Europe pivots between safety and privacy online

European countries lead a push for the right to anonymity in the Digital Age. But, in the wake of terrorist shootings in France, calls for greater surveillance rise, too. 

By Sara Miller Llana, Staff writer; Isabelle de Pommereau, Correspondent

The following article was reported and written for 海角大神 Weekly prior to the deadly Charlie Hebdo attacks. It has been updated in spots to reflect how the violence is altering the debate on surveillance and privacy in Europe.

PARIS; AND BONN, GERMANY – A dozen men and women sit in a dark room at a technology firm in downtown Bonn, Germany, hunched over laptops. Their concentration is intense. Ranging in age from Millennials to seniors born during World War II, they drink free sodas and eat chips as they watch the evening's host, Jochim Selzer, pace at the front of the room. He has long black hair pulled back in a ponytail. He points to images on a big projection screen: a computer keyboard, cellphone, and a wireless network router.

"Every step is a potential target for an attack," he says ominously to the group. "But we can defend ourselves from all of those attacks."

It could be just another arcane seminar for a bunch of Digital Age nerds. But this, in fact, is one of the fastest-growing phenomenons in Germany – the "cryptoparty." The participants have come out on this night for one reason only: to learn how to keep governments and big business from snooping through their computers.

There is 20-something Fabian Schneider, who used to encrypt his hard drive for fun as a teenager but now codes his private e-mails and chats to prevent prying eyes from seeing them. There is 70-something Karl Conrad, a retired translator from Bonn who says his motivation for being here boils down to "a bad feeling." Even though he's from a generation that doesn't do everything online, he's unsettled by the information that former US National Security Agency staffer Edward Snowden revealed about the scope of American surveillance. "The NSA, it's like the Stasi, which wanted to know every single detail about you," he says, referring to the former East German secret police. "It's despicable."

Many others feel the same way. Across the country, Germans are gathering – in university halls, in private homes, or, as here, in donated office space – to learn how to use technology with terminology that may have seemed as foreign as Mandarin or advanced mathematics just a year ago. They're attempting to master the complexities of new Web browsers that aim to provide anonymity for users, or computer programs that seek to ensure e-mails are read only by the intended recipients. Encryption as a form of security – in e-commerce transactions, for example – has long been commonplace. But fueled by anger, frustration, and, for a few, a dose of paranoia, citizens are turning a deep form of self-encryption – once the fringe domain of government geeks and a few private hackers – into a mainstream movement.

The trend is being driven by far more than just fear of NSA snooping or government surveillance in general, which may now be tempered in the aftermath of the Paris attacks. Across Europe, concern runs deep about how and why private data is being used. It is leading to new rules and actions throughout the 28-member European Union, from a major push by Brussels to hand greater privacy rights to European citizens, to a landmark court case giving people an unprecedented "right to be forgotten" from search engines in Europe, to a class action suit against Facebook in Austria.

It's not that Europeans reject new technology. Despite the constant hand-wringing, they are still signing up for Gmail, Facebook, and Amazon in huge numbers. But the new laws and legal actions are being pushed by a new generation of computer techies, crusading bureaucrats, and privacy lawyers. They represent the front lines of a revolt that some call a clash of cyber civilizations – one that is moving Europe in a different direction than the United States on privacy and could set a new global standard against the unwieldy will of the Internet.

"It is probably true that in the future digital world people will ask for more privacy protection and more protection of personal data rather than less," says Paul Nemitz, a director in the European Commission's justice department. "As it was with the Green movement, which started in Europe and which led European industry to enormous competitiveness but had resistance in the beginning in the '70s and '80s, it is very well possible also with data we will see the same trend."

* * *

When the US ambassador to Germany, John Emerson, is asked to explain to audiences the differences between American and German notions of privacy – which he is asked to do often – he uses Google Street View as a case study.

"What's the first thing an American says when [he or she] sees Google Street View?" he says on a recent day at the US Embassy next to the Brandenburg Gate. "An American will go, 'Hey, there's Billy in the front yard.' The German reaction is, 'Oh my God, how can they do that?' "

Across Germany, street views on the website are actually blurred by pixels at the request of German citizens.

It's perhaps not surprising, then, that Germany in general and Berlin in particular are ground zero of the global privacy movement. The German capital, once the headquarters of Stasi surveillance, has become a destination for companies and individuals seeking precisely the opposite – a sense of digital autonomy.

New transplants include Jacob Appelbaum, one of the founders of the Tor browser, short for The Onion Router, which shields the identity of users, and Laura Poitras, a documentary filmmaker who was one of three journalists to meet Mr. Snowden and receive his NSA files.

While Snowden is a wanted man in the US, he is a folk hero in Berlin. Posters decreeing "Asylum for Snowden" and "A Bed for Snowden" abound, sentiments that grew after revelations about the extent of US eavesdropping – including on the cellphone calls of well-loved German Chancellor Angela Merkel.

But a jealous guarding of privacy predates the NSA scandal and extends across the Continent. The ethos is rooted in decades of dictatorship, repression, and one-party rule in 20th-century Europe. In Germany, the police states of the Gestapo and the Stasi in East Germany built a standard in which not only governments spied on citizens, but neighbors spied on neighbors. Snowden only reinforced the backlash against surveillance and big data. Many countries, from Spain to Italy to Portugal, lived under repressive regimes.

Europeans also simply feel less comfortable handing over personal information. As one privacy expert puts it: Companies just want to "flog them for more things they don't want or need." Another derisively calls it the "Google-ization of the world." In fact, for a growing number of Europeans, the American tech giant has become the emblem of the war over privacy – the symbol of American hegemony the way Coca-Cola or McDonald's or Disneyland were in the past.

In France, where privacy is so tightly guarded that many citizens question whether an affair by their president should be front-page news – or news at all – anger was also widespread in the wake of the NSA revelations. The revulsion over surveillance runs deep even though the French government conducts extensive espionage of its own.

Yet some of the resistance to the Googles of the world stems from the same protectionist sentiment that the French have long aimed at Hollywood: They, and other Europeans, simply want to preserve their own home-grown high-tech industries from big outside companies. An anti-technology element, also rooted in ambivalence about the sway of Silicon Valley, accounts for some of the French rebelliousness, too, says Ben Tonra, a professor of international relations at University College Dublin in Ireland.

"There is something of a Luddite kind of perspective, certainly from the French perspective," he says.

And Europe is hardly monolithic in its views about privacy. In Ireland, where many of the European subsidiaries of the big American computer and Internet companies are based, the fear of a loss of investment and jobs counteracts concerns about electronic surveillance and encroachment. Similarly, in Britain, which is part of the "Five Eyes" intelligence alliance with the US, Australia, Canada, and New Zealand, citizens have a higher threshold for the actions of their spy agencies.

"Take a country like the UK with the surveillance and the issue of spying. The iconography is slightly different," says Claude Moraes, a member of the European Parliament. "You have Bletchley Park [where Britain broke German codes during World War II], you have James Bond, you have Britain being part of the Five Eyes."

In the wake of the deadly Charlie Hebdo attack in Paris, some European officials are calling for extending surveillance capabilities. Most notably, British Prime Minister David Cameron plans to propose sweeping anti-terror laws to give Britain a doorway into any encryption technology. Since it's possible for the government to read letters or listen to calls, said Mr. Cameron, "are we going to allow a means of communications where it simply is not possible to do that? My answer to that question is: no, we must not. The first duty of any government is to keep our country and our people safe."

But that kind of rhetoric may just be politics, says Ian Brown, associate director of Oxford University's Cyber Security Centre. "I don't think it's a turning point," he says. While the Paris attacks jarred Europe, when it comes to the privacy movement, "I don't think it'll decisively shift things." That community, says Professor Brown, "is not going to change its position post-Paris."

Still, Europe will have to resolve these new tensions – similar to those that reverberate in the US – between security and anonymity on the Web, especially if greater privacy is viewed as making it harder to fight terrorism. Recently authorities in Europe have been granted greater powers to monitor the use of the Web to deter their citizens from becoming jihadis alongside Islamic State. Too much anonymity concerns law enforcement authorities as well, who worry about pornographers, drug dealers, and other nefarious types flourishing on the Internet when there is less transparency.

Yet all of Europe, Mr. Moraes says, agrees on one point that sets it apart from the US: If Americans value freedom of speech as an inalienable right that sometimes must trump privacy, in Europe the right to privacy is so fundamental that all national laws must consider it. As Spiros Simitis, who is dubbed "the godfather of privacy" because he drafted Germany's pioneering protection law, puts it: "The protection of personal data, and restricted use of data, and right of people to decide what can be done is one of the most fundamental principles of a democracy," he says.

* * *

Far away from the cryptoparty in Bonn, a privacy party of another sort is taking place. The guests are not in jeans but dark suits, conservative ties, and polished shoes. The meeting is at the headquarters of UNESCO in Paris, in the shadow of the world's most formidable erector set, the Eiffel Tower.

The gathering is being hosted by Isabelle Falque-Pierrotin, France's data protection chief, who is also the president of the Article 29 Working Party, a body of data privacy regulators for the EU. Fifteen of the regulators are sitting in the room here. There is also Mr. Nemitz from the European Commission and plenty of EU Parliament members. They don't call themselves radicals. And they certainly don't look the part. But these are the titans of privacy in Europe.

"We feel we are losing control over our data," says Ms. Falque-Pierrotin, standing in front of the audience at the event in early December. She talks of Europe being at a "crossroads" and of an era of uncertainty that demands the Continent speak with one voice. For this group, 2015 is a pivotal year. The regulators hope to have in place a binding new privacy law to give citizens more say over what access companies have to their data and how it is used.

The EU already has stringent rules on privacy that date back to 1995, which were built upon tough laws crafted in European nation-states in the 1970s.

But the new regulation would be a law governing all EU states. It would also increase the enforcement powers of data regulators, potentially allowing them to impose fines of as much as $125 million on companies.

In fact, EU bureaucrats may represent the biggest threat to American technology companies in Europe. US firms have lobbied hard to keep the new privacy regulation from being adopted. "There may [be] some companies that fear for their competitiveness if Europe becomes a trust center for data like Switzerland is for money," says Nemitz.

European bureaucrats insist they are not anti-technology. They see the privacy law as a boon for business, saving companies the administrative costs and uncertainty of dealing with 28 different regulatory regimes, while giving Europeans the trust they need to sign on as new consumers. If anything, they believe the law will allow companies to guarantee a new standard of privacy and market it the way firms now do a "green" or "organic" seal.

Scores of boutique firms are popping up to cater to the new privacy culture. They range from Lavaboom, a "secure" e-mail provider in Cologne, Germany, to Cozy Cloud, a French firm that allows users to store information on their personal cloud. Its motto, a play on Google's "Don't be evil" slogan, is "We can't be evil." "The EU is not against big tech. EU citizens, me included, really like using our devices," says Moraes, the European MP. "We often appreciate the companies we are interacting with. The issue is about the principles of bulk collection, issues of trust, issues of mass surveillance, and issues of accountability."

* * *

Max Schrems is dressed in a black button-down shirt and jeans, his hair trendily coiffed. His words jump out quickly and spontaneously when he talks, like popcorn in a popper. He often has to remind himself to slow down when he gives speeches at privacy conferences, which these days is frequently.

Mr. Schrems is the 20-something Austrian who catapulted from law school obscurity to the limelight when he filed a class action suit against Facebook's European subsidiary in Ireland last summer, claiming several counts of violations of European privacy law.

He has since become a cause célèbre among data regulators and privacy advocates across Europe, the way French farmer José Bové, who destroyed a McDonald's in the 1990s, became the darling of the antiglobalization set. He represents another dimension of Europe's privacy movement – use of the courts.

Schrems was studying on a semester abroad at Santa Clara University in California's Silicon Valley in 2011, when an executive from Facebook broached the subject of Europe's stringent privacy laws to the students. "You can violate their laws. Nothing is going to happen," Schrems recalls he essentially told them. "They didn't know a European was in the class," he says.

Afterward, he formed an advocacy group, Europe v. Facebook; met extensively with Facebook executives; and filed several complaints with the data protection regulator in Ireland, where the social network's European headquarters is located. That prompted an audit of Facebook, which resulted in the company having to delete data and deactivate its facial recognition capabilities, he says.

But Schrems, in an interview at the UNESCO conference, where he was frequently thronged by fawning admirers, says the data regulator wouldn't go much further, in part because of concerns of how it might affect Ireland's IT sector. So in August he filed the class action suit in a Vienna court. Some 25,000 users signed on to the suit within just a few days before he closed the case. Legal action is now the only way, he says, that the social networking giant will be forced to act.

Many privacy advocates agree and see enforcement of one uniform law as the most important element of the new regulation the EU is drawing up. While the US doesn't have overarching privacy legislation like Europe's, Europe hasn't been able to enforce violations like the US Federal Trade Commission, according to Jan Philipp Albrecht, a German EU parliamentarian. If the regulation passes – and works – it would be a trailblazer.

"For the moment [companies] have had an easy way to circumvent existing laws in Europe by having these 28 different standards," says Mr. Albrecht, a leading player for privacy in Europe.

But many have their doubts about the efficacy of the regulation. David Erdos, an expert in privacy law at the University of Cambridge in Britain, says enforcement will be difficult. It will take huge resources to police the vast universe of applications and algorithms.

"Data protection law is not managing to relate very well to digital reality generally, which [includes] thousands and thousands of app developers, hundreds and hundreds of Web platforms, and relates to hundreds of millions of individual users," says Dr. Erdos. "There is a disproportionality between resources and the task Europe has set out for itself."

* * *

By far the decision that has rattled American technology firms the most has been in the so-called right to be forgotten case, which originated with an aggrieved calligrapher in Spain. In a decision that ricocheted around the world, the European Court of Justice in Luxembourg ruled in May that individuals have the right to have personal data removed from search engines such as Google if it is "inadequate," "irrelevant," or "excessive."

The case was launched by Mario Costeja González, who fought to have two newspaper briefs from 1998 that contained details of his financial woes removed from the Internet. The references continued to top search results 15 years later, even though his problems had long since been cleared up.

Many Europeans hailed the decision as ushering in a new sense of empowerment. EU privacy regulators say they want it applied to search engines outside Europe, too. So far, Google has received more than 193,000 requests to be "forgotten." These range from one from a German rape victim who wanted a newspaper article about the crime removed (Google expunged pages from the search results for her name) to one from an Italian man who wanted articles of his arrest on financial charges eliminated (Google refused). In all, Google has rejected 60 percent of the requests it has received.

The desire of people to control what's said about themselves is certainly understandable. Even in the US, where the passion for privacy doesn't run as deep as in Europe, polls show a majority of Americans wish they could be "forgotten," too. In the worst cases, careers have been ruined by defamatory blogs. People have been traumatized or needlessly humiliated. But even the most mundane information can bring a sense of powerlessness.

One British writer, for example, feels that with the "right to be forgotten" ruling she finally has the answer to a nagging problem: how to get her home address off the Web. Until now, she hasn't been able to.

It began when her brother dreamed up a venture for a film company, using the family's address as its headquarters, in 2001, before the Internet was pervasive. Once she realized the mistake, more than a decade later, she fought futilely to get her address removed from a British government database – and later from business directories. At best it was a nuisance. At worst it spooked her.

"I felt a bit hopeless. I didn't know what to do about it," she says. "I don't mind having my own website. I don't mind having my e-mail address out there, but I don't want my home address [publicly available]."

And yet the "forgotten" case has continued to stir controversy, especially because it put multinational corporations in the position of deciding what gets removed from the Web and what doesn't. The New York Times, in an editorial, criticized the court for its decision, saying that the desire to be forgotten is understandable but that the ruling could have ominous ramifications. "Such a purge would leave Europeans less well informed and make it harder for journalists and dissidents to have their voices heard," it said.

Even in Spain, where the case originated, the decision hasn't been embraced by all. When a Spanish news site published an article informing the public that Google had removed some references to members of the Basque terrorist group ETA, a victim rights group reacted angrily.

"Right to be forgotten advocates claim this is a human right, but that is arguable since it buries into oblivion all the actions against the most basic human right, which is the right to live," says Francisco Saenz, from the Association of the Victims of Terrorism in San Sebastián in northern Spain. His father, a former police agent, was shot by ETA members in 1985.

It also is only one small slice of privacy control in the Digital Age – even though it has dominated global discussion. Leo Nuñez, a partner at the law firm Audens in Madrid that specializes in information technology, worked at Spain's data privacy agency when the Costeja González case was lodged, and he has long agreed with Costeja González's quest to be "forgotten." But the ruling has helped only a fraction of the clients who have filed through their doors, requesting that defamatory or humiliating content about them be erased. In one case, a young woman who willingly agreed to have a television crew film her during a night out unwittingly became a national joke after the video, taken three years ago, went viral. In fact, if you type the equivalent of the word "trashy" in Spanish online, her image is one of the first to pop up. But because it's her image, not her name, the "right to be forgotten" would do nothing to help her cause.

For Viktor Mayer-Schonberger, author of "Delete: The Virtue of Forgetting in the Digital Age," the European court decision, while not perfect, has generated an important conversation. "In the analog ages, we have always forgotten stuff. Forgetting is built into our society," he says. "It is only in the Digital Age that it's become much harder to do. And the default from forgetting to remembering has repercussions: We cannot disassociate from past events and past transgressions. We are tied to past events even though they no longer have a connection to who we are as a person in the present."

Forgetting is central to making decisions, moving forward, and forgiving, he says. "Remembering and forgetting aren't in balance anymore."

* * *

Mr. Selzer, the host of the cryptoparty in Bonn, agrees. He doesn't think societies fully grasp how much technology has eroded our power to forget, either.

He was 14 years old when he got his first computer. The world of technology fascinated him. But its infinite possibilities also scared him. "It was so extremely powerful, and I knew that if you interact with the machine in a proper way the machine does what you want, and it gives you a feeling of ultimate power," he says.

That's what he says he's working to keep in check. A Web administrator at the German postal service, he crisscrosses central Germany on his time off running these coding workshops. He says he lost count of the number of parties he has hosted after the 50th one.

"The Snowden hype is over, but the good thing is that people who are interested are really interested," he says. "They come not because it's hype but because they think privacy really matters."