Can funding open source bug bounties save Europe from mass-surveillance?

To protect citizens against mass-surveillance, a European Parliament study has recommended the EU finance open source audits and bug bounties, and consider restricting the export of personal data to give a space for local cloud services to emerge.

The recommendations come in a two-part study from the European Parliament for its committee on Civil Liberties, Justice and Home Affairs (LIBE), which is due to discuss the report in Brussels on Thursday.

Written by a dozen European security experts, the study says the “EU should promote and foster the development and usage of open protocols, open implementations and open systems in general”, because these allow for public scrutiny.

Other suggestions include regulations that require ISPs to provide adequate encryption over their entire networks, raising public awareness about citizens’ digital exhaust and the benefits of encryption; investing in information transparency; helping to make security and privacy a utility; and promoting regulations that force cloud providers to adopt maximum privacy and security settings by default.

The study, which is only meant to inform LIBE of possible policy options, doesn’t shy away from controversial actions the EU could adopt for dealing with security and privacy in a “post-Snowden” world, and touches on issues related to the EU’s charge that Google harmed smaller, local rivals. On this front, the report proposes going beyond Europe’s tough proposed data protection directive to impose “stronger limits on exporting personal data”. Besides the privacy benefits, it notes, this could also stimulate European cloud, social media and search engine providers.

It also canvasses the technical realities of mass-surveillance, from cryptography problems to government hacking capabilities. LIBE was tasked to conduct research into mass surveillance following the ex-NSA contractor’s first leaks in 2013.

To promote the adoption of encryption, the study's suggestions range from media campaigns to financing independent product security tests and promoting user-friendly end-to-end encryption tools. In the absence of a good product on the market, it recommends regulation that forces ISPs to provide end-to-end protection as a standard for data in transit.

The report also suggests promoting open-source software as a way to build resilience to surveillance, which could be achieved by funding audits of important open-source software. Among the products it highlights is the disk encryption software TrueCrypt, which was recently subjected to a crowd-funded audit that found no evidence of NSA backdoors in the product.

“TrueCrypt is a typical example of a problem of the commons: worldwide use of the software package was probably dependent on two or three developers,” the study notes, to highlight why funding open source projects may be valuable.


A more hands-off approach could be to initiate a European “Open Source Bug Bounty Program” or to finance existing ones. If the EU did this, one bounty program it could contribute to is the Microsoft- and Facebook-backed Internet Bug Bounty on HackerOne, which pays for bugs found in several open source software projects deemed critical to the internet.

Alongside policy options to mitigate the effects of surveillance, the study outlines a host of encryption products that policy makers in Europe could encourage people to adopt, quoting Edward Snowden’s comment that “Properly implemented strong crypto systems are one of the few things that you can rely on.”

The products listed include encryption for PC and smartphone hard drives and for data stored in the cloud, as well as encryption products for email, data in transit, voice, web browsing, web search and chat. Among them are Tor, Microsoft’s BitLocker, the encrypted cloud storage service SpiderOak, Cloudfogger and Boxcryptor.

Finally, the study also recommends that users install a “security and privacy aware” OS, highlighting Qubes, OpenBSD and Tails as options.

This article is brought to you by Enex TestLab, content directors for CSO Australia.


Stories by Liam Tung
