Most of us share huge amounts of personal information online, and Big Tech companies are in many ways the gatekeepers of this data. But how much do they share with the authorities? And how often do governments request user data?
According to new research by VPN provider SurfShark, the answer is a lot, and a lot again.
As detailed in SurfShark’s new report which analysed user data requests that Apple, Google, Meta, and Microsoft received from government agencies of 177 countries between 2013 and 2021, Tech giants get a lot of requests for user data, and the majority of the time, they comply.
Of the four Big Tech companies studied, Apple was the most forthcoming, complying with 82% of requests for user data, compared to Meta (72%), Google (71%), and Microsoft (68%). Interestingly, Big Tech was more compliant in the UK than when compared to global figures, disclosing user data 81.6% of the time.
The report shows that the US and Europe make the most requests for user data, making up 60% of all cases between 2013 and 2021. Germany came in second globally after the US, with 648 requests made per 100k people. The UK government stands at fourth place, requesting seven times more user data from Big Tech companies than the global average. Looking at the top 10, five countries are from the EU, with the US, Singapore, the UK, Australia, and Taiwan comprising the rest.
Governments are requesting this information more and more, presumably in response to the spike in online crime in recent years: the number of accounts requested more than quadrupled from 2013 to 2021, totalling 6.6 million. This data is often used to aid criminalinvestigations, but it can also help settle civil or administrative cases where digital evidence is needed. This can include specific user information, from IP addresses to locations of devices.
Besides requesting data from technology companies, authorities are now exploring more ways to monitor and tackle crime through online services, says Gabriele Kaveckyte, Privacy Counsel at Surfshark.
Last year, the EU proposed a regulation that would require internet service providers to detect, report, and remove abuse-related content. While a noteworthy cause, some expressed concerns that the new laws would undermine end-to-end encryption and, hence, user privacy.
“On one hand, introducing such new measures could help solve serious criminal cases, but civil society organisations expressed their concerns of encouraging surveillance techniques which may later be used, for example, to track down political rivals,” says Kaveckyte.
Over the past few years, Big Tech has engaged in a tit for tat between each other and the authorities over the confidentiality of data. Fears of state surveillance prevail, as do doubts over tech companies’ ability to keep data safe – especially in light of a number of high profile leaks.
Ioanna is a writer at TNW. She covers the full spectrum of the European tech ecosystem, with a particular interest in startups, sustainabili Ioanna is a writer at TNW. She covers the full spectrum of the European tech ecosystem, with a particular interest in startups, sustainability, green tech, AI, and EU policy. With a background in the humanities, she has a soft spot for social impact-enabling technologies.
Greece has become the seventh EU country to introduce a principle called “router freedom.” This means consumers of any Internet Service Provider (ISP) can now use a modem or router of their choice, instead of equipment provided by the ISP.
The freedom of choice for routers and modems is regulated in the EU by two primary sets of rules. The first one comes from the Net Neutrality Regulation in 2015, which establishes the people’s right to choose their own digital equipment. The second one is is a set of guidelines to identify the network termination point (NTP) in different network topologies, provided by the Body of European Regulators for Electronic Communications (BEREC).
These are to be implemented by the member states’ National and Regulatory Agencies (NRAs) through respective legislation — a process that’s prone to delays, political, external interference, and regulatory bottlenecks.
In Greece, thenational telecoms regulatorbegan to implement the necessary legal reforms back in 2020. This month, the regulator finally adopted new rules for router freedom in the country.
Marking a pivotal moment for Greece, the new rules give end-users the right to use the terminal device of their choice and separate the routers from the ISPs’ optical network equipment (ONT). They exempt, however, fiber (FTTH) connections, which are still under the domain of ISPs.
The latter has triggered concerns over consumer, security, and data protection, as well as the digital sustainability of the telecoms sector — especially as other EU countries such as Finland and the Netherlands have set higher standards by allowing consumers to plug the fiber router directly into the public network.
Nevertheless, Router Freedom represents a vital step all EU countries need to take in order to safeguard consumers’ digital sovereignty. Forcing consumers to use an ISP provided device not only compromises their security and privacy, but also creates a monopolised market.
Get the TNW newsletter
Get the most important tech news in your inbox each week.
The UK has finally unveiled plans for its GDPR replacement: the Data Protection and Digital Information Bill (DPDIB). Introduced in Parliament last week, the bill aims to boost economic growth while protecting privacy.
The proposed rules promise to reduce paperwork, slash costs, foster trade, and (please, Lord) cut down on cookie pop-ups. They also controversially claim to produce savings of more than £4 billion over 10 years (more on that later).
The shadow of the UK’s withdrawal from the EU looms large over the plans. In its pitch for the bill, the government pledges to unleash an elusive Brexit dividend.
“Our system will be easier to understand, easier to comply with, and take advantage of the many opportunities of post-Brexit Britain,” said Technology Minister Michelle Donelan in a statement. “No longer will our businesses and citizens have to tangle themselves around the barrier-based European GDPR.”
That’s the plan, at least — but it’s already proved divisive.
Cutting red tape
Data-driven trade makes a massive contribution to the UK’s coffers. In 2021, it generated an estimated £259 billion and 85% of British service exports.
The DPDIB envisions further rewards from simplified legal requirements.
“Our new laws release British businesses from unnecessary red tape to unlock new discoveries, drive forward next-generation technologies, create jobs, and boost our economy,” said Donelan.
All data regulations have to balance protecting people and promoting innovation. Under the GDPR, many companies became frustrated with the bureaucratic burdens. The DPDIB aims to tip the scales back towards business benefits.
“It was essential to clarify confusion and simplify administrative burdens.
Chris Combemale, CEO of the Data and Marketing Association (DMA), collaborated with the government on the new rules. He expects the bill to provide “a catalyst for innovation,” while maintaining the privacy protections needed for consumer trust.
“It was essential for the bill to safeguard the key ethical principles of existing laws, while clarifying areas of confusion and simplifying onerous administrative burdens on small businesses,” Combemale tells TNW via email.
The lighter regulatory load is proving popular. Businesses have welcomed the simplified requirements for recordkeeping, processing personal data, and automated decision-making, as well as the ability to reject data access requests that are “vexatious or excessive.” Praise has also been heaped on the new framework for digital IDs, extra resources for the UK’s data watchdog, andincreased fines for nuisance calls and texts.
Chris Vaughan of Tanium, an endpoint security company, says the new rules are more straightforward than the GDPR.
“One major benefit brought by the new law is the reduction in business costs that GDPR creates — made even more welcome as organisations continue to struggle in the current economic landscape,” Vaughan tells TNW.
Relaxing rules, however, can also increase risks.
Privacy dangers
Critics warn that the new laws will endanger citizens.Upwards of 30 civil society groups have called for the bill to be dropped over concerns it will weaken data protection and harm marginalised groups.
Colin Hayhurst from Mojeek, a privacy-based search engine, is particularly troubled by the reduced accountability for “low-risk” data processing. He also worries that the bill is legislating too many complex issues at once.
“My concern is that critical issues around innovations like AI will simply not get enough scrutiny or thought,” says Hayhurst. “It’s worth noting that the EU considers AI regulation such a complicated and important subject that it has an entirely separate bill dedicated to the matter.”
Hayhurst is particularly struck by the implications for AI in research. The new bill gives commercial organisations the same freedoms as academics for any data processing for research “that can reasonably be described as scientific.”
This could create big opportunities for businesses building AI with data collection. But it could provide even more power to large companies with research arms, such as Google’s DeepMind and Meta’s FAIR.
“Big tech companies with research groups can continue to harvest and use all the personal data they have, to train AI in their research activities,” says Hayhurst. “All of this comes with risk; and unfortunately, this risk is overwhelmingly going to be shouldered by those whose data is fed into the machine, rather than the companies themselves.”
To mitigate the risk, rules on responses to data access requests could be tightened — particularly when the data creates profit. A one-month deadline for replies may be appropriate for small companies, but not for global corporations with warehouses full of supercomputers.
“There is an irony that companies are able to make it incredibly easy for themselves to collect data on a person and then very difficult for the person who owns the data to find out what data a company holds on them!” says Hayhurst. “This is one area where a ‘one size fits all’ approach doesn’t deliver for consumers.”
The digital economy
Despite his misgivings, Hayhurst acknowledges that the government has responded to feedback. Notably, a proposal to drop the balancing test for a “limited, generic, but exhaustive list of activities” has not made it into the final text. However, concerns remain that businesses will be held to lower ethical standards.
Critics are particularly wary of the reduced requirements for oversight, recording, and user control of data processing. There is also extra room for data processing without an individual’s consent. These changes could leave the public both more at risk and less confident in the digital economy.
“The government is selling out personal privacy for business benefits.
“If businesses aren’t aware of how much data is being collected, what for, and the implications of its use, how can they expect consumers to trust them with such information?” asks Angel Maldonado, CEO of e-commerce firmEmpathy.
Michael Queenan, CEO and co-founder of Nephos Technologies, takes the criticisms a step further.
“The government has decided to sell out personal data privacy for business benefit and innovation,” Queenan tells TNW. “Why else would it remove important, already adopted, global data protection steps?”
One motivation may be the potential savings. As previously mentioned, the reforms are predicted to unlock £4.7 billion for the UK economy. But evidence for this claim is hard to find.
The government references the figure with a link, which has been broken since we first saw the announcement. The source can be found via the Wayback Machine, but the estimate it links was published back in July 2022 — when a different version of the bill was introduced. Critics suspect that the £4.7 billion estimate has little basis in reality.
“Contrary to saving businesses billions, the bill could result in higher compliance costs and administrative burdens for businesses that operate in multiple jurisdictions,” says Shaun Hurst, Principal Regulatory Advisor at regtech firm Smarsh.
GDPR arrangements
Divergences from the GDPR are a recurring theme in pitches for the DPDIB. The government has emphasised the benefits of these deviations, but they also threaten data transfers with the EU.
The UK currently has EU data adequacy status, which protects the flow of data between both jurisdictions. MEPs, however, have taken issue with Britain’s planned reforms. If they decide that the new bill doesn’t meet the requisite standards, the adequacy agreement could be lost.
As a result, companies selling in both the UK and EU would have to comply with two sets of laws. Tech giants may be reluctant to develop product and policy variations for a new regime, while domestic firms could consider relocating to the union.
“Being released from red tape will only be a benefit if business continues to be able to work with European citizens and their data across borders by taking advantage of the adequacy ruling that has applied to the UK since Brexit,” says Amanda Brock, CEO at OpenUK, a non-profit that represents open technology.
The government has, however, publicly stressed the importance of maintaining data adequacy. Some privacy experts are also confident that the new measures will fulfil the EU’s requirements. Yet even if the UK retains data adequacy, firms that trade in the EU must meet the GDPR standards. Consequently, the main beneficiaries of the new regime may be companies that only operate in the UK market.
“I think these so-called ‘savings’ will never materialise for most businesses,” says Farhad Divecha, founder of AccuraCast, a London-based digital marketing agency. “If you have visitors from Europe or do business with Europe, you still have to comply with GDPR. So if anything, we’ll end up having more complicated requirements that differ for your customer base in the UK versus in Europe.”
Nonetheless, the departure from the GDPR could have positive global outcomes. Ilia Kolochenko, the founder of security firm ImmuniWeb and a member of Europol’s Data Protection Experts Network, hopes the bill can influence the EU’s rules.
He fears that businesses are struggling with GDPR fatigue, inconsistent enforcement across member states, and the growing costs of formalistic compliance.
“European companies would gain a significant competitive advantage on the global market if European GDPR goes through a similar set of improvements and simplifications,” says Kolochenko.
“If the trend of overregulation persists, we will probably see massive and deliberate non-compliance, as costs and penalties for non-major infringements will likely be much less important than costs of a holistic implementation of the mushrooming EU cybersecurity regulations and directives.”
It’s a valiant call for balance, but one that’s unlikely to gain consensus approval — just like every other argument on data protection. Despite these deep divisions, there’s surely at least one thing on which we all can agree: “DPDIB” is a hideous acronym.
Cyber attacks on critical infrastructure have become a growing concern since war broke out in Ukraine.
After the 2014 annexation of Crimea, a sustained barrage by Russian-linked groups pummelled infrastructure in Ukraine. The next year, the country endured the first confirmed hack to take down a power grid.
The attacks have continued since Russia’s full-scale invasion began in February 2022. According to a recent report from Google’s Threat Analysis Group, Russia’s military intelligence agency has repeatedly used destructive malware to degrade Ukrainian civilian infrastructure.
Analysts are now increasingly worried about the threats spreading across the globe. In November, a general who commanded US Army forces in Europe from 2014 until 2017, said cyber protection had become as important as missile defence systems in the defence of German ports.
The EU is also expressing growing alarm. Last month, a watchdog for the bloc warned members to improve their defences due to heightened risks of hacks by foreign states.
To mitigate the threats, cybersecurity firms are experimenting with various defensive methods. Darktrace, one of the UK’s biggest tech companies, has elected to apply AI to a natural mindset: thinking like an attacker.
This approach is embedded in Prevent/OT, a new product that identifies routes adversaries take to target critical infrastructure.
The software visualises potential pathways to the assets. Defenders can then harden their environments to prevent attacks before they can happen.
“A lot of industry folks lose sight of what they need to do on a day-to-day basis.
A crucial component of the product is Darktrace’s self-learning AI, which detects deviations in assets that point to cyber-threats. The company says the software allows overstretched staff to prioritise the needs of their unique environments.
“It’s really maximising the value of their time and implementing controls,” Jeffrey Macre, Industrial Security Solutions Architect at Darktrace, told TNW.
“A lot of folks in the industry are so focused on what the next major attack will be that they lose sight of what they need to do on a day-to-day basis to implement really good cybersecurity.”
The new capability is part of Darktrace’s operational technology (OT) product family. According to the firm, the solutions are already used by hundreds of critical infrastructure companies.
Those numbers were recently bolstered by several new deals. Darktrace said these include the business’ largest contract to date with a critical infrastructure organisation.
There are signs, however, that the new product is already improving Darktrace’s business. Analysts at investment bank Jefferies said the firm is now making progress despite the short-seller’s attack — and that the launch of Prevent/OT has helped attract new business.
On the one-year anniversary of Russia’s invasion, Ukraine is commemorating horrific losses — and remarkable defiance.
The country’s fierce resistance on the battlefield has been echoed on the digital front — where Kyiv has unique experience. The conflict with Russia has become the world’s first full-scale cyberwar, but Ukraine was a test bed for digital weapons long before the invasion of 24 February, 2022. Since Putin’s troops began flooding across the border, the cyber tactics have shifted dramatically.
These developments have made Ukraine a bellwether for digital warfare. And to the surprise of analysts, cyber attacks have had a limited impact over the past year.
“We’re going to see cyber activity as a pre-emptive tactic to physical war.
In the lead-up to the invasion, cyber assaults were prominent. On 15 February, Russian hackers launched the most powerful DDoS attack in the history of Ukraine. A day before the full-scale invasion, several government and banking websites were struck once again.
Yet in the months that followed, reports of major cyberattacks declined. Zachary Warren, Chief Security Advisor EMEA atTanium and a regular advisor to NATO, regards this as a portent for digital warfare.
“Moving forward, we’re going to see cyber activity as a pre-emptive tactic to physical war… it’s a tool to weaken a target before moving in,” he said.
Ukraine’s government, meanwhile, asserts that Russia’s targets have changed. In a January report, security officials said the cyberattacks initially centred on Ukraine’s communication department, which aimed to disrupt military and government operations. But after Russia’s first defeat at the front, the focus shifted to maximising damage to civilians.
Notably, the officials found that all the assaults had harnessed previously known techniques.
“The attacks used by Russia have long been categorised and have straightforward solutions for counteraction,” said the report’s authors.
Many analysts expected cyberattacks to be more prevalent and devastating. Adam Meyers, Head of Intelligence at security firm CrowdStrike, believes Russia had expected a quick and decisive victory. As a result, the Kremlin may have initially avoided destructive cyberattacks, because it would have needed Ukrainian infrastructure to prop up a friendly government.
“As Russian operations failed to take Kyiv and make advances as rapidly as planned, we saw more tactical cyber operations paired with kinetic effects targeting Ukraine and did not see broad attacks against the West — as we all had prepared for,” said Meyers.
The modest impact of Russia’s cyber weapons has not been for want of trying. In January, Viktor Zhora, a senior figure at Ukraine’s cybersecurity agency, said cyberattacks in the country had tripled over the past year. Zhora wants the digital assaults to be prosecuted as war crimes.
Despite the onslaught, Ukraine’s networks have remained remarkably resilient. Analysts give much of the credit to Ukraine’s repair crews, its widespread connectivity to networks outside the country, and its large number of internet exchange points.
Some pundits argue that digital weapons are simply less effective than physical warfare, while others believe Russia’s capabilities were overrated.
Another factor is Ukraine’s persistent efforts to strengthen its defences. The lengthy conflict with Russia have provided immense experience of mitigating cyberattacks.
“This made us stronger,” Zhora said last year. “We took our lessons from this cyber aggression.”
There will be more more lessons to come, but Ukraine already has much to teach its allies about cyber warfare.