What Brazil can teach Scotland about GCHQ

Originally published at the Centre for Technology and Society.

There were two major developments in the unfolding dragnet surveillance scandal today. The first, widely reported and closely followed in Britain, was the first ever public questioning of security officials by Parliament’s Intelligence and Security Committee. As it turned out, only a small segment of the hearing was given over to surveillance, and with the exception of chair Malcolm Rifkind, the committee members were not inclined to ask probing questions.

Less reported, but of far greater significance, was the announcement by the Brazilian government that from now on it will require all government-purchased software to be auditable and hosted in-country. The present situation is that most software is produced in America, most of that software cannot be independently audited, and any of it could contain secret back doors giving the NSA unfettered access to privileged government and commercial information.

The Brazilian government has realised that this situation is untenable. According to British trade publication The Register, from now on:

  • Government data must be carried by a government organisation or an organisation in which the government is a shareholder, other than for mobile communications
  • The government will create and operate its own email services
  • Facilities enabling audit of confidentiality, authenticity and integrity of the email system must be built in from the start
  • Data must be stored in government facilities in Brazil
  • Normal procurement practices are suspended in order to get this done without having to seek competitive bids.

This has major implications for how an independent Scotland should conduct its IT policy. If the native industries of small countries are to compete on a level playing field with those of large countries, governments must take action to protect their citizens from surveillance. Estonia’s status as the exemplar nation for coping with cyber-attacks shows that small size is no obstacle to effective policy-making.

The Scottish government, and indeed all other non-American governments, would be well-advised to amend public procurement policies to favour publicly auditable open source software. As few states have the resources and expertise necessary to conduct full private audits of enormous and complicated American software such as Microsoft Windows, public auditability is the only cost-effective and realistic solution.

This change to government procurement should be coupled to a degree of public provision – Brazil intends to offer secure email through its postal service – and to a shift in thinking at Scottish Enterprise to favour open source solutions and business models. Together, these measures would create a market for software that can be publicly verified as secure.
