|View in your browser or listen to audio|
By LAURENS CERULUS
With Vincent Manancourt, Tim Starks, Mark Scott and Nicholas Vinocur
TODAY’S TOP LINE — MUNICH WARMING UP: The Munich Security Conference puts technological sovereignty front and center this year. We bring you up to speed below.
WELCOME to Cyber Insights, POLITICO’s cybersecurity and data protection newsletter, giving you the daily lowdown on hacks, leaks and cybersecurity policy chatter in Europe.
|POSTCARD FROM MUNICH|
HOW TO START MUNICH’S SECURITY FEST LIKE A CYBER PRO: Start counting down. The Munich Security Conference is hours away and folks are making their way into town. POLITICO has half a dozen journalists present to bring you the latest on how Munich’s security establishment grapples with keeping control over technology and fighting off trolls and state-backed hackers.
The theme: The organizers published a paper ahead of the conference that puts the spotlight on “Westlessness” — a Monty Python-esque quip about the West’s restlessness as it sees its joint values slip in the global world order.
What it means to you: European cybersecurity officials can identify with feeling “Westless,” as they saw critical technology sectors move supply chains to outside the EU and saw its networks being compromised with eerie regularity by what French cybersecurity chief Guillaume Poupard described to us in a recent interview as a “first circle” of “cyber superpowers” — China, Russia and the U.S.
That’s why Munich is all in on the concept of technological sovereignty, which has put tech at the heart of geopolitics in the past year. It pitches a “digital Galileo” as an example of how Europe should have an industrial program to boost its security, defense and space industries.
The names: The final list of attendees is yet to be announced, but a couple of moments will make or break the success of this edition. Most notably, Facebook CEO Mark Zuckerberg is scheduled to speak Saturday afternoon and will surely have to answer some questions on the company’s handling of misinformation and hate speech, as security officials see extremism rising and disinformation rampant. We hear the Facebook chief will focus on digital tax, though.
We’re curious whether U.S. Secretary of State Mike Pompeo and Chinese Foreign Minister Wang Yi will catch up over a coffee break.
Heiko Maas, Germany’s foreign minister, is bound to address the issue of 5G security, and French President Emmanuel Macron is set to continue his efforts to sway European counterparts with his notion of tech sovereignty. Here’s the list of confirmed, high-level participants.
Warm-up: The cybersecurity community is warming up with a pre-summit that features OECD Secretary-General José Angel Gurría, national cyber chiefs like the U.K.’s Ciaran Martin, the Netherlands’ Patricia Zorko and the U.S.’s Chris Krebs. The Commission’s Margaritis Schinas, and ENISA’s Juhan Lepassaar are also there, as is Facebook’s former cybersecurity chief Alex Stamos (who usually makes for a nice, fired-up intervention).
**A message from Avaaz: President von der Leyen: next week, you can ensure Mark Zuckerberg acts effectively to tackle malicious disinformation that is threatening our societies, our health, and the planet. But thankfully, there is a solution: Correct the Record and Detox the Algorithm. Now it’s on you to lead and protect our democracies.**
HAMBURG HISSY FIT: One of data protection’s most outspoken figures, Hamburg privacy chief Johannes Caspar, is at it again. The regulator-come-activist today used the publication of his agency’s annual report to launch a stinging attack on the EU’s privacy regime.
Zing: Caspar reserved sharpest criticism for the so-called one-stop-shop mechanism, under which companies are regulated in the country where they establish European operations. The system is “cumbersome, time consuming and ineffective,” the regulator wrote.
“A lack of corrective action by inactive lead authorities, different national rules on the administrative procedure, and a concentration of companies in a few member states, all show: As well as the concept of the one-stop shop may be intended, it is not practical,” he said.
Though he did not name the Irish and Luxembourg authorities – which oversee the mammoth share of headline cases against Silicon Valley companies – his comments will be read as thinly veiled criticism of the pair.
Don’t delay: Caspar had a frank message for the EU’s executive arm, the European Commission, which is due to review EU’s privacy rules this year: legal reform.
“The deficits are structural and, in my view, cannot be remedied on a cooperative basis between the supervisory authorities alone. A legal reorientation is needed,” he said. “It would be fatal to wait until the next evaluation, because this evaluation will not take place until 2024.”
What would “legal reorientation” look like? Well, maybe something along the lines of a centralized European data protection regulator. Germany’s federal privacy chief, Ulrich Kelber, called for such a body to take the lead on cross-border cases last month.
Hold your horses. Any substantive reform of the EU’s 2-year-old privacy regime would likely encounter resistance, even within Germany. In an interview with POLITICO recently, the head of Bavaria’s privacy regulator said it was too early to speak of overhauling the current system.
For Vincent’s story, click here.
FACEBOOK DATING DELAY: Facebook was due to launch its dating product in Europe today — just in time for Valentine’s day. But it was forced to pull the roll out after the Irish data protection commission raised concerns over a lack of paperwork provided by the tech giant and the fact that it had only been told of the plan 10 days previously. Officials from the authority conducted an inspection of Facebook’s Dublin HQ on Monday.
AVAST MEETS REGULATOR: “The Czech data protection authority announced an investigation into anti-virus company Avast for harvesting the browsing history of over 100 million users via a subsidiary called Jumpshot and then selling products based on that data to Google, Microsoft and many others, Motherboard reported Wednesday.
FRANCE’S LIMITS, IN ONE QUOTE: ““Huawei will not be excluded from 5G in France, but we will put in a certain number of limits to protect our sensitive technologies … If there is critical infrastructure, like military zones or nuclear zones, we would have tools to protect our sovereignty.”
Who said it? French Finance Minister Bruno Le Maire this morning confirmed the government’s move to ban Huawei from providing base stations and antennas for 5G in critical and sensitive geographical areas. More by POLITICO’s Elisa Braun here.
BOUYGUES CONSTRUCTION TUSSLING WITH RANSOMWARE: French telecoms construction company Bouygues Construction (owned by the operator) has been fighting off hackers that hit it with a massive ransomware attack since the end of January, L’Obs reported. Hackers are asking €10 million in return for the company’s hijacked data.
EU ZEROES IN ON NEW RULES FOR SPYWARE EXPORTS: The European Union is closing in on agreeing on new rules for export controls on dual-use goods, which will impact tech companies’ exports of encryption and surveillance technologies. Negotiations on the reform, introduced back in 2016 by the Commission, are nearing their end. Two issues are still blocking a deal, though:
1. How national governments should report the licenses they give out for dual-use technology (transparency).
2. How Europe can impose restrictions on a longer list of items, including things like facial recognition technologies (an “autonomous” EU list).
Timeline: Officials will have two technical meetings, February 20 and March 5, ahead of a crunch-time meeting the morning of March 26, according to a draft agenda seen by Cyber Insights.
TALLINN INTELLIGENCE GOES HARD ON RUSSIA: The Estonian Foreign Intelligence Service found that “in 2019, Russian cyber operations were revealed that have been going on undiscovered for years,” it said in its annual public report that came out Wednesday.
No attribution but close enough: “In the summer of 2019, the European Union External Action Service [sic] identified leaks in the information systems of its Moscow delegation, which were traced back to February 2017,” the report reads. We reported the incident here. Mind that the Estonians aren’t directly attributing the attack, but the placing (in the middle of an exposé on Russian hacking operations) is, well, telling.
Path of least resistance: A graphic (here) shows what Estonia argues is Russia’s favorite hacking method, watering-hole attacks: State-sponsored hackers indirectly target diplomats by looking for websites they are likely to visit and tricking the target to fill in credentials on a mimicked version of that website. The ultimate goal is to hack people in diplomatic networks “that have a low level of cybersecurity and possess sensitive information of another country due to membership in an international organisation,” the report said.
|HEADLINE DU JOUR|
‘Give us a backdoor key to iPhones so we can keep you safe’: Garda Commissioner Drew Harris
— The Irish Independent has an interview with the country’s police chief.
|ELSEWHERE ON THE WEB|
— Hamas-linked hackers exploit current events to spy on rival Palestinian officials, researchers say. Cyberscoop
— Leaked report describes Australian parliament’s cybersecurity as having “low level of maturity.” ABC
— Parody account We Sell Your Data, which mimics a data-hungry app that takes all of your Facebook data, got told off by Facebook for “creating a negative experience” on the platform. Joke’s on them. @WeSellYourData
— As WhatsApp tops 2 billion users, its boss vows to defend encryption. Wall Street Journal
**A message from Avaaz: Disinformation is such an unprecedented threat because false information on social media spreads up to six times faster than the truth. So even when fake news is fact-checked and found untrue, there are millions of people who will never know they’ve been misled. But the solution is simple: platforms must show fact-checked corrections to each and every person that’s seen the false information. Newspapers publish corrections right on their own pages, television stations on their own airwaves; platforms should do the same on their own channels. President von der Leyen, commissioners Jourova, Vestager and Breton, Mr. Zuckerberg — you have a historic opportunity next week. Regulate now. #EuropeansDeserveIntegrity**
Here’s a recap of today’s news, along with Pro articles and alerts from overnight.
German watchdog blasts ‘ineffective’ European privacy system
Comments by Hamburg watchdog follows calls for new EU privacy regulator.
By Vincent Manancourt | 2/13/20, 12:48 PM CET
French minister confirms Huawei won’t be allowed at key sites
By Elisa Braun | 2/13/20, 11:20 AM CET
Pentagon set to backtrack on opposition to Huawei restrictions
The change in position would make it harder for US companies to get around an effective export ban that already applies to Huawei.
By Adam Behsudi | 2/12/20, 9:32 PM CET
Mobile World Congress canceled due to coronavirus fears
Tech giants Amazon, Sony, Ericsson and Nokia pulled out of conference in past days.
By Laurens Cerulus | 2/12/20, 8:10 PM CET
Google battles EU ruling as enforcers shift focus to data
Search giant’s court appeal comes as antitrust enforcers have shifted their focus to how Big Tech monopolizes data.
By Mark Scott | 2/12/20, 6:28 PM CET
Facebook delays dating feature over Irish watchdog concerns
By Vincent Manancourt | 2/12/20, 6:18 PM CET
European Parliament takes aim at UK data protection regime
By Vincent Manancourt | 2/12/20, 5:57 PM CET
UK privacy regulator under fire over online advertising
Privacy campaigners said they would sue the Information Commissioner’s Office if no action is taken over GDPR breaches by online ad companies.
By Vincent Manancourt | 2/12/20, 4:45 PM CET