ECPR

Install the app

Install this application on your home screen for quick and easy access when you’re on the go.

Just tap Share then “Add to Home Screen”

ECPR

Install the app

Install this application on your home screen for quick and easy access when you’re on the go.

Just tap Share then “Add to Home Screen”

Regulating security decision-making by private tech companies

Cyber Politics
European Union
Governance
Business
Technology
Big Data
Anke Sophia Obendiek
University of Vienna
Anke Sophia Obendiek
University of Vienna

Abstract

Tech companies’ growing responsibilities are well established in diverse areas including infrastructure, education, or health. Similarly, there is substantial research on the role of private security companies in border management, defence, and cybersecurity. Yet, this paper suggests that these different branches of literature do not speak to each other sufficiently, creating a gap between the branch that explores the diverse power sources of tech companies and the branch that investigates the challenges of capacity and accountability of private security companies. Insights on public-private interactions in digital security are typically limited to single areas such as cybersecurity or illegal content. To understand the challenges public actors face in regulating them, this paper suggests that we need to grasp the role of tech companies as security agents more comprehensively. To bridge the existing gap, this paper analyses different types of tech companies and their security decision-making in the European context. Conceptually, it distinguishes between reactive and proactive tech security companies. Reactive companies hold data or content that is relevant to law enforcement agencies and have to judge on the legitimacy of cooperation requests, such as Microsoft. Proactive companies develop software or technologies that enable security decision-making, such as the Israeli NSO Group or the US company Palantir. The paper shows that while reactive companies may have more to gain from regulation, both types create similar regulatory difficulties. The informal and/or opaque nature of cooperation as well as asymmetrical dependencies incentivize security actors to limit rather than extend regulation. The paper discusses a third, hybrid type of companies that both develop technologies for security decision-making and hold significant amounts of data, such as Amazon or Google. It argues that for these hybrid companies, regulatory difficulties are intensified because of the multiple roles they assume in the negotiation of regulation. The paper illustrates the typology in the context of three key areas that represent typical challenges of regulating tech companies in security: electronic evidence, private surveillance technologies and spyware, and the use of artificial intelligence in law enforcement and defence. Three qualitative case studies focus on key controversies and regulation attempts in Europe. These areas are subject to ongoing processes of negotiation and political debate, making their thorough understanding a key objective for the development of adequate regulatory responses.