Category: government

Committee report electronic voting

From April 26th until December 18th 2013 I was a member of the expert committee on voting computers. This committee was instituted to advise the Dutch Minister for the Interior on the feasibility of re-introducing electronic voting methods.

In the past (2008, 2012) I have always been very critical about the way electronic voting was implemented in The Netherlands up to 2007. The lack of transparency of this method and the impossibility of recounts made this fundamentally incompatible with real democracy and, after some convincing by citizens, even the government agreed on this.

The commission recommends:

  • The use of electronic aids to make the voting and counting processes more reliable and more accessible;
  • To this end, account will be taken of the preconditions formulated by the commission;
  • The introduction of a single nationwide voting system, consisting of a voting printer so that the voter can print his or her ballot paper and a scanner to count the votes electronically. This system can be made suitable for all voters;
  • It should be clear in legislation that the paper process provides the guiding principle;
  • Should the voting method proposed by the commission not be implemented, in whatever event it recommends the introduction of electronic counting linked to the introduction of a smaller ballot paper.

More details in the English Summary of the report. For the entire report, press coverage and interviews go to the Dutch version of this blogpost.


In memoriam: Aaron Swartz 1986 – 2013

Not sure what to say about the sudden death of Aaron Swartz, idealist, freedom-fighter-extraordinaire and friend of open access to information for all of humanity. Aaron spent his life fighting for humanity’s highest ideals, contributing to technologies most of us use every day (even if we don’t know it). It just feels like something is very, very wrong if the so-called ‘free world’ is killing its best and brightest for living up to its highest ideals. We’ve got big problems and cannot afford to lose people like Aaron.

Cory Doctorow has written a eulogy here, Prof Lawrence Lessig had an overview of the case the US Department of Justice (ha!) saw fit to launch against Aaron. Glenn Greenwald wrote about his heroic work in helping to defeat SOPA over the last years. A digital memorial to Aaron will be here for as long as there is an Internet. The files that started the case can be found here. Spread them around as wisely as possible.

But mostly just watch Aaron’s speeches and interviews, as many times as needed before you understand his ideas and ideals fully.

Update 28-06-2014: A documentary on the case Aaron Swartz – The Internet’s Own Boy is now available online. Also on Archive.org.


DIY privacy, because the law no longer works

<originally a Webwereld column – in Dutch>

Over the last few years it seems as though everything that is centralised fails. Governments fail to solve societal problems (or even just complete a successful IT project), central banks fail to monitor the behaviour of ordinary banks, IT companies fail to offer us solutions that are safe and respect our privacy somewhat …

Decentralisation works better: bittorrent, non-Western popular revolts, open source software, hacktivism and to a certain extent the Occupy movement. I’m glad Bits of Freedom and international counterparts such as the EFF exist because they put issues on the agenda that most of the over-50 politicians would not otherwise consider. In Berlin, the Pirate Party has over 9% of the seats in local government and is spreading rapidly across Germany.

But is all this really upholding our "rights"? Because despite all petitions, motions, actions and other initiatives our (digital) civil liberties are still evaporating. In the Netherlands it is virtually impossible to finish high school without buying Microsoft or Apple products, despite a long string of promises and agreements about this from our government. There are so many PCs that are controlled by cyber criminals that Microsoft had to set up a specific spring-cleaning for the Netherlands without user consent. This also makes it immediately apparent who really controls all these systems. Meanwhile, the government uses its own catastrophic Diginotar failure as a pretext for yet more government regulation of the online world.

The way the ACTA treaty brutally sweeps all issues of democratic control off the table clearly indicates where the interests of our Atlantic partners lie. SOPA is just the cherry on the ice cream to show why we should no longer be dealing with the US-based IT services: Unsuitable.

It might be a better use of our time just to accept that our government is no (longer?) capable of resisting corporate power. Somehow or other a slow-motion palace revolution has occurred where the government wants to increase “efficiency” by relying on lots of MBA-speak and corporate management wisdoms that worked so well for the banking sector. The fact that the government’s primary function thereby evaporates does not seem to bother it. And meanwhile the companies themselves are apparently too busy making profits and fighting each other to worry about civil rights and other archaic concepts from the second half of the 20th century.

So rather than always trying to influence a system that ignores our interests, we can simply take care of ourselves and each other. This conclusion is not pleasant, but it gives clarity to what we have to do.

One good example is the Bits of Freedom weekly workshops on how to install encryption software and its publications that help people get to grips with these tools. The organisation should use its clout to get the slogan of “crypto is cool” on everyone’s lips. The NLnet Foundation should focus its energies on promoting the hip and user-friendly aspects of these pieces of software. Webwereld journalists should be looking for a modern, technical Deep Throat to make anonymous-advanced-OV-chip-card-hacking available to the general public.

Civil rights organizations and hacktivists can play a very different but probably even more effective role. Since 2006 I have ensured my own email privacy by no longer relying on the law, but by using a server outside the EU, with an SSL connection to it through a VPN tunnel entering the open Internet also outside the EU. And then I encrypt as many emails as possible individually with GPG. I suppose the fact that all those hordes of terrorists (who, our government asserts, are swamping Europe) have no doubt adopted such measures – for less than 20 Euros a month – makes all the data retention measures a complete and pointless waste of resources.

What is possible now with email will soon be possible with telephony by using VOIP through international VPNs. This will even happen soon with mobiles (although your location information will remain a problem).

Then add an anonymous public transport card hack, a future version of Bitcoin for money transfers, and all you will need is a freshly installed Linux laptop (with an encrypted hard disk) and Bob’s your uncle. Just resist the temptation to put your whole life on Facebook and auto-tweet your GPS-data from your phone.

Then you can forget about any digital privacy legislation. You do not need government. You empower yourself as a modern citizen – better living through technology. Too bad it had to come to this – that old democracy concept seemed a really nice idea.

Update 2012: At Cryptoparty.org you can find places where citizens are teaching each other how to use privacy enhancing tools. If your locale is not on the list then add it and find people to get going where you live!


Xeroxing the war

In 1969, when the Vietnam War was in full swing, a senior analyst at the U.S. Department of Defense was quietly copying a secret report about the war. This report, which ran to 7000 pages, covered the progress of the Vietnam war in exhaustive detail. The analyst intended to share this highly classified information with influential politicians and scientists, in the hope that it would quickly bring the war to an end.

That analyst was Daniel Ellsberg, a former officer of the Marine Corps who worked for RAND, the Pentagon think tank. As a result of his experiences in Vietnam and his meetings with conscientious objectors in the US, he became convinced that the war was wrong. With his insider’s knowledge, he already knew that it was militarily lost, but that the American government was misleading the people. Every day the Vietnam war took about eight hundred Vietnamese lives, more than two thirds of them civilians, and twenty American soldiers. Many more were seriously injured or maimed for life.

On June 13, 1971 The New York Times tried to publish a number of excerpts from these documents, but was blocked by the Nixon government through legal and political means. Senator Mike Gravel made a breakthrough by reading a large part of the document in the Senate. The reading of 4100 pages took a while, but the rules of the Senate do not allow a senator who is talking to be interrupted (the "filibuster"). Everything the Senator said automatically became part of the proceedings of the Senate and thus on the public record. The publication of this information was the beginning of the end of the Vietnam war and the start of the process of withdrawal of U.S. troops.

Fast forward to 2010. The US is once again embroiled in unwinnable wars, launched on dubious grounds, that continue indefinitely without any clear strategy or goal. Every extra day that these wars continue, more civilians and soldiers die.

And now there are new people who leak secret information about the wars, in the hope that the resulting political pressure will bring them to a close. The Xerox technology in 1969 has been replaced by a global computer network that uses encryption to protect the identity of the whistleblowers. Even Wikileaks does not know their identities – this is safer for both the whistleblowers and Wikileaks.

But the media’s response is simply surreal. The bulk of the attention and the debate is about the Xerox machine – or at least the 21st century equivalent of it, the Wikileaks website. Questions such as "is WikiLeaks journalism?" and "should you be allowed to leak classified information?" are discussed in exhaustive detail by apparently intelligent media pundits – who with alarming regularity seem to have little understanding of the very technology they are discussing.

The first ‘big’ coup from Wikileaks, the “Collateral Murder” video, led to a huge debate about the culpability of the helicopter pilots and whether or not it was reasonable for them to be able to distinguish between a camera and a grenade launcher. The key topic that was not discussed was the simple fact that the Pentagon had knowingly, for three years, lied to both Reuters and the families of the civilian casualties in Baghdad about the circumstances surrounding the shooting by an Apache helicopter, which was one kilometre away and which riddled two children with bullets from its cannon. The Pentagon made a statement in 2007 saying that it knew nothing of any injuries to children, even though it had been in possession of this video from day one and it leaves nothing to the imagination.

The deliberate lying from the start of the Iraq war continues to this day. The Dutch late night talk show, P&W, led the news on TV with "Dutchman involved in leaking attack video": that, after all, is news – apparently far more important than the fact that children were shot and there was a cover-up.

Wikileaks has already been the top story in the news for more than one week, and that’s a problem. The Xerox machine is not important. Illegal wars of aggression launched on the basis of lies are important. The torture of innocent citizens in secret prisons is important. Spying on UN diplomats is important. Messing about in the internal political decisions of other countries is important.

So why is the entire media so busy with the Xerox machine and the person with his finger on the copy button? Dear journalists, you have been presented with a cornucopia of scoops, many of which make Watergate pale into insignificance. If African dictators were doing the things Western countries are being accused of, they would be dragged in handcuffs to the International Court in The Hague. Get to work!


Parliament’s questions to the Court of Audit

Preamble
The Lower House of the Dutch Parliament has asked the Court of Audit to investigate the problems and opportunities related to the adoption of open standards and open source software for the government’s information systems. The Court has invited various experts to give their views. This blog post is my contribution.

The questions are being asked to the highest supervisory body of the country, rather than the departments responsible for implementing this policy – the Ministries of Home Affairs, and also Economic Affairs, Agriculture & Innovation – eight years after the government’s first unanimous vote on this issue and the expenditure of about 5 billion euros on licensing fees. The impression given to the outside world is that Parliament is not impressed with the progress of the last eight years and believes that the relevant government departments could benefit from the external scrutiny of a neutral and objective body.

Each of the following five questions implies a series of unspoken assumptions. In order to answer the questions, it is necessary to identify and, where necessary, challenge these underlying assumptions in order to reach a sensible answer.

The five questions
Here are the answers to the questions raised by Parliament. There is so much interdependence that subsequent responses will sometimes refer back to earlier parts.

“You cannot solve a problem with the same thinking that created it”

1. What possibilities and scenarios exist for the reduction of closed standards and the introduction of open source software by the central government (ministries and related agencies) and local authorities?

The Netherlands is a modern western country and has the same access to knowledge, skills, technology and comparable budgets for IT as Germany, France, Spain and Finland. It is a fact that all these countries have already implemented large-scale adoptions of open source and open standards in government. The implementation requirements of the Dutch government are also very similar to these countries. The reason that The Netherlands has not moved further in this area, eight years after the original, unanimous Parliamentary vote, can therefore be attributed to nothing more than the administrative culture and our Atlanticist political orientation.

There is no fundamental reason why the achievements of these other countries cannot be replicated in The Netherlands, especially as the groundwork has already been done. Barriers to migration have often been treated as immutable laws of nature rather than just a problem to be solved.

  • Parliament should no longer accept that a high dependence on one supplier is an adequate excuse not to move away from that very dependency (as the Cabinet did in response to parliamentary questions in 2004 and 2006 and 2008). The dependency itself is the problem that must be addressed, not an enshrined principle that IT departments must endure.
  • Parliament should no longer accept that the acknowledged lack of technical or organisational knowledge amongst the 60,000 government IT professionals (and their suppliers) is an excuse for the lack of progress. It is implausible that the Dutch government is incapable of replicating the successful work of its European counterparts. Any governmental IT or management staff who do not have the requisite skills to carry out the very reasonable requests of Parliament should be replaced or retrained. Incompetence is grounds for dismissal, certainly not an excuse for refusal to do the necessary work.
  • Intrinsic motivation works better than coercion. Administrators and IT staff who understand the wishes of Parliament can embrace it with real conviction and are likely to want to produce better results than those who only work under duress. Such an approach will select and promote suitable people to the right jobs. The staff whose policies and behaviour have caused our current problems are probably not going to be the ones who find the necessary solutions.
  • The link between HR and remuneration policies for IT professionals and achieving technical certification related to proprietary software from a handful of suppliers must be completely severed.

“When you find yourself in a hole, stop digging”

2. What part of closed standards and software can be replaced by open standards and open source solutions and what cannot?

This question has yet another unspoken assumption: that central government has a realistic oversight of all systems, applications and related standards. It does not. As a result, questions about the number of systems that can be replaced are very hard to answer and have little relevance to achieving lower costs and greater independence in the foreseeable future – primarily because of the very large differences in costs that are associated with different standards. The government would do well to focus on the most common, generic issues, for which proven alternatives already exist. The original 2002 Vendrik Parliamentary motion already asked for this.

Key points to identify: what are the most expensive closed source areas where functional open source alternatives already exist and are already being used successfully elsewhere? What are the closest functioning areas that can result in successful migrations?

Migration plans should be drawn up in these areas as a matter of high priority – and this means halting or delaying other projects that may block these migrations and accelerating projects that play a supporting role.

For instance, in 2005 the former Ministry of Economic Affairs produced a document management system which has made it virtually impossible for years for the Ministry to use other web browsers, word processors or desktop operating systems. This is particularly surprising as, in 2004, the government itself announced that such closed systems in the work environment were harmful and undesirable, and were therefore going to be actively addressed as per the wishes of Parliament.

A current, concrete example within national government is the introduction of SharePoint. There is a significant risk that this investment, once made, will be (ab)used yet again as an excuse not to migrate to open and available alternatives. That would take us up to 2016 (14 years after the initial Parliamentary decision!) before any real work could begin on migration.

“Not everything that can be counted counts, and not everything that counts can be counted.”

3. What are the current costs? What are the predicted up-front and structural costs of moving from closed standards and the introduction of open source software? What are the projected savings?

The Dutch government currently spends about one billion Euros on proprietary software licences annually. These licences are mainly foreign, and the income tax and VAT on this expenditure flows into the Irish exchequer, because most European branches of American software companies are based there. The total Dutch expenditure is eight times more. Both governmental and general software expenses grow by about 10% per annum and are therefore unsustainable.

A significant portion of these annual costs can be saved or ploughed back into the local economy through Dutch SMEs, and so this cost will be an investment in the Dutch knowledge economy. With the government as the leading customer in this new market structure, it is feasible that The Netherlands could save billions per year.

In addition to these direct costs, various indirect savings could increase this amount many times over: the costs of management and security for vulnerable mono-cultures; the cost of merging old legacy systems and new applications; and social costs caused by security failures and easily avoidable software security problems. Every month there are Dutch hospitals whose primary processes are severely disrupted by computer viruses – a direct result of monoculture.

Moving beyond the financial, it becomes more difficult to quantify the social impact of the high dependency level of Dutch society on certain foreign, privately-owned companies. However, if more than 80% of the PCs in The Netherlands can be remotely controlled or even switched off, what does that say about Dutch national sovereignty? Is it politically acceptable for foreign software suppliers or government bodies to have an On/Off switch for ministries, municipalities, police, hospitals, water works, supermarkets, schools etc…?

“The best moment to plant a tree is 25 years ago, the next best moment is now.”

4. How would the reduction of closed standards and the introduction of open source software be realised?

With not only the right mandate (which Parliament actually voted for eight years ago!), but also the right expertise, significant results are attainable within 24-36 months. This requires making this area a priority issue and a break from the old attitudes, excuses and methodologies of recent years (see answer to question 1). Successes abroad can serve as templates for our projects.

One area where we could make a rapid start would be primary education. Currently we are actively strengthening existing monopolies via this sector with public money. If by 2011/12 the first two years of primary school use open systems and then a higher class is switched each year, The Netherlands will have the first generation of citizens who are trained in vendor-neutral systems entering the workforce in 12 years, easily capable of working with multiple systems and applications. The ‘Rosa Boekdrukker’ primary school in Amsterdam clearly shows how this can be done.

Hospitals in The Netherlands could follow the example of the Antonius Hospital in Nieuwegein. Many other hospitals can share in this success. And because it’s already been shown to work, the risks and costs for the next 100 hospitals are much lower.

It will take at least a decade before the full potential of open source and open standards can be utilised.

“Go out on the limb, that’s where the fruit is”

5. Beyond the cost, what other advantages, disadvantages, risks and opportunities should the Court of Audit factor in? What conditions must be met to make possible the implementation of open standards and open source software?

Benefits & Opportunities

  • Savings of billions per year in direct costs for all citizens and IT-using organisations in The Netherlands.
  • Redirecting a stream of funds from Ireland / USA into Dutch society as a huge and permanent investment in our knowledge economy.
  • Government investment in software will result in free, reusable software and knowledge available to our whole society, rather than controlled by privately-owned and usually foreign companies.
  • Security is strengthened through greater diversity of IT, competition, and the possibility of custom code audits.
  • National sovereignty is reinforced when the government has complete control over its systems.
  • General IT competence will dramatically improve, ensuring fewer spectacular and expensive failures such as the 2006 ‘Walvis’ Tax project, national medical records, public transit chip cards and, most recently, the new police system to name but a few.

Disadvantages and risks

  • The current, fragmented IT policy of the Dutch government means that a thousand little fiefdoms may need to be broken up.
  • The apparent lack of skills amongst IT management may have consequences for personnel. No doubt there will be resistance.
  • Significant investment is probably needed in re-training government IT professionals.
  • Angry phone calls from Washington DC when the flow of licensing money is shut off.

Preconditions

  • See answers to question 1.
  • Be realistic about the positioning and motivation of software companies. Companies seek to maximise profits, control markets and will therefore exploit any leeway that the government offers them. We do not invite the turkey to discuss the Christmas dinner. Therefore why do we accept “advice” from software companies and their interest groups about the best software strategy?
  • We need to break away from the idea that extensive outsourcing is necessary, effective or desirable. The raison d’être of government is to justly serve the legitimate needs of its citizens; it should therefore have detailed and inherent control over information systems. Stop the corporate-speak and ‘playing business’ by civil servants. Government is not a business, nor should it pretend to be. Outsourcing the control of information processing systems is contrary to the very principles of a democratic state for exactly the same reasons that outsourcing the military forces or the judiciary would be.
  • Make a clear distinction between political and administrative goals and the means of achieving them. Cutting costs can be realised in many ways, regaining national sovereignty in only one.
  • As long as desktop projects implemented under the guise of “efficiency through economy-of-scale” result in each desktop costing 6600,- Euros per annum, this kind of bullshit-bingo is completely risible. Keep IT managers and other decision makers who don’t know the difference between desktop-standards and a "standard-desktop" away from such projects.