Public-private partnerships will shape the future of data policy — an Insider’s look

Stefano Fantin
Published in Wonk Bridge
Jul 10, 2017

From inside the machinery of government, Stefano finds that regulatory solutions for cyber security need multi-party engagement. Here’s why.

Disclaimer: the views and opinions expressed in this article are those of the author and do not necessarily reflect any official policy or position of any public institution or agency.

Distortions of the internet are inherent parts of our daily discussion. From network security to social media behaviours, problems that seemed to us too distant only a few years ago are now massively shaping our activities. Of course, this is because our interactions are more and more internet-based.

For this reason, cyber security is no longer just a matter for computer security people. It is now a hot topic for a number of other actors.

Policy makers and legislators are now more involved than ever before in defining the rules of the cyber world. Regulating the digital age is made even more complex by citizens’ decreasing trust in such stakeholders and by their frequent lack of readiness in tackling these issues.

This piece aims to set out the main challenges for the future of data policy in Europe and the UK. As you will read, I argue that a common pattern is emerging from what I deem to be the biggest questions to answer from a data security viewpoint. I will give you two examples: the Internet of Things (IoT) and fake news/online propaganda. They may sound distant from one another, as they respectively raise issues relating to the security and to the content of online information. In both policy areas, however, engagement between public and private parties (legislators on one side, providers on the other) is a major factor in achieving effective legislation and increasing public trust in the long run.

The focus will be particularly on privacy and security implications, crucial for two areas where consistent policy interventions will soon be needed.

I have freely (but reliably) drawn some of the concepts below from a notable source. For a cyber-geek like myself, having the guru Bruce Schneier in town was an occasion I definitely couldn’t miss. A few days ago, he spoke at the annual InfoSec conference and I could not resist reserving a seat at Kensington Olympia to hear his views on the risks and opportunities of the IoT.

Internet of (every)Things

One of the most visible innovations is surely what we call the Internet of Things. It is no longer a utopia, and we are currently observing a massive increase in its adoption. Drawing a parallel with a coarse definition of artificial intelligence (computers that think, sense and act), some consider the IoT as domestic devices that think, sense and act. The potential of such devices, as well as the complication, is that through a personal choice (conscious or not) all such things can be interconnected with each other, with the data collected by any such device exchanged and, ultimately, transferred somewhere in the cloud.

The purpose of this is of course to make people’s lives easier. Imagine a heater that lowers the temperature when it’s too hot in your living room, and that sends a signal to your kettle every time it senses you’ve just woken up. However, the challenges from both the privacy and the security perspective are enormous.

(In the embedded video, at 24:46, Joe McNamee, Executive Director of European Digital Rights, speaks about the IoT.)

Paraphrasing McNamee, the purpose of this “incestuous flow of personal information” is to make our lives easier. Almost all of us now own a fridge, a TV, a smart meter or some other domestic device that, in its latest version, is connected to the internet. Today, the Internet of Things is already present everywhere. Seriously everywhere, even in your kids’ toys. Check this:

Now let’s break down a bit what the main policy issues are behind IoT.

From the point of view of our privacy, it does not take much to understand that the above scenario looks a bit creepy. And it is. Regulators will have to be strict in addressing the basic concerns arising from the potentially bulk data sharing between such smart devices and the cloud, and all the implications therein. European legislators already have something in place, the big privacy revolution that will apply from May next year:

From a broader perspective, though, the GDPR (and the reform of the e-Privacy domain) may not be enough. Security will have to be addressed more strictly and more deeply. As several computer scientists have pointed out, with the IoT a single threat can, probably for the first time, put confidentiality, integrity and availability (the CIA triad, the three pillars of information security) at the same high level of risk. Now, more than ever, these principles are interconnected, whatever the harm is. We are experiencing a sort of turning point where, with the rise of connected devices, threats are able to harm the whole CIA scheme at once. The magnitude and the reach of the risks that a small threat may cause through a single device are enormous.

In order to mitigate IoT vulnerabilities, two primary issues need to be solved. The first is the potentially low security of many devices, combined with insufficient awareness of the inherent risks. It sounds redundant, but let’s think about it. Our tendency is not to buy a toaster at an excessive price simply because it embeds high-level security components. We would definitely go for the cheaper one, which would (maybe) have far too low security standards.

But, while we should probably start changing our mentality on this, feasible regulatory solutions will have to be found to balance the competitiveness of a greedy and globalized tech market with imposing more obligations on IoT producers. The policy consideration here is that the market alone is not enough. We cannot expect a self-regulatory approach to balance American tech giants against small Chinese companies. Standards need to be set in this context. The complexity is that the IoT can potentially mean all of our devices, so it is hard to regulate standards that ensure security and interoperability at the same time.

The role of Europe here is as crucial as it is terribly difficult, as many such interventions also measure the ability of legislators to balance liberalism and protectionism in the digital domain.

The second issue on which private and public parties will have to confront each other is how updates will be handled. Regular updates of IoT devices by their producers are a pivotal step towards a more secure smart environment. Again, this may sound obvious or even naive, but it is crucially important.

We are not used to changing fridges every two years just because ours is out of date and vulnerable to attacks. We just look for a long-lasting fridge. It is for this reason that information security experts are calling for more participative interventions from producers. Mandatory updates may not be a satisfactory approach, as producers could find endless ways to game such a requirement. The honesty of private parties is crucial here, and goes hand in hand with smooth collaboration with regulators in tackling this issue.

Online propaganda and fake news

Online extremist propaganda and fake news are two sides of the same coin. Although one may reasonably argue that these conducts are carried out by different players and that substantial elements differentiate them, the two areas share one crucial similarity: both can be considered deformations in the exercise of the right to freedom of expression. Both of them create big headaches for those who try to defend the openness of the internet, given the potentially harmful impacts arising from such behaviours.

“The internet is proving to be one of the most powerful amplifiers of speech ever invented.” These words from Vint Cerf (1999) were reported by Politico a couple of days ago, in the context of the rise of fake news after Brexit. Frances Robinson (author of the article) then continues by saying that Cerf “was right, and he also foresaw the downside: if internet users are not ‘mindful of the rights of others,’ it could all become a lot less pleasant”.

The spread of fake news on the internet is just the latest topic of discussion for those busy trying to define the boundaries of this right in the digital environment, assuming that limits should be drawn at all. It is clear that the world has acknowledged the impact of such a trend on our politics (as confirmed by the events of the past twelve months), and who knows how fake news may be used in the future to influence sectors like financial markets, for instance. However, experts are now questioning whether a concrete intervention should be made, and if so, by whom. A lot is currently being discussed on whether platforms should intervene on their content, and to what extent. On the other hand, others argue that some sort of oversight and control by regulators should be in place.

Online radicalization is something we have been experiencing for longer than fake news. Violent extremism and terrorist propaganda have been used by radical groups for so long that we can even observe an evolution and a diversification of methods and purposes. We are now in an era where terrorists have acknowledged the potential of propaganda and radicalization through the Internet for two different target groups: identifying new, unknown adherents and recruiting them for terrorist purposes, as well as cultivating relationships with established groups or cells. Furthermore, propaganda is conveyed across the net with varying levels of secrecy: from open platforms like Twitter, Facebook and other social media, to encrypted channels such as Signal or Telegram. An interesting report by the intelligence think-tank Flashpoint Group describes the problem in a broader and more detailed way:

In this context, a lot may also be said about who the player in charge of fixing this is. Law enforcement agencies are increasingly setting up internet monitoring units. In this respect, we should always bear in mind that legislation worldwide generally sets the bar for lawfully taking down content very high, as a safeguard of freedom of speech. This is why the majority of the work is done by the human eye of employees at the platforms where these distortions take place.

However, as argued for the IoT, in these circumstances the cooperation between tech firms and the public sector is crucial. And this should happen proactively, through prompt engagement with the legislator (who should consider the platforms’ input in the law-making phase), as well as reactively, in the enforcement of such laws by the authorities competent to monitor and prosecute these types of crime.

The challenge in both cases (fake news and online propaganda) is neither to lose nor to lower the protection of freedom of expression, which is often overruled by the totalitarian aims of states where democracy is at serious risk, as reported by civil and digital rights advocates.

Which governance models?

The IoT and fake news/online extremism are not the only two big topics on which European policy makers will have to focus in the future. Many other areas will soon be under scrutiny by lawmakers and will have to be addressed as quickly as the two described in this article. Think about big data or encryption, for example.

We have seen how the cyber security challenges behind the IoT and the topic of fake news are not so distant after all. The difference in the relationship between public and private parties may be that, whilst in the IoT world it is the market (represented by tech industries and producers) that needs the law(makers), in the context of online propaganda it is the state that needs the cooperation of private entities. In either case, from a policy perspective, public-private partnerships must be serious and effective. Most of all, they have to lead to an impartial system of oversight and control (and with the GDPR we will be able to test such mechanisms pretty soon).

What form this interaction will take in the long run is as yet unknown, since finding the best way to build this relationship is the million dollar question for all the players involved. We cannot foresee how this reciprocity will take shape in the future, although hybrid forms of cooperation are already starting to become effective.

It is useful to conclude by mentioning two examples of established governance models, which can fairly be seen as ways to, respectively, enhance cyber security and combat cyber crime. Both relate to initiatives started at the European level. However, nothing excludes similar models being drawn up by national jurisdictions and international entities, should these models show high efficiency and acceptable results in terms of cooperation.

The first refers to the implementation of the widely discussed Network and Information Security Directive (NIS). In this context, the European Commission contributed €450 million last year to boost the public-private partnership (PPP) with the European Cyber Security Organisation (ECSO), under its well-known Horizon 2020 funding programme.

The ambitious aim is to triple that figure over approximately the next ten years, with investments in R&I coming from private industry, universities and providers. Interestingly, two of the main key performance indicators of the partnership are, on the one hand, the “(…) contribution to standards, use of testing, validation, certification infrastructures as well as EU trust labelling procedures, best practices and pilots for innovative elements of the supply chain”, and on the other the “evolution of cybersecurity revenues in the European and global market, including positioning and market share of the EU industry”.

(source: ECSO website)

Again, public-private engagements need to strike a balance between a regulatory approach and industrial competitiveness in order to accomplish a twofold strategic objective: increasing the presence of continental industries in the cyber security community and, ultimately, protecting the Digital Single Market from cyber threats.

A second example of a cyber-governance model, recently highlighted by the European Law Enforcement Agency (Europol), aims at enhancing internet policing. At this year’s World Economic Forum in Davos, director Rob Wainwright called the initiative ‘the Uberisation of international police work’, aimed at bringing together industries of the platform economy and police organizations, in order to achieve “increasing information flows between the public and private sectors, building greater levels of trust and knowledge generally, and using the digital revolution to drive new value from the use of technology and data.” He continues by noting that “highly promising opportunities lie ahead if we can mobilise what is currently a disparate set of interests and capabilities”. The idea is that, like Uber and similar entities, data-driven platforms for information sharing can be created in the context of online policing, with the added value that multiple actors (not only law enforcement bodies) can contribute towards the common goal of making the internet a safer place.

Of course, any sort of intervention will have to take due account of the internet-related battles that have been fought so far, and in this respect I will just mention two important but unsolved issues. On the one hand, the crypto-wars have left us an environment which currently lacks feasible and balanced solutions when it comes to lawful access by law enforcement agencies. On the other, net neutrality is still an elephant in the room for many. Interestingly, both design concepts now seem mature enough to truly become digital human rights principles, and who knows whether, in a possible future, we will be able to set forth some concrete policy initiative declaring the protection of the right to encryption or the right to a neutral Internet, addressing what fathers of the internet like Sir Berners-Lee or Mr. Wu have largely voiced in the past.
