On July 11th 2001 the European Parliament published a report on the Echelon spy network and the implications for European citizens and businesses. Speculations about the existence of this network of Great Britain-and-her-former-colonies had been going on for years but it took until 1999 for a journalist to publish a report that moved the subject out of the tinfoil-hat- zone. The report of the EU Parliament contains very practical and sensible proposals, but because of events two months after publication, they have never been implemented. Or even discussed further.
Under the heading "Measures to encourage self-protection by citizens and enterprises" lists several concrete proposals for inproving data security and confidentiality of communications for EU citizens. The document calls on Parliament to inform citizens about the existence of Echelon and the implications for their privacy. This information must be accompanied by practical assistance in designing and implementing comprehensive protection measures, including the security of information technology. So not just some abstract government infomercial on TV/radio but hands-on tips to get some actual work done please!
Other gems are the requests to "take appropriate measures to promote, develop and manufacture European encryption technology and software and, above all, to support projects aimed at developing user encryption technology, which are open-source" and "promote software projects whose source text is published, thereby guaranteeing that the software has no "back doors" built in (the so-called "open source software") ". The document also mentions explicitly the unreliability of security and encryption technologies whose source code is not published. This is an issue that is a strict taboo in Dutch and UK discussions on IT strategy for governments (probably because some major NATO partners might be offended).
Also, governments must set a good example to each other and their citizens by "systematic use of encryption of e-mails, so that in the longer term this will be normal practice." This should in practice be realised by "ensuring the training and publication of their staff with new encryption technologies and techniques by means of the necessary practical training and courses." Even candidate countries of the EU should be helped "if they cannot provide the necessary protection by a lack of technological independence". Unfortunately to this day I cannot send encrypted mails to officials and the vast majority of them do not even digitally sign their emails to allow me to verify the integrity of the content. Despite the fact the software that makes this possible has been available as open source since before publication of the report in 2001.
That one paragraph from the summer of 2001, when rational security policies had not yet been destroyed by September 11th, decribes the basis for a solid IT policy that ensures security and privacy of citizens against threats from both foreign actors and the government itself.
What a difference a decade makes ...
Last year Dutch civil liberties group 'Privacy First' organised a lecture & discussion evening on cyber security and the relationship with terrorism. Will van Gemert, director of the Dutch National Cyber Security for the Coordinator for Counterterrorism and Security gave a lecture on the relationship between privacy and security. In this lecture there was much talk about consumers, little about people/citizens (perhaps the difference is a bit foggy from the windows of government skyscrapers in The Hague). He also insisted that the Government is very much working with 'the market' and private parties. It was probably meant to be reassuring but had the opposite effect on most attendees. Ideas from the EU document mentioned above, such as better IT education, open source encryption and technological diversity as defensive tactics, were unfortunately completely unknown concepts. The ribbon on the doors of the Cyber Security section of the National Counter Terrorism organisation had just been cut ,so perhaps things will be better in a year. We can but hope*.
A few weeks earlier, another of our government speakers defending even more colourfully the Clean IT project at a meeting of RIPE (the organization that distributes IP addresses for Europe and Asia). Clean-IT is a European project of Dutch origin which aims to combat the use of the Internet for terrorist purposes.
Terrorism is not defined
The problem with this goal is that 'internet', 'use' and 'terrorism' remain undefined, nor is anyone very interested in sorting this out. This in itself can useful if you are a government because you can then take a project in any direction you like. A bit like when data retention was rammed through the EU parliament in 2005 with the promise that it would be used only against "terrorism" - a promise that within a few months was broken. In Germany, data retention has now been declared unconstitutional and been abolished, while in the Netherlands we have rampant tapping, despite a total lack of evidence of the effectiveness of these measures. That all the databases of retained telecommunications data themselves become a target is not something that seems to be seriously taken into account in the threat analyses. All rather worriying for a government that is still usually unable to secure its own systems properly or ensure that hired private parties do so.
Also, during the lecture on Clean-IT much emphasis was placed on the public-private partnership to reassure the audience, yet this had a predominantly opposite effect. It's strange that a government first proves itself incompetent by outsourcing all expertise, then it comes back after ten years and claims it cannot control those same comapnies, nor indeed their sub-contractors. The last step is then to outsource to companies that used as reassurance to citizens commented: "We let by companies do it! That you as a citizen do not think that we ourselves with our sausage fingers sit! Come all good". After Diginotar my confidence in the guiding and supervisory capacity of the government has dropped to just above absolute zero.
What a difference in approach between the summer of 2001 and today.
Terrorism is obviously the "access all areas pass" - but many more Europeans die slipping in the shower or from ill-fitting moped helmets than from "terrorism". Moreover, we as Europeans have experience of dealing with terrorism. ETA, IRA and RAF were rendered harmless in previous decades by police investigations, negotiations and encapsulation. This was done without jeopardizing the civic rights of half a billion European citizens. Even when weekly IRA bombs exploded in London nobody suggested dropping white phosphorous on Dublin or Belfast.
I hope* that the pre-9/11 vision of the EU Parliament will finally penetrate the Eurpean Ministries of Security and Justice (formerly just 'Justice' soon 'Love'?). Perhaps a new cabinet will lead to new initiatives and opportunities? It would be nice if the 'free West' could develop a policy that would justify our moral superiority towards Russia, when we demand that they stop political censorship under the guise of "security".
* Hope: the desire for a future situation over which you have little or no influence: "I hope my plane does not crash."