Cyber Security and Privacy

Parke Nicholson

Parke Nicholson was previously the Senior Research Associate at AICGS. He was selected to participate in the Munich Young Leaders 2016 program at the 52nd Munich Security Conference. Previously, he worked at the Center for the National Interest and the Council on Foreign Relations. In 2008, he served on the foreign policy staff at Hillary Clinton’s presidential campaign headquarters. He has also worked abroad in Austria and Germany: in 2005 through the Fulbright Program in Klagenfurt and in 2010-2011 as a Robert Bosch Foundation Fellow working in the German Foreign Office for the Coordinator of Transatlantic Cooperation and for Daimler AG’s Political Intelligence unit in Stuttgart.

Parke has recently published in Foreign Affairs, The National Interest, The Baltimore Sun, and the Frankfurter Allgemeine Zeitung. He received his MA in International Relations from The Elliott School of International Affairs at The George Washington University and a BA in History and Violin Performance at The College of Wooster in Ohio.

Patrick Schmitz

The ongoing debate about cyber security and its implications for privacy has once again exposed major cultural and legal differences between the United States and Germany. The interplay between German society’s demand for privacy and the state’s implementation of legal structures ensuring its protection has developed throughout a long period of challenges and adjustments marked by the tragic experiences of the Third Reich, East Germany’s systematic use of domestic informants to spy on citizens, and the threat of international terrorism. Germany’s strict approach to data privacy reflects these many historical, social, and legal factors. In the United States, however, there is a broader consensus on the importance of providing the U.S. government the tools to preserve national security (e.g., Patriot Act, FISA). While preserving individual liberties and freedoms are at the core of each democracy, the United States and Germany differ when it comes to handling the balance between liberty and national security in the cyber age.

Legal Right to Anonymity

The value Germans place on anonymity and privacy is evident not only in the country’s history, but also in its citizens’ use of the internet and social media. A study in 2009 showed that 65 percent of Germans used either none or only one of the major American platforms—Facebook, Twitter, and YouTube.[1] Around the same time, Facebook was only just able to edge past its German-based competitors in the market of social media services. The long-lasting use of German networks reflected the population’s hesitancy of sharing personal information on internet platforms and the need to build a relationship of trust with certain brands. This trend has also been evident in corporate use of social media and of the great demand for communication experts at companies. German companies are clearly behind U.S. firms in their use of social media: while about a quarter of the hundred biggest companies in Germany report social media use, only 5 percent of them take advantage of Twitter, Facebook, or YouTube on a regular basis compared to approximately 58 percent in the United States.[2] At the same time, a study in 2010 highlighted the need for privacy and trust in the United States as well: less than half of social media users used their real name on platforms in 2010. While citizens have privacy concerns in both countries, statistics suggest a greater willingness to accept risks in the United States. There is a general acknowledgement of the need to discuss privacy issues, but each population has a different way of dealing with the issue.

The same difference is present in the two legal systems: Germany’s acknowledgment of privacy in its constitution automatically implies its protection.[3] The Grundgesetz, the Basic Law of Germany, was developed as a response to the Third Reich era, when basic human rights were “legally” undermined by the Nazi party. The first article of the Basic Law refers to the protection of “human dignity” as “inviolable,” and that “to respect and protect it shall be the duty of all state authority.” There are also major variations in legal phrasing of privacy law in Germany and the United States. While the U.S. Constitution uses the term “privacy,” Germany uses the term Datenschutz (data protection). Additionally, the agencies responsible for data protection in Germany are independent data protection agencies, while the Federal Trade Commission handles privacy cases along with many other regulatory issues for the entire United States. While U.S. citizens have a certain right to privacy and the legal basis to protect themselves against violations, similar rights in Germany imply the automatic protection of the state.[4]

Balancing Privacy and Security

Accordingly, the German government reacted strongly toward perceived privacy violations by major U.S. companies like Google and Facebook. In April of this year, a German state filed charges against Google’s Street View program and fined the company $189,225.[5] Google reported in 2010 that it had received 244,000 requests for deletion of information on Street View since the introduction of the program in Germany.[6] Even though German courts declared Street View as legal after Google offered to delete collected data upon request, the company chose to cease expansion of the program in Germany in 2011. Until this point, Google had collected Street View data on twenty German cities.[7] As a response, Microsoft launched its Street Side project in Germany in 2011, cooperating with government institutions and officials prior to its start.[8] Simultaneously, Facebook engaged in a conflict with German courts regarding its privacy issues: the facial recognition feature of the social network was criticized for saving the data of people without accounts as well.[9] Consequently, Germany has had a history of friction between the government and private American internet companies in the last decade.

The PRISM case has caused German and European institutions to demand explanations from major U.S. companies and the U.S. government about the scope of their activities. Prior to President Obama’s recent visit to Berlin, German officials sought information on the National Security Agency’s (NSA) surveillance program while Chancellor Merkel announced she would address the issue directly with Obama. In fact, Germany benefits from cyber security in the fight against terrorism, though perhaps to a lesser extent than the United States. Cases of attacks prevented through cyber surveillance have shown the significance of internet governance: in 2006, for instance, German intelligence benefited from NSA information regarding an exchange between German Islamists and connections in Pakistan.[10] Acknowledging the need for surveillance in the web, Germany released a cyber security strategy in 2011 and plans to invest about $133 million in cyber security over the next five years. This new strategy is a response to the range of corporate and strategic cyber-espionage activities that cost Germany approximately $22-66 billion annually. Such attacks often originate from outside Europe, especially from Russia and China.[11] Given ongoing cooperation between governments and the private sector and the constant need for information to keep up with various transnational threats, Germany, like the United States, will continue to face these external challenges as well as the internal challenge of balancing security and privacy.

Policy Implications

This past week, the Obama administration has struggled to respond to allegations published by the German magazine Der Spiegel that the NSA bugged European Union offices in Washington and New York. Regardless of the scope of the program and whether other capitals were affected, the issue has caused considerable concern among the European public.

The potential fallout from this episode may have far-reaching consequences not only on Washington’s relationship with its European partners, but also EU relations with U.S. private actors and industry. To date, media reporting has run far ahead of the diplomatic community’s ability to respond and clarify the issues:

• Intelligence Cooperation: The most immediate concern is perhaps the easiest to address. Counter-terrorism cooperation between the United States and its European allies has been critical to stopping terrorist plots and identifying suspects around the globe. However, security measures called for by the Council of Europe’s Convention on Cybercrime have been ratified by only 39 countries, including the United States—Russia and China are among dozens of other countries that have not signed the agreement. The EU and the United States both have a continuing interest in bolstering inter-governmental dialogue to examine the impact of recent revelations and their implications for ongoing intelligence and law enforcement cooperation.

• Trade: Despite the recent threat by French President Francois Hollande to stall negotiations in response to the alleged U.S. spying, governments on both sides of the Atlantic will likely keep the current debate from negatively affecting initial talks on the Transatlantic Trade and Investment Partnership (TTIP). However, long-standing EU/U.S. differences on the exchange of financial and commercial data and other issues pertaining to privacy concerns may still become a factor in the trade negotiations. The forthcoming U.S. Commerce Department’s Internet Policy Task Force and the U.S. Trade Representative’s office will need to address a range of issues with their international counterparts, including privacy concerns, copyright protection, and the global free flow of information.

• Business: Major U.S.-based tech companies with operations in Europe such as Microsoft, Google, and Facebook will continue to be scrutinized by EU regulators and the public. The European Union is currently developing new standards on critical infrastructure, reporting, and preparedness. Proposed revisions to the 1995 Data Protection Directive, which regulates the processing of personal data within the European Union, may impose additional restrictions on small business and multinationals. Companies operating in both the United States and Europe could also now face specific challenges to their growing cloud computing businesses and their access to and use of Europe’s largest data centers such as in Frankfurt.

• Public Opinion: The public outcry in Europe against the NSA’s programs is unlikely to reach the level seen before the Iraq War and will likely subside in Germany following national elections on September 22. However, lingering resentment may have a subtle long-term effect on relations and limit European politicians’ flexibility on other policy issues. Political leadership is necessary in both Europe and the United States to more directly engage their domestic constituencies and the international community.

AGI Publications and Events on Cyber Security and Privacy:

Jan Neutze, Cybersecurity in Germany: Toward a Risk-Based Approach (AGI, 2012)

Michael Rühle, “NATO and Emerging Security Challenges” (American Foreign Policy Interests, 2011)

Thomas Dapp, “Digital Society” (Deutsche Bank, 2011)

Russell A. Miller, “Balancing Security and Liberty in Germany,” Journal of International Security Law & Policy (2010, Vol. 4: 369)

Edna Dretzka, Stormy-Annika Mildner, “Anything but Swift, Why Data Sharing is Still a Problem for the European Union” (AGI, 2010)

Axel Spies, “A Reasonable Expectation of Privacy? Data Protection in the United States and Germany” (AGI Policy Report, 2006)

Transatlantic Risk Governance: New Security Risks (2012)