Two weeks after European Court of Justice (ECJ) Advocate General Yves Bot called for the invalidation of the Safe Harbor agreement between the United States and the European Union, the high court ruled the policy unsound.
The Safe Harbor agreement, which has been in place since 2000, allowed U.S.-based companies to transfer the data of European citizens overseas to the U.S. as long as the company met EU privacy standards.
However, last year, Austrian law student Maximilian Schrems filed a complaint with the Irish Data Protection Commissioner, claiming Safe Harbor did not adequately protect his Facebook data that was stored in the U.S. and subject to government surveillance. Though the Irish Data Protection Commissioner rejected Schrems' claim, he appealed and the case was sent to the ECJ.
Two weeks ago, Bot wrote in an opinion that revelations by Edward Snowden of U.S. surveillance practices were a reason for "serious concern."
In a decision Tuesday, the ECJ agreed with Bot and overturned the 15-year-old Safe Harbor agreement.
While the decision does not automatically put an end to data transfers overseas, it allows national regulators to suspend transfers if the company does not adequately protect user data.
Privacy win, business woe?
While the overturning of Safe Harbor has been called a privacy and surveillance victory, its potential problems for companies are also of note.
"This is a big deal because it directly affects all the large American Internet companies," security expert Bruce Schneier said. "Expect much more pressure on the NSA to stop its indiscriminate spying on everyone."
Jo Lintzen, vice president of business development at security manufacturer Utimaco, agreed.
"As global citizens in a post-Snowden world, the Safe Harbor ruling will bring better baseline protection of privacy," Lintzen said in a written statement.
"I very much welcome the judgment of the court," Schrems said, calling it a "major blow" for U.S. surveillance and saying it "makes it clear that U.S. businesses cannot simply aid U.S. espionage efforts in violation of European fundamental rights."
"The judgment draws a clear line," Schrems said. "It clarifies that mass surveillance violates our fundamental rights. … The decision also highlights that government and businesses cannot simply ignore our fundamental right to privacy, but must abide by the law and enforce it."
"At the same time," Schrems added, "this case law will be a milestone for constitutional challenges against similar surveillance conducted by EU member states."
Despite the privacy benefits, there are drawbacks on the business side of the house.
U.S. Secretary of Commerce Penny Pritzker released a statement in which she said, "Since 2000, the Safe Harbor Framework has proven to be critical to protecting privacy on both sides of the Atlantic and to supporting economic growth in the United States and the EU. We are deeply disappointed in today's decision from the European Court of Justice, which creates significant uncertainty for both U.S. and EU companies and consumers, and puts at risk the thriving transatlantic digital economy. Among other things, the decision does not credit the benefits to privacy and growth that have been afforded by this Framework over the last 15 years."
U.S. Senator John Thune (R-SD) said, "Today's unfortunate decision harms consumers who benefit from trans-Atlantic data flows under the U.S.-EU Safe Harbor Agreement. I strongly encourage the U.S. Department of Commerce to conclude negotiations on a new agreement with the European Union that allows the free flow of data to continue. Until those negotiations are complete, it is imperative that businesses [that] relied upon the Safe Harbor have clear guidance on how to continue operations."
So what's really in store?
According to the Wall Street Journal, larger companies such as Alphabet Inc. and Facebook Inc. are prepared for the aftereffects of Safe Harbor's collapse; Alphabet's Google will expand the size of its data center in Belgium and is going to build a new data center in the Netherlands, slated to open in the first quarter of 2016.
While large enterprises may survive, time will tell what it will do to smaller companies that do not have the time or money to build their own facilities in the EU or pay companies for them.
There are other options for overseas data transfers, of course, but reviewing data transfer processes, evaluating alternatives and putting a new strategy in place can exhaust resources.
Microsoft Corp., for example, is in compliance with the EU Model Clauses, which it says allow customers to move data between the EU and the U.S. in the absence of Safe Harbor. Amazon Web Services is also model clause compliant.
Ken Westin, security analyst for Tripwire Inc., said that mitigating risk requires a standard that will "avoid putting the onus on individual companies, as transferring data out of a region without approval can put a company at legal risk."
Pritzker said the U.S. is working on updating the Safe Harbor agreement.
"The court's decision necessitates release of the updated Safe Harbor Framework as soon as possible. … We are prepared to work with the European Commission to address uncertainty created by the court decision so that the thousands of U.S. and EU businesses that have complied in good faith with the Safe Harbor and provided robust protection of EU citizens' privacy in accordance with the Framework's principles can continue to grow the world's digital economy."
Many say little will be felt as an aftereffect of the ECJ's Safe Harbor ruling.
Schrems himself said that "despite some alarmist comments, I don't think that we will see major disruptions in practice."
Others say it could be a turning point in the surveillance debate.
Danny O'Brien, international director of the Electronic Frontier Foundation, said in a blog post, "There's only one way forward to end this battle in a way that keeps the Internet open and preserves everyone's privacy. Countries have to make clear that mass surveillance of innocent citizens is a violation of human rights law, whether it is conducted inside their border or outside, upon foreigners or residents. They have to bring their surveillance programs, foreign and domestic, back under control."
Lintzen says there are three plausible outcomes. "1. Organizations will invest in data centers and technology that allows them to store data in the same legislative environment it was sourced from; 2. Companies will still transmit data overseas, but under more costly, strict and time-consuming praxis; or 3. The European view of personal data as a fundamental right of their citizens will act as a driver for U.S. companies to invest in more secure infrastructures, not only in the data centers in Europe but also in the U.S. itself."
Organizations are being urged to explore alternatives for the time being, as the timeline for an updated Safe Harbor agreement is uncertain.
In other news
- Researchers published a paper Thursday detailing how real-world attacks compromising SHA-1 will be possible before the algorithm is retired in January 2017. In what they dubbed a "freestart collision attack," researchers demonstrated the first practical break of all 80 steps of SHA-1, an attack that took only 10 days of computation on a 64-GPU cluster. While major browsers will stop accepting SHA-1 based signatures starting in January 2017, researchers Marc Stevens, Pierre Karpman and Thomas Peyrin are urging the industry to retire the standard more quickly. In 2012, Bruce Schneier predicted a SHA-1 collision attack would cost around $700,000 in 2015, but the researchers now suggest the attack could cost as little as $75,000, putting the possibility of an attack "already within the resources of criminal syndicates, almost two years earlier than previously expected." There is a proposal in the CA/Browser Forum to extend SHA-1 certificates another year, but the researchers recommend that it be marked unsafe sooner rather than later. Currently, more than 28% of digital certificates are signed using SHA-1.
- The National Institute of Standards and Technology announced two new projects in the battle for email security. The first is a draft document, currently open for comment, which provides guidelines to improve trust in email. Written for enterprise email administrators, information security specialists and network managers, the guidance applies to federal IT systems but can be used by any organization. A complement to NIST's Guidelines on Electronic Mail Security, it outlines email elements and protocols as well as security threats to email services, and describes how to authenticate email messages, protect email confidentiality, reduce spam and ensure end-user security. The second initiative, by NIST's National Cybersecurity Center of Excellence (NCCoE), is called the Domain Name System (DNS)-Based Secured Email project and aims to show organizations how to build and use a secure email platform using commercially available tools. NCCoE is looking for collaborators to provide products and expertise to help build "a security platform that provides trustworthy email exchanges across organizational boundaries." The project will also create a publicly available NIST Cybersecurity Practice Guide with documentation on building a DNS-based email security platform.
- The Travelers Companies Inc. released its third annual Consumer Risk Index last week, which concluded that more people are worrying about cyberthreats now than ever before. Concern over cyber, computer and tech-related risks rose to 57% in 2015, up from 36% in 2014. Top risks include having financial accounts hacked, virus attacks, offline identity theft, online identity theft and losing personal data after a retailer attack. Twenty-five percent of the 1,029 Americans surveyed said they believed they had already been involved in a data breach or cyberattack. The worry may indeed be warranted when you consider the statistics: the FTC reportedly said the number of identity thefts has reached anywhere from 9.9 to 13.1 million, while others report it to be as high as 15 million, despite the fact that the FTC recorded only 332,646 identity theft complaints in 2014.