Security Policy in Cyberspace: The Need for a Transatlantic Debate on the Protection of Data and Privacy
Brandenburg Institute for Society and Security
Dr. Constance P. Baban is a Senior Research Fellow and Project Leader at the Brandenburg Institute for Society and Security (BIGS) in Potsdam, where she heads the project “RiskViz – Providing a Risk Situation Picture of Industrial IT Security in Germany” funded by the German Federal Ministry for Education and Research. She is also a Non-Resident Fellow in the Foreign and Domestic Policy Program at AICGS at Johns Hopkins University. Moreover, she holds the position of Vice Chairman of the Young British Chamber of Commerce in Germany / Berlin-Brandenburg Region, a BCCG membership network of young business executives.
Constance has several years of professional experience in academia and research, the public sector as well as in the field of security affairs, technology and digitization. She holds a PhD (“summa cum laude”) and a Master of Arts (“magna cum laude”) in Applied Linguistics, Political Science, and Media & Communication Science from Leibniz Universität Hannover. Her PhD thesis on Germany’s political security discourse from 2001 to 2009 was published by Springer VS in 2013.
The recently revealed NSA (National Security Agency) surveillance program of the American government, “Prism,” and the criticism it raised not only in the U.S. but also in Germany once again made clear that cyberspace has become an essential field for law enforcement as well as for foreign and national intelligence gathering. Moreover, the revelation also demonstrated that democratic societies are still struggling to find a balance between new security policy instruments in cyberspace and citizens’ rights, such as the right to privacy and data protection as well as the protection of personally identifiable information. Yet, so far the debate about “Prism” has been narrowly conceived. To use this moment as a learning and dialogue opportunity in the transatlantic arena, “Prism” and other surveillance and data collection/mining programs for security purposes need to be seen in the broader context of two major trends in security policy and security culture: first, the digital trend in security policy and second, the paradigm shift in security policy toward a new way of prevention. This essay highlights these two trends in security policy and culture, their impact on classic security policy instruments, their consequences for data protection and privacy as essential principles for stable and free democratic societies, and their broader policy implications.
Trends in Security Policy I: The Digital Trend in Security Policy
The fact that “Prism” affected the data of thousands of German citizens revealed that balancing security policy instruments and freedom rights is a global, and specifically transatlantic, issue. Governing cyberspace can also affect other countries with different constitutional and legal settings and security cultures. With regard to Germany, data and privacy protection rights are derived from the German constitution and are manifested in the so-called right to self-determination concerning personal information (“Das Recht auf informationelle Selbstbestimmung”). Compared to other western countries, Germany has a very advanced body of laws when it comes to dealing with data protection and privacy issues, as these rights are seen as the guarantee for the realization of major constitutional principles such as the free development of the individual (“Persönlichkeitsrecht”) and human dignity (“Menschenwürde”).
Due to the historic experiences Germany has regarding the secret police systems of the Nazi Regime (“Gestapo”) and of the German Democratic Republic/GDR (“Stasi”), Germany’s security culture is characterized by an aversion to surveillance instruments and a strong appreciation of data protection and privacy, as they are viewed as essential principles of a free democratic society. However, “Prism” and other governmental data surveillance and collection attempts need to be seen in the broader context of political developments that have been triggered by the attacks on September 11, 2001 (9/11). Since then, we have seen a shift in classic national security policy instruments in Germany, the European Union, and the U.S. (even though with different accents and impacts), which has involved heightened use of information and communications technology (ICT) infrastructure—a process enabled by the digital trend affecting almost every part of our society today. The digital trend refers to the vast development of the ICT sector and the countless possibilities and risks that have emerged for politics, the economy, and citizens at the same time.
While quite a few analyses have been conducted on the impact of the digital trend on various parts of society, we are at an early stage in analyzing the impact of this trend on security policy instruments and their attendant societal consequences. Balancing law enforcement as well as intelligence gathering tools with citizens’ freedom rights is already difficult on the national level, but dealing with the global ICT infrastructure is even more complicated. In this new environment, transnational and transatlantic debates and approaches for handling security policy in cyberspace are imperative.
Until now “cybersecurity” has been one of the most popular terms when it comes to describing security and risks in cyberspace, and the topic is being discussed at all levels: in politics as well as in the business and academic sectors. However, the main focus regarding cybersecurity has so far centered on how to protect government and business ICT infrastructures from outside or inside attacks or other forms of third party harm (like hacking, espionage etc.). While efforts to raise the awareness for these crucial security issues are immense, debates on cybersecurity concerning the protection of citizens’ privacy in the political and business spheres are rather marginal. Data protection and privacy are too often viewed as inconvenient and cost-intensive barriers for security policy instruments and vibrant business processes. Nevertheless, to promote unique selling points, technology companies such as Microsoft have begun to identify and use the concept of privacy for marketing strategies.
When taken seriously, the protection of data and privacy can indeed be a unique selling point for companies. Initially, however, the concepts of privacy and data protection in Germany (and the U.S.) evolved as central democratic principles to constitute civil liberties and to ensure the free development of the individual by limiting the power of the state over its citizens. If we look specifically at the political sphere (the same also applies to the economic sphere), a major consequence of digitalization and of huge amounts of data being collected for security purposes is the issue of the fundamental vulnerability of ICT infrastructures. We are only in an early stage of discussing how safe the observed and collected data of citizens by governmental agencies and by companies (business and ICT providers) are. There can also be misuse or modification of data by third parties for multiple criminal purposes and scenarios that we might not even have yet considered. Data protection and privacy as shields against the power of the state need to be pondered more vigorously when data is being collected for national security purposes: Who ensures the information collected is gathered on a legal basis and used only for legal purposes, and who guarantees that the accumulated information is not hacked and/or misused by third parties in the future and used against its original purpose?
Trends in Security Policy II: The “New” Paradigm of Prevention
Although the “Prism” program in the U.S. has been criticized by the German public and German political leaders, it still stands pars pro toto for various developments in foreign and domestic security policy in both the U.S. and Germany that were catalyzed by the attacks on 9/11. The main goal has been the prevention of future terrorist attacks. In Germany, domestic security policy has undergone a major change since 9/11. In addition to structural changes in Germany’s security architecture, new questions have emerged about how to achieve a balance among freedom, foreign policy security and the role of the state in providing domestic security. As a response to strict anti-terrorism legislation passed in Germany since 9/11, critics in the media, academia and in politics identified a shift in security policy instruments toward the sole purpose of prevention, which subordinated constitutional principles, especially in the fields of security policy in cyberspace as described above. In order to understand this “new” paradigm of prevention, we need to appreciate what the term “prevention” means in the context of security policy. Prevention as a concept in domestic security was not initially associated with comprehensive surveillance strategies.
If we look at the history of law enforcement and intelligence before 9/11, it first becomes clear that new technologies always created new opportunities for supporting criminal activities while also enabling the creation of new tools for law enforcement and intelligence gathering to trace these activities (telephones and wiretapping; mobile phones and wiretapping, locating, etc.). Second, new technological developments also provided new possibilities for visually tracing criminal activities, such as discreet or public surveillance of suspects via photo or video camera. Every new development in surveillance instruments promised to be more efficient for criminal prosecution and was also used for public, private or business purposes to prevent actual crimes through deterrence (like camera surveillance of a public place, in a department store or around the house). The term prevention, as it has been conceptualized in Germany, has for a long time been associated with the prevention of a crime through deterrence that identifies a possible punishment for the specific crime within the range of the democratic constitutional state. Additionally, prevention has been conceptualized through other policies such as education and social policy programs.
The fact that instruments for security policy evolve alongside the development of technology is not a problem, per se. However, the digital trend in security policy has permitted the transfer of classical methods of criminal investigation and intelligence gathering into cyberspace. Here, the focus of investigators is no longer simply on the suspect or delinquent (and sometimes related third parties), but instead can be extended to the comprehensive surveillance of almost all internet and phone users without a given suspicion. As James B. Rule warns in his article “The Price of the Panopticon” in the New York Times: “We must also ask how far we want government to see into our private lives, even in the prevention and punishment of genuine wrongdoing. The promise that one especially egregious sort of crime (terrorism) can be predicted and stopped can tempt us to apply these capabilities to more familiar sorts of troublesome behavior.” Continuing, Rule draws a picture of this possible future scenario: “Using surveillance for predictive modeling to prevent all sorts of undesirable or illegal behavior is the logical next step. These possibilities are by no means a fantastical slippery slope—indeed, the idea of pre-empting criminals before they act was envisioned by Philip K. Dick’s short story ‘The Minority Report,’ later a movie starring Tom Cruise.” Rule also highlights possible impacts on our society, especially on our communal trust in our democratic institutions: “How ready and able are we to fend off the overextension and abuse of that knowledge? Who watches the watchers? And how are we to weigh the prospective losses to communal bonds and trust in our communities and our institutions, in a world without the buffer against state intervention that privacy affords?”
Policy Implications: Reviving Data Protection and Privacy in Cyberspace
Some now try to compare the NSA to the Stasi (the GDR’s Ministry for State Security’s secret police). Others see the technological developments of the information age as inevitable and claim the end of privacy as we know it. Most comments, however, fail to highlight the genealogy and necessity of data protection and privacy for stable and free democratic societies. They also fail to identify the policy implications resulting from this conclusion. Therefore, the debate on security policy in cyberspace, which often culminates in the two poles of freedom and security, should not stop with posing the question of whether we have to be irritated or concerned about privacy and data protection consequences of security policy instruments. Rather, any such debate should continue by exploring the specific impacts that digitalization has on society, especially on our way of life and our norms and values, on business, and on security policies and our security culture. Therefore, this essay argues not for condemning cyberspace, new technologies and their use in politics or business, but rather for raising awareness of the vulnerability of our digitalized societies, and for assessing and shaping our digital security cultures through an open and transparent debate.
This perspective of accepting the reality of cyberspace while being mindful of its effects suggests advocacy of guiding legal principles in this specific policy area such as commensurability (“Verhältnismäßigkeit”), data parsimony, and data avoidance (“Datensparsamkeit” and “Datenvermeidung”). It also suggests freeing the data protection and privacy discourse from misleading arguments such as the “Nothing to Hide” position described by Daniel J. Solove from the George Washington University’s Law School. Solove explains: “This [nothing to hide] argument permeates the popular discourse about privacy and security issues.” He sees the main problem in a misconception of privacy: “Many commentators who respond to the [nothing to hide] argument attempt a direct refutation by trying to point to things that people would want to hide. But the problem with the nothing to hide argument is the underlying assumption that privacy is about hiding bad things.” Therefore, equating privacy with “hiding bad things” overshadows the democratic purpose of privacy and silences advocacy for privacy and data protection rights as no one wants to be the one who has something to hide. However, as Germany’s Federal Commissioner for Data Protection and Freedom of Information stresses, data privacy is not only the basis for individual refuge (“Raum des individuellen Rückzugs”) but also a fundamental prerequisite for creating individual and public opinion (“unverzichtbare Voraussetzung einer freien Meinungsbildung”).
Democracy is not a given, but rather a dynamic, active and continuous process comprising the engagement of political leaders, society and a free press. This process correlates with our cultural values, norms and above all with our constitution. Clearly, bridging the gap between new and claimed-to-be-efficient security policy tools and the protection of data and privacy is a challenging goal for political leaders as they attempt to balance interests and priorities. Also, focusing on the promise of security in times of overcomplexity and uncertainty tends to be tempting for both politicians and the public. Viewed from a distance, it seems quite normal that, in light of the economic turmoil we have experienced in the last few years, well-off nations like the U.S. and Germany put a high emphasis on security issues in order to maintain stability. However, as Germany’s current Minister of Justice, Sabine Leutheusser-Schnarrenberger, from the Free Democratic Party, emphasized in a commentary on the “Prism” revelations: “In a constitutional democracy, security is not an end in itself but rather has to serve to protect freedom” (“Sicherheit ist im demokratischen Rechtsstaat kein Selbstzweck, sondern dient der Sicherung von Freiheit”).
 I would like to thank Dr. Lily Gardner Feldman for her support and feedback especially on this essay.
 The same applies to the British surveillance program “Tempora,” which was revealed just a few days after the U.S. program became public.
 These findings are based in part on my recent doctoral dissertation on the domestic security policy discourse in Germany from 2001 to 2009. See Baban, Constance Pary, Der innenpolitische Sicherheitsdiskurs in Deutschland. Zur diskursiven Konstruktion des sicherheitspolitischen Wandels 2001-2009 (Wiesbaden: Springer VS, 2013).
 For further readings on data protection in Germany, see also Baban, Constance Pary, “Sicherheitspolitik versus Datenschutz? – Die Kontroverse um die Vorratsdatenspeicherung,” BIGS Essenz, Vol. 11, November 2012 (Brandenburgisches Institut für Gesellschaft und Sicherheit, Potsdam). Available at
 Rule, James B., “The Price of the Panopticon,” The New York Times, June 11, 2013. Available at: http://www.nytimes.com/2013/06/12/opinion/the-price-of-the-panopticon.html?_r=0 [June 28, 2013].
 See Solove, Daniel J., “I’ve Got ‘Nothing to Hide’ and Other Misunderstandings of Privacy,” San Diego Law Review, Vol. 44, 2007; GWU Law School Public Law Research Paper No. 289, pp. 745-772. Available at: http://ssrn.com/abstract=998565.
 Ibid., p. 748.
 Ibid., p. 764.
 Schaar, Peter, Das Ende der Privatsphäre. Der Weg in die Überwachungsgesellschaft (München: C. Bertelsmann Verlag, 2007), p. 15.
 Leutheusser-Schnarrenberger, Sabine, “Prism Skandal in den USA. Sicherheit ist kein Selbstzweck,” Spiegel Online. Available at: http://www.spiegel.de/politik/ausland/gastbeitrag-leutheusser-schnarrenberger-ueber-prism-skandal-a-904884.html [June 28, 2013].