Wednesday, 19 February 2014

Can Europe go its own way on data privacy?

The BBC have an interesting article that suggests that the German Chancellor Angela Merkel is trying to make a "cordoned-off portion of the internet".
In her weekly podcast to the German nation, Ms Merkel floated the plan to ensure European data stays on European networks. 

She suggested this required beefing up Europe's data networks and implementing policies and technologies to limit how much data crosses the Atlantic.

Her proposals have been prompted by revelations by whistleblower Edward Snowden about the extent of US spying.
The BBC did ask me for comments, thanks, but it is hard to try and explain the level of bat-shit insanity going on here in just a few quotes.

How the Internet already works

Let's start with a few simple lessons on the basics - how the Internet works.

For a start you have ISPs (Internet Service Providers). These can be large or small, and can even be part of international companies. They are usually nationally based, certainly in the UK. These are the people that connect the individual homes and businesses to the Internet.

Smaller ISPs will often make use of national carriers to connect from homes and offices to their network. Larger ISPs will have their own national networks.

Either way, these ISPs interconnect in various ways - often at peering points (like LINX and LONAP in London).

There are then transit providers - these are like the ISPs for ISPs. They operate global networks and interconnect lots of ISPs all over the world. They do not usually deal directly with individuals or businesses, but will do for large companies. They interconnect with each other and connect to their customers (usually ISPs).

This means that each ISP will have connections not only to other ISPs but to one or more transit providers.

For a packet to go from one house to another, even next door, it will usually travel some way. If the houses are on different ISPs it will have to go as far as an interconnect between the ISPs. Even on the same ISP the packet will typically travel to a major node in their network and back. It is not uncommon for traffic in the UK to go via London, for example. This is largely down to the way the back-haul carriers like BT and TalkTalk offer services to ISPs via hub connections.

If the ISPs in question do not interconnect directly, then the traffic will go to a transit provider and then to the other ISP. If they do not have a transit provider in common then it will go via more than one. It is technically possible for the transit providers to only interconnect in a different country - but this would be unusual these days and normally only if there is a fault.

In practice, traffic from one place in a country to another in the same country would not leave that country. Traffic from one country in Europe going to another in Europe is unlikely to leave Europe.

This is largely for commercial and technical reasons, but it cannot be guaranteed. There is a chance that some will go via the US, and this is more likely if there is a fault of some sort. It is certainly not normal and means that a cordoned-off EU Internet is really not necessary - the US do not see the traffic normally. It also means that if we stopped traffic accidentally going via the US we would break the very back-up routing that makes the Internet work when there are faults.
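As an added illustration (not part of the original post), here is a toy model of the topology described above: two UK ISPs peering at a London exchange, one EU transit provider and one US transit provider. All network names, links and countries are constructed. It shows that the domestic path stays domestic, that losing the peering link pushes the same traffic through the US transit provider, and that forbidding any US hop under that same fault leaves the far ISP unreachable, which is the back-up routing point made above.

```python
"""Constructed ISP/transit topology used to trace where traffic actually goes.

Every node, link and country here is made up for the example; the structure
(ISPs peering locally, transit providers above them) follows the post's
description of how the Internet is wired together.
"""
from collections import deque

# node -> country it is located in (constructed)
NODES = {
    "isp-a.uk": "UK",
    "isp-b.uk": "UK",
    "linx": "UK",            # stands in for a London peering point
    "transit-1.eu": "EU",    # transit provider on the continent
    "transit-2.us": "US",    # transit provider in the US
}

# undirected links between nodes (constructed)
LINKS = [
    ("isp-a.uk", "linx"),
    ("isp-b.uk", "linx"),
    ("isp-a.uk", "transit-1.eu"),
    ("isp-b.uk", "transit-2.us"),
    ("transit-1.eu", "transit-2.us"),
]


def build_graph(down_links=(), blocked_countries=()):
    """Adjacency lists, omitting failed links and any node in a blocked country."""
    down = {frozenset(l) for l in down_links}
    graph = {n: [] for n, c in NODES.items() if c not in blocked_countries}
    for a, b in LINKS:
        if frozenset((a, b)) in down or a not in graph or b not in graph:
            continue
        graph[a].append(b)
        graph[b].append(a)
    for neighbours in graph.values():
        neighbours.sort()  # deterministic traversal order
    return graph


def find_path(src, dst, down_links=(), blocked_countries=()):
    """Shortest hop path from src to dst (BFS), or None if dst is unreachable."""
    graph = build_graph(down_links, blocked_countries)
    if src not in graph or dst not in graph:
        return None
    parent = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in graph[node]:
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def path_countries(path):
    """Set of countries a path passes through (empty set for no path)."""
    return {NODES[n] for n in path} if path else set()


if __name__ == "__main__":
    normal = find_path("isp-a.uk", "isp-b.uk")
    print("normal:", normal, path_countries(normal))
    fault = find_path("isp-a.uk", "isp-b.uk", down_links=[("isp-a.uk", "linx")])
    print("peering link down:", fault, path_countries(fault))
    cordon = find_path("isp-a.uk", "isp-b.uk",
                       down_links=[("isp-a.uk", "linx")], blocked_countries={"US"})
    print("same fault, US hops forbidden:", cordon)
```

Running it shows the three cases in order: the normal path never leaves the UK, the fault case traverses the EU and US transit providers, and the cordoned case returns no path at all.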

People dealing with US companies and web sites in the US

Of course this idea also makes no sense as people will routinely deal with companies in the US and access US web sites and services. Unless the Chancellor is suggesting actually unplugging the EU from the US and banning people from dealing with US web sites, then her proposals do nothing to help against the risk of snooping by the NSA in such cases.

Bear in mind that we regularly deal with US owned companies even when they have equipment in the EU. If any of these are in bed with the NSA the fact that they are within the EU Internet does not stop them sending data to the NSA.

We can't sensibly ban people from dealing with US companies.

Is there a real solution?

The question really is about what we can do to remove the threat of snooping by the NSA. Locking ourselves in a closed room is not the answer, so what is?

The answer is something we already know well - encryption. Most of us are familiar with the idea of a secure web site for when we access our bank, for example. This encrypts the data. There are ways to encrypt email in the same way, and these could be encouraged and supported by governments.

It may mean a few technical improvements to help people with key management and the like, but with some education and support a government could encourage much greater use of encryption for web pages, email and general Internet access.

When you use encryption you make it so that only you, and the other end, can see what you are doing. This raises some issues in itself.

Do you trust the far end?

A big issue here is how you trust the far end. What if they are a US owned company, or in the US anyway - they could be passing the data on anyway. Establishing trust is one of the biggest challenges with encryption systems. Just look at the list of Certificate Authorities in your browser. You have seriously trusted your browser supplier to give you a sensible list and you are trusting all of those companies you have never heard of in that CA list to authenticate people with which you deal via secure web sites. Scary!

There is always meta data!

Another big issue is that even when encrypted there is meta data - the information saying who you communicated with, and even subject lines in some cases. That data is an invaluable source of privacy invasion when collected on everyone. A lot of people use email provided by US companies, and use cloud services and all of these could be subject to snooping.

This comes down to trust again, and you would need better EU based and national services that people can use with the trust that they need.
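One concrete case of the metadata problem, added here as an example and not part of the original post: a TLS connection encrypts the page or the mail being fetched, but the very first message the client sends, the ClientHello, is in the clear and normally carries the server's host name in the Server Name Indication (SNI) extension. The code below builds a minimal ClientHello for a constructed host name and then parses it the way a passive observer on the path would, recovering who you are talking to without any key. The host names and the helper functions are this example's own.

```python
"""Show the host name leaking in a TLS ClientHello (SNI extension).

The ClientHello builder is a minimal constructed message with one cipher
suite and, optionally, one SNI extension; the parser walks the record the
same way a passive network monitor would.
"""
import struct

SNI_EXTENSION = 0x0000   # extension type for server_name (RFC 6066)


def build_client_hello(hostname, with_sni=True):
    """Return a constructed TLS record containing a ClientHello."""
    if with_sni:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", SNI_EXTENSION, len(sni_list)) + sni_list
        extensions = struct.pack("!H", len(ext)) + ext
    else:
        extensions = struct.pack("!H", 0)                          # empty extension block
    body = (
        b"\x03\x03"                            # client_version: TLS 1.2
        + b"\x11" * 32                         # client random (fixed here; real clients randomise)
        + b"\x00"                              # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"   # one cipher suite offered
        + b"\x01\x00"                          # one compression method: null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the SNI host name from a ClientHello record, or None if absent/not a ClientHello."""
    try:
        if record[0] != 0x16:                                  # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                                      # not a ClientHello
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        p = hs[4:4 + hs_len]
        if len(p) < hs_len:                                    # truncated capture
            return None
        off = 2 + 32                                           # skip version and random
        off += 1 + p[off]                                      # session_id
        off += 2 + struct.unpack("!H", p[off:off + 2])[0]      # cipher_suites
        off += 1 + p[off]                                      # compression_methods
        if off + 2 > len(p):                                   # no extensions at all
            return None
        ext_len = struct.unpack("!H", p[off:off + 2])[0]
        off += 2
        end = off + ext_len
        while off + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", p[off:off + 4])
            off += 4
            data = p[off:off + ext_size]
            off += ext_size
            if ext_type != SNI_EXTENSION:
                continue
            q = 2                                              # skip server_name_list length
            while q + 3 <= len(data):
                name_type = data[q]
                name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                if name_type == 0:
                    return data[q + 3:q + 3 + name_len].decode("ascii", errors="replace")
                q += 3 + name_len
        return None
    except (IndexError, struct.error):
        return None


if __name__ == "__main__":
    hello = build_client_hello("mail.example.eu")          # constructed host name
    print("observer sees:", extract_sni(hello))
    print("no SNI:", extract_sni(build_client_hello("mail.example.eu", with_sni=False)))
    print("not TLS:", extract_sni(b"GET / HTTP/1.1\r\n"))
```

The point for the discussion above: moving the server into the EU does not change what an observer on the path can read from this message, and the same kind of "who talked to whom" information is in DNS lookups and in mail headers between relays.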

The FaceBook problem

There is also the fact that people are often giving out lots of personal data freely. Creating more social networking sites is not easy - and nobody would join an EU version of FaceBook instead of the real thing where all of their mates are. This is a case where people freely agree to terms and conditions allowing their personal data to be used. As long as this happens, we will have to accept that a lot of privacy is lost and even that, for a lot of people, there is no longer any absolute concept of privacy as something they need in their lives.

The Chancellor needs to think carefully about what her objective is, then consider whether that is a sensible and achievable objective before suggesting solutions.

9 comments:

  1. Surely the best thing she can do is set up an EU top level SSL certification authority and make all web traffic HTTPS by default

  2. There are a few issues here:

    Firstly, the interconnects themselves - and you're quite right that *usually* domestic traffic isn't going to go via another country, with the main exception to this being where there is a major fault somewhere. And of course, in the case of a fault, we wouldn't want to prevent the rerouting of traffic since the alternative is for the networks on the other side of the fault to become unreachable.

    To my mind, the biggest issue is people using "cloud services" to store their data - whether this be using Gmail, MS Exchange Online, etc. for email, Dropbox, Google Drive, iCloud for files, etc. And we're increasingly seeing customers migrating from local servers to cloud services without any consideration for the data protection act - storing protected data on Exchange Online, for example, is almost certainly a breach of the DPA since there's no guarantee where in the world that data will be stored. From a data protection point of view, I don't think using these cloud services in any capacity is especially safe because I don't think you can rely on the employees using the services to ensure that protected data stays off them.

    There may be some way to legislate a bit to protect people though - companies like Google, MS, etc. do have presences in many countries, which may allow the governments of those countries to pressure them into ensuring data isn't routinely exported to foreign servers. I do wonder if it is possible to legislate about what these companies do when they receive a (possibly secret) court order from another country though - for example, can the EU pass laws that prevents Google from handing over EU data as a result of a US court order? Since Google has various EU offices, they need to comply with EU law so *maybe* this is possible, but I still wouldn't trust this kind of legislation to be effective.

    Regarding the Facebook problem, there are probably two separate issues here: the first is that a lot of people simply don't care that they are giving up privacy and many rights over their own data. The second is that there isn't a lot of choice due to network effects - if you want to connect with your friends on a social network then you must use the same network, irrespective of how much you might hate the T&Cs you have to agree to in order to use it. I would love to see a distributed social network in much the same way as XMPP provides a distributed IM network - I want to be able to post my photos on my own server but still have them integrate into my friends' social newsfeed, etc. In fact, that's about the only feature I can think that would make me switch from facebook(*) since all the other social networks such as Google+ are basically identical to facebook, with exactly the same problems, but without my friends on them.

    (* As it is, I do use Facebook, but I mostly avoid posting photos and suchlike because I have no interest in giving FB an unrestricted licence to use my works however they see fit)

    1. Indeed - I did wonder, by the way, if FaceBook could get unstuck on the whole photo licensing issue. It is not assigned copyright, only a licence, but I could later assign copyright in all of my photos to someone else, and that would make any licenses I have given invalid I assume. Just an idea.

    2. That seems like pretty much the same problem as posting any copyrighted works to facebook for which you don't own the copyright. Basically, your "contract" with FB (their T&Cs which you've agreed to) says that you grant them a licence, if you don't own the copyright then you're unable to do this so you're breaking the T&Cs.

      Of course, this isn't always a perfect defense - we've seen that Youtube hasn't been able to hide behind the "but the uploader granted us a licence" defense when it comes to copyrighted material.

      I guess licenses assigned to Facebook aren't unique either - if I grant/sell you a licence to use some of my work and then I sell the copyright to that work, either that licence magically becomes invalid (which doesn't sound right to me, especially if the licence terms didn't include a revocation clause), or the new owner of the copyright must still allow you to use my work under that licence. Having never actually assigned copyright on anything I had already licenced to someone, I'm not sure what the answer is - probably the worst that could happen is the new copyright owner could sue me for not telling them that they had some unexpected obligations (due diligence)?

    3. Oh, I should add that I think there's a massive difference between voluntarily giving up privacy (e.g. Facebook) and being forced to give up privacy (government snooping). For one thing, I can stop posting on FB at any time - whilst they still have everything I posted to date, they will stop getting fresh updates; the same is not true of mandatory snooping unless I choose to drop off the face of the internet entirely (obviously with the notable exception of stuff like Tor, although even that is of questionable security these days).

  3. And what about the big transit providers (Level3 etc) who interconnect a number of UK ISPs: since the transit provider is a US entity and therefore subject to US law, could the data be intercepted under US law but remain within the UK at all times?

    1. Is the UK side of the transit provider actually a US entity? Presumably the UK side also has employees and therefore would need to be a British company, so subject to British law?

  4. What I would like to see is all major cloud service providers (Amazon, Google, Microsoft, etc...) storing regional data in regional data centers and maybe a guarantee to do so enforced by the EU. E.g. EU end user data is kept within the EU just as a US user would have their data stored in US data centers.

    This is probably already done to a degree due to the ever increasing need for low latency, fast access to cloud data. I know that most Outlook, SkyDrive (OneDrive) and Xbox account data for EU users is kept in data centers in Dublin and Luxembourg.

    Hopefully the EU can work something out that doesn't discourage businesses from entering the EU market and provides a better quality of data security for data storage.

  5. I think the biggest elephant in the room is that the USA already has massive data interception in Europe at places such as Menwith Hill.
