How to restore trust in the digital economy?
Confidence in the digital economy has been shaken by a series of high profile data breaches and by the continuous misuse of user data by service providers. People are increasingly realizing that they pay with their data for services that appear to be free. A recent Eurobarometer survey demonstrates well the new dynamics between users and digital service providers: only 3% of Europeans trust email and cloud storage providers to protect their personal information.
Major tech companies whose revenue is mainly coming from advertisements seem to have little interest in self-regulation and keep looking for loopholes to bypass rules that would force them to protect and handle users’ personal data in a transparent manner. It’s time for regulators to show their teeth and crack down on these services before user mistrust proliferates to the entire digital economy.
Let me draw a parallel here. It’s only after that the world woke up to the 2007-2008 financial crisis that it became clear that there was a high need to regulate the banking sector. As trust has declined in financial services, legislators saw the need to introduce strict regulations to restore the proper functioning of the economy and to ensure that people return to financial institutions.
We should not repeat the same mistake when it comes to the digital economy. We should not wait until trust is so broken that it takes years to repair.
Some steps have already been taken. The EU’s new data protection regulation (GDPR) entered into force in May this year, and EU legislators are now updating the rules on the privacy and the confidentiality of communications to fit today’s digital era in the so-called ePrivacy regulation proposal.
In an open letter, together with other secure service providers, we already expressed our support for this initiative. Last week, we had the chance to discuss our position with the European Commission in person. Let me summarize our thoughts on this and how we believe legislation should evolve in the future.
The ePrivacy proposal is very welcome as it guarantees privacy not only for communications content but for the metadata of the content as well. Metadata can include very sensitive information just like personal data and deserves the highest level of protection. That said, I believe that, in order to achieve its intended purpose, certain elements of the proposal merit further considerations.
It is key to ensure that end-users are aware of the potential results of the use of certain services. Therefore, they should be informed and educated about the potential security risks and the measures (end-to-end encryption for example) the service providers takes to address them. In this regard, the text should be complemented with provisions that require electronic communications services to ensure that there is sufficient protection in place against unauthorized access or alterations to the electronic communications data and that the confidentiality and integrity of the communications are guaranteed by cryptographic methods such as end-to-end encryption. Encryption plays a crucial role in safeguarding the security and integrity of networks and services and protecting users’ data. However, there are different types of encryptions and end-to-end encryption is the one that can provide the most privacy and security as it makes it impossible for any third-parties to access the data.
The Telefónica data breach this week, which exposed customers’ identity and payment information – including land line and mobile numbers, full names, national ID numbers, addresses, banks, records of calls and other data – demonstrates well the necessity of protecting data by end-to-end encryption. Surprisingly, in the case of Telefonica, customer data could easily be downloaded in an unencrypted format. Had these data been encrypted, all the leaked information would be in an unintelligible format making it useless for anyone accessing it.
Let me also share a couple of thoughts on another issue that we discussed with the Commission: the proposal on European Production and Preservation Orders for electronic evidence in criminal matters. The idea behind this proposal is to make it easier and faster for law enforcement and judicial authorities to obtain electronic evidence.
The draft regulation presupposes that the evidence looked for is at the service providers’ disposal and does not precise what means the provider has to take to provide the evidence. In this regard, it is important to note that in certain cases it is technically impossible for service providers to deliver the content asked for. This is the case with end-to-end encryption, where only the user has access to the decryption key. End-to-end encryption service providers would only be able to comply with a law enforcement request to decrypt the data if they violated the guarantee of their end-to-end encryption and introduced backdoors into their software. However, I firmly oppose backdoors and therefore, I deem it crucial that the proposal is complemented to specify that no obligation can be placed on end-to-end encryption service providers to decrypt data that they have to hand over to authorities.
Regarding backdoors, I have already enumerated the reasons against them in a previous thought piece. Backdoors raise serious technical and moral questions, but most importantly, they compromise the essence of the right to respect one’s private life and endanger our ability to formulate opinions and express them in the digital age. We would simply shoot ourselves in the foot if we took away this protection shield from individuals and allowed governments to have backdoors to our communication when trust in digital communication services is already so low.