The academic version of my thesis — titled ‘Securing Private Communications’ — is available online. I already committed it to the web in my previous blogpost on my public Ph.D. defense on 25 November 2015 (open to the public). But a friend of mine told me to once again post my abstract and download link for my thesis separately and make that clear in the title of the post. And make it BREAKING news. Ha! Here goes.
The full title of my thesis is Securing private communications – Protecting private communications security in EU law: fundamental rights, functional value chains and market incentives. The academic version is available open access, here. Below there’s a short summary of the book.
The print edition will be published by Kluwer Law International in a few months. It includes rigorous editing and a few substantial updates to cover recent developments such as the CJEU safe harbor judgement. I wasn’t allowed to change my academic version after sending it to my Committee at the start of September 2015. By the way, it’s the first time Kluwer has ever published a work in their legal series under a Creative Commons license.
Communications security has become a major concern for law- and policymakers around the world. The continuing string of Snowden disclosures, breached iCloud accounts of megastars and successful hacks of cars cruising the highway are just some of the countless prominent examples of severe incidents that illustrate our dependence on private communications security and make us realize that our private communications are systematically insecure. In response, the EU lawmaker has launched several sweeping reforms of EU communications security legislation in the last two years. Against this background, the study chose as its central research question: how should the EU lawmaker protect private communications security?
The study contains the first in-depth historical analysis in the legal literature of over three decades of EU communications security law (Part I). Subsequently, the study researched concepts and tools for the EU lawmaker in fundamental rights law, computer science and the political sciences (Part II). The study then developed a procedural model for EU communications security legislation, which was tested in two case studies on communications protocol HTTPS and ‘cloud’ communications through the lens of the Snowden disclosures, operation MUSCULAR in particular (Part III).
The study concludes (Part IV) that the EU lawmaker can and must augment private communications security, but fails to integrate several crucial fundamental rights, socio-technical and market developments outlined in this study. The study therefore recommends a fundamental reconceptualization of EU communications security law and offers five suggestions on how to reorganize its very foundations:
- Afford basic and comprehensive protection to meet new positive obligations from EU fundamental rights law;
- Make explicit the implicit and covert capture of the EU policy agenda by national security interests of the Member States and align these with fundamental rights;
- Afford protection along the entire functional value chain of networked communications, rather than merely to ‘personal data’ or a narrow set of market actors;
- Correct deep and persistent market failures in networked communications;
- Use the analytical model of Part III as a new point of departure for protecting private communications.
If the EU lawmaker fails to integrate the first four recommendations, EU law is at serious risk of repeating the conceptual shortcomings of the past, of reinforcing existing systemic vulnerabilities and market failures, and of leaving the fundamental rights of 500 million citizens insufficiently protected.
The study adopted a multi-disciplinary approach, combining legal research methods with insights and original research from computer science, security economics and the political sciences. It is the first academic study of its kind on the thorny conundrum of securing private communications through EU law.