Category: free software
Over the last 10-15 years public IT in Europe has not developed in line with public interests, nor does it guarantee the fundamental rights of citizens such as privacy and freedom of expression. Tremendous opportunities in the field of economic development and employment have also been missed. Europe effectively outsources much of its information processing (software & services) to foreign parties at the direct cost of hundreds of billions of Euros (typically around 1% of GNP). The opportunity-cost to local economic growth and employment opportunities are much greater than that. Even more costly than either of these is the de-facto handing over of control of data of governments, businesses and individual citizens to foreign spies who use it for political manipulation, repression of citizens’ freedoms and industrial espionage. Although the warnings about the negative consequences of current policies date back at least 15 years, these aspects have been documented in irrefutable detail over the last year by the revelations of Edward Snowden. 12 months later there has not even been the beginning of a policy response.
It could all have been so different …
In the first 21 months of the 21st century, the dot-com bubble burst and then three skyscrapers in New York collapsed. Between these two events a largely forgotten report to the European Parliament appeared in the summer of 2001. This report described the scale and impact of electronic espionage in Europe by the U.S. and its ‘Echelon’ partners (Canada, UK, Australia and New Zealand). Besides a detailed problem analysis, the report also gave concrete examples of IT policies that governments could take to significantly limit foreign intelligence spying on Europe.
In the same period was U.S. government won one of the largest anti-trust cases its history, against Microsoft, and the EU followed this victory by launching a similar case that would also be won leading to the highest fine to a company for economic crimes in the history of the EU.
It was against this background that thinking about strategic versus operational aspects of IT in the public sector changed. The report on Echelon made it clear that reducing IT into a merely operational exercise had disastrous consequences on the sovereignty of European states with respect to, in particular, the United States (and perhaps in the near future, China, other technically capable countries or non-state organizations). The economic consequences of industrial espionage against many high-tech and R&D-intensive companies became a major concern for the government.
The IT policy of governments would from 2002 onwards be based first on the political principles of a democratic and sovereign state. This not only meant a very different policy in the field of technology selection and procurement, but also the balance between outsourcing versus in-house expertise and required an extreme degree of transparency from all suppliers. Open data standards for public information were required, and non-compliance resulted in severe penalties (although public ridicule from 2009 onward was generally the most effective). These new frameworks for public IT created a new market for service providers who based solutions on so-called ‘Free Software’ (previously better known as ‘opensource’). The high degree of transparency both in project implementation as the technology itself made for a well functioning market and made recycling of (parts-of) systems the norm. Spending on software fell sharply and the freed up budget was used for the recruitment of highly qualified IT workers under conditions that could compete with the offerings of market.
The full transparency with respect to both the IT projects and the tech itself, combined with a depth of expertise within the government, changed the market for public software and IT services. Quality rose steadily while prices remained permanently under pressure. Since all service providers had full access to all software used in government (with only a few exceptions in defense, justice and home affairs), there was a very open playing field where all providers were expendable (and those who performed below par were replaced regularly).
In addition, computer and IT education from kindergarten to university studies was fundamentally revised. Basic understanding of the operation of computers and information networks became as normal as reading and writing. From 2006 every 14 year-old was taught in school how to encrypt email and what the disadvantages were of using software whose source codes are not published. Through this awareness among young people in Europe the adoption of social media occurred very differently than in the U.S.. Young people not only had end-user skills but real understanding about what was happening to their information when sending a message or upload a photo to websites. Being careful with your private information was considered cool. The social media landscape was not dominated by a handful of U.S. companies, instead there was a landscape of federated services such as Diaspora who competed among themselves but were compatible in the same way as is the case with email. These services were sometimes somewhat centralized but, just as often, completely decentralized and run on micro-servers in many people’s homes (such as the UK-invented 35 Euro RaspberryPi).
Due to the high privacy and safety awareness online crime did not have much grip on most European countries. Hardly anyone was naive enough to log on to strange domains or websites in response to a fake email that appears to come from their bank. And the use of customized secure USB drives created by various banks was accepted as obvious for any major online financial transactions. At the level of organisations high levels of expertise and a high degree of diversity in technology implementations made for robust security that was only seldom breached. The large demand for experts in well-paid jobs also kept many would-be criminals from selling their skills for more destructive applications.
This is the IT that Europe could have had if other choices were made over the last 12 years. All the knowledge and technology for these choices were available in the first months of this century. Because these choices were not made Europe has spent hundreds of billions on software licenses and services from American companies, while there were cheaper (often free), more flexible and safer alternatives available that would not operate as a foreign espionage platform. All these hundreds of billions were not not invested in European service, training, education and R&D. The economic impact may be a multiple of the roughly $1 trillion in foreign software licenses spent by Europe this century, while the social cost resulting from manipulated politicians during transatlantic negotiations on trade or environmental matters will probably never be known.
Europe still has everything it needs to develop and implement such policies. It is not too late to turn, no matter how regrettable the policy failures of the last decade and no matter how many wasted billions. Today could be the first day of such a new course. Concrete examples in the Netherlands, Germany, France, Spain the UK and many other places show that this is not only possible, but almost immediately leads to huge savings, improved safety and independence from foreign parties in future IT choices.
It’s not often that regaining national sovereignty and the restoration of civil rights can spur national innovation and employment programs simultaneously. The only thing missing is the political will to stop rewarding businesses and governments that use their technological dominance to spy on the entire world. We have nothing to lose but our chains to the NSA.
Dear Members of the Committee on ICT ,
On June 1st, 2012 I was invited by your predecessors to contribute to the expert meeting of the Parliamentary Working Group on ICT projects in government. The written submission that I made at that time is here, including a video of those hearings (in Dutch).
As an IT architect but also as a concerned citizen, I have been actively involved with the IT policy of the government since 2002, focusing on the areas of electronic health records, security and open standards / open source software. On the latter issue I was the initiator of the 2002 Parliamentary ‘Motion Vendrik’ that advocated greater independence from dominant software suppliers. Last year I also served as a technical expert on the Committee of Minister Plasterk who advised on the (im)possibilities of electronic support for the electoral process.
Although this motion Vendrik from 2002 was translated into the Heemskerk Action Plan in 2007, this policy was quietly killed in 2010/11 by the lobbying power of large software vendors and the U.S. government. Even the Court-of-Audit was pressured to *not* ask certain questions in its 2011 report on the policy. Since 2002, the Netherlands has spent about 60-90 billion on foreign software, for which in many cases free, equally good or better alternatives are available. Their use is, however, actively hindered by both the Ministries of Education and Interior, as well as the VNG supported by the lobbying apparatus of major suppliers and the U.S. government.
This despite Justice Minister Donner’s 2004 letter to Parliament in response to the Motion Vendrik where he admitted that:
- the government’s dependence on Microsoft was very great;
- that this was a problem ;
- and that by introducing open standards and the use of open source that could be solved.
This dependence has since become much greater and more than one billion Euro was spent on Microsoft licenses over the last decade. That money would have paid for 10,000 man-years of expertise to migrate away from Microsoft products. A large part of the money spent would have remained in the Dutch economy and returned to the state through tax and VAT. Not that 10,000 man-years would have been needed. The Municipality of Ede did it against the odds for a fraction of the cost and now saves 92 % on software expenses (and 25% on overall budget). The rest of the government has yet to take steps. Why is an important question.
In addition to the huge amounts of money involved (the VAT ends up mostly in the Irish exchequer due to inter-EU trade to Irish headquarters of IT companies), it has also become clear in recent months thanks to Edward Snowden in particular that U.S. software is deployed as espionage infrastructure . This has practical implications. For example, the current semi-privatised infrastructure of the national Electronic Health Records system has been put under technical management of an American company and therefore falls under the Patriot Act. But the Windows PCs ( which are de facto mandatory in secondary schools) and Gmail accounts (which are necessary to follow a University course) are part of the global spy network. Similarly with the iPhones that some of you might use, about which NSA internal documents boast of the 100% success rate in automated monitoring at zero dollars cost per device.
All this means that even if IT projects according to any definition ‘succeed operationally’ these often still violate the basic rights of millions of Dutch citizens (article 12 NL – Constitution, Art 8 ECHR , Art 12 UNDHR). Examples include electronic heatth records, transportation smart cards and many information processing systems of governments that have been outsourced on foreign soil and/or to foreign companies (such as the database of fingerprints that for many years has been linked to the issue of passports).
Both the EU and the Dutch government have been aware of this problem since the summer of 2001, yet nothing has since been done in the Netherlands to ensure the privacy of citizens or the data security of Dutch public and private institutions. Indeed, much has been done by the government which has greatly exacerbated this problem.
The above points, in my view, mean that a purely ‘operational ‘ approach to project success simply does not cover all the obligations of a democratic government in its role as guardian of the rights of its citizens.
This past weekend, I have viewed the first five videos of hearings and was most impressed by the contribution of Mr. Swier Jan Miedema. He seemed to be the only person genuinely committed to getting to the heart of the problems and saying out loud what he thought (although Prof . Verhoef also make quite a few wise points). The most compelling aspect of his testimony was the obvious fear of specifically naming a commercial party. This seems to confirm what many in the Dutch IT world know: companies like Centric abuse their dominant position in local government for short-term gain including the exclusion of anyone who is a threat to those gains (here another example).
That an IT professional of such seniority has to beat around the bush with a trembling voice is typical of the situation in the ‘market’ for public ICT. Institutionalized corruption and abuse of power is more associated with a developing country than a democracy.
In the conversations with both Mr. Miedema and other experts several members of the committee asked several times if these people could not suggest what would ‘solve’ all this. As if the problem was something that could be fixed with some trick. It is worryingly obvious that (two years and 8-12 billion after the start of the Commission) there is still the idea these problems can be solved by changing project-management methodology. Based on my experience, I believe that the problem is much more fundamental. I strongly urge you to look much more widely and more deeply at the problem and to not exclude your own role as parliamentarians in this. No questions or solutions should be taboo. Even if thereby the significant economic interests of above mentioned suppliers or the job security of groups of officials/civil servants must be called into question.
Both Mr. Miedema and Prof. Verhoef expressed the view that everything that happens can be broadly explained by the incompetence that exists in both the government and its suppliers. There are however, limits to the incompetence theory. Somewhere in the process the prolonged and appalling scale of wasting money, endangering the cyber security of the Netherlands and violating the privacy of millions of Dutch citizens has been allowed (or at least not considered an important subject). The fact that the Commission itself over the last 2 + years can spend a couple of hours a week on a problem that costs hundreds of millions of Euros monthly might also be an indication of some inexplicable non-priority. There are many officials, businesses, cybercriminals and intelligence services abroad that greatly benefit from the status quo. Look especially at those who do not come to your hearings.
In the 21st century laws are made reality by software. So it no longer befits a democracy to hand over control of that software to (often foreign) commercial parties. Executive parts of government must be accountable to you ultimately and without control over the technology that underpins their work this accountability is simply not possible.
Obviously I am willing to explain myself further as to above matters.
With kind Regards,
June 9th 2014: In The other IT of another Europe I commemorate one year of the Snowden/NSA scandal by describing a scenario in wich other choices were made, choices that are still open to us today…
Socially aware people are, often justifiably, very good at moral indignation, but they just as often display a touching naivety. I recently watched with some surprise the American Occupy activists who were shocked (shocked I tell you!) as policemen (or university rent-a-cops) launched unprovoked attacks using batons and pepper spray.
It is indeed despicable that these officials use so much violence. But if people are still shocked by this in 2011, one has to wonder where they’ve been hiding for the last 10 years – have they not watched the news? Did they think that they could let stolen elections, illegal wars of aggression, shooting children with anti-tank weapons and the torture of innocent civilians happen without the ultimate consequence of their govenment using the same force against them?
But even the naive indignation of some Occupy activists about their government and its boot boys, is nothing compared to the childish surprise of the IT press about ACTA and SOPA. The copyright industry has for decades lobbied for the length of copyright to stretch to the end-of-time-plus-a-day extra.
Sony has no problems with infecting computers of their customers with what amounts to a virus. A torrent of writs has poured forth from the offices of copyright enforcement. Babies and the elderly without a PC, deceased persons, and even a HP laser printer have been falsely accused of copyright infringement (labeled as “theft” by the lawyers of the industry). Surely we all know the kinds of organisations we are facing now?
That’s why I’m happy that the Kafkaesque combo of ACTA / SOPA has become clear. Now ACTA and SOPA have almost been rammed through, at least we all know where we stand. The wolves have thrown off their sheep’s clothing and shown themselves for what they are: predators with no interest in our welfare. We therefore need not be quasi-shocked about the fact that some large companies behave like predators.
Now we have determined that we are dealing with predators, we can take action. Acting all shocked and angry once a wolf reveals himself in a kindergarten playroom is not an effective measure – he is a predator. If you want to prevent a bloodbath, you need to build a fence around the playroom – or perhaps even around the wolf.
If we want IT to work for us, we must ensure that the technology is designed around our interests rather than the interests of software vendors or copyright serfs. We need computers and network devices that do what we want them to do, even if that is not in the commercial interests of a handful of large companies or the political will of illegal government lobbyists.
For over 25 years the Free Software Foundation has been the only organization calling for this. During the last 15 years the debate about the principles of free software has been almost completely overshadowed by the much more business-orientated and pragmatic approach of the Opensource Initiative. The reason to found the Opensource Initiative was literally the ‘too principled’ attitude of the Free Software Foundation.
Meanwhile, all the things that the FSF has warned us about for so long have become the new and ugly reality. The complete lack of principle in discussing the applications of our technology is now starting to bite in very nasty ways. Almost all PCs (and I include Macs here), phones and game consoles have onboard functions that are not there for our benefit but for companies that want to earn our money. When you’re not in contol of your computer, is it still your computer / phone / console / router / etc … ?
This is an old political lesson: if you wait too long to protest, maybe you will no longer able or allowed to protest. This applies not only to addressing governments that start wars or the state stupidly bailing out the banks. This applies equally to the question of who is in charge of the computers and networks that we now all depend on. If we collectively do not demand principles as part of our tech, then we will get technology without them.
The ideas of the Free Software Foundation have never been more important. Not because proprietary software is worse (sometimes) nor because Free Software has become so much better (much!), but because our own systems, our digital home, is where we should all have have a say.
Only principled thinking (in addition to technical function) about our IT will keep the wolves from the door.