Not performed verbatim. See also slides
Ladies and gentlemen,
[Intro] It's an honour to be here, in a room full of such distinguished guests, many of whom I know will have reflected on the topic of digital colonies I want to raise for much longer than myself, and to some of whom I am equally in debt to for letting my develop my own thoughts on European strategic independence.
[Main points] My main points today are
1. Europe lacks a clear capacity to build inspiring technology narratives.
2. We should think about ways of fixing that.
[Me] Some words about myself, perhaps.
I have worked on information policy issues with a certain emphasis on civil and political rights, and economic, social and cultural rights, since about 2006 when I was recruited into the Pirate Party of Sweden by a friend. I have a served as a publicly elected official in the European Parliament on behalf of the Pirate Party for two and a half years, contributed to Swedish policy development and understanding in the area of data protection and identity management for a couple of years, and for the past couple of years I have dedicated my time to the effect of technical design choices on individuals' ability to exercise their human rights in technical standards, collaborating in this endeavour with UK-based freedom of speech organization ARTICLE19.
Well, I could mention I was for some time in India, seeking an experience of internet policy that was distinctly non-European yet also not North American. I discovered to my surprise (or perhaps relief) that policy debates grounded in social and economic justice cause regulators and legislators to make more sensible decisions on liability. I won't get back to this, you'll have to ask later.
[Dun dun dun] .
[Strategy] Just this spring, I was sent an e-mail by a Swedish government representative asking the organization I run with a few of my friends, Dataskydd.net, to contribute its views on a digital strategy for the European Union in 2019-2024. The Swedish government had kindly formulated a smaller set of questions, like a survey. It was a deeply frustrating experience to read these questions: should the EU have rules on data collection, retention and storage? How should the EU promote artificial intelligence? How should the EU guarantee cybersecurity or change intermediary liability?
[3 DP] We responded that the EU already has three laws on data collection, retention and storage, all adopted in the past five years.
[2+1 CS] We also responded that the EU has two already adopted acts and one other in the pipe-line on cybersecurity.
[6 DT] In addition, the EU has adopted six acts in the past five years alone that in various ways touch on intermediary liability.
[Strategy] If by now there is no strategy, we wrote, it is unlikely that even more laws in any of these areas will clarify the situation. It's an interesting word, strategy. What does it mean? Someone blessed me with the insight that a strategy is what politicians in Sweden develop when they have no idea what to do - my time working on Swedish policy issues introduced me to the concept of a nested strategy -
[StrategyNest] a strategy which promises the development of more strategies.
[Context] But to get back on topic - is the EU a digital colony? Can the EU achieve strategic autonomy? What would autonomy mean, if strategy is not straight-forward? I want to introduce a few thoughts in your minds.
- Human-centrism and fundamental rights are at the core of EU tech policy.
-National security is not an EU competence. Any policy which is introduced into the field of national security is no longer EU competence and thus cannot benefit from EU coordination, trust or scale advantages.
-EU companies are stuck between the direction of human-centric, rights-based technologies, and national security-inspired technologies. They, we, are also stuck between human-centric, rights-based laws and national security-inspired laws.
-EU citizens and companies are stuck between the force of tradition in many member state-based corporate and political power houses, and the grand idea of European unification.
[Origin of colony] The idea of a European digital colony comes from a French senate report in 2013, authored by senatrice Catherine Desailly-Morin. Mme Desailly had correctly identified that most digital infrastructures come from the Americas: starting from the backhaul networks, to our networking equipment to the platforms we use every day. Mme Desailly asserted that the European Union must shape up and break free - in particular, there was a need to invest more in French technologies!
It's a humorously French idea, and some of you recognise it from our local Swedish setting too: it's a big bad world out there, so buy local. It overlooks that many Europeans may not at all feel strategically independent from being dependent on France. More significantly, perhaps, it elevates IT procurement to the level of defence procurement.
[Apps and missiles] In such a setting, the choice of emergency service communications is equal to the choice of a missile defence system.
It has proven itself to be a powerful narrative in a charmingly dysfunctional European way. We are getting used to local and European legislators and media companies slamming Google, Apple, Facebook and Amazon - collectively known to the French as
[GAFA] ``GAFA''. Sometimes Microsoft is tossed in the mix -
[Not us] But while in the commercial setting, European legislators guided by their media industries, try to define the EU tech future with walls against the Wild West Americans coming to savage our European way, in national security it is different.
[Natsec] In national security discussions we are told by the French Conseil d'Etat in 2014 that European fundamental rights must be put aside to ``assure the cooperation with third parties necessary for strategic independence [of France]''.
[Hatespeech] With a recent hate-speech proposal, fundamental rights can also be, apparently, compromised ``safe-guard against unsavoury rhetoric'' - especially if it is advanced on US-owned social media services.
[Narrative] I'll try to make a brief summary of the strategic narrative suggested to Europeans by France:
-American companies are bad for Europe. We (Europeans) must domesticate them to our rules-based governance.
-We must covertly cooperate with the Americans to have independence, even at the expense of our own citizens' rights.
This narrative is
[Oddly] oddly self-deprecating.
The very idea of digital colonialism speaks of defenselessness, worthy of Max Havelaar and George Orwell. It is like returning to the 1890s.
[Quote] ``We have created Europe - now how do we create Europeans?''
(This quote was originally uttered by a desperate Italian member of parliament after the unification of 1860, and in relation to Italians rather than Europeans.)
[SDOs] So let me tie back into some real technical examples that I have experienced in the past couple of years working on technical standards, against the backdrop of European moral leadership.
[Moral] The European Union aspires towards a human-centric internet.
[Identity] For Swedish members of the audience, I want to clarify that the EU also aspires towards protecting the right of identity for any of its citizens. Unlike ``integritet'', the Swedish word often used to describe the impetus of privacy laws, which signals robustness and reliability, the right to identity gives to an individual the right to be dynamic, to change, and to evolve- think of the right to be forgotten: the solace of oblivion, or opportunities to start anew.
[Dataminimization] 120 countries around the world have data protection laws according to the UN Agency UNCTAD. Many of these are inspired by the European legislation - in fact, perhaps, written for the purpose of facilitating trade with European countries.
European data protection laws promise to leverage up to 4\% of annual turnover in fines on companies unwilling or unable to adequately protect European citizens' data. Among the obligations thus codified is data minimization - not generating, collecting, or storing personally identifiable information for other than very specific purposes, to a greater extent than absolutely necessary, nor for longer than is necessary.
There's a number of security adages that capture this principle.
You can't leak data you don't have.
You have the right to remain silent.
And so forth.
[Collection] It turns out data minimization is an active focus of security research for a long time, alongside cryptography. It's reliable: you cannot abuse data you don't have. You cannot leak data you don't have. You cannot lose control over what you did not give.
[List] Many technical standards bodies have taken long, hard looks at both data minimization and cryptography in the past few years. The Internet Engineering Task Force adopted Privacy Considerations in 2013 that emphasize data minimization. The same body has also invested a lot of time into keeping each layer of the internet secure by encryption.
[IEEE] I present to you some advances from the Wireless Local Area Network or WiFi community.
[3GPP] Finally, there's a bunch of really exciting developments in mobile networks. End-to-end encryption, reduction of centralized control, mobile networks being squeezed right into the central European Union narrative of human-centrism and local empowerment.
[Captain] If I didn't know better, I'd be optimistic. The EU set a course with the adoption of the General Data Protection Regulation, which purported to protect individuals' rights, autonomy and empowerment in the digital age, and the tech companies are following.
[Pit] But it's never so simple. Recall that national security is not an EU competence, and that we're heading straight back down the modernist reality of the 1890s.
[Holtmanns] I mean, here's an interesting dilemma for our good friends over in the mobile network equipment vendor sector: member state law enforcement officials have written multiple angry letters to the political powers of the EU to lament the increasing security of mobile networks.
They make sustained and aggressive efforts to reduce the prevalence of end-to-end encryption, whether in apps, in the IETF or in VoLTE
[TugofWar] But I'm anyway suggesting its a tug-of-war: there is a high-level European narrative consisting of human-centrism, fundamental rights and somewhat clear, and very expensive, imperatives, and a different high-level member state narrative consisting of nation-centrism, state protection and somewhat clear, and very expensive imperatives.
European technology makers are caught in the middle.
[Consequences] 5G security consequences
[Not easy] Being threatened by ministers
[Pit] Twitter-politics and badly coordinated EU policy are not the only challenges facing European companies either. Some in this room will have as their profession implementing the European Network and Information Security, or NIS, Directive. I want to give this some political context:
[Smthg] The European Union has power to legislate on issues that are relevant to the inner market. It has no power to legislate on issues that concern national security. When the EU passes a NIS Directive, therefore, it is to advance the EU digital single market and it has normally approached IT security issues from a security economics perspective.
What is security economics?
It's the idea that any security measure costs resources and time, which must be commensurate to the security gain derived therefrom. Security economists spend their time working out models and doing empirical studies on cost-benefit.
State security does not work like this. The imperative of state security is to maintain the trust of citizens in the institutions of the state, at any cost.
[NIS1] So the EU Commission proposed the NIS directive, which was heavily diluted by the member states in negotiations, and
[NIS2] rejected by the Swedish minister of interior affairs in Swedish national media the day after he voted in favour of the directive in Brussels.
[NIS3] The Swedish minister of interior affairs went on to pass a new Swedish law, called Säkerhetsskyddslagen, which is a direct competitor of the NIS Directive.
NIS Directive is security economics. Säkerhetsskyddslagen is state security.
[NIS4] So far so confusing on the Swedish front, but for transnational European companies this quickly translates into 28 different national security laws - similar, but different, expensive in their vast numbers and with no regard for cost-benefit analyses either.
[Empty] One of EU founding fathers, Paul-Henri Spaak, said that there are two kinds of small European countries: small European countries that understand that they are small and that cooperation is in their interest, and small European countries who do not yet understand that they are small.
Let's do a quick counting exercise: if every member state implements the NIS directive and a national security information security laws, how many laws in total could a European company have to comply with before it was in a secure legal position on a hypothetical European market? (56)
In practice, that's what it means to dive back into modernism.
[Empty] I think these are relatively high-level strategic issues that should reasonably constitute part of any endeavour to map out the future of digital Europe. There is a conflict between the consumer and market-oriented security advanced by the EU, and the state-centric security advanced by member states.
[Johansson2] I feel like adding there's an additional strategic challenge posed by Europeans being inherently disloyal with their own IT industries.
[Other challenges] emission, bank fraud, network surveillance
[Empty] But it's more interesting whether something can be done about this sorry situation. Personally, I think there are a few options. Some of you will wince seeing the first.
One option is to actually just leave the EU.
Let me clarify why this is not just an off-hand suggestion: the tug-of-war between Europe and Sweden translates into monetary costs for companies, and into trust deficiency for citizens. I have already exemplified the difficulties of diverging laws in cybersecurity, but consider also the situation of citizens - who get told by their Minister of Justice that the Supreme Court of their land is contemptible and detached from reality.
Never mind the fact that fixing many of the European idiosyncrasies would require more than Swedish action. Let's pretend you acknowledged some of the issues I've brought up: it may actually be easier to solve them legitimately on a per-country basis, even if it costs more money.
A different option is buying into the idea of Europe.
So let me clarify what I mean with ``buying into''. Firstly, I don't think of this as a political process, but as a marketing exercise. Secondly, I think it's fair to say that these power conflicts between the EU and the member states will not go away: you can pick sides, on a per-issue basis, if you so will, but it's really difficult to please everyone.
[Cohesion] The European Union is not a functioning political entity, and beyond the copyright industry, there is no one creating cohesive stories about what it means to be European.
[Cohesion] Not just our lack of interaction with the EU as citizens, but perhaps more so the lack of interactions of European companies with the EU shows this. Let me give some example:
[Cohesion] I saw recently that big US web companies were recruiting Government Relations Spectrum persons to their Brussels office. It's a fairly specific government relations role to recruit for - I'm not aware of any European company that recruits for such specific roles in Brussels!
[Cohesion] It's a public secret that European companies of sufficient size get the national delegations of their member state to advance their views in the Council of Ministers. And if you're looking at getting your specific product endorsed in Annex 10 of a regulation on food safety as the one and only European product, I guess that's fine - but if you're building polity it's really not.
[Cohesion] What is more shocking to me is that Swedish company associations take little interest in European affairs. Collaborations on European dossiers with other EU companies is ad-hoc, if at all.
[Cohesion] I checked if there are any big lobby groups in Brussels which has only European IT companies in it, and it turns out with some good will there are two: EuroISPA and EUTA. Neither of them are very big actually.
[Cohesion] Let's reflect upon what this means in the construction of polity, conducive to the harmonized and stable regulations that we all appreciate and want for our facilitated corporate activities:
[Cloud] The cloud, other people's computers, is a fad that began in the US somewhere in the mid-2000s. It moved to the EU by 2010 and is now thoroughly endorsed by Sweden.
[AI] Artificial intelligence, is a hype that started in the US around 2014 maybe, and continued into a High Level Expert Group in the EU around 2016, and now we have an entire public authority in Sweden tasked with investigating its speedy deployment in the public sector!
[Empty] So I think there is a case for saying that too much European effort goes into getting things right in the details, and too little European effort goes into get it right in the grand scheme of things. There were a few things that were going the right way for Europe: connectivity, we have the best reach of connectivity to all socioeconomic classes of Europeans in almost all European countries, a vibrant infrastructure deployment industry - in fibre-to-the-home not the least. In the grand scheme of things, Europe created the very first global social networks: Demonoid, Oink and The Pirate Bay capitalized in full on the European invention of the mp3 file. Connectivity, capacity and infrastructure also benefitted from these social tech pioneers.
It was a compelling, global story where the EU was the centre-piece. Unfortunately it's illegal now and the vast majority of all people in society would not publicly support this story-building anymore - including myself.
It's a problem for both companies, citizens and politicians - I've started trying to notice 5G ads and the messages they carry for me as a European.
Yes, if I were an elite tennis player I could, I'm told, optimize my training with the help of 5G connected sensors. I could bulk authenticate my sensors!
I think this is nowhere close to being as compelling as the peer-to-peer paradigm. I am not a tennis player, and I wouldn't be one even if I bulk authenticated sensors.
And practically speaking, we're somehow dependent on the big European companies to develop compelling narratives that both our leaders and we ourselves can sign up to - otherwise it seems relatively clear that we'll be dragging our feet behind ourselves.
It is surely a chicken-and-egg problem too: who will be the first mover? I argue that the tech and network industry is in a good position to move first, not the least because it already.. A-haha.. Connects people. And it's not just about not losing the advancements towards a better Europe - indeed a better world - that have already been made, but exactly about recognising that we can all be part of ensuring that tomorrow is a brighter future.