Our data is a suitcase – but who has the key?
SECURITY INSIGHTS | June 04, 2025
Like TSA-certified suitcases, SSL/TLS-encrypted data can also be temporarily opened with a master key. But what if providers from the US hold the key? An article about digital sovereignty and the question of who we should trust in uncertain times.
Similar to the master key for TSA suitcases, SSL/TLS termination allows access to sensitive content. (Image: Canva / AI-generated)
A suitcase rolls onto the conveyor belt at the airport. It has a combination lock, and "TSA-Approved" is written on the plastic plate. This is reassuring for passengers. The lock, developed primarily for the US Transportation Security Administration (TSA), can be opened with a master key so that screening officers can check the contents of the suitcase without leaving any traces. The passengers won't notice a thing.
Access to encrypted data often works in a similar way in the digital world. The buzzword here is SSL/TLS termination. What sounds complicated determines who can read sensitive information – and who can't. In times of growing geopolitical tensions, especially in light of the current actions of the US government, this technical detail is becoming politically explosive.
Almost all websites use HTTPS. This protocol protects our data using SSL/TLS encryption. This is particularly important for critical applications such as health portals or citizen services that process sensitive data. The goal is to effectively protect data from prying eyes and manipulation. However, SSL/TLS encryption also makes it more difficult to detect threats.
In order for content delivery networks (CDNs) or web application protection systems to defend against attacks in encrypted data traffic, they must be able to read that traffic. The browser's TLS connection therefore does not end at the website operator's server but at the provider's edge. To make this possible, the operator hands the provider the certificate and the private key that belongs to it. The provider uses that key to complete the TLS handshake, decrypts the data stream, inspects it, and usually re-encrypts it on the way to the origin server. This process is called SSL/TLS termination, and it is the only way such a service can decide whether an incoming request is malicious or not.
At this point, things get tricky from a data protection perspective. Whoever terminates the connection sees everything in plaintext: content, headers and cookies, metadata, communication patterns, and personal information. This holds even where the private key itself stays with the operator (so-called keyless setups), because the session keys, and with them the plaintext, are still at the provider's edge. And whoever has access to the data also has access to the knowledge it contains. Trade secrets, medical diagnoses, strategy papers: everything that is sent via the systems passes through the service provider's protection infrastructure.
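To make the mechanism concrete, here is an added illustration in nginx configuration, not Myra's own configuration or code, of the two ways a protection provider's reverse proxy can sit in front of a website. The hostnames, file paths and log names are made up, and the fragments assume the usual top-level settings of a standard nginx.conf. Deployment A is termination as described above: the operator's private key lives on the edge, the edge sees every request in plaintext, and forwards re-encrypted traffic to the origin. Deployment B is the alternative, TLS passthrough, in which the edge never holds a key and can route only on the server name sent in clear in the ClientHello; the price is that nothing inside the request can be inspected. The two blocks are alternatives for the same port and are not meant to be loaded into one nginx instance together.

```nginx
# Deployment A: TLS termination at the protection provider's edge.
# The operator has handed over the certificate and its private key;
# the browser's TLS session ends here and the edge sees plaintext.
# (Hostnames and paths are hypothetical.)
http {
    server {
        listen 443 ssl;
        server_name portal.example;

        ssl_certificate     /etc/ssl/portal.example.crt;
        ssl_certificate_key /etc/ssl/portal.example.key;   # the "master key"
        ssl_protocols       TLSv1.2 TLSv1.3;

        location / {
            # Everything below operates on decrypted traffic: request line,
            # headers, cookies, bodies. A WAF module would hook in at this point.
            access_log /var/log/nginx/portal-plain.log combined;

            # Re-encrypt toward the origin so the backhaul is not cleartext.
            proxy_pass https://origin.example;
            proxy_ssl_server_name on;
            proxy_ssl_name origin.example;
            proxy_ssl_verify on;
            # CA bundle path as found on Debian-based systems; adjust locally.
            proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
            proxy_set_header Host $host;
        }
    }
}

# Deployment B: TLS passthrough. The edge holds no key, never decrypts, and
# only reads the cleartext SNI in the ClientHello to pick an upstream.
# Consequence: no request inspection is possible here, only L4 filtering.
stream {
    map $ssl_preread_server_name $upstream {
        portal.example  origin.example:443;
        # No default: connections for other server names are not forwarded.
    }
    server {
        listen 443;
        ssl_preread on;
        proxy_pass $upstream;
    }
}
```

The practical test of which deployment you are in is simple: if the provider's portal asked you to upload a private key, or issued a certificate for your domain on your behalf, you are in Deployment A and the provider can read your traffic. Deployment B keeps the key and the plaintext at home, but it also means the provider cannot see, and therefore cannot block, an attack hidden inside an HTTP request.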
Back to the suitcase: Anyone who uses a TSA lock is, consciously or unconsciously, giving their consent for certain authorities to search its contents. The same applies to SSL/TLS termination. Anyone who uses US providers is transferring the key to a company that is subject to US law. Under the CLOUD Act, such a company must produce data in response to US legal orders regardless of where in the world the data center holding that data is located; under Section 702 of FISA, it can be directed to assist US intelligence collection.
It does not matter whether the provider cooperates voluntarily or not. It must comply with US law. For European customers of US providers, this means that even if their data is "securely" encrypted or stored in Europe, US authorities retain a legal route to it. And all of this is lawful under US law.
The idea is not new. However, current geopolitical developments are giving the issue of digital sovereignty a new urgency. Trust is not a technical parameter. It is a geopolitical decision.
Companies are facing a dilemma: they need to protect their critical web applications and data, and to do so they need powerful services. At the same time, they must ensure the integrity and confidentiality of their data in order to comply with regulations. European service providers already offer numerous options for meeting both requirements. They operate in accordance with German and European legislation and, as local providers, are very familiar with the challenges faced by organizations in this region. Companies that rely on European providers not only gain legal clarity, but also genuine digital resilience.
The debate on cybersecurity must no longer revolve around buzzwords such as “cloud first” or “zero trust,” but must focus on the fundamental principles of data sovereignty: Who controls the infrastructure? Who has access to critical knowledge? And who do we trust in times of global uncertainty?
Anyone who thinks this is only an issue for IT departments is mistaken. The digital suitcase we are packing contains our economic, social, and personal future. Anyone who accepts foreign master keys is giving up a piece of control—and often realizes it too late.
That is why Europe needs more than just technological expertise. It has to have backbone. And it has to be willing to go its own way when it comes to IT security. If you want to keep control of your data, you have to think carefully about who you entrust with the key.
Katharina M. Schwarz
Head of Global Affairs
As Head of Global Affairs at Myra Security, Katharina M. Schwarz is responsible for establishing the public affairs division for Germany and the EU. She previously held various management positions in the German Bundestag and the Federal Ministry of the Interior. Her work in the field of internal security focused on the General Data Protection Regulation, counterterrorism, and cybercrime, among other areas.