State and Politics in Germany

The state, large enterprises, Internet companies and social networking sites collect huge quantities of data – and they profess to handle this data with care. Data protection commissioners sound a warning.

The Internet company Google not only invests in browser, e-mail and mapping services. Completely altruistically, it is also interested in people’s health. The Internet giant takes steps to promote this on several fronts. In the spring, the search engine provider made a financial donation to the Personal Genome Project 23andme run by Harvard University. This autumn, the company announced that it would be evaluating search enquiries made by users relating to flu in its own Google Watchblog. The company claims that this will enable it to provide an early warning of flu epidemics. Furthermore, Google is currently in the process of setting up a new service: The aim of Google Health is to create a database in which patients can store their records and retrieve them via the Internet.

As all of this together perhaps gives the impression of too much meddling, in recent weeks the company has sent its commissioner for data protection out to Europe’s media organisations to put the record straight in a whole series of interviews. Google’s most senior data protection official, Peter Fleischer, was able to make the following prompt announcement: “Google takes data protection, the security of the data which we collect and the privacy of our users extremely seriously. One of our best-known core principles on which our business is based is probably that we firmly believe in the idea that ‘You can earn money without doing bad things in the process’. This conviction is the foundation of everything we do,” said Fleischer in October to the German business news magazine Wirtschaftswoche.

Data quantities which are hard to control

Experts have their doubts about this. The IT journalist Gerald Reischl, whose book Die Google-Falle [The Google Trap] is available in shops and has already been reprinted five times in the space of just a few months, says: “Google is the world’s largest data mining company.” Reischl, head of the Technology section for the Austrian daily newspaper Kurier, does in fact go one step further: “If Google is already able to forecast flu epidemics, one must ask oneself what else Google is able to forecast. Stock market prices? Real estate prices? The level of demand for certain products? Where does it all stop?“

Examples from the recent past demonstrate that personal customer data is not always safe not only on the Web but also in the databases of small and large companies. Companies which inadvertently publish their customer data on the Internet or attacks by hackers accessing account or personal login data regularly cause a public scandal. The recent “Deutsche Telekom scandal” highlighted what can happen to customer data even in large German companies: In October it was revealed that as far back as 2006, 17 million items of customer data were stolen from Deutsche Telekom, including names and addresses, in some instances people’s date of birth and in a number of cases also the e-mail address of customers of the mobile phone subsidiary T-Mobile. The criminal energy of data thieves appears to know no bounds.

Naive users

The immense quantities of data collected on the Internet by online stores such as Amazon and ebay, or on social networking sites such as Facebook or MySpace, are particularly difficult to control. “Every service conforms to the requirements of data protection to the extent that it is compelled to do so,” says Thilo Weichert, commissioner for data protection for the German state of Schleswig-Holstein. The options for state control are good in Germany though; by contrast, the situation is often very different with sites which are hosted abroad.

The commissioner for data protection, Weichert, in no way wishes to denounce the Internet in general as a hotbed of data misuse. “The Internet is as dangerous as people’s use of it is,” he says. But the majority of people using the Internet are very naive in the way they handle their personal details, says the head of the Independent Centre for Data Protection in Kiel. One example of this, says Weichert, is the all-too casual approach of many people to the information they post on the Internet. They boast about their most recent pub crawl and they are then asked about this very episode by a personnel manager in their next job interview.

Striving for the greatest possible security

Weichert makes a distinction between two major areas of risk on the Internet: The traffic data, the data tracks which every user leaves behind on the Internet, and the content, i.e. the information you reveal in e-mail programs or in communities. The Frauenhofer Institute for Secure Information Technology in Darmstadt recently investigated whether social networking sites display any deficiencies when it comes to issues of data protection: The researchers found images from communities in use openly on the Internet even though these images were not approved for public use. In some cases, the personal status or even the political views of members of communities were also found outside of the relevant networks. Weichert says: “With many providers, the boundary between internal and external services is not adequately safeguarded.”

German network providers at least are striving to achieve the greatest possible level of security. There is particular focus on the Stuttgart-based Holtzbrinck Group, whose social networking sites StudiVZ, SchuelerVZ and MeinVZ currently boast over 12 million members. The publishing house collects a correspondingly huge amount of data every single day. StudiVZ spokesman Dirk Hensen vehemently refutes the suggestion that the data obtained from the networking sites is also used elsewhere. Hensen says: “Each of our members has the option of setting exactly who is allowed to see what. This includes data, content, photos and links to them. This means that every user has full control over how much information about themselves they want to reveal.”

Personalised advertising

However, when a year ago the community introduced new general terms and conditions and the impression was conveyed that the provider was demanding too much personal information from its members even during the registration process, there was a great outcry, including from people outside of the community. The managing director of StudiVZ at the time, Marcus Rieke, was quick to seek to clarify the situation: “StudiVZ does not sell any user data relating to its members to any third parties.” The manager explained in some detail that the community was instead introducing to its network the facility to use targeted advertising, which means for example that female StudiVZ members no longer receive any more advertising for men’s shaving cosmetics. Companies seeking to advertise can now select characteristics such as age, gender, place of residence or subject of study at StudiVZ and target their advertising accordingly.

Personalised advertising based on the information that the operator of a portal has about its users is standard practice today on many websites. However, the appropriate advertising of nappies for young fathers or the trainers promotion for the passionate female jogger are probably nothing more than harmless manifestations of modern data processing. This is now even being pushed forward by the state – for it can be used as an effective weapon in the battle against terrorism.

The state as a collector of data

Although it is not just bloggers and Internet experts but also liberal and left-wing German politicians who are rebelling against the efforts to use online screening and pooled data storage to track down suspected terrorists, the government is sticking to its plans. For instance, since the start of this year, the law on the re-regulation of telecommunications surveillance has been in force. This makes the state itself one of the largest collectors of data around.

The law obliged telecommunications companies, from 2008 onwards, to store the data detailing the telephone calls made by all citizens. At the turn of 2009, the intention is that the data providing details of Internet connections should also be stored for six months. According to the law, this will then chronicle who used the Internet when and who sent e-mails to whom. It was only at the start of November that the German Federal Constitutional Court again imposed tighter limits on the state in this respect. In an accelerated decision, the court ruled that data access should be restricted to cases in which a serious crime has been committed. However, a final decision on the law is still pending.

Public discussion of the issue of data protection in the digital age is likely to remain a hot topic in Germany for the foreseeable future. And with good reason. Google critic Reischl says: “The more I know about somebody, the greater the likelihood that I will make use of my knowledge.” Commissioner for data protection, Weichert, backs up this view: “The amount of data on the Internet is increasing every single day. This also means that the possibilities of using this data to get up to no good are increasing too.”