Marking Commissioner Malmström’s homework

Julian Huppert MP has broken new ground today (as far as I’m aware) by “crowd-sourcing” views on the newly-announced proposal for an EU Directive on Attacks Against Information Systems.

Having looked at the press release, my first impression of the Directive is that it is seriously unbalanced and needs to be substantially re-worked. As my teachers used (frequently, I’m afraid) to write on my prep: “Adequate as far as it goes, but I need to see more.”

I don’t deny that botnets and the like represent a potential threat to computing infrastructures, and thereby indirectly to interests such as consumer safety, commerce, and even national security – though one should also note that in their recent report for the OECD, Professor Peter Sommer (LSE) and Dr Ian Brown (Oxford University) argue convincingly that the majority of such threats are both localised and short-term in their effect. Let us not, then, rush to fling the cyber-baby out with the bathwater.

If we step back for a moment and balance the cyber-war rhetoric with Sommer and Brown’s more qualified perspective, the obvious shortcoming of the proposed EU Directive is that it focusses entirely on measures to prevent “illegal interception” and legislation against the use of malware… entirely ignoring the point that the technology to abuse online systems is often the same as the technology used to control it. The difference between lawful and unlawful interception is the prefix “un-”, not the means used.

With that in mind, the EU Directive comes across as a piece of work less than half finished. While the policymakers and drafters were considering how to prevent the activities they don’t want, they should have been devoting at least as much effort to considering how to regulate the activities they do want. Badly or insufficiently regulated, those activities do every bit as much social and economic harm as the threats the Directive is keen to stress.

This is by no means just about EU citizens, either. Every instance of bad or incomplete regulatory oversight in our own house is an excuse for repressive regimes to point to that bad example and say “look: that’s how they do it in the EU, so it must be acceptable”. We need only look at the suppression of internet services in Iran, Tunisia, Pakistan, Egypt and elsewhere to see how this leaves the door open to profound and damaging abuse of citizens’ rights and self-determination.

So, for every paragraph about the prevention of illegal activity, the Directive should contain a paragraph about the protection of legitimate activity – including legitimately anonymous and/or pseudonymous activity – and a paragraph about the regulation of law enforcement interception, data retention, content filtering, packet inspection and so on.

Regrettably, the Directive comes from the office of Cecilia Malmström, the EU’s Home Affairs Commissioner, and her reported views on this kind of thing do not inspire optimism. At the recent CPDP2011 conference in Brussels, she was quoted as having said “data retention is here to stay”. When the captains of industry say things like “privacy is no longer the social norm”, it makes them look ignorant. When policymakers simply acquiesce in such views, it makes them look dangerous.

As Hielke Hijmans (Head of Policy and Consultations for the EDPS) succinctly put it, at the same conference: “It’s not good enough for governments and policy-makers to say ‘privacy is dead, get over it’: the challenge for them is to work out how social privacy norms can be protected in an information society.”

I’m afraid that, in the margin of Ms Malmström’s prep, I can only write “B minus. A fair effort, but must try harder.”