Category: news

The missed opportunity of avoiding PRISM

<originally a column for Consortium News>

On July 11th 2001 the European Parliament published a report on the Echelon spy network and the implications for European citizens and businesses. Speculation about the existence of this network of Great Britain-and-her-former-colonies had been going on for years but it took until 1999 for a journalist to publish a report that moved the subject out of the tinfoil-hat zone. The report of the EU Parliament contains very practical and sensible proposals, but because of events two months later across the Atlantic, they have never been implemented. Or even discussed further.

Under the heading “Measures to encourage self-protection by citizens and enterprises” the report lists several concrete proposals for improving data security and confidentiality of communications for EU citizens. The document calls on Parliament to inform citizens about the existence of Echelon and the implications for their privacy. This information must be “accompanied by practical assistance in designing and implementing comprehensive protection measures, including the security of information technology”.

Other gems are the requests to “take appropriate measures to promote, develop and manufacture European encryption technology and software and, above all, to support projects aimed at developing user encryption technology, which are open-source” and “promote software projects whose source text is published, thereby guaranteeing that the software has no “back doors” built in (the so-called “open source software”)”. The document also mentions explicitly the unreliability of security and encryption technologies whose source code is not published. This is an issue that is a strict taboo in Dutch and UK discussions on IT strategy for governments (probably because certain major NATO partners might be offended).

Also, governments must set a good example to each other and their citizens by “systematic use of encryption of e-mails, so that in the longer term this will be normal practice.” This should in practice be realised by “ensuring the training and publication of their staff with new encryption technologies and techniques by means of the necessary practical training and courses.” Even candidate countries of the EU should be helped “if they cannot provide the necessary protection by a lack of technological independence“.

That one paragraph from the summer of 2001, when rational security policies had not yet been completely destroyed by 9/11, describes the basis for a solid IT policy that ensures security and privacy of citizens against threats from both foreign actors and the government itself (historically always the greatest threat to its citizens and the reason why we have constitutions).

Had these policies been implemented over the last decade then the PRISM revelations of the last week would have been met mostly with indifference. European citizens, governments and companies would be performing most of their computing and communications on systems controlled by European organisations, running software co-developed in Europe and physically located on European soil. An American problem with an overreaching spy apparatus would have been just that, an American problem – like teenagers with machine guns or lack of universal healthcare, just one more of those crazy things they do in the colonies to have ‘freedom’.

From the proprietary frying pan into the cloudy fire
Over eleven years ago, I was talking to Kees Vendrik (Dutch MP) about the broken European software market. Not only was it impossible to buy a brand laptop without having to buy a Microsoft Windows licence, it was also impossible to visit many websites (municipalities, railways and many others) without using Internet Explorer. The latter area has greatly improved and I can today lead my life using my OS and browsers of choice. The Dutch dependence on products such as MS Windows/Office has not really diminished however, despite all the wishes expressed by Parliament and attempts at government policies. Today it is not possible to finish secondary school as a student without owning and using several pieces of proprietary software. Imagine making a certain brand of pen mandatory for schools and picking a brand of pen that comes with a spying microphone (not under control of the user). That is the current situation in practical terms in the Netherlands and UK amongst others. Germany, France and Spain are doing slightly better by at least acknowledging the problem.

Meanwhile, the technological seismic shift that frightened Bill Gates so much back in ’95 (the web makes the operating system irrelevant) is fast becoming reality. Almost all new developments discussed by IT power players and specialists are web-based or based on open specifications, and the most commonly used applications run quite well as services in a browser.

So while the 15-20 year old problem of software dependency has never really been resolved (governments, with tens of thousands of IT workers, are still unable to wean themselves off the familiar Microsoft technology stack), its impact is slowly becoming less relevant. Meanwhile, new dependencies based on ‘cloud’ providers are now proving to be even more detrimental.

Excessive use of proprietary software creates the risk of foreign manipulation and potential attacks on critical infrastructure (see Stuxnet). But at least if your systems are attacked in this way, there are some ways to track this. If you are working on a computer that does not belong to you, that is based in a foreign country and is managed by people you don’t know in ways you cannot check, it will be very difficult to have any control over what happens to your data.

The old assumption, that using local servers could be part of the solution, seems unfortunately to be an illusion under the post-9/11 Empire. All cloud services offered by companies based in the US are subject to US legislation, even if the servers are physically in another country. And US law is now somewhat, shall we say, problematic. With no evidence, but with an allegation of involvement in “terrorism”, systems can be closed down or taken over – without any warning or the possibility of adversarial judicial review. The term “terrorism” has been stretched so far that anyone who allegedly breaks US law, even if they’re not a US citizen and even if they’re not in the US, can still be deemed a “terrorist”, just on the word of one of the many three-letter services (FBI, CIA, NSA, DIA, DHS, TSA, etc.). The EU was not happy about this but until the PRISM leak did not want to go so far as recommending that its citizens and other governments no longer use such services. PRISM is making it possible to at least have a serious discussion about this for the first time.

The long arm of the US Patriot Act goes even further than merely the servers of US companies on European soil. Domains can be “seized” and labelled: “this site was involved in handling child pornography”. Try explaining that as a business or non-profit organisation to your clients and (business) partners. Just using a .com, .org or .net extension as your domain name now makes you liable under US law. All Europeans can now be seized from their homes for breaking US law. So a .com domain name makes your server effectively US territory.

We were already aware that proprietary platforms like Windows and Google Docs were not suitable systems for important things such as running public or critical infrastructure. However, now it turns out, that every service delivered through a .com / .org / .net domain places you under de facto foreign control.

Solution? As much as possible, change to free/open-source software on local servers. Fortunately there are quite a few competent hosting companies and businesses in Europe. Use local country domains like .nl, .de, .fr or, if you really want to be bulletproof, take a .ch domain. These are managed by a Swiss foundation and these people take their independence seriously. If you still want to use Google (Docs), Facebook, Evernote, Mind Meister, Ning.com, Hotmail or Office 365 – please do so with the awareness that you have no privacy and fewer civil rights than English noblemen had in the year 1215.

Fighting evildoers
A few months ago, a government speaker was defending the ‘Clean IT’ project at a meeting of RIPE (the organisation that distributes IP addresses for Europe, the Middle East and Central Asia). Clean IT is a European project of Dutch origin which aims to combat the ‘use of the Internet for terrorist purposes’. The problem with this goal is that ‘internet’, ‘use’ and ‘terrorism’ remain undefined, nor does it seem anyone is very interested in sorting this out. This lack of clarity can in itself be useful if you are a government, because you can then take a project in any direction you like. A bit like when data retention was rammed through the EU parliament in 2005 with the promise that it would be used only against terrorism – a promise that was broken within a few months. In Germany, data retention has now been declared unconstitutional and been abolished, while the Netherlands has rampant phone tapping, despite a total lack of evidence of the effectiveness of these measures. That the databases of retained telecommunications data themselves become a target is not something that seems to be seriously taken into account in the threat analyses. All rather worrying for a government that is still usually unable to secure its own systems properly or ensure that external contractors do so.

Also, during the lecture on Clean IT much emphasis was placed on the public-private partnership to reassure the audience. It’s strange that a government first makes itself incompetent by outsourcing all expertise, then comes back after ten years and claims it cannot control those same companies, nor indeed their sub-contractors. The last step is then to outsource the oversight function to companies as well and reassure the citizens: “We let companies do it! Don’t you worry that we would do any of the difficult technical stuff ourselves, it’s all been properly outsourced to the same parties that messed up the previous 25 projects”.

Terrorism is obviously the access-all-areas pass – despite the fact that many more Europeans die slipping in the shower or from ill-fitting moped helmets than from terrorism. Moreover, we as Europeans have experience of dealing with terrorism. ETA, IRA and RAF were rendered harmless in previous decades by police investigations, negotiations and encapsulation. This was done without jeopardising the civic rights of half a billion European citizens. Even when IRA bombs were regularly exploding in London nobody suggested dropping white phosphorus on Dublin or Belfast.

I hope that the pre-9/11 vision of the EU Parliament will be rediscovered at some point. It would be nice if some parts of the ‘Free West’ could develop a policy that would justify our moral superiority towards Russia, when we demand that they stop political censorship under the guise of “security”.

Backup plan: DIY
If all else fails (and this is not entirely unlikely) we need a backup plan for citizens. Because despite all petitions, motions, actions and other initiatives our civil liberties are still rapidly diminishing. Somehow a slow-motion corporate coup has occurred where the government wants to increase “efficiency” by relying on lots of MBA-speak and corporate management wisdoms that worked so well for the banking sector. The fact that the government’s primary function thereby evaporates does not seem to bother most civil servants. And meanwhile the companies themselves are apparently too busy making profits and fighting each other to worry about civil rights and other archaic concepts from the second half of the 20th century.

So rather than always trying to influence a political system that so very clearly ignores our interests, we can simply take care of ourselves and each other directly. This conclusion may not be pleasant, but it gives clarity to what we have to do.

One good example would be to have educational and civil liberties organisations providing weekly workshops to citizens on how to install and use encryption software to regain some privacy. These organisations should use their clout to get the slogan of “crypto is cool” on everyone’s lips. Technologists and designers should focus their energies on promoting the hip and user-friendly aspects of these pieces of software. This may be a lot more fun than lobbying ossified political institutions and actually provide some concrete privacy results.

Since 2006 I have ensured my own email privacy by no longer relying on the law, but by using a server outside the EU, with an SSL connection to it through a VPN tunnel that enters the open Internet also outside the EU. I encrypt as many emails as possible individually with strong crypto (using free GPG software). The fact that all those hordes of terrorists (who, our government asserts, are swamping the planet) have no doubt also adopted such measures – for less than 20 Euros a month – makes most of the low-level spying a complete and pointless waste of resources. Assuming the point truly is fighting ‘terrorism’ – something that is becoming a bit doubtful in light of the above.

Despite what some of the ‘but I have nothing to hide’ apologists say, we have privacy rights and other civil liberties for the same reason we have a constitution. Not for situations where everything is OK but for those rare situations where things are not OK. Privacy is the last line of defence against governments who lose sight of their reason for existing (to serve their people). Privacy is therefore not the enemy of security but the most basic part of it. Because governments are much scarier than any would-be cyber-criminal or even terrorists. Criminals may steal some money and terrorists may kill a few people but when it comes to wars, mass repression or genocide you always need a government.

It is very obvious what European governments should be doing to promote the safety and security of their citizens and states. They already wrote it down in the summer of 2001. The fact that these measures are never part of any current ‘cybersecurity’ policy proposals should make people very suspicious, at least of their governments’ competence.

The above article was originally written for and published on Consortium News. On June 22nd I was interviewed by Chuck Mertz from ‘This is Hell!’ radio (Chicago, WNUR 89.3 FM). The entire program of that morning is on the This Is Hell! site. My interview (all 52 minutes of it) is here.


OHM and other Three-Letter-Agencies

<originally a column for OHM2013.org – also on HuffPo UK>

“Whatever you do will be insignificant, but it is very important that you do it.” – Mahatma Gandhi

This summer the Dutch hacker community, with help from friends all over the world, will organise the seventh hacker festival in a series that started in 1989 with the Galactic Hacker Party. The world has changed massively since then (we’ll get to that) but the goal of these gatherings remains the same: to share knowledge and ideas about technology and its implications for our world, have heated discussions on what we should do about the problems we see (sometimes well before many others see them), generally have fun in communicating without keyboards, and being excellent to each other.

Four years ago a somewhat unknown Australian hacker with some new ideas about the future of journalism gave the opening keynote at HAR2009. His site was called Wikileaks and some of us had a hunch that this concept might be going places. We had no idea just how far that would be…

Not long after the first gathering in the Netherlands in 1989, the Berlin Wall came down. While we can claim no connection, the interminable Cold War had finally ended and many of us felt, with the optimism so typical of youth, that world peace might just be possible in our lifetimes. We would go back to making rockets that went up instead of straight-and-level and other great things would follow.

Regrettably that was not to be. First the .coms imploded, then three skyscrapers in New York, and soon after that our entire economy turned out to be a sort of multi-level-marketing casino. The 3rd millennium has started with a bang that is still echoing around the planet. Since then we’ve seen the ‘free’ part of the world become rather un-free rather fast. “US Department of Homeland Security relaxing a ban on toenail clippers” would have been a scary headline for someone in 1993 on several levels. But in 2013 it is just one of those things to which people have sadly become accustomed.

What happened? And is there anything we can do about it? Why not ask some of the people who were insiders with some of those three-letter-agencies-that-many-of-us-fear*, who left and are now speaking out, often at great personal risk and cost. Five former insiders from different government organisations will all give talks about their experiences within various secret agencies and provide a historic context to what is happening right now.

The alphabet soup begins with ex-CIA Ray McGovern who is now an outspoken and indefatigable international peace campaigner. Ray will give a broad historic context based on his experiences as an analyst and presidential ‘daily-briefer’ during a career with the CIA that started during the Vietnam war.

Ex-FBI Coleen Rowley will talk about her experience working against organised crime and terrorist organisations at the FBI. She went public over the intelligence-sharing failures that allowed 9/11 to happen, and in 2002 was one of “Time” magazine’s Persons of the Year.

In a more recent case, ex-NSA and natural-born geek Thomas Drake and ex-DoJ Jesselyn Radack will discuss Tom’s whistleblowing case relating to his work for the NSA, where he was managing very large information-gathering projects. Tom was one of the first victims of the recent US push-back against whistleblowers under the reanimated 1917 US Espionage Act and was threatened with life in prison.

Annie Machon, a former intelligence officer for MI5, will discuss her experience working for UK’s Security Service against terrorist organisations, why she became a whistleblower about the crimes and incompetence of the UK spies, and how all of this relates to current developments both in the Middle East and the shredding of our civil liberties in the West.

To try to make sense of all these insights and figure out what we should do to get out of the mess, the five experts will discuss our options in a special “Spook Panel”, and you can join in. How can we resist, retain privacy and perhaps get back to a world where you can get on a plane without being prodded, scanned and forced to give up dangerous materials like mineral water?

It is easy and understandable to get depressed about the world today, but that doesn’t help. Hackers are people who do things. So join us, share your knowledge, creativity and talents to help figure out what we can do to fix this. New media, crypto, art, networks, music, blogging, fast & clever analysis of news and patient explanations of history & culture. We need it all and much more. And we need everyone to help out because while the freedom to play with tech is vital, the freedom to do so while not being subjected to ‘extraordinary rendition’, torture, or drone-strikes is even more important.

The summer of 1989 was long, hot and free. Let’s make another one at OHM2013.


*)If you don’t fear these agencies you’re either not paying attention or you have a very boring life.



Icelandic porn filter is overkill

<Originally a Webwereld column – in Dutch>

In the middle of election season in Iceland a debate is raging about the need to protect young children from violent pornographic imagery that can be found on the Internet. Although it is unclear what the scale of this problem is, there is concern about the methods used by some in the porn industry to market their wares. There is an idea that some firms use the old tobacco industry method of ‘get them while they’re young’.

As I was in Iceland recently I was fortunate enough to be asked my opinions on these matters by government officials. The entire debate is being conducted during election season, so the local media are on top of every word uttered by anyone from either government or the local digital civil liberties organisations. What causes most of the (international) attention is the specific plan to put a national filter on all Icelandic internet connections. This would be a first for a western democracy (although such filters have been tried in various Asian countries from Iran to China). Proposing a method that could very well be called censorship is incongruous in a modern and progressive society such as Iceland (the only country to have convicted its bankers over their part in the current global financial crisis).

Within a few hours of setting foot on Iceland I was asked by Smari McCarthy of the Icelandic Modern Media Initiative to sign their letter of protest (by now published) against the filtering proposal.

During an informal dinner a few days later with officials it became clear that no decision on a filter, or any other policy, had been made. The government was looking into the problem and discussing possible solutions. The emotive nature of the debate causes the problems and solutions to get mixed up. I therefore attempted to structure the discussion over dinner:

Goals:

1. minimizing the harm caused by violent/degrading imagery to young children in Iceland;

2. fighting the industry that makes money out of degrading humans.

As stated I think it is vital to see these as separate goals that may require completely separate policies. The first is clearly an Icelandic state issue, the second may require a multi-national approach, although there could be things Iceland can do to ‘not be part of the problem by funding this stuff’.

Methods:

1. The problem with a national filter on certain forms of internet traffic is that these filters work very poorly. This is because of the rapid speed of technological innovation on the supply side and the high creativity in circumventing the filter on the demand side. Once a filter-circumvention method has been found by one person, this knowledge will spread rapidly until it is everywhere. There are even special websites made by-and-for kids on how to circumvent filters and blocking software installed by parents/teachers/governments (their motto: ‘it is not a crime to be smarter than your parents’).

So the Icelandic government would open up a two-front technological info-war against both the porn industry (the very people who invented things like video-streaming over the internet) and its own citizens, some of whom may have a legitimate (if hard to understand) desire to watch certain content. Aside from the difficulty of forbidding things that are not perceived by their consumers to be harmful, this also makes the forbidden fruit more interesting for young people developing their independence and testing the limits of society.

But let us assume that some day in the future a filter is developed through a technical miracle (these sometimes do occur). Now you have built a working turnkey censorship infrastructure. The key question then is – who is actually in control of this infrastructure? Can you trust all possible future Icelandic governments or civil servants with the power to selectively turn off sources of information to all of Iceland?

In light of all the anti-terrorism laws being deployed against journalists, environmental and peace activists, and even citizens who fail to separate all their rubbish appropriately, this is not a theoretical problem.

2. Now for the porn industry and options for taking it down (assuming for the sake of discussion that this could be a legitimate objective for a government). In my view the best and most practical thing that Iceland can do is to be very minimalist and selective in enforcing US-style copyright. Cutting off the money supply is a very concrete and easy thing that much of the Internet is already doing to the porn industry. Instead of frustrating this process, as many governments seem to be doing, the Icelandic government should welcome it. Thus making sure that those who want such online content can get it without sending money to these organisations. People make porn to make money. Take away their business model, and the business will go away as well.

I do, however, remain puzzled by one question: how precisely does the porn industry make money from kids? Do children have credit cards? I would find it hard to believe that these companies are doing things in the hope of a new customer 9 years from now. The tobacco analogy only goes so far: cigarettes are usually bought in cash, online porn with credit card or paypal. The lack of statistics about the problem (how many kids have been affected: 5, 500, 5000? And how do we come by these numbers?) is also a problem.

Forbidden fruits vs managing the problem

Like drugs, porn and gambling will never be completely removed from society as long as certain people want them. But the problems they cause can be managed and minimised. Attempts at banning things are usually not the most effective way to reduce harm. Even the banning of ‘child porn’ (a complete misnomer as it is actually imagery of child abuse) has not clearly led to fewer children being harmed by the production of it. Production and distribution has gone so deeply underground that nobody really knows what is going on anymore. The fact that researching/discussing these issues is a now a legal minefield does not help the situation.

Meanwhile these laws have provided a very nice way to destroy almost any individual simply by hacking their PC/laptop/phone (usually fairly trivial), putting some forbidden material on it and reporting them to the police. Even if they are not convicted and sent to prison, their career and social standing will probably be destroyed beyond repair. Proving one’s innocence in such a case is nearly impossible.

The strangest point is that despite the heavy crackdown on images of child abuse, western police forces rarely take down known servers on their own soil. The idea that making imagery of child abuse (aka ‘child porn’) invisible by technical means somehow reduces harm to children is widespread, even though the actual harm is done during the production of the material rather than during its distribution.

Because the subject invokes such strong emotions many politicians (and their staff) will often make a strange logical leap. It goes like this:

1. this problem is terrible, we must do something;

2. this (a filter, ban, deploying the army) is something;

3. we must do this.

In the process of formulating soundbites for the evening news, the fact that something may be completely ineffective in solving the problem and also have major negative effects on society is forgotten. We see these kinds of illogical leaps all the time in areas like ‘the War on Terror’, ‘the War on Drugs’ and ‘Cyber-security’, where the solutions clearly fail and, in fact, cause massive new problems that are often worse than the original issue.

Much of the above casts serious doubt on the true goals and priorities of the government. Are we busy hiding stuff we would rather not see, or are we working on protecting children?

I have strongly suggested that the Icelandic government considers the above and uses any budget allocated for filters for improving sex education in schools and addiction support in the healthcare system. This may not yield immediate results but will most certainly do more good than implementing technical solutions that either do not work or turn Iceland into an informational dictatorship.

Update: Despite a change of power the debate over this continues in Iceland. Strangely, still with a complete lack of statistical information on the scale of the problem.


Cyberwar: the west started it

<originally a Webwereld column – in Dutch – also on HuffPo UK, Consortiumnews and Globalresearch>

The War Room, Dr. Strangelove - 1964

A few years ago, Israeli and American intelligence developed a computer virus with a specific military objective: damaging Iranian nuclear facilities. Stuxnet was spread via USB sticks and settled silently on Windows PCs. From there it searched networks for specific industrial centrifuges, driven by Siemens industrial control systems and spinning at high speed to separate Uranium-235 (the bomb stuff) from Uranium-238 (the non-bomb stuff).

Iran, like many other countries, has a nuclear program for power generation and the production of isotopes for medical applications. Most countries buy the latter from specialists such as the Netherlands, which produces medical isotopes in a special reactor at ECN. The western boycott of Iran makes it impossible to purchase isotopes on the open market. Making them yourself is far from ideal, but it is the only option that remains when imports are blocked.

Why the boycott? Officially, according to the U.S., because Iran does not want to give sufficient openness about its weapons programs. In particular, possible military applications of the nuclear program are an official source of concern. This concern is fairly recent and for some reason has only been reactivated after the US attack on Iraq (a lot of the original nuclear equipment in Iran was supplied by American and German companies with funding from the World Bank before the 1979 revolution). The most curious thing about all the allegations of Western governments about Iran is that they are never more than vague insinuations. When all 16 U.S. intelligence agencies in 2007 produced a joint study there was a clear conclusion: Iran is not developing a nuclear weapon (recent speech by the leader of this study here).

And that’s strange.

For if the 16 American intelligence services and their Israeli colleagues, the famous Mossad, can all agree that Iran is not making nuclear weapons, how do you justify an attack against civilian industrial infrastructure? And that this is the equivalent of a military attack is clear when you consider what would happen if Iran had been caught in a cyber attack on ‘our’ installations in Borssele or Indian Point.

Stuxnet is designed for a single purpose: damaging nuclear enrichment facilities in Iran. This is a country that may well perform these activities in accordance with the international agreements stipulated in the Non-Proliferation Treaty. Iran, like most other countries in the world (except Israel, India, Pakistan, South Sudan and North Korea), signed this treaty. Nuclear weapons are not allowed but a civil nuclear industry is, a detail that sometimes escapes the attention of editors. As does the reason why Iran is not a democracy. I’m not saying the Iranian government are darlings, but the country has not attacked anyone in the past 200 years, unlike several of our NATO partners.

But Stuxnet has made some things very clear to Iran and the rest of the non-Western world. It does not matter that you abide by established agreements and treaties. It does not matter that you’re not a threat to the West. It does not matter that the countries that accuse you most of violating the non-proliferation agreements (U.S. and Israel) are themselves the most egregious violators: the USA by delivering plutonium to Israel and Israel by not even signing the treaty and secretly stashing 100-200 nuclear bombs in the basement.

So there is no reason for you to stick to agreements or treaties, because it does not guarantee that the parties on the other side will do the same and it may put you at a strategic disadvantage. And if you are going to suffer the disadvantages of alleged conduct (boycotts, threats of bombing), it is logical that you also want the benefits. It is almost rational for Iran to develop a military nuclear program. Certainly North Korea seems to get away with it. As a bonus, it now has a few nuclear weapons, and that is still the best guarantee that the U.S. will not be bringing unsolicited packages of "democracy" (although a lack of oil wells also seems to help).

Like the attack on Iraq, which was carried out on the basis of deliberate lies (the US and UK knew Saddam had no WMDs), the U.S. again does not comply with the standards that it happily tries to impose on others. The result is that no-one takes such standards seriously anymore and the world (and cyberspace) becomes a wild west shooting gallery.

And that’s exactly what you do not want in a world where a handful of angry Chinese / Russian / Iranian / Iraqi / <insert other country> can completely anonymously and in secret take down your critical infrastructure. Western countries are much more vulnerable, due to their high degree of automation, than countries that have only just outgrown their third world status. Cyber weapons are relatively inexpensive and developing them is more difficult to detect than the construction of missiles and aircraft carriers. The best defense against them is the prevention of an arms race. As in a nuclear war, everybody loses in a cyber war. Safety in such a context is created by moral leadership (starting with: follow your own rules) and actively working at de-escalation. And that is exactly what the U.S. and Israel have not done.

With such friends, we are assured of a continuous stream of new enemies in countries that mainly want to be left alone, but that arm themselves just in case the "free West" is on the prowl in their region.

Setting up a Dutch Cyber Army while the sluices and pumping stations are equipped with factory-default passwords in their SCADA controllers seems pretty stupid. If you live in a glass house, not throwing stones, and not motivating others to do so, is the smarter move.

Update: a NATO research team has determined that the Stuxnet ‘attack’ against Iran was an ‘Act of Force’ (not an ‘Act of War’). We’ll see if that determination holds up if a non-NATO country (let’s say Iran) does the same to a NATO country.


Dining with spies

<originally a column for Webwereld – in Dutch – also on HuffPo UK>

Photo of an Israeli plutonium core, taken by a whistleblower

At their yearly conference the Dutch National Cyber Security Center (NCSC) stated this week that they want to listen more to the hacker community. It is fine that the government will at last listen to the people who have been ahead of the curve for decades, although the question remains why it has waited until 2013 to do this. Even if this had been done as recently as 5 or 10 years ago it would have saved an incredible amount of trouble and public money. I sincerely hope that the consultations with the hack(tivist) community are about more than just technical tricks, because most benefits to society are derived from discussing policy. For purely technical issues the usual consulting companies can always be hired, or hackers can simply be paid for their knowledge and advice, just like any other experts.

Meanwhile a big group of hackers was unhappy about the fact that they were not welcome and organised an alternative meeting. If the NCSC’s intentions for the coming year work out in practice, next time this might not be necessary. On the community side, these invitations to the table should be discussed openly and in detail (who sits at the table, and wearing what hat). Because when community contributions and possible commercial interests get mixed up, things quickly degenerate into bickering and arguing. I speak from experience ;-). Nobody is "representative" of the entire hacker community. The NCSC will have to adjust to the idea that we have no centralised organisation with a head office where you can meet up with the CEO/director/top-dog.

Unfortunately I could attend neither meeting, as I had a dinner engagement in London. This took place at the Embassy of Ecuador, where Julian Assange resides as a political refugee from US government extradition. This government has convened a secret grand jury to indict him for espionage (or just assassinate him without process – a perennial favourite). This despite the fact that he has violated no US law – journalism is still just about allowed. The small Embassy of Ecuador in London is now probably one of the best guarded places on earth, with both visible (police-trailer-with-antennae) and invisible surveillance.

The dinner was held in preparation for the presentation of the Sam Adams Award for Integrity in Intelligence, held the next day at the prestigious Oxford Union Society. This prize is awarded annually to someone who has played an important role in the field of intelligence, peace and human rights. Some former prize-winners and organisers gathered in London ahead of the ceremony to visit Julian Assange (another former winner), as he cannot leave the embassy property without risking a one-way trip to Cuba.

The winner this year was Dr. Thomas Fingar, who in 2007 was responsible for coordinating the National Intelligence Estimate on Iran. Despite enormous political pressure on him to produce the desired answer, Dr. Fingar did his job and analysed the facts. The study emphatically concluded that Iran had abandoned its nuclear weapons program in 2003. In his memoirs Governor G.W. Bush (the title of "elected" president being debatable) admitted that this report made it impossible for him to "use the US military to deploy against Iran" – you can hear the disappointed tone. Dr Fingar’s integrity saved lives, in this case potentially millions of Iranians and others in the region.

The sober (in terms of both atmosphere and alcohol) portion of the dinner was spent on planning the ceremony. After both the planning and several bottles had been dealt with, the conversation turned to the situation in the embassy. Naturally such a group will then speculate about eavesdropping by the former colleagues of tablemates Ray McGovern (CIA), Thomas Drake (NSA), Coleen Rowley (FBI), Annie Machon (MI5) and Ann Wright (US Army). Bugging devices in the walls and the ceiling through very slowly and silently drilled holes? Laser beams on the windows? Directional microphones from across the street? Microwave radar?

Talking with a group of former spies and Julian Assange about all the different ways to be eavesdropped on is a sure-fire way to lose any and all illusions about privacy. Fortunately for now, such aggressive surveillance need only be of concern to people who visibly and effectively speak truth to power. The power of intimidation – the push-back – used against you also provides a good measure of your effectiveness as an activist (or journalist). "If you’re not getting arrested every now and then, you need to try harder". In the Netherlands we have too many reporters who write what others tell them to, and too few journalists who write what others tell them not to. Respect to the small group in the latter category.

The planned programme for the award ceremony would be brutally swept off the table the following day by the Board of Trustees of the Oxford Union. The promised live streaming of video (and posting on the youtube channel of the Union) was blocked at the last minute on vague grounds. Apparently a discussion between former intelligence insiders is threatening enough to suspend a centuries-long tradition of openness and academic freedom of speech. Clearer evidence of the need for Wikileaks can hardly be imagined.

Update: a video clip of the speech of Julian Assange during last Wednesday's awards ceremony has been put online by the Oxford Union. The background of the video (originally the helicopter video leaked in April 2010) is replaced by the logo of the Union (in some of the shots of the audience in the debating chamber you can still see the original display). The official reason is that they are worried about possible copyright claims from the Pentagon (on a video that shows how journalists, citizens and children were shot with anti-tank weapons made from depleted uranium). Update 2: Wikileaks has published its own version of the speech.

Footage of the speeches of half a dozen other attendees (including the recipient of the prize who was the point of the entire gathering) will hopefully follow as soon as possible.

The Real News Network has produced an overview of the event and its broader context. This will remain relevant to understanding current global politics for a long time.


In memoriam: Aaron Swartz 1986 – 2013

Not sure what to say about the sudden death of Aaron Swartz, idealist, freedom-fighter-extraordinaire and friend of open access to information for all of humanity. Aaron spent his life fighting for humanity’s highest ideals, contributing to technologies most of us use every day (even if we don’t know it). It just feels like something is very, very wrong if the so-called ‘free world’ is killing its best and brightest for living up to its highest ideals. We’ve got big problems and cannot afford to lose people like Aaron.

Cory Doctorow has written a eulogy here, and Prof. Lawrence Lessig has an overview of the case the US Department of Justice (ha!) saw fit to launch against Aaron. Glenn Greenwald wrote about his heroic work over the last years in helping to defeat SOPA. A digital memorial to Aaron will be here for as long as there is an Internet. The files that started the case can be found here. Spread them around as wisely as possible.

But mostly just watch Aaron’s speeches and interviews, as many times as needed before you understand his ideas and ideals fully.

Update 28-06-2014: A documentary on the Aaron Swartz case, The Internet’s Own Boy, is now available online. Also on Archive.org.


Privacy, a decade on

<originally a column for Webwereld – in Dutch>

On July 11th 2001 the European Parliament published a report on the Echelon spy network and the implications for European citizens and businesses. Speculations about the existence of this network of Great Britain-and-her-former-colonies had been going on for years, but it took until 1999 for a journalist to publish a report that moved the subject out of the tinfoil-hat zone. The report of the EU Parliament contains very practical and sensible proposals, but because of events two months after publication, they have never been implemented. Or even discussed further.

Under the heading "Measures to encourage self-protection by citizens and enterprises" the report lists several concrete proposals for improving data security and confidentiality of communications for EU citizens. The document calls on Parliament to inform citizens about the existence of Echelon and the implications for their privacy. This information must be "accompanied by practical assistance in designing and implementing comprehensive protection measures, including the security of information technology". So not just some abstract government infomercial on TV/radio but hands-on tips to get some actual work done, please!

Appropriate measures

Other gems are the requests to "take appropriate measures to promote, develop and manufacture European encryption technology and software and, above all, to support projects aimed at developing user encryption technology, which are open-source" and "promote software projects whose source text is published, thereby guaranteeing that the software has no "back doors" built in (the so-called "open source software")". The document also explicitly mentions the unreliability of security and encryption technologies whose source code is not published. This is an issue that is a strict taboo in Dutch and UK discussions on IT strategy for governments (probably because some major NATO partners might be offended).

Also, governments must set a good example to each other and their citizens by "systematic use of encryption of e-mails, so that in the longer term this will be normal practice." This should in practice be realised by "ensuring the training and publication of their staff with new encryption technologies and techniques by means of the necessary practical training and courses." Even candidate countries of the EU should be helped "if they cannot provide the necessary protection by a lack of technological independence". Unfortunately, to this day, I cannot send encrypted mails to officials, and the vast majority of them do not even digitally sign their emails to allow me to verify the integrity of the content. This despite the fact that the software which makes this possible has been available as open source since before the publication of the report in 2001.

That one paragraph from the summer of 2001, when rational security policies had not yet been destroyed by September 11th, describes the basis for a solid IT policy that ensures the security and privacy of citizens against threats from both foreign actors and the government itself.

What a difference a decade makes …

Last Monday Privacy First organised a lecture & discussion evening on cyber security and its relationship with terrorism. Will van Gemert, director of National Cyber Security for the Coordinator for Counterterrorism and Security, gave a lecture on the relationship between privacy and security. In this lecture there was much talk about consumers, little about people/citizens (perhaps the difference is a bit foggy from the windows of government skyscrapers in The Hague). He also insisted that the Government is very much working with ‘the market’ and private parties. It was probably meant to be reassuring but had the opposite effect on most attendees. Ideas from the EU document mentioned above, such as better IT education, open source encryption and technological diversity as defensive tactics, were unfortunately completely unknown concepts. The ribbon on the doors of the Cyber Security section of the National Counter Terrorism organisation had just been cut, so perhaps things will be better in a year. We can but hope*.

A few weeks earlier, another government speaker defended, even more colourfully, the Clean IT project at a meeting of RIPE (the organisation that distributes IP addresses for Europe and Asia). Clean-IT is a European project of Dutch origin which aims to combat the use of the Internet for terrorist purposes.

Terrorism is not defined

The problem with this goal is that ‘internet’, ‘use’ and ‘terrorism’ remain undefined, nor is anyone very interested in sorting this out. This in itself can be useful if you are a government, because you can then take a project in any direction you like. A bit like when data retention was rammed through the EU parliament in 2005 with the promise that it would be used only against "terrorism" – a promise that was broken within a few months. In Germany, data retention has now been declared unconstitutional and abolished, while in the Netherlands we have rampant tapping, despite a total lack of evidence of the effectiveness of these measures. That all the databases of retained telecommunications data themselves become a target is not something that seems to be seriously taken into account in the threat analyses. All rather worrying for a government that is still usually unable to secure its own systems properly, or to ensure that hired private parties do so.

Also, during the lecture on Clean-IT much emphasis was placed on the public-private partnership to reassure the audience, yet this had a predominantly opposite effect. It’s strange that a government first proves itself incompetent by outsourcing all expertise, then comes back after ten years and claims it cannot control those same companies, nor indeed their sub-contractors. The final step is then to use that very outsourcing to companies as reassurance to citizens: "We let companies do it! So that you as a citizen don’t have to think we’re fiddling with it ourselves with our sausage fingers! It’ll all be fine." After Diginotar my confidence in the guiding and supervisory capacity of the government has dropped to just above absolute zero.

What a difference in approach between the summer of 2001 and today.

Terrorism is obviously the "access all areas pass" – but many more Europeans die slipping in the shower or from ill-fitting moped helmets than from "terrorism". Moreover, we as Europeans have experience of dealing with terrorism. ETA, IRA and RAF were rendered harmless in previous decades by police investigations, negotiations and encapsulation. This was done without jeopardising the civic rights of half a billion European citizens. Even when IRA bombs exploded weekly in London, nobody suggested dropping white phosphorus on Dublin or Belfast.

Hope

I hope* that the pre-9/11 vision of the EU Parliament will finally penetrate the Dutch Ministry of Security and Justice (formerly just ‘Justice’, soon ‘Love’?). Perhaps a new cabinet will lead to new initiatives and opportunities? It would be nice if the ‘free West’ could develop a policy that would justify our moral superiority towards Russia when we demand that they stop political censorship under the guise of "security".

* Hope: the desire for a future situation over which you have little or no influence: "I hope my plane does not crash."