On Monday a senior German official tried to put a lid on the persistently pesky NSA espionage affair. It’s election time soon, and the government can’t quite shake off the allegations that the U.S. has been spying on the Germans (a lot) and that the German authorities, which professed shock at said news, actually knew about this and maybe even helped using NSA tools.
Ronald Pofalla, the chief of staff at Angela Merkel’s chancellery, was testifying before a parliamentary committee. Pofalla pursued an interesting strategy: he maintained that the U.S. and U.K. were absolutely respectful of German law, and claimed the U.S. had offered talks with Germany around a no-spying agreement. “This offer could have never been made if the Americans’ assurances that they will stick to German law in Germany weren’t actually true,” he said.
As some have quite logically noted, the idea that there’s any point formulating a no-spying agreement suggests the German government has permitted a degree of espionage up until now. But there are deeper problems with the notion that a meaningful deal may be struck.
The first is one of simple political common sense: is the NSA really going to stop poking around German data when a terrorist might be holed up there? How else are they going to inform the German authorities when someone in Germany says on Facebook that he’s going to take a stroll near an NSA facility? The second, though, is technological: how on earth do you avoid scooping up data on a specific country?
If Edward Snowden’s leaks are true (and no-one’s disproved them yet) the NSA and its partners basically run a dragnet operation that takes in most of the world’s internet data. Even if no one chooses to query it (see the political-common-sense problem above), Tempora, PRISM or some other element of the hydra-like surveillance beast will record and at least temporarily store data generated by German citizens – almost certainly breaking German data protection law in the process.
It’s hard to tell at this stage precisely what sort of agreement the U.S. and German authorities might put together – if indeed there is more to this than desperate pre-election nonsense – but the practice of spying on Germans certainly can’t be stopped with a handshake.
Pofalla’s not the only one promising the unlikely here. A few days ago Deutsche Telekom and United Internet, the company behind popular local email services Web.de and GMX, announced the launch of their “Email Made In Germany” initiative, which claims to offer “secure email communication across Germany”.
“Germans are deeply unsettled by the latest reports on the potential interception of communication data,” Deutsche Telekom CEO René Obermann solemnly said in a statement. “Our initiative is designed to counteract this concern and make e-mail communication throughout Germany more secure in general. Protection of the private sphere is a valuable commodity.”
What “Email Made In Germany” actually entails is the automatic switching-on of SSL/TLS encryption during data transmission (that is, encryption of the connection between mail client and server, and between the participating servers, not of the stored messages themselves), the ability to see which email contacts also use SSL/TLS-encrypted connections, and a promise to store emails in German data centers.
Gmail has come with default SSL/TLS encryption since 2010, so there’s not much new there. Indeed, as the Netzpolitik blog (auf Deutsch) has pointed out, no self-respecting email provider should be allowing non-encrypted transmission in 2013.
And as for storing emails in Germany, the country’s rather strict data protection laws mean this was happening anyway. Deutsche Telekom also confirmed to me on Tuesday that it doesn’t store emails in encrypted form.
The hackers at the Chaos Computer Club have argued that the whole model of a centralized email provider is broken from a security standpoint, and that end-to-end encryption is the best shot anyone has at keeping the NSA’s nose out of their business. Although I’d add the caveat that we can’t be sure what encryption techniques are still secure, they probably have a point.
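To make the difference between the initiative’s transport encryption and the CCC’s end-to-end encryption concrete, here is a small offline model, added here as an illustration and not code from the article, Deutsche Telekom or the CCC. It assumes three parties (sender, provider, recipient) and uses a constructed toy cipher (an HMAC-SHA256 keystream XORed with the data) as a stand-in for TLS and for an end-to-end cipher; the party names, the message and the keys are all invented. The point it shows is that a TLS session ends at the provider, so the provider’s mailbox holds whatever was inside the session, while an end-to-end layer leaves the provider holding only ciphertext.

```python
"""Transport (TLS) encryption versus end-to-end encryption: who can read the mail?

Constructed example. The toy cipher below is only a placeholder for a real
cipher so the model runs without third-party libraries; it is not meant for
any real use.
"""
import hashlib
import hmac
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR `data` with an HMAC-SHA256 keystream derived from (key, nonce)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Fresh random nonce prepended to the ciphertext."""
    nonce = os.urandom(16)
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext = blob[:16], blob[16:]
    return keystream_xor(key, nonce, ciphertext)


class Provider:
    """The mail provider. The TLS session terminates here, so the provider
    stores whatever the session carried, exactly as it arrived."""

    def __init__(self) -> None:
        self.mailbox: dict = {}

    def receive(self, recipient: str, payload: bytes) -> None:
        self.mailbox.setdefault(recipient, []).append(payload)


def deliver(provider: Provider, wire: list, recipient: str, payload: bytes, session_key: bytes) -> None:
    """Send `payload` to the provider over a TLS-like link.

    `session_key` models the TLS session key shared by sender and provider.
    `wire` records what an on-path observer sees."""
    on_wire = encrypt(session_key, payload)
    wire.append(on_wire)
    provider.receive(recipient, decrypt(session_key, on_wire))  # TLS ends at the provider


def demo() -> dict:
    """Deliver the same message twice: once with transport encryption only,
    once wrapped in an end-to-end layer. Returns who could read it where."""
    provider = Provider()
    wire: list = []
    session_key = os.urandom(32)    # known to sender and provider (TLS)
    recipient_key = os.urandom(32)  # known to sender and recipient only (end-to-end)
    message = b"Treffen um 10 Uhr, Raum 4"  # constructed sample message

    # 1. "Email Made In Germany" model: TLS on the wire, plaintext inside.
    deliver(provider, wire, "alice@example.invalid", message, session_key)
    # 2. CCC model: the same TLS link, but the message is encrypted end to end first.
    deliver(provider, wire, "bob@example.invalid", encrypt(recipient_key, message), session_key)

    return {
        # An observer on the wire sees ciphertext in both cases: TLS does its job there.
        "wire_readable_transport_only": message in wire[0],
        "wire_readable_e2e": message in wire[1],
        # The provider's mailbox is where the two models differ.
        "provider_readable_transport_only": provider.mailbox["alice@example.invalid"][0] == message,
        "provider_readable_e2e": message in provider.mailbox["bob@example.invalid"][0],
        # The intended recipient can still read the end-to-end encrypted copy.
        "recipient_readable_e2e": decrypt(recipient_key, provider.mailbox["bob@example.invalid"][0]) == message,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Running `demo()` shows the wire unreadable in both cases, the provider able to read the message only in the transport-only case, and the recipient still able to read the end-to-end copy. That last line is the property the initiative does not offer and the one the CCC is pointing at: with transport encryption alone, anyone with access to the provider’s storage, lawfully or otherwise, reads the mail as-is.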
In short, anyone promising safety from surveillance at the moment should be treated with suspicion. Whether it’s a politician trying to make out that the surveillance behemoth can be trained to ignore a significant country, or a bunch of web service providers trying to paint an overdue security move as a leap forward in the protection of their customers, there’s a lot of hokum flying around at the moment.
And that’s a problem all web and cloud service providers are going to have to overcome in this post-PRISM era: how to engender trust while genuinely earning it.
This will be the topic of a panel I’m moderating at our Structure:Europe conference on 18-19 September in London, and I look forward to seeing what thoughts the panellists (author and academic Dan Gillmor, Joyent CTO Jason Hoffman, ownCloud CEO Markus Rex and cloud researcher Simon Wardley) have on the matter.