The LIBE Committee and the STOA Panel of the European Parliament together with the Luxembourg Presidency organised a conference in Brussels earlier this week. The aim was to discuss possible European policies to improve privacy and strengthen IT security, among the leading international security and privacy experts. The discussions were actually lively but unfortunately also quite chaotic, so this post is really my effort to bring some structure in the debate.
Below I will describe what, according to the experts present, the problems are, what their causes are, how they can be solved and what European policies might help to achieve that. Before the conference I submitted my own policy recommendations, described here.
In essence the debate focused on two problems. The first problem being the dragnet surveillance as revealed by Edward Snowden, and the deliberate weakening of IT security systems by intelligence services to enable this and to also perform economic and political motivated espionage. This problem highlights the risk posed by third party adversaries like security services and law enforcement.
The second problem being the indiscriminate collection of personal data by companies and the use of this data to create detailed profiles of billions of citizens. And the fact that these data troves are also accessed (with or without cooperation of those companies) by law enforcement and intelligence services. This problem highlights the privacy risk posed by second parties (and their subcontractors) that offer services to European citizens.
Interestingly, problems that were not discussed during this conference were the insecurity of our critical infrastructure, cybercrime, and the general risk of using a brittle infrastructure for the bulk of our economic and administrative activities.
According to the experts, dragnet surveillance is mainly caused by the fact that our Internet infrastructure is insecure, due to bugs, poor design or deliberate weakening.
This is partly caused by a limited choice in the security supply chain (there are a limited number of suppliers of secure hard- and software, especially from Europe). Open source is poorly funded, not design-led and there is little coordination. Products are too complex, leading to bugs. Also, people don’t use end to end encryption, or other privacy friendly services, because of network effects (none of their friends are using it), lack of functionality, or poor usability. People choose what they use based on functionality and usefulness, not for privacy or security reasons. This also means that when designing new products and services companies put functionality first and security last. Last but not least, to increase homeland security and to counter terrorism, security services call for policies that allow dragnet surveillance. This puts privacy against security and sometimes itself security is even weakened for this cause. Policy makers have little understanding of the technical intricacies surrounding the privacy versus security debate, and fail to see the complex interplay between both.
There is not a lack of ideas and even concrete technologies that could improve the security of our infrastructure and that could help protect the privacy of European citizens. The problem lies in deployment.
The following solutions to the above problems were (among others) suggested.
Quick wins are the roll out of end-to-end encryption, when browsing the web (Let’s encrypt), when calling over the phone, or when exchanging text or email messages.
Transparency and open source are essential to make it harder for certain parties to introduce backdoors in systems. Unfortunately, many good open source initiatives are underfunded and understaffed. Although there are difficulties in certain areas (e.g. Apple recompiling and encrypting the binaries of all apps in their app store), deterministic build processes now allow people to independently verify that a given binary belongs to a particular version of an open source project. Inspection and perhaps verification and certification of open source projects requires international cooperation because few institutions (if any) have the budget to do them all by themselves.
Products should be designed with a different attitude: put security first, and then performance and functionality. Products should be simplified, as complexity is the enemy of security.
Product development should be design led. Products should be designed with a focus on the end user. (Note that this is, partially, at odds with the first point that puts functionality second to security. Also, a more autocratic design-led development is at odds with typical open source software development processes.)
Extend the notion of privacy by design to honesty by design or protection by design. Products should guarantee the user that they will not do them any harm. (People may not buy products that give guarantees on an abstract concept like privacy, but customers do buy products that protect them and that prevent them from harm.)
Prevent single points of failure; they are also single points of attack. Aim for distributed, peer-to-peer architectures, and stop using centralised architectures.
Focus more on resilience. Many system designs complete break down as soon as a single device or component fails. This can be avoided by designing for defense in depth. Assume components will break or will get hacked, but make sure the system survives and repairs such attacks.
Some of the solutions outlined above could be supported by European policies.
The development of secure and privacy friendly open source could be (financially) supported. Also coordination among such projects, and aligning their development process more with design led thinking, could be supported. Perhaps by setting up a European Open Source Initiative. The essence is to invest in the public good, and ensure — by basing the software on the right type of license — that anything derived from it also becomes a public good.
Stimulate the dialog between politicians, policy makers, industry, SMEs, academia, NGOs etc. in the area of security and privacy. Create a platform to facilitate this and that ensures people regularly meet to discuss recent developments in law, policy, society and technology.
Penalise the obvious use of insecure and intrusive software, products and services. Stimulate cross-industry benchmarking, and ensure the results are published. This should be an iterated process: solutions that are state of the art today may be outdated in a few years.
Introduce some form of liability for IT products and services, or think about a duty of care for providers and developers of such products and services. Everybody should be allowed to make honest mistakes but gross negligence must not be tolerated.
Change the incentive structure for businesses working with personal data. Certain business models should be disincentivised or simply ruled illegal. The upcoming data protection regulation is a good step in the right direction but is certainly not enough.