Data security scandals of this scale are rare, but cases of private firms violating their users' data privacy occur on a regular basis. The Big Brother Awards point at those companies and government agencies that are best at violating data privacy, and identify violations annually and across different countries. In April, the German edition handed out its 2018 prizes to Microsoft Germany, Amazon Alexa and others, because they are wiretapping their users, saving the data collected this way in clouds and sending user data out for analysis with scarcely any possibility to stop this.
Elsewhere in Germany, the Chaos Computer Club discussed "Security Nightmares" at its 34th Chaos Communication Congress, which drew 15,000 visitors at the end of 2017, and quickly got to the issue of state surveillance. Data protection is a worldwide issue, with both governments and private companies trading security and service for their citizens' and customers' right to privacy. By 2013 at the latest, it became obvious that this issue cannot be tackled within state borders, when Edward Snowden revealed: "The NSA specifically targets the communications of everyone, ingests them by default; it collects them in the system, filters them, analyses them, measures them and stores them... sitting at my desk, I certainly had an authority to wiretap anyone."
In April 2016, the EU finally approved a new "General Data Protection Regulation" (GDPR), which tackles the issue for the whole union and, it is hoped, will set a worldwide example. This regulation puts the focus on the customers' right to determine how their personal data is used. Users are supposed to know and decide what is done with any personal data such as names, addresses and birth dates, and how and where this information is stored, transferred and deleted.
This regulation became enforceable on the 25th of May. Germany is one of the few EU member states that already has its own privacy regulations up to date. In Germany, not a lot of changes needed to be made, since the newly implemented GDPR closely resembles German privacy laws, some of which have been in place for decades. The "right to be forgotten", meaning that everyone has the right to have their personal data deleted, has been included in Germany's constitution since 1983, with a Federal Constitutional Court ruling over the right to informational self-determination. The world's first data protection act was adopted as early as 1970 in the German state of Hessen, and was brought to a national level in 1977. A court ruling in 2010 decided that general data preservation was against Germany's constitution, which led to the EU regulation being changed in the same way four years later.
Germany is usually not regarded as a pioneer in digital matters — how come it's so up to date in data privacy rights? Its history of critical violations of citizens' data by the state, both during the Holocaust by the so-called Gestapo (short for Geheime Staatspolizei — Secret State Police) and later in Eastern Germany by the Stasi (GDR's Ministry for State Security), shows a strong need for protection of citizens' private data against the state. However, a historical background alone cannot lead to strict and up-to-date regulations, especially in such a constantly changing environment as the Internet.
The re:publica is Germany's biggest event in digital matters. In 2017, nine thousand visitors came to Berlin for this event. Digital matters are inherently about the future, about where technology can go, and where it should. "Re:publica gathers people who would like to see technology lead us to a better world, but with a much more critical eye", Mushon Er-Zaviv, a designer and activist, said at the re:publica 2017. In line with this, at the re:publica 2018, the question of how the GDPR can be implemented is a point of discussion next to the latest media trends and how technology should be regulated. Well-established media organizations, such as the BBC, meet start-ups as well as marketing experts, politicians, journalists, bloggers, civil rights activists and whistle-blowers, such as Chelsea Manning, to discuss and envision a better future in the digital sphere.
Data privacy regulations are often regarded as restrictions on digital development, and those who care about them as conservatives opposed to its advancement. Padeluun, an artist who co-founded the data protection organization Digitalcourage, however, says: "We just don't want technology that is against people. For a free society, we need a different technology, free platforms and more open source model instead of flawed systems."
He knows what he is talking about. When the organization Digitalcourage, founded in 1987, started using its own providers for its net activity, Padeluun and his team realized how much power they had over those who used them. Since they did not want to abuse this power, they thought a lot about data privacy within their own and others' systems, and they still want to establish structures and give information to those who are only users of the providers. For this reason, they have been handing out the German Big Brother Awards for 18 years — with success.
For instance, after receiving a Big Brother Award, the German company Payback had to change its terms and conditions in 2000. RFID technology was basically paralyzed worldwide and the German start-up co-driver went bankrupt. "We don't want to ruin companies, but they should come up with something acceptable", Padeluun explains. What kind of measures Microsoft and Amazon will take after their awards this year remains to be seen. Netzpolitik.org has been reporting on the Big Brother Awards amongst other related issues for more than a decade.
The blog, founded in 2002, also wants to push the issue of data privacy into media and society: "We wanted to warn about disproportionate state surveillance from the start", says Alexander Fanta, a journalist at netzpolitik.org. Whereas it was at first read by interested readers and journalists, the platform for digital rights became the subject of mass media reporting itself in 2015, when it published internal government documents about a proposal to expand surveillance in social networks and was investigated for treason.
Since then, the blog has gained in popularity, but Alexander still sees problems in informing about digital rights: "When you say 'data protection', most people immediately stop listening, but direct examples such as the recent scandals or stories about an acquaintance ruining their job or relationship because of what was found on the Internet emotionalize and thus reach people." Data privacy, however, is not just a personal story about the wrong pictures found on the Internet, but a driver of global inequality, with a few big companies and states having power over any user, he continues. This is why Alexander finds the issue so important to discuss in the public arena.
The Chaos Computer Club (CCC), on the other hand, brings together numerous experts within its organization. It is Europe's largest organization of hackers, with several local branches and meetings across Germany. Plushkatze, who has been active in the Hamburg branch of CCC for around five years, says: "Of course, there is a notion of mystery around the organization, but we're all quite nice and open for anyone to come by." CCC started in 1981, long before the Internet was used widely, and it laid the foundation for making these technical issues popular: "Germany is lucky to have this organization through which a lot of brainpower was facilitated and pushed over decades", says Padeluun, who started Digitalcourage after an artistic cooperation with CCC.
Throughout the year, the different branches organize their own meetings, take part in hacking contests and hack public domains to test their security. In doing so, they adhere to strict hacker ethics, one principle being: "Make public data available, protect private data". Plushkatze, for example, is in the security contest division of CCC, and checking the security of the public Internet is his responsibility as a technical professional and volunteer at CCC. In order to inform the public about privacy issues and self-protection, he also recently co-founded the podcast Sicherheitshinweise (security advice). "I think most people do care about their privacy on the Internet, but they don't know how to protect themselves", he says.
This podcast and further information on protecting one's own data on the Internet are meant to offer a solution to this. Plushkatze does not think governmental data protection regulations are sufficient: "Laws are important, but I would not trust only in them", he says. "Data can be spread indefinitely and cannot be caught back once they're out there. Unfortunately, not everyone sticks to the rules of law." This is why he welcomes legislators discussing the topic but does not want to stop there.
The digital affairs lobbyist and software developer André Rebentisch, however, sees the responsibility to ensure data privacy not at the individual level, but with politicians and legislators: "There is a very active data privacy scene in Germany", he says. Its members are also very present in the media, thanks to bloggers and experts writing articles and columns for bigger media outlets and a lot of activism and public protest. However, André Rebentisch does not think this accurately represents public interest — and the public does not need to be interested: "Citizens should not be expected to ensure their own data security, instead the state should do enough to safeguard this basic right", he says. For this reason, the professional software developer and advisor is involved in various organizations and media surrounding digital rights, and pushed for the GDPR in Brussels. "The awareness for these issues is high in Germany and even though there is a very active scene, unfortunately, up until now, this activism was mostly within our borders", he says.
Yet, many German data privacy organizations are already part of the European Digital Rights organization (EDRi) to cooperate, hold international meetings and influence the agenda in Brussels. EDRi representatives have been speaking at several conferences, preparing documents and analyses and having meetings with policy-makers for multiple European digital rights organizations in the GDPR legislation process. Six of EDRi's member organizations are German.
German organizations do not only push their agenda in Brussels through EDRi. The above-mentioned court ruling against data preservation in Europe was preceded by a class-action lawsuit and extensive protests covered by the media in Germany. Patrick Breyer, who was part of the class-action lawsuit and is now a politician for the German Pirate Party in digital rights matters, says: "It is a good process, to bring ideas in political discussion through parties. But activism builds public pressure in the matter."
Germany does not only have a shocking history of state violation of data, but also a long-standing history of data protection, organization and activism to bring this issue to the public and into legislative regulation — beyond its own borders. Because Germany's privacy regulations are so strict, the GDPR is now even making German regulations less strict. But activists are already waiting to push further.
All persons are quoted here with the names they like to reveal publicly or as they are known in their circles. Thus, some are referred to by their nicknames or artist names.