NSA intell goldmine, who else has access?

<ook op en HuffPo UK>

The War Room, Dr. Strangelove - 1965 Shortly after the initial release of some documents from whistleblower Edward Snowden I wrote a little summary about the IT-policy implications for Europe based on earlier columns. A lot of additional documents have come out since then and we can basically conclude that almost every computer system on the planet is fully broken or at least very vulnerable to NSA interference or manipulation.

Nobody, including the NSA, Edward Snowden, Glenn Greenwald has a total oversight of all the in the tens of thousands of documents let alone the political or strategic implications of the info contained in them. Most of the news keeps focusing on the 'scandal' aspect and/or the person of Snowden. Being angry at the US government (practised by most opponents) and attacking the person of Snowden (a favorite of apologists of the US regime) distracts from defining adequate policy responses and so far there have been precisely none in Europe. This constitutes a massive failure of the various EU governments to protect their citizens' rights and the economic sovereignty of their nations. It is also strange in light of the fact that an adequate policy response had already been formulated in July 2001 and really just needs to be implemented.

But every now and them the disinfo spread by some apologists for the behaviors of the NSA is useful for understanding how much worse the situation may just turn out to be. This article by a former NSA employee is a nice example of an attempt at smearing the whistleblower while actually digging the hole the NSA (and the US regime) is in much, much deeper. The piece claims Snowden secretly worked for Russian intelligence all along. While I do not share the authors views on Snowden's motivations or allegiances the suggestion that outside organisations could have agents inside the NSA has some interesting implications.

Info security workshop Centre for Investigative Journalism

The UK Centre for Investigative Journalism is a non-profit organisation dedicated to educating and training journalists to benefit the quality of journalism and thus public debates on important topics in society. Every year the CIJ holds a 3-day summer school where journalists can follow lectures, participate in workshops and meet with some of the foremost professionals in their field. Several months ago, when the CIJ asked me to help set up a workshop in information security, we had no idea then how hot the subject would become after the revelations by former NSA-contractor Edward Snowden. I was very happy to see the room at London City University was packed with journalists eager to learn both theory and practice of securing their communications and protecting their data. An overview of theory & tools for those who missed it, slides here, video below.

Being in London for a few days also allowed me to contribute to a cryptoparty (a workshop for teaching info security basics to anyone interested) that was kindly hosted and wonderfully supported by the London Hackerspace. Dozens of people from all walks of life showed up and we had a great time.

If you would like to attend such a workshop contact your local hackerspace and join or look at this list of upcoming cryptoparties. If nothing is planned in your area start a group yourself. The time for it has never been more propitious. The links above can get you started. If you get stuck mail me and I'll be happy to put you in contact with people near you.

Below a recording of the theory introduction part of the workshop at the 2013 summer school. After this intro the whole class worked together for several hours setting up software tools for email-encryption, anonymous browsing and testing these new capabilities with colleagues. By the end of the day over 30 journalists were tooled up to receive scoops from high-risk whistleblowers.

The missed opportunity of avoiding PRISM

<originally a column for Consortium News>

On July 11th 2001 the European Parliament published a report on the Echelon spy network and the implications for European citizens and businesses. Speculations about the existence of this network of Great Britain-and-her-former-colonies had been going on for years but it took until 1999 for a journalist to publish a report that moved the subject out of the tinfoil-hat- zone. The report of the EU Parliament contains very practical and sensible proposals, but because of events two months later across the Atlantic, they have never been implemented. Or even discussed further.

Under the heading "Measures to encourage self-protection by citizens and enterprises" lists several concrete proposals for improving data security and confidentiality of communications for EU citizens. The document calls on Parliament to inform citizens about the existence of Echelon and the implications for their privacy. This information must be "accompanied by practical assistance in designing and implementing comprehensive protection measures, including the security of information technology".

Other gems are the requests to "take appropriate measures to promote, develop and manufacture European encryption technology and software and, above all, to support projects aimed at developing user encryption technology, which are open-source" and "promote software projects whose source text is published, thereby guaranteeing that the software has no "back doors" built in (the so-called "open source software")”. The document also mentions explicitly the unreliability of security and encryption technologies whose source code is not published. This is an issue that is a strict taboo in Dutch and UK discussions on IT strategy for governments (probably because certain major NATO partners might be offended).

Also, governments must set a good example to each other and their citizens by "systematic use of encryption of e-mails, so that in the longer term this will be normal practice." This should in practice be realised by "ensuring the training and publication of their staff with new encryption technologies and techniques by means of the necessary practical training and courses." Even candidate countries of the EU should be helped "if they cannot provide the necessary protection by a lack of technological independence".

That one paragraph from the summer of 2001, when rational security policies had not yet been completely destroyed by 9/11, describes the basis for a solid IT policy that ensures security and privacy of citizens against threats from both foreign actors and the government itself (historically always the greatest threat to its citizens and the reason why we have constitutions).

Had these policies been implemented over the last decade then the PRISM revelations of the last week would have been met mostly with indifference. European citizens, governments and companies would be performing most of their computing and communications on systems controlled by European organisations, running software co-developed in Europe and physically located on European soil. An American problem with an overreaching spy apparatus would have been just that, an American problem - like teenagers with machine guns or lack of universal healthcare, just one more of those crazy things they do in the colonies to have 'freedom'.