people, companies, and governments in Europe. And yet, from laying new undersea cables, and localized routing to data storage initiatives, the vast majority of these proposals lack the foresight to actually protect data.
Take the creation of new undersea cables, for example, which allow the transoceanic delivery of data. Justifying new cables by claiming that they’ll make data secure is misleading: new undersea cables have positive side effects for the Internet as a whole and can increase the general resiliency of the infrastructure, but they do not effectively protect against surveillance. What’s more, even if this was a plausible solution, government intelligence and law enforcement agencies have the well-documented ability to tap these cables –undersea or otherwise– and intercept the data.
Similarly, the alleged benefit of initiatives like “E-Mail Made in Germany” is that e-mails would be secure from foreign surveillance. However, the encryption of data in transit that E-Mail Made in Germany offers is not a new advancement. The latest version of this encryption was issued in 2008 and has been implemented by many e-mail providers long before Deutsche Telekom and United Internet made their announcement. These proposals create a false sense of security by claiming enhanced security features (that are actually not new at all) without protecting against surveillance.
Related: Why we need a new definition of cyber threats.
And then there are the particularly worrisome proposals for localized European or Schengen routing. The idea is that as long as intra-European data traffic is exclusively routed through European or national infrastructure, citizens’ data will be secure. Such measures may raise the technical hurdle for intercepting data for certain foreign surveillance agencies, but may also lower the legal hurdle facing these agencies. For example, the U.S. legal authority under which U.S. intelligence and law enforcement agencies collect data outside of the U.S. is part of an executive order. But how the intelligence community interprets it is largely unknown, though it is more permissive than the section of the FISA Amendments Act that permits law enforcement agencies to collect data within the U.S. This dynamic prevails throughout several parts of the world where laws constraining domestic law enforcement are separate and distinct from, and often less restrictive than, those confining international intelligence agencies.
Moreover, localized routing could make it easier for domestic intelligence and law enforcement to access and control more Internet traffic than before – hence contributing to an Internet that is less open and free – and domestic agencies may still pass data on to foreign intelligence agencies that they cooperate with. Worse, such nationalized or bordered routing directly opposes the original construction of the Internet, which, was designed to allow data to flow by way of the most efficient route at that particular moment. To say that this would change the Internet as we know it is no exaggeration.
Here’s what many of these proposals are getting wrong: they’re focused too heavily on the physical location of data as a security mechanism, when, in fact, data privacy and security depends primarily on how it is stored and transmitted. In reality, few of the proposed measures actually protect data from surveillance. Moreover, governments outside of Europe, namely authoritarian regimes with poor human rights records, could rhetorically use these proposals to justify their own actions, weakening Europe’s human rights foreign policy.
Betting on these ill-conceived initiatives risks wasting important resources that could be used for more promising proposals to effectively make data more secure, namely greater use of and better encryption.
But encryption is controversial. In the United States and the United Kingdom the recent announcement by Apple and Google to strengthenencryption sparked a debate regarding the tradeoffs between encryption and security reminiscent of the Crypto Wars. On one side, law enforcement argues that broader use of encryption will severely hinder their efforts unless they are given backdoors into products. On the other, computer security experts argue that these backdoors will be just as easily accessed by nefarious actors and generally decrease the security of these products. This is a necessary and important debate. It is about virtual security and physical security. It is about the virtues and limits of encryption, which can protect data flows and stored data, but does not protect metadata.
This is the debate Europe needs to have if the goal is to secure data and what it contains.
And this is the debate the world’s democracies need to have. After all, calls for technological sovereignty have not been limited to Europe. InBrazil, data localization proposals were hotly debated. The Australiangovernment has banned China’s Huawei from participating in building its National Broadband Network. And the United States has not been immune from this trend, exemplified by Congress’s creation of a cyber espionage review process to limit government procurement of Chinese IT equipment in 2013.
More: These 30 countries could shape the future of the open Internet.
Pushes to border and wrest further control over the Internet are expected in some areas of the world like China and Russia. The question is what measures can be taken to keep data safe while safeguarding the free and open Internet and preventing further fragmentation. Europe is uniquely positioned to set the trend on how data is secured, as swing states and traditionally progressive countries like Brazil may see Europe’s movement as a signal to follow in their wake. But they cannot turn a blind eye to the openness and freedom of the Internet. In order to support an open, free, and secure Internet, European policymakers need to decisively and publicly disown and discard proposals that were made in the spur of the moment and that do not make data more secure. This will allow them to focus on the more promising proposals, such as encryption, and move the debate in a more productive direction. This is what Europe owes to everyone committed to an open, free and secure Internet.
This article is published in collaboration with New America. Publication does not imply endorsement of views by the World Economic Forum.
To keep up with Forum:Agenda subscribe to our weekly newsletter.
Author: Tim Maurer is a Research Fellow at the Open Technology Institute. Robert Morgus is a Research Associate at the Open Technology Institute. Isabel Skierka is a research associate with the Global Public Policy Institute.
Image: European Union flags fly outside the European Commission headquarters in Brussels June 15, 2005. REUTERS/Thierry Roge.
Don't miss any update on this topic
Create a free account and access your personalized content collection with our latest publications and analyses.
License and Republishing
World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.
The views expressed in this article are those of the author alone and not the World Economic Forum.
Stay up to date:
Innovation
Related topics:
The Agenda Weekly
A weekly update of the most important issues driving the global agenda
You can unsubscribe at any time using the link in our emails. For more details, review our privacy policy.
More on Geo-Economics and PoliticsSee all
Spencer Feingold
November 20, 2024