Common Interests, Uncommon Responses

Originally posted on February 9, 2015

Last month, Jan Philipp Albrecht, Member of European Parliament (Greens/EFA) and rapporteur for the EU’s Data Protection Regulation stated, “There is an urgency to build a common interpretation of national security.  It is on our common security interest.” 

It caught my attention because I have been writing about the correlation among threat perception, counter-terrorism, and data-sharing.

It is important to build a common interpretation of national security for a number of reasons. Governments are more likely to cooperate when they share similar perceptions of a treat. However, because of their experiences with political violence, the US and EU have developed different institutions and procedures to deal with terrorist threats, which have heavily influenced their views and laws on privacy, surveillance, and data-sharing.

In short, they understand why it is important to confront political violence, but disagree about how to do so.

Today President Obama and Chancellor Merkel recognized how historical experience had produced divergent approaches to government surveillance. Mr. Obama stated, “Given Germany’s history, there are going to be sensitivities around this issue…There are going to be irritants like there are among friends.”  Merkel concured, “There are still disagreements on some points.” [Es gibt da nach wie vor unterschiedliche Auffassungen in einigen Punkten.”]

First, neither the US nor Europe will be able to completely alter the way they confront terrorism because their experiences have produced different methods and institutions to counter these threats.   (And even here we cannot lump Europe into one EU basket either.)

Second, the US and European have little choice but to get along because of the transnational nature of the terrorism.   Their differences, however, have not halted data-exchange among intelligence and police networks.  That’s also because there’s a shared sense of purpose and duty among these groups across the Atlantic. There are numerous examples of bilateral and multilateral cooperation, but the one that comes easily to my mind is the Terrorist Finance Tracking Program, TFTP.

To me, the TFTP, Safe Harbor, (and even the limited SIGINT reform) demonstrates something else – that cooperation on the collection and transfer of transatlantic data (both public and privately held) is slowly (and painfully) producing a hybrid system that takes the histories, values, and institutions of the US and EU into account.

Whatever the result, it’s going to be bumpy ride, and sure to displease everyone.

The “Weaponization of Finance” is more than Sanctions – It’s Data

Originally posted on January 12, 2015

I am always happy when I see people address the links between finance and security because it is so rare.

Last month, Daniel Drezner, of Tufts University and the Brookings Institute, wrote about the “hard limits of economic statecraft” regarding the use of sanctions against Russia’s actions in the Ukraine (interview here too).  This week, Ian Bremmer and Cliff Kupchan, of the Eurasia Group listed “The Weaponization of Finance” as a “Top Risk of 2015.”

Bremmer and Kupchan correctly assert that the US’s global financial position affords American policymakers powerful means to influence behaviors beyond its borders.  Specifically, they note access to capital markets and sanctions as “tools of coercive diplomacy.”  They cite the US influence on norms in international organizations, the dollar’s role as the premier reserve and investment currency, and the vulnerability of the private banking sector to cyber-attack as further evidence of its power resources.

Sanctions deserve a place in the statecraft toolbox, but as Business Insider’s @elenaholodny summarized, it is difficult to employ successfully (See also David Baldwin’s classic Economic Statecraft, Meghan O’Sullivan Shrewd SanctionsCortright and Lopez Smart SanctionsandDrezner’s own Sanctions Paradox).

Restricting the use of finance to sanctions limits its value to foreign affairs. The technological revolution in banking, which has ditigialized the industry, finance’s multinational presence, and the increase in recordkeeping and reporting requirements after 9/11 and the 2008 crisis, has provided policymakers with an opportunity to harness financial data to map behaviors, networks of violence, and illicit economies across borders.

The Eurasia Group hints to this, “The United States is expanding its ability to track the financial transactions [my emphasis] of government leaders of concern, as well as their state and private sector allies, in order to close their access to capital and property.”

But governments use financial data for more than sanctions. They do it to detect weaknesses in the system and to track networks of illicit crime and political violence.

Thus, financial data’s ability to help map networks of behavior when combined with other types of information mean that finance’s role in foreign policy extends well beyond economics.

That is, of course, if government agencies can acquire that data – legally or otherwise.

I argue (briefly explained here and here) that financial data intelligence is one example of a new type of statecraft suited to the digital age; Information Statecraft – the attempt to influence through the acquisition, control, or presentation of data, information, or knowledge.

However, financial data isn’t solely held by governments; it’s held by private financial institutions, which presents numerous challenges to using financial data for sanctions or other policies.  Bremmer and Kupchan also allude to this point – “the weaponization of finance is a tool that can be use with minimal cooperation from other governments.”  While it oversimplifies the relationships involved, it does highlight the importance of private sector compliance.

Financial institutions have always treasured data for their own purposes, but now states are demanding they record, maintain, and report more of it to authorities (e.g. FATF recommendations for Politically Exposed Persons, Beneficial Ownership, Know Your Customer rules, Suspicious Action/Activity Reports, among others). For decades, and more so after 9/11, governments expect bankers to be AML/CTF sentinels, which is very far from their primary business, to make money.

The weaponization of finance is real, and has been evolving for a while.  We need to expand our views of statecraft to accommodate the new realities of the digital world, and this is especially true of the relationship between finance and foreign policy.

A Note on Extraterritoriality

Originally posted on November 10, 2014

“Extraterritoriality” keeps coming up in interviews and conversations, and as I write about the legalities of data sharing I find this concept has a curious pedigree.

In some instances it is exclusionary.  Diplomatic immunity is the most often cited example, where a host country cannot prosecute foreign dignitaries’ misdeeds under local law, but in certain circumstances his/her native land will waive this right.  The term can also denote inclusion, where states claim national law applies beyond its sovereign borders citing the ‘effects test.’

In both, boundaries are defined and crossed.  They perfectly illustrate the legal and physical dichotomies in the world(s) of information communications technologies, finance, and data, which may be geographically and legally defined, yet transnational in their virtual and physical existence.  As I have been told, “Banking is local” – regulations, attitudes about money and investing reflect local expectations, but in the last 40 years the technologies and many of the staffing and services on which we depend to facilitate these relationships, are not.  This is also a problem for international organizations like the IMF that worry about interstate cooperation and enforcement in a regulatory world – “How are they (the G20) are going to deal with extraterritoriality?” The suggested answer – “They only cooperate when they are scared.”  The danger is that instead of compromise and adaptation, states and corporations will resort to a tug of war mentality of interests based on strict definitions and boundaries.

Extraterritoriality asks, “Whose rules apply, to whom, and when?” It addresses setting standards and enforcing them.   In the end, I do not think that that the corporate world or governments will be entirely successful in avoiding a battle of territorialities, but I do hope that there is enough ‘fear’ to motivate them to recognize the importance of compromise to everyone’s interests. Too often, in the aftermath of crisis (whether it be the national security or financial kind) policy-makers and practitioners fall into a lull of comfort, lose sight of the big picture, and start aggressively pushing politics into areas that desperately demand practical solutions.

The Tension between the Private Individual and Technology

Originally posted on September 5, 2014

The recent hacking of celebrity iCloud accounts (which happens to others) and the Home Depot data breach, has the media once again chirping about the importance of secure data systems.    There’s a lot of talk about how these events bring privacy issues into the light, but I think it is safe to say that most of us live in a digital spotlight now. Long gone are the days where data security and privacy issues reside in darkness.

However, these events are reminders of two realities in the digital world; 1) technological advances are both freeing and limiting to individuals; and directly applicable to 2) the evolution and expectations of personal spaces.

As I’ve been writing about business and governmental viewpoints on data, I haven’t really touched up the individual.  The individual, you and I, are at the very core of data – we provide it to banks and governments when we use services.   But we use communications technology for personal reasons in ways that are not meant to be public or seen/used by others, or at least no one outside of our choosing. Intimate thoughts and pictures obviously fall under this umbrella.

The expectation of privacy in personal spaces is not new, but technology has altered how we must think about personal space and our expectations of privacy and who is ultimately responsible for protecting privacy.

What is the difference between an envelope containing a private letter stashed in a drawer, and a personal email with its code held on a server or your home computer?  The letter could be intercepted in the mail or stolen from our homes or briefcase, but there was a sense of privacy in those spaces.  The email though could be held on a home pc, on the cloud, accessed from work, or on a mobile phone via public or private network.  Is there an expectation of privacy in all these spaces?

The digital word has physically separated us from our data and made interception easier from people we will never know or meet.  The expectation of what constitutes private spaces has been expanded, which is why it is so difficult to control  our data, or to prosecute those who steal it.  The account might be managed by a multinational corporation with offices and servers in several countries, where anyone can access it.  Having what we want or need at any time and anywhere is a wonderful convenience, but it challenges us to think about how we maintain those parts of ourselves we do not want others to see.

Recently we have seen a barrage of headlines asking “Can you trust the cloud?” This question really suggests many things – Can you trust technology to care as much as you do about your data?  Can you trust that you own and control your data? Can you trust that you will be the only one to access your data (Insert a million links to the importance of authentication here)?

Technology is not full-proof.  Like the locks on your front door, there are services that are more difficult to get into (but still vulnerable), while others are there to keep people honest.  It is important to keep these limitations in mind because whether we like it or not, we are not in control of them, there are inherent weaknesses (just like the lock on the door can be picked), and adata breach can impinge on how others see us.

Simply speaking, as individuals we present ourselves in certain ways to certain people.  We tell them things we want them to know, and withhold other details for various reasons. (The Germans call it Persönlichkeit, add Recht to it and you get the legal basis for privacy – “the right to personality”). In a professional atmosphere talking about your home life might not be acceptable so you don’t share it.  You also might feel more comfortable talking about one part of your life with a friend, and another person not so much.  Your relationships are constructed by the type of information that people know about you.

When someone steals your private information and puts it on the web, or controls who has access to it, they are also shaping others’ perceptions about you.  Using technology to store or transmit our thoughts can make data, or behaviors, our view, our beliefs, and our bodies, vulnerable to exposure when others maliciously break into our accounts and steal our data – the bits of information that compose the multifaceted existence of our identities.   They are in control of our personas, not us.

So we have choice I suppose.  We can stop using technology because we cannot be certain that we are protected.  That seems like an unfair and unnecessary option.  Free flow of information can be a good thing and it can expose fraud or ill-intent.  However, I’ve been thinking about how security, or the lack thereof, also has the power to limit my ability to utilize technology in a manner of my choosing.  “If you don’t want something to get in the hands of someone not intended to see it, then don’t post it to the cloud.” Individuals, and companies then, are faced with a dilemma which involves a calculation of risk.  I want to use this service, but by doing so I’m exposing myself too.

A recent interviewee commented that my knowledge about privacy issues was unique and that most people  were fine with allowing others (government, corporate etc.) to control and use their data for the sake of convenience.  While this might be true, he also mentioned that this made me a lucrative niche market for innovation – providers will create services to cater to people like me. As I wrote in Harvard Business Review, I agree with this, but I wonder how much of this is a constraint on my access to technology.

We love technology but our decision to use it and the consequences of doing so increasingly fall under the discretion of others who may not hold our personal interests in mind.  Why should anyone have to find a special service in order to feel safe from prying eyes no matter who that might be? I do not pretend to have these answers, but it is something that should make everyone a little uncomfortable.  It’s a choice, of course. In the meantime, I’d suggest to keep those intimate records a little closer to home because there are few protections.