
When a politician talks about security technology, they’re usually coming for your civil rights. Suspicionless mass surveillance, secret internet blocklists, arduous security theatre at airports: Safety and freedom are presented as trade-offs — and many politicians are all too willing to sacrifice more and more of the latter for the short-term sugar high of feeling like they’re Doing Something to Keep The World Safe.

Security and liberty don’t have to be opposites. I want the European Union to focus its energy and funds on projects that increase both the safety and the autonomy of its people at the same time. At my proposal, next year’s EU budget will include a step in that direction:
€1 million of the EU’s €40 million pilot project fund will be spent towards open source software security.

* * *

Software is everywhere. Whether you’re calling your mom, driving to work, withdrawing money from the bank or using a government service: You’re interacting with computer code. Software is at the heart of our rapid technological progress.

But all code contains errors. Software development is a never-ending cycle of finding and fixing bugs — hopefully before someone can exploit them for malicious purposes.

Photo: (cc) by-nc-sa steve_lynx

Much of the software code that influences your life is kept secret by the corporations who own it: Even if you had the time and skills to do so, you wouldn’t be allowed to investigate what their code does, what its flaws are — and who may have a secret back door to your data.

In opposition to this, some code follows the philosophy of free and open source software: It’s developed in an open collaborative community, allowing users the freedom to check what’s going on, copy and modify it to suit their preferences and contribute their changes back to the pool. You’ve probably enjoyed the result of such work, such as (most parts of) the Android phone operating system, the Firefox web browser, the WordPress blogging software, the VLC media player and many other applications — as well as the majority of internet infrastructure that is less visible to end users (web servers, databases, routing software, etc).

* * *

In my view, government should tend heavily towards using and supporting open source software. Your state shouldn’t run on code more accessible to intelligence agencies than to you. Any software a government pays for should be open source: Through its actions, government should enrich the commons, not any specific corporation.

A recent study commissioned by my parliamentary group, the Greens/EFA, found that the most appropriate way for Parliament to meet its own standard of “utmost transparency” is “mak[ing] Free Software and Open Standards mandatory for all systems and data used for the work of Parliament.”

Unfortunately, we’re far from that goal: The Parliament mostly runs proprietary software like Microsoft Outlook, which makes it next to impossible for MEPs to communicate by encrypted e-mail using their official Parliament e-mail addresses (although you can still send me encrypted e-mail to my private address). The recent uncovering of attacks by U.S. and British intelligence agencies on the Belgian telecommunications company Belgacom confirms that this is an urgent concern.

* * *

Using open source software is a prerequisite for autonomy and security — but it is not sufficient. Just because the theoretical opportunity exists for anyone to check code for flaws doesn’t mean it will automatically happen.

Image: A simple explanation of how “Heartbleed” worked

Last April, the “Heartbleed” bug was discovered in a critical piece of encryption software that ensures nobody can listen in on your online banking. The flaw had been in the code since March 2012. In September, an even more surprising discovery was made: A core component of most open-source operating systems was found to have been exploitable all the way back to September 1989. This bug was named “Shellshock”.

It’s clear that more resources are needed to discover and fix such errors in software the world has come to rely on. The European Union is the ideal level for such public investment, which benefits not just its own administration and those of all member states, but the general public.

* * *

The EU may only spend money on things specifically provided for in legislation. There’s one exception: A small slice of the budget is reserved for “pilot projects and preparatory actions” for new proposals not already sanctioned in law.

“Governance and quality of software code – Auditing of free and open-source software” is the pilot project submitted by me and my colleague Max Andersson from the Swedish Greens. After successful negotiations, the 2015 budget now reserves 1 million Euros for our pilot project as item 26 03 77 02 (page 732). The project, which will be conducted by the Commission, consists of three parts:

  1. Specifying how to conduct code audits: A study to develop best practices for code review and quality assessment, which will compare such processes inside the EU with those in the Debian open source community.
  2. Finding out what needs auditing: A full inventory of all open source software in use within all the EU institutions.
  3. First experiences: An exemplary review of some critical software in use by both the EU and the public.

If the project is successful, it may continue as a pilot project (up to one additional year) or develop into a preparatory action (which may run for a maximum of three years) — and finally become part of the regular budget. For comparison, 2004’s anti-terrorism security research pilot project later grew into seven-year funding of €1.4 billion under the research and development funding framework.

I’ll do my best to ensure this project is an equally impactful first step — but towards security research that’s looking to expand, not curtail your freedoms.

To the extent possible under law, the creator has waived all copyright and related or neighboring rights to this work.

5 comments

  1.

    Very happy to read that ;) The only thing is that some software is considered non-bugged, such as TeX.

  2. Zbigniew Łukasiak

    This is wonderful! Security is more and more important and Free Software is the only way to be sure that there are no hidden back doors.

    By the way – I think it would be better if we used “Free Software”. The term “Open Source” was invented to present it as an apolitical phenomenon – but it is political and we don’t gain anything by hiding it in such a political body as the EU Parliament.

  3.

    To be more precise, my comment on Open Source versus Free Software was on this sentence: “At my proposal, next year’s EU budget will include a step in that direction: €1 million of the EU’s €40 million pilot project fund will be spent towards open source software security.” In the subsequent text, ‘free and open source software’ is used consistently.

  4.

    Great idea. Since free software at least is more secure in principle, now the government will be able to endorse it as more secure not only in principle, but in theory and practice.