
Kerckhoffs lecture: what Europe needs to do after Snowden

At 12:30 on Friday the 13th of June 2014 I will give the Kerckhoffs Lecture at Radboud University's Kerckhoffs Institute for information security in Nijmegen, in room HG00.068. For an audience of students and faculty who probably know more about the mathematics of cryptography than I do, I will talk about the tech-policy implications of the Snowden revelations and why Europe has been doing so very, very little.

Imagine a whistleblower releasing detailed documentary proof that a group of organisations is dumping large volumes of toxic mixed chemical waste in European rivers and lakes. The documents describe in detail how often (daily) and how toxic (very). Now imagine journalists, civic organisations and elected representatives all starting furious discussions about how bad this is and what the possible horrible consequences could theoretically be for European citizens.

Now imagine that this debate goes on and on for months as, slowly, more documentation is published showing ever more detailed descriptions of the various compounds in the toxic chemicals and precisely which rivers and lakes they are being dumped into.

Now imagine that no journalist, civic organisation or elected representative comes up with a single concrete and actionable proposal to stop the actual and ongoing toxic dumping, or to prevent future organisations from getting into the habit of illegal dumping.

Imagine also that both governments and public-sector organisations, including the ones responsible for health and environmental matters, not only continue to procure products and services from the above organisations but also continue to give them the licences they need to operate.

Imagine that this goes on for month after month after month for a full year.

Now imagine it turns out that the Government not only knew about this 13 years ago but also had a detailed report on practical solutions to clean up the mess and prevent future poisoning.

Imagine that.

Sounds incredible does it not?

Except that this is precisely how Europe has been not dealing with the revelations by Edward Snowden on industrialised mass surveillance of our government and civic institutions, companies and citizens.

The EU has spent most of a year holding meetings and hearings to ‘understand’ the problem but has not produced a single word on what concrete actions could regain the right to privacy for its citizens now. This despite a July 2001 report on Echelon, the NSA/GCHQ precursor programme to the current alphabet soup, which explained the scope of the problem of electronic dragnet surveillance and made practical and detailed recommendations that would have protected Europeans and their institutions, had they been implemented. Currently only Germany has seen the beginnings of policies that will offer some protection for its citizens.

On Friday the 13th of June I will discuss the full scope of the NSA surveillance problem, the available technological and policy solutions, and some suggestions as to why they have not been and are not being implemented (or even discussed).

Slides from the lecture are available here in ODF and PDF.


Privacy, a decade on

<originally a column for Webwereld – in Dutch>

On July 11th 2001 the European Parliament published a report on the Echelon spy network and its implications for European citizens and businesses. Speculation about the existence of this network of Great Britain and her former colonies had been going on for years, but it took until 1999 for a journalist to publish a report that moved the subject out of the tinfoil-hat zone. The EU Parliament's report contains very practical and sensible proposals but, because of events two months after publication, they have never been implemented. Or even discussed further.

Under the heading "Measures to encourage self-protection by citizens and enterprises" the report lists several concrete proposals for improving data security and the confidentiality of communications for EU citizens. The document calls on Parliament to inform citizens about the existence of Echelon and the implications for their privacy. This information must be "accompanied by practical assistance in designing and implementing comprehensive protection measures, including the security of information technology". So not just some abstract government infomercial on TV and radio, but hands-on tips to get some actual work done, please!

Appropriate measures

Other gems are the requests to "take appropriate measures to promote, develop and manufacture European encryption technology and software and, above all, to support projects aimed at developing user encryption technology, which are open-source" and to "promote software projects whose source text is published, thereby guaranteeing that the software has no "back doors" built in (the so-called "open source software")". The document also explicitly mentions the unreliability of security and encryption technologies whose source code is not published. This is an issue that is a strict taboo in Dutch and UK discussions on IT strategy for governments (probably because some major NATO partners might be offended).

Also, governments must set a good example to each other and to their citizens by the "systematic use of encryption of e-mails, so that in the longer term this will be normal practice." This should in practice be realised by "ensuring the training and publication of their staff with new encryption technologies and techniques by means of the necessary practical training and courses." Even candidate countries of the EU should be helped "if they cannot provide the necessary protection by a lack of technological independence". Unfortunately, to this day I cannot send encrypted mail to officials, and the vast majority of them do not even digitally sign their emails to allow me to verify the integrity of the content, despite the fact that the software that makes this possible has been available as open source since before the publication of the report in 2001.

That one paragraph from the summer of 2001, when rational security policies had not yet been destroyed by September 11th, describes the basis for a solid IT policy that ensures the security and privacy of citizens against threats from both foreign actors and the government itself.

What a difference a decade makes …

Last Monday Privacy First organised a lecture and discussion evening on cyber security and its relationship with terrorism. Will van Gemert, director of National Cyber Security for the Coordinator for Counterterrorism and Security, gave a lecture on the relationship between privacy and security. In this lecture there was much talk about consumers and little about people or citizens (perhaps the difference is a bit foggy from the windows of government skyscrapers in The Hague). He also insisted that the Government is very much working with ‘the market’ and private parties. It was probably meant to be reassuring but had the opposite effect on most attendees. Ideas from the EU document mentioned above, such as better IT education, open source encryption and technological diversity as defensive tactics, were unfortunately completely unknown concepts. The ribbon on the doors of the Cyber Security section of the National Counter Terrorism organisation had only just been cut, so perhaps things will be better in a year. We can but hope*.

A few weeks earlier, another of our government speakers was defending, even more colourfully, the Clean-IT project at a meeting of RIPE (the organisation that distributes IP addresses for Europe and Asia). Clean-IT is a European project of Dutch origin which aims to combat the use of the Internet for terrorist purposes.

Terrorism is not defined

The problem with this goal is that ‘internet’, ‘use’ and ‘terrorism’ remain undefined, and nobody is very interested in sorting this out. This in itself can be useful if you are a government, because you can then take a project in any direction you like. A bit like when data retention was rammed through the EU Parliament in 2005 with the promise that it would be used only against "terrorism", a promise that was broken within a few months. In Germany, data retention has now been declared unconstitutional and abolished, while in the Netherlands we have rampant tapping, despite a total lack of evidence of the effectiveness of these measures. That the databases of retained telecommunications data themselves become a target is not something that seems to be seriously taken into account in the threat analyses. All rather worrying for a government that is still usually unable to secure its own systems properly, or to ensure that hired private parties do so.

Also, during the lecture on Clean-IT much emphasis was placed on the public-private partnership to reassure the audience, yet this had a predominantly opposite effect. It’s strange that a government first proves itself incompetent by outsourcing all expertise, then comes back after ten years and claims it cannot control those same companies, nor indeed their subcontractors. The last step is then to outsource to companies, which is offered as reassurance to citizens: "We let companies do it! So that you as a citizen don't think we are fiddling with it ourselves with our sausage fingers! It will all be fine." After DigiNotar my confidence in the guiding and supervisory capacity of the government has dropped to just above absolute zero.

What a difference in approach between the summer of 2001 and today.

Terrorism is obviously the "access all areas pass", but many more Europeans die slipping in the shower or from ill-fitting moped helmets than from "terrorism". Moreover, we as Europeans have experience of dealing with terrorism. ETA, the IRA and the RAF were rendered harmless in previous decades by police investigations, negotiations and encapsulation. This was done without jeopardising the civic rights of half a billion European citizens. Even when IRA bombs exploded weekly in London nobody suggested dropping white phosphorus on Dublin or Belfast.

Hope

I hope* that the pre-9/11 vision of the EU Parliament will finally penetrate the Dutch Ministry of Security and Justice (formerly just ‘Justice’, soon ‘Love’?). Perhaps a new cabinet will lead to new initiatives and opportunities? It would be nice if the ‘free West’ could develop a policy that would justify our moral superiority towards Russia when we demand that they stop political censorship under the guise of "security".

* Hope: the desire for a future situation over which you have little or no influence: "I hope my plane does not crash."