Europe pivots between safety and privacy online
European countries lead a push for the right to anonymity in the Digital Age. But, in the wake of terrorist shootings in France, calls for greater surveillance rise, too.
Staff illustration by John Kehe
The following article was reported and written for The Christian Science MonitorWeekly prior to the deadly Charlie Hebdo attacks. It has been updated in spots to reflect how the violence is altering the debate on surveillance and privacy in Europe.
PARIS; AND BONN, GERMANY — A dozen men and women sit in a dark room at a technology firm in downtown Bonn, Germany, hunched over laptops. Their concentration is intense. Ranging in age from Millennials to seniors born during World War II, they drink free sodas and eat chips as they watch the evening’s host, Jochim Selzer, pace at the front of the room. He has long black hair pulled back in a ponytail. He points to images on a big projection screen: a computer keyboard, cellphone, and a wireless network router.
“Every step is a potential target for an attack,” he says ominously to the group. “But we can defend ourselves from all of those attacks.”
It could be just another arcane seminar for a bunch of Digital Age nerds. But this, in fact, is one of the fastest-growing phenomenons in Germany – the “cryptoparty.” The participants have come out on this night for one reason only: to learn how to keep governments and big business from snooping through their computers.
There is 20-something Fabian Schneider, who used to encrypt his hard drive for fun as a teenager but now codes his private e-mails and chats to prevent prying eyes from seeing them. There is 70-something Karl Conrad, a retired translator from Bonn who says his motivation for being here boils down to “a bad feeling.” Even though he’s from a generation that doesn’t do everything online, he’s unsettled by the information that former US National Security Agency staffer Edward Snowden revealed about the scope of American surveillance. “The NSA, it’s like the Stasi, which wanted to know every single detail about you,” he says, referring to the former East German secret police. “It’s despicable.”
Many others feel the same way. Across the country, Germans are gathering – in university halls, in private homes, or, as here, in donated office space – to learn how to use technology with terminology that may have seemed as foreign as Mandarin or advanced mathematics just a year ago. They’re attempting to master the complexities of new Web browsers that aim to provide anonymity for users, or computer programs that seek to ensure e-mails are read only by the intended recipients. Encryption as a form of security – in e-commerce transactions, for example – has long been commonplace. But fueled by anger, frustration, and, for a few, a dose of paranoia, citizens are turning a deep form of self-encryption – once the fringe domain of government geeks and a few private hackers – into a mainstream movement.
The trend is being driven by far more than just fear of NSA snooping or government surveillance in general, which may now be tempered in the aftermath of the Paris attacks. Across Europe, concern runs deep about how and why private data is being used. It is leading to new rules and actions throughout the 28-member European Union, from a major push by Brussels to hand greater privacy rights to European citizens, to a landmark court case giving people an unprecedented “right to be forgotten” from search engines in Europe, to a class action suit against Facebook in Austria.
It’s not that Europeans reject new technology. Despite the constant hand-wringing, they are still signing up for Gmail, Facebook, and Amazon in huge numbers. But the new laws and legal actions are being pushed by a new generation of computer techies, crusading bureaucrats, and privacy lawyers. They represent the front lines of a revolt that some call a clash of cyber civilizations – one that is moving Europe in a different direction than the United States on privacy and could set a new global standard against the unwieldy will of the Internet.
“It is probably true that in the future digital world people will ask for more privacy protection and more protection of personal data rather than less,” says Paul Nemitz, a director in the European Commission’s justice department. “As it was with the Green movement, which started in Europe and which led European industry to enormous competitiveness but had resistance in the beginning in the ’70s and ’80s, it is very well possible also with data we will see the same trend.”
• • •
When the US ambassador to Germany, John Emerson, is asked to explain to audiences the differences between American and German notions of privacy – which he is asked to do often – he uses Google Street View as a case study.
“What’s the first thing an American says when [he or she] sees Google Street View?” he says on a recent day at the US Embassy next to the Brandenburg Gate. “An American will go, ‘Hey, there’s Billy in the front yard.’ The German reaction is, ‘Oh my God, how can they do that?’ ”
Across Germany, street views on the website are actually blurred by pixels at the request of German citizens.
It’s perhaps not surprising, then, that Germany in general and Berlin in particular are ground zero of the global privacy movement. The German capital, once the headquarters of Stasi surveillance, has become a destination for companies and individuals seeking precisely the opposite – a sense of digital autonomy.
New transplants include Jacob Appelbaum, one of the founders of the Tor browser, short for The Onion Router, which shields the identity of users, and Laura Poitras, a documentary filmmaker who was one of three journalists to meet Mr. Snowden and receive his NSA files.
While Snowden is a wanted man in the US, he is a folk hero in Berlin. Posters decreeing “Asylum for Snowden” and “A Bed for Snowden” abound, sentiments that grew after revelations about the extent of US eavesdropping – including on the cellphone calls of well-loved German Chancellor Angela Merkel.
But a jealous guarding of privacy predates the NSA scandal and extends across the Continent. The ethos is rooted in decades of dictatorship, repression, and one-party rule in 20th-century Europe. In Germany, the police states of the Gestapo and the Stasi in East Germany built a standard in which not only governments spied on citizens, but neighbors spied on neighbors. Snowden only reinforced the backlash against surveillance and big data. Many countries, from Spain to Italy to Portugal, lived under repressive regimes.
Europeans also simply feel less comfortable handing over personal information. As one privacy expert puts it: Companies just want to “flog them for more things they don’t want or need.” Another derisively calls it the “Google-ization of the world.” In fact, for a growing number of Europeans, the American tech giant has become the emblem of the war over privacy – the symbol of American hegemony the way Coca-Cola or McDonald’s or Disneyland were in the past.
In France, where privacy is so tightly guarded that many citizens question whether an affair by their president should be front-page news – or news at all – anger was also widespread in the wake of the NSA revelations. The revulsion over surveillance runs deep even though the French government conducts extensive espionage of its own.
Yet some of the resistance to the Googles of the world stems from the same protectionist sentiment that the French have long aimed at Hollywood: They, and other Europeans, simply want to preserve their own home-grown high-tech industries from big outside companies. An anti-technology element, also rooted in ambivalence about the sway of Silicon Valley, accounts for some of the French rebelliousness, too, says Ben Tonra, a professor of international relations at University College Dublin in Ireland.
“There is something of a Luddite kind of perspective, certainly from the French perspective,” he says.
And Europe is hardly monolithic in its views about privacy. In Ireland, where many of the European subsidiaries of the big American computer and Internet companies are based, the fear of a loss of investment and jobs counteracts concerns about electronic surveillance and encroachment. Similarly, in Britain, which is part of the “Five Eyes” intelligence alliance with the US, Australia, Canada, and New Zealand, citizens have a higher threshold for the actions of their spy agencies.
“Take a country like the UK with the surveillance and the issue of spying. The iconography is slightly different,” says Claude Moraes, a member of the European Parliament. “You have Bletchley Park [where Britain broke German codes during World War II], you have James Bond, you have Britain being part of the Five Eyes.”
In the wake of the deadly Charlie Debdo attack in Paris, some European officials are calling for extending surveillance capabilities. Most notably, British Prime Minister David Cameron plans to propose sweeping anti-terror laws to give Britain a doorway into any encryption technology. Since it's possible for the government to read letters or listen to calls, said Mr. Cameron, "are we going to allow a means of communications where it simply is not possible to do that? My answer to that question is: no, we must not. The first duty of any government is to keep our country and our people safe.”
But that kind of rhetoric may just be politics, says Ian Brown, associate director of Oxford University's Cyber Security Centre. "I don't think it's a turning point," he says. While the Paris attacks jarred Europe, when it comes to the privacy movement, "I don't think it'll decisively shift things." That community, says Professor Brown, "is not going to change its position post-Paris."
Still, Europe will have to resolve these new tensions — similar to those that reverberate in the US — between security and anonymity on the Web, especially if greater privacy is viewed as making it harder to fight terrorism. Recently authorities in Europe have been granted greater powers to monitor the use of the Web to deter their citizens from becoming jihadis alongside Islamic State. Too much anonymity concerns law enforcement authorities as well, who worry about pornographers, drug dealers, and other nefarious types flourishing on the Internet when there is less transparency.
Yet all of Europe, Mr. Moraes says, agrees on one point that sets it apart from the US: If Americans value freedom of speech as an inalienable right that sometimes must trump privacy, in Europe the right to privacy is so fundamental that all national laws must consider it. As Spiros Simitis, who is dubbed “the godfather of privacy” because he drafted Germany’s pioneering protection law, puts it: “The protection of personal data, and restricted use of data, and right of people to decide what can be done is one of the most fundamental principles of a democracy,” he says.
• • •
Far away from the cryptoparty in Bonn, a privacy party of another sort is taking place. The guests are not in jeans but dark suits, conservative ties, and polished shoes. The meeting is at the headquarters of UNESCO in Paris, in the shadow of the world’s most formidable erector set, the Eiffel Tower.
The gathering is being hosted by Isabelle Falque-Pierrotin, France’s data protection chief, who is also the president of the Article 29 Working Party, a body of data privacy regulators for the EU. Fifteen of the regulators are sitting in the room here. There is also Mr. Nemitz from the European Commission and plenty of EU Parliament members. They don’t call themselves radicals. And they certainly don’t look the part. But these are the titans of privacy in Europe.
“We feel we are losing control over our data,” says Ms. Falque-Pierrotin, standing in front of the audience at the event in early December. She talks of Europe being at a “crossroads” and of an era of uncertainty that demands the Continent speak with one voice. For this group, 2015 is a pivotal year. The regulators hope to have in place a binding new privacy law to give citizens more say over what access companies have to their data and how it is used.
The EU already has stringent rules on privacy that date back to 1995, which were built upon tough laws crafted in European nation-states in the 1970s.
But the new regulation would be a law governing all EU states. It would also increase the enforcement powers of data regulators, potentially allowing them to impose fines of as much as $125 million on companies.
In fact, EU bureaucrats may represent the biggest threat to American technology companies in Europe. US firms have lobbied hard to keep the new privacy regulation from being adopted. “There may [be] some companies that fear for their competitiveness if Europe becomes a trust center for data like Switzerland is for money,” says Nemitz.
European bureaucrats insist they are not anti-technology. They see the privacy law as a boon for business, saving companies the administrative costs and uncertainty of dealing with 28 different regulatory regimes, while giving Europeans the trust they need to sign on as new consumers. If anything, they believe the law will allow companies to guarantee a new standard of privacy and market it the way firms now do a “green” or “organic” seal.
Scores of boutique firms are popping up to cater to the new privacy culture. They range from Lavaboom, a “secure” e-mail provider in Cologne, Germany, to Cozy Cloud, a French firm that allows users to store information on their personal cloud. Its motto, a play on Google’s “Don’t be evil” slogan, is “We can’t be evil.” “The EU is not against big tech. EU citizens, me included, really like using our devices,” says Moraes, the European MP. “We often appreciate the companies we are interacting with. The issue is about the principles of bulk collection, issues of trust, issues of mass surveillance, and issues of accountability.”
• • •
Max Schrems is dressed in a black button-down shirt and jeans, his hair trendily coiffed. His words jump out quickly and spontaneously when he talks, like popcorn in a popper. He often has to remind himself to slow down when he gives speeches at privacy conferences, which these days is frequently.
Mr. Schrems is the 20-something Austrian who catapulted from law school obscurity to the limelight when he filed a class action suit against Facebook’s European subsidiary in Ireland last summer, claiming several counts of violations of European privacy law.
He has since become a cause célèbre among data regulators and privacy advocates across Europe, the way French farmer José Bové, who destroyed a McDonald’s in the 1990s, became the darling of the antiglobalization set. He represents another dimension of Europe’s privacy movement – use of the courts.
Schrems was studying on a semester abroad at Santa Clara University in California’s Silicon Valley in 2011, when an executive from Facebook broached the subject of Europe’s stringent privacy laws to the students. “You can violate their laws. Nothing is going to happen,” Schrems recalls he essentially told them. “They didn’t know a European was in the class,” he says.
Afterward, he formed an advocacy group, Europe v. Facebook; met extensively with Facebook executives; and filed several complaints with the data protection regulator in Ireland, where the social network’s European headquarters is located. That prompted an audit of Facebook, which resulted in the company having to delete data and deactivate its facial recognition capabilities, he says.
But Schrems, in an interview at the UNESCO conference, where he was frequently thronged by fawning admirers, says the data regulator wouldn’t go much further, in part because of concerns of how it might affect Ireland’s IT sector. So in August he filed the class action suit in a Vienna court. Some 25,000 users signed on to the suit within just a few days before he closed the case. Legal action is now the only way, he says, that the social networking giant will be forced to act.
Many privacy advocates agree and see enforcement of one uniform law as the most important element of the new regulation the EU is drawing up. While the US doesn’t have overarching privacy legislation like Europe’s, Europe hasn't been able to enforce violations like the US Federal Trade Commission, according to Jan Philipp Albrecht, a German EU parliamentarian. If the regulation passes – and works – it would be a trailblazer.
“For the moment [companies] have had an easy way to circumvent existing laws in Europe by having these 28 different standards,” says Mr. Albrecht, a leading player for privacy in Europe.
But many have their doubts about the efficacy of the regulation. David Erdos, an expert in privacy law at the University of Cambridge in Britain, says enforcement will be difficult. It will take huge resources to police the vast universe of applications and algorithms.
“Data protection law is not managing to relate very well to digital reality generally, which [includes] thousands and thousands of app developers, hundreds and hundreds of Web platforms, and relates to hundreds of millions of individual users,” says Dr. Erdos. “There is a disproportionality between resources and the task Europe has set out for itself.”
• • •
By far the decision that has rattled American technology firms the most has been in the so-called right to be forgotten case, which originated with an aggrieved calligrapher in Spain. In a decision that ricocheted around the world, the European Court of Justice in Luxembourg ruled in May that individuals have the right to have personal data removed from search engines such as Google if it is “inadequate,” “irrelevant,” or “excessive.”
The case was launched by Mario Costeja González, who fought to have two newspaper briefs from 1998 that contained details of his financial woes removed from the Internet. The references continued to top search results 15 years later, even though his problems had long since been cleared up.
Many Europeans hailed the decision as ushering in a new sense of empowerment. EU privacy regulators say they want it applied to search engines outside Europe, too. So far, Google has received more than 193,000 requests to be “forgotten.” These range from one from a German rape victim who wanted a newspaper article about the crime removed (Google expunged pages from the search results for her name) to one from an Italian man who wanted articles of his arrest on financial charges eliminated (Google refused). In all, Google has rejected 60 percent of the requests it has received.
The desire of people to control what’s said about themselves is certainly understandable. Even in the US, where the passion for privacy doesn’t run as deep as in Europe, polls show a majority of Americans wish they could be “forgotten,” too. In the worst cases, careers have been ruined by defamatory blogs. People have been traumatized or needlessly humiliated. But even the most mundane information can bring a sense of powerlessness.
One British writer, for example, feels that with the “right to be forgotten” ruling she finally has the answer to a nagging problem: how to get her home address off the Web. Until now, she hasn’t been able to.
It began when her brother dreamed up a venture for a film company, using the family’s address as its headquarters, in 2001, before the Internet was pervasive. Once she realized the mistake, more than a decade later, she fought futilely to get her address removed from a British government database – and later from business directories. At best it was a nuisance. At worst it spooked her.
“I felt a bit hopeless. I didn’t know what to do about it,” she says. “I don’t mind having my own website. I don’t mind having my e-mail address out there, but I don’t want my home address [publicly available].”
And yet the “forgotten” case has continued to stir controversy, especially because it put multinational corporations in the position of deciding what gets removed from the Web and what doesn’t. The New York Times, in an editorial, criticized the court for its decision, saying that the desire to be forgotten is understandable but that the ruling could have ominous ramifications. “Such a purge would leave Europeans less well informed and make it harder for journalists and dissidents to have their voices heard,” it said.
Even in Spain, where the case originated, the decision hasn’t been embraced by all. When a Spanish news site published an article informing the public that Google had removed some references to members of the Basque terrorist group ETA, a victim rights group reacted angrily.
“Right to be forgotten advocates claim this is a human right, but that is arguable since it buries into oblivion all the actions against the most basic human right, which is the right to live,” says Francisco Saenz, from the Association of the Victims of Terrorism in San Sebastián in northern Spain. His father, a former police agent, was shot by ETA members in 1985.
It also is only one small slice of privacy control in the Digital Age – even though it has dominated global discussion. Leo Nuñez, a partner at the law firm Audens in Madrid that specializes in information technology, worked at Spain’s data privacy agency when the Costeja González case was lodged, and he has long agreed with Costeja González’s quest to be “forgotten.” But the ruling has helped only a fraction of the clients who have filed through their doors, requesting that defamatory or humiliating content about them be erased. In one case, a young woman who willingly agreed to have a television crew film her during a night out unwittingly became a national joke after the video, taken three years ago, went viral. In fact, if you type the equivalent of the word “trashy” in Spanish online, her image is one of the first to pop up. But because it’s her image, not her name, the “right to be forgotten” would do nothing to help her cause.
For Viktor Mayer-Schonberger, author of “Delete: The Virtue of Forgetting in the Digital Age,” the European court decision, while not perfect, has generated an important conversation. “In the analog ages, we have always forgotten stuff. Forgetting is built into our society,” he says. “It is only in the Digital Age that it’s become much harder to do. And the default from forgetting to remembering has repercussions: We cannot disassociate from past events and past transgressions. We are tied to past events even though they no longer have a connection to who we are as a person in the present.”
Forgetting is central to making decisions, moving forward, and forgiving, he says. “Remembering and forgetting aren’t in balance anymore.”
• • •
Mr. Selzer, the host of the cryptoparty in Bonn, agrees. He doesn’t think societies fully grasp how much technology has eroded our power to forget, either.
He was 14 years old when he got his first computer. The world of technology fascinated him. But its infinite possibilities also scared him. “It was so extremely powerful, and I knew that if you interact with the machine in a proper way the machine does what you want, and it gives you a feeling of ultimate power,” he says.
That’s what he says he’s working to keep in check. A Web administrator at the German postal service, he crisscrosses central Germany on his time off running these coding workshops. He says he lost count of the number of parties he has hosted after the 50th one.
“The Snowden hype is over, but the good thing is that people who are interested are really interested,” he says. “They come not because it’s hype but because they think privacy really matters.” ρ