News hit Tuesday (Feb. 2) that the U.S. and the European Union had agreed to a deal on data transfers. The deal, according to an initial report from The Wall Street Journal, had the U.S. agreeing to “binding assurances that personal information about Europeans wouldn’t be subject to mass surveillance when it is copied to U.S. servers.” (Read the IDG News Service story here.)
I hoped that something had been lost in translation from the Brussels agreement, but apparently that is indeed the gist of the deal. What it means is that the U.S. has promised something that it absolutely can’t deliver.
The U.S. negotiators almost certainly knew that. But the EU negotiators had to know it just as well. This is all politics and diplomacy, my friends, where both sides can agree to something that neither side believes, while hoping that their citizens won’t notice.
So the EU gets a solemn promise of privacy protections, which its voters want. And the U.S. gets no delays in data transfers, which U.S. companies want — a win-win in diplomatic terms, but a lose-win in reality, though one that the Europeans can stomach. Why? Because the inevitable privacy invasions will happen very quietly.
Let’s start with the basics. Even if we assume — which I don’t — that the U.S. can control every tentacle of its military and intelligence operations, it certainly can’t control private businesses, Congress (which would have to pass deals to punish those private businesses, which won’t be happening) or private citizens (some of whom are cyberthieves).
Hence, U.S. assurances that “personal information about Europeans wouldn’t be subject to mass surveillance when it is copied to U.S. servers” is simply not something that any government official can honestly promise. Indeed, it’s not something that anyone can promise.
For starters, there are no laws (yet) that would prohibit any company from analyzing and mining all data about its customers, as well as anyone who interacts with that company, whether it’s a Web/mobile visit, a call to a call center, a conversation with an employee or anything else.
And if there’s nothing to stop corporate employees and private citizens from whatever snooping they want to pursue, although there are laws that make it illegal — assuming any of them realistically think they’ll get caught. And the rules don’t say that the data won’t be sniffed by Americans, but that it simply won’t be sniffed. What if Chinese, Russian or Iranian cyberthieves hit the servers and bring the data back to their corporate backers?
But this goes further than that. What kind of data are we talking about? All kinds. Indeed, the Journal story specifically referenced that this deal was intended to address earlier concerns including “Web-browsing habits” and “salary details.”
Whoa! Browsing habits? Even if, in some alternative universe, companies like Google and Amazon were somehow convinced to exclude from analysis any activity coming from a European IP address, this deal is about data transfers, with the content ultimately residing on U.S. servers. If someone with access to those servers and that data goes surfing, how can we possibly offer the promise that it won’t be accessed or analyzed by anybody?
This has echoes of companies that promise, for example, that payment data won’t go anywhere — until someone remembers that marketing grabbed a full copy and that Sydney dumped a copy onto a thumb drive and worked on it at home over the weekend. And he used the desktop he shared with his teen-aged son, who likes video games that tend to drop viruses.
Let’s get back to those U.S. government intelligence agencies. They have been told to look for evidence of terrorist activity wherever they can. We simply can’t label any area of data “unsearchable,” because that’s where bad guys will go.
To be more precise, we can certainly say that we won’t look there, but what self-respecting NSA analyst wouldn’t? Both sides know this, but they play the game. In effect, the message is “I am glad you agree to not look at these files. And when you do look at them, make sure you don’t let us catch you.”
Steve Hunt, an industry analyst with Hunt Business Intelligence, initially reacted to the news with sarcasm. “That announcement makes me smile. I am actually thrilled about it,” he said. “I finally have a way to protect corporate secrets from government surveillance.” His tongue-in-cheek plan was to throw all sensitive data into a server, label the folder “European personal information” and “they’ll have to bypass.”
Hunt, turning serious, said that such an agreement “would require policy and oversight that extends far beyond traditional government reach” and added that it would be “so costly and difficult that it would be practically impossible. It’s a promise without any possible weight behind it.”
One of the many problems with such a move is audit efforts, confirming compliance. “Even a self-assessment would be prohibitively expensive and 100% gameable,” Hunt said. “The apparatus required to confirm a deeper audit would be so vast and expensive” as to be unworkable.
CIOs must not make these same mistakes. As Americans make greater privacy demands, don’t promise what you can’t deliver. If that’s what you want to do, go join marketing.
This story, "EU, U.S. data-transfer deal will never work" was originally published by Computerworld.