One year after NSA contractor Edward Snowden began exposing the U.S. government’s surveillance capabilities, Europe and other targets are still reeling from the revelations. But a little-noticed report in summer 2001 offered an early warning, says Dutch IT expert Arjen Kamphuis.
By Arjen Kamphuis
In the first 21 months of the Twenty-first Century, the dot-com stock bubble burst and then the 9/11 attacks propelled the United States into the “global war on terror.” Yet, between those two events a largely forgotten report to the European Parliament was issued on July 11, 2001, describing the scale and impact of electronic espionage in Europe by the U.S. and its “Echelon” partners (Canada, United Kingdom, Australia and New Zealand).
Speculation about this surveillance network had existed for years but it wasn’t until 1999 when a journalist published a report on the topic that the danger began to be taken seriously. That gave rise to the parliamentary report which besides offering a detailed analysis of the problem urged European governments to inform their citizens about Echelon and provided concrete examples of policies that Europe could take to significantly limit foreign intelligence spying.
Under the heading, “Measures to encourage self-protection by citizens and enterprises,” the report suggested improved data security and confidentiality for communications by EU citizens. The document also recommended “practical assistance in designing and implementing comprehensive protection measures, including the security of information technology.”
Europe was urged to “take appropriate measures to promote, develop and manufacture European encryption technology and software and, above all, to support projects aimed at developing user encryption technology, which are open-source.” The report recommended software projects whose source text is published, thereby guaranteeing that the software has no “back doors” built in so intelligence services can steal information.
If those recommendations had been implemented, history might have taken a very different course. For one, Europe would not have been rocked by the disclosures beginning a year ago from National Security Agency whistleblower Edward Snowden who described the U.S. government’s capacity to intercept vast amounts of personal data from people communicating in Europe and other parts of the world.
The 2001 report failed to have the impact that it might have because of the 9/11 attacks two months later, causing the NSA to expand its collection of worldwide data as President George W. Bush demanded maximum cooperation from NATO and other U.S. allies in the “war on terror.”
Had the report’s policy recommendations been implemented Snowden’s PRISM revelations in 2013 would have been met mostly with indifference because European citizens, governments and companies would be performing most of their computing and communications on systems controlled by European organizations, running software co-developed in Europe and physically located on European soil.
An American problem with an overreaching spy apparatus would have been just that, an American problem.
What Might Have Been
If the report had prompted a serious response from Europe in 2001, the EU’s IT situation could look very different with the Internet and other technologies having evolved in a more democratic way with personal privacy respected rather than today having this Big-Brother all-seeing-eye looming over democratic societies as a potential totalitarian threat.
The report on Echelon made it clear that reducing IT to a merely operational exercise had disastrous consequences on the sovereignty of European states with respect to, in particular, the United States (and perhaps in the near future, China as well as other technically capable countries and non-state organizations). For Europe, the economic consequences of industrial espionage against many high-tech and R&D-intensive companies remain a major concern.
Further, if the 2001 report had prompted action, the IT policy of governments would be based first on the political principles of a democratic and sovereign state. This not only would have meant a very different approach to technology selection and procurement, but also in the balance between outsourcing versus in-house expertise. Open data standards for public information would have been required.
These new frameworks for public IT would have created a new market for service providers who based solutions on so-called “Free Software” (previously better known as “open source”). Spending on software would have fallen sharply and freed up money for the recruitment of highly qualified IT workers.
In Europe, quality of IT services would have risen and there would have been a very open playing field since all service providers would have had full access to all software used in government (with only a few exceptions in defense, justice and home affairs).
Computer and IT education from kindergarten to university studies would have been fundamentally revised. Basic understanding of the operation of computers and information networks would have become as normal as reading and writing. Every 14-year-old would have been taught how to encrypt email and would be steeped in the disadvantages of using software whose source codes were not published.
Young people would not only have learned the end-user skills for computers but a real understanding of what was happening to their information when sending a message or uploading a photo.
A culture of being careful with your private information might have taken hold and the social media landscape would not be dominated by a handful of U.S. companies, but rather a varied landscape of federated services such as Diaspora which would be competing among themselves but would still be mutually compatible like email. Some services would be run on micro-servers in people’s homes (such as the UK-invented 35 Euro Raspberry-pi).
Due to the demand for privacy and the intensity of safety awareness, online crime would not have gained a grip on most European countries. Hardly anyone would be naive enough to log on to strange domains or websites in response to a fake email supposedly from their bank. And banks would use customized secure USB drives for any major online financial transaction.
This is the IT present that Europe could have had if its governments made other choices over the last 12 years. All the knowledge and technology for these choices were available in the first months of this century.
Yet, because these choices were not made, Europe has spent hundreds of billions of dollars on software licenses and services from American companies, while there were cheaper (often free), more flexible and safer alternatives available that would not operate as a foreign espionage platform.
All these hundreds of billions were not invested in European service, training, education and R&D. The economic impact may be a multiple of the $1 trillion in software licenses spent by Europe this century, while Europe also might have been spared the cost of handing over of control of its data to foreign spies who could then use it for a variety of illicit purposes: repression of citizens’ freedoms, industrial espionage and the manipulation of spied-upon politicians who were handling transatlantic negotiations on trade or environmental matters.
Europe could still change. It has everything it needs to make and implement these more independent and secure IT policies. No matter how regrettable the policy failures of the last decade and no matter how many wasted billions of dollars, it is not too late to make the turn.
Today could be the first day of such a new course. Concrete examples in the Netherlands, Germany, France, Spain, the UK and many other places show that this is not only possible, but almost immediately leads to huge savings, improved safety and independence from foreign parties in future IT choices.
Arjen Kamphuis is co-founder and Chief Technology Officer of Gendo. He studied Science and Policy at Utrecht University and worked for IBM and Twynstra Gudde as IT architect, trainer and IT strategy adviser. Since late 2001, Arjen has advised clients on the strategic impact of new technological developments.