Category: news

Report of the Committee on electronic voting in the polling station

From 26 April to 18 December 2013 I was, together with several other experts, a member of the Commissie elektronisch stemmen in het stemlokaal (Committee on electronic voting in the polling station).

In the past (2008, 2012) I have been very critical about the fundamental objections to electronic voting as it was implemented in the Netherlands until 2007, with non-transparent and unverifiable systems.

The committee advises keeping the paper ballot central and using very strictly selected equipment to remedy the two shortcomings of the current process. First, there is the limited accessibility for people with physical (visual, motor, etc.) or intellectual disabilities, or the so-called 'low-literate': by printing the vote, the ability of these groups to cast their vote independently can be increased. Second, the 'late' result: by reducing the physical format of the ballot to A4 or smaller and counting it with an optical scanner, every polling station can deliver its result to the central electoral offices within an hour of closing. Whether these advantages are worth the estimated cost of 250 million euros (every 8 years) plus 10 million per year is a question the Cabinet and the House of Representatives (Tweede Kamer) will have to fight out.

Here are links to the final report, the appendices, the press presentation and the press release. The documents are also available at MinBzK.

Interview on BNR nieuwsradio, here on BNR.nl and here as mp3. Article and video of the interview on nu.nl.

VVD MP Joost Taverne on NOS radio with some remarkable statements – Rop Gonggrijp's NOS radio interview with some firm criticism and justified concerns about the implementation – In 'Met het oog op morgen', MP Joost Taverne and IT student Ruud Verbij, all of whom clearly had not yet had time to read the full 400 pages of report plus appendices. In a future blog post I will go into the history of voting computers and the technical safeguards the Committee proposes to make trust in technology or in the government unnecessary. The Committee does not want to propose any techniques or processes that further centralise power or could put the secrecy of the ballot into question.

Other press: Webwereld – Tweakers – NRC – NU.nl – Computerworld – Volkskrant – NOS – Omroep Gelderland – RTL – Automatiseringsgids – Joop.nl – Binnenlands Bestuur – Security.nl – Opinion piece in NRC by Herbert Blankenstein – more videos after the break…

Update 28-01-2014: The VKA report “Internetstemmen voor kiezers in het buitenland” (Internet voting for voters abroad) is here. Nu.nl summarises the report as 'Risky and expensive'.


Privacy ‘howto’ article for Geenstijl

<written at the invitation of Geenstijl.nl and therefore in a somewhat different style from my usual one. Not that Geenstijl ('no style') has no style, just a different one. That much is true.>

You can get angry at your government for wanting to read your mail, or you can do something to make that very hard. Below is a crash course in email security for everyone who does not want to wait for BOF and Brenno to achieve their glorious final victory. After all, Article 12 of the Universal Declaration of Human Rights is not there just to hide your pr0n habits. Unless you are white, male, European and the descendant of a noble landowning family, your civil rights were won by people who could do so because they did not live in a Stasi-like 'Überwachungsstaat'. Without privacy there is no freedom of expression, or even of forming an opinion, and therefore no social change (such as the abolition of slavery or child labour, or the introduction of universal suffrage). But don't take my word for it; these former CIA/NSA/FBI/DoJ/MI5 employees explained it last summer.

If you consider your privacy less important than the amount of time you spend watching TV commercials each weekend, this piece is not for you. Because it takes a bit of effort, intelligence and an attention span longer than that of a Gordon goldfish. OK, we have now lost 60% of the readers. That's a pity, but not everyone can be helped. And if you really have nothing to hide, let Hans Teeuwen interview you for 15 minutes on live TV about your sex life. Deterrent examples serve a purpose too, and it keeps Dumpert full.

First do something about your passwords. Because 12345 is really uncool, and using the same one everywhere is not smart when social media sites keep leaking their password databases. Some tips here.

Done? OK, download a free and open email program and encryption software. Windows victims here, Mac hipsters there. Linux users already have GPG on board by default. Install it and add the Enigmail plug-in to Thunderbird. Detailed Thunderbird, Enigmail and GPG settings how-to video.

Now make sure the other people you email do this too (this is the hardest part), because it only works when both sender and recipient of the mail take part. Correctly used mail crypto cannot yet be cracked even by the NSA (set your key length to the maximum – 4096 bits). Congratulations, you can now email without Gmail, the NSA and GCHQ reading along effortlessly (hacking of your laptop remains a risk if you are troublesome enough – and if you are not, you should try harder!). Consider whether you really need Windows and/or iDevices to live your life. American software is by design insecure-for-your-security. Just in case you, like Angela Merkel, turn out to be a terrorist. So avoid it as much as possible.

Other things you can easily do are using different browsers, preferably with plug-ins that always use HTTPS and block tracking as much as possible. For the more serious work, use the TOR browser.

Welcome to the resistance.

A more extensive version of the above in English, and here a video of a workshop for journalists on this subject with lots of links. Free workshops to try this together with hackers near you: here.

==============================

Earlier article with tips for Sargasso.nl. Analysis of the failure of European governments to protect us against digital robber barons (our Atlantic 'partners'). Some deeper implications of the NSA's inability to protect its own data, and some thoughts on why governments have lost their way so badly over the last 10 years.


Interview on The Keiser Report

On Monday 2 December 2013 I was a guest of Max Keiser on his programme ‘The Keiser Report‘. Max is a former stockbroker who correctly saw the current financial crisis coming. In his programme Max gives his unvarnished opinion on the bizarre financial system and lets his guests do the same.

Oh, and a PetaFLOP is 1,000,000,000,000,000 operations per second. I should have known that 😉

Full Keiser Report episode: here on the RT site, here on Youtube and here on De Dumpert of Geenstijl.


Tips on how to get around Big Brother

<also on Sargasso.nl>

On 6 July 2013 the British newspaper The Guardian published the first interview with Edward Snowden, until that moment a systems administrator for the American National Security Agency. Through his work, Snowden gained a detailed picture of the extent to which the NSA was building a worldwide Big Brother state. Virtually all electronic communication worldwide was being tapped in real time, phones, laptops and servers were being hacked, and software companies were being forced to deliver their systems with holes in them to make this possible.

Suspicions of such activities by, among others, American security services had existed for decades (see this article from 1999), but the scale of the revelations Snowden is bringing out sends shivers down the spines of even the most paranoid experts. A short summary, and what you as a citizen can do about it.


Belgacom and Brazil

The NSA and its partners (including the British GCHQ) tap telephone exchanges and undersea fibre-optic cables, also in other countries. It recently emerged that the telephone exchanges of Belgacom (the Belgian KPN) had been completely compromised by experts from GCHQ (possibly with American help). This enabled GCHQ to monitor all telephone and data traffic and to eavesdrop selectively. In Brazil these techniques were used against the national oil company, the Brazilian Parliament and even the personal communications of the Brazilian president. She immediately cancelled a state dinner with Obama out of anger over this violation of diplomatic norms. For the time being we as end users must regard all large infrastructures as insecure. Unencrypted emails and telephone calls can be intercepted, and this is done automatically on an unimaginable scale.

All major social media platforms and services such as Gmail are tapped in real time on those companies' servers. So it does not matter whether you set your Facebook privacy settings to maximum. The NSA looks directly into the Facebook database under the hood anyway and can access everything. This means, for example, that the number of seconds your mouse lingers over a profile photo on Facebook (will you click or not?) is known to the NSA if they are interested. So the NSA knows which old or new flame you are following, barely consciously. All mail you send through a service like Gmail is retained (even if you delete it from your mailbox) and used to build a detailed picture of who you are talking to, about what, from which location and with which device.

Less social media

Using social media as little as possible, or at least consciously (knowing you have no privacy whatsoever), is for now the only thing you can do yourself. For an email service like Gmail there are plenty of alternatives; they sometimes cost a bit of money (a few euros per month) or a bit more effort to use. In addition there are well-functioning techniques to encrypt your emails so they are unreadable if intercepted between sender and recipient. The problem with these techniques, for now, is that it takes some effort (an hour or two) to get them working, and the recipient must use the same technique. One of the things confirmed by Snowden is that the NSA cannot yet crack correctly used mail encryption. The limitation of email encryption is that it only protects the content of the message, not who is exchanging messages, at what time and from where. So bear that limitation in mind when you apply it.
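To make that last limitation concrete, here is an added Python example (not from the original post) that parses a constructed PGP/MIME message with the standard library and lists what an observer on the path still learns without any key: sender, recipient, subject, time, originating IP and mail client, with only the body protected. The message, addresses and IP are constructed for this example and the PGP block is a placeholder, not real ciphertext.

```python
"""Why PGP/MIME protects the body of an email but not its envelope.

observer_view() takes a raw message as it travels over the wire and reports
what an on-path observer (mail provider, tapped cable) learns even when the
body is encrypted.  All sample data below is constructed for this example.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed PGP/MIME message (RFC 3156 layout).  The armoured block is a
# placeholder standing in for the output of "gpg --encrypt".
SAMPLE_ENCRYPTED = """\
Received: from laptop.example.home ([203.0.113.42]) by smtp.example.net
 with ESMTPSA id abc123; Mon, 2 Dec 2013 21:05:11 +0100
From: Alice <alice@example.net>
To: Bob <bob@example.org>
Subject: Meeting notes for Thursday
Date: Mon, 2 Dec 2013 21:05:00 +0100
Message-ID: <20131202200500.1234@laptop.example.home>
User-Agent: Mozilla/5.0 (X11; Linux x86_64) Thunderbird/24 Enigmail/1.6
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
 boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream; name="encrypted.asc"

-----BEGIN PGP MESSAGE-----

hQEMA0PLACEHOLDERNOTREALCIPHERTEXT00000000000000000000000000000000
=AbCd
-----END PGP MESSAGE-----

--b1--
"""

# The same message sent without encryption, for comparison (constructed).
SAMPLE_PLAIN = """\
From: Alice <alice@example.net>
To: Bob <bob@example.org>
Subject: Meeting notes for Thursday
Date: Mon, 2 Dec 2013 21:05:00 +0100
Content-Type: text/plain; charset="utf-8"

See you Thursday at 10 in room 4.
"""

# IPv4 literal inside square brackets, as written by MTAs in Received headers.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def is_pgp_encrypted(msg: EmailMessage) -> bool:
    """True if the body is a PGP/MIME encrypted part or inline PGP armour."""
    if msg.get_content_type() == "multipart/encrypted":
        return msg.get_param("protocol") == "application/pgp-encrypted"
    body = msg.get_body(preferencelist=("plain",))
    return body is not None and "-----BEGIN PGP MESSAGE-----" in body.get_content()


def observer_view(raw: str) -> dict:
    """What someone reading the message in transit learns without any key."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = [ip for hdr in msg.get_all("Received", []) for ip in IP_RE.findall(hdr)]
    protected = is_pgp_encrypted(msg)
    body_in_clear = None
    if not protected:
        part = msg.get_body(preferencelist=("plain",))
        body_in_clear = part.get_content() if part is not None else None
    return {
        "who": (str(msg["From"]), str(msg["To"])),  # with whom you are talking
        "when": str(msg["Date"]),                    # at what time
        "subject": str(msg["Subject"]),              # PGP/MIME leaves Subject in clear
        "origin_ips": hops,                          # from where (roughly)
        "device": msg["User-Agent"],                 # with which mail client
        "content_protected": protected,              # the only thing crypto hides
        "body_in_clear": body_in_clear,
    }


if __name__ == "__main__":
    for label, raw in (("encrypted", SAMPLE_ENCRYPTED), ("plain", SAMPLE_PLAIN)):
        print(label, observer_view(raw))
```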

Surfing (more) anonymously

To give away less information about your browsing behaviour there are extensions for web browsers such as Firefox, like ‘Ghostery’, that make it harder for all kinds of companies to uniquely identify and track you. To be even more anonymous you can browse with the TOR browser for sensitive matters. This service routes your traffic through three other servers around the world before connecting you to the website you actually want to visit. That makes it enormously harder to track your browsing. Such anonymity is not perfect and collapses as soon as you log in to an online service under your real name. But as long as you use TOR properly it is not easy to follow you, and for the NSA TOR is a real headache, as recent internal documents showed.

It is also possible to encrypt files or even your entire hard disk, so that loss, theft or seizure of storage media or your whole laptop does not immediately put all your data in other people's hands. Truecrypt is a powerful piece of software for this which, unlike products such as Microsoft Bitlocker and Apple FileVault, does not appear to have NSA-built backdoors. These methods too have been confirmed by Snowden as ‘NSA-proof’, provided they are applied correctly.

Hacking

The most commonly used method to get around effectively used encryption is hacking the end user's computer. The NSA has been actively working for at least fifteen years to make access to individual systems as easy as possible. Most well-known systems such as Windows, Android, MacOSX and iOS have built-in backdoors or weaknesses that the NSA uses to compromise individual computers (a smartphone is also a computer) in order to get around effective methods like mail encryption. Attempts are also made to introduce weaknesses into systems like Linux (which for now are seen as less insecure), among other things by having NSA employees actively take part in the development of the software and communication standards. On several occasions in the past such attempts were detected by other developers and corrected by the worldwide community of programmers. How many attempts went undetected is extremely hard to say with certainty. Because of the enormous complexity of virtually all modern operating systems, no single person can oversee everything any more.

The hacking of individual systems is highly automated, which allows the NSA to handle millions of ‘targets’ with limited manpower. To make this automation possible the NSA works with companies like Microsoft and Apple, which must report holes in their systems to the NSA first and only (much) later to their customers.

This last problem is the hardest one for an end user to do something about, because switching to a completely new operating system takes a lot of knowledge and time, quite apart from the fact that most professional users, pupils or students are often not allowed to choose for themselves at all.

For serious journalists and others who are willing to make the extra effort there is TAILS. This is a very heavily secured and minimalist system that runs entirely from a USB stick. Cheap and easy to always carry with you.

Here is an overview of tips, tricks and tools for everyone who wants to get started with this. Here is a video of a workshop for investigative journalists last July.


NSA intell goldmine, who else has access?

<also on Sargasso.nl and HuffPo UK>

The War Room, Dr. Strangelove - 1965

Shortly after the initial release of some documents from whistleblower Edward Snowden I wrote a little summary about the IT-policy implications for Europe based on earlier columns. A lot of additional documents have come out since then and we can basically conclude that almost every computer system on the planet is fully broken or at least very vulnerable to NSA interference or manipulation.

Nobody, including the NSA, Edward Snowden or Glenn Greenwald, has a total overview of all of the tens of thousands of documents, let alone the political or strategic implications of the information contained in them. Most of the news keeps focusing on the ‘scandal’ aspect and/or the person of Snowden. Being angry at the US government (practised by most opponents) and attacking the person of Snowden (a favorite of apologists of the US regime) distracts from defining adequate policy responses, and so far there have been precisely none in Europe. This constitutes a massive failure of the various EU governments to protect their citizens’ rights and the economic sovereignty of their nations. It is also strange in light of the fact that an adequate policy response had already been formulated in July 2001 and really just needs to be implemented.

But every now and then the disinfo spread by some apologists for the behaviour of the NSA is useful for understanding how much worse the situation may just turn out to be. This article by a former NSA employee is a nice example of an attempt at smearing the whistleblower while actually digging the hole the NSA (and the US regime) is in much, much deeper. The piece claims Snowden secretly worked for Russian intelligence all along. While I do not share the author's views on Snowden’s motivations or allegiances, the suggestion that outside organisations could have agents inside the NSA has some interesting implications.

If I understand the gist of this post correctly there is a much bigger breach than one would conclude based on the mainstream news from the Guardian. Not only can (and does) the NSA collect pretty much everything anyone does in the digital realm by breaking systems and breaking into systems. They are then unable to protect this sigint goldmine from falling into the hands of the agents of foreign intelligence organisations. So now all our data is in the hands of both the US and Russian governments. This raises the question of what other organisations have deep-cover moles inside the NSA using its infrastructure to do the hard work of global sigint for them. The Chinese government? A South-American drugs cartel? Private military companies? Journalists-activists-terrorists? Goldman Sachs? The implications are astounding.

If what this academic-with-the-columnist-style says is true, the disaster is exponentially bigger than it would initially appear to be, and this has very little to do with any ‘damage’ to the US image (it’s got nowhere to go but up by now) or its ability to ‘do’ intelligence. First America gave the world the Internet as a global comms infrastructure and now it has given an unknown number of completely unaccountable actors the keys to this infrastructure to do with as they please.

A Russian/Chinese/Israeli/Iranian spy will benefit both from the sigint collected by the NSA systems and even more from the info about what the US Intelligence community is (and is not) looking at. They could maybe also manipulate the collection process to steer the NSA away from things they would like to remain unseen. Any serious spy organisation would spend a lot of resources on creating that ability since the US has made itself totally dependent on signals intelligence as opposed to humans in the field who speak languages and understand cultures.

If the NSA has created a global spying machine whose output they cannot control perhaps it would be best to shut the whole thing down today. This would also have the additional benefit of respecting the human right of privacy (as described in Article 12 of the universal declaration of human rights) for most of humanity.


The missed opportunity of avoiding PRISM

<originally a column for Consortium News>

On July 11th 2001 the European Parliament published a report on the Echelon spy network and the implications for European citizens and businesses. Speculation about the existence of this network of Great Britain and her former colonies had been going on for years, but it took until 1999 for a journalist to publish a report that moved the subject out of the tinfoil-hat zone. The report of the EU Parliament contains very practical and sensible proposals, but because of events two months later across the Atlantic, they have never been implemented. Or even discussed further.

Under the heading “Measures to encourage self-protection by citizens and enterprises” the report lists several concrete proposals for improving data security and confidentiality of communications for EU citizens. The document calls on Parliament to inform citizens about the existence of Echelon and the implications for their privacy. This information must be “accompanied by practical assistance in designing and implementing comprehensive protection measures, including the security of information technology“.

Other gems are the requests to “take appropriate measures to promote, develop and manufacture European encryption technology and software and, above all, to support projects aimed at developing user encryption technology, which are open-source” and “promote software projects whose source text is published, thereby guaranteeing that the software has no “back doors” built in (the so-called “open source software”)”. The document also mentions explicitly the unreliability of security and encryption technologies whose source code is not published. This is an issue that is a strict taboo in Dutch and UK discussions on IT strategy for governments (probably because certain major NATO partners might be offended).

Also, governments must set a good example to each other and their citizens by “systematic use of encryption of e-mails, so that in the longer term this will be normal practice.” This should in practice be realised by “ensuring the training and publication of their staff with new encryption technologies and techniques by means of the necessary practical training and courses.” Even candidate countries of the EU should be helped “if they cannot provide the necessary protection by a lack of technological independence“.

That one paragraph from the summer of 2001, when rational security policies had not yet been completely destroyed by 9/11, describes the basis for a solid IT policy that ensures security and privacy of citizens against threats from both foreign actors and the government itself (historically always the greatest threat to its citizens and the reason why we have constitutions).

Had these policies been implemented over the last decade then the PRISM revelations of the last week would have been met mostly with indifference. European citizens, governments and companies would be performing most of their computing and communications on systems controlled by European organisations, running software co-developed in Europe and physically located on European soil. An American problem with an overreaching spy apparatus would have been just that, an American problem – like teenagers with machine guns or lack of universal healthcare, just one more of those crazy things they do in the colonies to have ‘freedom’.

From the proprietary frying pan into the cloudy fire
Over eleven years ago, I was talking to Kees Vendrik (Dutch MP) about the broken European software market. Not only was it impossible to buy a brand laptop without having to buy a Microsoft Windows licence, it was also impossible to visit many websites (municipalities, railways and many others) without using Internet Explorer. The latter area has greatly improved and I can today lead my life using my OS and browsers of choice. The Dutch dependence on products such as MS Windows/Office has not really diminished however, despite all the wishes expressed by Parliament and attempts at government policies. Today it is not possible to finish secondary school as a student without owning and using several pieces of proprietary software. Imagine making a certain brand of pen mandatory for schools and picking a brand of pen that comes with a spying microphone (not under control of the user). That is the current situation in practical terms in the Netherlands and UK amongst others. Germany, France and Spain are doing slightly better by at least acknowledging the problem.

Meanwhile, the technological seismic shift that frightened Bill Gates so much back in ’95 (the web makes the operating system irrelevant) is fast becoming reality. Almost all new developments discussed by IT power players and specialists are web-based or based on open specifications and the most commonly used applications are running quite well as service in a browser.

So while the 15-20 year old problem of software dependency has never really been resolved (governments, with tens of thousands of IT workers, are still unable to wean themselves off the familiar Microsoft technology stack), its impact is slowly becoming less relevant. Meanwhile, new dependencies on ‘cloud’ providers are now proven to be even more detrimental.

Excessive use of proprietary software creates the risk of foreign manipulation and potential attacks on critical infrastructure (see Stuxnet). But at least if your systems are attacked in this way, there are some ways to track this. If you are working on a computer that does not belong to you, that is based in a foreign country and is managed by people you don’t know in ways you cannot check, it will be very difficult to have any control over what happens to your data.

The old assumption, that using local servers could be part of the solution, unfortunately seems to be an illusion under the post-9/11 Empire. All cloud services offered by companies based in the US are subject to US legislation, even if the servers are physically in another country. And US law is now somewhat, shall we say, problematic. With no evidence, but with an allegation of involvement in “terrorism”, systems can be closed down or taken over – without any warning or the possibility of adversarial judicial review. The term “terrorism” has been stretched so far that anyone who allegedly breaks US law, even if they’re not a US citizen and even if they’re not in the US, can still be deemed a “terrorist”, just on the word of one of the many three-letter services (FBI, CIA, NSA, DIA, DHS, TSA, etc.). The EU was not happy about this but until the PRISM leak did not want to go so far as recommending that its citizens and other governments no longer use such services. PRISM is making it possible to at least have a serious discussion about this for the first time.

The long arm of the US Patriot Act goes even further than merely the servers of US companies on European soil. Thus domains can be “seized” and labelled: “this site was involved in handling child pornography“. Try explaining that as a business or non-profit organisation to your clients and (business) partners. Just using a .com, .org or .net extension as your domain name now makes you liable under US law. All Europeans can now be seized from their homes for breaking US law. So a .com domain name makes your server effectively US territory.

We were already aware that proprietary platforms like Windows and Google Docs were not suitable systems for important things such as running public or critical infrastructure. However, now it turns out, that every service delivered through a .com / .org / .net domain places you under de facto foreign control.

Solution? As much as possible, change to free/opensource software on local servers. Fortunately there are quite a few competent hosting companies and businesses in Europe. Use local country domains like .nl, .de, .fr or, if you really want to be bullet proof, take a .ch domain. These are managed by a Swiss foundation and these people take their independence seriously. If you still want to use Google (Docs), Facebook, Evernote, Mind Meister, Ning.com, Hotmail or Office 365 – please do so with the awareness that you have no privacy and fewer civil rights than English noblemen had in the year 1215.

Fighting evildoers
A few months ago, a government speaker was defending the ‘Clean IT’ project at a meeting of RIPE (the organization that distributes IP addresses for Europe and Asia). Clean-IT is a European project of Dutch origin which aims to combat the ‘use of the Internet for terrorist purposes’. The problem with this goal is that ‘internet’, ‘use’ and ‘terrorism’ remain undefined, nor does it seem anyone is very interested in sorting this out. This lack of clarity can in itself be useful if you are a government, because you can then take a project in any direction you like. A bit like when data retention was rammed through the EU parliament in 2005 with the promise that it would be used only against terrorism – a promise that was broken within a few months. In Germany, data retention has now been declared unconstitutional and been abolished, while the Netherlands has rampant phone tapping, despite a total lack of evidence of the effectiveness of these measures. That all the databases of retained telecommunications data themselves become a target is not something that seems to be seriously taken into account in the threat analyses. All rather worrying for a government that is still usually unable to secure its own systems properly or ensure that external contractors do so.

Also, during the lecture on Clean-IT much emphasis was placed on the public-private partnership to reassure the audience. It’s strange that a government first makes itself incompetent by outsourcing all expertise, then comes back after ten years and claims it cannot control those same companies, nor indeed their sub-contractors. The last step is then to outsource the oversight function to companies as well and reassure the citizens: “We let companies do it! Don’t you worry that we would do any of the difficult technical stuff ourselves, it’s all been properly outsourced to the same parties that messed up the previous 25 projects”.

Terrorism is obviously the access all areas pass – despite the fact that many more Europeans die slipping in the shower or from ill-fitting moped helmets than from terrorism. Moreover, we as Europeans have experience of dealing with terrorism. ETA, IRA and RAF were rendered harmless in previous decades by police investigations, negotiations and encapsulation. This was done without jeopardizing the civic rights of half a billion European citizens. Even when IRA bombs were regularly exploding in London nobody suggested dropping white phosphorous on Dublin or Belfast.

I hope that the pre-9/11 vision of the EU Parliament will be rediscovered at some point. It would be nice if some parts of the ‘Free West’ could develop a policy that would justify our moral superiority towards Russia, when we demand that they stop political censorship under the guise of “security”.

Backup plan: DIY
If all else fails (and this is not entirely unlikely) we need a backup plan for citizens. Because despite all petitions, motions, actions and other initiatives our civil liberties are still rapidly diminishing. Somehow a slow-motion corporate coup has occurred where the government wants to increase “efficiency” by relying on lots of MBA-speak and corporate management wisdoms that worked so well for the banking sector. The fact that the government’s primary function thereby evaporates does not seem to bother most civil servants. And meanwhile the companies themselves are apparently too busy making profits and fighting each other to worry about civil rights and other archaic concepts from the second half of the 20th century.

So rather than always trying to influence a political system that so very clearly ignores our interests, we can simply take care of ourselves and each other directly. This conclusion may not be pleasant, but it gives clarity to what we have to do.

One good example would be to have educational and civil liberties organisations providing weekly workshops to citizens on how to install and use encryption software to regain some privacy. These organisations should use their clout to get the slogan of “crypto is cool” on everyone’s lips. Technologists and designers should focus their energies on promoting the hip and user-friendly aspects of these pieces of software. This may be a lot more fun than lobbying ossified political institutions and actually provide some concrete privacy results.

Since 2006 I have ensured my own email privacy by no longer relying on the law, but by using a server outside the EU, SSL connection to it through a VPN tunnel entering the open Internet also outside the EU. I encrypt as many emails as possible individually with strong crypto (using Free GPG software). The fact that all those hordes of terrorists (who, our government asserts, are swamping the planet) have no doubt also adopted such measures – for less than 20 Euros a month – makes most of the low-level spying a complete and pointless waste of resources. Assuming the point truly is fighting ‘terrorism’ – something that is becoming a bit doubtful in light of the above.

Despite what some of the ‘but I have nothing to hide’ apologists say, we have privacy rights and other civil liberties for the same reason we have a constitution. Not for situations where everything is OK but for those rare situations where things are not OK. Privacy is the last line of defence against governments who lose sight of their reason for existing (to serve their people). Privacy is therefore not the enemy of security but the most basic part of it. Because governments are much scarier than any would-be cyber-criminal or even terrorists. Criminals may steal some money and terrorists may kill a few people, but when it comes to wars, mass repression or genocide you always need a government.

It is very obvious what European governments should be doing to promote the safety and security of their citizens and states. They already wrote it down in the summer of 2001. The fact that these measures are never part of any current ‘cybersecurity’ policy proposals should make people very suspicious, at least of their governments’ competence.

The above article was originally written for and published on Consortium News. On June 22nd I was interviewed by Chuck Mertz from ‘This is Hell!’ radio (Chicago, WNUR 89.3 FM). The entire program of that morning is on the This Is Hell! site. My interview (all 52 minutes of it) is here.


OHM and other Three-Letter-Agencies

<originally a column for OHM2013.org – also on HuffPo UK> – video of The Great Spook Panel below this post

“Whatever you do will be insignificant, but it is very important that you do it.” – Mahatma Gandhi

This summer the Dutch hacker community, with help from friends all over the world, will organise the seventh hacker festival in a series that started in 1989 with the Galactic Hacker Party. The world has changed massively since then (we’ll get to that) but the goal of these gatherings remains the same: to share knowledge and ideas about technology and its implications for our world, have heated discussions on what we should do about the problems we see (sometimes well before many others see them), generally have fun in communicating without keyboards, and being excellent to each other.

Four years ago a somewhat unknown Australian hacker with some new ideas about the future of journalism gave the opening keynote at HAR2009. His site was called Wikileaks and some of us had a hunch that this concept might be going places. We had no idea just how far that would be…

Not long after the first gathering in the Netherlands in 1989, the Berlin Wall came down. While we can claim no connection, the interminable Cold War had finally ended and many of us felt, with the optimism so typical of youth, that world peace might just be possible in our lifetimes. We would go back to making rockets that went up instead of straight-and-level and other great things would follow.

Regrettably that was not to be. First the .coms imploded, then three skyscrapers in New York, and soon after that our entire economy turned out to be a sort of multi-level-marketing casino. The 3rd millennium has started with a bang that is still echoing around the planet. Since then we’ve seen the ‘free’ part of the world become rather un-free rather fast. “US Department of Homeland Security relaxing a ban on toenail clippers” would have been a scary headline for someone in 1993 on several levels. But in 2013 it is just one of those things to which people have sadly become accustomed.

What happened? And is there anything we can do about it? Why not ask some of the people who were insiders with some of those three-letter-agencies-that-many-of-us-fear*, who left and are now speaking out, often at great personal risk and cost. Five former insiders from different government organisations will all give talks about their experiences within various secret agencies and provide a historic context to what is happening right now.

The alphabet soup begins with ex-CIA Ray McGovern who is now an outspoken and indefatigable international peace campaigner. Ray will give a broad historic context based on his experiences as an analyst and presidential ‘daily-briefer’ during a career with the CIA that started during the Vietnam war.

Ex-FBI Coleen Rowley will talk about her experience working against organized crime and terrorist organisations at the FBI. She went public over the intelligence-sharing failures that allowed 9/11 to happen, and in 2002 was voted “Time” Person of the Year.

In a more recent case, ex-NSA and natural-born geek Thomas Drake and ex-DoJ Jesselyn Radack will discuss Tom’s whistleblowing case relating to his work for the NSA, where he was managing very large information-gathering projects. Tom was one of the first victims of the recent US push-back against whistleblowers under the reanimated 1917 US Espionage Act and was threatened with life in prison.

Annie Machon, a former intelligence officer for MI5, will discuss her experience working for the UK’s Security Service against terrorist organisations, why she became a whistleblower about the crimes and incompetence of the UK spies, and how all of this relates to current developments both in the Middle East and the shredding of our civil liberties in the West.

To try to make sense of all these insights and figure out what we should do to get out of the mess, the five experts will discuss our options in a special “Spook Panel”, and you can join in. How can we resist, retain privacy and perhaps get back to a world where you can get on a plane without being prodded, scanned and forced to give up dangerous materials like mineral water?

It is easy and understandable to get depressed about the world today, but that doesn’t help. Hackers are people who do things. So join us and share your knowledge, creativity and talents to help figure out what we can do to fix this. New media, crypto, art, networks, music, blogging, fast & clever analysis of news and patient explanations of history & culture: we need it all and much more. And we need everyone to help out, because while the freedom to play with tech is vital, the freedom to do so while not being subjected to ‘extraordinary rendition’, torture, or drone-strikes is even more important.

The summer of 1989 was long, hot and free. Let’s make another one at OHM2013.


*) If you don’t fear these agencies you’re either not paying attention or you have a very boring life.
