The post-Snowden world is a little like a new parent suddenly worrying about the security of its baby… data. Governments, companies, and citizens alike are now wrestling with how to secure it. Over the past year, Europe has been discussing proposals intended to address foreign surveillance on governments, individuals, and companies. The problem is that many proposals, in fact, do not make data more secure while contributing to an Internet that is less free and open for all of us.
The term you need to know, the one that’s driving a lot of these proposals, is “technological sovereignty” – or the idea that individual countries should have control of their citizens’ data and Internet traffic.
What these proposals all have in common is the premise that they can and will help secure the data of people, companies, and governments in Europe. And yet, from laying new undersea cables and localized routing to data storage initiatives, the vast majority of these proposals lack the foresight to actually protect data.
Take the creation of new undersea cables, for example, which allow the transoceanic delivery of data. Justifying new cables by claiming that they’ll make data secure is misleading: new undersea cables have positive side effects for the Internet as a whole and can increase the general resiliency of the infrastructure, but they do not effectively protect against surveillance. What’s more, even if this were a plausible solution, government intelligence and law enforcement agencies have the well-documented ability to tap these cables – undersea or otherwise – and intercept the data.
Similarly, the alleged benefit of initiatives like “E-Mail Made in Germany” is that e-mails would be secure from foreign surveillance. However, the encryption of data in transit that E-Mail Made in Germany offers is not a new advancement. The latest version of this encryption was issued in 2008 and was implemented by many e-mail providers long before Deutsche Telekom and United Internet made their announcement. These proposals create a false sense of security by claiming enhanced security features (that are actually not new at all) without protecting against surveillance.
And then there are the particularly worrisome proposals for localized European or Schengen routing. The idea is that as long as intra-European data traffic is exclusively routed through European or national infrastructure, citizens’ data will be secure. Such measures may raise the technical hurdle for intercepting data for certain foreign surveillance agencies, but may also lower the legal hurdle facing these agencies. For example, the U.S. legal authority under which U.S. intelligence and law enforcement agencies collect data outside of the U.S. is part of an executive order. But how the intelligence community interprets it is largely unknown, though it is more permissive than the section of the FISA Amendments Act that permits law enforcement agencies to collect data within the U.S. This dynamic prevails throughout several parts of the world where laws constraining domestic law enforcement are separate and distinct from, and often less restrictive than, those confining international intelligence agencies.
Moreover, localized routing could make it easier for domestic intelligence and law enforcement to access and control more Internet traffic than before – hence contributing to an Internet that is less open and free – and domestic agencies may still pass data on to foreign intelligence agencies that they cooperate with. Worse, such nationalized or bordered routing directly opposes the original construction of the Internet, which was designed to allow data to flow by way of the most efficient route at that particular moment. To say that this would change the Internet as we know it is no exaggeration.
Here’s what many of these proposals are getting wrong: they’re focused too heavily on the physical location of data as a security mechanism, when, in fact, data privacy and security depend primarily on how data is stored and transmitted. In reality, few of the proposed measures actually protect data from surveillance. Moreover, governments outside of Europe, namely authoritarian regimes with poor human rights records, could rhetorically use these proposals to justify their own actions, weakening Europe’s human rights foreign policy.
Betting on these ill-conceived initiatives risks wasting important resources that could be used for more promising proposals to effectively make data more secure, namely greater use of and better encryption.
But encryption is controversial. In the United States and the United Kingdom the recent announcement by Apple and Google to strengthen encryption sparked a debate regarding the tradeoffs between encryption and security reminiscent of the Crypto Wars. On one side, law enforcement argues that broader use of encryption will severely hinder their efforts unless they are given backdoors into products. On the other, computer security experts argue that these backdoors will be just as easily accessed by nefarious actors and generally decrease the security of these products. This is a necessary and important debate. It is about virtual security and physical security. It is about the virtues and limits of encryption, which can protect data flows and stored data, but does not protect metadata.
This is the debate Europe needs to have if the goal is to secure data and what it contains.
And this is the debate the world’s democracies need to have. After all, calls for technological sovereignty have not been limited to Europe. In Brazil, data localization proposals were hotly debated. The Australian government has banned China’s Huawei from participating in building its National Broadband Network. And the United States has not been immune from this trend, exemplified by Congress’s creation of a cyber espionage review process to limit government procurement of Chinese IT equipment in 2013.
Pushes to border and wrest further control over the Internet are expected in some areas of the world like China and Russia. The question is what measures can be taken to keep data safe while safeguarding the free and open Internet and preventing further fragmentation. Europe is uniquely positioned to set the trend on how data is secured, as swing states and traditionally progressive countries like Brazil may see Europe’s movement as a signal to follow in their wake. But they cannot turn a blind eye to the openness and freedom of the Internet. In order to support an open, free, and secure Internet, European policymakers need to decisively and publicly disown and discard proposals that were made in the spur of the moment and that do not make data more secure. This will allow them to focus on the more promising proposals, such as encryption, and move the debate in a more productive direction. This is what Europe owes to everyone committed to an open, free and secure Internet.
For further discussion of the proposals examined here and more, go here.
Tim Maurer is a research fellow and Robert Morgus a research associate at New America’s Open Technology Institute focusing on international affairs and cyberspace. Isabel Skierka is a research associate with the Global Public Policy Institute in Berlin and a member of its Global Internet Politics Program. They wrote this article for New America Foundation.