Last Wednesday, the traffic light coalition of SPD, FDP and Grüne presented the coalition agreement. Even though it is only a roadmap and many points are only touched upon, one thing is clear: the digital transformation, data protection and IT security topics are to become core issues in the coming legislative period.
We have taken a closer look at the results of the negotiations and want to shed light on various aspects in this blog article: What are the topics around IT security and data protection in the coalition agreement? Do they match with our understanding of and requirements for data privacy and data security? And what conclusion do we draw for Stackfield and the future of our tool?
The "right to encryption" and the "security-by-design" requirement
"We are introducing a right to encryption, effective vulnerability management, with the goal of closing security gaps, and security-by-design/default requirements."
What is the right to encryption all about? As early as the end of 2018, an FDP proposal was discussed that, among other things, called for this right. On the one hand, it is intended to strengthen the general acceptance of encryption technologies; on the other hand, it is meant to safeguard fundamental rights such as privacy and the confidentiality of communications.
People need trust in digitalization - therefore, the question of security is crucial. In our view, the approach is an important step in the right direction. We, too, use end-to-end encryption to provide the best possible protection for corporate communications and data in Stackfield and to prevent access by unauthorized persons. However, while many providers "only" offer end-to-end encryption of communications - if at all - we encrypt not only chat messages but the entire project management, including files, tasks and appointments. After all, digital collaboration means more than just communication. Another interesting point in the coalition agreement: the state must also offer "the option of genuine encrypted communication" on a mandatory basis. In our view, it remains unclear what is meant by "genuine" encrypted communication. It will be interesting to see whether, for example, backdoors are kept open for authorities so that, e.g., the police can access relevant data when fighting crime. States often want to read data even though the communication is encrypted.
The term "security-by-design" can be explained relatively simply in comparison to the "right to encryption": it means that security strategies and requirements are already taken into account during development in order to minimize the risk of subsequent security vulnerabilities. For the end user, the principle has the great advantage that no separate workarounds or retrofitted adaptations are necessary to achieve the desired level of security. This ensures secure use from the ground up, especially for users with less technical expertise.
In our view, this requirement is undoubtedly purposeful and is in line with our principle of "the highest standards of data protection and data security", which we have now been pursuing for over 10 years. In the past, many companies regarded these security issues as an annoying burden and a cause of higher development costs. For us, this fundamental decision has turned out to be a decisive competitive advantage - and it confirms that we have been on the right track from the very beginning.
Legally identify, report and close security vulnerabilities
"Identifying, reporting and closing security gaps in a responsible process, e.g. in IT security research, should be legally feasible."
This result from the coalition negotiations is better known as the "Responsible Disclosure Procedure." A recent and prominent example: in August 2021, a security vulnerability in the CDU's election campaign app was discovered and responsibly reported. However, the party then took legal action against the discoverer - in the end, the complaint was withdrawn.
We think it is right that such procedures should be legally enforceable. No one should have to worry about potential penalties for reporting a security vulnerability in good faith. Companies and institutions are thus given the opportunity to fix vulnerabilities properly - otherwise, users would be given a false sense of security. We are also constantly developing Stackfield, optimizing existing functions and, of course, regularly fixing bugs within the tool. Security updates are also part of our daily business and are imperative for us to guarantee security, create an optimal user experience and remain competitive in the long run. In the future, it will be exciting to see to what extent identifying security gaps will be permissible and how the government will draw the line between white-hat hackers (hackers who act with authorization and within the legal framework of an engagement) and grey-hat hackers (hackers who operate in a gray area, for example by probing systems without authorization in order to find gaps).
Data protection continues to gain relevance
"The General Data Protection Regulation (GDPR) is a good international standard. To improve enforcement and consistency of data protection, we are strengthening European cooperation, institutionalizing the Data Protection Conference in the Federal Data Protection Act and aiming to enable it to take legally binding decisions where possible."
In the section on "Use of data and data law," the traffic light coalition primarily envisions better access to data for companies, startups, science, the state and society, so that data can be put to better use and innovation can be driven forward. Data protection should not be an obstacle to this. Instead, it is to be enforced even better in the future, and the federal and state data protection authorities are to be enabled to take binding decisions.
In other words, data protection continues to gain relevance! From our point of view, it is imperative that clear legal decisions and guidelines are made - because this creates clarity and legal certainty for everyone. In the past, the authorities have repeatedly issued differing legal opinions, and to this day the GDPR is interpreted differently. Data protection must not be "easier" for competitors from non-EU countries - for example, from the US - and it must not slow down innovation in the EU. The rules must be the same for everyone as soon as personal data of EU citizens is processed, and at the same time allow progress.
International technical standards & end-to-end encryption
"We want a commitment to interoperability at European level [...]. This should ensure - based on international technical standards - the privacy of communications, a high level of data protection and IT security, and end-to-end encryption."
We do not want to dive too deeply into this section, but it does show the importance of the topics of encryption and data protection in the coalition agreement. The fact that interoperability refers to "international technical standards" that are intended to ensure, among other things, a high level of data protection is also a positive sign from our point of view. At the end of the day, however, what will matter is what these standards look like and how terms such as "end-to-end encryption" are defined - because this term alone is still often used incorrectly today.
Stackfield has been going the right way since its founding
The SPD, FDP and Grüne roadmap includes many important ideas around digitalization, data protection and IT security that probably would not have had the same priority in the old federal government. Whether it will be successfully implemented remains to be seen. But first and foremost, the approaches strengthen our confidence that the path we took with Stackfield 10 years ago was the right one. They show that data protection and data security are not just "hygiene factors". Issues like "security-by-design" or the right to encryption do not force us to take a new direction or to adapt or rethink the evolution of Stackfield. They are part of our everyday life - we want to make collaboration in companies not only as clear and simple as possible, but also as secure as possible.