Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

9/11/2014
12:00 PM
Malte Pollmann
Malte Pollmann
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

Privacy, Security & The Geography Of Data Protection

Data generation is global, so why do different parts of the world react differently to the same threat of security breaches and backdoors?

When Edward Snowden took center stage last summer exposing the NSA’s intelligence-gathering practices, he caused a wave that’s still rippling through the security industry. Snowden put his finger on the industry soft spot: Why do we protect data? From whom are we trying to prevent intrusion?

Snowden’s revelations and the backlash that followed also illustrate the dramatic international differences in privacy vs. security values. Working with customers in both the US and in Europe, I’ve seen firsthand how those differences impact how security systems are architected. Beginning with “what is the data being protected?” vs. “how do we keep the bad guys out?” will lead to two very different security solutions.

While Europe has some of the strictest data privacy protection rules worldwide, the US security design principle primarily seeks to protect and prevent attacks toward the system. In Europe, strict rules enforce how companies can and should disclose and store personal information. From a national level, governments are pushing for even stronger regulations, coming together within the European Union to sign a common statute that outlines privacy practices around the disclosure and storage of personal information along with remedies for violations and independent government agencies that provide oversight. Additionally, corporations commonly add an additional privacy layer by establishing employee councils with the purpose of safeguarding employee information.

By comparison, US companies are more autonomous in their ability to deal with the disclosure and storage of personal information. In comparison to Europe, the US government does little to limit companies from tracking people across the web and selling their information to third-parties. Additionally, US companies can decide at their own discretion how much information they wish to reveal about their data practices. As it would seem, US companies seek primarily to secure sensitive information with the intent to protect and prevent attacks toward the system, without as much regard for the privacy of their customers and employees.

It’s all about culture and history
Data generation is global, so why do different parts of the world react differently to the same threat of security breaches and backdoors? Part of the reason is the distinctly different cultural-political heritage between the US and Europe. While European culture is more conservative and risk-adverse, the US is more risk-taking and innovative. Some US technology experts claim that stricter privacy regulations would stifle innovation. As an individualistic society, the US has mostly left it up to companies to decide how people’s online data should be handled. By contrast, Europe’s policies highlight the significance of privacy being safeguarded by the government.

Historical differences in the US and Europe can help explain the subtle aspects of their different trust cultures. European countries, specifically Germany after WWII, became sensitive to secret services spying on their citizens. As a result, very strict privacy rules have been implemented and governments and larger organizations must adhere to these standards when handling any personal data. Whether it is a national census or new electronic ID cards, Telecom data retention or email marketing databases, in general Europeans have had strongly held beliefs about individual privacy rights for a much longer time period than in the US where government spying has only recently become a public concern.

The controversy around data privacy extends beyond individual companies and also focuses on how much access the government should have to people’s private information. The NSA documents that Snowden leaked to the press revealed how US intelligence agencies routinely demanded access to US companies’ troves of consumer data.

For example, Microsoft recently lost a ruling against a US court to turn over a customer’s data stored in a European data center because the data was judged within reach of US search warrants. This case shows that the US government believes that it has the right to access US companies’ information, even if that information is stored overseas. What’s at stake here is the privacy protection of individual data and this ruling is the perfect manifestation of how European and US privacy laws have come to clash. The outcome of this and subsequent rulings will have a significant impact on US cloud service providers doing business internationally.

Schengen Cloud
German Chancellor Angela Merkel is at the forefront of the European Union which is seeking to fight back against what the EU considers the overarching reach of US intelligence agencies. Some European countries are trying to move forward with a data protection policy dubbed the “Schengen Cloud,” a Europe-only integrated electronic communication network. The idea behind Schengen Cloud is to give European countries control over its own networks without the US being a middleman. However, the US has come out strongly against the proposal, saying that it provides an advantage to European-based information and communications technology (ICT) providers.

Data privacy differences between the US and Europe have already impacted business and political relations. Germany recently announced that it will not renew its contract with Verizon over fear that the company could turn over its communications to US intelligence agencies. The German government is now requiring telecom providers to sign contracts that confirm that they are not legally obligated to share information with foreign governments. In the face of such developments US companies run the risk of losing out on business deals if other governments follow suit and adapt to the German government’s stance on data privacy. In fact, the Information Technology & Innovation Foundation (IFTF) released a study in 2013 that estimated that the US cloud computing industry could lose up to $35 billion over the next three years as a result of the NSA spying revelations.Some US companies may even consider relocating their headquarters outside of the US to protect their data and their business contracts.

As more devices become Internet-enabled and the amount of data generated continues to skyrocket, organizations in the business of data protection will need to take a stance on privacy vs. security -- no matter what side of the geographical border they are on.

Malte Pollmann successfully spearheaded Utimaco's buy-out from the Sophos Group in September 2013. Prior to Utimaco's independence, he served as VP of Business Development and General Manager of the company's two business units: Hardware Security Module (HSM) and Lawful ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Marilyn Cohodas
0%
100%
Marilyn Cohodas,
User Rank: Strategist
9/12/2014 | 8:11:27 AM
Culture & history, commerce & security
Really interesting analysis of how culture and history impacts commerce.  In today's inter-conconnected world, the ramifications (particularly for US-based cloud service providers in the Europaon market) are quite serious. It will be interesting to see how this plays out. But I'm curious, Malte, do you see any signs of a global consensus on data protection policy emerging within the tech industry, or will it continue to be a battleground in the courts and national political institutions for the forseeable future? 
billsensei
0%
100%
billsensei,
User Rank: Apprentice
9/12/2014 | 2:02:50 PM
Japanese personal information protection system
As a bilingual specialist consultant on designing and dealing with Japanese personal information protection system and relevant laws, I find that the ones in Europe to show a lack of harmonization. The Japanese system is very deep and very thorough and it is the law for any organization with more than 5,000 names in their databases to ahere to the principles laid out. What's more, the Japanese system has been recognized as being so well thought out that both China and South Korea have been basing their own PIPS on the Japanese one.

 

If anyone is interested in knowing more on the Japanese system, then please feel free to contact me.
Malte_Utimaco
50%
50%
Malte_Utimaco,
User Rank: Apprentice
9/15/2014 | 9:52:25 AM
Re: Culture & history, commerce & security
Dear Marilyn,

thank you for your questions. It´s a really interesting and very relevant discussion whether we can establish in a foreseeable future a privacy and data protection minimum, accepted by most of major states worldwide. The EU discussions on the current data protection reform - a process already pending more than 2 years - are indeed expected to close within the next 12 months. There is a clear momentum now with the establishment of the new EU commission - and including the associated states, citizens and organisations will have then at least amongst those 28 nations a uniform and consistent data protection scheme at a significantly better level than the US today. The latest most interesting debates happened about the data exchange and safe harbor rules with states outside the EU, and Snowden, but more so the "US-vs-Microsoft case" in New York had a large impact on those. If the EU gets it right now, it will not only simplify the life of business within Europe, but also establish a strict privacy protection regulation level for more than 500mio citizens worldwide, having possibly a similar powerful impact as the US had with pushing for worldwide acceptance of their export regulation regime. The few discussions about a basic human right for privacy which happened at a United Nations level seem theoretical and abstract in that comparisions, so as often I would bet more on the power of establishing facts in one part of the world and leading therefore by example.

Best regards,

Malte
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
9/15/2014 | 9:55:30 AM
Re: Culture & history, commerce & security
Among those 28 nations you refer to, I assume US is not among them. Correct?
Malte_Utimaco
50%
50%
Malte_Utimaco,
User Rank: Apprentice
9/15/2014 | 9:56:40 AM
Re: Culture & history, commerce & security
That`s correct, the 28 are all the EU member states and a few associated particularly in Eastern Europe.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
9/16/2014 | 9:12:26 AM
Re: Culture & history, commerce & security
Sounds like the cultural/historical/political trends in Europe and the US are far from being resolved. In the US-vs-Microsoft case the initial ruling (requiring Microsoft to turnover docs) may yet be overturned on appeal, which illustrates the fact that there is (and has always been) an active civil libertarian pont of view in the US. This sentiment has grown stronger in the post Snowden era. but with not nearly the same fervor as in Europe. 
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Lessons from the NSA: Know Your Assets
Robert Lemos, Contributing Writer,  12/12/2019
4 Tips to Run Fast in the Face of Digital Transformation
Shane Buckley, President & Chief Operating Officer, Gigamon,  12/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19807
PUBLISHED: 2019-12-15
In the Linux kernel before 5.3.11, sound/core/timer.c has a use-after-free caused by erroneous code refactoring, aka CID-e7af6307a8a5. This is related to snd_timer_open and snd_timer_close_locked. The timeri variable was originally intended to be for a newly created timer instance, but was used for ...
CVE-2014-8650
PUBLISHED: 2019-12-15
python-requests-Kerberos through 0.5 does not handle mutual authentication
CVE-2014-3536
PUBLISHED: 2019-12-15
CFME (CloudForms Management Engine) 5: RHN account information is logged to top_output.log during registration
CVE-2014-3643
PUBLISHED: 2019-12-15
jersey: XXE via parameter entities not disabled by the jersey SAX parser
CVE-2014-3652
PUBLISHED: 2019-12-15
JBoss KeyCloak: Open redirect vulnerability via failure to validate the redirect URL.