Connect to share and comment
By Leila Abboud and Peter Maushagen
PARIS/FRANKFURT (Reuters) - As a diplomatic row rages between the United States and Europe over spying accusations, state-backed Deutsche Telekom wants German communications companies to cooperate to shield local internet traffic from foreign intelligence services.
Yet the nascent effort, which took on new urgency after Germany said on Wednesday that it had evidence that Chancellor Angela Merkel's mobile phone had been monitored, faces an uphill battle if it is to be more than a marketing gimmick.
It would not work when Germans surf on websites hosted on servers abroad, such as social network Facebook or search engine Google, according to interviews with six telecom and internet experts. Deutsche Telekom could also have trouble getting rival broadband groups on board because they are wary of sharing network information.
More fundamentally, the initiative runs counter to how the Internet works today - global traffic is passed from network to network under free or paid-for agreements with no thought for national borders.
If more countries wall themselves off, it could lead to a troubling "Balkanisation" of the Internet, crippling the openness and efficiency that have made the web a source of economic growth, said Dan Kaminsky, a U.S. security researcher.
Controls over internet traffic are more commonly seen in countries such as China and Iran where governments seek to limit the content their people can access by erecting firewalls and blocking Facebook and Twitter.
"It is internationally without precedent that the internet traffic of a developed country bypasses the servers of another country," said Torsten Gerpott, a professor of business and telecoms at the University of Duisburg-Essen.
"The push of Deutsche Telekom is laudable, but it's also a public relations move."
Deutsche Telekom, which is 32 percent owned by the government, has received backing for its project from the telecoms regulator for potentially giving customers more options.
In August, the company also launched a service dubbed "E-mail made in Germany" that encrypts email and sends traffic exclusively through its domestic servers.
Government snooping is a sensitive subject in Germany, which has among the strictest privacy laws in the world, since it dredges up memories of eavesdropping by the Stasi secret police in the former East Germany, where Merkel grew up.
The issue dominated discussions at a European summit on Thursday, prompting Merkel to demand that the U.S. strike a "no-spying" agreement with Berlin and Paris by the end of the year.
As the row festers, telecom and Internet experts said the rhetoric exceeded the practical changes that could be expected from Deutsche Telekom's project. More than 90 percent of Germany's internet traffic already stays within its borders, said Klaus Landefeld, a board member of the non-profit organization that runs the DE-CIX Internet exchange point in Frankfurt.
Others pointed out that Deutsche Telekom's preference for being paid by other Internet networks for carrying traffic to the end user, instead of "peering" agreements at no cost, clashed with the goal to keep traffic within Germany. It can be cheaper or free for German traffic to go through London or Amsterdam, where it can be intercepted by foreign spies.
Thomas Kremer, the executive in charge of data privacy and legal affairs for the German operator, said the group needed to sign connection agreements with three additional operators to make a national routing possible. "If this were not the case, one could think of a legislative solution," he said.
"As long as sender and receiver are in the Schengen area or in Germany, traffic should no longer be routed through other countries," Kremer said, referring to the 26-country passport-free zone in Europe.
A spokesman for Telefonica Germany said it was in early discussions on national routing with other groups. A spokesman for Vodafone said it was "evaluating if and how" to implement the Deutsche Telekom proposal.
Although Deutsche Telekom is positioning itself as a safe custodian of user data, its track record on privacy is mixed. In a 2008 affair dubbed Telekomgate, Klaus Trzeschan, a security manager at the group, was jailed for three and a half years for his role in monitoring phone calls of the firm's own management and supervisory board members, as well as business reporters.
A spokesman for Deutsche Telekom said the affair was the reason why the group worked "so hard" on privacy and security issues in recent years. "We are now the leading company of our industry when it comes to customers' trust," he said.
While the routers and switches that direct traffic can be programmed so data travel certain routes, the most popular online services are not built to respect borders.
Web companies often rely on a few large data centers to power their entire operation, and they don't choose locations based on the location of their customers but on factors such as the availability of cheap power, cool climates, and high-speed broadband networks.
For example, if a Munich resident uses Facebook to chat with a friend sitting 500 kilometers (310 miles) away in Berlin, the traffic would go through one of the company's three massive data centers 8,000 km away in Oregon or North Carolina, or one near the Arctic Circle in the Swedish town of Luleå. European users' profiles are not necessarily stored in the Swedish centre; instead the website's different functions such as games, messaging, and wall posts are distributed among the data centers to improve efficiency.
Similarly, emails sent by Google's Gmail between two German residents would probably be routed through one of the company's three data centers in Finland, Belgium and Ireland.
The only way to change this would be for Germany to require local hosting of websites, a drastic move according to experts that has not yet been pushed by German leaders. Deutsche Telekom declined to say whether it would lobby for such an approach.
Brazil's President Dilma Rousseff, angered by reports that the U.S. spied on her and other Brazilians, is pushing legislation that would force Google, Facebook and other internet companies to store locally gathered or user-generated data inside the country.
One solution would be for European leaders to beef up a new data-privacy law, which has been in the works for almost two years. A greatly toughened version of the law was backed by the European Parliament on Monday, but it still requires agreement by members states.
France and Germany may succeed in getting member states to push ahead on talks to complete the new data rules by 2015.
Deutsche Telekom's Kremer said the new law could help: "Of course customers need to be able to use any web services they like, anywhere in the world. But we need to make this safer."
(Additional reporting by Harro Ten Wolde in Frankfurt, Joseph Menn in San Francisco, Paul Sandle in London; Editing by Will Waterman)