Snowden’s Europe and the lords of the spies

The exposure of NSA activity in Europe has created cause for concern for business, but stricter legislation may not be the solution for protecting private information

The ongoing saga surrounding the National Security Agency’s (NSA) spying scandal has left a great many people feeling anxious about the safety of their personal information, with a furious public reaction in Germany. In an attempt to garner votes and distract the public from the economic woes of the eurozone, German Justice Minister Sabine Leutheusser-Schnarrenberger took a strong stance on the revelations. When speaking with German daily newspaper Die Welt, she expressed the need for new pan-European legislation to protect against spying, data theft and industrial espionage by foreign entities. She even went as far as to say: “US companies that don’t abide by these standards should be denied doing business in the European market.” The superpower of Europe is once again dictating the pace of things, arguing that the other 27 member states must adopt its more comprehensive and far stricter set of data protection rules in order to address the problem. But, as with many politicians, the rhetoric is often more impressive than the efficacy of the proposals.

For starters, the minister’s recent comments require some clarification. “First of all, the data protection laws publicly discussed are mainly applicable for private companies only. In order to limit foreign government spying, new regulations at a government level would be required,” explains Dr Ulrich Baumgartner, an IT and data privacy specialist at Osborne Clarke in Munich. “In the public discussion, this is often not sufficiently clear.”

It is important to keep this distinction in mind. Before US whistleblower Edward Snowden went public, the US and Germany were involved in a spy pact that dated back to some time during the Cold War. The ending of that agreement, along with the recent political theatrics, has allowed German officials to look like they are standing up to the US, attempting to protect citizens from foreign snooping. The reality is that Germany has come under heavy scrutiny over its own domestic intelligence policy. Over the course of the last few months, Angela Merkel’s Minister of Defence, Thomas de Maizière, has been the focus of much attention. He was required to respond to public outrage over the government’s Eurohawk drone programme. The unmanned aircraft was to be used for domestic intelligence gathering, but the programme ended up being axed over reported safety concerns. A harmonised set of stringent laws throughout Europe, therefore, is far more about restoring confidence for big business than it is about citizens’ civil liberties.

Industrial espionage
Earlier in the summer, the US government told the German Interior Minister, Hans-Peter Friedrich, that it had not committed acts of industrial espionage and that it ensures its actions are strictly and solely for the purposes of combating terrorism. To what extent such a statement can be verified is unknown, but the threat to Germany’s economy doesn’t just come from the NSA. Companies within the private sector and hackers for hire – armed with the skills to acquire sensitive information – are equally dangerous. The German economy is heavily dependent on high-tech industries, such as automobile manufacturing giants Mercedes-Benz, BMW and Audi, where innovation and being first to market are seen as irreplaceable competitive advantages.

This means that there is a real cause for concern over the circumventing of private security systems that could compromise design patents and other important information.

Worryingly, it would appear that many companies have become complacent or are simply unaware of the risks.

A recent survey carried out by Ernst & Young concluded that eight out of 10 senior managers in Germany feel reassured that they are not likely to become victims of industrial espionage or data theft. The reason for such blind optimism is that many believe their security systems are sufficient to prevent the unwarranted leakage of company information, but that confidence has taken a hit recently. “We always think it will not happen to me, but maybe it already has,” says Bodo Meseke, Leader of Forensic Technology and Discovery Services EMEIA Central Zone at EY. “At the moment we are facing techniques like advanced persistent threat, which allows hackers to hide perfectly in the victim’s systems and stay undetected for months.” To protect against such incidents, he advises the private sector, especially larger high-tech industries, to invest more money in modern security systems that will allow them to safeguard sensitive information.

Data encryption
No matter how sound the security system, a professional data thief will eventually – with the appropriate tools at their disposal – be able to circumvent any security mechanism put in place to stop them. Although Meseke concedes this point, it is also why he stresses the importance of keeping security systems up-to-date to avoid data falling into the wrong hands. “Data custodians should always use the best technology available to increase the effort of cracking information so that it becomes uninteresting. If you want information about a competitor’s product and this information is encrypted it might take one year to break it and will become useless, because the product will be outdated by then,” he concludes.

Data encryption, in its simplest terms, is the process of encoding information in a manner that prevents unwanted users from accessing it, while still allowing access to those with authorisation. It also offers the best solution for the protection of sensitive information. “Legislation and sanctions have no power for protecting privacy and data,” explains Jun Isomura, a senior fellow at the Hudson Institute and pioneer in the cyber security field in Japan. New legislation will only be effective if authorities can find the person responsible for the attack, and that is seldom the case. “The internet is used from amusement to national security. Governments want to control the internet with new laws and new regulations like a driving license, but since it is a global network it is impossible to fully control,” concludes Isomura.

The Black Budget
The Washington Post recently published ‘The Black Budget’, which at the time of writing is the most recent document to be made available by Snowden. The file shows the huge allocation of federal money to US spy agencies. It revealed that 21 percent – around $11bn – is allocated to the ‘Consolidated Cryptologic Programme’. The NSA is well-known for its advanced code breaking and made headlines after successfully cracking encryption codes protecting the UN’s internal videoconferencing system. This level of funding, and the fact the US was able to bypass security measures of such a high-profile organisation, bring into question the safety of encrypted traffic the world over. Unsurprisingly, such stories are having a serious knock-on effect for the US economy. The Information Technology and Innovation Foundation (ITIF) published a report that calculates the US cloud computing industry alone could lose up to $35bn over the next three years, as a result of the NSA’s electronic surveillance programmes. No doubt that figure will increase as the media reports continue to flood in about the complexity of America’s data mining operations.

On the flip side, it is important to remember that what the NSA has done is far from new. Sovereign states have been engaged in intelligence gathering both at home and abroad for many years. What is new is the level of sophistication, and the unprecedented scope for building information and assimilating profiles. It has initiated a new discussion about security among government organisations, private business and the public – one that is long overdue. It has made business aware of the shortcomings of the security currently in place to protect against the threat of data theft and drawn public attention to the complexities surrounding data transfer. The subject may now have the attention it deserves, but a real dilemma is what to do about it.

Greater cooperation
The threat of terrorism is often cited as both the reason and justification for such sophisticated surveillance programmes. It is understandable and necessary in the eyes of many to grant substantial exemptions in regard to data protection to avoid potentially dangerous events taking place. On the other hand, a line in the sand must be drawn to provide clarity for and protect civil liberties. Transparency is one of the cornerstones of data protection law and is essential to make sure that governments do not commit civil rights violations. When Snowden leaked information about the NSA he showed the world what can happen when transparency is not adequately provided. He also made people and organisations aware of just how far-reaching surveillance programmes have become.

Many civil rights advocates have branded him a hero, which is understandable. There is a very real cause for concern about the level of sophistication the NSA has at its disposal and the potential for such a system to be abused. Government insiders will argue that these operations are now vital in order to provide the level of security necessary to tackle threats of terrorism and protection from data theft in the modern, digital world. “You get a real conundrum,” admits Erdos. “How do you ensure control when you need to provide quite a lot of discretion and you can’t be transparent with what is going on either?”

Governments tend to be one step behind when it comes to understanding the digital landscape, opting for the tougher legislation, which naturally grants them more control.

What is really needed now is pragmatism and foresight. Government legislation will never allow for a happy medium to be reached. There will always be an impossible balancing act arising between national security and the freedom of information, which is a core principle of the internet. The two are at completely opposing ends of the spectrum. The internet means very different things depending on where you stand in society. For ordinary people it provides unprecedented access to information, but to governments it is a frightening free-for-all that requires monitoring for potential threats to the power they do control.

The uninhibited nature of the internet provides a world without borders, and may eventually create a world where privacy is a thing of the past. The G8 Open Data Charter states: “The world is witnessing the growth of a global movement facilitated by technology and social media and fuelled by information – one that contains enormous potential to create more accountable, efficient, responsive, and effective governments and businesses, and to spur economic growth.” The recent revelations highlight both the need for greater cooperation and the inherent distrust between nations that threatens that cohesion. Technology is advancing at an alarming rate, but it would appear that our cultural, political and economic practices are still lagging far behind.