Restoring Trust in Internet Privacy and Data Security
WASHINGTON—In response to revelations concerning global surveillance by the U.S. National Security Agency, Germany and Brazil have drafted a non-binding resolution at the United Nations calling for the protection of civil and political rights in the digital era. The resolution reaffirms the International Covenant on Political and Civil Rights, to which the United States is a party, and also calls for rights enjoyed offline to be protected online, in particular the right to privacy. Last week, the United States indicated that it intends to support the resolution after language was softened regarding human rights violations resulting from “extraterritorial surveillance of communications.”
This appears to reflect a new willingness to engage on what will be a contentious global debate regarding restraints on the uses of modern information and communications technology for surveillance and warfare. The proposal suggests a profound loss of trust not just between the United States and its allies, but between representative governments and their people. While there are legitimate requirements for NSA spying on security and law enforcement grounds, there are also consequences. In Europe, there has been an increase in government and public mistrust of U.S. intentions. Germany has already set up an NSA Surveillance Unit.
The EU is considering holding U.S. tech firms accountable to European law. The European Parliament is demanding that the Terrorist Finance Tracking Program (SWIFT) be put on hold. Some have suggested reconsidering Transatlantic Trade and Investment Partnership negotiations. The European Commission is debating the establishment of a European intelligence agency. And subsidies are being considered for European firms to challenge the technological advantages of their U.S. competitors and to retain European data on European soil. This could spell the end of global cloud computing.
The German government has also been pressing in recent months to grant to German — and, by implication, European — citizens the same rights of judicial redress as U.S. residents if their personal data is mishandled. It has also reactivated the notion of “technological sovereignty,” emphasizing stronger data protection and reducing cyber vulnerability. The new policy will likely make transatlantic cooperation in intelligence-sharing subject to new negotiations and dependent on the conclusion of a “no-spy” agreement, as well as the inclusion of France and Germany in the Five Eyes group (constituting the United States, United Kingdom, Canada, Australia, and New Zealand).
In Brazil, the debate about how to respond to espionage and mass surveillance has centered on a bill known as Marco Civil da Internet (“Civil Rights Framework for the Internet”). Often referred to as a “constitution” for the Internet, the bill was introduced in 2011 after two years of consultation, and it is now a priority. It deals with issues such as legal liability, net neutrality, and other considerations, but President Dilma Rousseff is pushing hard for a provision that would allow the executive branch to require major tech companies such as Google and Facebook to store Brazilian user data on servers located in Brazil, at great cost.
The provision was included in a new version of Marco Civil presented by Rousseff’s administration on November 5, but the bill is still being fiercely debated. Rousseff has also ordered the creation of a secure national email system and even floated the idea of a cyberdefense pact with Argentina. Meanwhile, Brazil is scrambling to upgrade its own encryption technologies and cybersecurity measures. U.S. allies clearly no longer trust the United States and its companies as much as they did before the NSA revelations.
Thus, they are taking it upon themselves to seek alternatives and to protect their citizens as they see fit, even at the risk of building new trade barriers and fracturing the Internet into separate nationalized internets. Trust is paramount to the exercise of power as much as to economic prosperity. U.S. tech companies estimate that the NSA revelations will cost them up to $35 billion by 2016 in the cloud-computing market as individuals and businesses around the world forgo their services amid skepticism about data security and privacy.
The effects will inevitably ripple throughout the broader economy, given how integral cloud computing and other tech services are to modern business and innovation. The Obama administration and U.S. businesses have an enormous stake in restoring trust in Internet privacy and data security. Doing so will require concrete policy changes and strong leadership in the pressing debate about new international norms for a mutually dependent world characterized by unprecedented interaction capacity. Current jurisprudence and law enforcement cooperation methods must adapt to modern technology, which is transnational by nature.
Given that the proposed non-binding UN resolution echoes fundamental U.S. values, including the right “not to be subjected to arbitrary or unlawful interference with privacy, family, home or correspondence,” voting in favor of it is a very good first step, but there needs to be an action plan to implement these principles.
Annegret Bendiek is a Fellow with the EuroFuture Project of The German Marshall Fund of the United States, based in Washington, DC and a Senior Associate and Deputy Head of the EU External Relations Division of the German Institute for International and Security Affairs. Tim Ridout is a Wider Atlantic Fellow at the German Marshall Fund of the United States.
The views expressed in GMF publications and commentary are the views of the author alone.