With last week’s blizzard of Snowden leaks hitting the news, the EU parliament overwhelmingly passed a draft set of new EU data privacy rules with a fast-tracked time frame of implementation by mid April 2014. But, in a surprising twist, David Cameron just managed to do away with the fast tracking, arguing that the proposed rules would be an onerous burden on businesses. So the new EU data privacy rules are still coming, but not for at least another year and presumably with a lot of changes:
Bloomberg
EU Fails to Speed Up Privacy Rule in Spite of Merkel Spy Tension
By Stephanie Bodoni & Ian Wishart — Oct 24, 2013 7:43 PM CTEuropean Union leaders dropped a 2014 deadline to complete an overhaul of the bloc’s data privacy laws even as they condemned allegations that the U.S. eavesdropped on German Chancellor Angela Merkel.
Leaders called for a strengthened data-protection law to be introduced in a “timely” fashion. A draft version of their summit statement had language seeking its adoption next year. A U.K.-led group urged a slowdown to consider the effect of the legislation on businesses.
“We stressed that we have to speed up the work, but it is a complex task. It’s not only related to the already difficult issues of protecting privacy, but it is also an impact on business,” EU President Herman Van Rompuy said after the first day of a two-day summit. “We have to study this carefully.”
The overhaul of the privacy law, which could result in U.S.-based companies including Google Inc. (GOOG), Facebook Inc. (FB), and Apple Inc. (AAPL) facing fines as high as 100 million euros ($138 million) for data-protection violations, was endorsed by a panel of EU lawmakers this week. National governments have to agree to the proposals before they can become law. At the summit, leaders called for adoption of the law as part of the introduction of new telecom rules in 2015.
“We think there’s too much red tape in the proposal,” Markus Beyrer, director general of European business federation BusinessEurope, told reporters before the summit. “We think there are too many things which might hurt data flow, which might hinder growth.”
...
Hmmm...so what information do we have yet on the proposed anti-business rules Cameron is referring to? It must be pretty severe to warrant a delay on bill with so much momentum behind it. It certainly suggests there’s going to be a lot to discuss during the “secret trilogue”:
Infosecurity
European Civil Liberties Committee Approves Current Draft Data Protection Regulation22 October 2013
Edward Snowden’s leaked information on the character and extent of NSA surveillance brought new impetus to the European Commission’s proposed new General Data Protection Regulation, which had been floundering under the weight of extensive US government and business lobbying.For example, under the proposed legislation the transfer of data to third-country authorities (by companies such as Google, Facebook, Apple and Microsoft) can only occur under European law or an agreement based on European law. This would mean that regardless of FISA rules, such companies could not pass Europeans’ personal data to the NSA without facing European sanctions (which in theory could be a fine of up to 5% of global turnover).
This was part of the original proposal from the European Commission, but had been dropped in the face of extensive US government lobbying. Now, following Snowden’s revelations it has been re-introduced into the draft legislation (and the potential sanction increased from an original 2% to 5% of turnover).
The current draft proposal has now been approved by the European Parliament’s Civil Liberties Committee (LIBE). It was accepted by a vote of 51 in favor, 1 against, and 3 abstentions, after several postponements over the summer months. The proposal’s draftsperson and rapporteur, Jan Philipp Albrecht, called it “a breakthrough for data protection in Europe” that “would overhaul EU rules, ensuring they are up to the task of the challenges in the digital age.”
But the devil, as always, is in the detail – and much confusion remains. Ad Age reports, “ ‘It seems to provide for a complete block of cross-border data flows unless the US agrees to EU rules on NSA access to data,’ said Christopher Wolf, director of the Privacy and Information Management practice group at law firm Hogan Lovells, calling the proposal ‘draconian.’ ” But the same report quotes Justin Brookman, director of consumer privacy at the Center for Democracy and Technology: “The regulation looks pretty robust, though there are some workarounds that will let companies do a lot of what they already do.”
It is these ‘workarounds’ that are still heavily criticized by European civil liberties groups. Prior to the vote, La Quadrature du Net (LQDN) wrote to the LIBE committee, “we urge you to reject compromise amendments made on articles 6 and 20.”
...
“If allowed to stand,” said Joe McNamee, Executive Director of European Digital Rights, “this vote would launch an ‘open season’ for online companies to quietly collect our data, create profiles and sell our personalities to the highest bidder. This is all the more disappointing because it undermines and negates much of the good work that has been done,” he added.
LQDN has a further criticism. The LIBE committee also approved ‘trilogue negotiations’ in the run up to the final European vote. This means that further discussion on the proposed legal framework between the EU and national governments will now be held in secret. “That legal framework – geared to protect the fundamental right to privacy of the European citizens – deserves an open and transparent debate that is equal to the challenge represented by these issues,” LQDN said in its letter to the LIBE committee, urging “transparency and a proper, in-depth public debate.”
So while some of the amendments voted by the LIBE committee yesterday strengthen and bring forward the new European General Data Protection Regulation, there are many who believe it still contains enough loopholes – and potentially new loopholes introduced in secret – to mean business as usual in the collection and movement of European personal data by the big internet companies.
would launch an ‘open season’ for online companies to quietly collect our data, create profiles and sell our personalities to the highest bidder.
So there’s nearly 4000 amendments still to be worked out in the secret trilogue, but right now it’s sounding like the new rules potentially “provide for a complete block of cross-border data flows unless the US agrees to EU rules on NSA access to data” while at the same time containing loopholes that “would launch an ‘open season’ for online companies to quietly collect our data, create profiles and sell our personalities to the highest bidder” and “mean business as usual in the collection and movement of European personal data by the big internet companies”. And possible large fines if the rules are found to be broken in a way that falls outside the loophole. So hypothetical protection against spying by foreign governments but probably no real threat to data collection by private companies. This was probably to be expected because it’s not like EU tech giants wouldn’t like business as usual too.
With much left up to the secret trilogue it’s very unclear how beneficial the final legislation is going to be for average EU citizens. On the other hand, the new rules are also going to require that firms have a designated “data protection officer” and this is the closest to a jobs program we’ve seen from the EU in years at least there’s that.
What’s better than being one of the big fish in the ocean? Being an even bigger fish in global sea on ponds
Still, it has to be said that the implementation of EU-wide data-privacy laws are a great example of the usefulness that the EU can provide and exactly why something like the EU has value. When it’s not implementing far-right economic theories across the union the EU can actually be useful! Because there are some things in the world that really benefit from a standardized sets of rules and data-privacy laws for cross-border exchanges are one of them. If it’s possible to have a common set of rules that close trading partners can agree upon all the better.
The EU also helps to avoid situations like each nation having its own domestic internet that requires all internet traffic be kept within the nation. An internal internet for critical infrastructure certainly makes sense. And a larger national internet might work well for some services, like a national email service. But it also might break the internet and do very little to deal with the global threat of mass domestic surveillance or even exacerbate that threat if authoritarian governments use the balkanization of the internet to impose controls to censor access. So let’s hope nations with intranet ambitions proceed with caution:
Germany wants a German Internet as spying scandal rankles
By Leila Abboud and Peter Maushagen
PARIS/FRANKFURT | Fri Oct 25, 2013 11:36am EDT
(Reuters) — As a diplomatic row rages between the United States and Europe over spying accusations, state-backed Deutsche Telekom wants German communications companies to cooperate to shield local internet traffic from foreign intelligence services.
Yet the nascent effort, which took on new urgency after Germany said on Wednesday that it had evidence that Chancellor Angela Merkel’s mobile phone had been monitored, faces an uphill battle if it is to be more than a marketing gimmick.
It would not work when Germans surf on websites hosted on servers abroad, such as social network Facebook or search engine Google, according to interviews with six telecom and internet experts. Deutsche Telekom could also have trouble getting rival broadband groups on board because they are wary of sharing network information.
More fundamentally, the initiative runs counter to how the Internet works today — global traffic is passed from network to network under free or paid-for agreements with no thought for national borders.
If more countries wall themselves off, it could lead to a troubling “Balkanisation” of the Internet, crippling the openness and efficiency that have made the web a source of economic growth, said Dan Kaminsky, a U.S. security researcher.
Controls over internet traffic are more commonly seen in countries such as China and Iran where governments seek to limit the content their people can access by erecting firewalls and blocking Facebook and Twitter.
“It is internationally without precedent that the internet traffic of a developed country bypasses the servers of another country,” said Torsten Gerpott, a professor of business and telecoms at the University of Duisburg-Essen.
“The push of Deutsche Telekom is laudable, but it’s also a public relations move.”
Deutsche Telekom, which is 32 percent owned by the government, has received backing for its project from the telecoms regulator for potentially giving customers more options.
In August, the company also launched a service dubbed “E‑mail made in Germany” that encrypts email and sends traffic exclusively through its domestic servers.
BUGGING
Government snooping is a sensitive subject in Germany, which has among the strictest privacy laws in the world, since it dredges up memories of eavesdropping by the Stasi secret police in the former East Germany, where Merkel grew up.
The issue dominated discussions at a European summit on Thursday, prompting Merkel to demand that the U.S. strike a “no-spying” agreement with Berlin and Paris by the end of the year.
As the row festers, telecom and Internet experts said the rhetoric exceeded the practical changes that could be expected from Deutsche Telekom’s project. More than 90 percent of Germany’s internet traffic already stays within its borders, said Klaus Landefeld, a board member of the non-profit organization that runs the DE-CIX Internet exchange point in Frankfurt.
...
Note that Deutche Telekom’s “E‑mail made in Germany” campaign recently ran into a snag recently when it was reported that the BND has been reading foreign email flowing through the giant De-Cix data exchange center in Frankfurt where the “E‑mail made in Germany” service that was recently set up is run. German citizen’s traffic is reportedly safe from this snooping (uh huh) and now, presumably, foreign users of the service are supposed to favor the BND’s surveillance over the NSA’s. It’s a reminder of the strange reality that the internet has brought surveillance regime shopping to the masses. The marketing campaigns are going to be awesome.
Continuing...
...
Others pointed out that Deutsche Telekom’s preference for being paid by other Internet networks for carrying traffic to the end user, instead of “peering” agreements at no cost, clashed with the goal to keep traffic within Germany. It can be cheaper or free for German traffic to go through London or Amsterdam, where it can be intercepted by foreign spies.
Thomas Kremer, the executive in charge of data privacy and legal affairs for the German operator, said the group needed to sign connection agreements with three additional operators to make a national routing possible. “If this were not the case, one could think of a legislative solution,” he said.
“As long as sender and receiver are in the Schengen area or in Germany, traffic should no longer be routed through other countries,” Kremer said, referring to the 26-country passport-free zone in Europe.
A spokesman for Telefonica Germany said it was in early discussions on national routing with other groups. A spokesman for Vodafone said it was “evaluating if and how” to implement the Deutsche Telekom proposal.
Although Deutsche Telekom is positioning itself as a safe custodian of user data, its track record on privacy is mixed. In a 2008 affair dubbed Telekomgate, Klaus Trzeschan, a security manager at the group, was jailed for three and a half years for his role in monitoring phone calls of the firm’s own management and supervisory board mem0bers, as well as business reporters.
A spokesman for Deutsche Telekom said the affair was the reason why the group worked “so hard” on privacy and security issues in recent years. “We are now the leading company of our industry when it comes to customers’ trust,” he said.
DATA CENTRES
While the routers and switches that direct traffic can be programmed so data travel certain routes, the most popular online services are not built to respect borders.
Web companies often rely on a few large data centers to power their entire operation, and they don’t choose locations based on the location of their customers but on factors such as the availability of cheap power, cool climates, and high-speed broadband networks.
For example, if a Munich resident uses Facebook to chat with a friend sitting 500 kilometers (310 miles) away in Berlin, the traffic would go through one of the company’s three massive data centers 8,000 km away in Oregon or North Carolina, or one near the Arctic Circle in the Swedish town of Luleå. European users’ profiles are not necessarily stored in the Swedish centre; instead the website’s different functions such as games, messaging, and wall posts are distributed among the data centers to improve efficiency.
Similarly, emails sent by Google’s Gmail between two German residents would probably be routed through one of the company’s three data centers in Finland, Belgium and Ireland.
The only way to change this would be for Germany to require local hosting of websites, a drastic move according to experts that has not yet been pushed by German leaders. Deutsche Telekom declined to say whether it would lobby for such an approach.
Brazil’s President Dilma Rousseff, angered by reports that the U.S. spied on her and other Brazilians, is pushing legislation that would force Google, Facebook and other internet companies to store locally gathered or user-generated data inside the country.
One solution would be for European leaders to beef up a new data-privacy law, which has been in the works for almost two years. A greatly toughened version of the law was backed by the European Parliament on Monday, but it still requires agreement by members states.
France and Germany may succeed in getting member states to push ahead on talks to complete the new data rules by 2015.
...
While it’s possible that we could see a German-internet arise from all this, it seems much more likely that this will be used as a kind of diplomatic threat, much like the threat to revoke the data-privacy ‘safe-harbor’ agreements between the US and EU. IF there’s one thing the large multinational corporations that dominate the governments across the world love it’s large, unified marketplaces. And balkanizing the internet isn’t exactly a great way to create large, unified global marketplaces. A balkanized internet requiring global firms to utilize a global network of domestic server farms and follow an ever-changing set of local data-exchange rules probably isn’t going to be profit-maximizing scenario.
On the other hand, a balkanized internet does perform one very valuable service for the IT giants of the world: large multinational corporations with very deep pockets and the ability to build facilities anywhere in the world are going to be the only entities capable of providing global internet services, like cloud computing. In a world where multiple internets operate on multiple legal and possibly technical standards, we could find ourselves in a world where the big multinationals are the only entities that can facilitate the transactions required for the global e‑commerce/cloud-computing services of tomorrow. Avoiding foreign-spying isn’t just a business expense in the global e‑commerce/cloud computing marketplace of tomorrow: It’s also a big protective barrier to entry when balkanized internets are part of the solution:
Computing.co.uk
SAP to circumvent NSA spying in Brazil by building data centres in the country
By Sooraj Shah
17 Sep 2013SAP is to circumvent any spying by the US National Security Agency (NSA) in Brazil by building data centres in the South American country.
In documents aired by Brazil’s biggest television network, Globo, the NSA had a presentation dated May 2012 that was used to show new NSA employees how to spy on private computer networks.
The slides had suggested the NSA had tapped into the network of Brazilan oil firm Petroleo Brasileiro SA.
The firm is a major customer of SAP’s and SAP’s managing director of Southern Latin America, Diego Dzosan, suggested that as a result of recent revelations about the NSA’s involvement in Brazil, SAP will ensure that it keeps all of its Brazilian customer data within Brazilian territory; it is currently housed in the US.
Dzosan was speaking at SAP’s Innovation Tour in Brazil, and believes that the Brazilian government’s stance on the privacy of data, even prior to the NSA revelations, has always been clear.
“Brazil has had a very strong policy in recent years for both private and public companies, in how they store and access data securely. It has a long tradition of that, and our industry has been evolving in line with a lot of those government guidelines,” he said.
He claimed that SAP, which is headquartered in Germany, can fall in line with the Brazlian government’s regulatory framework with a cloud solution but that the first step for the firm is to work with local partners.
“We don’t currently have our own data centres in Brazil, so our first step is to work with local partners to give us a short-term solution, building data centres takes some time, so you need immediate capacity, and we will eventually own our own data centres ‚” Dzosan stated.
...
A significant balkanization of the internet, like the creation of a German-only or Brazilian-only internet that requires a dramatic rewriting of web-service software, is probably more of a diplomatic threat than a real plan at this point in time. But the soft balkanization of the internet via a growing patchwork of different national and regional data-privacy rules seems like a near certainty since it’s currently hapening. How this changing landscape is going to impact rapidly growing sectors of the global economy like global cloud computing and web-services will be something to watch. We can be sure the large web-service multinational giants will have a global web-service presence. How about the smaller and mid-sized companies? Because companies like Facebook might be currently complaining about new laws that require user data to be stored in Brazil but after the existing giants invest in these local data-storage services you also have to wonder who on earth is going to be able to compete with them? Other global giants capable of making the same investments will be able to compete in the area of global services with local storage requirements. Anyone else? These are going to be increasingly important questions to ask as the debate (and secret negotiations) over the EU’s data-privacy rules debate continues because whatever the EU decides upon is a likely template for multinational data-privacy agreements globally going forward. The concerns over ‘business as usual’ expressed by civil libertarians could morph into concerns over ‘big business as usual. everywhere’ if these new rules are screwed up.
And then there’s the new ‘no spying’ rules
Now that France and Germany are trying to publicly negotiate ‘no spy’ agreements with the US, we could also be looking at a situation where more and more governments want no spy agreements too. How this new era of public ‘no spying’ shapes the evolution of the internet and Big Brother 2.0 given how intertwined the internet is with modern spying will be something to watch:
Lawfare blog
I Spy, You Spy, We All Spy?By Ashley Deeks
Friday, September 6, 2013 at 4:06 PMAmong the documents that Edward Snowden released are reports showing that the NSA had been picking up email and phone conversations by and among foreign leaders. Among the alleged targets were officials from the EU, individual EU member countries, Brazil, and Mexico. While each subject of this reported surveillance has expressed outrage, perhaps no state has been more agitated than Germany. Revelations about NSA activity directed at the EU have posed significant problems for the German government, given East Germany’s history of widespread surveillance of its own citizens by the Stasi. Chancellor Angela Merkel is under political pressure as she runs for re-election, and opposition parties have threatened to delay US-EU trade talks unless and until they obtain greater clarity about these NSA allegations.
One way the United States has addressed Germany’s concern is by agreeing to negotiate an arrangement pursuant to which neither state will spy on the other for governmental or industrial purposes. We might suspect that Germany proposed the idea and the United States acceded to the request, although Germany’s Chancellery Minister Roland Pofalla (in charge of Germany’s secret services and its intelligence cooperation with other states) told the German parliament that the United States had offered to enter into these talks. Negotiations are to begin in September. Merkel’s primary challenger in the upcoming German elections called on her to seek a “binding pledge from the U.S. government” not to spy on Germany, though the United States does not seem to have indicated publicly precisely what kind of “agreement” it is prepared to negotiate.
In view of these pending negotiations, it is worth considering at least two things: (1) the potential impact on international law of an arrangement intended to regulate espionage; and (2) the strategic and practical effects such an arrangement might have on U.S. intelligence in the future.
(1) As to the first issue, there is something inherently odd—as Duncan Hollis noted over at Opinio Juris—about the idea of an international agreement not to do something that states largely decline to acknowledge that they do, and that many states already view as unlawful (at least as a matter of domestic law). But there are at least two ways to think about espionage and international law: you may believe that peacetime espionage violates international law, or you may take the view that international law simply does not purport to regulate espionage, an activity nearly as old as time. If you take the former view, you presumably would invoke customary international law norms such as non-intervention and respect for sovereignty, which the use of secret listening posts and wiretaps by one state in another state would contravene. If you take the latter view, you would argue that ideas such as non-intervention and sovereignty developed against a background understanding that states do and will spy on each other, thus establishing a carve-out within those very concepts that allows—or at least turns a blind eye to—espionage.
Because espionage fits uncomfortably with international law, it is unsurprising that there are few (public) precedents of states agreeing not to spy on each other. The most commonly cited example is the “Five Eyes” agreement among the United States, UK, Canada, Australia, and New Zealand. In a paper submitted by the Canadian executive branch to a Member of Parliament, Canada stated, “Five Eyes allies, in their own national interests as sovereign states, can lawfully collect intelligence in accordance with their own domestic laws while respecting the long-standing convention not to target the communications of one another.” Of course, this sounds like an “understanding” rather than a binding legal arrangement, and there is no way to know the extent to which the Five Eyes states honor such standing arrangements.
In 2010, then-DNI Director Dennis Blair sought a comparable arrangement with France. According to the Telegraph, “Mr Blair proposed an unprecedented written pledge even more binding than the post-war ‘gentlemen’s agreement’ between the US, Britain, Canada, Australia and New Zealand as trusted partners who do not spy on each other. The deal would also have given France access to a highly secure intelligence retrieval and exchange system.” President Obama ultimately scuttled the deal out of concern that the agreement might handcuff the United States if a less U.S.-friendly French government came into power in the future. (Note the underlying assumption that the United States would feel obliged to alter its behavior in the face of such an agreement, even if were not in U.S. interests to do so.) In short, I am unaware of any publicly available bilateral “no spy” agreements involving the United States. However, if the United States and Germany do come to an arrangement, it would illustrate the idea that international law can regulate espionage, however unnatural it may seem.
(2) As to the second issue, what are the potential implications for the United States in entering into such an agreement? In the first place, it depends what the “agreement” looks like. If it is a legally binding arrangement, the United States may find itself torn in the future between violating an international legal commitment and conducting espionage in Germany to pursue, say, reports of an imminent armed attack. If—as seems more likely—it ends up being an arrangement that binds as a political matter but not as a legal one, the United States would retain more leeway to act in ways that don’t strictly comply with whatever the final language is. But even political agreements raise the stakes when violations occur; if the United States were caught spying on Germany in violation of a political arrangement, Germany undoubtedly would be exercised. The specific wording of any such agreement also will be important, of course: a limitation on spying on German officials or industries is different from a limitation on spying in Germany at all (against known terrorist groups, for example).
One potential downside of concluding either a binding or non-binding agreement is that other states (including Brazil and Mexico, for instance) may clamor for comparable arrangements, and express outrage and suspicion if the United States proves unwilling to negotiate such deals with them. Another downside is simply the loss of intelligence if the United States agrees not to spy on Germany—or the loss of access to matters or third parties to which the German government might have unique access. The United States conceivably might be able to glean important intelligence via third parties (such as other Five Eyes states), however. Yet another reason such an arrangement might be undesirable is the reason given by President Obama in the French context: a future German government might prove less friendly to the United States than the current one is. Finally, we might think that the United States has more to lose in such a bilateral arrangement because the United States presumably has a broader capacity to collect intelligence on (and in) Germany than Germany does on the United States. So the quid and quo in the arrangement won’t be equivalent.
...
Part of what makes this new public initiative by France and Germany to work out ‘no spy’ agreements with the US so strange is that it raises a question of how governments would have acted differently in the past if they knew rival governments weren’t spying on them. Would they have behaved differently? If so, how? That’s something worth asking on a government by government basis because, while mass-surveillance of random people is obviously something that has to be stopped everywhere, the surveillance of governments by other governments is a very different situation. We need to start asking ourselves if this is ‘no spying between governments’ thing is actually a good idea because the ‘no spy’-agreement trend may not stop with France and Germany. The genie is officially out of the bottle and it would be incredibly tragic if a global drive to create a world safe from Big Brother became a world safe for Big Brother from the Other Big Brothers. Other Big Brother surveillance is pretty much the only surveillance a Big Brother is going to have in many cases. Big Brothers should spy on each other, it’s the spying on the rest of us that’s the problem. So are we sure these no spy agreements should apply to Merkel too? Do we want to be in a world where there are rules against trying to spy on the most powerful people in the world? Beyond the chilling rise of the far-right that we’re seeing across Europe, there’s one possibility that should be giving everyone pause regarding US/European ‘no spy’ agreements: President Ted Cruz. No spying on President Ted Cruz. Thems the rules.
And in the mean time, be sure to keep an eye on those EU data-privacy laws because the changes to the NSA’s policies over the next year might have an even bigger impact on the EU data-privacy rules than those 4000 amendments yet to be worked out and not in a good way. A lot will have to do with the NSA’s actual role in EU intelligence gathering and how that role could change. By introducing ‘no spy’ agreements to the public discourse, the ability of the NSA to act as the unofficial global spy-monger for both the US’s own interests (which includes general spy-mongering and very expensive Larping) and also spy on behalf of the US’s larger NATO/global alliances and all of their possible foreign-intelligence gathering interests might end up changing quite a bit. That also means we should expect a lot more foreign intelligence agencies to start gathering a lot more foreign intelligence themselves. And that includes the EU member nations, which could translate into the kind of future EU data-privacy rules that civil-libertarians may not enjoy. It’s somewhat counter-intuitive, but it’s very possible that the over-aggression of the NSA’s spying was simultaneously contributing to a temporary under-aggression by allied intelligence agencies around the world because, well, why bother developing global mass spy capabilities when your ally is already creating archive.org for everything and giving you access to it? As the NSA and “Five Eyes” get’s shut out of the data collection business (it could happen with the way the diplomacy is developing) someone else is presumably going to fill the mass-surveillance void and that someone else will probably be someone in the EU, perhaps France and/or Germany. All of that means the upcoming changes to the EU’s data-privacy might get a lot looser. It could be more ‘big business as usual’ and there might even be a few more little Big Brothers than before. Watch out.
Update 11/10/2013
Deutsche Telekom’s plans for a German-intranet appear to have expanded to potentially include the entire 26-country Schengen Area. All traffic would have to stay within the area. Bye bye global internet?
Deutsche Welle
Telecoms plan shielded European Internet
10.11.2013Deutsche Telekom says the scandal over US and British eavesdropping has prompted German providers to contemplate an inner-German or inner-European Internet. Data would no longer be routed and stored via other continents.
Germany’s state-backed Telekom confirmed on Sunday that German providers were discussing an Internet confined within Europe’s “Schengen” countries. One project code-named “Clean Pipe” would help firms to fend off industrial spies and hackers.
Schengen is the Luxembourg border town where in 1985 EU nations initiated a visa-free zone that now encompasses 26 European countries but excludes Britain.
A Telekom spokesman told the German news agency DPA that talks were taking place with “diverse, likely partners.” The project would be unveiled on Monday at an information technology (IT) conference in Bonn.
According to the news magazine Der Spiegel, Telekom managers see fewer technical setup problems than IT experts had at first anticipated.
Germany already has a project entitled “E‑Mail made in Germany” in which Telekom, United Internet and Freenet handle messages inside the national border.
Infiltration via LinkedIN?
The magazine also claimed that the British agency GCHQ had used a method code-named “Quantum Insect” to manipulate the online service LinkedIn and then infiltrate offices, namely the Belgian concern Belgacom and Mach, which handles mobile phone routing.
Computers of nine personnel at the Vienna headquarters of the Organisation of Petroleum Exporting Countries (OPEC) had also been infiltrated by GCHQ. The US National Security Agency (NSA) had also used the method to access OPEC’s general-secretariat, Spiegel claimed.
LinkedIn told Spiegel it would “never approve” such intrusion. Starhome Mach, a successor of Mach, said it would launch a “comprehensive security check.”
Telekom confirmed a report by the weekly Wirtschaftswoche that it together with the electronic security firm Lancom had begun testing “Clean Pipe” among pilot customers.
End in sight for global Internet?
Last month, US security researcher Dan Kaminsky told Reuters that if countries walled themselves off this would cripple the global, originally open structure of the Internet.
Electronic snooping is a sensitive subject in Germany due to the heavy surveillance of citizens in the former communist East and under Hitler’s Nazis.
Revelations of snooping by US and British secret services stem from documents leaked by fugitive and former NSA contractor Edward Snowden. Russia recently granted him one year’s asylum.
Der Spiegel reported in June that the US had tapped half a billion phone calls, emails and text messages in Germany in a typical month.
‘Krypto-handys’ safe
On Sunday, Spiegel said Germany’s Federal Office for IT security had urged Chancellor Angela Merkel’s Berlin bureau and government ministries to use new, reputedly secure “krypto-handys” — mobile phones with encryption.
...
The anti-hacker feature actually sounds pretty neat, although it will be interesting to see how well the EU’s intelligence agencies can avoid taking on more of an NSA-like character in their attempts to eliminate the hacking.
Also keep in mind that Germany’s interior ministry is looking into ways to ward off the EU’s internet from foreign intelligence services. So the main selling point for the new Schengen intranet isn’t just going to be that the traffic will stay within the Schengen area with some sort of EU-anti-hacker feature, but other spying services will be kept out of the area as well. It’ll be an EU-only spy zone:
Deutsche Welle
Germany looks to erect IT barrierAmid revelations concerning the NSA’s spying on the German government, Interior Minister Hans-Peter Friedrich is looking to erect an IT barrier in Germany and Europe. DW takes a look.
Date 04.11.2013
Author Gabriel Borrud
Editor Lori HerberGermany’s Interior Ministry is looking to force Internet Service Providers to keep European data out of the hands of third parties, including intelligence agencies, in the wake of an espionage scandal that has cooled relations between the US and Germany over widespread hacking.
Minister Friedrich told the weekly Welt am Sonntag that he wanted to “incorporate an IT-Security law in the upcoming coalition agreement that would provide a legal framework for hindering the interception of data exchanged [within Germany and Europe] by foreign intelligence.”
But what Friedrich didn’t mention was whether Germany was looking to protect data shared with servers outside Europe — where the vast majority of Internet activity in Germany takes place.
Setting up barriers
“The infrastructure needed to create an inner European network exists,” said Dirk Engling, spokesman of the Chaos Computer Club, Europe’s largest association of hackers.
“But the problem is: This is extremely counterintuitive,” he told DW. “By ‘ensuring’ citizens that they are only safe if they restrict their internet usage to within Europe, what is the Internet there for?”
...
‘We don’t want to cut connections’
Germany’s largest telecommunications company, Deutsche Telekom, has already begun planning a routing system that would restrict all Internet traffic within the country to domestic networks.
“This is just the first step,” said Philipp Blank, corporate blogger for Telekom, adding that eventually the company was looking to expand its routing system to the countries in the border-free Schengen Area.
Blank emphasized, however, that “Telekom does not want to cut connections or restrict users from navigating to sites based outside of Germany or the Schengen Area.”
“Why should email traffic be routed outside [the Schengen Area] if both the sender and receiver are located within its borders? If our system were realized, intelligence services from countries outside this area would find it much more difficult to access this data traffic.”
Safe haven Europe?
Telekom’s claims haven’t won over critics like Dirk Engling of the Chaos Computer Club, who pointed out to DW that spying also took place on data that was restricted to European networks.
“We know now that data was intercepted here on a large scale. So limiting traffic to Germany and Europe doesn’t look as promising as the government and [Telekom] would like you to believe.”
Amelia Andersdotter, who represents the Pirate Party in the European Parliament, told DW that the issue goes far beyond Internet security, dismissing Friedrich’s proposals as “trumped-up lip service.”
“Our politicians are making these claims now about IT security to enhance their popularity. It’s lip service, and it’s ineffective, and it’s hypocritical. Over the last decade governments have worked together with companies to build up infrastructure that creates insecurity, in effect preventing the Internet from serving its true purpose of communication and self-empowerment.”
And in the face of revelations of spying in Europe — not only by the NSA — Andersdotter called on the German government to focus more on the protection of human rights in its cyber security pledge:
“The spying we’ve seen is an egregious violation of human rights. Why should we believe that the limitation of internet traffic to Germany and Europe means the problem is solved? To me it seems very vague, if not suspect.”
A Schengen Area intranet would also imply that the GCHQ would also be barred from spying on EU traffic(since the UK and Ireland aren’t members). This also means that the Schengen Area intelligence services are going to be primary responsible for intelligence gathering (assuming the prohibition on foreign-intelligence gathering is truly feasible and isn’t just a farce for public consumption). Given this possibility of an EU spy-takeover of the Schengen Area, it’s good to see that the folks in the Pirate Party and Chaos Computer Club are skeptical of this proposal as a solution to mass-surveillance because whatever concerns they have regarding the proclivity of EU spy agencies to mass-spy now are about to get a lot worse once the EU takes sole ownership of the responsibility to Schengen Area spying (no GCHQ spyware allowed. That function will be in-housed). Even if the EU somehow finds a way to start out spying responsibly under this new system, it’s not too hard for a responsibility to spy responsibly to turn into a responsibility to spy irresponsibly when you’re the primary organization doing the spying partially on behalf of the entire global community. Mission creep can apply to continental intranets too. Especially when they start in-housing outsourced domestic spying responsibilities.
Something to consider regarding the potential costs and incentives the large multinationals might have to see a move like Germany or Brazil creating their own internal internet: Many of the changes that could be required if the internet starts fragmenting along national lines might be similar to the changes that would happen if net-neutrality is lost. In either case, the internet could break in very profitable ways:
In addition to the impact that the DC Appeals court ruling could have on net-neutrality, keep in mind that the EU is putting into place new net-neutrality laws too. The proposed rules announced in September sounded like they would protect net-neutrality, but that might be changing. In secret:
See the 11/10/2013 update in the OP on the new Schengen-Area intranet plans.
Heh, I had missed this: it turns out that David Cameron wasn’t the only EU leader that played a role in stalling the new EU data privacy rules overhaul:
Should we say ‘so long’ to the US-EU safe harbor data agreement? Maybe, because that’s what the EU panel investigating the NSA spying scandal is expected to recommend:
The EU just unveiled its proposed changes to the governance of the internet in response to the Snowden affair. The proposals mostly appear to focus on setting up a timeline for shifting control of ICANN out of US jurisdiction. But the EU is also opposing moving ICANN under the UN’s domain. No international control and no government control. Instead, it sounds like the plan is to continue the “open multi-stakeholder governance” model for ICANN, but under a new type of international “governance network”. If that sounds sort of nebulous it is because it is:
As EU Telecom Commissioner Neelie Kroes put it, in order “to avoid a split of the global political community” and an unravelling of the internet into “a series of regional and national networks,” there is a need to act urgently. So they’re acting urgently. Whether or not they’re acting appropriately too sort of depends on how the “open multi-stakeholder governance” model actually works. And that’s still an open question. The internet is currently operated under a multi-stakeholder model but it’s a model that still include US jurisdiction for some aspects of how the internet’s core works. In the interview of ICANN’s CEO below, however, the the multi-stakeholder governance model of the future “what you want instead is to create governance networks — a term I’m pushing. Not governance institutions, not governance regulations. What we need in the age of the Internet is governance networks. These are networks that are formed by multiple stakeholders to solve governance characteristics.” So the vision for the global internet governance is, like, government, but not government. That’s deep:
Once again: “what we’re going to do at a meeting on April 23 in Sao Paulo is propose an interconnected governance ecosystem. We’re creating a highly distributed but also structured way to address the issues by establishing new governance networks. We’ll make sure these are well coordinated at the global, regional, and national levels. It’s like a 21st century governance system for the Internet.”
So they’re proposing an “interconnected governance ecosystem” that won’t be run by governments or the UN. Assuming this isn’t some privatized-global-regulation trojan horse, this is potentially a big development, for good or ill. The multi-stakeholder model has worked pretty well at governing the internet so far, but there’s no guarantee of that going forward. In addition, whatever “interconnected governance ecosystem” model they agree upon could have applications beyond just sharing the governance of the internet. What other forms of global commerce might also lend themselves to the new 21st century “open multi-stakeholder governance” model and will these necessarily be situations where that model makes sense? We’ll see!
Following up on the EU’s proposed overhaul to how the internet is governed: Here’s an article from October that discusses a leaked document from the Seoul Conference on Cyberspace calling for the creation of a “Commission on the Future of Internet Cooperation” to “provide new ideas for transnational and multi-stakeholder proposals for Internet governance”. While the status of that proposal is a secret, the article points out that ICANN CEO, Fadi Chehade, gave a speech at the Bali Internet Governance Forum where he gave a hint of the structure of upcoming summit in Brazil. According to the author below, the model Chehade has in mind for deciding the fate of the internet might have an eery resemblance to another governance model: the corporatist governance model. And as the author also points out, the corporatist criticism of the summit in Brazil might also apply the multi-stakeholder model itself:
So every country will get three representatives at the upcoming summit that might shape the future of the internet: One from government, one from business, and one representing civil society’s interests. China and India won’t be too enthusiastic about it but the EU probably shouldn’t mind. And the seasteaders had better hurry up! As that author points out, “there has always been an unfortunate link between the concept of multstakeholderism and the corporatist mindset of the 1920s and ’30s” and that’s a scene the seasteaders really don’t want to miss.
While Angela Merkel has shown no sign of easing up on her desire to mandate EU citizens’ internet data to be stored in the EU, it still doesn’t look like meaningful protections for that data once it’s inside the EU are really on Merkel’s agenda:
The EU parliament just overwhelmingly backed the new set of data privacy rules, including a resolution to suspend the “Safe Harbor” agreement with the US and the Terrorist Finance Tracking Program. The European Commission still needs to approve that resolution (which it has so far resisted), and national parliaments still need to approve the package, but it sounds like the new EU data privacy rules are coming into force sooner or later:
So member states are still going to have the latitude to interpret cross-border law enforcement data-sharing rules as they see fit. This sets the EU up for an interesting dynamic because the new rules also allow for anyone to complain to data protection authority from any of the EU members states. The choice is up to the citizen so there’s potentially going to be a competitive market amongst EU member states for generous interpretations of data-privacy laws. Could that include a market for shielding data from law enforcement?
It sure sounds like the conservative MEPs tend to view the new law as allowing for the the restriction of legitimate law enforcement activities which suggests that we should expect a looser interpretation of those data-sharing rules in some countries than others. But could we see the emergence of EU states that embrace extremely tough data-privacy regulations as a national competitive advantage? A sort of Swiss vault for the EU’s citizens and corporations (that can afford the services)? Because it sounds like that could be possible under this new framework. Might Cyprus or Luxembourg become the Switzerland of data-privacy? Or Sweden? It’s kind of a hot market right now:
The EU’s data privacy member state market might almost open for business. What that market is going to look like and what impact it might have on the EU and larger global community is still an open question.
The EU parliament has been threatening to derail a US-EU free trade if the US doesn’t end mass data collection, but it looks like that threat has been extended to EU national governments too. If EU member states don’t also make steps to restrict surveillance the deal could be off:
Let the competition for competitive advantage in data-privacy rules begin! Indirectly!
How might enhanced data-privacy rules (that will presumably be most helpful to those with the resources to fully exploit them) enhance the attractiveness of an EU member for money-laundering purposes? Out with the old ‘European Bazaar’, in with the new one?
@Pterrafractyl–
Good find. The whole web/phone-snooping dynamic very much involves monitoring of illicit money flows by the %1 and allied corporate interests, not to mention crooks.
This has been largely eclipsed.
Also: note the EU and Germany’s behavior in the context of Serpent’s Walk.
If one is to truly remake the past and control “opinion-forming media”,
one must gain control of the internet.
I suspect that Germany’s and Brazil’s ramping up of their IT and internet sectors is ultimately directed at this.
Best,
Dave
With the EU’s historic data-privacy negotiations on track to be finalized this year the window of opportunity to shape the new law is steadily closing, which means we should probably expect a lot more reports like this:
So it’s pretty clear that Germany’s ISPs are going to be lobbying hard for some sort of rules designed to reduce the European market dominance of US internet giants. And it’s also pretty clear that the implementation of a strict new EU-wide data privacy regime is a central to that goal.
Still, don’t assume that the EU is merely determined to push the US tech giants out of Europe. This is about the world:
Is the EU’s new data privacy regime going to go global? That’s the plan. And, yes, you read that right, the EU pushed to get its new “Right to be forgotten” law to apply to ALL domains for search engine companies like Google and not just EU domains. It’s a reminder that the globalization of the EU’s data-privacy rules might not exclusively rely on persuasion.
Still, persuasion is going to be necessary and that means those new data-privacy rules are going to have to be the kind of thing that either voters outside the EU would like to see their governments adopt OR businesses outside the EU. Or both. It’s an interesting conundrum since so much of what consumer like about the proposed rules businesses hate and vice versa. It’s not obvious how to thread that needle.
Ok, there’s one obvious option: quietly gut the new data-privacy laws so that consumers think they gained all these new protections but businesses are still quietly allowed to proceed with business (collecting and selling your data) as usual. Maybe that’s what will happen:
“What’s more, the Council proposes that data can be processed under an “legitimate interest” exception. This means that consent is not needed if the company feels that they have a legitimate interest in processing personal data, and would allow data to be passed on to third parties.”
It would be legitimately interesting to learn what constitutes a “legitimate interest”, but perhaps even more legitimately interesting is what constitutes “other important objectives of general public interest”:
So the “important objectives of general public interest” can include something other than “national security, defense and public security reasons”, which raises the question of what on earth could the “other important objectives” be that don’t fall under the general “national security, defense and public security” umbrella? Is the EU about to make up a whole new category of justifications for citizen profiling? Ironically, if so, the EU’s new data-privacy rules are probably a lot more likely to go global than you might expect.
There was a pretty development in EU-US data privacy arrangement last week. It doesn’t guarantee that the the “Safe Harbor” data transfer agreement that allows US firms like Facebook and Google to transfer the personal data of EU residents back to their US operations will be overturned, but it definitely increases the likelihood of exactly that happening:
A top adviser to the EU’s top constitutional court cited NSA spying as the primary reason for his recommendation that the EU suspend “Safe Harbor”. It’s a non-binding resolution, but his advice is usually followed, so it’s a predictive non-binding resolution:
Note that this recommendation appears to be coming at a time when the EU and US have been attempting to finalize a deal for overhauling the existing Safe Harbor agreement:
But also note that the particular deal the US and EU were attempting to finalizing in recent weeks wasn’t the deal over a new Safe Harbor agreement, although closely related. It was a security/terrorism data-sharing agreement that places new limit US access to EU citizen data and opens US courts up to lawsuits by EU citizens if they feel their privacy rights have been violated and predicated on Congress passing some additional data-privacy laws:
So the US and EU agree to expand government-to-government data sharing on citizens, but in exchange for greater internal and legal safeguards. This seems like the kind of development that should be a rather big deal in the post-Snowden era. Then again, it’s all contingent on the US Congress passing Mr. Sensenbrenner’s bill that allows EU citizens to sue in US courts if they feel their privacy rights have been violated, so maybe this deal is assumed to be mostly symbolic:
Keep in mind that this agreement was worked out before John Boehner resigned as Speaker of the US House and potentially handed the keys to the Congressional car to the extra crazy wing of the extra crazy party. So it’s not really clear what to expect in terms of the passage of the bill by Congress as required by the deal going into an election year.
But if that bill isn’t passed, Safe Harbor might actually get repealed, which could create massive headache for at least parts of the the US tech sector operating in Europe. The large companies like Facebook and Google may not care very much since the giants already have EU-based data warehouses and operations. But for the tiny US firms with limited resources operating in the EU, the repeal of Safe Harbor may not be very fun. And the passage, or refusal to pass, by a GOP-controlled Congress of the Judicial Redress Bill could be about exactly one of those factors that determines whether or not Safe Harbor gets repealed.
So it’s very that the repeal of Safe Harbor is up to the yet to be determined GOP House leadership to shepherd the passage of the Judicial Redress Bill. The yet to be determined GOP House leadership.
But it’s also worth keeping in mind that the EU parliament has to pass the agreement too. And there is no shortage of questions about what the “Umbrella agreement” actually means, in parts because it’s still not known if the EU’s future data privacy laws that have yet to be worked out (the “future data protection directives” referred to below) will take precedence over the “Umbrella agreement”. So even when you ignore the institutionalized madness that has gripped the US congress, there’s going to be no shortage of questions from the EU too:
“This bill would put Europeans on a level footing with Americans in the US; US citizens already have data protection rights in Europe.”
That’s something worth keeping in mind: US citizens already enjoys the protections the EU citizens will receive if the “Umbrella agreement” is implemented.
And then there’s the addition question of whether or not the yet to be finalized EU data privacy directives will take prececent:
So there could be some significant legal barriers to US spying on Eu citizens coming up, which is especially notable since the “Five Eyes” is presumably doing much of the domestic spying, as a proxy, for the “Nine Eyes” and “Fourteen Eyes”, which includes a lot of the EU.
So the in-housing of EU domestic spying operations could be something to keep in eye on if the shakeup in how the US and EU divide up their spying labor and share the results. We’ll see what happens but it’s looking like a number of new data centers are probably about to be built in Europe. Filled with domestic data. Delicious domestic data.
In other news...
It looks like it’s time to say “so long” to Safe Harbour
Well that should teach US tech giants that are actually collecting the bulk of EU citizen private data a lesson:
So now we get to not only find out what, if any, agreement replaces Safe Harbour but also how individual EU governments that were outsourcing their domestic spying to the NSA are going to do now which may not be obvious because new methods used by governments for domestic surveillance aren’t necessarily discussed in the daily news. Although sometimes they are:
So if you’ve been a web service based in France it was probably spied on already, but now that spying should have more legal protections:
“If the French Parliament passes this bill, it will mean that France has decided to embody and excuse the same practices as the NSA in its own law”
With Safe Harbor no longer valid, the scramble is underway among US tech firms to figure how how to adapt. And as the article below points out, if firms are assuming that they’re going to now have to move their servers over to an EU nation they might be disappointed because based on the new ruling, each EU nation could decide to set up its own local storage requirement:
“The challenge of sharing data between Europe and the U.S. might become more complex. Tuesday’s ruling gives more power to local regulators to challenge the European Commission, the EU’s executive arm, on data-protection issues. Individual European countries could require local storage, said Mr. Babel of Truste.”
Keep in mind we don’t actually know if any EU members are going to specify that you have to store their citizen data in that specific country, but it sounds like that could be an option to national legislators going forward. And either way, a lot more of the data generated by EU citizens on US-owned internet services is going to end up being stored somewhere in the EU. All safe and sound.
US internet companies currently fretting over the collapse of the US/EU Safe Harbor data sharing agreement can fret a bit less. The EU recently announced an agreement in principle with the US on Safe Harbor 2.0:
“Ms. Jourova also said the new deal would establish an annual review mechanism run by authorities on both sides of the Atlantic that would monitor whether law enforcement and national security services complied with limits on access to Europeans’ data.”
So it sounds like an annual review mechanism might be a key part of the new Safe Harbor agreement. But it also sounds like Max Schrems, the Austrian law student and plaintiff in the case against Facebook that actually resulted in the European constitutional court ruling that killed Safe Harbor, remains skeptical that an agreement that meets the court’s standards will actually be achievable because that would require the end of US mass surveillance policies:
“The interest of a new Safe Harbor may be limited in the U.S. when they realize what they have to meet in a new Safe Harbor,...If you look at the [court’s] judgment…it would basically require the end of U.S. mass surveillance.”
That’s the view from Schrem, and if Germany’s data-protection authorities are any indication of the likelihood of this tentative Safe Harbor 2.0 framework, Schrem’s skepticism might be warranted:
Yes, Germany’s data-protection authorities “said they wouldn’t approve any new transfers of data to the U.S. — even for transfers based on arrangements different from the trans-Atlantic data-transfer pact knocked down by the European Union’s highest court.” And that’s something that could happen for years to come given the court’s ruling since national data-protection authorities are free to protect their citizens’ data as they see fit...
And how does Germany’s data-protection authorities recommend businesses deal with the all the legal and regulatory uncertainty? Just store the data on EU servers in the future:
Well, the EU data storage industry is probably ok with that suggestion. And if a new Safe Harbor agreement can’t be reach in the next few months it may not be just a suggestion. Shutting down EU operations or setting up data storage in the EU might be the only two remaining options for internet business operating in the EU.
Of course, this still leaves the question of which EU nation you should store your business’s data in since the data protection rules are going to vary from nation to nation. You have a number of options, although thanks to the array of new domestic surveillance laws that have being passed by nations across the EU that curiously don’t seem to be a part of the Safe Harbor debate, your many European options may not be great options:
So that’s where we are: the US and EU have a couple months left to work out Safe Harbor 2.0 or else all EU-to-US data transfers become illegal. And even if a new agreement in worked out, it looks like Germany’s data protection authorities are going to continue to ban Germany-to-US transfers unless the US basically adopts exactly the same surveillance laws as the EU and applies them equally to EU citizens.
How’s But as the article above points out, this entire debate is happening within the context of growing domestic surveillance powers in one EU country after another that don’t meet the EU standards either:
And that all may point us towards a likely long-term resolution to the “Safe Harbor” debate: the EU constitutional court ruled that US’s laws must meet EU privacy standards while, at the same time, EU members are passing laws that don’t meet those standards either. So there’s clearly a fight coming up between the EU’s constitutional court and EU member states, and there’s no guarantee that the constitutional court won’t rule in favor of allowing greater surveillance. After all, those future fights could very well be taking place in a very different security environment where the US has already dramatically scaled back its surveillance of EU citizens. And since the NSA has basically been acting as a proxy domestic surveillance agency for EU nations for decades, those future fights within the EU could be taking place when the choice really is between having domestic surveillance capabilities or not.
All indications right now are that EU members want to end their long-standing use of the NSA as Europe’s proxy-spy agency, but all indications are also that these same EU members want to simultaneously and dramatically ramp up their own domestic spying capabilities. So while it’s widely assumed that the US has to cut back on spying to get a new “Safe Habor” agreement, which might be the case in the short-run, the long-run implications of the EU court’s rulings may not be that significant on US surveillance laws if the EU is simultaneously increasing its own domestic spying.
So we probably shouldn’t be super surprised if a large number of US firms start transferring and keeping their EU data on EU servers next year. Whether or not that data is forced to stay there due to a lack of harmonization between US and EU privacy laws, however, seems like more of an open question.
If you manage a US-based IT company with a significant market in the EU and your company didn’t rely on the now-invalid US/EU Safe Harbor agreement for data-sharing but instead used one of the alternate mechanisms like Binding Corporate Rules or Model Clauses, you’re probably giving thanks this for those relying on those mechanisms instead of Safe Harbor during your Thanksgiving Day feast. And if your one of those thankful individuals and you need a little adrenline to knock you out of that Tofurkey-coma, this should do the trick:
Have fun digesting this one:
Yes, it is indeed hard to see anybody rolling back their surveillance following the Paris attacks. Maybe they’re even going to increase those efforts. *burp*
In other news...
Well, after almost three years of negotiations (a time frame that included the Snowden Affair and the following implosion of the US/EU “Safe Harbor” treaty) the EU’s new data privacy regulations are ready. This is following a four and a half month secret ‘trilogue’ negotiation that started in July 2015 and ended in December with the final negotiated text. But it’s here. The EU’s data privacy rules are finally finalized:
While internet firms everywhere that do business in the EU are probably at least somewhat pleased to see a final set of rules they can plan for, it’s going to be very interesting to see how much fear we see in the business community over potential fines of 4 percent of global revenues for non-compliance:
Yeah, Google, Facebook, Apple, and Microsoft probably weren’t super-enthusiastic about that part.
But something worth keeping in mind is that the internet giants of today may aren’t necessarily going to be the personal data giants of tomorrow. The “Internet of Things” (IoT) is going to provide an opportunity for a large chunk of the personal digital data we generate in the future to get splintered off into a variety of different businesses beyond the Silicon Valley giants of today.
Sure, Googles of tomorrow will probably play a role in sharing and processing data with the IoT manufacturers and might be the main holders of personal data as the IoT continues to get more and more inserted into the meat space. Or maybe there will be a radical change in how people handle their personal digital data and the internet giants of today lose their grip on the data streams of our lives. Either way, the IoT is only going to get more and more incorporated into our lives, and if Germany’s auto industry gives us a hint of what to expect, the new EU data privacy laws are about to become a giant IoT turf war over who gets to own the data collected by their products. Not surprisingly, Google is seen as the industry’s mortal threat that must be stopped before the data services giant gains too strong of a grip on the personal data collected via our future smart cars. And as the article below makes clear, Germany’s auto manufacturers want to use the EU’s data privacy laws to keep Google out of Germany’s (and presumably Europe’s) cars. And Merkel’s government is receptive. And that’s just one sector, albeit of big one, of the coming “Internet of Things”.
So with the new EU data privacy laws coming into effect in 2018 there’s no doubt going to be a growing number of questions that arise, especially as the IoT evolves. But one thing is clear: EU data privacy lawyers like the fellow that wrote the above article are going to be really busy for the next few decades:
“A car today is a second living room—and that’s private...customers want to be at the center [of the benefits that come from connectivity] and not exploited for it...They want to be in control of their data and not subject to monitoring.”
That was how Audi CEO Rupert Stadler put in last July when he about the potential damage the all seeing eye of Google could do to the digital car experience. And not surprisingly, the German government is on board with the idea:
As far as national branding goes, that’s not a bad move. At least assuming these auto manufacturers don’t get caught commercializing or otherwise abusing that data for their own ends. It’s something VW CEO Martin Winterkorn no doubt recognizes these days:
And when we consider VW’s ongoing fraud scandal, it highlights part of what’s going to make the new EU data privacy rules so fascinating to watch unfold: There’s clearly a push to make the EU the global personal data warehouse of choice under the premise that users will get greater personal data protections when its under EU jurisdiction. And who knows, maybe there’s going to be really vigilant enforcement of all the new EU data privacy laws, which would be amazing and great.
If that EU personal data haven does come to fruition we would expect a much larger share of the global personal data to fall under EU jurisdiction. But, of course, the more personal data EU businesses collect, the more tempted those businesses are going to be to find ways to make some money off that data. And if you listen to the just the fretting on the part of German auto manufacturers over the prospect of Google getting its hands on that data it might seem like the plan is to create internet-connected cars that are effectively personal data havens and use that “branding” as a way to sell more cars. But when you listen the all the other plans the industry has for the future it’s becoming increasingly clear that the auto manufacturers want to keep Google’s (and Apple’s) hands off that data mostly so the automakers are the only ones to profit on it:
“The more Google and other software makers manage to embed themselves in the ecosystem of a car, the more consumer money will go to technology companies instead of carmakers, said Juergen Reiner, a partner at consulting company Oliver Wyman.”
And with all that potential money at risk, it’s no surprise that the politicians of a country like Germany, where 1 in 7 jobs are auto-related, are keen on seeing an EU-made data-architecture become the industry standard:
And while it would be great to assume an EU-made “data architecture” for the future of internet-connected cars would be one where personal privacy is made a premium and all that potential money that could be made from exploiting that data is intentionally not made, it’s also pretty hard to believe that’s how it’s going to be. Especially when you read about studies like this:
“The car, a BMW 320d, also recorded the length of time the driver used different driving modes, and recorded when the seatbelt tightened due to sudden braking. More sinisterly, it also transmitted the latest destinations entered into the car’s navigation system, and personal information such as contacts synchronized from mobile phones.”
Wow, so the FIA decides to study what consumer information is getting sent back to manufacturers, they choose a single model to start their study, the BMW 320d, and it turns out the car sends personal information like contacts synchronized from mobile phones back to BMW. And what’s FIA’s recommendation? That internet-connected cars should offer owners the opportunity to switch service providers, which is basically the opposite of the “it our data!” attitude expressed by the manufacturers. And starting in 2018, the EU is mandating that ALL new cars be internet-connected and constantly streaming data:
So there’s a pretty massive conflict of interests emerging in the auto industry and it’s not just a conflict between consumers and a manufacturer. It’s a conflict between consumers and ALL the different manufacturer’s whose technology might have access to the personal data generated by the vehicle. And also a conflict between all those manufacturers who all have an economic incentive to be the sole collectors of that data.
But there’s another interesting potential conflict on the horizon and that involves each nation’s data privacy regulators. The way the new laws work, each nation is going to be in charge of enforcing the data privacy rules according to its own interpretations of those ruls and a company only needs to follow the rules of the EU country it’s headquartered in. This was seen as one of the biggest benefits from the new EU data privacy rules for companies operating in the EU.
But there’s a catch: since EU member states have the flexibility to interpret and enforce rules somewhat differently, a compromise was made where other the data privacy authorities of other EU member states can “object” to a particular member’s data privacy rulings. And if they can’t come to an agreement the whole dispute is arbitrated by the European Data Protection Board (EDPB). And as we saw with the Germany auto manufacturers and Google, there’s going to be A LOT of potential commercial disputes as various industries try to use data privacy rules to influence which firms can compete in different digital markets, whether its the traditional internet or the “Internet of Things”.
So while internet companies can be pleased to see the final rules EU data privacy rules finally take shape, questions of how the conflicts get worked out between EU members over the inevitably differing interpretation of those rules (that might involved conflicting commercial interests and digital turf wars) and which members’ desires end up getting favored by the EDPB that resolves those conflicts is going to be something data privacy advocates (and everyone else) really needs to watch:
“If there is disagreement between regulators the case will be referred to a European Data Protection Board (EDPB), yet to be created, to take binding decisions.”
Yep, regulatory disagreements are going to get sent to the yet to be created EDPB. So it’s going to be pretty critical to see how the EDPB finally takes shape. Especially since its rulings will presumably impact the rulings like the new fines that could reach 4 percent of global revenues for corporations. And note how the creation of the EDPB was apparently done to assuage concerns that members states wouldn’t be able to adequate investigate US tech firms for privacy violations of their citizens:
Yep, the the whole system involving “objections” between member states and the creation of the EDPB was set up because some national data regulators were keen on ensuring companies like Google and Apple couldn’t find an EU member that’s more lenient on privacy violations (like Ireland), and shield themselves from, say, German data privacy regulators while still operating across the EU.
But with the EDPB system set up to allow for fights between EU member states on data privacy issues that could have huge potential impacts on critical national industries, why would, for instance, Germany automakers be ONLY interested in keeping US or other foreign firms out of its internet-connected car markets? What about other potential EU competitors in the “digital cars” software that might be headquartered in, say, France? And don’t forget the mass surveillance policies of most EU member states have become much more mass surveillance friendly in recent years despite the the post-Snowden freak out (and despite the passage of big new data privacy regulations). so if compliance with US mass surveillance policies are viewed as a viable reason for fining or blocking companies like Google or Apple out the EU markets, what opportunities will the mass surveillance policies of individual EU states create for waged intra-EU commercial turf wars?
And keep in mind that this just the auto industry we’re talking about. Now imagine the rest of the “Internet of Things” that pops up going forward, all these digital things talking to each other, sharing data, and creating fun new data privacy headaches but also fun new opportunities for manufacturers to become the sole software provider (and sole data collector). Aren’t the manufacturers across the whole IoT going to have an interest in ensuring that they, and they alone, collect and profit from the personal data their devices collect? It’s hard to see why that wouldn’t be the case.
So there’s no shortage of major questions about how the EU’s new data privacy regime will unfold and reshape the digital economy of the future. But one thing is very clear: Google is going to get sued. A lot. And Apple and probably the rest of the Silicon Valley personal data giants operating in the EU are totally getting sued too. Repeatedly. That’s basically a given at this point. The EDPB was set up for that purpose.
Here’s a peek at all the fun new features currently under development by Audi for the next generation of internet-connected cars that will likely also be self-driving cars that allow the passengers to basically treat the car as a living room on the road (as Audi’s CEO once put it), with internet browsing and all sorts of other options. Also included is a system for measuring the passengers’ physical vital signs, like heart rate and skin temperature, and then using that information to make assessments about the passengers’ state of mind and modify the internal environment according to make it was relaxing and rejuvenating a trip as possible. And then there’s the feature that turns each car into one part of a larger “swarm” that’s constantly feeding information to the cloud for the purpose of updating everyone about changing road conditions. All pretty neat! It’s also a whole new data privacy nightmare:
“The Audi Fit Driver project is focusing on the well-being of the driver. Audi has a vision of drivers who step out of their cars at their destinations feeling more relaxed than when they stepped into them. A wearable – a fitness wristband or watch – monitors important vital parameters such as heart rate and skin temperature. The car’s sensors supplement them with information on driving style, breathing rate and relevant environmental data such as the weather or traffic situation. By analysing the combination of this data, the car can deduce the current state of the driver, e.g. whether the driver is stressed or overly tired. The vehicle systems then adjust their modes of operation to relax, vitalise, or even protect the driver.”
That’s quite a car. And while such features are cutting edge today, they’re probably going to be standardized over the next decade. And while passengers can presumably just not wear the wristband/watch if they aren’t super comfortable with a car that can “deduce the current stat of the driver”, it would be interesting to learn if this internal passenger-focused sensor data is part of the rest of the vehicular sensor data that’s getting streamed back to to Audi:
Could the “Audi Fit Driver” data get sent back to Audi too? We’ll have to wait for more product information to find out but it’s an example of the kind of data that cars are going to be generating in the future and it’s hard to see how accessing and commercializing that data isn’t going to be increasingly tempting. Let’s hope those data privacy regulators keep an eye on this.
Also keep in mind that the kind of personal data generating for these next generation cars isn’t just useful for potentially selling to third parties or more effectively marketing to your own customers. It’s also incredibly valuable to developing the next-generation of that same technology. Especially when it comes to the artificial intelligence systems that use “deep learning” to intelligently navigate the car’s environment:
Move over KITT!
Now your car is going to develop facial/auto recognition technology that gets “smarter” the more you let it observe the world. And this “deep learning” is intended to take place in the car itself and not rely on a constant internet connection and remote servers to process the data, which makes sense for something like a moving vehicle. But as Audi also points out, part of the improvement in artificial intelligence will come from using the data gathered in the early models and throwing it into “a database to foster future advances in such recognition.” That sure sound like all that data is getting sent back to Audi.
So in the not too distant future our cars could be equipped for “deep learning” technology that includes facial and vehicular recognition technology that’s constantly monitoring your car’s surroundings and sending that info back to your auto manufacturer for the purpose of developing the next generation of the technology. At least, let’s hope that’s all they use it for. As Audi points out above, ““When it comes to data protection, the usual strict regulations by Audi apply.” And technology like the “Audi Fit Driver” system that monitors the passenger’s mood is only available in Audi’s German models for the time being, and Germany, at least officially, has some of the strongest data privacy laws in the world. But at some point technology like that is going to be exported to countries with different data privacy standards which is going to make it very interesting to see just how much data our future cars start sweeping up as cars fitted with an array of sensors and “deep learning” artificial intelligence becomes the norm and what the laws are regarding who “owns” that data and how it can be used.
Also don’t forget that Audi is owned by VW. So while there are indeed laws that will determine how that personal data is used, whether or not those laws are respected is a very open question.
Here’s another look at how the issue of ownership over the data gathered by the vehicles we drive (or ride in while they drive themselves) is poised to become an increasingly complex question. Data ownership is going to be enough of a headache when you have car manufacturers fighting with digital service providers like Google over who owns what. But how about the cars you rent or lease? That’s a bigger headache:
“The data that we hold has a commercial value. We can access information on how thousands of different types of vehicles operate in real world conditions...From time to time, we have been approached by organisations who would like access to that data and we have refused, but it shows that there is an appetite for the kind of information that the connected car and van will provide.”
@Pterrafractyl
Thanks for all you do to shed the light that you shed. When it comes to big data and car fleets and big data in general the internet of things definitely and who controls the data are huge issues. I think Dave is right and it is mostly going to be the milieu Paul Manning wrote about and they are mostly going to run the show.
Sincere thanks,
GK
@GK: One of the things to keep in mind regarding who owns the data on car fleets is that the data privacy rights for the digital cars and the Internet of Things in general are almost certainly going to be weaker for devices that rented/leased vs privately owned. In other words, Google or Volkswagen might both potentially gain access to some of the private data privately owned by an individual who uses the car’s various digital tools. But Google, Volkswagen, fleet operators, and all sorts of other third-parties are potentially going to have access to a lot more car-derived private data if that digital car happens to be rented or leased.
So with that public vs private duality in data privacy protections in mind, it’s worth noting that General Motors just announced a partnership with Lyft to create a fleet of self-driving cars, and the president of General Motors later stated that self-driving car technology will first get released to the public in the form of car-sharing services operating by companies like GM and Lyft, as opposed to privately owned self-driving cars. He also predicted that these car-sharing fleets of self-driving cars will know you personally and be customized to your digital tastes. So the self-driving car revolution, as envisioned by the current major stakeholders, is going to start off as a self-driving car-sharing rental service:
“With your Lyft profile, the car will know who you are and your preferences and will arrive preset with all the things you like — think Spotify playlists and ideal seat settings. All you’ll have to do is tell it where you’re going within downtown Austin and it’ll take you there autonomously.”
For the car-sharers of the future, car-sharing services like what Lyft and GM are envisioning could become the more affordable version of a owning a personal car. And if fewer cars are needed to transport people that is a real increase in efficiency that’s exactly what a resource-constrained world need. But it’s an efficiency that’s going to potentially turn companies like Lyft and GM into new personal data collectors of a similar vein to what Google or your cellphone company already do. The “Lyft Profile” sure does sound like a Google-ish digital profile and it seems likely that GM has similar ambitions to the German auto manufacturers that made it clear they want to restrict access to the personal digital/internet information generated from the digital cars they manufacture to themselves.
And that’s just internet-connected car-sharing at the very expensive end of consumer products. Offering customized digital services like internet access when you’re in the car (but then also quietly tracking the usage of that service) could be one of those things that gets incorporated into all sorts of shared internet-connected physical objects going forward, especially at the free-or-nearly-free end of the spectrum because giving people digital devices because free devices offering internet usage services will eventually be able to pay for themselves by mining that usage. Sort of like what 21 Inc is doing with free bitcoin-mining devices, but instead of mining bitcoins, the devices could offer internet services in exchange for tracking your usage of those services. Who knows what’s going to be possible in that sector as wireless internet access becomes more and more available and the Internet of Things explodes. Mark Zuckerberg’s controversial Internet.org initiative to provide free access to poor Indians to a Facebook-selected subset of the Internet (Facebook also gets to track your usage on it) is a great example of the kind of “free” internet services that the internet content giants like Facebook are going to be interested in providing, but that’s just the content side of things. The Internet of Things is going to create opportunities to provide free (but spying) internet access, especially if its to a free (but spied on) internet walled-garden like Zuckerberg’s
At the same time, even if the Internet of Things explodes with free spyware, the digital cars really are going to be uniquely power sources of personal information simply because they’re going to be bristling with more and more sophisticated environmental sensing devices as self-driving technology advances that are going to be collecting data that goes far beyond your internet usage. Internet connected cars with cameras and “deep learning” facial recognition software turn every digital car into a something analogous to a Google-Maps car, except they’ll potentially be mapping the outdoor movements of the random people in your town as they get picked up on the cameras of growing fleets of self-driving internet-connected cars covered with sensors and facial recognition technology.
So in the future a number of us are probably going to be accessing the internet on our way to work as we ride in our shared autonomous car, with the internet device manufacturer, auto manfacturer, and car-sharing fleet operator like Lyft all potentially claiming access to that internet usage data. And your car will be constantly scanning and identifying people in your environment and potentially sending it back to a headquarters. The age of the smartphone data privacy nightmare is growing alarmingly quaint.
With the US and EU still trying to hammer out some sort of replacement for the Safe Harbor data sharing agreement, it’s worth noting that the Safe Harbor agreement with the EU wasn’t the only Safe Harbor agreement to dissolve in recent years following the Snowden affair. As the article below notes, the US-Swiss Safe Harbor agreement was also deemed invalid. And as a new US/Swiss data sharing agreement gets works out, one thing is clear: once Swiss data leaves Switzerland and travels to the US, the Swiss would like the replacement for Safe Harbor to minimize access to that data by US law enforcement and national security services to the greatest extent possible. And don’t forget that Swiss law also views business data as personal data, and personal data has extremely high legal protections in Switzerland. So if you’re an extremely high-net worth individual that doesn’t just have a lot of money to hide, but also a lot of personal or business data you’d really like to keep out of authorities’ hands, and you hadn’t already considered moving to Switzerland, it might be time to considering a life in Switzerland:
“We all know the United States like to enforce their laws abroad...the future will show if Swiss institutions will be able to resist them.”
Those were the words of the former Federal Data Protection and Information Commissioner chief Hanspeter Thür. It’s quite a sales pitch. On top of all the other sales pitches. Time to start packing those bags.
Now that the US and EU finally hammered out the “Privacy Shield” transatlantic data sharing agreement to replace the “Safe Harbor” agreement the EU cancelled in the wake of the Snowden affair the next step is reviewing the implementation of “Privacy Shield”. Forever. Annually. And the first review is coming up in September. That should be fun. Especially since, as the article below points out, one of the main reservations the EU still has with Privacy Shield is the bulk US data collection for potential use by US intelligence and law enforcement (and also potentially shared with the US’s EU partners...EU governments don’t complain about that as much). And in a motion passed by the EU parliament’s Committee on Civil Liberties, Justice and Home Affairs a couple weeks ago, the EU is still officially concerned about US bulk data collection. And as the article below notes, that EU parliament motion also includes a call for all members of the review team to have “full and unrestricted access to all documents and premises necessary for the performance of their tasks, including elements allowing a proper evaluation of the necessity and proportionality of the collection and access to data transferred by public authorities, for either law enforcement or national security purposes”. Which sounds like a call to make the various facilities used by US and EU governments to collect data open for inspection by US and EU review teams, along with a review of that actual bulk data collection policies. And the reviewers will then get to talk about what they saw and didn’t like. That’s what the EU’s committee that covers things like data privacy for the public is calling for going into the first review in September.
And this is going to keeps happening annually, so if that EU committee motion doesn’t pass this year, there’s always next year. And one of Trump’s first moves was to lower the barriers between data sharing between US government agencies. So it’s not like the EU won’t have plenty of stuff to complain about if it decides to make review team inspections a sticking point going into the first review. Or the second. So that’s all going to be rather fascinating:
“In addition, the motion called for all members of the review team to have “full and unrestricted access to all documents and premises necessary for the performance of their tasks, including elements allowing a proper evaluation of the necessity and proportionality of the collection and access to data transferred by public authorities, for either law enforcement or national security purposes”. The reviewers should also each be given the freedom to “express their own dissenting opinions in the final report”.”
Yep, this new annual review team thing is going to be interesting. Annually. Even when the review isn’t interesting, that’s sort of interesting.
And, again, who knows what more Trump will do to piss off the EU between now and September? Oh wait, we do know. Trump and the GOP will the FCC regulation that would have prevented internet service providers in the US from selling the personal data they collect on their customers. That should do wonders for the September Privacy Shield review:
“The bill repealing the FCC rules was signed by President Trump only days after a speech to the Center for Strategic and International Studies in Washington by Vera Jourovà, EU Commissioner for Justice, Consumers and Gender Equality in which she emphasized the potential of the Privacy Shield to strengthen the transatlantic economy while reaffirming shared values, but stressed at the same time the importance of ensuring that its key foundations remain in place. The repeal of the FCC rules and the removal of the privacy protection they entailed does indeed raise doubts as to whether some of the key principles of the Privacy Shield, including the Notice Principle, the Choice Principle and the Data Limitation and Purpose Limitation Principle can be upheld.”
Just a few days after the EU Commissioner for Justice, Consumers and Gender Equality gives a speech in Washington about concerns over ensuring the foundations of the new Privacy Shield agreement remain in place, Trump and the GOP unleash the ISPs.
So it looks like we’re headed towards a ‘nobody knew how complicated international data privacy protection agreements were’ moment for Trump (and his fellow GOP enablers) in September. Your ISP definitely knew it was coming.