news

Book: Information security for journalists - V1.1

With journalist Silkie Carlo I have co-authored a 'handbook' on practical information security for journalists commissioned by the UK Centre for Investigative Journalism. The CIJ handbook 'Information Security for Journalists' was launched at the CIJ Summer School 2014 in London. The book will be forever freely available in a range of electronic formats - see download links below. In the four months after the initial publication in we have rewritten certain parts based on feedback from the initial readers and updated other parts to stay current with the latest software changes. Many thanks to all who gave us valuable feedback.

Altough this book was originally written for investigative journalists most of the described concepts and technical solutions are just as usable by lawyers or advisors protecting communications with their clients, doctors protecting medical privacy and of course politicians, activists or anyone else who engages powerful state and corporate organisations. Really, we're all journalists now. Inside the book is a mailadres for getting in touch, please let us know how your are using it and what we can do better.

If you have reasons to suspect your online movements are already under some form of surveilance you should not download this book using a computer or netwpork associated with your identity (such as your home or work systems).

Several participants of journalist training programs have written articles: Information security for journalists: staying secure online by Alastair Reid (from journalism.co.uk) - A day with the surveillance expert by Jason Murdock, Offtherecord.in - Valentina Novak wrote this interview after a lecture & workshop in Slovenia last November.

On Tuesday July 8th 2014 I was once more a guest on Max Keiser's programme 'The Keiser Report' to discuss the book. Video here on my blog, here on RT site and here on Youtube.

From the 'backflap' of the book:

RT.com interview on 'secure' smartphone apps

On Friday October 17th I was interviewed by Russia Today on the security of 'secure' smartphone apps that turn out to not be so secure. After 18 months of Snowden revelations that should be not news but for the Guardian newspaper it is.

Bankrupting the NSA with Tails & defeating TTIP

On Tuesday July 8th 2014 I was once more a guest on Max Keiser's programme 'The Keiser Report'. Max is a former Wall Street trader who foresaw the current economic crisis a decade ago. On his show he lets rip on the insane financial system and allows his guests to do the same.

Max asked me about the handbook 'Information Security for Journalists' I co-authored with journalist Silkie Carlo. The tools and methods it describes can help is slowing down the NSA by increasing the cost of surveiling individuals by a factor of about 1 million. We also discussed the latest US-inspired attempt-at-corporate-takeover-disquised-as-trade-agreement known as TTIP. I think this wil be defeated in the same way as its smaller precursors ACTA and SOPA before it because it is not in Europe's interest. This will require some serious action on behalf of Europeans since our politicians seem a tad slow in recognising the patterns here.

Full Keiserreport episode here on RT site and here on Youtube.

Book: Information security for journalists

With journalist Silkie Carlo I have co-authored a 'handbook' on practical information security for journalists commissioned by the UK Centre for Investigative Journalism. The CIJ handbook 'Information Security for Journalists' was launched at the CIJ Summer School 2014 last weekend in London. The book will be freely available in electronic format and in print after the summer. Just like last year I gave lectures (slides) and ran a hands-on workshop to get journalists 'tooled-up' so they can better protect their sources, themselves and their stories in a post-Snowden world.

From the 'backflap' of the book:

This handbook is a very important practical tool for journalists. And it is of particular importance to investigative reporters. For the first time journalists are now aware that virtually every electronic communication we make or receive is being recorded, stored and subject to analysis and action. As this surveillance is being conducted in secret, without scrutiny, transparency or any realistic form of accountability, our sources, our stories and our professional work itself is under threat.

After Snowden’s disclosures we know that there are real safeguards and real counter measures available. The CIJ’s latest handbook, Information Security for Journalists, lays out the most effective means of keeping your work private and safe from spying. It explains how to write safely, how to think about security and how to safely receive, store and send information that a government or powerful corporation may be keen for you not to know, to have or to share. To ensure your privacy and the safety of your sources, Information Security for Journalists will help you to make your communications indecipherable, untraceable and anonymous.

Although this handbook is largely about how to use your computer, you don’t need to have a computer science degree to use it. Its authors, and the experts advising the project are ensuring its practical accuracy and usability, and work with the latest technology.

Gavin MacFadyen,
Director of the Centre for Investigative Journalism

This handbook is being translated into Arabic, Chinese, French, German, Portugese, Spanish, and other languages

On Tuesday July 8th 2014 I was once more a guest on Max Keiser's programme 'The Keiser Report' to discuss the book. Video here on my blog, here on RT site and here on Youtube.

The other IT from another Europe

Also on Consortium News and Huffington Post

Over the last 10-15 years public IT in Europe has not developed in line with public interests, nor does it guarantee the fundamental rights of citizens such as privacy and freedom of expression. Tremendous opportunities in the field of economic development and employment have also been missed. Europe effectively outsources much of its information processing (software & services) to foreign parties at the direct cost of hundreds of billions of Euros (typically around 1% of GNP). The opportunity-cost to local economic growth and employment opportunities are much greater than that. Even more costly than either of these is the de-facto handing over of control of data of governments, businesses and individual citizens to foreign spies who use it for political manipulation, repression of citizens' freedoms and industrial espionage. Although the warnings about the negative consequences of current policies date back at least 15 years, these aspects have been documented in irrefutable detail over the last year by the revelations of Edward Snowden. 12 months later there has not even been the beginning of a policy response.

It could all have been so different ...

In the first 21 months of the 21st century, the dot-com bubble burst and then three skyscrapers in New York collapsed. Between these two events a largely forgotten report to the European Parliament appeared in the summer of 2001. This report described the scale and impact of electronic espionage in Europe by the U.S. and its 'Echelon' partners (Canada, UK, Australia and New Zealand). Besides a detailed problem analysis, the report also gave concrete examples of IT policies that governments could take to significantly limit foreign intelligence spying on Europe.

In the same period was U.S. government won one of the largest anti-trust cases its history, against Microsoft, and the EU followed this victory by launching a similar case that would also be won leading to the highest fine to a company for economic crimes in the history of the EU.

It was against this background that thinking about strategic versus operational aspects of IT in the public sector changed. The report on Echelon made it clear that reducing IT into a merely operational exercise had disastrous consequences on the sovereignty of European states with respect to, in particular, the United States (and perhaps in the near future, China, other technically capable countries or non-state organizations). The economic consequences of industrial espionage against many high-tech and R&D-intensive companies became a major concern for the government.

Kerckhoffs lecture: what Europe needs to do after Snowden

At 12:30 on Friday 13th of June 2014 I will give the Kerckhoff Lecture at the Radboud Universities Kerckhoffs Institute for information security in Nijmegen in room HG00.068. For an audience of students and faculty who probably know more about the maths of cryptography than myself I will talk about the tech-policy implications of the Snowden revelations and why Europe has been doing so very, very little.

Imagine a whistleblower releasing detailed documentary proof of a group of organisations that dump large volumes of toxic mixed chemical waste in European rivers and lakes. The documents describe in detail how often (daily) and how toxic (very). Now imagine journalists, civic organisations and elected representatives all starting furious discussions about how bad this is and what the possible horrible consequences theoretically could be for european citizens.

Now imagine that this debate goes on and on for months as slowly more documentation is published showing ever more detailed descriptions of the various compounds in the toxic chemicals and what rivers and lakes precisely they are being dumped into.

Now imagine that no journalist, civic organisation or elected representative comes up with a single concrete and actionable proposal to stop the actual and ongoing toxic dumping or to prevent future organisations getting into the habit of illegal dumping.

Imagine also that both governments and public-sector organisations, including the ones responsable for health- and environmental matters continue not only to procure products and services from above organisations but also continue to give them the licences they need to operate.

Imagine that this goes on for month after month after month for a full year.

Now Imagine it turns out that the Government not only already knew about this 13 years before but also had a detailed report on practical solutions to clean up the mess and prevent future poisoning.

Imagine that.

Sounds incredible does it not?

Except this is precisely how Europe has been not-dealing with the revelations by Edward Snowden on industrialised mass-surveillance of our government & civic institutions, companies and citizens.

The EU has spent most of a year holding meetings and hearings to 'understand' the problem but has not produced a single word on what concrete actions could regain the right to privacy for its citizens now. This while a July 2001 report on Echelon, the NSA/GCHQ precursor program to the current alphabet soup, explained the scope of the problem of electronic dragnet surveillance and made practical and detailed recomendations that would have protected Europeans and their institutions had they been implemented. Currently only Germany has seen the beginnings of policies that will offer some protection for its citizens.

On Friday the 13th of June I will discuss the full scope of the NSA surveillance problem, the available technological and policy solutions and some suggestions about why they have not and are not being implemented (or even discussed).

Slides from lecture are here in ODF and PDF

Speaking at Dataharvest+ conference

I will be speaking and workshopping at the 2014 Dataharvest+ conference in Brussels. This conference brings together investigative journalists, (big)data wranglers, coders & hackers to kick journalism into the 21st century.

My contribution will be a series of presentations about applied information security for investigative journalists and hands-on workshops to get security tools working on laptops. So bring yours! Slides I used are here: PPT, PDF. Some tips and links to tools. A video from a comparable worshop last year, since then the situation has turned out to be much more dire.

Many thanks to the Centre For Investigative Journalism for making this possible. Happy to be working with them again!

Letter to Parliamentary Committee on Gov. IT projects

Letter below has been submitted to the Temporary Committee on Government IT. This document is a translation from the Dutch original.

Dear Members of the Committee on ICT ,

On June 1st, 2012 I was invited by your predecessors to contribute to the expert meeting of the Parliamentary Working Group on ICT projects in government. The written submission that I made at that time is here, including a video of those hearings (in Dutch).

As an IT architect but also as a concerned citizen, I have been actively involved with the IT policy of the government since 2002, focusing on the areas of electronic health records, security and open standards / open source software. On the latter issue I was the initiator of the 2002 Parliamentary 'Motion Vendrik' that advocated greater independence from dominant software suppliers. Last year I also served as a technical expert on the Committee of Minister Plasterk who advised on the (im)possibilities of electronic support for the electoral process.

Although this motion Vendrik from 2002 was translated into the Heemskerk Action Plan in 2007, this policy was quietly killed in 2010/11 by the lobbying power of large software vendors and the U.S. government. Even the Court-of-Audit was pressured to *not* ask certain questions in its 2011 report on the policy. Since 2002, the Netherlands has spent about 60-90 billion on foreign software, for which in many cases free, equally good or better alternatives are available. Their use is, however, actively hindered by both the Ministries of Education and Interior, as well as the VNG supported by the lobbying apparatus of major suppliers and the U.S. government.

This despite Justice Minister Donner's 2004 letter to Parliament in response to the Motion Vendrik where he admitted that:

  • the government's dependence on Microsoft was very great;
  • that this was a problem ;
  • and that by introducing open standards and the use of open source that could be solved.

This dependence has since become much greater and more than one billion Euro was spent on Microsoft licenses over the last decade. That money would have paid for 10,000 man-years of expertise to migrate away from Microsoft products. A large part of the money spent would have remained in the Dutch economy and returned to the state through tax and VAT. Not that 10,000 man-years would have been needed. The Municipality of Ede did it against the odds for a fraction of the cost and now saves 92 % on software expenses (and 25% on overall budget). The rest of the government has yet to take steps. Why is an important question.

'Tinfoil Is The New Black', Keiser Report interview

I was a guest on Max Keiser's programme 'The Keiser Report' last Thursday jan. 16th for the second time. Max is a former Wall Street trader who foresaw the current economic crisis a decade ago.

Full Keiserreport episode here on RT site and here on Youtube.

Max caught me be susprise by asking about the NSA TURMOIL and TURBINE programs. I confused them with other programs (there are many). The TURMOIL and TURBINE programs are part of the 'Targeted Acces Operations' family (see this Spiegel article). These are programs for gaining acces to systems by other means than abusing their built-in weaknesses over internet connections (the NSA's favourite method because it can be automated to spy on everyone at very low cost). Targeted Accces Operations (TAO) deals with everything from intercepting & modifying electronic devices that people order online to the use of microwave beam weapons to identify, hack, break and manipulate computer systems from great distance. The latter method has also been used for targeting drone strikes. The talk by Jacob Appelbaum I mention in the beginning of the interview is here. Many more talks from the 2013 CCC conference in Hamburg can be found here.

The US Declaration Of Independence is one of the greatest political writings in history and can be re-written for more contemporary political problems as I did here. Accoring to US academics the US declaration was inspired by the Dutch declaration that preceded it by almost two centuries.

Blogpost on a previous interview last year.

Interview on London Real

Last year during my December visit on London I gave a 1 hour interview to London Real. This is great new free-form 1+ hr completly unscripted interview program that is available on Youtube and as a podcast. Tired of the superficial 3-minute interviews that stop just when things get interesting? London Real is your channel. If you want to keep up to date on the London startup/tech scene then checkout Silicon Real.

I was honored to be in a lineup that includes several of my current heroes including Max Keiser, Jared Diamond, Annie Machon and Rick Falkvinge.

Brian Rose and me spoke about NSA-spying, the nature of privacy, copyright, bitcoin and much more. The interview begins at 7:48. For more check out the London Real site. Compact mp3 for download here.

Committee report electronic voting

From April 26th until December 18th 2013 I was a member of the expert committee on voting computers. This committe was instituted to advise the Dutch Minister for the Interior on the feasability of re-introducing electronic voting methods.

In the past (2008, 2012) I have always been very critical about the way electronic voting was implemented in The Netherlands up to 2007. The lack of transparancy of this method and the impossibility of recounts made this fundamentally incompatible with real democracy and,
after some convincing by citizens
, even the government agreed on this.

Interview on The Keiserreport

On Moday december 2nd 2013 I was a guest on Max Keiser's programme 'The Keiser Report'. Max is a former Wall Street trader who foresaw the current economic crisis a decade ago. On his show he lets rip on the insane financial system and allows his guests to do the same.

O, and a PetaFLOP is 1.000.000.000.000.000 computations per second. I should have known that ;-)

Full Keiserreport episode here on RT site and here on Youtube.

Keynote & interview Eurapco Insurance

<on 26-09-2013 I gave the keynote at the Eurapco congres where top EU insurance firms share expertise>

We live in a world of rapid technological change. Keynote speaker and IT expert Arjen Kamphuis discusses the implications for the insurance industry and its customers, and what measures can be taken to ensure the best possible customer experience. The objective was to raise awareness of the rapid pace of socio-technical development today and what fundamental effects this will have on the insurance industry. Changes in customer behaviour and expectations will have an impact on customer satisfaction with our companies’ claims handling.

Future shock – are we prepared for change? Some of the topics discussed in the keynote

  • What if tomorrow’s world looks really different? The basic rules of our business can change at incredible speed because of changes in technology, national/EU/ international policies, environmental threats and other external factors. New technology can overtake existing business models, and even make them irrelevant. The insurance industry faces the challenge of combining the need to be stable, secure and reliable with being dynamic, fast and responsive.
  • Cyber security needs to be taken care of, both within companies and between companies and their customers. Privacy issues are of great importance for insurance companies. For instance, it would be damaging for the image of a stable, secure and reliable insurance company if it were to be revealed that all customer data had been fully exposed by hackers or the NSA.
  • Today, all large service companies need to balance industrialised processes with the human touch. As a customer, you do not want to be exposed to the internal processes of your service provider. The customer just wants to receive service in an uncomplicated way. Changes in customer behaviour and expectations will have an impact on customer satisfaction with our companies’ claims handling.
  • Our companies’ brands face increasing danger in a fast-paced world of social media. Our customers rely more on the experience of others than on the promises of the companies. Through social media, good and especially bad experiences can be shared easily and quickly. We can join the conversation about our brand, but not control it.
  • A fast-changing world offers opportunities and threats for your business and your position in the market. Are you ready to adapt to changes in customer expectations? Is your organisation positioned to deal proactively with change, or could you be caught off guard? Do you have a plan for what to do if an improbable case scenario does occur? By carrying out regular scenario planning, you can at least have contingency plans for different case scenarios.
In your keynote speech, you mentioned that it’s very hard for anyone inside the insurance industry to see the world the way a customer, or other outsider, sees it. Can you, as an outsider, give us some tips about what is needed to achieve excellence from a customer’s perspective?

NSA intell goldmine, who else has access?

<also on HuffPo UK>

The War Room, Dr. Strangelove - 1965 Shortly after the initial release of some documents from whistleblower Edward Snowden I wrote a little summary about the IT-policy implications for Europe based on earlier columns. A lot of additional documents have come out since then and we can basically conclude that almost every computer system on the planet is fully broken or at least very vulnerable to NSA interference or manipulation.

Nobody, including the NSA, Edward Snowden, Glenn Greenwald has a total oversight of all the in the tens of thousands of documents let alone the political or strategic implications of the info contained in them. Most of the news keeps focusing on the 'scandal' aspect and/or the person of Snowden. Being angry at the US government (practised by most opponents) and attacking the person of Snowden (a favorite of apologists of the US regime) distracts from defining adequate policy responses and so far there have been precisely none in Europe. This constitutes a massive failure of the various EU governments to protect their citizens' rights and the economic sovereignty of their nations. It is also strange in light of the fact that an adequate policy response had already been formulated in July 2001 and really just needs to be implemented.

But every now and them the disinfo spread by some apologists for the behaviors of the NSA is useful for understanding how much worse the situation may just turn out to be. This article by a former NSA employee is a nice example of an attempt at smearing the whistleblower while actually digging the hole the NSA (and the US regime) is in much, much deeper. The piece claims Snowden secretly worked for Russian intelligence all along. While I do not share the authors views on Snowden's motivations or allegiances the suggestion that outside organisations could have agents inside the NSA has some interesting implications.

The missed opportunity of avoiding PRISM

<originally a column for Consortium News>

On July 11th 2001 the European Parliament published a report on the Echelon spy network and the implications for European citizens and businesses. Speculations about the existence of this network of Great Britain-and-her-former-colonies had been going on for years but it took until 1999 for a journalist to publish a report that moved the subject out of the tinfoil-hat- zone. The report of the EU Parliament contains very practical and sensible proposals, but because of events two months later across the Atlantic, they have never been implemented. Or even discussed further.

Under the heading "Measures to encourage self-protection by citizens and enterprises" lists several concrete proposals for improving data security and confidentiality of communications for EU citizens. The document calls on Parliament to inform citizens about the existence of Echelon and the implications for their privacy. This information must be "accompanied by practical assistance in designing and implementing comprehensive protection measures, including the security of information technology".

Other gems are the requests to "take appropriate measures to promote, develop and manufacture European encryption technology and software and, above all, to support projects aimed at developing user encryption technology, which are open-source" and "promote software projects whose source text is published, thereby guaranteeing that the software has no "back doors" built in (the so-called "open source software")”. The document also mentions explicitly the unreliability of security and encryption technologies whose source code is not published. This is an issue that is a strict taboo in Dutch and UK discussions on IT strategy for governments (probably because certain major NATO partners might be offended).

Also, governments must set a good example to each other and their citizens by "systematic use of encryption of e-mails, so that in the longer term this will be normal practice." This should in practice be realised by "ensuring the training and publication of their staff with new encryption technologies and techniques by means of the necessary practical training and courses." Even candidate countries of the EU should be helped "if they cannot provide the necessary protection by a lack of technological independence".

That one paragraph from the summer of 2001, when rational security policies had not yet been completely destroyed by 9/11, describes the basis for a solid IT policy that ensures security and privacy of citizens against threats from both foreign actors and the government itself (historically always the greatest threat to its citizens and the reason why we have constitutions).

Had these policies been implemented over the last decade then the PRISM revelations of the last week would have been met mostly with indifference. European citizens, governments and companies would be performing most of their computing and communications on systems controlled by European organisations, running software co-developed in Europe and physically located on European soil. An American problem with an overreaching spy apparatus would have been just that, an American problem - like teenagers with machine guns or lack of universal healthcare, just one more of those crazy things they do in the colonies to have 'freedom'.

OHM and other Three-Letter-Agencies

<originally a column for OHM2013.org - also on HuffPo UK>

“Whatever you do will be insignificant, but it is very important that you do it.” - Mahatma Gandhi

This summer the Dutch hacker community, with help from friends all over the world, will organise the seventh hacker festival in a series that started in 1989 with the Galactic Hacker Party. The world has changed massively since then (we'll get to that) but the goal of these gatherings remains the same: to share knowledge and ideas about technology and its implications for our world, have heated discussions on what we should do about the problems we see (sometimes well before many others see them), generally have fun in communicating without keyboards, and being excellent to each other.

Four years ago a somewhat unknown Australian hacker with some new ideas about the future of journalism gave the opening keynote at HAR2009. His site was called Wikileaks and some of us had a hunch that this concept might be going places. We had no idea just how far that would be...

Not long after the first gathering in the Netherlands in 1989, the Berlin Wall came down. While we can claim no connection, the interminable Cold War had finally ended and many of us felt, with the optimism so typical of youth, that world peace might just be possible in our lifetimes. We would go back to making rockets that went up instead of straight-and-level and other great things would follow.

Icelandic porn filter is overkill

<Originally a Webwereld column - in Dutch>

In the middle of election season in Iceland a debate is raging about the need to protect young children from violent pornographic imagery that can be found on the Internet. Although it is unclear what the scale of this problem is, there is concern about the methods used by some in the porn industry to market their wares. There is an idea that some firms use the old tobacco industry method of 'get them while they're young'.

As I was in Iceland recently I was fortunate enough to be asked my opinions on these matters by government officials. The entire debate is being conducted during election season, so the local media are on top of every word uttered by anyone from either government or the local digital civil liberties organisations. What causes most of the (international) attention is the specific plan to put a national filter on all Icelandic internet connections. This would be a first for a western democracy (although such filters have been tried in various Asian countries from Iran to China). Proposing a method that could very well be called censorship is incongruous in a modern and progressive society such as Iceland (the only country to have convicted its bankers over their part in the current global financial crisis).

Within a few hours of setting foot on Iceland I was asked by Smari McCarthy of the Icelandic Modern Media Initiative to sign their letter of protest (by now published) against the filtering proposal.

During an informal dinner a few days later with officials it became clear that no decision on a filter, or any other policy, had been made. The government was looking into the problem and discussing possible solutions. The emotive nature of the debate causes the problems and solutions to get mixed up. I therefore attempted to structure the discussion over dinner:

Cyberwar: the west started it

<originally a Webwereld column - in Dutch - also on HuffPo UK, Consortiumnews en Globalresearch>

The War Room, Dr. Strangelove - 1965

A few years ago, Israeli and American intelligence developed a computer virus with a specific military objective: damaging Iranian nuclear facilities. Stuxnet was spread via USB sticks and settled silently on Windows PCs. From there it looked into networks for specific industrial centrifuges using Siemens SCADA control devices spinning at highspeed to seperate Uranium-235 (the bomb stuff) from Uranium-238 (the non-bomb stuff).

Iran, like many other countries, has a nuclear program for power generation and the production of isotopes for medical applications. Most countries buy the latter from specialists like the Netherlands that produces medical isotopes in a special reactor at ECN. The western boycott of Iran makes it impossible to purchase isotopes on the open market. Making them yourself is far from ideal, but the only option that remains as import blocked.

Why the boycott? Officially, according to the U.S. because Iran does not want to give sufficient openness about its weapons programs. In particular, military applications of nuclear program is an official source of concern. This concern is a fairly recent and for some reason has only been reactivated after the US attack on Iraq (a lot of the original nuclear equipment in Iran was supplied by American and German companies with funding from the World Bank before the 1979 revolution). The most curious of all allegations of Western governments about Iran is that they are never more than vague insinuations. When all 16 U.S. intelligence agencies in 2007 produced a joint study there was a clear conclusion: Iran is not developing a nuclear weapon (recent speech by the leader of this study here).

Dining with spies

<originally a column for Webwereld - in Dutch - also on HuffPo UK>

Foto van Israelische plutonium core, gemaakt door klokkenluider

At their yearly conference the Dutch The National Cyber ​​Security Center stated this week they want to listen more to the hacker community. It is fine that the government will at last listen to the people who have been ahead of the curve for decades, although the question remains - why it has waited to do this until 2013? Even if this had been done as recently as 5 or 10 years ago it would have saved an incredible amount of trouble and public money. I sincerely hope that the consultations with the hack(tivist) community are about more than just technical tricks, because most benefits to society are derived from discussing policy. For purely technical issues the usual consulting companies can always be hired and then simply pay hackers for their knowledge and advice, just like any other experts.

Meanwhile a big group of hackers were unhappy about the fact they were not welcome and organized an alternative meeting. If the NCSC's intentions for the coming year work out in practice, next time this might not be necessary. On the community side, these invitations to the table should be dicussed openly and in detail (who sits at the table and wearing what hat). Because when community contributions and possible commercial interests get mixed up, things quickly degenerate into bickering and arguing. I speak from experience ;-). Nobody is "representative" of the entire hacker community. The NCSC will have to adjust to the idea that we have no centralised organisation with a head office where you can meet up with the CEO/director/top-dog.

In memoriam: Aaron Schwarz 1986 - 2013

Not sure what to say about the sudden death of Aaron Schwarz, idealist, freedom-fighter-extraordinaire and friend of open access to information for all of humanity. Aaron spend his life fighting for humanity's highest ideals, contributing to technologies most of us use every day (even if we don't know it). It just feels like something is very, very wrong is the so-called 'free world' is killing its best and brightest for living up to its highest ideals. We've got big problems and cannot afford to lose people like Aaron.

Cory Doctorow has written a eulogy here, Prof Lawrence Lessig had an overview of the case the US Department of Justice (ha!) saw fit to launch against Aaron. Glen Greenwald wrote about his heroic work in helping to defeat SOPA over the last years. A digital memorial to Aaron will be here for as long as there is an Internet. The files that started the case can be found here. Spread them around as wisely as possible.

But mostly just watch Aaron's speeches and interviews, as many times as needed before you understand his ideas and ideals fully.

Update 28-06-2014: A documentary on the case Aaron Swartz - The Internet's Own Boy is now available online. Also on Archive.org.

Privacy, a decade on

<originally a column for Webwereld - in Dutch>

On July 11th 2001 the European Parliament published a report on the Echelon spy network and the implications for European citizens and businesses. Speculations about the existence of this network of Great Britain-and-her-former-colonies had been going on for years but it took until 1999 for a journalist to publish a report that moved the subject out of the tinfoil-hat- zone. The report of the EU Parliament contains very practical and sensible proposals, but because of events two months after publication, they have never been implemented. Or even discussed further.

Under the heading "Measures to encourage self-protection by citizens and enterprises" lists several concrete proposals for inproving data security and confidentiality of communications for EU citizens. The document calls on Parliament to inform citizens about the existence of Echelon and the implications for their privacy. This information must be "accompanied by practical assistance in designing and implementing comprehensive protection measures, including the security of information technology". So not just some abstract government infomercial on TV/radio but hands-on tips to get some actual work done please!

Votingcomputer: the zombie that just won't die

<originally a Webwereld column>

U heeft gestemd - of niet?

Last month the VVD and D66 political parties (the Dutch equivalent of the Conservatives and LibDems in the UK) again proposed that the Netherlands should re-adopt electronic voting. Earlier this year the Dutch Association of Mayors also called for their reintroduction (don't you just love it when non-elected officials comment on and interfere with the electoral process :-). While the use of voting computers in the Netherlands has been banned for over four years, even for water board elections, there remains a fundamental misunderstanding of the basic problem with electronic voting.

While the many clumsy security problems (video) or the absence of the source code of the software (in the case of Nedap and SDU voting computers), are excellent talking points for the media and political agenda, these issues are not the core of the problem. And although the voting computer dossier at the Ministry of Home Affairs is now labelled with a bright fluorescent sticker: 'radioactive, do not touch!", there is still a risk that local authorities or suppliers will continue to feel that voting by computer is best "if we can just iron out a few little bugs”.

The real objections are more fundamental and have little to do with security bugs or open source code. They are the fundamental principles underpinning our democracy, and are threatened by the use of voting computers. In the many discussions on mailing lists and web forums it seems that people have lost sight of these principles.

Windows 8 does not have to be a disaster

<originally a Webwereld column - in Dutch - also on HuffPo UK>

Klik voor grotere afbeelding

Gartner, IT-journalists and even former employees of Microsoft agree: Windows 8 will be a disaster. The Metro interface designed for tablets (a market that virtually does not exist in relation to MS-Windows) is unworkable on a desktop with a vertical non-touch screen, keyboard and mouse. Most office spaces still have this and most run legacy applications with interfaces that rely on a Windows PC using a keyboard and mouse. It is precisely the ongoing purchase of desktop PCs with the combination of MS-Windows and MS Office that has kept Microsoft financially afloat over the last 15 years

The combination of legacy applications (mostly proprietary) and familiarity with MS Office, led many IT organisations to automatically buy the new Windows platform, despite the high cost of licences and support. The inevitable result is a world of pain, with new interfaces, a lack of compatibility and the sudden cessation of support for critical components. IT policy is organised around coping with these problems instead of focusing on sustainable alternative solutions. And solving or mitigating these problems requires so much time and money that there is often little left over to plan further ahead. Thus, in many organisations the perfect vicious circle has existed for so long that many IT people can not even see it.

The Declaration of Independence of Internet

<Webwereld column>

(Orginal from 1776 here. Orginal from 1581 that is the inspiration for the original from 1776 here)

when in the Course of human events it becomes necessary for people to dissolve the commercial, legal and moral bands which have connected them with an industry and to assume among the powers of the earth, the separate and equal station to which their most fundamental principles entitle them, a decent respect to the opinions of mankind requires that they should declare the causes which impel them to the separation.

We hold these truths to be self-evident, that all lives are enriched by the sharing of culture, that citizens are endowed by their democracies with certain unalienable rights, that among these are knowledge, true ownership of their property and the sharing of culture. That to secure these rights, laws are instituted among the people, deriving their just powers from the consent of the governed. That whenever any of these laws become destructive of these ends, it is the right of the people to alter or to abolish them, and to institute new laws, laying their foundations on such principles and organizing their powers in such form, as to them shall seem most likely to effect their safety and happiness.

IT and government, what to do?

<originally a Webwereld column in Dutch>

Klik voor grotere afbeelding

Friday a week ago I, along with other "experts", attended  a Parliamentary Working Group to answer questions about government IT projects. This was a Parliamentary group of MPs investigating the many IT failures of the government. After the summer (and the sept 12th elections), the investigation should begin with a sharp set of research questions. The invited experts were there to help formulate the right questions.

Here are my blog links to some of the available online advice written by the working group and the video stream (all in Dutch). It was striking how unanimous was the message presented by all the IT experts, given the variety of backgrounds.

Like other columnists and opinion writers, I also emphasised the failings of government and egregious damage to national security, privacy and general public funds. From available data, in terms of the government, the cost to the Dutch has moved from millions to billions of euros annually.

With such a government it is like shooting fish in a barrel for columnists. Therefore it was refreshing on this occasion to make a more constructive contribution. Although it was a pity that such meetings do not occur more frequently and are not better attended by the officials and suppliers who are responsible for all these projects. As 6 billion euros pour down the drain every year (and that is only the out-of-pocket costs - the social impact may be much higher) it might be a good idea to hold consultations more often. While I doubt that the gathering last week has any ready-made solutions for all the problems, I think there is a reasonable degree of consensus about their root causes:

Parliamentary hearing on IT-projects, security & privacy

On June 1st 2012 the Dutch government's Parliamentary working group on government IT-projects held a hearing of experts. My written contribution below. Capture of videostream... (in Dutch). Dutch journalist Brenno de Winter published his thoughts here. Column on this published the week after here.

Introduction - IT and the Dutch national government
Andromeda M31Universality is an assumption of astrophysics that states that all phenomena, everywhere, behave as we observe them from Earth. I'm assuming that phenomena I have observed in specific government IT projects also occur in government IT projects that I have less infromation about (this is usually caused by the poor implementation of Freedom Of Information Acts, see the notes of Mr de Winter).

IT project management is currently based on a rather naive model of reality - "smart entrepreneurs compete on a level playing field for the favours of the government, which then procures with insight and vision." However, this model does not adequately predict the observed outcome of the projects. Whence this group.

Another model would be "a corrupt swamp with the wrong incentives, populated by sharks and incompetent clowns". This model has the advantage of perfectly predicting the observed outcomes.

Doublethink and Zen

<originally a Dutch Webwereld column>

Doublethink is a concept that was introduced by George Orwell in his famous novel '1984 '. It is a mental mechanism that allows people to believe sincerely and simultaneously two completely opposing ideas without a problem.

In the ten years that I have been involved with open source and open standards in the Dutch public sector, I have encountered many double thinkers. So for years I have endured “experts” and insiders patiently explaining that the migration to open source desktops within that community would be impossible, because civil servants could not work with other platforms. Asking non-techies to use anything but the Windows + Office desktop they were taught at Dutch schools would lead to disaster. It Just Could Not Happen.

The certainty with which this (to this day) is  mouthed as an aphorism everywhere has always amazed me. Previously, the Netherlands had migrated from WP5.2 in DOS to Windows Word 6, yet the Earth kept turning, children went to school and there was water from the tap.

Multiple migrations, mostly outside the Netherlands, have also demonstrated that ordinary users can do their work well with alternative platforms, provided they are given some training and support (something, indeed, that is perfectly normal when migrating to new releases of the usual proprietary systems).

The same people who for years have claimed with great certainty that "It Just Could Not Happen” have been busily rolling out iPads to the many managers and directors, who for many and varied reasons discover they need one. Apparently the adoption of an entirely different platform with a totally different interface is not as problematic as was asserted for all those years. Huh?

Cybercrime; prevention vs. repression

<originally a Dutch Webwereld.nl column>

Cybercrime and cyber-warfare are currently the trendy terms the government throws around to acquire additional laws and powers. If it can also link cybercrime to the distribution of images of child abuse (also known as child pornography), the government has hit political pay dirt and can do pretty much what it wants. What continues to puzzle me is how all this focus on the distribution of such images actually protects the child victims themselves.

Bart Schremer published his opinion piece recently, providing an overview of the issues that law enforcement agencies are facing. On the one hand society (or at least the media) expects law enforcement to solved all crime immediately, preferably on a modest budget. On the other hand most Dutch people would still prefer to avoid a police state along the lines of the North Korean or American model.

But in all discussions on permissible methods of detection, hacking police officers and crime-fight-using politicians is missing, is why cybercrime has grown so enormously. The fact that our reliance on IT is increasingly complex will certainly have contributed. But one other important factor is the huge digital illiteracy among the vast majority of citizens. Aside from some half-hearted campaigns, the government has done little to teach citizens anything of real use or value.

ACTA; war over. We win. Again

<originally a Dutch Webwereld.nl column>

According to Dutch Economics Minister Maxime Verhagen, 'ordinary' people have nothing to fear from ACTA. This treaty is merely designed to shut down child pornography sites. Go to the link and have another listen (in Dutch), because he really does say this!

That's good because, although I quite like a good download, I tend to limit myself to movies and books that fall a little more within the acceptable media spectrum. However, this statement gives us a fascinating glimpse into the mind of our Minister-of-All. Apparently in the case of distribution of photographic evidence of actual child abuse he is first and foremost concerned with possible copyright infringement. Is this a professional contortion or is he simply exceptionally goal orientated? This is what journalists should be pouncing on. For the lulz.

But beauty emerges even from the surrealist farce that is modern western copyright policy. No, I'm not talking about more music, movies or books, for there is no evidence that more culture is created by fanatically prosecuting 14-year olds for downloading. However, the recent weeks have clearly shown the usefulness of a common enemy. Thanks to ACTA, more Europeans than ever are involved in a critical discussion of modern copyright law and the balance with civil liberties. That is a wonderful development. Furthermore, it now seems that ACTA is dying following the remarks of European Commissioner Viviane Reding (she senses the political climate). One European country after another is delaying signing the treaty. In the three years since the “crisis” citizens have developed a fairly sharp bullshit filter to detect the kind of neo-liberal nonsense that ACTA is full of, and they will take no more. Like Software Patents it always takes awhile for the protests to get going but once they go representatives tend to choose the side of the people who can get them in a seat by voting in a few years.

SOPA; not our problem

<originally a Dutch Webwereld.nl column>

SOPA protestYesterday was the big SOPA protest day. Wikipedia (in English), Boing Boing, Reddit and many other sites were blacked out. Other sites, and even google.com had one-line banners beneath the bar exhorting me to contact the US Congress. The link said: "millions of Americans Oppose PIPA and SOPA because these bills would censor the Internet and slow economic growth in the US". Even a classic song urges me "to call my congressman". But google.nl, did not show this - clearly indicating that it perceived the matter to be an internal American political problem.

In recent weeks there have been many calls for action outside the US against SOPA. These calls have been synchronized with outrage and protests as Bush Obama signed the NDAA anti-terrorism law. Under this law, anyone in the US "suspected" of involvement in "terrorism" (both nebulously defined) can be indefinitely imprisoned or even killed without trial or any other form of judicial review (think Stalin '30). The anger itself is justified, but more than ten years too late. Indeed the only new provision in the NDAA is that the US can now treat its own citizens in ways that have been enforced against the world's other 6.5 billion people since 2001.