Insurance companies that are excellent from a customer’s perspective will still need to have operational excellence. This is necessary because efficient processes enable affordable premiums. The challenge is to make the operational excellence “invisible” for the customer, to treat the customer in such a way that he or she doesn’t notice the processes needed to deliver the service. Ideally, there’s a lean machine on the inside, while customers get the feeling they are receiving personally tailored service. This requires thought about where the “machine” part of the processes ends and the “human”, emphatic part begins. Not everything that can be done by software should be done by software. The telltale sign that the proportions are right is the customer enjoying a pleasant experience.

How can such a combination of operational excellence and customer intimacy be achieved?

Big data is an important tool to achieve this. Now, it really is possible to have an intimate relationship with the customer. However, this can only come about if several preconditions are fulfilled. Firstly, you must be highly compliant. Secondly, and most crucially, you should proactively contact pressure groups such as Bits of Freedom, EURM or the Chaos Computer Club. You can ask them to ask you difficult questions about how you handle privacy and protect the secrecy and integrity of the customer data that you use. You can also discuss the legitimacy of the goals you use the data for. The same must be done with customer focus groups. In the end, much of what can or cannot be done is dependent on individual preferences. You should enable and encourage an informed customer choice about when to supply what data. Don’t make assumptions about what customers prefer, but ask and validate. Fourthly, data should always be protected and encrypted to minimise the chance of anyone gaining illegal access. Finally, the hard- and software that you use should come from suppliers that are demonstrably not associated with any illicit eavesdropping, be it by corporate or government organisations. Insurance companies may struggle to put all of this into practice, not least because they have to deal with a lot of legacy hard- and software. This complexity is unavoidable, and you should be super-transparent about it.

The important thing here is that you “live” your data philosophy, not only in communication but also in visible behaviour. Be explicit about what level of assurance regarding data is possible today, and how that’s going to improve over the next few years. Have a credible road map for getting to the technical solutions that are needed. And again, get into contact with opinion leaders. Invite them to a dialogue to design a code of conduct, organise an employee training day on internal compliance together. It’s bound to be educational for all involved. If you act on your good intentions in this way, there are still going to be blow-ups because of data problems. But even then, a good relationship with opinion leaders will help enormously in containing the damage.

You also said American companies are at a disadvantage in terms of reassuring customers worried about privacy because of the nature of US privacy laws and the scandals surrounding the NSA. Does this also mean you see new business oppor­tunities for European insurance companies?

Sure. European insurance companies could provide “privacy-strong” ISP services, data centres or cloud space guaranteed to be compliant with Article 12 of the UN Charter. And what about a “safe Facebook”? What about a service that says to the customer: we will help you leave Facebook behind you? Moreover, providing high-privacy/ security online services to (European) customers is not only a business opportunity for the insurance sector, but also a great way to show leadership in socially responsible entrepreneurship. The privacy issue will only grow as more of the 78,000 plus documents from Snowden are released (so far we’ve seen only about 200, and the best is being saved for last). Insurance companies can work towards being the trusted parties by way of clear moral leadership on customer interaction and care of data. Such companies would surely also attract some of the most talented and motivated employees: everyone wants to work for companies that are seen to be leaders.

• “He is a really inspiring person with a truly interesting vision for IT and the insurance business.”
• “Thank you, Arjen! Your presentation was refreshingly blunt and, in my opinion, realistic. I think Eurapco showed courage inviting you to speak about things most of us want to ignore.”

‘Refreshingly blunt’, best compliment I’ve had in a long time 😉

NSA intell goldmine, who else has access?

<also on HuffPo UK>

Shortly after the initial release of some documents from whistleblower Edward Snowden I wrote a little summary about the IT-policy implications for Europe based on earlier columns. A lot of additional documents have come out since then and we can basically conclude that almost every computer system on the planet is fully broken or at least very vulnerable to NSA interference or manipulation.

Nobody, including the NSA, Edward Snowden, Glenn Greenwald has a total oversight of all the in the tens of thousands of documents let alone the political or strategic implications of the info contained in them. Most of the news keeps focusing on the ‘scandal’ aspect and/or the person of Snowden. Being angry at the US government (practised by most opponents) and attacking the person of Snowden (a favorite of apologists of the US regime) distracts from defining adequate policy responses and so far there have been precisely none in Europe. This constitutes a massive failure of the various EU governments to protect their citizens’ rights and the economic sovereignty of their nations. It is also strange in light of the fact that an adequate policy response had already been formulated in July 2001 and really just needs to be implemented.

But every now and them the disinfo spread by some apologists for the behaviors of the NSA is useful for understanding how much worse the situation may just turn out to be. This article by a former NSA employee is a nice example of an attempt at smearing the whistleblower while actually digging the hole the NSA (and the US regime) is in much, much deeper. The piece claims Snowden secretly worked for Russian intelligence all along. While I do not share the authors views on Snowden’s motivations or allegiances the suggestion that outside organisations could have agents inside the NSA has some interesting implications.

If I understand the gist of this post correctly there is a much bigger breach than one would conclude based on the mainstream news from the Guardian. Not only can (and does) the NSA collect pretty much everything anyone does in the digital realm by breaking systems and breaking into systems. They then are unable to protect this sigint goldmine from falling into the hands the agents of foreign intelligence organisations. So now all our data is in the hands of both the US and Russian governments. This begs the question what other organisations have deep-cover moles inside the NSA using its infrastructure to do the hard works of global sigint for them? The Chinese government? A South-American drugs Cartel? Private Military Companies? Journalists-activist-terrorists? Goldman Sachs? The implications are astounding.

If what this academic-with-the-columnist-style says it true the disaster is exponentially much bigger than it would initially appear to be and this has very little to do with any ‘damage’ to the US image (it’s got nowhere to go but up by now) or its ability to ‘do’ intelligence. First America gave the world the Internet as a global comms infrastructure and now it has given an unknown number of completely unaccountable actors the keys to this infrastructure to do with as they please.

A Russian/Chinese/Israeli/Iranian spy will benefit both from the sigint collected by the NSA systems and even more from the info about what the US Intelligence community is (and is not) looking at. They could maybe also manipulate the collection process to steer the NSA away from things they would like to remain unseen. Any serious spy organisation would spend a lot of resources on creating that ability since the US has made itself totally dependent on signals intelligence as opposed to humans in the field who speak languages and understand cultures.

If the NSA has created a global spying machine whose output they cannot control perhaps it would be best to shut the whole thing down today. This would also have the additional benefit of respecting the human right of privacy (as described in Article 12 of the universal declaration of human rights) for most of humanity.

The missed opportunity of avoiding PRISM

<originally a column for Consortium News>

On July 11th 2001 the European Parliament published a report on the Echelon spy network and the implications for European citizens and businesses. Speculations about the existence of this network of Great Britain-and-her-former-colonies had been going on for years but it took until 1999 for a journalist to publish a report that moved the subject out of the tinfoil-hat- zone. The report of the EU Parliament contains very practical and sensible proposals, but because of events two months later across the Atlantic, they have never been implemented. Or even discussed further.

Under the heading “Measures to encourage self-protection by citizens and enterprises” lists several concrete proposals for improving data security and confidentiality of communications for EU citizens. The document calls on Parliament to inform citizens about the existence of Echelon and the implications for their privacy. This information must be “accompanied by practical assistance in designing and implementing comprehensive protection measures, including the security of information technology“.

Other gems are the requests to “take appropriate measures to promote, develop and manufacture European encryption technology and software and, above all, to support projects aimed at developing user encryption technology, which are open-source” and “promote software projects whose source text is published, thereby guaranteeing that the software has no “back doors” built in (the so-called “open source software”)”. The document also mentions explicitly the unreliability of security and encryption technologies whose source code is not published. This is an issue that is a strict taboo in Dutch and UK discussions on IT strategy for governments (probably because certain major NATO partners might be offended).

Also, governments must set a good example to each other and their citizens by “systematic use of encryption of e-mails, so that in the longer term this will be normal practice.” This should in practice be realised by “ensuring the training and publication of their staff with new encryption technologies and techniques by means of the necessary practical training and courses.” Even candidate countries of the EU should be helped “if they cannot provide the necessary protection by a lack of technological independence“.

That one paragraph from the summer of 2001, when rational security policies had not yet been completely destroyed by 9/11, describes the basis for a solid IT policy that ensures security and privacy of citizens against threats from both foreign actors and the government itself (historically always the greatest threat to its citizens and the reason why we have constitutions).

Had these policies been implemented over the last decade then the PRISM revelations of the last week would have been met mostly with indifference. European citizens, governments and companies would be performing most of their computing and communications on systems controlled by European organisations, running software co-developed in Europe and physically located on European soil. An American problem with an overreaching spy apparatus would have been just that, an American problem – like teenagers with machine guns or lack of universal healthcare, just one more of those crazy things they do in the colonies to have ‘freedom’.

From the proprietary frying pan into the cloudy fire
Over eleven years ago, I was talking to Kees Vendrik (Dutch MP) about the broken European software market. Not only was it impossible to buy a brand laptop without having to buy a Microsoft Windows licence, it was also impossible to visit many websites (municipalities, railways and many others) without using Internet Explorer. The latter area has greatly improved and I can today lead my life using my OS and browsers of choice. The Dutch dependence on products such as MS Windows/Office has not really diminished however, despite all the wishes expressed by Parliament and attempts at government policies. Today it is not possible to finish secondary school as a student without owning and using several pieces of proprietary software. Imagine making a certain brand of pen mandatory for schools and picking a brand of pen that comes with a spying microphone (not under control of the user). That is the current situation in practical terms in the Netherlands and UK amongst others. Germany, France and Spain are doing slightly better by at least acknowledging the problem.

Meanwhile, the technological seismic shift that frightened Bill Gates so much back in ’95 (the web makes the operating system irrelevant) is fast becoming reality. Almost all new developments discussed by IT power players and specialists are web-based or based on open specifications and the most commonly used applications are running quite well as service in a browser.

So while the 15-20 year old problem of software dependency has never really been resolved (governments, with tens of thousands of IT workers, are still unable to wean itself off the familiar Microsoft technology stack), its impact is slowly becoming less relevant. Meanwhile, new dependencies based on ‘cloud’ providers are now proven to be even more detrimental.

Excessive use of proprietary software creates the risk of foreign manipulation and potential attacks on critical infrastructure (see Stuxnet). But at least if your systems are attacked in this way, there are some ways to track this. If you are working on the computer that does not belong to you, that is based in a foreign country and is managed by people you don’t know in ways you cannot check, it will be very difficult to have any control over what happens to your data.

The old assumption, that using local servers could be part of the solution, seems unfortunately to be an illusion under the post-9/11 Empire. All cloud services offered by companies based in the US are subject to US legislation, even if the servers are physically in another country. And US law is now somewhat, shall we say, problematic. With no evidence, but with an allegation of involvement in “terrorism”, systems can be closed down or taken over – without any warning or the possibility of adversarial judicial review. The term “terrorism” has been stretched so far in that anyone who allegedly breaks US law, even if they’re not a US citizen and even if they’re not in the US can still a deemed “terrorist”, just on the word of one of the many three-letter services (FBI, CIA, NSA, DIA, DHS, TSA, etc.). The EU was not happy about this but until the PRISM leak did not want to go so far as recommending its citizens and other governments to no longer use such services. PRISM is making it possible to at least have a serious discussion about this for the first time.

The long arm of the US Patriot Act goes even further than merely the servers of US companies on European soil. Thus domains can be “seized” and labelled: “this site was involved in handling child pornography“. Try explaining that as a business or non-profit organisation to your clients and (business) partners. Just using one .com, .org or .net extension as your domain name now makes you makes you liable under US law. All Europeans can now be seized from their homes for breaking US law. So a .com domain name makes your server effectively US territory.

We were already aware that proprietary platforms like Windows and Google Docs were not suitable systems for important things such as running public or critical infrastructure. However, now it turns out, that every service delivered through a .com / .org / .net domain places you under de facto foreign control.

Solution? As much as possible, change to free/opensource software on local servers. Fortunately there are quite a few competent hosting companies and businesses in Europe. Use local country domains like .nl, .de, .fr or, if you really want to be bullet proof, take a .ch domain. These are managed by a Swiss foundation and these people take their independence seriously. If you still want to use Google (Docs), Facebook, Evernote, Mind Meister, Ning.com, Hotmail or Office 365 – please do so with the awareness that you have no privacy and fewer civil rights than English noblemen had in the year 1215.

Fighting evildoers
A few months ago, a government speaker was defending the ‘Clean IT’ project at a meeting of RIPE (the organization that distributes IP addresses for Europe and Asia). Clean-IT is a European project of Dutch origin which aims to combat the ‘use of the Internet for terrorist purposes’. The problem with this goal is that ‘internet’, ‘use’ and ‘terrorism’ remain undefined, nor does it seem anyone is very interested in sorting this out. This lack of clarity in itself can useful if you are a government because you can then take a project in any direction you like. A bit like when data retention was rammed through the EU parliament in 2005 with the promise that it would be used only against terrorism – a promise that was broken within a few months. In Germany, data retention has now been declared unconstitutional and been abolished, while the Netherlands has rampant phone tapping, despite a total lack of evidence of the effectiveness of these measures. That all the databases of retained telecommunications data themselves become a target is not something that seems seriously to be taken into account in the threat analyses. All rather worrying for a government that is still usually unable to secure its own systems properly or ensure that external contractors do so.

Also, during the lecture on Clean-IT much emphasis was placed on the public-private partnership to reassure the audience. It’s strange that a government first makes itself incompetent by outsourcing all expertise, then it comes back after ten years and claims it cannot control those same companies, nor indeed their sub-contractors. The last step is then to outsource the oversight function to companies as well and reassurance the citizens: “We let companies do it! Don’t you worry that we would do any of the difficult technical stuff for ourselves, it’s all been properly outsourced to the same parties that messed up the previous 25 projects”.

Terrorism is obviously the access all areas pass – despite the fact that many more Europeans die slipping in the shower or from ill-fitting moped helmets than from terrorism. Moreover, we as Europeans have experience of dealing with terrorism. ETA, IRA and RAF were rendered harmless in previous decades by police investigations, negotiations and encapsulation. This was done without jeopardizing the civic rights of half a billion European citizens. Even when IRA bombs were regularly exploding in London nobody suggested dropping white phosphorous on Dublin or Belfast.

I hope that the pre-9/11 vision of the EU Parliament will be rediscovered at some point. It would be nice if some parts of the ‘Free West’ could develop a policy that would justify our moral superiority towards Russia, when we demand that they stop political censorship under the guise of “security”.

Backup plan: DIY
If all else fails (and this is not entirely unlikely) we need a backup plan for citizens. Because despite all petitions, motions, actions and other initiatives our civil liberties are still rapidly diminishing. Somehow a slow-motion corporate coup has occurred where the government wants to increase “efficiency” by relying on lots of MBA-speak and corporate management wisdoms that worked so well for the banking sector. The fact that the government’s primary function thereby evaporates does not seem to bother most civil servants. And meanwhile the companies themselves are apparently too busy making profits and fighting each other to worry about civil rights and other archaic concepts from the second half of the 20th century.

So rather than always trying to influence a political system that so very clearly ignores our interests, we can simply take care of ourselves and each other directly. This conclusion may not be pleasant, but it gives clarity to what we have to do.

One good example would be to have educational and civil liberties organisations providing weekly workshops to citizens on how to install and use encryption software to regain some privacy. These organisations should use their clout to get the slogan of “crypto is cool” on everyone’s lips. Technologists and designers should focus their energies on promoting the hip and user-friendly aspects of these pieces of software. This may be a lot more fun than lobbying ossified political institutions and actually provide some concrete privacy results.

Since 2006 I have ensured my own email privacy by no longer relying on the law, but by using a server outside the EU, SSL connection to it through a VPN tunnel entering the open Internet also outside the EU. I encrypt as many emails as possible individually with strong crypto (using Free GPG software). The fact that all those hordes of terrorists (who, our government asserts, are swamping the planet) have no doubt also adopted such measures – for less than 20 Euros a month – makes most of the low-level spying a complete and pointless waste of resources. Assuming the point truly is fighting ‘terrorism’ – something that is becoming a bit doubtful in light of the above.

Despite what some of the ‘but I have nothing to hide’ apologists say we have privacy rights and other civil liberties for the same reason we have a constitution. Not for situations were everything is OK but for those rare situations where things are not OK. Privacy is the last line of defence against governments who lose sight of their reason for existing (to serve their people). Privacy is therefore not the enemy of security but the most basic part of it. Because governments are much scarier than any would-be cyber-criminal or even terrorists. Criminals may steal some money and terrorists may kill a few people but when it comes to wars, mass repression or genocide you always need a government.

It is very obvious what European governments should be doing to promote the safety and security of their citizens and states. They already wrote it down in the summer of 2001. The fact that these measures are never part of any current ‘cybersecurity’ policy proposals should make people very suspicious, at least of their governments’ competence.

The above article was originaly written for and published on Consortium News. On June 22nd I was interviewed by Chuck Mertz from ‘This is Hell!’ radio (Chicago, WNUR 89.3 FM). The entire program of that morning is on the This Is Hell! site. My interview (all 52 minutes of it) is here.

OHM and other Three-Letter-Agencies

<originally a column for OHM2013.org – also on HuffPo UK>

“Whatever you do will be insignificant, but it is very important that you do it.” – Mahatma Gandhi

This summer the Dutch hacker community, with help from friends all over the world, will organise the seventh hacker festival in a series that started in 1989 with the Galactic Hacker Party. The world has changed massively since then (we’ll get to that) but the goal of these gatherings remains the same: to share knowledge and ideas about technology and its implications for our world, have heated discussions on what we should do about the problems we see (sometimes well before many others see them), generally have fun in communicating without keyboards, and being excellent to each other.

Four years ago a somewhat unknown Australian hacker with some new ideas about the future of journalism gave the opening keynote at HAR2009. His site was called Wikileaks and some of us had a hunch that this concept might be going places. We had no idea just how far that would be…

Not long after the first gathering in the Netherlands in 1989, the Berlin Wall came down. While we can claim no connection, the interminable Cold War had finally ended and many of us felt, with the optimism so typical of youth, that world peace might just be possible in our lifetimes. We would go back to making rockets that went up instead of straight-and-level and other great things would follow.

Regrettably that was not to be. First the .coms imploded, then three skyscrapers in New York, and soon after that our entire economy turned out to be a sort of multi-level-marketing casino. The 3rd millennium has started with a bang that is still echoing around the planet. Since then we’ve seen the ‘free’ part of the world become rather un-free rather fast. “US Department of Homeland Security relaxing a ban on toenail clippers” would have been be a scary headline for someone in 1993 on several levels. But in 2013 it is just one of those things to which people have sadly become accustomed.

What happened? And is there anything we can do about it? Why not ask some of the people who were insiders with some of those three-letter-agencies-that-many-of-us-fear*, who left and are now speaking out often at great personal risk and cost. Five former insiders from different government organisations will all give talks about their experiences within various secret agencies and provide a historic context to what is happing right now.

The alphabet soup begins with ex-CIA Ray McGovern who is now an outspoken and indefatigable international peace campaigner. Ray will give a broad historic context based on his experiences as an analyst and presidential ‘daily-briefer’ during a career with the CIA that started during the Vietnam war.

Ex-FBI Coleen Rowley will talk about her experience working against organized crime and terrorist organisations at the FBI. She went public over the intelligence-sharing failures that allowed 9/11 to happen, and in 2002 was voted “Time” Person of the Year.

In a more recent case, ex-NSA and natural-born geek Thomas Drake and ex-DoJ Jesselyn Radack will discuss Tom’s whistleblowing case relating to his work for the NSA were he was managing very large information gathering projects. Tom was one of the first victims of the recent US push-back against whistleblowers under the reanimated 1917 US Espionage Act and was threatened with life in prison.

Annie Machon, a former intelligence officer for MI5, will discuss her experience working for UK’s Security Service against terrorist organisations, why she became a whistleblower about the crimes and incompetence of the UK spies, and how all of this relates to current developments both in the Middle East and the shredding of our civil liberties in the West.

To try to make sense of all these insights and figure out what we should do to get out of the mess, the five experts will discuss our options in a special “Spook Panel”, and you can join in. How can we resist, retain privacy and perhaps get back to a world where you can get on a plane without being prodded, scanned and forced to give up dangerous materials like mineral water?

It is easy and understandable to get depressed about the world today, but that doesn’t help. Hackers are people who do things. So join us, share your knowledge, creativity and talents to help figure out what we can do to fix this. New media, crypto, art, networks, music, blogging, fast & clever analysis of news and patient explanations of history & culture. We need it all and much more. And we need everyone to help out because while the freedom to play with tech is vital, the freedom to do so while not being subjected to ‘extraordinary rendition‘, torture, or drone-strikes is even more important.

The summer of 1989 was long, hot and free. Let’s make another one at OHM2013.

*⁾If you don’t fear these agencies you’re either not paying attention or you have a very boring life.

Privacy, a decade on

<originally a column for Webwereld – in Dutch>

On July 11th 2001 the European Parliament published a report on the Echelon spy network and the implications for European citizens and businesses. Speculations about the existence of this network of Great Britain-and-her-former-colonies had been going on for years but it took until 1999 for a journalist to publish a report that moved the subject out of the tinfoil-hat- zone. The report of the EU Parliament contains very practical and sensible proposals, but because of events two months after publication, they have never been implemented. Or even discussed further.

Under the heading "Measures to encourage self-protection by citizens and enterprises" lists several concrete proposals for inproving data security and confidentiality of communications for EU citizens. The document calls on Parliament to inform citizens about the existence of Echelon and the implications for their privacy. This information must be "accompanied by practical assistance in designing and implementing comprehensive protection measures, including the security of information technology". So not just some abstract government infomercial on TV/radio but hands-on tips to get some actual work done please!

Appropriate measures

Other gems are the requests to "take appropriate measures to promote, develop and manufacture European encryption technology and software and, above all, to support projects aimed at developing user encryption technology, which are open-source" and "promote software projects whose source text is published, thereby guaranteeing that the software has no "back doors" built in (the so-called "open source software") ". The document also mentions explicitly the unreliability of security and encryption technologies whose source code is not published. This is an issue that is a strict taboo in Dutch and UK discussions on IT strategy for governments (probably because some major NATO partners might be offended).

Also, governments must set a good example to each other and their citizens by "systematic use of encryption of e-mails, so that in the longer term this will be normal practice." This should in practice be realised by "ensuring the training and publication of their staff with new encryption technologies and techniques by means of the necessary practical training and courses." Even candidate countries of the EU should be helped "if they cannot provide the necessary protection by a lack of technological independence". Unfortunately to this day I cannot send encrypted mails to officials and the vast majority of them do not even digitally sign their emails to allow me to verify the integrity of the content. Despite the fact the software that makes this possible has been available as open source since before publication of the report in 2001.

That one paragraph from the summer of 2001, when rational security policies had not yet been destroyed by September 11th, decribes the basis for a solid IT policy that ensures security and privacy of citizens against threats from both foreign actors and the government itself.

What a difference a decade makes …

Last Monday Privacy First organised a lecture & discussion evening on cyber security and the relationship with terrorism. Will van Gemert, director of National Cyber ??Security for the Coordinator for Counterterrorism and Security gave a lecture on the relationship between privacy and security. In this lecture there was much talk about consumers, little about people/citizens (perhaps the difference is a bit foggy from the windows of government skyscrapers in The Hague). He also insisted that the Government is very much working with ‘the market’ and private parties. It was probably meant to be reassuring but had the opposite effect on most attendees. Ideas from the EU document mentioned above, such as better IT education, open source encryption and technological diversity as defensive tactics, were unfortunately completely unknown concepts. The ribbon on the doors of the Cyber ??Security section of the National Counter Terrorism organisation had just been cut ,so perhaps things will be better in a year. We can but hope*.

A few weeks earlier, another of our government speakers defending even more colourfully the Clean IT project at a meeting of RIPE (the organization that distributes IP addresses for Europe and Asia). Clean-IT is a European project of Dutch origin which aims to combat the use of the Internet for terrorist purposes.

Terrorism is not defined

The problem with this goal is that ‘internet’, ‘use’ and ‘terrorism’ remain undefined, nor is anyone very interested in sorting this out. This in itself can useful if you are a government because you can then take a project in any direction you like. A bit like when data retention was rammed through the EU parliament in 2005 with the promise that it would be used only against "terrorism" – a promise that within a few months was broken. In Germany, data retention has now been declared unconstitutional and been abolished, while in the Netherlands we have rampant tapping, despite a total lack of evidence of the effectiveness of these measures. That all the databases of retained telecommunications data themselves become a target is not something that seems to be seriously taken into account in the threat analyses. All rather worriying for a government that is still usually unable to secure its own systems properly or ensure that hired private parties do so.

Also, during the lecture on Clean-IT much emphasis was placed on the public-private partnership to reassure the audience, yet this had a predominantly opposite effect. It’s strange that a government first proves itself incompetent by outsourcing all expertise, then it comes back after ten years and claims it cannot control those same comapnies, nor indeed their sub-contractors. The last step is then to outsource to companies that used as reassurance to citizens commented: "We let by companies do it! That you as a citizen do not think that we ourselves with our sausage fingers sit! Come all good". After Diginotar my confidence in the guiding and supervisory capacity of the government has dropped to just above absolute zero.

What a difference in approach between the summer of 2001 and today.

Terrorism is obviously the "access all areas pass" – but many more Europeans die slipping in the shower or from ill-fitting moped helmets than from "terrorism". Moreover, we as Europeans have experience of dealing with terrorism. ETA, IRA and RAF were rendered harmless in previous decades by police investigations, negotiations and encapsulation. This was done without jeopardizing the civic rights of half a billion European citizens. Even when weekly IRA bombs exploded in London nobody suggested dropping white phosphorous on Dublin or Belfast.

Hope

I hope* that the pre-9/11 vision of the EU Parliament will finally penetrate the Dutch Ministry of Security and Justice (formerly just ‘Justice’ soon ‘Love‘?). Perhaps a new cabinet will lead to new initiatives and opportunities? It would be nice if the ‘free West’ could develop a policy that would justify our moral superiority towards Russia, when we demand that they stop political censorship under the guise of "security".

* Hope: the desire for a future situation over which you have little or no influence: "I hope my plane does not crash."

Parliamentary hearing on IT-projects, security & privacy

On June 1st 2012 the Dutch government’s Parliamentary working group on government IT-projects held a hearing of experts. My written contribution below. Capture of videostream… (in Dutch). Dutch journalist Brenno de Winter published his thoughts here. Column on this published the week after here.

Introduction – IT and the Dutch national government
Universality is an assumption of astrophysics that states that all phenomena, everywhere, behave as we observe them from Earth. I’m assuming that phenomena I have observed in specific government IT projects also occur in government IT projects that I have less infromation about (this is usually caused by the poor implementation of Freedom Of Information Acts, see the notes of Mr de Winter).

IT project management is currently based on a rather naive model of reality – "smart entrepreneurs compete on a level playing field for the favours of the government, which then procures with insight and vision." However, this model does not adequately predict the observed outcome of the projects. Whence this group.

Another model would be "a corrupt swamp with the wrong incentives, populated by sharks and incompetent clowns". This model has the advantage of perfectly predicting the observed outcomes.

The price of outsourcing everything
No vision, no vigour, no knowledge, and especially no ambition to do anything to improve on any of these. This is the overarching theme of all government IT projects I have experienced both on the inside and externally. And I believe is the fundamental cause of the vast majority of practical problems the group wishes to understand.

From Knowledgenet to the National EHR, the Whale project, voting computers, the public transport card, and the failed attempt to break the monopoly of large software vendors – NOiV … the knee-jerk response remains the same: to reduce a social problem to a technical project that can then be quickly outsourced to IT suppliers and/or advisors. The societal aspects are quickly lost once the train of political promises, commercial interests and project logic leaves the station and becomes unstoppable. Even the parliamentary group on IT projects aims to outsource part of its work to an external company. The chances are that the selected external company will already have as its main selling-point an umbrella contract with the national government.  Probably this company will already have been advisors on one or more of the projects that may be under investigation.

In my experience as an advisor of a large government project (from the list of projects provided by the work group), I had to advise another consultant on how to hire yet other outside consultants to perform a security audit. The argument that the government has difficulty in hiring and retaining specialised expertise may be true in specific cases, but in reality, most of the hired ”IT workers” have no specialist expertise. Often they are generalists and/or project managers without much substantive technical knowledge. The inability of government to attract competent personnel should be seen as a problem that needs to be solved and not as an immutable law of nature. If we truly want something to change, we really need to be willing to change anything/everything.

Focus of the research proposal: look at the forest, not at the trees
By focusing on individual projects it is likely that the working group will only look at operational issues within these projects. The broader, underlying causes remain hidden, yet that is precisely where many failures begin. Moreover, it is especially important to look at such overarching issues as potential factors in future projects.

If anything has become clear since the Diginotar case, it is the total lack of accountability or sanctions subsequent to the failure of both executive and supervisory organisations and officials. Suppliers and officials who have endangered the security of citizens and the functioning of the state have largely remained in  position, free to repeat their mistakes in a few more years. Evaluation, in this context, is therefore only useful if lessons learned from them can be used to prevent a repetition of similar birth defects in new projects in the future.

Analyse context: causes and societal consequences of failure
When the EHR project was cancelled by the Senate, there was great indignation about the "wasted" 300 million Euros that had been spent. In my view, the 300 million is not the issue we should be focusing on. If the figures used by the Health Ministry and Nictiz concerning the need for the EHR system were correct, the real costs of the failure of the EHR system over the past 12 years are more than 20,000 lives and 16 billion Euros.

Therefore the real question is why Nictiz on the one hand did not have either the budget or the required mandate to deal with the problem, and on the other hand why this national disaster was not the most important issue for the Health Ministry to address.  Why did the leadership of the Ministry not have its hand on the wheel, with weekly reports to the Cabinet and parliament?

If the publicly-stated figures are incorrect, Parliament has been misinformed for more than 12 years and the project should never have been started. Either way, something went very wrong and it had very little to do with the technical aspects of the project (although there was enough to criticise there as well).

The above example is just one of many cases where the formal administrative motivation for a project and subsequently allocated funds and mandates bear no logical relationship.

Also the projects concerning the introduction of voting computers and the public transport card, had logical holes of Alice-in-Wonderland-like proportions. A very high level of public transparency about new projects here would probably have enabled citizens to provide both solicited and unsolicited assistance to the government in finding these holes.

It would also help to restore some confidence amongst citizens, whose faith has been repeatedly  dented. On the one hand the government uses its own incompetence as an excuse for failure, while on the other hand two weeks later it will ask its citizens to rely on its ability to finish a new megalomaniac techno-fix for a complex social issue. The current deep lack of credibility ultimately becomes a question of legitimacy.

Selection criteria for examining IT projects:

• Extent to which the original official motivations and assumptions were not investigated or found not to be substantiated. What was the problem? How would the proposed IT project fix this? Why was the gap between policy and reality not foreseen?
• Social costs of not solving a problem (by the failure of the project); these are often multiples of the cost of the IT project itself.
• Damage to citizens and their rights because of the failure of project or because of incorrect technical and organisational choices made during implementation.

IT projects the working group hould include in the investigation:

• The EHR
• The public transport card
• The NOiV & the NCA investigation into the failure of this policy.
• GOLD / DWR – introduction of the ‘standardised’ workplace for the national government between 2004 and today.

Doublethink, Waiting for the Big One, Doctor doctor, Asbestos, Gran knows why,  (my columns)

My Court of Audit questions for investigation into national openstandards and opensource policy 2010

Prof. Eben Moglen explains the big societal picture (45 min speech) – must watch!