Rebuilding: Lessons from Nehemiah Rebuilding Requires Good Leadership.
Transatlantic Digital Dialogue: Rebuilding Trust through Cooperative Reform
-
Upload
german-marshall-fund-of-the-united-states -
Category
Documents
-
view
215 -
download
0
Transcript of Transatlantic Digital Dialogue: Rebuilding Trust through Cooperative Reform
-
8/20/2019 Transatlantic Digital Dialogue: Rebuilding Trust through Cooperative Reform
1/22
TRANSATLANTIC DIGITAL DIALOGUE
Rebuilding Trust through Cooperative Reform
-
8/20/2019 Transatlantic Digital Dialogue: Rebuilding Trust through Cooperative Reform
2/22
CC BY-SA 2015 Te German Marshall Fund o the United States/stifung neue verantwortung
Tis paper is subject to a Creative Commons license (CC BY-SA). Te redistribution, publication, transormation or transla-
tion o publications which are marked with the license “CC BY-SA,” including any derivative products, is permitted under
the conditions “Attribution” and “Share Alike.” More details on the licensing terms can be ound here: http://creativecom-
mons.org/licenses/by-sa/4.0/
Please direct inquiries to:
Te German Marshall Fund o the United States
1744 R Street, NW
Washington, DC 20009
1 202 683 2650
F 1 202 265 1662
Te ransatlantic Digital Dialogue was supported by a grant rom the German Federal Foreign Office.
Tis publication can be downloaded or ree at http://www.gmus.org/listings/research/type/publication.
Te views expressed in GMF publications and commentary are the views o the author alone.
About GMF
Te German Marshall Fund o the United States (GMF) strengthens transatlantic cooperation on regional, national, and
global challenges and opportunities in the spirit o the Marshall Plan. GMF contributes research and analysis and convenes
leaders on transatlantic issues relevant to policymakers. GMF offers rising leaders opportunities to develop their skills and
networks through transatlantic exchange, and supports civil society in the Balkans and Black Sea regions by ostering demo-
cratic initiatives, rule o law, and regional cooperation. Founded in 1972 as a non-partisan, non-profit organization through
a gif rom Germany as a permanent memorial to Marshall Plan assistance, GMF maintains a strong presence on both sides
o the Atlantic. In addition to its headquarters in Washington, DC, GMF has offices in Berlin, Paris, Brussels, Belgrade,
Ankara, Bucharest, and Warsaw. GMF also has smaller representations in Bratislava, urin, and Stockholm.
About stiftung neue verantwortung
Te stifung neue verantwortung (snv) is a Berlin-based non-profit think tank that brings together expert ise rom politics,research institutions, NGOs and businesses in order to oster the development, discourse, and publication o non-par-
tisan policy proposals to address current political debates. Te policy research at snv is organized around three central
themes: Digitalization, Energy and Resources, as well as the Future o Government. Te snv produces analysis, publishes
policy recommendations, and builds inter-sectoral coalitions. Te goal is to combine the knowledge and experience o
governmental, business, academic, and civil-society stakeholders in order to inorm and co-create policy solutions. Te
independent approach o the snv is made possible by a mix o unding rom non-profit oundations, public institutions, and
businesses as well as oversight by a diverse and representative board o directors.
mailto:info%40gmfus.org?subject=http://www.gmfus.org/listings/research/type/publicationhttp://www.gmfus.org/listings/research/type/publicationmailto:info%40gmfus.org?subject=
-
8/20/2019 Transatlantic Digital Dialogue: Rebuilding Trust through Cooperative Reform
3/22
T D D
R T C R
N
Executive Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Framework of Deliberation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Oversight and Transparency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Extraterritorial Access to Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Cyber-Security Cooperation and Strong Encryption. . . . . . . . . . . . . . . . . . . . . 16
Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Appendix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
-
8/20/2019 Transatlantic Digital Dialogue: Rebuilding Trust through Cooperative Reform
4/22
T G M F U S2
E S
The Transatlantic Digital Dialogue is a multi-stakeholder working group of experts fromGermany and the United States. It was
assembled and stewarded by the Stiftung NeueVerantwortung and the German Marshall Fundof the United States to develop a constructiveagenda for the modernization of privacy/securitypolicy that begins to address the global debate overdigital surveillance.1 The findings presented hereare rooted in three convictions shared by all of theparticipants in the project: 1) that transatlanticrelationships have weakened as a result of the
fractious and inconclusive debate between the EUand the U.S. over surveillance practices; 2) thata multinational modernization of a rights-basedframework for privacy and security policy is neededto address these challenges; and 3) that solutionsshould be aligned with principles of human rights,responsive to the complex political economy ofsurveillance policy, and premised on commoninterests and values.
The Transatlantic Digital Dialogue presents thisreport as a framework of analysis for re-building
trust and democratic legitimacy in the transatlanticrelationship in cyberspace. The agenda we presenthere offers three areas of policy recommendationswith clear opportunities for reform. In some cases,the primary objective is a bilateral or multilateralagreement on international standards of practice.In some cases, the focus is more specifically onharmonizing domestic law around a commonframework.
1) Oversight and Transparency — In orderto restore trust and legitimacy to the law
1 Participants are listed in the appendix of this report. Allof the participants in this working group contributed ideas,analysis, and intense deliberation to this process. This reportis a summary of the discussion and conclusions of the workinggroup sessions prepared by rapporteurs in the hosting institu-tions. However, participation by a company, institution orindividual in the working group does not imply endorsement ofany particular proposal or statement in this report.
governing surveillance practices in all securityservices, standards for authorization, oversightand transparency need to be modernized. Inthis area, the U.S. government has publishedseveral expert reviews and enacted practicalreforms that could serve as the baseline for anew framework for both sides of the Atlantic.Most important here are new restrictionson the scope of authorized data collection,transparency in decision-making, and strongerindependent review. To inform what newelements a transatlantic framework might
include, we conclude that reform proposalsunder consideration in the German Parliamentwould represent groundbreaking stepstoward strengthening democratic oversight.At the center of this proposal are a majorexpansion in the judicial review of surveillanceauthorization and greatly increased capacityfor oversight bodies. These initiatives on bothsides of the Atlantic call for a greater exchangeof ideas and could position Germany and theU.S. as global leaders in the development ofnew international standards for oversight and
transparency.
2) Extraterritorial Access to Data — Nationallaws and international agreements regulatinggovernment access to commercial data, such asMutual Legal Assistance Treaties, have failedto adapt effectively to technology developmenton the Internet. As the recent EU court rulingon data exchange with the U.S. shows, there aredivergent views on the alignment of law andtechnology. Consequently, there is an urgentneed to resolve conflicting national laws by
developing common rules among countries forhow law enforcement practices in one nationwill apply to the data of citizens from othernations. Both government and businessesneed a clear framework for how to handlerequests for legitimate access to user data.
-
8/20/2019 Transatlantic Digital Dialogue: Rebuilding Trust through Cooperative Reform
5/22
T D D 3
And citizens deserve to know how and whenthe law is applied. The existing agreements onlaw enforcement cooperation — including theBudapest Convention on Cybercrime, the EUsystem for law enforcement coordination, andthe newly signed U.S./EU Umbrella Agreement— could provide a useful foundation for thisprocess of harmonizing policy. However,both sides must agree to modernize standardsfor which laws will apply when, how, and towhom.
3) Cyber-Security and Strong Encryption — Boththe United States and European Union sharean interest in establishing stronger frameworksfor collaboration in cyber-security to protectcritical infrastructure and data assets fromcyber-attack and espionage. Technologistsargue that strong cryptography is crucial toprotect communications from digital assailantswith increasing sophistication. Thus manyexperts in the U.S. and Germany regard strongencryption as a central element of cyber-security. The German government in particular
has made commitments to strong encryptionthat — if adopted by the United States — couldserve as the trust anchors for the cooperativedevelopment of new transatlantic systems ofsecure communications. We conclude that acommon position on strong encryption createsthe basis for more collaboration on a variety ofissues from security certification standards tothreat intelligence to protection against cyber-crime and industrial espionage.
Taken as a package of issues, there is a symmetry ofcorresponding strengths and weaknesses betweenthe two countries. A focused bilateral engagementcould seek to set standards based on the strengthsof each side and in so doing raise the quality ofpolicy for both as well as establish a model forother nations to follow in their own modernizationefforts. The bilateral engagement between theUnited States and Germany is a test case in thisregard for the possibility of broader agreement atthe EU level (both within the EU and between theEU and the United States).
The discussion and recommendations providedhere reflect the views of the working group thatrestoring trust in transatlantic digital practice willrequire policies drawn from principles of humanrights, civil liberties, security, and the rule of law.Moreover, we emphasize that the controversy oversecurity and privacy policy has strong economiccomponents as well — with costly consequencesfor both the United States and the EU if theyremain unresolved. Although we expect there willlong remain areas of disagreement between the
United States and Germany (as well as the broaderEuropean Union), these will be vastly outweighedby common values and common interests. Themore constructive the policy engagement andcooperation we can build in the areas where weagree, the more likely it is we will be able to addressthose areas where we do not.
The discussion and
recommendations
provided here refle
the views of the wo
group that restoring
trust in transatlant
digital practice willrequire policies dra
from principles of
human rights, civil
liberties, security, a
the rule of law.
-
8/20/2019 Transatlantic Digital Dialogue: Rebuilding Trust through Cooperative Reform
6/22
T G M F U S4
In the course of the debate over rights, liberties,and security in the two years since the Snowdendisclosures, public opinion and national politics
in Europe and the United States have been sharplydivided. While the initial outrage over U.S.surveillance activities in Europe has largely passed,it is clear that the breach of trust will pose anenduring challenge for transatlantic cooperation.The relationship rests on decades of close alignmentand partnership, but in cyberspace this allianceis now fraught with concerns that will not easilybe resolved. These concerns are about the U.S.
surveillance practices that continue (relativelyunabated) despite the political debate; but they arealso about the consequences of Europe’s response tothose practices. In some ways, the current challengesreflect a broader strategic and historical context inwhich the United States has taken a more offensiveapproach to cyber-capabilities while the EU hasfocused on strengthening its internal security.
The central political issue is the expectation of dataprivacy rights and an apparent divergence of valuesover the rights-based limits on surveillance for
security purposes. This is not only about the scaleof data collection enabled by modern technology,it is also about the norms of legitimacy and theenforcement of laws governing surveillance. Thesecritiques are directed at governments in the EUas well as in the United States, particularly asthe extent of transatlantic cooperation betweensecurity services becomes more evident. The gapbetween the growing power of digital technologyand the inadequacy of existing laws to contain ithas emerged as a common theme on both sides ofthe Atlantic. However, the size and scope of U.S.
capabilities revealed in the Snowden documentsfocuses most of the attention on Washington.
This debate has led to a variety of proposals inEurope to push back on U.S. surveillance. Severalof these have fostered a second set of concernsshared by both U.S. and EU stakeholders. Some
of the policy responses contemplated in Europeancapitals would decisively change the marketsfor transnational data flow, the architectures ofdistributed computing, and the legal regimes thatgovern them within and between countries. Forexample, the recent decision from the EuropeanCourt of Justice invalidates existing agreementsfor transatlantic data flow and demandsmodernization.2 This ruling creates renewedurgency for negotiating new agreements andrevisiting a discussion about norms. Embeddedin any such reform process are high-level
disagreements over the application of internationallaw, violations of sovereignty, and the appropriatecriteria to legitimize surveillance as necessaryand proportionate in democratic nations. Boththe critique of current surveillance practicesand the proposed reactions to them boil downto deep concerns about how the laws governingsurveillance on one side of the Atlantic will treatthe rights of citizens on the other.
Despite the intensity of the debate, the mostsignificant reforms of U.S. surveillance practice
enacted in the last two years have not directlyaddressed the core issues in the dispute with theEU. However, neither the EU or any member stateshave taken major countermeasures against theUnited States — though this may change in thewake of the court decision on transatlantic dataflows. Meanwhile, the impact of the distrust is feltin market distortions and in an increasingly cynicalpublic opinion. The most recent TransatlanticTrends survey of the German Marshall Fundreported a “cooling” relationship between Germanyand the United States since 2013. From 2013 to
2014 the approval rating of President Obamain Germany fell by 20%. At the same time, theshare of German respondents who called for a
2 Court of Justice of the European Union. Case C-362/14. Maximillian Schrems v Data Protection Commissioner. October6, 2015.
F D
1
The central political
ssue is the expectation
of data privacy rights
and an apparent
divergence of values
over the rights-based
limits on surveillancefor security purposes.
This is not only about
the scale of data
collection enabled by
modern technology, it
s also about the norms
of legitimacy and the
enforcement of laws
governing surveillance.
-
8/20/2019 Transatlantic Digital Dialogue: Rebuilding Trust through Cooperative Reform
7/22
T D D 5
The United States a
Europe need to reb
a common strategy
for the Internet — a
harmonization of fo
policy through para
domestic policy chaQuiet acquiescence
to the status quo w
not suffice to realig
interests and bridg
the divides that hav
opened in the last t
years. The United S
and the EU will ben
from a resolution
both politically and
economically.
more independent approach in the transatlanticrelationship rose from 40% to 57%.3 And whilethe transatlantic alliance proceeds with business asusual in many respects, the signs of fracture overdata policy appear consistently — for examplein the public debate over the Transatlantic Tradeand Investment Partnership.4 The lack of interestin Washington and the impotence of Europeto produce a viable reform agenda deepens anormative pessimism about the Internet that willbe difficult to reverse, if it remains unaddressed.Organized efforts within civil society and business
on both sides of the Atlantic have begun seekingchange in the courts and in market practice —as well as before legislatures. Meanwhile, thediscussions between governments on surveillancepolicy have gone relatively quiet.
The United States and Europe need to reboota common strategy for the Internet — aharmonization of foreign policy through paralleldomestic policy change. Quiet acquiescence tothe status quo will not suffice to realign interestsand bridge the divides that have opened in the
last two years. The United States and the EU willbenefit from a resolution both politically andeconomically. But conversely, political leaders onboth sides are wary of the political risks involvedand the consequences of trying and failing. Thisproject seeks to assemble the voices of civil society,academia, and business from the United States andGermany to serve as a catalyst for this necessaryengagement. We intend here to set an agenda of
3 German Marshall Fund of the United States. 2014. “Transat-lantic Trends: Key Findings 2014.” p23-24. http://trends.gmfus.org/files/2012/09/Trends_2014_complete.pdf
4 Jeremy Fleming. 2013. “TTIP: Data is the elephant in theroom.” EurActiv. http://www.euractiv.com/specialreport-eu-us-trade-talks/ttip-data-elephant-room-news-530654 ; EuropeanParliament. 2015. “TTIP: Trade agreements must not under-mine EU data protection laws, say Civil Liberties MEPs.” CivilLiberties Committee. http://www.europarl.europa.eu/news/en/news-room/content/20150330IPR39308/html/TTIP-Trade-agreements-must-not-undermine-EU-data-protection-laws-say-MEPs
constructive policy recommendations that unite theUnited States and the EU around common interestswhile achieving reform of data privacy/securitypolicy.
We start from the premise that modernizingdata policy for the digital age must begin withthe human rights and civil liberties that embodyour democratic values. These principles must beapplied in practice in ways that support securityinterests without being eclipsed by them. Hereinlies the essence of democratic legitimacy — the
assurance that the power of the state will be applied judiciously, with transparent adherence to the law,and within the constraints of liberal social values.Further, we recognize that the practice of securitypolicy in the digital age necessarily implicateseconomics. The owners of most digital networksand the controllers of most of the world’s data areprivate companies. And sustaining the growth ofdigital commerce (which requires restoring trustin secure communications) is a strong transatlanticinterest, joined as we are by a multi-national supplychain and networked global markets.
The stakes of these debates are therefore veryhigh — testing our commitments to democraticprinciples, public safety, and economic prosperity.These challenges will not be solved quickly — andthey will not be solved by governments alone.We believe the inclusion of multi-stakeholderparticipants in these dialogues and a transparentprocess of deliberation will give governmentsimpetus to act, strengthen the quality of proposedsolutions, and achieve that which has eluded usfor over two years — progress toward common
goals. Therefore, we present this analysis and policyagenda with the intention to initiate a reformprocess around the three major issues of oversight/transparency, extraterritorial access to data, andcyber-security and encryption, which combinepolitical, economic, and social interests at thecenter of the transatlantic relationship.
http://trends.gmfus.org/files/2012/09/Trends_2014_complete.pdfhttp://trends.gmfus.org/files/2012/09/Trends_2014_complete.pdfhttp://www.euractiv.com/specialreport-eu-us-trade-talks/ttip-data-elephant-room-news-530654http://www.euractiv.com/specialreport-eu-us-trade-talks/ttip-data-elephant-room-news-530654http://www.europarl.europa.eu/news/en/news-room/content/20150330IPR39308/html/TTIP-Trade-agreements-must-not-undermine-EU-data-protection-laws-say-MEPshttp://www.europarl.europa.eu/news/en/news-room/content/20150330IPR39308/html/TTIP-Trade-agreements-must-not-undermine-EU-data-protection-laws-say-MEPshttp://www.europarl.europa.eu/news/en/news-room/content/20150330IPR39308/html/TTIP-Trade-agreements-must-not-undermine-EU-data-protection-laws-say-MEPshttp://www.europarl.europa.eu/news/en/news-room/content/20150330IPR39308/html/TTIP-Trade-agreements-must-not-undermine-EU-data-protection-laws-say-MEPshttp://www.europarl.europa.eu/news/en/news-room/content/20150330IPR39308/html/TTIP-Trade-agreements-must-not-undermine-EU-data-protection-laws-say-MEPshttp://www.europarl.europa.eu/news/en/news-room/content/20150330IPR39308/html/TTIP-Trade-agreements-must-not-undermine-EU-data-protection-laws-say-MEPshttp://www.europarl.europa.eu/news/en/news-room/content/20150330IPR39308/html/TTIP-Trade-agreements-must-not-undermine-EU-data-protection-laws-say-MEPshttp://www.europarl.europa.eu/news/en/news-room/content/20150330IPR39308/html/TTIP-Trade-agreements-must-not-undermine-EU-data-protection-laws-say-MEPshttp://www.euractiv.com/specialreport-eu-us-trade-talks/ttip-data-elephant-room-news-530654http://www.euractiv.com/specialreport-eu-us-trade-talks/ttip-data-elephant-room-news-530654http://trends.gmfus.org/files/2012/09/Trends_2014_complete.pdfhttp://trends.gmfus.org/files/2012/09/Trends_2014_complete.pdf
-
8/20/2019 Transatlantic Digital Dialogue: Rebuilding Trust through Cooperative Reform
8/22
T G M F U S6
In both the European
Union and the United
States, there are
structural weaknesses
in the legal systems
for authorization and
review of surveillancepractices because the
laws and institutions
established to govern
these powers predate
the advent of digital
technology. Technical
expertise is often in
hort supply; resources
are insufficient to
provide for meaningful
accountability; andansparency is avoided
in pursuit of efficacy
and secrecy.
Summary
Germany and the United States should usethe work of this Dialogue as a startingpoint to develop best practices regarding
the structure and methods of oversight andtransparency. These policies hold security agenciesto the standards, criteria, and procedures underwhich domestic laws authorize surveillance andrestrict the operation of such programs. Oversightand control over the application of “digital power”are critical for restoring legitimacy in the publiceye. In both the European Union and the United
States, there are structural weaknesses in the legalsystems for authorization and review of surveillancepractices because the laws and institutionsestablished to govern these powers predate theadvent of digital technology. Technical expertiseis often in short supply; resources are insufficientto provide for meaningful accountability; andtransparency is avoided in pursuit of efficacy andsecrecy.
The most significant public policy reforms inthe post-Snowden era have been initial steps to
address these problems. We find that contraryto popular representation, U.S. laws on oversightof surveillance contains myriad constraints onthe security services. And while they may beconsidered modest in impact, they are morecomprehensive than similar laws in Germany.Further, the Obama administration has expandedthese oversight provisions to tighten restrictionson authorization and operation of surveillancepractices as well as to increase transparency. Noneof these reforms has yet been pursued in Europe.However, the German government is debating a setof procedural reforms that would set a new globalstandard for democratic oversight of surveillanceprograms.5 We conclude that these efforts represent
5 Georg Mascolo. 2015. “Dem BND droht eine Revolution.”Süddeutsche Zeitung . http://www.sueddeutsche.de/politik/bundesnachrichtendienst-unter-freunden-1.2679411
an alignment of interests and should function asa basis of further modernization and subsequentharmonization of law governing surveillancepractices across all security services — includingintelligence agencies.
Discussion
Pragmatic discussions over domestic legal reformin both the United States and Germany havefocused on issues of standards, oversight, andtransparency of digital surveillance programs.Among the commitments in Presidential Policy
Directive 28 (the Obama administration’s formalresponse to the Snowden debate), the White Houseordered U.S. intelligence agencies to improvestandards of transparency, internal oversight andaccountability.6 The White House Review Group7 and the Privacy and Civil Liberties OversightBoard8 have been only the most prominent ofnumerous expert inquiries offering sharp critiqueand practical recommendations for reform onprocedural issues. These reforms are also corecomponents of the USA Freedom Act — thelegislation signed into law by U.S. President BarackObama in June 2015.9 For example, the USAFreedom Act creates a panel of experts on privacy,civil liberties, and technology to offer consultationand guidance to the FISA Court (the panel of
judicial review for surveillance authorized by theForeign Intelligence Surveillance Act). The new law
6 The White House. 2014. “Presidential Policy Directive —Signals Intelligence Activities.” https://www.whitehouse.gov/the-press-office/2014/01/17/presidential-policy-directive-signals-intelligence-activities
7 The White House. 2013. “President Obama’s Meeting with the
Review Group on Intelligence and Communications Technolo-gies.” https://www.whitehouse.gov/the-press-office/2013/12/18/president-obama-s-meeting-review-group-intelligence-and-communications-t
8 Privacy and Civil Liberties Oversight Board. https://www.pclob.gov/about-us.html
9 USA Freedom Act. H.R. 2048. http://judiciary.house.gov/index.cfm/usa-freedom-act
O T
2
http://www.sueddeutsche.de/politik/bundesnachrichtendienst-unter-freunden-1.2679411http://www.sueddeutsche.de/politik/bundesnachrichtendienst-unter-freunden-1.2679411https://www.whitehouse.gov/the-press-office/2014/01/17/presidential-policy-directive-signals-intelligence-activitieshttps://www.whitehouse.gov/the-press-office/2014/01/17/presidential-policy-directive-signals-intelligence-activitieshttps://www.whitehouse.gov/the-press-office/2014/01/17/presidential-policy-directive-signals-intelligence-activitieshttps://www.whitehouse.gov/the-press-office/2013/12/18/president-obama-s-meeting-review-group-intelligence-and-communications-thttps://www.whitehouse.gov/the-press-office/2013/12/18/president-obama-s-meeting-review-group-intelligence-and-communications-thttps://www.whitehouse.gov/the-press-office/2013/12/18/president-obama-s-meeting-review-group-intelligence-and-communications-thttps://www.pclob.gov/about-us.htmlhttps://www.pclob.gov/about-us.htmlhttp://judiciary.house.gov/index.cfm/usa-freedom-acthttp://judiciary.house.gov/index.cfm/usa-freedom-acthttp://judiciary.house.gov/index.cfm/usa-freedom-acthttp://judiciary.house.gov/index.cfm/usa-freedom-acthttps://www.pclob.gov/about-us.htmlhttps://www.pclob.gov/about-us.htmlhttps://www.whitehouse.gov/the-press-office/2013/12/18/president-obama-s-meeting-review-group-intelligence-and-communications-thttps://www.whitehouse.gov/the-press-office/2013/12/18/president-obama-s-meeting-review-group-intelligence-and-communications-thttps://www.whitehouse.gov/the-press-office/2013/12/18/president-obama-s-meeting-review-group-intelligence-and-communications-thttps://www.whitehouse.gov/the-press-office/2014/01/17/presidential-policy-directive-signals-intelligence-activitieshttps://www.whitehouse.gov/the-press-office/2014/01/17/presidential-policy-directive-signals-intelligence-activitieshttps://www.whitehouse.gov/the-press-office/2014/01/17/presidential-policy-directive-signals-intelligence-activitieshttp://www.sueddeutsche.de/politik/bundesnachrichtendienst-unter-freunden-1.2679411http://www.sueddeutsche.de/politik/bundesnachrichtendienst-unter-freunden-1.2679411
-
8/20/2019 Transatlantic Digital Dialogue: Rebuilding Trust through Cooperative Reform
9/22
T D D 7
requires the declassification of FISA Court opinionsthat contain novel interpretations of law, includingthe defined scope of search terms. These proceduralreforms are important and could serve as a modelfor parallel efforts in Europe.
In Germany, oversight and transparency are centralthemes in the debate over surveillance. Ironically,the German parliamentary investigation into theNational Security Agency (NSA) has uncoveredlittle new information about the NSA, but agreat deal about the cooperation of the German
intelligence agency (BND) with the NSA. Manyof the critiques leveled at BND practices focuson oversight and accountability. Warnings aboutthe inadequacy of the oversight mechanisms inGermany have come directly from the members(past and current) of the oversight bodies (G10Commission and Parliamentary Control).10 Inaddition, prominent legal scholars and former
judges have concluded that the application ofsurveillance policies on non-citizens is likelyunconstitutional.11 Finally, scrutiny of thecooperation between the BND and the NSA
(now a central issue in the German debate) isfundamentally concerned with whether theseprograms were properly authorized and reviewed.12 At issue is the legitimacy of surveillance programsthat operate with the imprimatur — but not thereality — of informed and competent oversight.
10 Berthold Huber. 2013. “Die strategische Rasterfahndung desBundesnachrichtendienstes – Eingriffsbefugnisse und Rege-lungsdefizite.” Neue Juristische Wochenschrift 2013. p. 2572
11
Matthias Bäcker. 2014. “Erhebung, Bevorratung und Über-mittlung von Telekommunikationsdaten durch die Nach-richtendienste des Bundes.” Stellungnahme zur Anhörung desNSA-Untersuchungsausschusses am 22. Mai 2014. https://www.bundestag.de/blob/280844/35ec929cf03c4f60bc70fc8ef404c5cc/mat_a_sv-2-3-pdf-data.pdf
12 Stefan Wagstyl. 2015. “Revelations of role in spying on alliesturn tables on Berlin.” Financial Times Europe. http://www.ft.com/cms/s/0/3bf16734-fd5d-11e4-b072-00144feabdc0.html
In the last months, the German governmenthas begun a serious debate about whether totake steps to set the world’s highest standard ofsurveillance oversight.13 In response to the workof the Inquiry Committee, the Social DemocraticParty (the coalition partner of the ruling ChristianDemocrats in the current government) publisheda policy paper outlining a reform agenda.14 Central elements of the proposal focus on a broadexpansion of the capacity in the authorization andoversight of BND surveillance. Some parliamentaryleaders have called for quasi-judicial review of
all surveillance programs, including the foreign-to-foreign communications that do not currentlyrequire external authorization. Increased oversightand transparency is seen as a direct path back tolegitimacy. Thus far, these efforts have not resultedin a legislative draft, but that is expected eitherlater this year or in 2016. Representatives fromboth parties in the coalition government are stillnegotiating main components of the reform. Theyhave already agreed to strengthen parliamentaryoversight. The parliamentary oversight committeewill be supported by a commissioner with staff
consisting of legal, data protection, and technicalexperts who will be responsible for examiningany aspect of the work of the intelligence agencieson behalf of the parliament. Other issues suchas a broader application of constitutionalprivacy protections and higher standards for theauthorization and review of surveillance programsare more controversial and still hotly debated.
Recommendation
The similarities between the German and U.S.
systems of legal authorization for surveillance —
13 Georg Mascolo. 2015. “Dem Bundesnachrichtendienst drohteine Revolution.” Süddeutsche Zeitung. http://www.sueddeutsche.de/politik/bundesnachrichtendienst-unter-freunden-1.2679411
14 SPD-Bundestagsfraktion. 2015. “Rechtsstaat wahren – Sicher-heit gewährleisten!.” http://www.spdfraktion.de/sites/default/files/2015-06-16-eckpunkte_reform_strafma-r-endfassung.pdf
https://www.bundestag.de/blob/280844/35ec929cf03c4f60bc70fc8ef404c5cc/mat_a_sv-2-3-pdf-data.pdfhttps://www.bundestag.de/blob/280844/35ec929cf03c4f60bc70fc8ef404c5cc/mat_a_sv-2-3-pdf-data.pdfhttps://www.bundestag.de/blob/280844/35ec929cf03c4f60bc70fc8ef404c5cc/mat_a_sv-2-3-pdf-data.pdfhttp://www.ft.com/cms/s/0/3bf16734-fd5d-11e4-b072-00144feabdc0.htmlhttp://www.ft.com/cms/s/0/3bf16734-fd5d-11e4-b072-00144feabdc0.htmlhttp://www.sueddeutsche.de/politik/bundesnachrichtendienst-unter-freunden-1.2679411http://www.sueddeutsche.de/politik/bundesnachrichtendienst-unter-freunden-1.2679411http://www.spdfraktion.de/sites/default/files/2015-06-16-eckpunkte_reform_strafma-r-endfassung.pdfhttp://www.spdfraktion.de/sites/default/files/2015-06-16-eckpunkte_reform_strafma-r-endfassung.pdfhttp://www.spdfraktion.de/sites/default/files/2015-06-16-eckpunkte_reform_strafma-r-endfassung.pdfhttp://www.spdfraktion.de/sites/default/files/2015-06-16-eckpunkte_reform_strafma-r-endfassung.pdfhttp://www.sueddeutsche.de/politik/bundesnachrichtendienst-unter-freunden-1.2679411http://www.sueddeutsche.de/politik/bundesnachrichtendienst-unter-freunden-1.2679411http://www.ft.com/cms/s/0/3bf16734-fd5d-11e4-b072-00144feabdc0.htmlhttp://www.ft.com/cms/s/0/3bf16734-fd5d-11e4-b072-00144feabdc0.htmlhttps://www.bundestag.de/blob/280844/35ec929cf03c4f60bc70fc8ef404c5cc/mat_a_sv-2-3-pdf-data.pdfhttps://www.bundestag.de/blob/280844/35ec929cf03c4f60bc70fc8ef404c5cc/mat_a_sv-2-3-pdf-data.pdfhttps://www.bundestag.de/blob/280844/35ec929cf03c4f60bc70fc8ef404c5cc/mat_a_sv-2-3-pdf-data.pdf
-
8/20/2019 Transatlantic Digital Dialogue: Rebuilding Trust through Cooperative Reform
10/22
T G M F U S8
The similarities
between the German
and U.S. systems of
legal authorization for
surveillance — and the
rallels in the oversight
structure — open anopportunity for working
on common types
of reform proposals.
Drawing from the ideas
and actions of the
Obama administration
as well as the current
debate in the German
parliament, the options
n the table are already
very significant.
and the parallels in the oversight structure — openan opportunity for working on common types ofreform proposals. Drawing from the ideas andactions of the Obama administration as well asthe current debate in the German parliament, theoptions on the table are already very significant.The two governments should explore a variety ofproposals for the improvement of oversight as ameans to limit surveillance and to reestablish publiclegitimacy. These could include:
• Governments should publish an official
interpretation of legal authority underspecific statutes to authorize specific typesof surveillance. This should include alist of the delimited purposes for whichsurveillance is authorized. It should identifythe procedural/operational restrictions onauthorized surveillance programs. And itshould clarify the requirements for reportingto oversight bodies, the rights/duties of thoseoversight bodies, and the mechanisms forcorrecting noncompliant practices. Even if thispublication represents no change to existing
practices, the act of codification is beneficialbecause it establishes an opportunity for publicevaluation.
• The institutions of authorization and oversightof surveillance programs should receivesubstantial increases in the size of staff andbudget allocations. In particular, decision-makers should have access to technologists,attorneys, and analysts (with appropriatesecurity clearances) sufficient to evaluate fullythe claims made by the requesting agency
concerning the necessity and proportionality ofa particular surveillance operation.
• Governments should create/enhancemechanisms for permanent, independentoversight. These might include examples suchas the Privacy and Civil Liberties Oversight
Board in the United States or the commissionerfor the oversight of security services proposedin Germany. The professionalization andmaintenance of oversight activities that informpolicy decisions will support evolving reformover time.
• Authorization and oversight proceedingsshould include adversarial counsel so thatdecision-makers may hear views independentof those offered by the government.
• Governments should set and implement public
standards for the publication of all non-classified elements of authorizing decisions andoversight reports — including the numbersof errors in the minimization process. Inparticular, all novel interpretations of law inthe authorizing process should be availablefor public review (with appropriate redactionsfor sources and methods). Elements of thesestandards were codified in the USA FreedomAct.15
• Governments should require regular public
reporting by all public agencies (and stronglyencourage the practice in the private sector)about the number, type, and purpose ofinterception requests, the number of people/communications affected, as well as the criteriacited to authorize surveillance.
• Governments should have explicit andpublished restrictions/rules on intelligenceacquisition from foreign agencies in order torespect national laws. Raw intelligence may notbe accepted from a partner country that would
have been illegal to gather at home, and vice versa.
15 USA FREEDOM Act of 2015. TITLE VI: FISA Transparencyand Reporting Requirements. Section 602.
-
8/20/2019 Transatlantic Digital Dialogue: Rebuilding Trust through Cooperative Reform
11/22
T D D 9
• Governments should define public standardsfor the rights of non-citizens subjected tosurveillance programs. Ideally these standardsshould be identical to those offered to citizens.However, if there is differentiation, that shouldbe explicit in the law.
• Governments should establish an effectiveform of judicial (or quasi-judicial) review ofall surveillance requests evaluated against thesame rights-based standard and interpreted onnecessary/proportionate criteria.
• Governments of allied countries that shareintelligence and defense resources shouldinitiate inter-parliamentary dialogue betweenoversight committees of surveillance programs.These exchanges should be designed to sharebest practices and to anticipate emergingproblems.
If a number of these policies were implemented bycountries on both sides of the Atlantic, this wouldrepresent a major reform of surveillance policy.It would also mark significant progress towardaddressing the issue of adequate fundamental rightsprotections identified in the ECJ decision on SafeHarbor. What we propose here is that the startingpoint for bilateral engagement is to identify abaseline of practices that already exist in at least onecountry, engage directly on common incrementalreforms, and contemplate a path forward tosystematic change and harmonization of standards
for authorization, oversight, and transparency.
-
8/20/2019 Transatlantic Digital Dialogue: Rebuilding Trust through Cooperative Reform
12/22
T G M F U S10
The problem of access
data is a fundamental
one for U.S.- EU
economic relations.
Firms on both sides of
the Atlantic routinely
share data withincorporate subsidiaries,
to vendors, suppliers,
and customers.
Moreover, in modern
cloud computing
architectures, data
may not be exclusively
stored in one location
— but rather in many
locations.
Summary
Germany and the United States shouldexplore a bilateral (or multilateral)framework to regulate governmental access
to extraterritorial commercial data for legitimatelaw enforcement purposes.16 This frameworkshould first seek to address two problems.
The first is Europe’s concern that U.S. lawenforcement may access the data of Europeancitizens (even when on servers located in Europe)by presenting a U.S. company with a lawful order.
The criteria for this warrant are a matter of U.S. law.Notification (much less preauthorization) to theEuropean government is not required. The resultis often a conflict between national laws that putsthe data-holding company in a difficult positionand triggers calls for the localization of data storageand routing. The central question here is how toharmonize the laws from different countries thatgovern the legitimate interception or retrievalof data associated with a particular end user,originating from a particular location, regardinga national or transnational law enforcement
investigation.
The second problem is in some ways the reverse ofthe first. EU law enforcement authorities seekingaccess to the data held by U.S. firms (on servers inthe United States) must proceed through MLATs(Mutual Legal Assistance Treaties). These require aprocess of coordination with U.S. law enforcementto reach the data-holding company. The critique
16 In this section, we are explicitly excluding the governance ofsignals intelligence (SIGINT) collection from this recommenda-tion. This not because the problem does not apply to SIGINT.However, intelligence agencies are governed by different legalregimes in this respect. And we conclude nations are unlikelyin the near term to reach bilateral or multilateral agreementon transparent standards for data privacy restrictions appliedto extraterritorial access to data by intelligence services. Bycontrast, law enforcement cooperation has a clear precedent.However, we strongly encourage the United States and Germany(and other nations) to discuss a similar type of agreement withrespect to SIGINT through appropriate channels.
of this system is that it is far too slow andoverwhelmed by the quantity of requests. This leadto pressure for data localization and a short circuitof the MLAT process by companies that in theoryshould require an MLAT proceeding (because datais stored abroad) but in practice do not. Substantialreforms to the MLAT process — or its replacement— will be required to resolve the problem.
The rules governing national law enforcementagencies’ access to the data of foreign citizensrequire urgent reform. Both government and
businesses need a clear framework for how tohandle requests for legitimate access to user data.And citizens deserve to know how and whenthe law is applied. The following questions areat the center of the reform effort. What are thecircumstances under which transnational data isdetermined to be subject to the national law ofone country versus another? What laws apply todata that is stored outside of the jurisdiction ofgovernments that seek access to it? When and howshould law enforcement agencies be permitted toaccess the data of foreigners? What are the criteria
deemed legitimate to grant that access?
The problem is a fundamental one for U.S.-EU economic relations. Firms on both sidesof the Atlantic routinely share data withincorporate subsidiaries, to vendors, suppliers, andcustomers. Moreover, in modern cloud computingarchitectures, data may not be exclusively storedin one location — but rather in many locations.For many companies, it is no longer accurate orrelevant to discuss a single location for particulardata as the trigger for engagement of a specific
national legal regime. As these technologiesdevelop further, it will become more and moreurgent to define a common legal regime betweencountries. Otherwise, we should expect to see thenationalization of cloud infrastructures to optimizefor security interests at the expense of technical
E A D
3
-
8/20/2019 Transatlantic Digital Dialogue: Rebuilding Trust through Cooperative Reform
13/22
T D D 11
innovation, commercial efficiency, and the freeflow of information.
To avoid this balkanization of the Internetinfrastructure, nations will require a functional setof standards to govern extra-territorial access todata. We find that the EU has an existing systemof law enforcement coordination that — whileimperfect and in need of improvement— couldserve as a baseline for transatlantic reform. Inaddition, the Budapest Convention on Cybercrimeoffers a decade of cooperation in related practices.
Furthermore, the recently signed “UmbrellaAgreement” — setting the terms for US and EUlaw enforcement data exchanges — offers anotheravenue to develop constructive, harmonizingreforms.17 However, there remains much work tobe done.
Discussion
We are now experiencing an international legal,commercial, and moral dispute over whether andhow global IT companies must respond to the legalrequests from one government for data stored in
an international location and/or belonging to aninternational customer. The debate has two keyelements — 1) clarity/legitimacy in the laws thatapply; and 2) effective procedure for the transparentimplementation and enforcement of the law.
The problem of legitimacy in the laws that apply toextraterritorial data access begins with asymmetryin the global digital market of data storageand processing. The simple fact is that a smallnumber of American companies control a vastlydisproportionate quantity of global data than any
other nation. As a result, the U.S. government has
17 European Commission. 2015. “Agreement between TheUnited States of America and The European Union on theprotection of personal information relating to the prevention,investigation, detection, and prosecution of criminal offenses.”http://ec.europa.eu/justice/data-protection/files/dp-umbrella-agreement_en.pdf
access to much of this data through lawful courtorders issued to these U.S. companies. U.S. courtshave also held that US companies are compelled toprovide data to law enforcement even if it is storedabroad, provided they have technical access to it.This requirement holds irrespective of whetherdoing so violates the law of the country in whichthe data is stored and absent any notification ofthe foreign law enforcement authorities. (Thisinterpretation of the law is currently beingchallenged.18 And some argue that companiescan evade this requirement by structuring foreign
operations as independent subsidiaries.19) Thisasymmetric access of U.S. law enforcement to thedata of foreigners is seen by other countries as achallenge to their sovereignty and a violation ofdomestic law. They have no role in the compulsionof data that belongs to their own citizens; they haveno influence over the criteria used to judge the lawenforcement purpose for the data request; and theyhave no recourse in U.S. courts.
The implications of these circumstances wereamplified in the public eye by the Snowden
disclosures. The consequent debate fueled apush to reach an agreement — at least on the lawenforcement issues, if not the intelligence agencies— between the EU and the United States to settlesome of the issues involved. The result was theso-called Umbrella Agreement. This agreementoffers a new baseline of transatlantic rules andexpectations for law enforcement access to data.However, it only applies standards of privacy
18 This interpretation of the law is currently being challengedby Microsoft in a high profile case in the United States Courtof Appeals for the Second Circuit, see: Alex Ely. 2015. “Second
Circuit Oral Argument in the Microsoft-Ireland Case: An Over- view.” Lawfare. https://www.lawfareblog.com/second-circuit-oral-argument-microsoft-ireland-case-overview
19 For an interesting analysis of this question of separatelegal entities, see: Orin Kerr. 2015. “Does it matter who winsthe Microsoft Ireland warrant case?” The Washington Post. https://www.washingtonpost.com/news/volokh-conspiracy/wp/2015/07/23/does-it-matter-who-wins-the-microsoft-ireland-warrant-case/
The debate over
access to data held
by companies has
two key elements:
clarity/legitimacy in
the laws that apply
and effective procefor the transparent
implementation an
enforcement of the
http://ec.europa.eu/justice/data-protection/files/dp-umbrella-agreement_en.pdfhttp://ec.europa.eu/justice/data-protection/files/dp-umbrella-agreement_en.pdfhttps://www.lawfareblog.com/second-circuit-oral-argument-microsoft-ireland-case-overviewhttps://www.lawfareblog.com/second-circuit-oral-argument-microsoft-ireland-case-overviewhttps://www.washingtonpost.com/news/volokh-conspiracy/wp/2015/07/23/does-it-matter-who-wins-the-microsoft-ireland-warrant-case/https://www.washingtonpost.com/news/volokh-conspiracy/wp/2015/07/23/does-it-matter-who-wins-the-microsoft-ireland-warrant-case/https://www.washingtonpost.com/news/volokh-conspiracy/wp/2015/07/23/does-it-matter-who-wins-the-microsoft-ireland-warrant-case/https://www.washingtonpost.com/news/volokh-conspiracy/wp/2015/07/23/does-it-matter-who-wins-the-microsoft-ireland-warrant-case/https://www.washingtonpost.com/news/volokh-conspiracy/wp/2015/07/23/does-it-matter-who-wins-the-microsoft-ireland-warrant-case/https://www.washingtonpost.com/news/volokh-conspiracy/wp/2015/07/23/does-it-matter-who-wins-the-microsoft-ireland-warrant-case/https://www.lawfareblog.com/second-circuit-oral-argument-microsoft-ireland-case-overviewhttps://www.lawfareblog.com/second-circuit-oral-argument-microsoft-ireland-case-overviewhttp://ec.europa.eu/justice/data-protection/files/dp-umbrella-agreement_en.pdfhttp://ec.europa.eu/justice/data-protection/files/dp-umbrella-agreement_en.pdf
-
8/20/2019 Transatlantic Digital Dialogue: Rebuilding Trust through Cooperative Reform
14/22
T G M F U S12
protection to data exchanged between U.S. andEU law enforcement authorities; and it does notfocus on the reach of U.S. warrants to foreign data
via U.S. companies. Further, recent legal analysesof the Umbrella Agreement have presented astrong critique that the new rules do not meetEU standards of data protection.20 The need toaddress this gap has been highlighted by the recentEuropean Court of Justice decision that effectivelyinvalidates the Safe Harbor agreement governingcommercial data exchange with the United States.The ruling emphasizes that data transfers between
the EU and the US can only occur if U.S. law meetsthe EU standards of protection of fundamentalrights.
To be clear, the violations of rights cited by theCourt involve a mix of laws and practices in theUnited States that the judges found insufficient.These include both law enforcement access to dataand surveillance by national security agencies.We expect that the issues of law enforcement andintelligence agency data collection will be addressedseparately. However, a common framework for
law enforcement access to data (governing dataexchanged between agencies as well as foreign dataacquired via a domestic company) would constitutea significant step forward. We do not underestimatethe significance of the challenge to achieve evenmodest progress. According to a recent legalanalysis prepared for the European Parliament,even if the U.S. government were to give Europeansthe privacy protections granted to US citizens, thesewould still be insufficient to meet EU standards.21
20 Douwe Korff. 2015. “EU-US Umbrella Data Protection
Agreement : Detailed analysis by Douwe Korff.” European Areaof Freedom Security & Justice http://free-group.eu/2015/10/14/eu-us-umbrella-data-protection-agreement-detailed-analysis-by-douwe-korff/
21 Franziska Boehm. 2015. A Comparison Betwen US and EUData Protection Legislation for Law Enforcement , Preparedfor the LIBE Committee, European Parliament, http://www.europarl.europa.eu/RegData/etudes/STUD/2015/536459/IPOL_STU(2015)536459_EN.pdf
Harmonizing transatlantic data protection rulesis a complex enterprise because it involves theinteraction of laws that apply to commercialentities, law enforcement agencies, and intelligenceservices. The system established by the U.S. andEU for commercial data protection rules — SafeHarbor — essentially came undone before theCourt because of the methods of U.S. governmentaccess to commercial data. Under Safe Harbor, U.S.companies that do business in the EU can transferdata of European citizens to the U.S. for storage andprocessing, if they certify compliance with the Safe
Harbor agreement. The Safe Harbor rules catalogthe measures of privacy and security protectionthat must be provided for commercial data in theU.S. in order to meet EU standards. However, theSafe Harbor framework grants primacy for nationalsecurity, public interest, or law enforcementrequirements over the Safe Harbor principles. TheCourt of Justice of the EU ruled that such generalexemptions are invalid as they provide no adequateprotection of the fundamental rights of EU citizensfrom the U.S. government.
At the center of the Court’s arguments aboutthe violation of European rights are surveillancepractices (revealed in the Snowden documents)conducted by U.S. national security agencies forintelligence collection purposes. However, theCourt also cites problems with the rules governinglaw enforcement access to data. Though related,of course, these can be treated as separatelyaddressable problems. For the purposes of therecommendations in this paper, we will set asidethe SIGINT issues — even as we recognize theirimportance — and focus on the rules governing law
enforcement access. With regard to the operationof their intelligence agencies, it seems questionablewhether all members of the EU would meet thestandards laid out by the Court with respect toother member states. A comprehensive resolutionof the problem would require a multilateral
Harmonizing
transatlantic data
protection rules is a
complex enterprise
because it involves
the interaction of
laws that apply toommercial entities, law
enforcement agencies,
and intelligence
services. The system
established by the U.S.
and EU for commercial
data protection
rules — Safe Harbor
— essentially came
done before the Court
ecause of the methodsof U.S. government
access to commercial
data.
http://free-group.eu/2015/10/14/eu-us-umbrella-data-protection-agreement-detailed-analysis-by-douwe-korff/http://free-group.eu/2015/10/14/eu-us-umbrella-data-protection-agreement-detailed-analysis-by-douwe-korff/http://free-group.eu/2015/10/14/eu-us-umbrella-data-protection-agreement-detailed-analysis-by-douwe-korff/http://www.europarl.europa.eu/RegData/etudes/STUD/2015/536459/IPOL_STU(2015)536459_EN.pdfhttp://www.europarl.europa.eu/RegData/etudes/STUD/2015/536459/IPOL_STU(2015)536459_EN.pdfhttp://www.europarl.europa.eu/RegData/etudes/STUD/2015/536459/IPOL_STU(2015)536459_EN.pdfhttp://www.europarl.europa.eu/RegData/etudes/STUD/2015/536459/IPOL_STU(2015)536459_EN.pdfhttp://www.europarl.europa.eu/RegData/etudes/STUD/2015/536459/IPOL_STU(2015)536459_EN.pdfhttp://www.europarl.europa.eu/RegData/etudes/STUD/2015/536459/IPOL_STU(2015)536459_EN.pdfhttp://free-group.eu/2015/10/14/eu-us-umbrella-data-protection-agreement-detailed-analysis-by-douwe-korff/http://free-group.eu/2015/10/14/eu-us-umbrella-data-protection-agreement-detailed-analysis-by-douwe-korff/http://free-group.eu/2015/10/14/eu-us-umbrella-data-protection-agreement-detailed-analysis-by-douwe-korff/
-
8/20/2019 Transatlantic Digital Dialogue: Rebuilding Trust through Cooperative Reform
15/22
T D D 13
agreement on rules for data collection andprocessing for national security purposes. Such anagreement requiring changes to domestic securitypolicy does not seem feasible in the short term.However, a starting point would be the rules of theroad governing extraterritorial access to data andthe coordination of international law enforcement.
When it comes to the process of internationallaw enforcement coordination, there is a longhistory with respect to accessing internationalcommunications data as a part of an investigation.
In the telephone era, law enforcement data requestswith targets outside the legal jurisdiction of anation were coordinated through Mutual LegalAssistance Treaties (MLATs). In the Internet era,technology has changed faster than the law. Thescale of data requests by law enforcement hasexpanded dramatically, and the traditional MLATprocess is easily overwhelmed. These channelstend to be slow, intransparent, and cumbersomefor all parties involved. In their current form,MLAT procedures are no longer viable instrumentsto coordinate law enforcement across borders.
However, the function they were designed to serveis perhaps more relevant than ever before. And ifit were reformed into an effective regime for lawenforcement coordination, such a solution couldhelp solve for the problem of extraterritorial accessto data in this context by establishing commonrules.
Recommendations
The objective of government engagement on theseissues should be to establish a path to resolve at abilateral (and ultimately multilateral) level how lawenforcement requests for extraterritorial privatesector data should be treated under the law. Asuccessful transatlantic solution could establish acommon policy to address these underlying issues.
Governments must coordinate and set commonpolicies to determine how the law applies
in circumstances with conflicting laws. Thealternative (currently the status quo) is placingprivate sector companies in the position to decidefor themselves which laws to honor and whichto violate. This is poor policy, undemocratic, andunsustainable. This conflict should not be left toIT companies to adjudicate. Instead, it needs to beaddressed and resolved on an inter-governmentallevel to restore legitimacy and trust. In part, thisproblem must be solved through coordination and
notification among governments. But, it will likelyalso require a harmonization of national standardsand criteria for when law enforcement access todata is deemed legitimate under the law. Oneapproach is represented in the LEADS Act— a billintroduced in the U.S. Senate that would permitU.S. law enforcement to reach content outsidethe United States (with a lawful warrant) only ifthe data is in an account held by a “U.S. person”(defined as a U.S. citizen or permanent resident).22 If the account is held by a non-US person, the USlaw enforcement agency would have to comply with
the laws of the country where the data resides viaan MLAT (the bill also provides for streamliningthat procedure from the US side). There are verylegitimate concerns about the bill, and it will likelyundergo significant change if and when it movesthrough the Congress.23 However, its introductionhighlights support for a solution in Washingtonfrom a bipartisan group of lawmakers and a host ofbusiness and civil society interests.24
22 Law Enforcement Access to Data Stored Abroad Act. S.512.https://www.congress.gov/bill/114th-congress/senate-bill/512
23 See, for example: Greg Nojeim. 2014. “LEADS Act ExtendsImportant Privacy Protections, Raises Concerns.” Center forDemocracy and Technology. https://cdt.org/blog/leads-act-extends-important-privacy-protections-raises-concerns/
24 Grant Gross. 2015. “Lawmakers introduce two bills to protectemail privacy.” Computerworld. http://www.computerworld.com/article/2884018/lawmakers-introduce-two-bills-to-protect-email-privacy.html
In the Internet era,
technology has cha
faster than the law
scale of data reque
by law enforcemen
expanded dramatic
and the traditionalMutual Legal Assis
Treaties process is
easily overwhelmed
These channels ten
be slow, intranspar
and cumbersome f
parties involved.
https://www.congress.gov/bill/114th-congress/senate-bill/512https://cdt.org/blog/leads-act-extends-important-privacy-protections-raises-concerns/https://cdt.org/blog/leads-act-extends-important-privacy-protections-raises-concerns/http://www.computerworld.com/article/2884018/lawmakers-introduce-two-bills-to-protect-email-privacy.htmlhttp://www.computerworld.com/article/2884018/lawmakers-introduce-two-bills-to-protect-email-privacy.htmlhttp://www.computerworld.com/article/2884018/lawmakers-introduce-two-bills-to-protect-email-privacy.htmlhttp://www.computerworld.com/article/2884018/lawmakers-introduce-two-bills-to-protect-email-privacy.htmlhttp://www.computerworld.com/article/2884018/lawmakers-introduce-two-bills-to-protect-email-privacy.htmlhttp://www.computerworld.com/article/2884018/lawmakers-introduce-two-bills-to-protect-email-privacy.htmlhttps://cdt.org/blog/leads-act-extends-important-privacy-protections-raises-concerns/https://cdt.org/blog/leads-act-extends-important-privacy-protections-raises-concerns/https://www.congress.gov/bill/114th-congress/senate-bill/512
-
8/20/2019 Transatlantic Digital Dialogue: Rebuilding Trust through Cooperative Reform
16/22
T G M F U S14
Governments must coordinate on amodernization (or the replacement) of MLATs.An obvious starting point is the current systemthat exists among EU countries. Currently,law enforcement agencies across the EU are(relatively) efficiently coordinated when it comesto extraterritorial data access. This is donethrough different mechanisms, including theEuropean Judicial Network, which establishespoints of contact for law enforcement that facilitateinvestigation and prosecution of criminal activitiesacross the member states.25 Another important
institution is Eurojust — which actively coordinatesthe exchange of information between memberstate law enforcement systems.26 Eurojust alreadycoordinates with the United States, and this systemshould be examined for ways in which the existingcooperation might be extended between theUnited States and the European Union to addressmore specifically the data access and privacyissues. The goal should be accelerating the processof legitimate data request and retrieval acrossborders while maintaining common standardsof privacy protection. The Budapest Convention
on Cybercrime offers another model of existingcooperative agreement to examine and build upon.
Governments should build on the U.S.-EU
“Umbrella Agreement” for the protection of data
shared between EU and US law enforcement
agencies. This agreement — completed inSeptember 2015 — establishes rules of the roadfor how law enforcement agencies will handledata transferred to them during the course ofa transatlantic criminal investigation.27 Theserules include limits on how the data may be used,
25 European Judicial Network (EJN). http://www.ejn-crimjust.europa.eu/ejn/EJN_StaticPage.aspx?Bread=2#
26 History of Eurojust. http://www.eurojust.europa.eu/about/background/Pages/History.aspx
27 European Commission. 2015. “Questions and Answers on theEU-US data protection ‘Umbrella agreement’.” http://europa.eu/rapid/press-release_MEMO-15-5612_en.htm
restrictions on data transfer and retention, rights toaccess/verify/correct data, notification of securitybreaches, and judicial redress for citizens of theEU in U.S.courts if data is mishandled. This rightof legal redress already exists for U.S. citizens inEU courts. In order for EU citizens to enjoy thisright in U.S. courts, Congress must pass legislationknown as the Judicial Redress Act.28 This billremains pending in the U.S. Senate (after passage inthe House of Representatives); it has the support ofboth business and civil society stakeholders.29
Taken together, these recommendations (either atthe bilateral or multilateral level) would establisha set of mutually granted privacy rights amongnations, offer certainty to both companies andconsumers in the market, and set clear rules andexpectations among law enforcement agenciesabout which laws apply in different circumstances.As a concluding note, we emphasize here that thisanalysis and recommendations deal only withthe question of law enforcement access to data,rather than intelligence agencies. But that does notmean that such reforms would be irrelevant for
signals intelligence. With policy changes vis-a- vis law enforcement, we are resetting norms andexpectations across a sector of security servicesthat will alter practices that have carry-over effectsto intelligence agencies over time. Further, westrongly encourage governments to have bilateralreform efforts along similar lines to deal withextraterritorial data access outside of the lawenforcement context.
28
Judicial Redress Act. H.R.1428. https://www.congress.gov/bill/114th-congress/house-bill/1428
29 Open letter from the Information Technology IndustryCouncil to the Judiciary Committee in support of the JudicialRedress Act. http://www.itic.org/dotAsset/d/6/d6445b59-2508-45ab-a4ba-6d731bb53b39.pdf ; Sarah St. Vincent. 2014. “PrivacyAct Reforms Would Promote US Respect for Human Rights.”Center for Democracy & Technology. https://cdt.org/blog/privacyact-reforms-would-promote-us-respect-for-human-rights/
http://www.ejn-crimjust.europa.eu/ejn/EJN_StaticPage.aspx?Bread=2http://www.ejn-crimjust.europa.eu/ejn/EJN_StaticPage.aspx?Bread=2http://www.eurojust.europa.eu/about/background/Pages/History.aspxhttp://www.eurojust.europa.eu/about/background/Pages/History.aspxhttp://europa.eu/rapid/press-release_MEMO-15-5612_en.htmhttp://europa.eu/rapid/press-release_MEMO-15-5612_en.htmhttps://www.congress.gov/bill/114th-congress/house-bill/1428https://www.congress.gov/bill/114th-congress/house-bill/1428http://www.itic.org/dotAsset/d/6/d6445b59-2508-45ab-a4ba-6d731bb53b39.pdfhttp://www.itic.org/dotAsset/d/6/d6445b59-2508-45ab-a4ba-6d731bb53b39.pdfhttps://cdt.org/blog/privacy-act-reforms-would-promote-us-respect-for-human-rights/https://cdt.org/blog/privacy-act-reforms-would-promote-us-respect-for-human-rights/https://cdt.org/blog/privacy-act-reforms-would-promote-us-respect-for-human-rights/https://cdt.org/blog/privacy-act-reforms-would-promote-us-respect-for-human-rights/http://www.itic.org/dotAsset/d/6/d6445b59-2508-45ab-a4ba-6d731bb53b39.pdfhttp://www.itic.org/dotAsset/d/6/d6445b59-2508-45ab-a4ba-6d731bb53b39.pdfhttps://www.congress.gov/bill/114th-congress/house-bill/1428https://www.congress.gov/bill/114th-congress/house-bill/1428http://europa.eu/rapid/press-release_MEMO-15-5612_en.htmhttp://europa.eu/rapid/press-release_MEMO-15-5612_en.htmhttp://www.eurojust.europa.eu/about/background/Pages/History.aspxhttp://www.eurojust.europa.eu/about/background/Pages/History.aspxhttp://www.ejn-crimjust.europa.eu/ejn/EJN_StaticPage.aspx?Bread=2http://www.ejn-crimjust.europa.eu/ejn/EJN_StaticPage.aspx?Bread=2
-
8/20/2019 Transatlantic Digital Dialogue: Rebuilding Trust through Cooperative Reform
17/22
T D D 15
If the encryption de
concludes with a
transatlantic alignm
around strong
encryption and sec
communications, th
cryptographic standand implementatio
could become a
plank in a platform
of cooperation on
cybersecurity.
Summary
Germany and the United States shouldconduct bilateral engagement on twosets of related cyber-security issues: 1)
common policies of cooperative cyber-securityfor critical infrastructure; and 2) the dilemmaof strong encryption. Recent intrusions into thenetworks of the Office of Personnel Management30 in Washington and the servers of the GermanParliament31 have re-emphasized the vulnerabilityof sensitive data and communications for bothgovernments. In the private sector, the estimated
losses of cyber-espionage is measured in the billionsof dollars/euros per year.32
Meanwhile in the United States, the strongencryption technologies that could prove the bestprotection for sensitive data in our informationsystems are the focus of a dispute between lawenforcement,33 technology companies, and otherparts of the government.34 Technologists arguethat strong cryptography is crucial to protectcommunications from digital assailants withincreasing sophistication. However, widespread
30 Kim Zetter. 2015. “The Massive OPM Hack Actually Hit 21Million People.” Wired. http://www.wired.com/2015/07/massive-opm-hack-actually-affected-25-million/
31 Anton Troianovski. 2015. “German Parliament Strugglesto Purge Hackers From Computer Network.” The Wall Street
Journal. http://www.wsj.com/articles/german-parliament-strug-gles-to-purge-hackers-from-computer-network-1434127532
32 Ellen Nakashima and Andrea Peterson. 2014. “Report:Cybercrime and espionage costs $445 billion annually.” TheWashington Post. https://www.washingtonpost.com/world/national-security/report-cybercrime-and-espionage-costs-445-billion-annually/2014/06/08/8995291c-ecce-11e3-9f5c-9075d5508f0a_story.html
33 Cyrus R. Vance Jr. et al. 2015. “When Phone EncryptionBlocks Justice.” The New York Times. http://www.nytimes.com/2015/08/12/opinion/apple-google-when-phone-encryp-tion-blocks-justice.html?_r=2
34 Terrell McSweeny. 2015. “Worried About Your Data Security?How Encryption Can Help Protect Your Personal Informa-tion.” Huffington Post. http://www.huffingtonpost.com/terrell-mcsweeny/worried-about-your-data-s_b_8083756.html
implementation of strong encryption effectivelylimits some forms of legitimate law enforcementaccess to data. Governments must decide howto maximize the economic and security benefitsof encryption while managing competing lawenforcement priorities. Recently, after deliberation,the Obama administration announced it wouldnot seek legislation to mandate backdoor accessto communications technologies with strongencryption.35 This indicates de-escalation of thisdebate and a move toward common ground withGermany — which has long argued for strong
encryption without mandatory backdoors.
If the encryption debate concludes with atransatlantic alignment around strong encryptionand secure communications, these cr yptographicstandards and implementations could becomea plank in a platform of cooperation on cyber-security. Security policy is ultimately a nationalconcern, but building resilient defenses againstglobal threats is a mutual interest and could be aconstructive arena for reestablishing trust. In thiscontext, the United States brings to the table strong
capabilities in Information Assurance that wouldbenefit European partners. Meanwhile, the Germangovernment’s policy commitment to strongencryption is exemplary and the global credibilityof German data security could lay the groundworkfor new standards that benefit all participatingcountries.
Discussion
The debates over global surveillance in the lasttwo years have driven two important trends incyber-security — a political focus on so-called“technological sovereignty” in cyber-security policyand an increase in the commercial deployment
35 Nicole Perlroth and David Sanger, 2015. “Obama Won’t SeekAccess to Encrypted User Data,.”The New York Times.http://www.nytimes.com/2015/10/11/us/politics/obama-wont-seek-access-to-encrypted-user-data.html
4C-S C
S E
http://www.wired.com/2015/07/massive-opm-hack-actually-affected-25-million/http://www.wired.com/2015/07/massive-opm-hack-actually-affected-25-million/http://www.wsj.com/articles/german-parliament-struggles-to-purge-hackers-from-computer-network-1434127532http://www.wsj.com/articles/german-parliament-struggles-to-purge-hackers-from-computer-network-1434127532https://www.washingtonpost.com/world/national-security/report-cybercrime-and-espionage-costs-445-billion-annually/2014/06/08/8995291c-ecce-11e3-9f5c-9075d5508f0a_story.htmlhttps://www.washingtonpost.com/world/national-security/report-cybercrime-and-espionage-costs-445-billion-annually/2014/06/08/8995291c-ecce-11e3-9f5c-9075d5508f0a_story.htmlhttps://www.washingtonpost.com/world/national-security/report-cybercrime-and-espionage-costs-445-billion-annually/2014/06/08/8995291c-ecce-11e3-9f5c-9075d5508f0a_story.htmlhttps://www.washingtonpost.com/world/national-security/report-cybercrime-and-espionage-costs-445-billion-annually/2014/06/08/8995291c-ecce-11e3-9f5c-9075d5508f0a_story.htmlhttp://www.nytimes.com/2015/08/12/opinion/apple-google-when-phone-encryption-blocks-justice.html?_r=2http://www.nytimes.com/2015/08/12/opinion/apple-google-when-phone-encryption-blocks-justice.html?_r=2http://www.nytimes.com/2015/08/12/opinion/apple-google-when-phone-encryption-blocks-justice.html?_r=2http://www.huffingtonpost.com/terrell-mcsweeny/worried-about-your-data-s_b_8083756.htmlhttp://www.huffingtonpost.com/terrell-mcsweeny/worried-about-your-data-s_b_8083756.htmlhttp://www.nytimes.com/2015/10/11/us/politics/obama-wont-seek-access-to-encrypted-user-data.htmlhttp://www.nytimes.com/2015/10/11/us/politics/obama-wont-seek-access-to-encrypted-user-data.htmlhttp://www.nytimes.com/2015/10/11/us/politics/obama-wont-seek-access-to-encrypted-user-data.htmlhttp://www.nytimes.com/2015/10/11/us/politics/obama-wont-seek-access-to-encrypted-user-data.htmlhttp://www.huffingtonpost.com/terrell-mcsweeny/worried-about-your-data-s_b_8083756.htmlhttp://www.huffingtonpost.com/terrell-mcsweeny/worried-about-your-data-s_b_8083756.htmlhttp://www.nytimes.com/2015/08/12/opinion/apple-google-when-phone-encryption-blocks-justice.html?_r=2http://www.nytimes.com/2015/08/12/opinion/apple-google-when-phone-encryption-blocks-justice.html?_r=2http://www.nytimes.com/2015/08/12/opinion/apple-google-when-phone-encryption-blocks-justice.html?_r=2https://www.washingtonpost.com/world/national-security/report-cybercrime-and-espionage-costs-445-billion-annually/2014/06/08/8995291c-ecce-11e3-9f5c-9075d5508f0a_story.htmlhttps://www.washingtonpost.com/world/national-security/report-cybercrime-and-espionage-costs-445-billion-annually/2014/06/08/8995291c-ecce-11e3-9f5c-9075d5508f0a_story.htmlhttps://www.washingtonpost.com/world/national-security/report-cybercrime-and-espionage-costs-445-billion-annually/2014/06/08/8995291c-ecce-11e3-9f5c-9075d5508f0a_story.htmlhttps://www.washingtonpost.com/world/national-security/report-cybercrime-and-espionage-costs-445-billion-annually/2014/06/08/8995291c-ecce-11e3-9f5c-9075d5508f0a_story.htmlhttp://www.wsj.com/articles/german-parliament-struggles-to-purge-hackers-from-computer-network-1434127532http://www.wsj.com/articles/german-parliament-struggles-to-purge-hackers-from-computer-network-1434127532http://www.wired.com/2015/07/massive-opm-hack-actually-affected-25-million/http://www.wired.com/2015/07/massive-opm-hack-actually-affected-25-million/
-
8/20/2019 Transatlantic Digital Dialogue: Rebuilding Trust through Cooperative Reform
18/22
T G M F U S16
of strong encryption technologies. The first ofthese trends has been especially prominent inGermany where outrage over the transgressions ofallied intelligence services and foreign companiesdrives a new focus on national-level solutions.Meanwhile, the question of sovereignty in cyber-security policy is not a prominent debate in theUnited States. The second trend, however, has beencentral in the U.S. debate as major Silicon Valleyfirms (e.g. Apple and Facebook) have implementedstrong encryption on popular services as a meansto restore confidence with customers that data is
secure. By contrast, in Germany, a commitment tounbreakable encryption is the stated position of thegovernment (although concerns have been raised athigh levels).36 Moreover, the German cyber-securityagency (BSI) has issued recommendations onpersonal communications and strong encryption.37 While most implementations of encryption leavemetadata open for intercept, the increase in securityprovided by increased use of these technologieswould be substantial.
If governments join together in a common embrace
of encryption policy for data security (coupled witha commitment to expanding other methods of lawenforcement), this policy could release some of thepressure to create nationalized regimes of security(i.e. technological sovereignty) by establishing abasis of trusted computing on mathematics ratherthan on nationality (e.g. sourcing hardware andsoftware exclusively from domestic providers). Arobust agreement on technical standards couldfacilitate greater cooperation in conventionalcyber-security policies such as threat intelligencesharing, resilience in critical infrastructure,
mutual protection against industrial espionage,
36 Deutscher Bundestag. 2015. Drucksache 18/5144. http://dip.bundestag.de/btd/18/051/1805144.pdf
37 Bundesamt für Sicherheit in der Informationstechnik. 2015.“Wie verschlüsselt kommunizieren.” https://www.bsi-fuer-buerger.de/BSIFB/DE/SicherheitImNetz/Verschluesseltkommu-nizieren/Einsatzbereiche/einsatzbereiche.html
and stability through norms and codes of conduct.Differentiated national level defensive strategies wilalways be a priority for both countries (includingagainst one another’s cyber capabilities), but a farhigher security policy concern for both nations isthe common threat they face from hostile actors.
Recommendation
Acknowledging the needs of citizens, firms,and governments to communicate securely, wefocus on strong encryption solutions as a tenetof a cyber-security strategy and a basis for a
cooperative cyber-security policy. Recognizing thatthe dilemma of encryption and law enforcementaccess does not have a technical solution, theclear path forward is to embrace the technology.This is not to dismiss the central challenges andgrave threats faced by law enforcement agencies,but it does mean that increasing the capacityof security agencies will require other methodsbeyond communications intercept. While nationalgovernments could mandate that companiesprovide keys for legitimate law enforcementinquiries (and some are considering this),it appearsunlikely that the genie will return to the bottlebecause so many products are already availablein the market.38 Moreover, if one governmentmandates a backdoor to digital services, allgovernments are likely to do so — placingtechnology service providers on untenable legal andmoral ground.39 And finally, the near-consensus
view of cryptography experts is that vulnerabilitiescreated for law enforcement access will ultimately
38
David Kravtes. 2015. “U.K. prime minister wants backdoorsinto messaging apps or he’ll ban them.” ars technica. http://arstechnica.com/tech-policy/2015/01/uk-prime-minister-wants-backdoors-into-messaging-apps-or-hell-ban-them/
39 Kevin Bankston. 2015. “Hearing on ‘Encryption Tech-nology and Possible U.S. Policy Responses’..”US CongressIT-Subcommittee. http://oversight.house.gov/wp-content/uploads/2015/04/4-29-2015-IT-Subcommittee-Hearing-on-Encryption-Bankston.pdf
We focus on strong
encryption solutions
as a tenet of a cyber-
security strategy and a
basis for a cooperative
cyber-security policy.
Recognizing that thedilemma of encryption
and law enforcement
ccess does not have a
technical solution, the
clear path forward is to
mbrace the technology.
http://dip.bundestag.de/btd/18/051/1805144.pdfhttp://dip.bundestag.de/btd/18/051/1805144.pdfhttps://www.bsi-fuer-buerger.de/BSIFB/DE/SicherheitImNetz/Verschluesseltkommunizieren/Einsatzbereiche/einsatzbereiche.htmlhttps://www.bsi-fuer-buerger.de/BSIFB/DE/SicherheitImNetz/Verschluesseltkommunizieren/Einsatzbereiche/einsatzbereiche.htmlhttps://www.bsi-fuer-buerger.de/BSIFB/DE/SicherheitImNetz/Verschluesseltkommunizieren/Einsatzbereiche/einsatzbereiche.htmlhttp://arstechnica.com/tech-policy/2015/01/uk-prime-minister-wants-backdoors-into-messaging-apps-or-hell-ban-them/http://arstechnica.com/tech-policy/2015/01/uk-prime-minister-wants-backdoors-into-messaging-apps-or-hell-ban-them/http://arstechnica.com/tech-policy/2015/01/uk-prime-minister-wants-backdoors-into-messaging-apps-or-hell-ban-them/http://oversight.house.gov/wp-content/uploads/2015/04/4-29-2015-IT-Subcommittee-Hearing-on-Encryption-Bankston.pdfhttp://oversight.house.gov/wp-content/uploads/2015/04/4-29-2015-IT-Subcommittee-Hearing-on-Encryption-Bankston.pdfhttp://oversight.house.gov/wp-content/uploads/2015/04/4-29-2015-IT-Subcommittee-Hearing-on-Encryption-Bankston.pdfhttp://oversight.house.gov/wp-content/uploads/2015/04/4-29-2015-IT-Subcommittee-Hearing-on-Encryption-Bankston.pdfhttp://oversight.house.gov/wp-content/uploads/2015/04/4-29-2015-IT-Subcommittee-Hearing-on-Encryption-Bankston.pdfhttp://oversight.house.gov/wp-content/uploads/2015/04/4-29-2015-IT-Subcommittee-Hearing-on-Encryption-Bankston.pdfhttp://arstechnica.com/tech-policy/2015/01/uk-prime-minister-wants-backdoors-into-messaging-apps-or-hell-ban-them/http://arstechnica.com/tech-policy/2015/01/uk-prime-minister-wants-backdoors-into-messaging-apps-or-hell-ban-them/http://arstechnica.com/tech-policy/2015/01/uk-prime-minister-wants-backdoors-into-messaging-apps-or-hell-ban-them/https://www.bsi-fuer-buerger.de/BSIFB/DE/SicherheitImNetz/Verschluesseltkommunizieren/Einsatzbereiche/einsatzbereiche.htmlhttps://www.bsi-fuer-buerger.de/BSIFB/DE/SicherheitImNetz/Verschluesseltkommunizieren/Einsatzbereiche/einsatzbereiche.htmlhttps://www.bsi-fuer-buerger.de/BSIFB/DE/SicherheitImNetz/Verschluesseltkommunizieren/Einsatzbereiche/einsatzbereiche.htmlhttp://dip.bundestag.de/btd/18/051/1805144.pdfhttp://dip.bundestag.de/btd/18/051/1805144.pdf
-
8/20/2019 Transatlantic Digital Dialogue: Rebuilding Trust through Cooperative Reform
19/22
T D D 17
be exploited by adversaries as well.40
Consequently,we recommend the following steps:
First, rather than arguing for “master key”government access to encrypted data, the Germanand the U.S. government should explore howthey can strengthen cryptography and thus makeeveryone’s communications more secure —including their own. This should include robustengagement with technology experts to raise thelevel of informed debate and to help policy-makerscoalesce around realistic options.
Second, a unified approach to strong encryption(normative practice, standard setting, andinteroperability) would provide a basis for bothcommon security and economic policy as thesetechnologies will be a central part of the globalcloud computing market. Different regimes ofsecurity standards in the United States and Europewould introduce costs for both sides. Here, theGerman geopolitical brand (backed up by itstechnical track-record) for data privacy suggeststhat Berlin could deliver a strong contribution to amultilateral standard for secure communicationsthat carries global credibility.
Third, for both governments the discussion aboutstrong encryption could provide a jumping offpoint for a broader engagement about cybersecurity cooperation, including:
• Threat Intelligence: Effective mechanisms topromote the transatlantic sharing of criticalinformation about cyber incidents;
• Industrial Espionage: Coordinated protection
against common threats of cyber-attacksagainst private sector targets;
40 Ellen Nakashima. 2015. “Tech giants don’t want Obama togive police access to encrypted phone data.” The WashingtonPost. https://www.washingtonpost.com/world/national-security/tech-giants-urge-obama-to-resist-backdoors-into-encrypted-communications/2015/05/18/11781b4a-fd69-11e4-833c-a2de05b6b2a4_story.html
• Transnational Cybercrime: Coordinatedapproach to updating the Budapest Conventionon Cybercrime to match technologicaldevelopments in the ten years sinceimplementation;
• Critical Infrastructures: Policies and practice toincrease resilient security and thwart attacksmore efficiently through closer cooperation;
• Certification standards: Commoncommitments to building trust in IT-securityproducts through revised security certification
processes;
• Norms: Partnership in promoting internationalcyber norms and codes of conduct to fightcybercrime and cyberespionage;
• Zero-days: Commitments betweengovernments to reject agency stock-piling ofzero-day vulnerabilities (undiscovered securityholes), a practice that only strengthens the
viability of the zero-day black market.
https://www.washingtonpost.com/world/national-security/tech-giants-urge-obama-to-resist-backdoors-into-encrypted-communications/2015/05/18/11781b4a-fd69-11e4-833c-a2de05b6b2a4_story.htmlhttps://www.washingtonpost.com/world/national-security/tech-giants-urge-obama-to-resist-backdoors-into-encrypted-communications/2015/05/18/11781b4a-fd69-11e4-833c-a2de05b6b2a4_story.htmlhttps://www.washingtonpost.com/world/national-security/tech-giants-urge-obama-to-resist-backdoors-into-encrypted-communications/2015/05/18/11781b4a-fd69-11e4-833c-a2de05b6b2a4_story.htmlhttps://www.washingtonpost.com/world/national-security/tech-giants-urge-obama-to-resist-backdoors-into-encrypted-communications/2015/05/18/11781b4a-fd69-11e4-833c-a2de05b6b2a4_story.htmlhttps://www.washingtonpost.com/world/national-security/tech-giants-urge-obama-to-resist-backdoors-into-encrypted-communications/2015/05/18/11781b4a-fd69-11e4-833c-a2de05b6b2a4_story.htmlhttps://www.washingtonpost.com/world/national-security/tech-giants-urge-obama-to-resist-backdoors-into-encrypted-communications/2015/05/18/11781b4a-fd69-11e4-833c-a2de05b6b2a4_story.htmlhttps://www.washingtonpost.com/world/national-security/tech-giants-urge-obama-to-resist-backdoors-into-encrypted-communications/2015/05/18/11781b4a-fd69-11e4-833c-a2de05b6b2a4_story.htmlhttps://www.washingtonpost.com/world/national-security/tech-giants-urge-obama-to-resist-backdoors-into-encrypted-communications/2015/05/18/11781b4a-fd69-11e4-833c-a2de05b6b2a4_story.html
-
8/20/2019 Transatlantic Digital Dialogue: Rebuilding Trust through Cooperative Reform
20/22
T G M F U S18
C
The central conclusion of the TransatlanticDigital Dialogue working group is that thereis broad support in both countries across
the private sector, academic, and civil society fora pragmatic reform agenda. Furthermore, thereform agenda we propose squarely addressesthe economic consequences of the transatlanticdivision while grounding its recommendationsin a rights-based framework. The breadth ofsupport that unites the private and civic sectors ofthe United States and Europe contrasts with thedivision between the governments and indicates the
opportunity for viable political discussions that leadto policy change.
Our major conclusions are organized around threeareas of policy reform — oversight/transparency,extraterritorial data access, and cyber-security.Taken as a whole, we demonstrate that each sidehas something to offer to the other; and each sidehas comparative advantages and disadvantages inthe current state of law and policy with respect tomodernization and reform.
On the issues of oversight and transparency ofsurveillance practices, it is EU states that mayfind useful examples of reform in the U.S. system.Though to be clear, we see substantial work to bedone to modernize the U.S. system as well, even ifit offers a useful starting point. We offer a varietyof steps that both countries could take in parallel— ranging from simple methods of enhancingoversight to comprehe