
digital sovereignty

Sovereignty and digital technology: controlling our own destiny

Annie Blandin-Obernesser, IMT Atlantique – Institut Mines-Télécom

Facebook has an Oversight Board, a kind of “Supreme Court” that rules on content moderation disputes. Digital giants like Google are investing in the submarine telecommunications cable market. France has had to backpedal after choosing Microsoft to host the Health Data Hub.

These are just a few examples showing that the way digital technology is developing poses a threat not only to the economic independence and cultural identity of the European Union and France, but to sovereignty itself, which is being called into question by the digital world while also finding its own form of expression there.

What is most striking is that the major non-European digital platforms are appropriating the attributes of sovereignty: a transnational territory (their market, where they lay down norms), a population of internet users, a language, virtual currencies, optimized taxation, and the power to issue rules and regulations. The aspect unique to the digital context rests on the production and use of data and on control over access to information. This amounts to a form of competition with states or with the EU.

Sovereignty in all its forms being questioned

The concept of digital sovereignty has matured since it was formalized around ten years ago as an objective to “control our own destinies online”. The current context is different from the one in which it emerged. Now, it is sovereignty in general that is seeing a resurgence of interest, or even souverainism (an approach that prioritizes protecting sovereignty).

This topic has never been so politicized. Public debate is structured around themes such as state sovereignty regarding the EU and EU law, economic independence, or even strategic autonomy with regards to the world, citizenship and democracy.

In reality, digital sovereignty is built on the basis of digital regulation, controlling its material elements and creating a democratic space. It is necessary to take real action, or else risk seeing digital sovereignty fall hostage to overly theoretical debates. This means there are many initiatives that claim to be an integral part of sovereignty.

Regulation serving digital sovereignty

The legal framework of the online world is based on values that shape Europe’s path, specifically, protecting personal data and privacy, and promoting general interest, for example in data governance.

The text that best represents the European approach is the General Data Protection Regulation (GDPR), adopted in 2016, which aims to allow citizens to control their own data, similar to a form of individual sovereignty. This regulation is often presented as a success and a model to be followed, even if it has to be put in perspective.

New European digital legislation for 2022

The current situation is marked by proposed new digital legislation with two regulations, to be adopted in 2022.

It aims to regulate platforms that connect service providers and users or offer services to rank or optimize content, goods or services offered or uploaded online by third parties: Google, Meta (Facebook), Apple, Amazon, and many others besides.

The question of sovereignty is also present in this reform, as shown by the debate around the need to focus on GAFAM (Google, Amazon, Facebook, Apple and Microsoft).

On the one hand, the Digital Markets Act (the forthcoming European legislation) imposes strengthened obligations on “gatekeeper” platforms, those that business users depend on to reach end users. This affects GAFAM, even if other companies, such as Booking.com or Airbnb, may also be concerned. It all depends on the outcome of the current discussions.

And on the other hand, the Digital Services Act is a regulation for digital services that will structure the responsibility of platforms, specifically in terms of the illegal content that they may contain.

Online space, site of confrontation

Having legal regulations is not enough.

“The United States have GAFA (Google, Amazon, Facebook and Apple), China has BATX (Baidu, Alibaba, Tencent and Xiaomi). And in Europe, we have the GDPR. It is time to no longer depend solely on American or Chinese solutions!” declared French President Emmanuel Macron during an interview on December 8 2020.

Interview between Emmanuel Macron and Niklas Zennström (CEO of Atomico). Source: Atomico on Medium.

The international space is a site of confrontation between different kinds of sovereignty. Every individual wants to truly control their own digital destiny, but we have to reckon with the ambition of countries that demand the general right to control or monitor their online space, such as the United States or China.

The EU and/or its member states, such as France, must therefore take action and promote sovereign solutions, or else risk becoming a “digital colony”.

Controlling infrastructure and strategic resources

With all the focus on intermediary services, there is not enough emphasis placed on the industrial dimension of this topic.

And yet, the most important challenge resides in controlling vital infrastructure and telecommunications networks. The question of submarine cables, which carry 98% of the world’s digital data, receives far less media attention than the issue of 5G equipment and the pushback against Huawei. Yet it demonstrates the need to promote our cable industry in the face of the hegemony of foreign companies and the arrival of giants such as Google or Facebook in the sector.

The adjective “sovereign” is also applied to other strategic resources. For example, the EU wants to secure its supply of semiconductors, as it currently depends heavily on Asia. This is the purpose of the European Chips Act, which aims to create a European ecosystem for these components. For Ursula von der Leyen, “it is not only a question of competitiveness, but also of digital sovereignty.”

There is also the question of a “sovereign” cloud, which has been difficult to implement. There are many conditions required to establish sovereignty, including the territorialization of the cloud, trust and data protection. But with this objective in mind, France has created the label SecNumCloud and announced substantial funding.

Additionally, the adjective “sovereign” is used to describe certain kinds of data, for which states should not depend on anyone for their access, such as geographic data. In a general way, a consensus has been reached around the need to control data and access to information, particularly in areas where the challenge of sovereignty is greatest, such as health, agriculture, food and the environment. Development of artificial intelligence is closely connected to the status of this data.

Time for alternatives

Does all that mean facilitating the emergence of major European or national actors and/or strategic actors, start-ups and SMEs? Certainly, such actors will still need to show good intentions, compared to those that shamelessly exploit personal data, for example.

A pure alternative is difficult to bring about. This is why partnerships develop, although they are still highly criticized, to offer cloud hosting for example, like the collaboration between Thales and OVHcloud in October 2021.

On the other hand, there is reason to hope. Open-source software is a good example of a credible alternative to American private technology firms. It needs to be better promoted, particularly in France.

Lastly, cybersecurity and cyberdefense are critical issues for sovereignty. The threat level is high, with attacks coming from Russia and China in particular. Cybersecurity is one of the major sectors in which France is currently investing heavily and positioning itself as a leader.

Sovereignty of the people

To conclude, it should be noted that challenges relating to digital sovereignty are present in all human activities. One of the major revelations occurred in 2005, in the area of culture, when Jean-Noël Jeanneney observed that Google had defied Europe by creating Google Books and digitizing the continent’s cultural heritage.

The recent period reconnects with this vision, with cultural and democratic issues clearly essential in this time of online misinformation and its multitude of negative consequences, particularly for elections. This means placing citizens at the center of mechanisms and democratizing the digital world, by freeing individuals from the clutches of internet giants, whose control is not limited to economics and sovereignty. The fabric of major platforms is woven from the human cognitive system, attention and freedom. Which means that, in this case, the sovereignty of the people is synonymous with resistance.

Annie Blandin-Obernesser, Law professor, IMT Atlantique – Institut Mines-Télécom

This article was republished from The Conversation under the Creative Commons license. Read the original article here (in French).

zero-click attacks

Zero-click attacks: spying in the smartphone era

Zero-click attacks exploit vulnerabilities in smartphones to compromise a target’s device without the target having to do anything. They are now a threat to everyone, from governments to medium-sized companies.

“Zero-click attacks are not a new phenomenon”, says Hervé Debar, a researcher in cybersecurity at Télécom SudParis. “In 1988 the first computer worm, named the ‘Morris worm’ after its creator, infected 6,000 computers in the USA (10% of the internet at the time) without any human intervention, causing damage estimated at several million dollars.” By connecting to mail servers, which by necessity accepted connections from any host, the program exploited flaws in the server software to infect it. It could be argued that this was one of the very first zero-click attacks: an attack that exploits vulnerabilities in the target device without the victim having to do anything.

There are two reasons why this type of attack is now so easy to carry out on smartphones. Firstly, the protective mechanisms on these devices are not as effective as those on computers. Secondly, displaying images and videos requires complex decoding code, often larger and more intricate than its desktop counterpart; since that code runs automatically on every piece of content received, every flaw in it is reachable by an attacker who simply sends a message. This is what makes it possible to exploit such flaws to plant malware. As Hervé Debar explains, “attackers must, however, know certain information about their target – such as their mobile number or their IP address – in order to identify their phone. This is a targeted type of attack which is difficult to deploy on a larger scale as this would require collecting data on many users.”

Zero-click attacks tend to follow the same pattern: the attacker sends the target a message whose content is received in an app. This may be a sound file, an image, a video, a GIF or a PDF file crafted to exploit the code that decodes it. Once the message arrives, the recipient’s phone processes it automatically (to render a preview or a notification, for example) without the user having to click on anything. While that decoding code is running, the attacker exploits a flaw in it to execute their own code, and spyware is installed on the device without the victim knowing.

Zero-days: vulnerabilities with economic and political impact

The vulnerabilities exploited in zero-click attacks are typically “zero-days”: flaws that are unknown to the manufacturer or that have not yet been fixed. There is now a global market for finding them, the zero-day market, made up of companies that pay hackers to identify such flaws. Once a flaw has been found, the hacker writes a document describing it in detail, and the company that commissioned it often pays several thousand dollars to obtain it. In some cases the manufacturer itself buys the document in order to fix the flaw. But it may also be bought by a company that resells the vulnerability to its clients, often governments, for espionage purposes. According to Hervé Debar, between 100 and 1,000 vulnerabilities are detected on devices each year.

Zero-click attacks are regularly carried out for theft or espionage. For theft, the aim may be to validate a payment made by the victim in order to divert their money. For espionage, the goal might be to recover sensitive data about a specific individual. The most recent example was the Pegasus affair, in which a leaked list of around 50,000 phone numbers identified potential targets, including politicians and media figures. “These attacks may be a way of uncovering secret information about industrial, economic or political projects. Whoever is responsible is able to conceal themselves and to make it difficult to identify the origin of the attack, which is why they’re so dangerous”, stresses Hervé Debar. But governments and multinationals are not the only ones affected: small and medium-sized companies are too, and they are particularly vulnerable because, lacking the financial resources of large organisations, they often have no IT professionals running their systems.


More secure computer languages

But there are things that can be done to limit the risk. According to Hervé Debar, “the first thing to do is use your common sense. Too many people fall into the trap of opening suspicious messages.” Personal phones should also be kept separate from work phones, so that a compromised device does not expose all of a victim’s data. Another useful measure is to back up files to an external hard drive. “By transferring your data onto an external hard drive, it won’t only be available on the network. In the event of an attack, you will safely be able to recover your data, provided you disconnected the disk after backing up.” Organisations may also deploy intrusion detection systems (IDS) or intrusion prevention systems (IPS) to monitor data flows and access to information.

In the fight against cyber-attacks, researchers have developed alternative programming languages. Ada, which dates back to the 1980s, is used in aeronautics, railways and other safety-critical systems. For the past ten years or so, Rust has been used to address the memory-management problems (buffer overflows in particular) that are endemic in C and C++, the languages in which most operating systems are written. “These new languages are better controlled than traditional programming languages. They feature automatic protective mechanisms to prevent errors committed by programmers, eliminating certain breaches and certain types of attack.” However, “writing programs takes time, requiring significant financial investment on the part of companies, which they aren’t always willing to provide. This can result in programming errors leading to breaches which can be exploited by malicious individuals or organisations.”
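As an added illustration of the attack pattern described earlier (content is decoded automatically on receipt, and a lying length field turns the decoder into the entry point) and of the memory-safety point about C versus Rust, here is a toy example in C. It is not code from the article or from any real messaging app: the “IMG1” format, the function names and the sample messages are all constructed for it. The vulnerable decoder trusts the attacker-controlled length field; the hardened one checks it against the bytes actually received and against the destination buffer before copying, which is the bounds check a Rust slice would enforce automatically.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy "IMG1" container (not a real codec):
 *   bytes 0..3   magic "IMG1"
 *   bytes 4..5   width  (big-endian uint16)
 *   bytes 6..7   height (big-endian uint16)
 *   bytes 8..11  payload length in bytes (big-endian uint32)
 *   bytes 12..   payload, one byte per pixel
 * Every field after the magic is attacker-controlled: it arrives in a
 * message and is decoded before the user has touched anything. */
#define IMG_HDR_LEN   12
#define PIXEL_BUF_LEN 256

enum img_status {
    IMG_OK = 0,
    IMG_BAD_HEADER,   /* too short or wrong magic */
    IMG_TRUNCATED,    /* declared length exceeds the bytes received */
    IMG_TOO_LARGE,    /* declared length exceeds the destination buffer */
    IMG_DIM_MISMATCH  /* width * height disagrees with the length field */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* VULNERABLE decoder: trusts the length field. A header declaring 1000 bytes
 * makes memcpy write past the 256-byte stack buffer and read past the end of
 * the received message. This is the class of defect a zero-click payload
 * exploits; self_check() below never feeds it hostile input. */
enum img_status decode_vulnerable(const uint8_t *msg, size_t msg_len, uint8_t *first_pixel)
{
    uint8_t pixels[PIXEL_BUF_LEN] = {0};
    if (msg_len < IMG_HDR_LEN || memcmp(msg, "IMG1", 4) != 0)
        return IMG_BAD_HEADER;
    memcpy(pixels, msg + IMG_HDR_LEN, rd32(msg + 8));   /* no bounds check */
    *first_pixel = pixels[0];
    return IMG_OK;
}

/* HARDENED decoder: each attacker-controlled value is checked against the
 * bytes actually received and the destination buffer before any copy, and
 * the dimension product is computed in 64 bits so it cannot wrap. */
enum img_status decode_hardened(const uint8_t *msg, size_t msg_len, uint8_t *first_pixel)
{
    uint8_t pixels[PIXEL_BUF_LEN] = {0};
    if (msg_len < IMG_HDR_LEN || memcmp(msg, "IMG1", 4) != 0)
        return IMG_BAD_HEADER;
    uint16_t w = rd16(msg + 4), h = rd16(msg + 6);
    uint32_t declared = rd32(msg + 8);
    if (declared > msg_len - IMG_HDR_LEN) return IMG_TRUNCATED;   /* would over-read */
    if (declared > PIXEL_BUF_LEN)         return IMG_TOO_LARGE;   /* would overflow */
    if (w == 0 || h == 0 || (uint64_t)w * h != declared) return IMG_DIM_MISMATCH;
    memcpy(pixels, msg + IMG_HDR_LEN, declared);
    *first_pixel = pixels[0];
    return IMG_OK;
}

/* Builds a constructed sample message (payload bytes 0xA0, 0xA1, ...).
 * 'declared' and 'payload_len' are separate so the header can lie. */
size_t build_msg(uint8_t *buf, uint16_t w, uint16_t h, uint32_t declared, size_t payload_len)
{
    memcpy(buf, "IMG1", 4);
    buf[4] = (uint8_t)(w >> 8);         buf[5]  = (uint8_t)w;
    buf[6] = (uint8_t)(h >> 8);         buf[7]  = (uint8_t)h;
    buf[8] = (uint8_t)(declared >> 24); buf[9]  = (uint8_t)(declared >> 16);
    buf[10] = (uint8_t)(declared >> 8); buf[11] = (uint8_t)declared;
    for (size_t i = 0; i < payload_len; i++)
        buf[IMG_HDR_LEN + i] = (uint8_t)(0xA0 + i);
    return IMG_HDR_LEN + payload_len;
}

/* Runs the decoders over one honest and three hostile messages; returns how
 * many behaved as expected (5 when all checks hold). */
int self_check(void)
{
    uint8_t buf[1024], px = 0;
    int ok = 0;
    size_t n;
    n = build_msg(buf, 4, 4, 16, 16);              /* honest 4x4 image */
    ok += decode_hardened(buf, n, &px) == IMG_OK && px == 0xA0;
    ok += decode_vulnerable(buf, n, &px) == IMG_OK && px == 0xA0;
    n = build_msg(buf, 4, 4, 1000, 16);            /* header claims 1000, only 16 received */
    ok += decode_hardened(buf, n, &px) == IMG_TRUNCATED;
    n = build_msg(buf, 16, 32, 512, 512);          /* consistent, but 512 > 256-byte buffer */
    ok += decode_hardened(buf, n, &px) == IMG_TOO_LARGE;
    n = build_msg(buf, 0x4000, 0x4000, 256, 256);  /* w*h = 2^28, not 256 */
    ok += decode_hardened(buf, n, &px) == IMG_DIM_MISMATCH;
    return ok;
}

int main(void)
{
    printf("%d/5 checks passed\n", self_check());
    return 0;
}
```

The second hostile message is the interesting one: its declared length is consistent with the bytes received, so a decoder that only guards against over-reads would still overflow the pixel buffer; both checks are needed, in addition to the dimension check that catches integer wrap-around.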

Rémy Fauvel

Data collection protection, GDPR impact

GDPR: Impact on data collection at the international level

The European data protection regulation (GDPR), which came into force in 2018, set limits on the use of trackers that collect personal data. This data is used to target advertising to users. Vincent Lefrère, associate professor in digital economy at Institut Mines-Télécom Business School, worked with Alessandro Acquisti from Carnegie Mellon University to study the impact of the GDPR on the tracking of users in Europe and internationally.

What was your strategy for analyzing the impact of GDPR on tracking users in different countries?

Vincent Lefrère: We conducted our research on online media such as Le Monde in France or the New York Times in the United States. We looked at whether the introduction of the GDPR has had an impact on the extent to which users are tracked and the amount of personal data collected.

How were you able to carry out these analyses at the international level?

VL: The work was carried out in partnership with researchers at Carnegie Mellon University in the United States, in particular Alessandro Acquisti, who is one of the world’s specialists in personal digital data. We worked together to devise the experimental design and create a wider partnership with researchers at other American universities, in particular the Minnesota Carlson School of Management and Cornell University in New York.

How does the GDPR limit the collection of personal data?

VL: One of the fundamental principles of the GDPR is consent. This makes it possible to require websites that collect data to obtain users’ consent before tracking them. In our study, we never gave our consent or explicitly refused the collection of data. That way, we could observe how a website behaves in relation to a neutral user. Moreover, one of the important features of GDPR is that it applies to all parties who wish to process data pertaining to European citizens. As such, the New York Times must comply with the GDPR when a website visitor is European.

How did you compare the impact of the GDPR on different media?

VL: We logged into different media sites with IP addresses from different countries, in particular with French and American IP addresses.

We observed that American websites limit tracking more than European websites, and therefore better comply with the GDPR, but only when we were using a European IP address. It would therefore appear that the GDPR has been more dissuasive on American websites for these users. However, the American websites increased the tracking of American users, for whom the GDPR does not apply. One hypothesis is that this increase is used to offset the loss of data from European users.

How have online media adapted to the GDPR?

VL: We were able to observe a number of effects. First of all, online media websites have not really played along. Since mechanisms of consent are somewhat vague, the formats developed in recent years have often encouraged users to accept personal data collection rather than reject it. There are reasons for this: data collection has become crucial to the business model of these websites, but little has been done to offset the loss of data resulting from the introduction of the GDPR, so it is understandable that they have stretched the limits of the law in order to continue offering high quality content for free. With the recent update by the French National Commission on Information Technology and Liberties (CNIL) to fight against this, consent mechanisms will become clearer and more standardized.

In addition, the GDPR has limited tracking of users by third parties, and replaced it with tracking by first parties. Before, when a user logged into a news site, other companies such as Google, Amazon or Facebook could collect their data directly on the website. Now, the website itself tracks data, which may then be shared with third parties.

Following the introduction of the GDPR, the market share of Google’s online advertising service increased in Europe, since Google is one of the few companies that could absorb the cost of the regulation, meaning it could pay the price of ensuring compliance. This is an unintended, perverse consequence: smaller competitors have disappeared and there has been a concentration of ownership of data by Google.

Has the GDPR had an effect on the content produced by the media?

VL: We measured the quantity and quality of content produced by the media. Quantity simply reflects the number of posts. The quality is assessed by the user engagement rate, meaning the number of comments or likes, as well as the number of pages viewed each time a user visits the website.

In the theoretical framework for our research, online media websites use targeted advertising to generate revenue. Since the GDPR makes access to data more difficult, it could decrease websites’ financing capacity and therefore lead to a reduction in content quality or quantity. By verifying these aspects, we can gain insights into the role of personal data and targeted advertising in the business model for this system.   

Our preliminary results show that after the introduction of the GDPR, the quantity of content produced by European websites was not affected, and the amount of engagement remained stable. However, European users reduced the amount of time they spent on European websites in comparison to American websites. This could be due to the fact that certain American websites may have prohibited access to European users, or that American websites covered European topics less since attracting European users had become less profitable. These are hypotheses that we are currently discussing.

We are assessing these possible explanations by analyzing data about the newspapers’ business models, in order to estimate how important personal data and targeted advertising are to these business models.

By Antonin Counillon