Photo: ozrimoz/Shutterstock
Advertising, fraud or the optimization of business models: consumer data are a precious commodity that is just as much of interest to lenders and insurers as to retailers or criminals. Kai Rannenberg, Professor for Mobile Business & Multilateral Security at Goethe University Frankfurt and an expert in business IT, is conducting research into cybersecurity. Dirk Frank spoke to him about data protection, hacker attacks and cars as “mobile phones on wheels”.
Dirk Frank: Professor Rannenberg, aren’t we already at the very heart of data protection and data security, as it were, just by using an online conferencing system for our meeting today?
Kai Rannenberg: To consent to the recording of our conversation, you had to click through quite a few prompts. This is in line with the rules of the General Data Protection Regulation (GDPR), which are valid throughout the EU. Not all conferencing systems go to the same lengths to make it clear to their users what data are being recorded and how. In many cases, and unlike this system, data are not processed and stored under the GDPR’s scope of protection, but instead elsewhere – “somewhere in the cloud”. Or it remains unclear who can access the data because the systems are managed from outside Europe, or it’s not clear in the first place where the systems are managed. With the BigBlueButton server implemented and configured by our project partner TU Delft, which we are using to record this meeting, the CyberSec4Europe project showed very quickly after the start of the pandemic that you can operate a high-performance conferencing system in Europe reliably, with open source software and in compliance with the GDPR – for meetings, large public conferences, teaching and even for official project reviews. This helped us decide in favor of the BigBlueButton server, which has since been set up at Goethe University Frankfurt. Overall, this was important for data protection as well as cybersecurity because, of course, web conferencing systems also make a significant contribution – or not as the case may be – to cybersecurity and thus to digital sovereignty.
At the latest since the coronavirus pandemic, many people have had to deal with these issues at work; before that, it was probably limited to a smaller circle of users.
Here in Hesse we have a very vigilant data protection commissioner, who has stipulated that educational institutions in the state, especially the schools, must work with systems that clearly indicate where the data are located and which guarantee that the data remain within the scope of the GDPR. A provider in France or Denmark, for example, might be okay. But transferring the data to China, for example, where rule of law principles do not apply according to our way of thinking nor foster compliance with the GDPR, would be prohibited.
How do you handle this in online conferences with colleagues from the US?
When I talk to colleagues in the US, I can invite them to our conferencing system. They (or more precisely their data) must, however, reach the conferencing system, and this path might be just as secure or insecure as any path in the US. Discussions in this context are not about claiming that there is no rule of law in the US. However, there is a special regulation there that obliges service providers to enable wiretapping for national security reasons without informing customers. Lawsuits have already been filed against this in the US, also because of the competitive disadvantage associated with it, but so far without success. The exemplary role that Europe plays in the area of data protection and data security with the help of the GDPR, for example, naturally also has the advantage that companies and organizations worldwide can refer to it. This European regulation has set a trend in some countries: in India, for example, they have understood that complying with the relevant regulation is essential if you want to succeed in the European market.
When talking about cybersecurity at the present time, we cannot ignore the war against Ukraine. Most people then think primarily of cyberattacks on critical infrastructure. Does that perhaps not overlook the fact that data security and data protection already play a role in our everyday use of IT?
We already had attacks on critical infrastructure before the war, for example on the German Bundestag, on energy utilities, on universities in Giessen and Berlin, as well as on the City of Potsdam. According to what we know from colleagues in Ukraine, the fear of attacks on critical infrastructure is currently often greater than that of spying on the internet or on mobile networks because the damage caused by attacks on critical infrastructure is more immediate. But more and more people there now know that one facilitates the other. How far people in Germany are aware of this relationship is an interesting question.
Cybersecurity for Europe
CyberSec4Europe, as a pilot project for the European Cybersecurity Competence Centre and Network (ECCC), designs, tests and demonstrates governance structures for the ECCC, using best practice examples, knowledge and experience of its 42 partners. At the same time, CyberSec4Europe is working on secure software components that close gaps in research and are linked to real-world use cases, such as within the vertical sectors of digital infrastructure, finance, government and smart cities, healthcare and transportation.
CyberSec4Europe’s long-term goal is a European Union that has all the necessary capabilities to safeguard and maintain its democratic society, that lives according to European constitutional values, for example with regard to the protection of privacy and the use of data, and that has a world-leading digital economy.
Visit www.CyberSec4Europe.eu/our-results/books for e.g. two easy-to-read e-books that summarize the project results.
A variety of apps have been at our disposal for many years, most of which are available free of charge. But we also pay with our data, of course. Is there still a lack of awareness here?
Yes, unfortunately. Even careless users sometimes become aware of it, but mostly only after a nasty shock. There was an outcry when it became known that Cambridge Analytica had access to data from Facebook. And that included both data stored on the Facebook server as well as data collected with the Facebook app.
But even in “adult” life and consumer worlds, apps are everywhere. Just think of cars.
In principle, the car is meanwhile also a mobile phone on wheels. Even more information can be collected in the car: How do drivers react to stress? How do they accelerate, how do they brake, etc.? People’s motion profiles, which are already tracked through their mobile phones, are even more handily available when they travel by car. The German newspaper DIE ZEIT once set up a website that displayed politician Malte Spitz’s movements over a period of six months. For that, he had requested from Deutsche Telekom the positioning data which it had collected in relation to his mobile connection. On the website, you can see exactly where Spitz was because the data on the sometimes rather small cell sizes were also incorporated into the animation. This made a lot of people take note. We also use the animation in our lectures so that our students gain an understanding of what digital infrastructures already track now.
Photo: Elio Germani/Representation of the State of Hessen to the EU
An Ihrem Lehrstuhl wurde vor einigen Jahren eine App entwickelt, die Datenschutzrisiken aufgespürt hat, um damit den NutzerinSo that users could take back control of their apps’ behavior, a few years ago your chair developed one that detected data protection risks.
This app also made it into the news at the time, especially as a result of our team’s findings with regard to sports apps. These record data on the human body and its functions via additional sensors worn by the user, for example on wristbands. We need more education in this area: data protection is like brushing your teeth. It’s a chore, not exactly sexy, sometimes it even hurts, but it pays off in the long run. We often hear people say: “I have nothing to hide.” In fact, everyone has something to hide because everyone has weaknesses that could be disadvantageous if they are exposed at a certain point in time. We also need to weigh up whether we should share data or not and what the implications might be. For example, if I need urgent help, the fact that someone can find me is not really my biggest problem.
SCHUFA, the credit rating agency, recently made a point of saying that it does not process data from social networks.
But they only announced this under public pressure. What’s more, we don’t know what other credit rating agencies are doing. Insurance companies are, of course, very interested in becoming privy to all kinds of data. If you disclose more information about yourself, you can get cheaper car insurance. Some people say that this actually contradicts the idea of insurance, that you should not be penalized for a weakness. If you are offered this kind of data trade-in, you should be aware that you are the weaker side in a “partnership” or deal. The European consumer protection association BEUC has a special department that takes care of data protection, particularly with regard to household items and services that consumers use every day. These can be toys, for example: with the Internet of Things, such devices are connected to the internet. This turns toys into clients of cloud services, but customers are not sufficiently informed about this, especially in the case of cheap devices.
At the beginning of December, the “Momentum! Cyber Security for Europe” event was held in Brussels. What was on the agenda?
Some cybersecurity pilot projects have so far focused on high-security applications in the military domain. In our CyberSec4Europe project, however, we have specifically targeted civil applications of information and communication technologies and addressed seven areas: the exchange of medical data, as more and more therapies are based on this; online shopping; bank data, especially “Me and my bank account”; education and certification of education achievements or admission to education and training institutions. Two other areas, also in the civil sector, but not as directly relevant to individual citizens, are the protection of maritime infrastructure, especially communication between ports and ships, and digital value chains in production. These value chains are getting longer and longer, which is why the parties involved must be able to trust each other. The seventh area is smart cities, where digital technology is being used in an ever-increasing number of applications and scenarios.
Always connected: today’s cars collect large amounts of data – for manufacturers, the state and the garage.
Photo: Gabriel Nica/Shutterstock
You were quoted in the run-up to the event as follows: “Cybersecurity must remain linked to European values such as freedom and respect for each individual and the protection of the most vulnerable.”
Just imagine: your new dentures are produced somewhere in an automated or semi-automated industrial process using smart manufacturing. First, your head must be measured, and all kinds of personal data, including previous problems with your teeth, must be transmitted to the manufacturer. Looking at the areas of application mentioned above, we can see that European values are not only treated in the abstract but also with a view to people in their everyday lives. How does this affect “normal” people, what exactly is happening to them in the respective situation? Certainly, the manufacturer of the dentures has an interest in producing them as accurately as possible, otherwise they cannot sell them in the end. But there is a temptation to use customers’ highly personal data for other things as well. What is important is that people can not only decide on this themselves but also trust that suppliers respect their decisions and implement them in a technically reliable way.
The interview was conducted by Dr. Dirk Frank, Press Officer at Goethe University Frankfurt.
