Letter to Parliamentary Committee on Gov. IT projects

Letter below has been submitted to the Temporary Committee on Government IT. This document is a translation from the Dutch original.

Dear Members of the Committee on ICT,

On June 1st, 2012 I was invited by your predecessors to contribute to the expert meeting of the Parliamentary Working Group on ICT projects in government. The written submission that I made at that time is here, including a video of those hearings (in Dutch).

As an IT architect but also as a concerned citizen, I have been actively involved with the IT policy of the government since 2002, focusing on the areas of electronic health records, security and open standards / open source software. On the latter issue I was the initiator of the 2002 Parliamentary ‘Motion Vendrik’ that advocated greater independence from dominant software suppliers. Last year I also served as a technical expert on the Committee of Minister Plasterk who advised on the (im)possibilities of electronic support for the electoral process.

Although this Motion Vendrik from 2002 was translated into the Heemskerk Action Plan in 2007, this policy was quietly killed in 2010/11 by the lobbying power of large software vendors and the U.S. government. Even the Court of Audit was pressured to *not* ask certain questions in its 2011 report on the policy. Since 2002, the Netherlands has spent about 60-90 billion on foreign software, for which in many cases free, equally good or better alternatives are available. Their use is, however, actively hindered by both the Ministries of Education and Interior, as well as the VNG, supported by the lobbying apparatus of major suppliers and the U.S. government.

This despite Justice Minister Donner’s 2004 letter to Parliament in response to the Motion Vendrik where he admitted that:

  • the government’s dependence on Microsoft was very great;
  • that this was a problem;
  • and that by introducing open standards and the use of open source that could be solved.

This dependence has since become much greater and more than one billion Euro was spent on Microsoft licenses over the last decade. That money would have paid for 10,000 man-years of expertise to migrate away from Microsoft products. A large part of the money spent would have remained in the Dutch economy and returned to the state through tax and VAT. Not that 10,000 man-years would have been needed. The Municipality of Ede did it against the odds for a fraction of the cost and now saves 92% on software expenses (and 25% on its overall budget). The rest of the government has yet to take steps. Why is an important question.

In addition to the huge amounts of money involved (the VAT ends up mostly in the Irish exchequer due to intra-EU trade with the Irish headquarters of IT companies), it has also become clear in recent months, thanks to Edward Snowden in particular, that U.S. software is deployed as espionage infrastructure. This has practical implications. For example, the current semi-privatised infrastructure of the national Electronic Health Records system has been put under the technical management of an American company and therefore falls under the Patriot Act. But the Windows PCs (which are de facto mandatory in secondary schools) and Gmail accounts (which are necessary to follow a University course) are also part of the global spy network. Similarly with the iPhones that some of you might use, about which NSA internal documents boast of a 100% success rate in automated monitoring at zero dollars cost per device.

All this means that even if IT projects ‘succeed operationally’ according to any definition, these often still violate the basic rights of millions of Dutch citizens (Article 12 NL Constitution, Art. 8 ECHR, Art. 12 UDHR). Examples include electronic health records, transportation smart cards and many information processing systems of governments that have been outsourced on foreign soil and/or to foreign companies (such as the database of fingerprints that for many years has been linked to the issuing of passports).

Both the EU and the Dutch government have been aware of this problem since the summer of 2001, yet nothing has since been done in the Netherlands to ensure the privacy of citizens or the data security of Dutch public and private institutions. Indeed, much has been done by the government which has greatly exacerbated this problem.

The above points, in my view, mean that a purely ‘operational’ approach to project success simply does not cover all the obligations of a democratic government in its role as guardian of the rights of its citizens.

This past weekend, I have viewed the first five videos of hearings and was most impressed by the contribution of Mr. Swier Jan Miedema. He seemed to be the only person genuinely committed to getting to the heart of the problems and saying out loud what he thought (although Prof. Verhoef also made quite a few wise points). The most compelling aspect of his testimony was the obvious fear of specifically naming a commercial party. This seems to confirm what many in the Dutch IT world know: companies like Centric abuse their dominant position in local government for short-term gain, including the exclusion of anyone who is a threat to those gains (here another example).

That an IT professional of such seniority has to beat around the bush with a trembling voice is typical of the situation in the ‘market’ for public ICT. Institutionalized corruption and abuse of power is more associated with a developing country than a democracy.

In the conversations with both Mr. Miedema and other experts, several members of the committee asked several times if these people could not suggest what would ‘solve’ all this. As if the problem was something that could be fixed with some trick. It is worryingly obvious that (two years and 8-12 billion after the start of the Commission) there is still the idea that these problems can be solved by changing project-management methodology. Based on my experience, I believe that the problem is much more fundamental. I strongly urge you to look much more widely and more deeply at the problem and to not exclude your own role as parliamentarians in this. No questions or solutions should be taboo. Even if thereby the significant economic interests of the above-mentioned suppliers or the job security of groups of officials/civil servants must be called into question.

Both Mr. Miedema and Prof. Verhoef expressed the view that everything that happens can be broadly explained by the incompetence that exists in both the government and its suppliers. There are, however, limits to the incompetence theory. Somewhere in the process the prolonged and appalling scale of wasting money, endangering the cyber security of the Netherlands and violating the privacy of millions of Dutch citizens has been allowed (or at least not considered an important subject). The fact that the Commission itself over the last 2+ years can spend a couple of hours a week on a problem that costs hundreds of millions of Euros monthly might also be an indication of some inexplicable non-priority. There are many officials, businesses, cybercriminals and intelligence services abroad that greatly benefit from the status quo. Look especially at those who do not come to your hearings.

In the 21st century laws are made reality by software. So it no longer befits a democracy to hand over control of that software to (often foreign) commercial parties. Executive parts of government must ultimately be accountable to you, and without control over the technology that underpins their work this accountability is simply not possible.

Obviously I am willing to explain myself further as to above matters.

With kind Regards,

Arjen Kamphuis

June 9th 2014: In The other IT of another Europe I commemorate one year of the Snowden/NSA scandal by describing a scenario in which other choices were made, choices that are still open to us today…


‘Tinfoil Is The New Black’, Keiser Report interview

I was a guest on Max Keiser’s programme ‘The Keiser Report’ last Thursday, Jan. 16th, for the second time. Max is a former Wall Street trader who foresaw the current economic crisis a decade ago.

Full Keiserreport episode here on RT site and here on Youtube.

Max caught me by surprise by asking about the NSA TURMOIL and TURBINE programs. I confused them with other programs (there are many). The TURMOIL and TURBINE programs are part of the ‘Targeted Access Operations’ family (see this Spiegel article). These are programs for gaining access to systems by means other than abusing their built-in weaknesses over internet connections (the NSA’s favourite method because it can be automated to spy on everyone at very low cost). Targeted Access Operations (TAO) deals with everything from intercepting & modifying electronic devices that people order online to the use of microwave beam weapons to identify, hack, break and manipulate computer systems from a great distance. The latter method has also been used for targeting drone strikes. The talk by Jacob Appelbaum I mention at the beginning of the interview is here. Many more talks from the 2013 CCC conference in Hamburg can be found here.

The US Declaration of Independence is one of the greatest political writings in history and can be re-written for more contemporary political problems, as I did here. According to US academics the US declaration was inspired by the Dutch declaration that preceded it by almost two centuries.

Blogpost on a previous interview last year.


Interview on London Real

Last year during my December visit to London I gave a 1 hour interview to London Real. This is a great new free-form 1+ hr completely unscripted interview programme that is available on Youtube and as a podcast. Tired of the superficial 3-minute interviews that stop just when things get interesting? London Real is your channel. If you want to keep up to date on the London startup/tech scene then check out Silicon Real.

I was honored to be in a lineup that includes several of my current heroes including Max Keiser, Jared Diamond, Annie Machon and Rick Falkvinge.

Brian Rose and I spoke about NSA spying, the nature of privacy, copyright, bitcoin and much more. The interview begins at 7:48. For more, check out the London Real site. Compact mp3 for download here.


Committee report electronic voting

From April 26th until December 18th 2013 I was a member of the expert committee on voting computers. This committee was instituted to advise the Dutch Minister for the Interior on the feasibility of re-introducing electronic voting methods.

In the past (2008, 2012) I have always been very critical about the way electronic voting was implemented in The Netherlands up to 2007. The lack of transparency of this method and the impossibility of recounts made this fundamentally incompatible with real democracy and, after some convincing by citizens, even the government agreed on this.

The commission recommends:

  • The use of electronic aids to make the voting and counting processes more reliable and more accessible;
  • To this end, account will be taken of the preconditions formulated by the commission;
  • The introduction of a single nationwide voting system, consisting of a voting printer so that the voter can print his or her ballot paper and a scanner to count the votes electronically; this system can be made suitable for all voters;
  • It should be clear in legislation that the paper process provides the guiding principle;
  • Should the voting method proposed by the commission not be implemented, it recommends in any event the introduction of electronic counting linked to the introduction of a smaller ballot paper.

More details in the English Summary of the report. For the entire report, press coverage and interviews go to the Dutch version of this blogpost.


Interview on The Keiserreport

On Monday, December 2nd 2013 I was a guest on Max Keiser’s programme ‘The Keiser Report’. Max is a former Wall Street trader who foresaw the current economic crisis a decade ago. On his show he lets rip on the insane financial system and allows his guests to do the same.

Oh, and a PetaFLOP is 1.000.000.000.000.000 computations per second. I should have known that 😉

Full Keiserreport episode here on RT site and here on Youtube.


Keynote & interview Eurapco Insurance

<on 26-09-2013 I gave the keynote at the Eurapco congress where top EU insurance firms share expertise>

We live in a world of rapid technological change. Keynote speaker and IT expert Arjen Kamphuis discusses the implications for the insurance industry and its customers, and what measures can be taken to ensure the best possible customer experience. The objective was to raise awareness of the rapid pace of socio-technical development today and what fundamental effects this will have on the insurance industry. Changes in customer behaviour and expectations will have an impact on customer satisfaction with our companies’ claims handling.

Future shock – are we prepared for change? Some of the topics discussed in the keynote:

  • What if tomorrow’s world looks really different? The basic rules of our business can change at incredible speed because of changes in technology, national/EU/international policies, environmental threats and other external factors. New technology can overtake existing business models, and even make them irrelevant. The insurance industry faces the challenge of combining the need to be stable, secure and reliable with being dynamic, fast and responsive.
  • Cyber security needs to be taken care of, both within companies and between companies and their customers. Privacy issues are of great importance for insurance companies. For instance, it would be damaging for the image of a stable, secure and reliable insurance company if it were to be revealed that all customer data had been fully exposed by hackers or the NSA.
  • Today, all large service companies need to balance industrialised processes with the human touch. As a customer, you do not want to be exposed to the internal processes of your service provider. The customer just wants to receive service in an uncomplicated way. Changes in customer behaviour and expectations will have an impact on customer satisfaction with our companies’ claims handling.
  • Our companies’ brands face increasing danger in a fast-paced world of social media. Our customers rely more on the experience of others than on the promises of the companies. Through social media, good and especially bad experiences can be shared easily and quickly. We can join the conversation about our brand, but not control it.
  • A fast-changing world offers opportunities and threats for your business and your position in the market. Are you ready to adapt to changes in customer expectations? Is your organisation positioned to deal proactively with change, or could you be caught off guard? Do you have a plan for what to do if an improbable case scenario does occur? By carrying out regular scenario planning, you can at least have contingency plans for different case scenarios.

In your keynote speech, you mentioned that it’s very hard for anyone inside the insurance industry to see the world the way a customer, or other outsider, sees it. Can you, as an outsider, give us some tips about what is needed to achieve excellence from a customer’s perspective?

Insurance companies that are excellent from a customer’s perspective will still need to have operational excellence. This is necessary because efficient processes enable affordable premiums. The challenge is to make the operational excellence “invisible” for the customer, to treat the customer in such a way that he or she doesn’t notice the processes needed to deliver the service. Ideally, there’s a lean machine on the inside, while customers get the feeling they are receiving personally tailored service. This requires thought about where the “machine” part of the processes ends and the “human”, empathic part begins. Not everything that can be done by software should be done by software. The telltale sign that the proportions are right is the customer enjoying a pleasant experience.

How can such a combination of operational excellence and customer intimacy be achieved?

Big data is an important tool to achieve this. Now, it really is possible to have an intimate relationship with the customer. However, this can only come about if several preconditions are fulfilled. Firstly, you must be highly compliant. Secondly, and most crucially, you should proactively contact pressure groups such as Bits of Freedom, EURM or the Chaos Computer Club. You can ask them to ask you difficult questions about how you handle privacy and protect the secrecy and integrity of the customer data that you use. You can also discuss the legitimacy of the goals you use the data for. The same must be done with customer focus groups. In the end, much of what can or cannot be done is dependent on individual preferences. You should enable and encourage an informed customer choice about when to supply what data. Don’t make assumptions about what customers prefer, but ask and validate. Fourthly, data should always be protected and encrypted to minimise the chance of anyone gaining illegal access. Finally, the hard- and software that you use should come from suppliers that are demonstrably not associated with any illicit eavesdropping, be it by corporate or government organisations. Insurance companies may struggle to put all of this into practice, not least because they have to deal with a lot of legacy hard- and software. This complexity is unavoidable, and you should be super-transparent about it.

The important thing here is that you “live” your data philosophy, not only in communication but also in visible behaviour. Be explicit about what level of assurance regarding data is possible today, and how that’s going to improve over the next few years. Have a credible road map for getting to the technical solutions that are needed. And again, get into contact with opinion leaders. Invite them to a dialogue to design a code of conduct, organise an employee training day on internal compliance together. It’s bound to be educational for all involved. If you act on your good intentions in this way, there are still going to be blow-ups because of data problems. But even then, a good relationship with opinion leaders will help enormously in containing the damage.

You also said American companies are at a disadvantage in terms of reassuring customers worried about privacy because of the nature of US privacy laws and the scandals surrounding the NSA. Does this also mean you see new business opportunities for European insurance companies?

Sure. European insurance companies could provide “privacy-strong” ISP services, data centres or cloud space guaranteed to be compliant with Article 12 of the UN Charter. And what about a “safe Facebook”? What about a service that says to the customer: we will help you leave Facebook behind you? Moreover, providing high-privacy/security online services to (European) customers is not only a business opportunity for the insurance sector, but also a great way to show leadership in socially responsible entrepreneurship. The privacy issue will only grow as more of the 78,000 plus documents from Snowden are released (so far we’ve seen only about 200, and the best is being saved for last). Insurance companies can work towards being the trusted parties by way of clear moral leadership on customer interaction and care of data. Such companies would surely also attract some of the most talented and motivated employees: everyone wants to work for companies that are seen to be leaders.

  • ā€œHe is a really inspiring person with a truly interesting vision for IT and the insurance business.ā€
  • ā€œThank you, Arjen! Your presentation was refreshingly blunt and, in my opinion, realistic. I think Eurapco showed courage inviting you to speak about things most of us want to ignore.ā€

‘Refreshingly blunt’, best compliment I’ve had in a long time šŸ˜‰


NSA intell goldmine, who else has access?

<also on HuffPo UK>

[Image: The War Room, Dr. Strangelove - 1965]

Shortly after the initial release of some documents from whistleblower Edward Snowden I wrote a little summary about the IT-policy implications for Europe based on earlier columns. A lot of additional documents have come out since then and we can basically conclude that almost every computer system on the planet is fully broken or at least very vulnerable to NSA interference or manipulation.

Nobody, including the NSA, Edward Snowden or Glenn Greenwald, has a total overview of all of the tens of thousands of documents, let alone of the political or strategic implications of the information contained in them. Most of the news keeps focusing on the ‘scandal’ aspect and/or the person of Snowden. Being angry at the US government (practised by most opponents) and attacking the person of Snowden (a favourite of apologists of the US regime) distracts from defining adequate policy responses, and so far there have been precisely none in Europe. This constitutes a massive failure of the various EU governments to protect their citizens’ rights and the economic sovereignty of their nations. It is also strange in light of the fact that an adequate policy response had already been formulated in July 2001 and really just needs to be implemented.

But every now and then the disinfo spread by some apologists for the behaviour of the NSA is useful for understanding how much worse the situation may just turn out to be. This article by a former NSA employee is a nice example of an attempt at smearing the whistleblower while actually digging the hole the NSA (and the US regime) is in much, much deeper. The piece claims Snowden secretly worked for Russian intelligence all along. While I do not share the author’s views on Snowden’s motivations or allegiances, the suggestion that outside organisations could have agents inside the NSA has some interesting implications.

If I understand the gist of this post correctly, there is a much bigger breach than one would conclude based on the mainstream news from the Guardian. Not only can (and does) the NSA collect pretty much everything anyone does in the digital realm by breaking systems and breaking into systems; it is then unable to protect this sigint goldmine from falling into the hands of the agents of foreign intelligence organisations. So now all our data is in the hands of both the US and Russian governments. This raises the question of what other organisations have deep-cover moles inside the NSA, using its infrastructure to do the hard work of global sigint for them. The Chinese government? A South American drug cartel? Private military companies? Journalists-activists-terrorists? Goldman Sachs? The implications are astounding.

If what this academic-with-the-columnist-style says is true, the disaster is exponentially bigger than it would initially appear to be, and this has very little to do with any ‘damage’ to the US image (it’s got nowhere to go but up by now) or its ability to ‘do’ intelligence. First America gave the world the Internet as a global comms infrastructure, and now it has given an unknown number of completely unaccountable actors the keys to this infrastructure to do with as they please.

A Russian/Chinese/Israeli/Iranian spy will benefit both from the sigint collected by the NSA systems and even more from the information about what the US intelligence community is (and is not) looking at. They could perhaps also manipulate the collection process to steer the NSA away from things they would like to remain unseen. Any serious spy organisation would spend a lot of resources on creating that ability, since the US has made itself totally dependent on signals intelligence as opposed to humans in the field who speak languages and understand cultures.

If the NSA has created a global spying machine whose output it cannot control, perhaps it would be best to shut the whole thing down today. This would also have the additional benefit of respecting the human right to privacy (as described in Article 12 of the Universal Declaration of Human Rights) for most of humanity.