In search of better data security? It’s not where, but how
In the wake of Snowden, governments scrambled to secure their data by regaining “technological sovereignty”. That approach misses the point.
When asked earlier this week to give advice to the every day Internet user, respected computer security researcher Bruce Schneier suggested we look beyond technical solutions to build a legal framework in order to protect our data and privacy. Nonetheless, last year, Schneier claimed that over 700 million people are taking steps to avoid foreign surveillance activities as a result of the Snowden revelations. While he expressed skepticism about the degree to which these steps make an “appreciable difference,” there is a clear momentum for individuals to increase their efforts to keep their online activities secure and private.
But it is not just individuals who are taking steps to protect themselves online. The private sector promptly reacted as well, as tech companies have begun to increase encryption efforts and are gradually becoming less and less beholden to the intelligence community. Companies and customers are gradually realizing that when it comes to data security, where data is stored and flows matters much less than how it is stored and flows.
While some companies and individuals around the world are making a greater effort to increase privacy and security of their data and online communications following the Snowden revelations, some reactions from political and industry thought leaders are missing the point. As we showed in a study last year, many proposals made by policymakers and industry leaders to lessen the NSA and other intelligence agencies’ ability to scoop up vast swaths of data go about it in the wrong way and seem to be thinly veiled initiatives to either engage in economic protectionism or promote greater government control over data.
The motivation for these proposals was to “take efforts to regain technological sovereignty,” as the German government wrote in its 2013 coalition treaty. Technological sovereignty is the vaguely defined concept that a state should have “autonomy and authority over information and telecommunication technology.” In the wake of Edward Snowden’s revelations, several states began to explore ways to wrest greater control over the data that flows through or is stored within their physical boarders and pertains to their citizens, often arguing that such measures protect data against foreign intelligence agencies. Such proposals included laying new undersea cables, altering routing to keep data flows within a geographically limited area, storing all data in local data centers, amongst others.
Unfortunately, many of these proposals dilute the ongoing debate on foreign surveillance and misleadingly create a false sense of security for the user. This is appealing for both policy makers and businesses, as there is a clear demand for data protection on the user side. And, unfortunately, many of the proposals included promises that they can’t live up to, and measures that are ineffective in protecting data from surveillance. For example, building a new undersea cable between Finland and mainland Europe improves existing infrastructure. But to do so with the purpose of avoiding Sweden — which allegedly gave the NSA access to data flowing through its country — does not take into account the ability of intelligence services to tap into the new undersea cable. Suggesting that efforts such as this and others that simply seek to alter the physical location of data flows and storage as an effective means to secure data is misleading.
Like building new undersea cables, the implementation of a national routing scheme, as proposed by the Deutsche Telekom, has major flaws. Unless American tech companies, like Google, are legally required to build up servers in Europe, any time German citizens utilize products provided by American companies, data will still flow via the U.S. or will still be stored on servers on American soil. Given the pervasiveness of U.S. social networks and email providers in combination with the fact that about 96 percent of German online searches are conducted via American companies, one can question the proposal’s effectiveness in protecting user data. Even if data was only routed within Germany, there is no guarantee that foreign agencies cannot intercept the data there, as it remains unclear in how far they have access to local internet exchange points and service centers.
If European politicians are really concerned about their citizens’ data, they should stop worrying about where data is stored or flowing, and focus on how traffic is secured. Instead of worrying about protecting data from a specific actor or actors, measures should take steps to protect data from all unauthorized actors. Enhancing efforts to develop and distribute user-friendlier end-to-end encryption represent such a step, but suggestions by government officials to outlaw certain types of encryption are once again missing the point, especially since so far they have failed to present a technically feasible solution to such calls.
Governments can play a role to increase data security — but it must go beyond the current window dressing. Politicians need to stop selling any individual solution as a silver bullet and start to take into account that both who is trying to protect data and what data is being protected matters. Governments often face different threats than companies, as do individual citizens, and there is not a single solution to increase data security.
At the same time they also need to recognize where their limits are. Active government involvement in encryption can ruin trust in the encryption by creating questions as to whether intentional holes were left in the code. And when the code is untrustworthy or easily cracked, it, like other proposals to protect data, will not be secure and therefore will not be adopted.
To protect government and industrial secrets as well as private data, we have to be willing to pay a price, both in terms of money and time. Developing secure soft- and hardware is expensive, and using secure channels of communication can be inconvenient. What governments can do is partly shoulder those costs. They can increase incentives for developers to continue creating better encryption; allocate resources to educate citizens, raise awareness, and encourage open debates.
Finally, they can enact policies that support the use of secure communication channels. But if policy makers are serious about protecting data — their own, their companies’ and their citizens’ — praising “technological sovereignty” and undermining encryption is not the way to go about it.