The TTIP Tragedy

europeYesterday, the European Parliament passed a draft report containing the EP’s recommendations to the Commission on the negotiations for TTIP. TTIP is the “free trade” treaty that is being negotiated between the US and the EU. It is the latest chapter in a long range of abbreviations across the world, from ACTA, to CETA, to TPP, TISA, etc. The end goal for TTIP is to create a single, massive free trade area/single market between the United States and the European Union member states. In practice, this requires that our standards be lowered to theirs and American businesses given unfettered access to the European markets (and in name vice versa, but it remains to be seen whether that will be the case in reality.)

The negotiations with the United States are being conducted in secret. There are various MEPs who are regularly informed about the progress of the negotiations, but they are prevented from saying anything substantial about the actual contents of the documents currently on the table. The peoples of Europe have no influence and no say in what makes it in the final treaty. Most of the Members of the European Parliament also have no idea about the exact contents of the negotiating document, and what is currently on the table. The European Parliament will vote on TTIP when the treaty is completed, but does not have the power to make amendments to the final text. This is a massive shame, since this treaty will influence us in major ways. In practice, it will open up our markets to American big business, while the effect for European middle and small enterprises are almost non-existent (as the vast majority of SMEs will not make the step to export to the United States).

Negligible Economic Advantages

The long-term economic advantages of TTIP to Europe is in fact completely negligible. Karel De Gucht, the previous EU Commissioner for Trade until 2014, claimed that TTIP will create lots of jobs in Europe, when in fact, we’re looking at an increase of GDP of at most 0.4 to 0.5 percent over a time period of decades. Claiming that this treaty will be about job creation and creating opportunities for workers on both continents is just completely dishonest, as also claimed in a blog on the U.S. Center for Economic and Policy Research (CEPR) website. According to various studies, the economic advantages are quite negligible. Incidentally, when De Gucht was confronted by some questions asked by the journalist regarding the alleged economic advantages of TTIP, he couldn’t provide an answer. And these are the sorts of people in charge of these things?

ISDS With A Different Name

ttip-2One important aspect that hasn’t been scrapped in the new resolution is the notorious ISDS provision (Investor-State Dispute Settlement). ISDS is a arbitration provision, that basically says that if a corporation thinks that a certain law passed by a nation-state’s parliament is hurting the profits of the corporation, they will have a way to sue the state for damages, in practice amounting to hundreds of millions of euro’s.

The most laughable thing about this arbitration commission is, that in the initial proposals, it consists of 3 lawyers, one of which will be from the company and another one from the nation state; the third one to be decided by the 2 parties. No legitimate judge would be asked to take this decision, and this provision has the potential to hurt democracy in a massive way. That this was even up for serious discussion is simply insane. When we as people can no longer decide for ourselves what we do and do not allow onto the market, because we should always take into account whether or not that will hurt someone’s business model, what independence do we have left? What will be left of the people’s sovereignty, granted to them by international law?

The ironic thing is that in the latest resolution passed by the European Parliament (P8_TA-PROV(2015)0252), the term “ISDS” has been replaced with: ‘a system for resolving disputes between investors and states’. Tell me: how is that different from “Investor-State Dispute Settlement”? This was just a different term used in the new resolution just so some fractions in the European Parliament can say: “Look people, we stopped ISDS!”, while at the same time the Commission and the negotiating team can say to the Americans that it’s still in. In effect, nothing has changed on this point. The entire concept of investors suing states for damages because legislation is a threat to their business model, and doing so in kangaroo courts, is an utter travesty to the legal system.

Another problem is that big corporations have an excessive influence on European policy-making. During the preparatory phase of TTIP, 590 meetings took place between the Commission and corporate lobbyists. 92% of these meetings were with representatives of big business. In fact, quite a few sentences in the proposals are directly written by the lobbyists, and made it in the proposals virtually unchanged. And this is not only a problem for TTIP, this happens all the time.

Consequences of Arbitrary Arbitration

An example of where this could lead to is the case of Achmea vs the Republic of Slovakia. In this case, Achmea (which is a major Dutch insurance conglomerate) sued the Slovak Republic for damages because they wanted to re-nationalise their health care system. Of course, Achmea stood to lose millions of euros in potential profits due to this policy change, so they sued, citing alleged breaches of the Treaty on encouragement and reciprocal protection of investments between the Czech and Slovak Federal Republic and the Kingdom of the Netherlands. Luckily, the arbitration committee in this case dismissed all of Achmea’s claims, and recognised the sovereignty of the Slovak Republic to make these kinds of policy decisions.

Now imagine what happens when TTIP is implemented, on a massive scale and in a vast area across many different industries? What sovereignty do we have left when we have to think about protecting the profits of huge corporations with each and every policy decision?

Investor-State Dispute Settlement is wholly unnecessary

Protecting investments by means of arbitration committees only makes sense if your trading partner is a country without a well-developed and functioning legal system. It does not make sense whatsoever in the context of a free trade deal between the United States and the EU, since European countries do have functioning legal systems. It isn’t a union of banana republics. At least not yet. So any investment arbitration mechanism in the TTIP treaty that circumvents the nation states’ legal system is wholly unnecessary. The only reason it will make it into the treaty is to give big business a lot more power to overrule the decisions made by our elected representatives. One step closer to a United States of Europe, which in the vision of eurocrats the likes of Guy Verhofstadt is only complete when it stretches from California to the Caspian Sea.

Benito Mussolini, the fascist Italian dictator during WWII, once defined fascism as: the merger of the corporate with the state. When TTIP is passed, the corporate is the state! We will open our European markets up to American multinationals who, as we know, have little concern for labour standards, food safety regulations, and more. It will amount to us lowering our standards to theirs in the interest of “free trade”.  If we don’t lower our standards, that would imply that the United States would raise theirs, which is extremely unlikely to happen in the current political climate. It will introduce a dispute settlement system that is actively hostile to the very principle of democracy. And our parliaments will have no say in the matter. Despite what the average eurocrat says, these are very real dangers. But there are even more reasons not to want this trade agreement with the United States.

Free Trade? With the people who spy on their allies?

nsaRecently, news came out that the United States NSA spied on the German Chancellor and her most senior officials and also on the last 3 Presidents of the French Republic. These documents on WikiLeaks also reveal that the US has a decade-long policy of economic espionage, and is intercepting all French corporate contracts and deals valued over $200 million.

Two years after Edward Snowden’s revelations were made public, we have seen a move towards more secrecy, more surveillance, and more corporatism, and a lot less transparency and accountability. Transparency and accountability is also a major issue within the EU institutions and in particular the TTIP negotiations, but I’ll get to that it a bit.

Over the last 2 years we have seen moves by various European intelligence agencies to imitate the NSA and GCHQ in their capabilities. Just recently, the Dutch government released for public consulting a proposal aimed to give the AIVD, more power, authorising them to start tapping cable-bound communications.

Also, the FBI by means of James Comey and others in the US and UK (Cameron, May) are desperately trying to ban encryption, against all expert advice. Banning encryption makes us less secure, preventing, for example, banks and corporations from protecting our personal data against interception by criminals. Without encryption we cannot securely shop online, we cannot message online, businesses cannot keep their trade secrets confidential, etc. Encryption is essential to the internet, and essential to innovation.

The important point is this: Do we really want to increase cooperation in the areas of trade and industry, across all sectors, with the country that has been spying on us and disregards its own Constitution and rule of law? Do we really think that is in the interest of European citizens?

I wonder what would happen in the following hypothetical situation. Let’s say for the sake of argument that it is revealed that the Bundesnachrichtendienst (Germany’s foreign intelligence agency) has been spying on the last 3 US Presidents. Would the US then take the initiative and start negotiating a trade deal and much closer cooperation with the Europeans? Or would these actions be strongly condemned and action taken to prevent these actions in the future? I think we know what the response of the US in this hypothetical situation would likely be. However, in the real world, the US has been spying on the Europeans for decades on a massive scale, and we still don’t reconsider who our allies are?

verhofstadt_van_baalenWe still mindlessly follow the US lead when it comes to demonising Russia, we don’t consider what actions are in the best interest of European businesses, we continue to give the US great advantages as they continue to stir up trouble, start revolutions and regime changes in Ukraine, hurting stability in the entire region, with MEPs Verhofstadt & Van Baalen joining in, calling for regime change on Maidan square.

The fact that US foreign policy is not a force of good in the world would already be grounds to scrap this entire treaty altogether.

Europe’s democratic deficit


An Ancient Greek ὄστρακον (ostrakon), mentioning Megacles, son of Hippocrates (inscription: ΜΕΓΑΚΛΕΣ ΗΙΠΠΟΚΡΑΤΟΣ), 487 BC. In the ancient Athenian democracy, ὄστρακον were pieces of discarded pottery that people would scratch a name into to cast their vote of who to banish from the city.

Some people may accuse me of being Eurosceptic. That is not the case: I like the concept of European cooperation and integration, I have many clients across Europe, I like the fact that I am able to travel, live, and work anywhere in the European Union. That is not the problem, and in fact, one of the greatest achievements of close European cooperation.

What is the problem, however, is the clear lack of democracy and transparency at the European level at various European institutions. European elections are held to elect Members for a small piece of the pie that is the European Parliament (depending on the country you’re from the piece may be bigger or smaller), but other than that, the European institutions are completely closed from all meaningful interactions with European citizens. The Commission is not elected, and all other European institutions that make or influence European policy also have unelected officials who decide on things. We have 4 different Presidents responsible for God knows what, and all unelected. This is the major problem with the Union, and the thing in my opinion needs to be fixed before we start thinking about further expansion, or the transfer of even more powers to Brussels.

Europe should embrace democracy, not eschew it, like we could see yet again prior to the latest Greek referendum, when various European leaders made threats to the Greek people about the consequences should they not agree to more austerity. Even the President of the European Parliament, Mr. Martin Schultz has made such threats, which is wholly unbecoming of a President of a poor excuse of a Parliament, who should be above all parties, and adhere to independence from such political opinions.

Democracy is a great concept, invented in the 5th century BCE by the ancient Athenians in Greece. We should do more of it!

The Sad Truth

The sad truth regarding TTIP is that — based on the resolution just passed by the EP — I can already make the prediction regarding the final verdict of the European Parliament when the TTIP final document is finally presented to them: they will pass it, and it’ll probably include some sort of ISDS provision. There will probably be time pressure involved, requiring MEPs to read and interpret thousands of pages of legalese in a very short time-frame, which ensures that no MEP will actually read the document they vote on.

And when TTIP is passed, corporate fascism in Europe has won.

Belgian Privacy Commission Found Facebook in Violation of EU and Belgian Privacy Law


About two weeks ago KU Leuven University and Vrije Universiteit Brussel in Belgium published a report commissioned by the Belgian Privacy Commission about the tracking behaviour of Facebook on the internet, more specifically how they track their users (and non-users!) through the ‘Like’ buttons and Share buttons that are found on millions of websites across the internet.

Based on this report and the technical report, the Belgian Privacy Commission published a recommendation, which can be found here. A summary article of the findings is also published.


The results of the investigation are depressing. It was found that Facebook disregards European and Belgian privacy law in various ways. In fact, 10 legal issues have been found by the commission. Facebook frequently dismisses its own severe privacy violations as “bugs” that are still on the list of being fixed (ignoring the fact that these “bugs” are a major part of Facebook’s business model). This allows them to let various privacy commissioners think that privacy violations are the result of unintended functionality, while in fact it is, the entire business model of Facebook is based on profiling people.

Which law applies?

Facebook also does not recognise the fact that in this case Belgian law applies, and claims that because they have an office in Ireland, that they are only bound by Irish privacy law. This is simply not the case. In fact, the general rule seems to be that if you focus your site on a specific market, (let’s say for example Germany), as evidenced by having a German translation of your site, your site being accessible through a .de top-level domain, and various other indicators as well (one option could be the type of payment options provided, if your site offers ways to pay for products or services, or maybe marketing materials), then you are bound by German law as well. This is done to protect German customers, in this example case.

The same principle applies to Facebook. They are active world-wide, and so should be prepared to make adjustments to their services such that they comply with the various laws and regulations of all these countries. This is a difficult task, as laws are often incompatible, but it’s necessary to safeguard consumers’ rights. In the case of Facebook, if they would build their Like and Share buttons in such way that they don’t phone home on page load and don’t place cookies without the user’s consent, they would have a lot less legal problems. The easiest way to comply if you run such an international site, is take the strictest legislation, and implement it such that it complies with that.

In fact, the real reason why Facebook is in Ireland is mostly due to tax reasons. This allows them to evade taxes, by means of the Double Irish and Dutch Sandwich financial constructions.

Another problem is that users are not able to prevent Facebook from using the information they post on the social network site for purposes other than the pure social network site functionality. The information people post, and other information that Facebook aggregates and collects from other sources, are used by Facebook for different purposes without the express and knowing consent of the people concerned.

The problem with the ‘Like’ button

Special attention was given to the ‘Like’ and ‘Share’ buttons found on many sites across the internet. It was found that these social sharing plugins, as Facebook calls them, place a uniquely identifying cookie on users’ computers, which allows Facebook to then correlate a large part of their browsing history. Another finding is that Facebook places this uniquely identifying datr cookie on the European Interactive Digital Advertising Alliance opt-out site, where Facebook is listed as one of the participants. It also places an oo cookie (which presumably stands for “opt-out“) once you opt out of the advertising tracking. Of course, when you remove this cookie from your browser, Facebook is free to track you again. Also note that it does not place these cookies on the US or Canadian opt-out sites.

As I’ve written earlier in July 2013, the problem with the ‘Like’ button is that it phones home to Facebook without the user having to interact with the button itself. The very act of it loading on the page means that Facebook gets various information from users’ browsers, such as the current page visited, a unique browser identifying cookie called the datr cookie, and this information allows them to correlate all the pages you visit with your profile that they keep on you. As the Belgian investigators confirmed, this happens even when you don’t have an account with Facebook, when it is deactivated or when you are not logged into Facebook. As you surf the internet, a large part of your browsing history gets shared with Facebook, due to the fact that these buttons are found everywhere, on millions of websites across the world.

The Filter BubblePersonal data points

A major problem of personalisation technology, like used by Facebook, but also Google, and others, is that it limits the information users are exposed to. The algorithm learns what you like, and then subsequently only serves you information that you’re bound to like. The problem with that is, that there’s a lot of information that isn’t likeable. Information that isn’t nice, but still important to know. And by heavily filtering the input stream, these companies influence our way of how we think about the world, what information we’re exposed to, etc. Eli Pariser talks about this effect in his book The Filter Bubble: What the Internet is Hiding From You, where he did a Google search for ‘Egypt’ during the Egyptian revolution, and got information about the revolution, news articles, etc. while his friend only got information about holidays to Egypt, tour operators, flights, hotels, etc. This is a vastly different result for the exact same search term. This is due to the heavy personalisation going on at Google, where algorithms refine what results you’re most likely to be interested in, by analysing your previously-entered search terms.

The same happens at Facebook, where they control what you see in your news feed on the Facebook site, based on what you like. Problem is that by doing that a few times, soon you’re only going to see information that you like, and no information that’s important, but not likeable. This massively erodes the eventual value that Facebook is going to have, since eventually, all Facebook will be is an endless stream of information, Facebook posts, images, videos that you like and agree with. It becomes an automatic positive feedback machine. Press a button, and you’ll get a cookie.

What value does Facebook then have as a social network, when you never come in touch with radical ideas, or ideas that you initially do not agree with, but that may alter your thinking when you come in touch with them? By never coming in touch with extraordinary ideas, we never improve. And what a poor world that would be!

Dutch Data Retention Law Struck Down

Good news on privacy protection for once: after an 11 March 2015 ruling of the Court of The Hague in the Netherlands in the case of the Privacy First Foundation c.s. versus The Netherlands, the court decided to strike down the Dutch data retention law. The law required telecommunication providers and ISPs to store communication and location data from everyone in the Netherlands for a year. The court based its decision on the reasoning that a major privacy infringement of this magnitude needs proper safeguards. The safeguards that were put in place were deemed insufficient by the court. There is too much room for abuse of power in the current law, which was the reason for the The Hague Court to strike it down, effective immediately.

An English article by the Dutch Bits of Freedom foundation explains it in more detail here. An unofficial translation of the court’s decision in English can be found here.

The question remains what will happen now. The law has been struck down, so it seems logical to scrap it entirely. Whether that will happen, or whether the decision stands should the Ministry of Security and Justice appeal the decision, time will tell.

RT Going Underground Interview About Regin

I recently did an interview with RT‘s Going Underground programme, presented by Afshin Rattansi. We talked about the recently-discovered highly sophisticated malware Regin, and whether GCHQ or some other nation state could be behind it. The entire episode can be watched here. For more background information about Regin, you can read my article about it.

With Politicians Like These, Who Needs Terrorists?

The text on the cover says: "Love is stronger than hate."

The text on the cover says: “Love is stronger than hate.”

Last week, on the 7th of January 2015, the satirical magazine Charlie Hebdo‘s office in Paris was attacked by Islamic fundamentalists. Charlie Hebdo is a French satirical magazine featuring jokes, cartoons, reports etcetera. that is stridently anti-conformist in nature. They make fun of politics, Judaism, Christianity and Islam and all other institutions. Like all of us they have every right to freedom of expression. But alas, fundamentalists did not agree, and opted to violently attack their office in Paris with assault rifles and rocket propelled grenades, leaving 12 people killed and 11 wounded. This was a terrible attack, and my heart goes out to the families and their colleagues and friends who have lost their loved ones.

After the attack, there was (rightly so) worldwide condemnation and the sentence “Je suis Charlie,” French for “I am Charlie,” became the slogan of millions. What I am afraid of however, is not the terrorists who perpetrate these attacks. What frightens me more, is the almost automatic response by politicians who immediately see reasons to implement ever more oppressive legislation, building the surveillance state. After all, the goal of terrorism is to change society by violent means. If we allow them to, the terrorists have already won. Their objective is completed by our own fear.

Hypocrites At The March

When I was watching footage of the march in Paris for freedom of expression I saw that a lot of government leaders were present, most of whom severely obstructed freedom of expression and freedom of the press in their home countries. Now they were were at the march, claiming the moral high ground and claiming to be the guardians of press freedom.

Here’s an overview of some of the leaders present at the march and what they did in relation to restricting press freedom in their own countries, courtesy of Daniel Wickham, who made this list and published it on his Twitter feed:

Politicians like the ones mentioned above, but also the likes of May (UK Home Secretary), Opstelten (the Netherlands’ Justice Minister) and many others are jumping on the bandwagon again to implement new oppressive laws limiting freedom of expression and the civil and human rights of their peoples. With leaders like these, who needs terrorists? Our leaders will happily implement legislation that will severely curtail our freedoms and civil liberties instead of handling the aftermath of tragic events like these as grown-ups. It would be better if they viewed participating in the march as a starting point to start improving the situation in the areas of freedom of expression and freedom of the press at home.

The Political Consequences Of Terrorist Attacks

What frightens me is the fact that people like Andrew Parker, head of MI5, the kind of person who normally never makes headlines, is given all the space he needed to explain to us “why we need them,” to put it in the words of High Chancellor Adam Sutler, the dictator from the film “V for Vendetta,” which is set in a near-future British dystopia. UK Chancellor George Osborne immediately said in response to the piece by Andrew Parker that MI5 will get an extra £100 million in funding for combating Islamic fundamentalism. David Cameron has confirmed this.

Politicians are using the tragic events in Paris as a way to demand more surveillance powers for the intelligence community in a brazen attempt to curtail our civil liberties in a similar way to what happened after the 9/11 attacks.

All the familiar rhetoric is used again, how it’s a “terrible reminder of the intentions of those who wish us harm,” how the threat level in Britain worsened and Islamic extremist groups in Syria and Iraq are trying to attack the UK, how the intelligence community needs more money to gather intelligence on these people, how our travel movements must be severely restricted and logged, the need for increased security at border checks, a European PNR (Passenger Name Record) (which, incidentally would mean the end of Schengen, one of the core founding principles on which the EU was founded — freedom of movement). The list goes on and on.

A trend can be seen here. UK Home Secretary Theresa May wants to ban extremist speech, and ban people deemed extremist from publicly speaking at universities and other venues. The problem with that is that the definition of extremist is very vague, and certainly up for debate. Is vehemently disagreeing with the government’s current course in a non-violent way extremist? I fear that May thinks that would fit the definition. This would severely curtail freedom of speech both on the internet and in real life, since there are many people who disagree with government policies, and are able to put forward their arguments in a constructive manner.

Before we can even begin to implement laws like these we need to discuss what extremism means, what vague concepts like “national security” mean. There are no clear definitions for these terms at this point, while the legislation that is being put into place since 9/11 is using these vague notions intentionally, giving the security apparatus way too much leeway to abuse their powers as they see fit.

I read that Cameron wants to ban all encrypted communications, since these cannot be decrypted by the intelligence community. This would mean that banks, corporations and individuals would leave themselves vulnerable to all kinds of security vulnerabilities, including identity theft among others, vulnerabilities which cryptographic technologies are meant to solve.

Cryptography is the practice of techniques for secure communication in the presence of adversaries. Without cryptography, you couldn’t communicate securely with your bank, or with companies that handle your data. You also couldn’t communicate securely with various government agencies, or health care institutions, etcetera. All these institutions and corporations handle sensitive information about your life that you wouldn’t want unauthorised people to have access to.  This discussion about banning cryptography strongly reminds me of the Crypto Wars of the 1990s.

Making technologies like these illegal only serves to hurt the security of law-abiding citizens. Criminals, like the people who committed the attacks at Charlie Hebdo, wouldn’t be deterred by it. They are already breaking the law anyway, so why worry? But for people who want to comply with the law, this is a serious barrier, and restricting cryptography only hurts our societies’ security.

Norwegians’ Response to Breivik

Instead of panicking, which is what these politicians are doing right now, we should instead treat this situation with much more sanity. Look for instance to how the Norwegians have handled the massacre of 77 people in Oslo and on the Norwegian island of Utøya by Anders Behring Breivik on July 22nd, 2011.

Breivik attacked the Norwegian government district in Oslo, and then subsequently went to Utøya, where a large Labour Party gathering was taking place. He murdered 77 people in total.

The response by the Norwegians was however, very different from what you would expect had the attack taken place in the UK, the US or The Netherlands, for instance. In these countries, the reaction would be the way it is now, with the government ever limiting civil liberties in an effort to build the surveillance state, taking away our liberties in a fit of fear. The Norwegians however, urged that Norway continued its tradition of openness and tolerance. Memorial services were held, the victims were mourned, and live went on. Breivik got a fair trial and is now serving his time in prison. This is the way to deal with crises like this.

Is Mass Surveillance Effective?

The problem with more surveillance legislation is the fact that it isn’t even certain that it would work. The effectiveness of the current (already quite oppressive) surveillance legislation has never been put to the test. Never was a research published that definitively said that, yes, storing all our communications in dragnet surveillance has stopped this many terrorist attacks and is a valuable contribution to society.

In fact, even the White House has released a review of the National Security Agency’s spy programmes in December 2013, months after the first revelations by Edward Snowden, and this report offered 46 recommendations for reform. The conclusion of the report was predictable, namely that even though the surveillance programmes have gone too far, that they should stay in place. But this report has undermined the NSA’s claims that the collection of meta-data and mass surveillance on billions of people is a necessary tool to combat terrorism.

The report says on page 104, and I quote:

“Our review suggests that the information contributed to terrorist investigations by the use of Section 215 telephony meta-data was not essential to preventing attacks and could readily have been obtained in a timely manner using conventional Section 215 orders.”

And shortly after Edward Snowden’s revelations about the existence of some of these programmes were published, former director of the NSA Keith Alexander testified to the Senate in defence of his agency’s surveillance programmes. He claimed that dozens of terrorist attacks were stopped because of the mass surveillance, both at home and abroad. This claim was also made by President Obama, who said that it was “over 50.” Often, 54 is the exact number quoted. Alexander’s claim was challenged by Senators Ron Wyden (D-OR) and Mark Udall (D-CO), who said that they “had not seen any evidence showing that the NSA’s dragnet collection of Americans’ phone records has produced any valuable intelligence.” The claim that the warrant-less global dragnet surveillance has stopped anywhere near that number of terrorist attacks is questionable to say the least, and much more likely entirely false.

More oppressive dragnet surveillance measures aren’t helping with making the intelligence community any more efficient at their job. In fact, the more intelligence gets scooped up in these dragnet surveillance programmes, the less likely it becomes that a terror plot is discovered before it occurs, so that these may be stopped in time. More data needs to be analysed, and there’s only so much automatic algorithms can do when tasked with filtering out the non-important stuff. In the end, the intel needs to be assessed by analysts in order to determine their value and if necessary act upon it. There is also the problem with false positives, as people get automatically flagged because their behaviour fits certain patterns programmed into the filtering software. This may lead to all sorts of consequences for the people involved, despite the fact that they have broken no laws.

Politicians can be a far greater danger to society than a bunch of Islamic terrorists. Because unlike the terrorists, politicians have the power to enact and change legislation, both for better and for worse. When we are being governed by fear, the terrorists have already won.

The objective of terrorism is not the act itself. It is to try and change society by violent means. If we allow them to change it, by implementing ever more oppressive mass surveillance legislation (in violation of Article 8 of the European Convention on Human Rights (ECHR)), or legislation that restricts the principles of freedom of the press and freedom of speech, enshrined in Article 10 of the ECHR, freedom of assembly and association enshrined in Article 11, or of freedom of movement which is one of the basic tenets on which the European Union was founded, the terrorists have already won.

Let’s use our brains and think before we act.

Talk at Logan Symposium 2014, London

A few weeks ago, I was in London at the Logan Symposium 2014, which was held at the Barbican Centre in London from 5 to 7 December 2014. During this event, I gave a talk entitled: “Security Dilemmas in Publishing Leaks.” (slides, PDF) The event was organised by the Centre for Investigative Journalism in London.

The audience was a switched-on crowd of journalists and hacktivists, bringing together key figures in the fight against invasive surveillance and secrecy. and it was great to be there and to be able to provide some insights and context from a technological perspective.

The Ukrainian Veto: Why The MH17 Report Will Not Reveal The Truth

On November 26, 2014 it was revealed by the Dutch news outlet RTL Nieuws that there exists a confidentiality agreement that was signed by the Netherlands, Belgium, Australia and the Kiev regime in Ukraine that gives each of the signatories a veto on any information that comes out of the investigation.

The existence of this confidentiality agreement is confirmed by the Australian Government, more specifically by Melissa Stenfors, Acting Director of the Crisis Management & Contingency Planning Section of the Department of Foreign Affairs and Trade:

Veto_Australia_Ukraine_MH17Later, the authenticity of this letter was confirmed by the Australian Ministry of Foreign Affairs and Trade in the following statement to RTL Nieuws:

“The letter to which you refer is authentic. Australia, The Netherlands, Belgium and Ukraine have signed a non-disclosure agreement with respect to the criminal investigation into the downing of Malaysian Airlines flight MH17.

This agreement requires consensus among the parties before information regarding the investigation can be released. The non-disclosure of information is important to avoid jeopardising the investigation or prejudicing a future judicial proceeding arising from the investigation.

The Joint Investigation Team non-disclosure agreement was communicated in confidence by foreign governments, and, as a result, cannot be made public.”

(emphasis mine)

An Elsevier magazine Freedom of Information Act (Wob) request to reveal the contents of the confidentiality agreement mentioned above, along with 16 other documents concerning the investigation was denied by the Dutch cabinet.


Unanswered Questions

So far, the investigation into the downing of Malaysian Airlines Flight MH17 is poorly done. The Dutch Safety Board (Onderzoeksraad voor Veiligheid) published a preliminary report about MH17 on 9 September 2014. This report was unsatisfactory for many parties. Basically it only says that the damage to the front section of the fuselage and the cockpit indicates that the plane was hit by a large number of high-energy projectiles coming from outside the aircraft, and that the damage pattern does not match with any damage one would expect in case of failure of the aircraft’s engines or other systems. In any case, there are no indications of any technical or operational problems with the aircraft or its crew prior to the CVR (Cockpit Voice Recorder) and FDR (Flight Data Recorder) stopping their recordings at 13:20:03 hours.

Important questions still remain unanswered, like whether the damage was caused by an air-to-air missile (which would support the Russians’ claims of a Ukrainian fighter jet near the Malaysian airliner), or surface-to-air (which supports the Buk weapons system theory). In the case of a surface-to-air missile, it still remains to be seen who fired the weapon at the time. Satellite pictures that claim that the Buk was operated by the rebels and then transported out of eastern Ukraine into the Russian Federation are very grainy, and one cannot discern any important details, let alone confirm their authenticity. These questions have not yet been answered, let alone asked by the investigation team (at least as far as we know).

The existence of the confidentiality agreement however, is very problematic. Especially if it contains, as sources seem to indicate, a veto right for all parties, including Ukraine. What if the investigation does reveal something that might point to the Ukrainians being behind the MH17 disaster? Would that ever get published? I think not, given the fact that they have a veto. Basically, the way this investigation was set-up, almost guarantees an outcome that will absolve the Ukrainians of any blame in the disaster. When the report does come out eventually, it will no doubt serve as new fuel on the pyre, with the West trying to blame Russia for the downing of MH17. Another reason why the investigation might be slow-going, besides the obvious difficulties in collecting all the evidence, is because the release of the final report might need to be carefully timed, released only when there’s a lull in the anti-Putin rhetoric, and this could then serve to ignite people’s anger and play on emotions to start a war with Russia. Which is a horrible thought, and I certainly do not hope things will play out this way.

But just as we have been stumbling into World War One, some of the signs are seen again nowadays. For instance, just look at the sheer level of propaganda found in the mainstream media, impervious to facts and reason. We are stumbling into another World War before we realise what happened. As the distinguished journalist John Pilger so brilliantly said during his speech at the Logan Symposium in London this month, “the most effective propaganda is not found in the Sun or on Fox News, but beneath a liberal halo.” We need to find the counter-narrative, figure out what is really going on to try and prevent this tragedy from happening.

It pains me to see how the U.S. is using Europe as its playground, themselves safely removed far away across the Atlantic Ocean, and we Europeans are allowing them to. Why should we be so subservient to a nation whose foreign policy in the past 70 years has only contributed to igniting crises and wars across the world? South America was ravaged by U.S. foreign policy, as was Vietnam, Cambodia, Laos, Afghanistan, Iraq, Syria, Pakistan, Yemen, Somalia, Cuba, and countless of other countries. Innocent citizens across the globe now have to live with the very real and daily fear of extra-judicial murder in the form of drone strikes, personally ordered and authorised by President Obama every Tuesday, extraordinary renditions (kidnapping) to “black sites” in countries like Poland and Romania where people are subject to CIA torture, as the executive summary of the Senate Select Committee on Intelligence Torture Report (PDF) recently revealed.

And the sad thing is, I’m not seeing any significant change in the US, where pundits the likes of Dick Cheney are still trumpeting torture (euphemistically called “enhanced interrogation”). When the Nazi’s were defeated after the Second World War, they were brought before the court during the Nuremberg trials, and some of the people deemed mainly responsible for the crimes against humanity and war crimes committed under Hitler’s regime were executed for their crimes. In the US, there isn’t even the slightest hint of a criminal investigation into the people responsible for the torture committed by CIA personnel and contractors, either directly or indirectly.

The Second Cold War

The coup in Ukraine was used to try and lure Russia into a second Cold War. A massive misinformation campaign was mounted in the Western press which totally ignored the real cause of the current crisis in Ukraine, namely the US putsch to oust the pro-Russian Yanukovich from power and install the pro-US Yatsenyuk. Yanukovich was democratically elected, Yastenyuk was not. On Maidan square, snipers attacked both the pro- and anti-Yanokovich protesters. The telephone conversation Victoria Nuland (Assistant Secretary of State) held with Geoffrey Pyatt (U.S. Ambassador to Ukraine) that was intercepted and posted to YouTube was blacked out from the mainstream media. This offered compelling evidence that the Ukrainian crisis was a U.S. led coup.

I have written extensively about the coup previously, explaining that NATO expansion after the Cold War ended has put Russia on edge, as they are obviously concerned about their national security. When the Soviets did a similar thing in Cuba, this led to Cuban Missile Crisis in October 1962. Why is it OK for the U.S. to respond by blockading Cuba, but when it’s Russia’s national security that is being threatened by NATO’s military bases, these legitimate concerns are hand-waved away and ignored? American exceptionalism has no place in the 21st century, or in fact, in any century.

After the referendum on the status of the Crimea, where the vast majority of the (mostly ethnic Russian) population (96.77% in fact) voted to re-join the Russian Federation, after the separation of the Crimea from Russia by Nikita Khrushchev in 1954, the Russians were immediately blamed for annexing the area. However, there were no such outcries when Kosovo declared itself independent from Serbia (without a referendum, mind you). In the case of Kosovo, it suited the Western powers, in the case of the Crimea, it did not.

The Crimea is of strategic importance to the Russians, as their Black Sea Fleet is based in the Crimean city of Sevastopol. When the Ukrainian coup started, Russia was getting increasingly concerned about whether it would be able to continue its lease of the military base, which was set to expire in 2042. Losing access to the base would be difficult, as Sevastopol’s warm water port, its natural harbour and the extensive infrastructure already in place there currently makes it one of the best-outfitted naval bases in the Black Sea. Sevastopol also allows the Russians relatively quick and easy access to the Mediterranean. The Russian Mediterranean Task Force, which is based in Sevastopol, was previously used to remove Syrian chemical weapons and conduct anti-piracy operations near Somalia.

All I hope is that the current crisis will be resolved quickly, as the path we currently seem to be on (one almost inevitably leading to war), is a foolish endeavour, and we need to realise that talking and diplomacy will get us much further than empty threats and baseless allegations. We’ve previously seen what US interference does to countries, like in the 2003 invasion of Iraq, and the sanctions that were put in place before that. Millions of people have been displaced and killed in that conflict alone. We need to stop this madness and start the dialogue to understand and hear the valid concerns put forward. Only then can war be avoided.

Regin: The Trojan Horse From GCHQ

In 2010, Belgacom, the Belgian telecommunications company was hacked. This attack was discovered in September 2013, and has been going on for years. We know that this attack is the work of Western intelligence, more specifically, GCHQ, thanks to documents from Edward Snowden. This operation was called Operation Socialist. Now, however, we know a little bit more about how exactly this attack was done, and by what means. Internet connections from employees of Belgacom were sent to a fake LinkedIn page that was used to infect their computers with malware, called “implants” in GCHQ parlance. Now we know that Regin is the name given to the highly complex malware that seems to have been used during Operation Socialist.

Projekt 28Symantec recently reported on this malware (the full technical paper (PDF) can be found here), and it’s behaviour is highly complex. It is able to adapt to very specific missions and the authors have made tremendous effort to make it hard to detect. The malware is able to adapt and change, and since most of anti-virus detection relies on heuristics, or specific fingerprints of known malware, Regin was able to fool anti-virus software and stay undetected. However, Symantec put two and two together and has now revealed some of Regin’s inner workings.

fig3-countriesThe infections have ranged from telecoms and internet backbones (20% of infections), to hospitality (hotels, etc.), energy, the airlines, and research sectors but the vast majority of infections has been of private individuals or small businesses (48%). Also, the countries targeted are diverse, but the vast majority of attacks is directed against the Russian Federation (28%) and Saudi Arabia (24%).

The Regin malware works very much like a framework, which the attackers can use to inject various types of code, called “payloads” to do very specific things like capturing screen-shots, taking control of your mouse, stealing passwords, monitoring your network traffic and recovering files. Several Remote Access Trojans (also known as RATs) have been found, although even more complex payloads have also been found in the wild, like a Microsoft IIS web server traffic monitor (this makes it easy to spy on who visits a certain website etcetera). Another example of a highly complex payload that has been found is malware to sniff administration panels of mobile cellphone base station controllers.

How Regin Works

As mentioned above, Regin works as a modular framework, where the attackers can turn on/off certain elements and load specific code, called a “payload,” to create a Regin version that is specifically suited to a specific mission. Note that it is not certain whether all payloads have been discovered, and that there may be more than the ones specified in the report.

fig2-sectorsRegin does not appear to target any specific industrial sector, but infections have been found across the board, but mostly in telecom and private individuals and small businesses. Currently, it is not known what infection vectors can possibly be used to infect a specific target with the Regin malware, but one could for instance think of tricking the target into clicking on a certain link in an e-mail, visiting spoof websites, or maybe through a vulnerable application installed on the victim’s computer, which can be used to infect the target with Regin. In one instance, according to the Symantec report, a victim was infected through Yahoo! Instant Messenger. During Operation Socialist, GCHQ used a fake LinkedIn page to trick Belgacom engineers into installing the malware. So one can expect infection to take place along those lines, but other possibilities may of course exist.


The various stages of Regin.

Regin has six stages in its architecture, called Stage 0 to Stage 5 in the Symantec report. First, a dropper trojan horse will install the malware on the target’s computer (Stage 0), then it loads several drivers (Stage 1 and 2), loads compression, encryption, networking, and EVFS (encrypted file container) code (Stage 3), then it loads the encrypted file container and loads some additional kernel drivers, plus the payloads (Stage 4), and in the final stage (Stage 5) it loads the main payload and the necessary data files for it to operate.

The malware seems to be aimed primarily against computers running the Microsoft Windows operating system, as all of the files discussed in the Symantec report are highly Windows-specific. But there may be payloads out there which target GNU/Linux or OS X computers. The full extent of the malware has not been fully revealed, and it will be interesting to find out more about the exact capabilities of this malware. The capabilities mentioned in the report are already vast and can be used to spy on people’s computers for extended periods of time, but I’m sure that there must be more payloads out there, I’m certain that we’ve only scratched the surface of what is possible.

Regin is a highly-complex threat to computers around the world, and seems to be specifically suited towards large-scale data collection and intelligence gathering campaigns. The development would have required significant investments of time, money and resources, and might very well have taken a few years. Some components of Regin were traced back all the way to 2003.

Western Intelligence Origins?

In recent years, various governments, like the Chinese government, and the Russian government, have been implicated in various hacking attempts and attacks on Western infrastructure. In the article linked here, the FBI accuses the Russians of hacking for the purpose of economic espionage. However, Western governments also engage in digital warfare and espionage, not just for national security purposes (which is a term that has never been defined legally), but they also engage in economic espionage. In the early 1990s, as part of the ECHELON programme, the NSA intercepted communications between Airbus and the Saudi Arabian national airline. They were negotiating contracts with the Saudis, and the NSA passed information on to Boeing which was able to deliver a more competitive proposal, and due to this development, Airbus lost the $6 billion dollar contract to Boeing. This has been confirmed in the European Parliament Report on ECHELON from 2001. Regin also very clearly demonstrates that Western intelligence agencies are deeply involved in digital espionage and digital warfare.

Due to the highly-complex nature of the malware, and the significant amount of effort and time required to develop, test and deploy the Regin malware, together with the highly-specific nature of the various payloads and the modularity of the system, it is highly likely that a state actor was behind the Regin malware. Also, significant effort went into making the system very stealthy and hard for anti-virus software to detect. It was carefully engineered to circumvent anti-virus software’s heuristic detection algorithms and furthermore, some effort was put into making the Regin malware difficult to fingerprint (due to its modular nature)

Furthermore, when looking at the recently discovered attacks, and more especially where the victims are geographically located, it seems that the vast majority of attacks were aimed against the Russian Federation, and Saudi Arabia.

According to The Intercept and Ronald Prins from Dutch security company Fox-IT, there is no doubt that GCHQ and NSA are behind the Regin malware. Der Spiegel revealed that NSA malware had infected the computer networks of the European Union. That might very well been the same malware.


symantic_virus_discovery.siA similar case of state-sponsored malware appeared in June 2010. In the case of Stuxnet, a disproportionate amount of Iranian industrial site were targeted. According to Symantec, which has published various reports on Stuxnet, Stuxnet was used in one instance to change the speed of about 1,000 gas-spinning centrifuges at the Iranian nuclear power plant at Natanz, thereby sabotaging the research done by Iranian scientists. This covert manipulation could have caused an explosion at this nuclear facility.

Given the fact that Israel and the United States are very much against Iran developing nuclear power for peaceful purposes, thinking Iran is developing nuclear weapons instead of power plants, together with Stuxnet’s purpose to attack industrial sites, amongst those, nuclear sites in Iran, strongly indicates that the US and/or Israeli governments are behind the Stuxnet malware. Both of these countries have the capabilities to develop it, and in fact, they started to think about this project way back in 2005, when the earliest variants of Stuxnet were created.

Dangers of State-Sponsored Malware

The dangers of this state-sponsored malware is of course that should it be discovered, it may very well prompt the companies, individuals or states that the surveillance is targeted against to take countermeasures, leading to a digital arms race. This may subsequently lead to war, especially when a nation’s critical infrastructure is targeted.

The dangers of states creating malware like this and letting it out in the wild is that it compromises not only security, but also our very safety. Security gets compromised when bugs are left unsolved and back doors built in to let the spies in, and let malware do its work. This affects the safety of all of us. Government back doors and malware is not guaranteed to be used only by governments. Others can get a hold of the malware as well, and security vulnerabilities can be used by others than just spies. Think criminals who are after credit card details, or steal identities which are subsequently used for nefarious purposes.

Governments hacking other nations’ critical infrastructure would constitute an act of war I think. Nowadays every nation worth its salt has set up a digital warfare branch, where exploits are bought, malware developed and deployed. Once you start causing millions of Euros worth of damage to other nations’ infrastructure, you are on a slippery slope. Other countries may “hack back” and this will inevitably lead to a digital arms race, the damage of which does not only affect government computers and infrastructure, but also citizens’ computers and systems, corporations, and in some cases, even our lives. The US attack on Iran’s nuclear installations with the Stuxnet malware was incredibly dangerous and could have caused severe accidents to happen. Think of what would happen had a nuclear meltdown occurred. But nuclear installations are not the only ones, there’s other facilities as well which may come under attacks, hospitals for instance.

Using malware to attack and hack other countries’ infrastructure is incredibly dangerous and can only lead to more problems. Nothing has ever been solved by it. It will cause a shady exploits market to flourish which will mean that less and less critical exploits get fixed. Clearly, these are worth a lot of money, and many people that were previously pointing out vulnerabilities and supplying patches to software vendors are now selling these security vulnerabilities off on the black market.

Security vulnerabilities need to be addressed across the board, so that all of us can be safer, instead of the spooks using software bugs, vulnerabilities and back doors against us, and deliberately leaving open gaping holes for criminals to use as well.

The Internet of Privacy-Infringing Things?

Let’s talk a little bit about the rapid proliferation of the so-called Internet of Things (IoT). The Internet of Things is a catch-all term for all sorts of embedded devices that are hooked up to the internet in order to make them “smarter,” able to react to certain circumstances, automate things etcetera. This can include many devices, such as thermostats, autonomous cars, etc. There’s a wide variety of possibilities, and some of them, like smart thermostats are already on the market, with autonomous cars following closely behind.

According to the manufacturers who are peddling this technology, the purpose of hooking these devices up to the internet is to be able to react better and provide more services that were previously impossible to execute. An example would be a thermostat that recognises when you are home, and subsequently raises the temperature of the house. There are also scenarios possible of linking various IoT devices together, like using your autonomous car to recognise when it is (close to) home and then letting the thermostat automatically increase the temperature, for instance.

There are myriad problems with this technology in its current form. Some of the most basic ones in my view are privacy and security considerations. In the case of cars, Ford knows exactly where you are at all times and knows when you are breaking the speed limit by using the highly-accurate GPS that’s built into modern Ford cars. This technology is already active, and if you drive one of these cars, this information (your whereabouts at all times, and certain metrics about the car, like the current speed, mileage, etc.) are stored and sent to Ford’s servers. Many people don’t realise this, but it was confirmed by Ford’s Global VP of Marketing and Sales, Jim Farley at a CES trade show in Las Vegas at the beginning of this year. Farley later retracted his statements after the public outrage, claiming that he left the wrong impression and that Ford does not track the locations of their cars without the owners’ consent.

Google’s $3.2 billion acquisition

google-nest-acquisition-1090406-TwoByOneNest Labs, Inc. used to be a separate company making thermostats and smoke detectors, until Google bought it for a whopping $3.2 billion dollars. The Nest thermostat is a programmable thermostat that has a little artificial intelligence inside of it that enables it to learn what temperatures you like, turns the temperature up when you’re at home and turns it down when you’re away. It can be controlled via WiFi from anywhere in the world via a web interface. Users can log in to their accounts to change temperature, schedules, and see energy usage.

Why did Google pay such an extraordinary large amount for a thermostat company? I think it will be the next battleground for Google to gather more data, the Internet of Things. Things like home automation and cars are markets that Google has recently stepped into. Technologies like Nest and Google’s driver-less car are generating massive amounts of data about users’ whereabouts and things like sleep/wake cycles, patterns of travel and usage of energy, for instance. And this is just for the two technologies that I have chosen to focus my attention on for this article. There are lots of different IoT devices out there, that eventually will all be connected somehow. Via the internet.

Privacy Concerns

One is left to wonder what is happening with all this data? Where is it stored, who has access to it, and most important of all: why is it collected in the first place? In most cases this collecting of data isn’t even necessary. In the case of Ford, we have to rely on Farley’s say-so that they are the only ones that have access to this data. And of course Google and every other company out there has the same defence. I don’t believe that for one second.

The data is being collected to support a business model that we see often in the tech industry, where profiles and sensitive data about the users of a service are valuable and either used to better target ads or directly sold on to other companies. There seems to be this conception that the modern internet user is used to not paying for services online, and this has caused many companies to implement the default ads-based and data and profiling-based business model. However, other business models, like the Humble Bundle in the gaming industry for instance, or online crowd-funding campaigns on Kickstarter or Indiegogo have shown that the internet user is perfectly willing to spend a little money or give a little donation if it’s a service or device that they care about. The problem with the default ads-based business model discussed above is that it leaves the users’ data to be vulnerable to exposure to third parties and others that have no business knowing it, and also causes companies to collect too much information about their users by default. It’s like there is some kind of recipe out there called “How to start a Silicon Valley start-up,” that has profiling and tracking of users and basically not caring about the users’ privacy as its central tenet. It doesn’t have to be this way.

Currently, a lot of this technology is developed and then brought to market without any consideration whatsoever about privacy of the customer or security and integrity of the data. Central questions that in my opinion should be answered immediately and during the initial design process of any technology impacting on privacy are left unanswered. First, if and what data should we collect? How easy is it to access this data? I’m sure it would be conceivable that unauthorized people would also be able to quite easily gain access to this data. What if it falls into the wrong hands? A smart thermostat like Google Nest is able to know when you’re home and knows all about your sleep/wake cycle. This is information that could be of interest to burglars, for instance. What if someone accesses your car’s firmware and changes it? What happens when driver-less cars mix with the regular cars on the road, controlled by people? This could lead to accidents.


And what to think of all those “convenient” dashboards and other web-based interfaces that are enabled and exposed to the world on all those “smart” IoT devices? I suspect that there will be a lot of security vulnerabilities to be found in that software. It’s all closed-source and not exposed to external code review. The budgets for the software development probably aren’t large enough to accommodate looking at the security and privacy implications of the software and implementing proper safeguards to protect users’ data. This is a recipe for disaster. Only when using free and open source software can proper code-review be implemented and code inspected for back-doors and other unwanted behaviour. And it generally leads to better quality software, since more people are able to see the code and have the incentives to fix bugs, etc. in an open and welcoming community.

Do we really want to live in a world where we can’t have privacy any more, where your whereabouts are at all times stored and analysed by god-knows who, and all technology is hooked up to each other, without privacy and security considerations? Look, I like technology. But I like technology to be open, so that smart people can look at the insides and determine whether what the tech is doing is really what it says on the tin, with no nasty side-effects. So that the community of users can expand upon the technology. It is about respecting the users’ freedom and rights, that’s what counts. Not enslaving them to closed-source technology that is controlled by commercial parties.