Modernizing Privacy and Security Policy in Germany


Speech by Ben Scott, Program Director of the "European Digital Agenda", on privacy and security as an opportunity for German policy, delivered at the conference on protecting privacy and data in times of big data, state surveillance and digital borderlessness.


Check against delivery

It has been almost a year and a half since the first stories broke about the revelations of Edward Snowden. This speech offers a retrospective on what we have learned about the problem of privacy and security in a digital age; and it will provide a look forward at what must be done to address it effectively with solutions grounded in democratic values.

First - I will offer an analysis of where reform efforts stand today, why we have achieved so little, and what the consequences of inaction will be.

Second - I will propose that the core of the problem is the collapse of public legitimacy in the way democratic governments apply power on digital communications networks.

And third, I will suggest a specific agenda for strategic interventions in Germany aimed directly at this problem that could bring important if incremental progress in what will be a long debate.

First, then - a look back. Almost immediately after the Snowden story appeared in the news, the public outrage in Europe created a serious and sustained disruption in the trans-Atlantic relationship. It opened a heated debate about human rights and civil liberties in a digital age -- not just in Berlin and Brussels, but also in Washington. And it triggered calls for rapid changes in law and policy to address these problems. And yet there have been no significant changes to law and policy. The heat of the moment appears to be fading. Germany is among the only countries still publicly challenging the US and the UK to change their ways. But those challenges are less frequent now. Most countries have made a quiet accommodation or simply chosen to keep discussions about the sins of intelligence agencies among intelligence agencies.

Tellingly, not a single European country has made serious efforts to address its own complicity in the NSA surveillance practices -- despite ample evidence. Even the limited reform bill in Washington -- endorsed by the White House -- failed to pass the US Senate and fell into oblivion in November. So what is the most likely political outcome to a scandal that sent a shockwave through the trans-Atlantic alliance? What will the Federal Republic deliver to the German people to demonstrate that the privacy concerns of the vast majority of the public are being met?

Nothing. The most likely outcome is that nothing will happen and we will return to business as usual. This is hugely frustrating to civil liberties and human rights advocates. It is demoralizing to public confidence in democratic government. And simultaneously, it is not especially surprising that realpolitik would prove a difficult obstacle for idealism. So far, it appears the political price of inaction is relatively low. The most immediate political, social and economic consequences all appear manageable. They do not appear to bend the present course of core national interests for any major Western government. This may be true in the short term, but not in the long term.

There are serious consequences to continuing with business as usual as if nothing had happened -- despite all the facts that are now public. For democratic societies, we are sending a damaging message to our own citizens as well as to the international community. If we fail to deliver legitimate controls to guard individual privacy against the abuse of digital technologies by governments, the message to our own citizens is that neither technology nor government is trustworthy. The rational reaction of the public will be to view both with skepticism and the combination of the two with cynicism if not hostility. If we fail to modernize surveillance practices to respect the rights and liberties internationally, we send a message to the world that undermines the moral authority of our principled, rules-based, global leadership.

And implicitly, we relativize the transgressions of despots and weaken our case for isolating these governments as intolerable. In short - doing nothing weakens trust that America and its democratic allies practice what they preach. What will this distrust look like? How will it change the role of connection technologies in modern life? How will it affect the relationship between the government and the public? How will it affect the way the international community views the legitimacy of human rights law? How will other nations evaluate the behavior of totalitarian governments against a wavering standard of our own idealism?

The full effect of the Snowden affair on public attitudes toward the Internet and “big data” is only in the early stages. Most observers point out that we have NOT seen major shifts in consumer behavior in the face of the NSA revelations. People still carry their mobile phones despite the fact that they are blinking, beeping tracking devices. People still search the web, shop online, and document their lives on social networks. Only a small fraction of Internet users bother with end-to-end encryption. Why is that? Why doesn’t outrage at the NSA translate into changes in behavior? It is a vexing paradox that suggests we aren’t as mad as we say we are. As I see it - there are three possible reasons to explain this paradox.

Reason #1 - I don’t know. In this category are the few people who have not heard about the NSA spying stories; or who do not comprehend that Internet usage translates into a track-able record of communications, geo-location, commercial activity, social network and demographics.

Reason #2 - I know. But I don’t care (or I’m glad). In this category are the people who have embraced the exhibition of the Internet or who genuinely do not find it objectionable that conventional ideas of personal privacy have been reduced by digital technologies. In addition, we can add people here who will gladly trade liberty for security or feel that the consequences of surveillance are irrelevant because they have nothing to hide.

Reason #3 - I know. I care. But what can I do? In this category are all the people who fully understand the implications of the Snowden revelations, are troubled by them, but have identified no logical recourse.

According to a recent poll (of American internet users) by the Pew Research Internet Project, we can get some insights into how many people fit into each category. 5% said they had not heard about the NSA surveillance programs. 91% agreed that they had lost control over how personal information is collected. 80% agreed that people should be concerned about government monitoring communications. This suggests that most people fit in category number 3.

And what that means is that we are watching a serious transition in the public’s normative understanding of digital technologies. What is emerging is a normative cynicism: I understand the problem; I’m upset about it; but I consider the solutions futile. I cannot tolerate the disruption to my life that disconnection from the Internet would require. And I cannot trust the government to put adequate controls on surveillance. The lack of obvious solutions leads to apathy, acceptance, and a new, normative cynicism. Consider how rapidly times have changed.

Just three years ago during the Arab Spring, the dominant narrative about digital technologies was positive and progressive. The Internet was a liberatory force; the world’s first decentralized communications system; a powerful catalyst to social, economic and political change that lowered barriers to entry for education, political engagement, and social mobility. This narrative was often exaggerated into utopianism and ignored concerns about privacy and security; but it was a deeply held conviction and contained clear elements of truth.

Now - the dominant narrative is shifting decisively. The Internet is now understood by many as a technology of political control and social manipulation in a Hobbesian digital world. This dystopian vision is equally exaggerated and monolithic; but it is also deeply held. What are we to make of this shift? It means that just because people haven’t stopped using technology doesn’t mean the NSA affair hasn’t changed public attitudes and altered the politics of the digital revolution. Attitudes have changed and continue to change. This change is not a transaction that involves abandoning digital communications. It is a systemic process that shifts normative understanding about the role of technology in modern life. It is difficult to predict changes in global attitudes - because they are obviously not monolithic.

But at least three results appear likely -- and all of them are disturbing: First - people will lose (even more) faith in democratic governments that respond to the NSA debate with zero reforms. And the loss of public confidence at home will translate into a loss of moral authority and credibility for democratic values in the international community. Second - people will lose faith in technology. While we may not give up the tools and services that are already integrated into our lives; we may hesitate to use new ones. This will slow the flow of innovation and check the progress of technologies that truly do embody some of the more utopian virtues of technological change. Third - with the decline in trust for all forms of digital technology, the soft power of the Internet as an open marketplace of ideas converged with an engine of economic growth will decline.

We should not underestimate this change because it is hard to measure, or because we see so many people using the Internet to do terrible things (see, e.g. ISIS propaganda). The true power of the Internet is not a mythical ability to cause democratic revolutions. The true power of the Internet is the daily access to information, communications and commerce that it provides to billions of people in small and subtle ways. Cumulatively - these are very powerful social forces that I believe are generally progressive. And they are the social forces that most democratic states support through policies of Internet Freedom. This vision of technological change is inconsistent with a Hobbesian view of the Internet and skepticism in the developing world that the Internet is a new form of colonialism. They cannot coexist. So that’s the bad news. The consequences of achieving no meaningful change in privacy policy in democratic societies are deeply worrying.

Here’s the good news. Despite all of this, I believe the post-Snowden world still offers an extraordinary opportunity to modernize privacy and security policy for the digital age. It is a moment when the corrective forces of democratic self-government should rise to realign the practices of the state with the principles of the people. But this chance will not last long. And we cannot afford to waste more time. While reform may be challenging and politically volatile, the alternative is not acceptable either. Both the US and Europe should seize this opportunity for reform not only because it is the right thing to do; but also because it is in their common self-interest to sustain trust in the Internet as a progressive force in the world. This trust depends on whether users believe that the digital information networks bring more benefits than costs. It is short-sighted to sacrifice this trust in the Internet as a source of social/economic progress, if all we have to show for it is resuming the status quo in signals intelligence. So we begin solving the problem by restoring trust. This idea is a constant theme in the media coverage of the Snowden revelations.

But what does it mean to “trust” the Internet? What I mean by trust is tied to the application of power and control over the Internet. Who has power over me as an Internet user when I am online? The simple answer is two forces: 1) companies who provide access, content, and services in exchange for my data and attention; and 2) governments – and in particular law enforcement and intelligence agencies (often by instrumentalizing companies under their legal jurisdiction).

Of course, trust does not require the absence of power over Internet usage. That is neither realistic nor desirable. Trust requires legitimacy. Legitimacy is control over the application of power according to norms and social values. Legitimacy is at the center of any solution to our current problems. A successful alignment between European and American interests on privacy and security policy is not about eliminating power over the Internet – it is about restoring legitimacy. Even in a post-Snowden world, most people in Europe and the US do not seek a complete elimination of digital surveillance for law enforcement and intelligence. What they seek are stronger guarantees that the application of state power is clear, limited, and properly controlled within and among nations. That is a complicated problem for many reasons. Here are two important ones. First – no nation has fully modernized its laws governing digital surveillance – and no secret services have reformed their practices. We know a lot about the problems with the NSA. But we are recently learning more about the problems with the BND. This should not be a surprise.

European intelligence agencies are all dependent in large and small ways on the capability of American power. This has been the case for decades. A certain level of moral complicity is the price of that operational dependency. Second – even if nations conduct appropriate national reforms, there remain big differences between nations in how they define legitimacy. Consider - for example - the role that nationalism plays in evaluating the legitimate use of power. To understand the NSA, you have to understand American exceptionalism. American nationalism celebrates its own military power. Post 9/11 – this feeling has grown even stronger. This means the military and the intelligence agencies – even when they behave badly – enjoy relatively uncritical public support. And although many Americans are appalled at the vast system of NSA surveillance; others are proud that we are the best at what we do. And some Americans fit into both categories despite the contradiction.

Now consider “German exceptionalism.” German nationalism is a kind of anti-nationalism with respect to military power – for obvious reasons. This is rooted in the experience that democracy is not necessarily a self-correcting form of government. More simply put – the illegitimate use of power, even in democratic societies, can become uncontrolled radicalism. The powers wielded by the NSA would have been a recipe for even further horrors in 20th century German history. These understandable fears are the direct opposite of American political culture – which assumes radicalism will always be contained by the pendulum swing of democratic reform.

So – to recap. Americans see the potency of intelligence agencies as a reflection of American exceptionalism. And Germans see the control over these same powers as a reflection of their own exceptionalism. Does this mean our views are irreconcilable? I don’t think so. In important ways, this contradiction means we are dependent on one another. Europe supports and depends on the US for the application of hard power in the world. See, for example, Northern Iraq. But - and this is important - America wants to have the shared legitimacy of European support for that hard power. And that legitimacy comes with European constraints and caution on the use of power. And so – we are back to legitimacy - the public trust that power will be constrained. Here our problem is about how to build a shared legitimacy around the application of “digital power.” But for historical and cultural reasons, we define what is legitimate in very different ways. This is our challenge.

So what is the path forward? We must build a modernized framework of principles and laws to govern digital surveillance. This does not mean repudiating security interests. It means establishing legitimacy in the eyes of (at least) democratic publics that power is being applied with appropriate controls in the digital world. This must happen both at the national and international level. It begins at the national level. If Germany seeks bilateral, regional, or trans-Atlantic alignment on surveillance policy reform, it must get its own house in order first. You cannot ask other nations for changes you have not made yourself. The second step is assembling support from other EU member states.

This is unlikely to be done in Brussels because the UK is somewhere below the US when it comes to willingness to engage on these issues. And then at that point there will be opportunities to bring the ongoing trans-Atlantic dialogue to the more serious questions. This strategy must be implemented on the basis of common interests first in order to build a base of agreement from which to handle more controversial issues. A strategy based on threats of economic or political retaliation against an ally like the United States will not achieve good results. Leverage is too limited, and the consequences of such moves are mutually damaging -- a reality that is already well known to all parties and reduces the sincerity of these verbal “shots across the bow.” The ultimate answer is a solution based on common interests. This is a difficult bridge to get across for many people who feel that the United States is the only villain in this story.

But the truth is more complicated. Consider the results of the work done in the Bundestag’s inquiry committee on the NSA. It has uncovered very few new facts about the NSA. But it has uncovered a whole host of new facts about the BND and the relationship between two intelligence agencies. Meanwhile, the public calls for a “no spy” agreement have given way to very confidential meetings between security services exposing a dialogue between the foreign ministries as the only public channel for engagement. The plot of the story is now more complex. The full scope of American espionage has been uncovered. And yet Germany has also lost some of the moral high-ground. The Eikonal story weighs heavily against any claim to violations of sovereignty. The truth is that Germany’s own laws and practices are not sufficiently different than the US to justify sustained outrage or compel compromises. There are major differences in scale and capability; but there are common problems in what is authorized and how it is controlled.

To make a strong case for international change will require national reform first - at least on the core “rights-based” questions. Already, there is near consensus among senior voices in the legal community that the G-10 law has major weaknesses. The BND’s strategic surveillance of non-Germans without proper oversight through the G10 Commission is considered unconstitutional by former constitutional court judges as well as members of the G10 Commission. Germany should take this opportunity to construct new laws for itself regarding surveillance of non-Germans. The goal is not only to align law with public opinion at home. The goal is to construct the elements of a new legitimacy in the operation of digital power to bring into the international debate. Germany – because of German exceptionalism – possesses enormous international credibility on the topic of controlling the application of power. Germany should seek to be the legitimacy “Weltmeister”. With strong German leadership towards a realistic alternative, the realpolitik arguments about the Internet as a soft power and economic asset will be more persuasive to other states. Germany can present this as an alternative to normative cynicism -- a view that the German public stubbornly refuses to accept (because it is anathema to its concept of nationalism), perhaps uniquely among nations. After reform at the national level, the international level comes into play.

But finding permanent answers will take time. It is not possible to threaten or shame EU neighbors or the United States into reshaping their security policies. They must be persuaded that they want to do so. There is an analogue in the surveillance debate to the problems of arms-control that dominated the Cold War period of diplomacy. In the short term, the talks between the US and Europe should focus on a shared agenda for reform that is based on common interests rather than threats of retaliation. The first phase of work will not answer the bigger questions around international human rights – but it will lay the foundation so that we may reach them in the future.

Here are four examples of reforms based on common interests that the Bundesrepublik could propose right away:

Parliamentary Control and Executive Oversight: The current system of oversight in Germany is not sufficient to monitor the practices of the German security services. The Parliamentary oversight committee lacks technical know-how and sufficient staff capacity to even track BND activities properly, much less to scrutinize them. The G10 Commission has similar shortfalls in technical knowledge and very limited reach into the operational details of how the surveillance they authorize is conducted and to what effect. The recent debate over the constitutionality of foreign strategic surveillance points to an urgent need for better oversight. Germany could seize the opportunity to construct an ideal system for itself and hold that up as a blueprint for other democratic countries.

Extraterritorial Access to Data: A practical problem for Germany is the inherent distrust in using any American vendor of software or hardware for the storage, processing, or transmission of data from any critical information network. These US firms are compelled by US law to hand over data to the government when presented with a lawful order. It doesn’t matter if that data belongs to a German or sits on a server in Germany. Yet the cases in which German data is compelled by the US government from American companies are likely limited in number. And the number in which it would be undesirable to share that information with German authorities is smaller still. We should explore a bilateral agreement that requires notification and authorization by the German government for extraterritorial data requests from American companies for German data or data stored in Germany. This would permit American companies to operate in Germany and legally reject any data request that does not come with a German authorization.

Industrial Espionage: Both the US and Germany insist they do not conduct industrial espionage – using intelligence agencies to steal from companies to benefit competitors. Yet there is widespread belief that it happens. We should explore a new legal framework governing industrial espionage with independent oversight and heavy penalties. Trust must be conveyed through zero tolerance. A legal and diplomatic regime governing industrial espionage would permit the formation of a transatlantic alliance against the practices of Russia and China in this regard - a political asset of considerable value to both the US and the EU.

Cryptography and Certification: Intentionally weakened cryptographic standards, software backdoors, and manipulated hardware have damaged global trust in the Internet. The standards and implementation for cryptography and the security certification of hardware and software require new systems. Germany could play a leading role in developing these systems. The IT security bill offers an opportunity to debate and implement such a strategy. Here is an opportunity to assert the political will to achieve “IT sovereignty.”

It is unlikely (and almost certainly undesirable in the short-term) that Germany or any European country can replace international suppliers of hardware and software to enterprise and public sector customers. But by embracing leadership on setting compliance standards for cyber-security and operational integrity, Germany can leverage its position effectively and achieve a measure of influence on international technology markets that it lacks from the perspective of corporate market capitalization.

Transparency: Germany should propose that nations publish the standards, criteria, and procedures under which they authorize surveillance of non-citizens. This transparency should also include regular public reporting by all government agencies and private sector companies about the number, type, and purpose of interception requests. Transparency is a step towards pushing governments to fish with a pole and not a net. And it is a metric that nations can use to hold companies accountable for the decisions they make vis-a-vis government data requests and the criteria by which they make them.

These strategies may not sound as sexy as “no spy agreement”. But they are a starting point in a debate that threatens to go nowhere. If no such steps are taken, it appears likely that the end-result of the NSA scandal will be the status quo pre-Snowden. By contrast, if these steps are successful, they will build the basis to begin asking the tougher questions that will require more time to answer. The core challenge for data privacy in the US/EU relationship is to find ways to rebuild legitimacy. Because of the striking differences in how Americans and Germans understand the criteria for legitimacy, this will not happen easily. If it happens, it will happen slowly and incrementally. The problem of establishing principled legitimacy for the application of digital power in the world will take decades to solve. So far, we haven’t made much progress. It’s time to change that.

December 03, 2014

Dr. Ben Scott