To Counter Mass Surveillance, "SOS": Secure Open Source

The European Parliament is such a large organisation that it is easy to overlook aspects of it. That's certainly true for me when it comes to STOA:

The European Parliament defines its position on these [scientific and technological] issues through reports prepared by its Committees. If Committees decide that it would be helpful to their policy making role to seek out expert, independent assessments of the various scientific or technological options in the policy sectors concerned, then they have STOA at their disposal: the Parliament's own Science and Technology Options Assessment unit.

STOA is effectively a research department that can put together detailed briefs to help the European Parliament with its policy-making. A case in point is a report produced recently, which tackles the extremely topical subject of mass surveillance:

This document identifies the risks of data breaches for users of publicly available Internet services such as email, social networks and cloud computing, and the possible impacts for them and the European Information Society. It presents the latest technology advances allowing the analysis of user data and their meta-data on a mass scale for surveillance reasons. It identifies technological and organisational measures and the key stakeholders for reducing the risks identified. Finally the study proposes possible policy options, in support of the risk reduction measures identified by the study.

There are two parts. The first provides a detailed description of the current situation [.pdf]. Although much of it will be familiar to readers of this blog, I think it represents the best summary so far of everything that Edward Snowden has revealed to us about NSA and GCHQ spying. Even if you have been following all that closely, you have probably rather lost track of all the details (I know I have), so this 66-page round-up is extremely useful for the clear way it maps out what we now know. Here's its rather sobering conclusion:

Despite the rebuttal of many accusations, particularly those related to collaborations between commercial Internet companies and national security agencies, the authors of this report were not able to identify technical rebuttals of the revealed NSA documents, neither through revision of literature, nor through the statements of technical experts on the respective subject matter. Although this absence of technical refutations cannot be equated to being a validated proof of credibility or technical coherence of Snowden’s revelations, it can be asserted that:

The technical feasibility of the tools and practices applied by national security agencies is not disputed by any of the relevant technical communities.

In other words, even if we can't prove that all these things are going on, they are plausible, and nobody has disproved that they are happening.

However, even more valuable is the second part, since it aims to provide practical solutions to the problems identified in the first part [.pdf]. It rightly emphasises the importance of end-to-end encryption, and recommends that the EU:

Stimulate awareness of the necessity of using encryption by initiating a media campaign, as awareness of privacy risks is quite low.

Increase the knowledge level of end-users, both individuals and responsible departments in organisations, by setting up an independent platform where users can find information on tools, implementation, do’s and don’ts etc.

It even advocates bringing in new EU laws to make that happen, if necessary:

If the market does not provide security with end-to-end encryption by itself, regulation should be considered, obliging service providers and/or Internet service providers to provide end-to-end protection as standard for data in transit. An additional benefit of regulation would be a concrete political discussion on the balance between privacy and law enforcement and national security, at European and/or national level. The outcome of this debate should be implemented in national legislation.

But for readers of this column, the following recommendation will doubtless be particularly welcome:

stimulate user-friendliness of end-to-end encryption solutions, for instance by promoting existing user-friendly end-to-end encryption solutions for e-mail, messaging, chat etc. Dedicated funding or participation in open-source software end-to-end encryption solutions is also an option to specifically improve user-friendliness.

Indeed, the next section is entirely about promoting the use of free software:

Although it is not a universal remedy, open-source software is still an important ingredient in an EU strategy for more security and technological independence. The quality of the lifecycle processes of open-source software is crucial for its security – more than technology.

Support and fund maintenance and/or audit of important open-source software: open-source initiatives, some of them widely implemented for security and privacy, need funding to keep going and be audited (with regard to both code and processes).

Initiate a European “Open-Source Bug Bounty Programme” or finance existing programmes, as an alternative to intervening directly with specific open-source software programmes.

Set up certification schemes for a limited set of critical types of open-source software, implemented by technical tests (e.g. penetration tests, code reviews). To support this, the EU should draft and maintain an agenda of critical open-source software for its citizens and companies.

This is particularly important because it would achieve two goals at once: it would improve security - for all the reasons I've written about in the past - and it would promote wide use of open source in Europe.

The report has a number of other recommendations, including the following:

A consumer-market-oriented approach to European social media, Cloud services and search engines is a desirable option, although not the easiest, since the European market is open and fragmented and major platforms are available for all current service categories.

We therefore propose stronger legal limits on exporting personal data than those offered by the forthcoming data-protection regulation (mainly transparency on location, informed consent by individual). This would give European ICT players the time and legal space necessary to create demand for specific EU solutions. Liability and substantial fines for non-compliance will also provide a strong stimulus for action.

The ability of users to remain in control of their personal data is extremely important, and one that is currently under threat, as I've described before. It's good to see STOA willing to point that out, and even propose politically rather bold solutions for dealing with it.

As is probably evident, I'm impressed with this report on surveillance. I strongly recommend readers of the blog to download it and take a look. After all, it's not only extremely good, but we Europeans paid for it, which gives an additional incentive to benefit from its insights.

Follow me @glynmoody on Twitter or +glynmoody on Google+


Copyright © 2015 IDG Communications, Inc.