Category: opensource

Bankrupting the NSA with Tails & defeating TTIP

On Tuesday July 8th 2014 I was once more a guest on Max Keiser’s programme ‘The Keiser Report‘. Max is a former Wall Street trader who foresaw the current economic crisis a decade ago. On his show he lets rip on the insane financial system and allows his guests to do the same.

Max asked me about the handbook ‘Information Security for Journalists‘ I co-authored with journalist Silkie Carlo. The tools and methods it describes can help is slowing down the NSA by increasing the cost of surveiling individuals by a factor of about 1 million. We also discussed the latest US-inspired attempt-at-corporate-takeover-disquised-as-trade-agreement known as TTIP. I think this wil be defeated in the same way as its smaller precursors ACTA and SOPA before it because it is not in Europe’s interest. This will require some serious action on behalf of Europeans since our politicians seem a tad slow in recognising the patterns here.

Full Keiserreport episode here on RT site and here on Youtube.

The other IT from another Europe

Also on Consortium News and Huffington Post

Over the last 10-15 years public IT in Europe has not developed in line with public interests, nor does it guarantee the fundamental rights of citizens such as privacy and freedom of expression. Tremendous opportunities in the field of economic development and employment have also been missed. Europe effectively outsources much of its information processing (software & services) to foreign parties at the direct cost of hundreds of billions of Euros (typically around 1% of GNP). The opportunity-cost to local economic growth and employment opportunities are much greater than that. Even more costly than either of these is the de-facto handing over of control of data of governments, businesses and individual citizens to foreign spies who use it for political manipulation, repression of citizens’ freedoms and industrial espionage. Although the warnings about the negative consequences of current policies date back at least 15 years, these aspects have been documented in irrefutable detail over the last year by the revelations of Edward Snowden. 12 months later there has not even been the beginning of a policy response.

It could all have been so different …

In the first 21 months of the 21st century, the dot-com bubble burst and then three skyscrapers in New York collapsed. Between these two events a largely forgotten report to the European Parliament appeared in the summer of 2001. This report described the scale and impact of electronic espionage in Europe by the U.S. and its ‘Echelon’ partners (Canada, UK, Australia and New Zealand). Besides a detailed problem analysis, the report also gave concrete examples of IT policies that governments could take to significantly limit foreign intelligence spying on Europe.

In the same period was U.S. government won one of the largest anti-trust cases its history, against Microsoft, and the EU followed this victory by launching a similar case that would also be won leading to the highest fine to a company for economic crimes in the history of the EU.

It was against this background that thinking about strategic versus operational aspects of IT in the public sector changed. The report on Echelon made it clear that reducing IT into a merely operational exercise had disastrous consequences on the sovereignty of European states with respect to, in particular, the United States (and perhaps in the near future, China, other technically capable countries or non-state organizations). The economic consequences of industrial espionage against many high-tech and R&D-intensive companies became a major concern for the government.

The IT policy of governments would from 2002 onwards be based first on the political principles of a democratic and sovereign state. This not only meant a very different policy in the field of technology selection and procurement, but also the balance between outsourcing versus in-house expertise and required an extreme degree of transparency from all suppliers. Open data standards for public information were required, and non-compliance resulted in severe penalties (although public ridicule from 2009 onward was generally the most effective). These new frameworks for public IT created a new market for service providers who based solutions on so-called ‘Free Software’ (previously better known as ‘opensource’). The high degree of transparency both in project implementation as the technology itself made for a well functioning market and made recycling of (parts-of) systems the norm. Spending on software fell sharply and the freed up budget was used for the recruitment of highly qualified IT workers under conditions that could compete with the offerings of market.

The full transparency with respect to both the IT projects and the tech itself, combined with a depth of expertise within the government, changed the market for public software and IT services. Quality rose steadily while prices remained permanently under pressure. Since all service providers had full access to all software used in government (with only a few exceptions in defense, justice and home affairs), there was a very open playing field where all providers were expendable (and those who performed below par were replaced regularly).

In addition, computer and IT education from kindergarten to university studies was fundamentally revised. Basic understanding of the operation of computers and information networks became as normal as reading and writing. From 2006 every 14 year-old was taught in school how to encrypt email and what the disadvantages were of using software whose source codes are not published. Through this awareness among young people in Europe the adoption of social media occurred very differently than in the U.S.. Young people not only had end-user skills but real understanding about what was happening to their information when sending a message or upload a photo to websites. Being careful with your private information was considered cool. The social media landscape was not dominated by a handful of U.S. companies, instead there was a landscape of federated services such as Diaspora who competed among themselves but were compatible in the same way as is the case with email. These services were sometimes somewhat centralized but, just as often, completely decentralized and run on micro-servers in many people’s homes (such as the UK-invented 35 Euro RaspberryPi).

Due to the high privacy and safety awareness online crime did not have much grip on most European countries. Hardly anyone was naive enough to log on to strange domains or websites in response to a fake email that appears to come from their bank. And the use of customized secure USB drives created by various banks was accepted as obvious for any major online financial transactions. At the level of organisations high levels of expertise and a high degree of diversity in technology implementations made for robust security that was only seldom breached. The large demand for experts in well-paid jobs also kept many would-be criminals from selling their skills for more destructive applications.

This is the IT that Europe could have had if other choices were made over the last 12 years. All the knowledge and technology for these choices were available in the first months of this century. Because these choices were not made Europe has spent hundreds of billions on software licenses and services from American companies, while there were cheaper (often free), more flexible and safer alternatives available that would not operate as a foreign espionage platform. All these hundreds of billions were not not invested in European service, training, education and R&D. The economic impact may be a multiple of the roughly $1 trillion in foreign software licenses spent by Europe this century, while the social cost resulting from manipulated politicians during transatlantic negotiations on trade or environmental matters will probably never be known.

Europe still has everything it needs to develop and implement such policies. It is not too late to turn, no matter how regrettable the policy failures of the last decade and no matter how many wasted billions. Today could be the first day of such a new course. Concrete examples in the Netherlands, Germany, France, Spain the UK and many other places show that this is not only possible, but almost immediately leads to huge savings, improved safety and independence from foreign parties in future IT choices.

It’s not often that regaining national sovereignty and the restoration of civil rights can spur national innovation and employment programs simultaneously. The only thing missing is the political will to stop rewarding businesses and governments that use their technological dominance to spy on the entire world. We have nothing to lose but our chains to the NSA.

Kerckhoffs lecture: what Europe needs to do after Snowden

At 12:30 on Friday 13th of June 2014 I will give the Kerckhoff Lecture at the Radboud Universities Kerckhoffs Institute for information security in Nijmegen in room HG00.068. For an audience of students and faculty who probably know more about the maths of cryptography than myself I will talk about the tech-policy implications of the Snowden revelations and why Europe has been doing so very, very little.

Imagine a whistleblower releasing detailed documentary proof of a group of organisations that dump large volumes of toxic mixed chemical waste in European rivers and lakes. The documents describe in detail how often (daily) and how toxic (very). Now imagine journalists, civic organisations and elected representatives all starting furious discussions about how bad this is and what the possible horrible consequences theoretically could be for european citizens.

Now imagine that this debate goes on and on for months as slowly more documentation is published showing ever more detailed descriptions of the various compounds in the toxic chemicals and what rivers and lakes precisely they are being dumped into.

Now imagine that no journalist, civic organisation or elected representative comes up with a single concrete and actionable proposal to stop the actual and ongoing toxic dumping or to prevent future organisations getting into the habit of illegal dumping.

Imagine also that both governments and public-sector organisations, including the ones responsable for health- and environmental matters continue not only to procure products and services from above organisations but also continue to give them the licences they need to operate.

Imagine that this goes on for month after month after month for a full year.

Now Imagine it turns out that the Government not only already knew about this 13 years before but also had a detailed report on practical solutions to clean up the mess and prevent future poisoning.

Imagine that.

Sounds incredible does it not?

Except this is precisely how Europe has been not-dealing with the revelations by Edward Snowden on industrialised mass-surveillance of our government & civic institutions, companies and citizens.

The EU has spent most of a year holding meetings and hearings to ‘understand’ the problem but has not produced a single word on what concrete actions could regain the right to privacy for its citizens now. This while a July 2001 report on Echelon, the NSA/GCHQ precursor program to the current alphabet soup, explained the scope of the problem of electronic dragnet surveillance and made practical and detailed recomendations that would have protected Europeans and their institutions had they been implemented. Currently only Germany has seen the beginnings of policies that will offer some protection for its citizens.

On Friday the 13th of June I will discuss the full scope of the NSA surveillance problem, the available technological and policy solutions and some suggestions about why they have not and are not being implemented (or even discussed).

Slides from lecture are here in ODF and PDF

Letter to Parliamentary Committee on Gov. IT projects

Letter below has been submitted to the Temporary Committee on Government IT. This document is a translation from the Dutch original.

Dear Members of the Committee on ICT ,

On June 1st, 2012 I was invited by your predecessors to contribute to the expert meeting of the Parliamentary Working Group on ICT projects in government. The written submission that I made at that time is here, including a video of those hearings (in Dutch).

As an IT architect but also as a concerned citizen, I have been actively involved with the IT policy of the government since 2002, focusing on the areas of electronic health records, security and open standards / open source software. On the latter issue I was the initiator of the 2002 Parliamentary ‘Motion Vendrik’ that advocated greater independence from dominant software suppliers. Last year I also served as a technical expert on the Committee of Minister Plasterk who advised on the (im)possibilities of electronic support for the electoral process.

Although this motion Vendrik from 2002 was translated into the Heemskerk Action Plan in 2007, this policy was quietly killed in 2010/11 by the lobbying power of large software vendors and the U.S. government. Even the Court-of-Audit was pressured to *not* ask certain questions in its 2011 report on the policy. Since 2002, the Netherlands has spent about 60-90 billion on foreign software, for which in many cases free, equally good or better alternatives are available. Their use is, however, actively hindered by both the Ministries of Education and Interior, as well as the VNG supported by the lobbying apparatus of major suppliers and the U.S. government.

This despite Justice Minister Donner’s 2004 letter to Parliament in response to the Motion Vendrik where he admitted that:

  • the government’s dependence on Microsoft was very great;
  • that this was a problem ;
  • and that by introducing open standards and the use of open source that could be solved.

This dependence has since become much greater and more than one billion Euro was spent on Microsoft licenses over the last decade. That money would have paid for 10,000 man-years of expertise to migrate away from Microsoft products. A large part of the money spent would have remained in the Dutch economy and returned to the state through tax and VAT. Not that 10,000 man-years would have been needed. The Municipality of Ede did it against the odds for a fraction of the cost and now saves 92 % on software expenses (and 25% on overall budget). The rest of the government has yet to take steps. Why is an important question.

In addition to the huge amounts of money involved (the VAT ends up mostly in the Irish exchequer due to inter-EU trade to Irish headquarters of IT companies), it has also become clear in recent months thanks to Edward Snowden in particular that U.S. software is deployed as espionage infrastructure . This has practical implications. For example, the current semi-privatised infrastructure of the national Electronic Health Records system has been put under technical management of an American company and therefore falls under the Patriot Act. But the Windows PCs ( which are de facto mandatory in secondary schools) and Gmail accounts (which are necessary to follow a University course) are part of the global spy network. Similarly with the iPhones that some of you might use, about which NSA internal documents boast of the 100% success rate in automated monitoring at zero dollars cost per device.

All this means that even if IT projects according to any definition ‘succeed operationally’ these often still violate the basic rights of millions of Dutch citizens (article 12 NL – Constitution, Art 8 ECHR , Art 12 UNDHR). Examples include electronic heatth records, transportation smart cards and many information processing systems of governments that have been outsourced on foreign soil and/or to foreign companies (such as the database of fingerprints that for many years has been linked to the issue of passports).

Both the EU and the Dutch government have been aware of this problem since the summer of 2001, yet nothing has since been done in the Netherlands to ensure the privacy of citizens or the data security of Dutch public and private institutions. Indeed, much has been done by the government which has greatly exacerbated this problem.

The above points, in my view, mean that a purely ‘operational ‘ approach to project success simply does not cover all the obligations of a democratic government in its role as guardian of the rights of its citizens.

This past weekend, I have viewed the first five videos of hearings and was most impressed by the contribution of Mr. Swier Jan Miedema. He seemed to be the only person genuinely committed to getting to the heart of the problems and saying out loud what he thought (although Prof . Verhoef also make quite a few wise points). The most compelling aspect of his testimony was the obvious fear of specifically naming a commercial party. This seems to confirm what many in the Dutch IT world know: companies like Centric abuse their dominant position in local government for short-term gain including the exclusion of anyone who is a threat to those gains (here another example).

That an IT professional of such seniority has to beat around the bush with a trembling voice is typical of the situation in the ‘market’ for public ICT. Institutionalized corruption and abuse of power is more associated with a developing country than a democracy.

In the conversations with both Mr. Miedema and other experts several members of the committee asked several times if these people could not suggest what would ‘solve’ all this. As if the problem was something that could be fixed with some trick. It is worryingly obvious that (two years and 8-12 billion after the start of the Commission) there is still the idea these problems can be solved by changing project-management methodology. Based on my experience, I believe that the problem is much more fundamental. I strongly urge you to look much more widely and more deeply at the problem and to not exclude your own role as parliamentarians in this. No questions or solutions should be taboo. Even if thereby the significant economic interests of above mentioned suppliers or the job security of groups of officials/civil servants must be called into question.

Both Mr. Miedema and Prof. Verhoef expressed the view that everything that happens can be broadly explained by the incompetence that exists in both the government and its suppliers. There are however, limits to the incompetence theory. Somewhere in the process the prolonged and appalling scale of wasting money, endangering the cyber security of the Netherlands and violating the privacy of millions of Dutch citizens has been allowed (or at least not considered an important subject). The fact that the Commission itself over the last 2 + years can spend a couple of hours a week on a problem that costs hundreds of millions of Euros monthly might also be an indication of some inexplicable non-priority. There are many officials, businesses, cybercriminals and intelligence services abroad that greatly benefit from the status quo. Look especially at those who do not come to your hearings.

In the 21st century laws are made reality by software. So it no longer befits a democracy to hand over control of that software to (often foreign) commercial parties. Executive parts of government must be accountable to you ultimately and without control over the technology that underpins their work this accountability is simply not possible.

Obviously I am willing to explain myself further as to above matters.

With kind Regards,

Arjen Kamphuis

June 9th 2014: In The other IT of another Europe I commemorate one year of the Snowden/NSA scandal by describing a scenario in wich other choices were made, choices that are still open to us today…

In memoriam: Aaron Schwarz 1986 – 2013

Not sure what to say about the sudden death of Aaron Schwarz, idealist, freedom-fighter-extraordinaire and friend of open access to information for all of humanity. Aaron spend his life fighting for humanity’s highest ideals, contributing to technologies most of us use every day (even if we don’t know it). It just feels like something is very, very wrong is the so-called ‘free world’ is killing its best and brightest for living up to its highest ideals. We’ve got big problems and cannot afford to lose people like Aaron.

Cory Doctorow has written a eulogy here, Prof Lawrence Lessig had an overview of the case the US Department of Justice (ha!) saw fit to launch against Aaron. Glen Greenwald wrote about his heroic work in helping to defeat SOPA over the last years. A digital memorial to Aaron will be here for as long as there is an Internet. The files that started the case can be found here. Spread them around as wisely as possible.

But mostly just watch Aaron’s speeches and interviews, as many times as needed before you understand his ideas and ideals fully.

Update 28-06-2014: A documentary on the case Aaron Swartz – The Internet’s Own Boy is now available online. Also on

Windows 8 does not have to be a disaster

<originally a Webwereld column – in Dutch – also on HuffPo UK>

Klik voor grotere afbeelding

Gartner, IT-journalists and even former employees of Microsoft agree: Windows 8 will be a disaster. The Metro interface designed for tablets (a market that virtually does not exist in relation to MS-Windows) is unworkable on a desktop with a vertical non-touch screen, keyboard and mouse. Most office spaces still have this and most run legacy applications with interfaces that rely on a Windows PC using a keyboard and mouse. It is precisely the ongoing purchase of desktop PCs with the combination of MS-Windows and MS Office that has kept Microsoft financially afloat over the last 15 years

The combination of legacy applications (mostly proprietary) and familiarity with MS Office, led many IT organisations to automatically buy the new Windows platform, despite the high cost of licences and support. The inevitable result is a world of pain, with new interfaces, a lack of compatibility and the sudden cessation of support for critical components. IT policy is organised around coping with these problems instead of focusing on sustainable alternative solutions. And solving or mitigating these problems requires so much time and money that there is often little left over to plan further ahead. Thus, in many organisations the perfect vicious circle has existed for so long that many IT people can not even see it.

An important point here is that Windows 8 is only a disaster for those who buy it and those who are unsuccessfully trying to sell it. For the rest of us, it is irrelevant. So if you use a Windows7 PC, Mac or Linux machine, is very easy to just let all this misery pass you by. After a disastrous version of Windows is released, another (slightly less) catastrophic version (think ME/XP or Vista/7) will follow, and for those who still genuinely believe that they need a Microsoft operating system, they merely hope that a half-decent version will come along in a few years.

Organisations that (virtually) no longer have platform-dependent applications because they have (to) provide a web interface, have no reason at all to even think about purchasing proprietary operating systems. Organisations that do use these applications are better just sticking with earlier (already purchased) versions of MS Windows, so that all interfaces remain compatible and end users can continue working in their familiar environment. The IT department’s resulting spare time and money can be used to break the vendor lock between applications and platforms.

Most application vendors are now thinking about web interfaces, or APIs for tablet apps (even if it is just to keep company directors happily playing with their iPads). Application vendors who are not yet doing this should understand that in times of tough cuts IT euros can only be spent once, either with them or with Microsoft. Seems an easy choice, right? Fortunately, even company-specific applications do not last forever and when the time comes where there is something new to choose from it is useful to calculate the TCO of applications by including the underlying infrastructure costs (licences, management, security), and compare this to the TCO of applications that do not have such dependencies. Conversely, you can also say to your hoster: “I do not care what platform you run my applications on, but what would I have to pay you if it is an open source stack?”. A little negotiation is always possible in a stagnant market.

As with Vista, the main victims of Microsoft’s iPad-wannabe software are the basic PC consumers – those who buy a PC or laptop from a retailer and get a machine with a pre-installed disaster. In the coming years many IT professionals will have to deal with family, friends and acquaintances crying down the phone because they cannot find or use their favorite or essential PC applications. It will be Vista revisited. Do your friends a favour and downgrade them to Win7 if needed or upgrade them to Ubuntu if possible. The main reason why home users still want Windows is for gaming. Fortunately, people have worked hard on alternatives, including by previously mentioned former employees.

Although I dislike the iPad because of its extremely locked-down platform, tablets (with the first iPad) have presented to non-techies, for the first time in 20 years, a completely different platform to the Windows PC. So for the first time in aeons there is a widespread discussion about possible alternatives. Once we take that mental step, we open the way to discuss IT policy that really starts with the question of how best functionality is achieved at the lowest possible cost (which may also lead to discussing the underlying platform).

If Microsoft’s profit margins on the Windows/Office combo are cut back to 20% (it is currently 60-80%) the TCO figures will be more reasonable. Like IBM, over the years Microsoft will become an ordinary business providing rather boring-but-sometimes-necessary products at more normal profit margins. And that, except for the shareholders, is not a disaster.

Update: in the week after publishing this column a few dozen Dutch governments organisations promptly made my point with the total loss of network functionality from a nasty Windows virus. The infection is still going on and the dataloss and privacy implications of the breach is still being investigated. many sysadmins have been working overtime to contain the problem. Of course there will be another one of these six months from now and so on and so on. This has been going on for years.

Doublethink and Zen

<originally a Dutch Webwereld column>

Doublethink is a concept that was introduced by George Orwell in his famous novel ‘1984 ‘. It is a mental mechanism that allows people to believe sincerely and simultaneously two completely opposing ideas without a problem.

In the ten years that I have been involved with open source and open standards in the Dutch public sector, I have encountered many double thinkers. So for years I have endured “experts” and insiders patiently explaining that the migration to open source desktops within that community would be impossible, because civil servants could not work with other platforms. Asking non-techies to use anything but the Windows + Office desktop they were taught at Dutch schools would lead to disaster. It Just Could Not Happen.

The certainty with which this (to this day) is  mouthed as an aphorism everywhere has always amazed me. Previously, the Netherlands had migrated from WP5.2 in DOS to Windows Word 6, yet the Earth kept turning, children went to school and there was water from the tap.

Multiple migrations, mostly outside the Netherlands, have also demonstrated that ordinary users can do their work well with alternative platforms, provided they are given some training and support (something, indeed, that is perfectly normal when migrating to new releases of the usual proprietary systems).

The same people who for years have claimed with great certainty that "It Just Could Not Happen” have been busily rolling out iPads to the many managers and directors, who for many and varied reasons discover they need one. Apparently the adoption of an entirely different platform with a totally different interface is not as problematic as was asserted for all those years. Huh?

The classic “civil service desktop” tribe, led by IT heads of ministries and municipalities and supported by Microsoft, Pinkroccade and Centric, have had many happy years of “standardising” the Netherlands on proprietary tools, the management of which would then be done by the Dutch business partners of Microsoft. When asked why such a vulnerable and expensive monoculture was necessary, the standard reply is "working together!". For “working together”, according to these people, can only occur if everyone works with exactly the same stuff (never mind that millions of people on the internet are working together with very different tools). And that stuff should be consistent with what people already know, because learning something new is ultimately ‘not realistic’.

The Web 2.0 tribe wants everything on "the cloud" so that with iPads they can “work together” from Starbucks with colleagues and consumer-citizens-entrepreneurs. That this places control of state information in the hands of uncontrolled private and foreign parties is not part of the discussion. "We must work with the most modern tools!" When asked what they do in concrete terms,  the  answer is almost always shifty or there is some muttering about experiments and the importance of “working together”.

Both of the above tribes mix at “e-government” conferences and other such events and hear both perspectives, one after the other, with nobody apparently perceiving  these contradictions. It is Doublethink in its ultimate form: simultaneously believing two contradictory ideas without experiencing a conflict: from 11:00 to 11:30 they can believe that a Microsoft monoculture is a necessary requirement for civil servants to “work together”, and then from 13:30 until 14:00 just as happily accept that all hip 2.0 workers, with their privately-bought iPads authorised via LinkedIn, must have access to the State-intranet so that they are finally able to “work together” with other officials. And nobody is pointing to the naked emperor and saying that at least ONE of these two stories has to be nonsense (and probably both).

Despite all this focus on collaboration between government organizations are regularly at odds, working against each other, re-inventing wheels 300 times, or point to each other when things go wrong. Even Caligula or G W Bush could still learn a thing or two from such levels of surrealism.

Proprietary vs. open source in government is just ONE of the examples where sly salesmen from dubious companies appear to be much more attractive than people with demonstrated expertise. Also in the cases of Electronic Health Records, voting computers, the public transport chip card and the security of its own systems, the government actively chose lying, cheating vendors and/or incompetent bureaucrats over its own citizens and academics with a proven expertise.

After last year’s ‘Leaktober month’ and the Diginotar drama, it appeared that some light might finally break in, but now it is clear that one deals with problems by treating them as an immutable fact of reality. With the logic of “as it is now, so shall it remain”, the years-long impetus towards greater vendor independence and diversity of systems ground to a halt. Now the same logic is used as an excuse to defend failure everywhere. It’s a bit like claiming to achieve fire safety by shouting that not every building is on fire, and anyway the fire engines can drive with 130km/hr away – "We react so quickly!". Prevention is seen as difficult and, moreover, "as it is now, so shall it remain – you will never be safe."

Despite this latest capitulation to foreign intelligence services and criminals, yet more megalomaniac IT projects are underway. Citizens continue to entrust the government with all their personal information, despite the fact that the government itself admits to being unable to protect them adequately. When working on such projects, you’d need to remain in a permanent state of Doublethink to avoid a serious moral dilemma.

Once the Netherlands had a government that built the Delta Works to keep the sea out and ensured that the country was ranked in the global top 2 or 3 in the fields of health, education, social security, security, democracy and transparency of governance. Only Sweden and Denmark sometimes did better.

Today feels like the Dutch government is abolishing itself. It knows nothing, wants nothing, does nothing. Perhaps we the citizens should do the same. Give them nothing, ask for nothing, expect nothing. The Zen of the citizen-government relationship. Happiness is low expectations!