Privacy, Security & The Geography Of Data Protection

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.darkreading.com/cloud/privacy-security-and-the-geography-of-data-protection-/a/d-id/1315480

When Edward Snowden took center stage last summer exposing the NSA’s
intelligence-gathering practices, he caused a wave that’s still rippling
through the security industry. Snowden put his finger on the industry soft
spot: Why do we protect data? From whom are we trying to prevent intrusion?

Snowden’s revelations and the backlash that followed also illustrate the
dramatic international differences in privacy vs. security values. Working
with customers in both the US and in Europe, I’ve seen firsthand how those
differences impact how security systems are architected. Beginning with
“what is the data being protected?” vs. “how do we keep the bad guys out?”
will lead to two very different security solutions.

While Europe has some of the strictest data privacy protection rules
worldwide, the US security design principle primarily seeks to protect and
prevent attacks toward the system. In Europe, strict rules enforce how
companies can and should disclose and store personal information. From a
national level, governments are pushing for even stronger regulations,
coming together within the European Union to sign a common statute that
outlines privacy practices around the disclosure and storage of personal
information along with remedies for violations and independent government
agencies that provide oversight. Additionally, corporations commonly add an
additional privacy layer by establishing employee councils with the purpose
of safeguarding employee information.

By comparison, US companies are more autonomous in their ability to deal
with the disclosure and storage of personal information. In comparison to
Europe, the US government does little to limit companies from tracking
people across the web and selling their information to third-parties.
Additionally, US companies can decide at their own discretion how much
information they wish to reveal about their data practices. As it would
seem, US companies seek primarily to secure sensitive information with the
intent to protect and prevent attacks toward the system, without as much
regard for the privacy of their customers and employees.

It’s all about culture and history
Data generation is global, so why do different parts of the world react
differently to the same threat of security breaches and backdoors? Part of
the reason is the distinctly different cultural-political heritage between
the US and Europe. While European culture is more conservative and
risk-adverse, the US is more risk-taking and innovative. Some US technology
experts claim that stricter privacy regulations would stifle innovation. As
an individualistic society, the US has mostly left it up to companies to
decide how people’s online data should be handled. By contrast, Europe’s
policies highlight the significance of privacy being safeguarded by the
government.

Historical differences in the US and Europe can help explain the subtle
aspects of their different trust cultures. European countries, specifically
Germany after WWII, became sensitive to secret services spying on their
citizens. As a result, very strict privacy rules have been implemented and
governments and larger organizations must adhere to these standards when
handling any personal data. Whether it is a national census or new
electronic ID cards, Telecom data retention or email marketing databases,
in general Europeans have had strongly held beliefs about individual
privacy rights for a much longer time period than in the US where
government spying has only recently become a public concern.

The controversy around data privacy extends beyond individual companies and
also focuses on how much access the government should have to people’s
private information. The NSA documents that Snowden leaked to the press
revealed how US intelligence agencies routinely demanded access to US
companies’ troves of consumer data.

For example, Microsoft recently lost a ruling against a US court to turn
over a customer’s data stored in a European data center because the data
was judged within reach of US search warrants. This case shows that the US
government believes that it has the right to access US companies’
information, even if that information is stored overseas. What’s at stake
here is the privacy protection of individual data and this ruling is the
perfect manifestation of how European and US privacy laws have come to
clash. The outcome of this and subsequent rulings will have a significant
impact on US cloud service providers doing business internationally.

Schengen Cloud
German Chancellor Angela Merkel is at the forefront of the European Union
which is seeking to fight back against what the EU considers the
overarching reach of US intelligence agencies. Some European countries are
trying to move forward with a data protection policy dubbed the “Schengen
Cloud,” a Europe-only integrated electronic communication network. The idea
behind Schengen Cloud is to give European countries control over its own
networks without the US being a middleman. However, the US has come out
stronglyagainst the proposal, saying that it provides an advantage to
European-based information and communications technology (ICT) providers.

Data privacy differences between the US and Europe have already impacted
business and political relations. Germany recently announced that it will
not renew its contract with Verizon over fear that the company could turn
over its communications to US intelligence agencies. The German government
is now requiring telecom providers to sign contracts that confirm that they
are not legally obligated to share information with foreign governments. In
the face of such developments US companies run the risk of losing out on
business deals if other governments follow suit and adapt to the German
government’s stance on data privacy. In fact, the Information Technology &
Innovation Foundation (IFTF) released a study in 2013 that estimated that
the US cloud computing industry could lose up to $35 billion over the next
three years as a result of the NSA spying revelations.Some US companies may
even consider relocating their headquarters outside of the US to protect
their data and their business contracts.

As more devices become Internet-enabled and the amount of data generated
continues to skyrocket, organizations in the business of data protection
will need to take a stance on privacy vs. security -- no matter what side
of the geographical border they are on.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!