The Trials and Tribulations of Secure Free Software for the European Parliament
After months of hearing about their own vulnerability at the hands of intelligence agencies like the NSA and GCHQ, next Wednesday, European Parliamentarians and their staff will have an opportunity to learn about defending Internet communications using strong encryption and trusted hardware and software. Unfortunately, unless the Parliament's own IT department shifts ground, it will be a theoretical discussion, rather than the practical first steps to a secure European Parliament that its organizers had hoped for.
DebianParl is a version of the popular free software Linux distribution Debian, intended for use in parliaments around the world. It is intended to be bundled with tools to track legislation, manage constituent correspondence, and, most importantly, allow lawmakers to use strong encryption to communicate securely with each other and with external parties.
Would most politicians really want to run Linux? It's hard to tell: politicians generally inhabit a homogeneous technological environment, and do not get a chance to even glimpse what alternatives might exist, nor understand why people might want to fight for the right to have those alternatives. But an increasing number of politicians work for parties which espouse open standards and support for non-proprietary tools.
And with the rise of awareness about the potential targeting of politicians for digital surveillance, lawmakers have a new incentive to experiment with alternative operating systems. While the best solution to end-to-end security is to have a dedicated, institutional staff dealing with high-level security, few legislatures have sufficient internal awareness of the threats or the budget to take that step. Nor are off-the-shelf proprietary enterprise solutions like Microsoft's engineered to defend against state-managed surveillance or malware.
Linux is not a magic shield against such snooping either — but a dedicated, hardened operating system designed from the ground up to use open encryption standards and supported with the expectation of attack has some advantages over a standard installation of a commercial closed-source implementation. It's a first step to general digital security awareness, including creating sensible security policies in BYOD (bring your own device) cultures, and even understanding the risks of using other off-the-shelf devices, like mobile phones.
The Green Party in the European Parliament have been keen to experiment with DebianParl for reasons of security and autonomy. But to do so, they need the Microsoft-run Parliament email and network systems to give them a chance.
Anyone who has struggled with introducing some variety into a Microsoft shop will know what that means: the Parliament's Exchange servers need to have their support for the open protocol options IMAP and SMTP turned on. The European Parliament's IT staff also need to work with the volunteers to create an authentication system for their WiFi network.
There are plenty of reasons why turning a closed, proprietary network into one that supports open standards and strong end-to-end encryption is challenging. But the proponents of DebianParl in Brussels say they had little success discussing their proposal with the local IT staff, even with the direct support of a significant political coalition (the Green/EFA alliance has 58 MEPs from 15 countries).
Struggling with a recalcitrant IT department is something that many will be familiar with. But we're entering a time now where lawmakers cannot just stand by while their own security and flexibility are undermined by staff paid to support them. The European Parliament needs to open up: and that means open standards, and an infrastructure that will support the increasing digital security needs of a modern lawmaker.