Can funding open source bug bounties save Europe from mass-surveillance?

To protect citizens against mass-surveillance, a European Parliament study has recommended the EU finance open source audits and bug bounties, and consider restricting the export of personal data to give a space for local cloud services to emerge.

The recommendations come in a two-part study from the European Parliament for its committee on Civil Liberties, Justice and Home Affairs (LIBE), which is due to discuss the report in Brussels on Thursday.

Led by a dozen European security experts, it says the “EU should promote and foster the development and usage of open protocols, open implementations and open systems in general” that allows for public scrutiny.

Other suggestions include regulations that require ISPs to provide adequate encryption over their entire networks, raising public awareness about citizens’ digital exhaust and the benefits of encryption; investing in information transparency; helping to make security and privacy a utility; and promoting regulations that force cloud providers to adopt maximum privacy and security settings by default.

The study, which is only meant to inform LIBE of possible policy options, doesn’t shy away from controversial actions the EU could adopt for dealing with security and privacy in a “post-Snowden” world, touching on issues in the EU’s charge that Google harmed smaller, local rivals. On this front, the report proposes going beyond Europe’s tough proposed data protection directive to impose “stronger limits on exporting personal data”. Besides privacy benefits, it could also stimulate Europe’s cloud, social media and search engines, it notes.

It also canvasses the technical realities of mass-surveillance, from cryptography problems to government hacking capabilities. LIBE was tasked to conduct research into mass surveillance following the ex-NSA contractor’s first leaks in 2013.

So, to promote the adoption of encryption, the study's suggestions range from media campaigns, to financing independent product security tests, and promoting user-friendly end-to-end encryption tools. In the absence of a good product on the market, it recommends regulation that forces ISPs to provide end-to-end protection as a standard for data in-transit.

The report also suggests promoting open-source software as a way to build resilience to surveillance, which could be achieved by funding audits of important open-source software. Among several products it highlights is disk encryption software, TrueCrypt, which was recently subjected to a crowd-funded audit that was able to rule out the existence of NSA backdoors in the product.

“TrueCrypt is a typical example of a problem of the commons: worldwide use of software package was probably dependent on two or three developers,” the study notes to highlight why funding open source projects may be valuable.

A more hands-off approach could include initiating a European “Open Source Bug Bounty Program” or financing exiting ones. If the EU did this, one bounty program it could contribute to the Microsoft- and Facebook-backed Internet Bug Bounty on HackOne, which pays for bugs found in several key open source software projects deemed critical for the internet.

Alongside policy options to mitigate the effects of surveillance, the study outlines a host of encryption products that policy makers in Europe could encourage people to adopt, quoting Edward Snowden’s comment that “Properly implemented strong crypto systems are one of the few things that you can rely on.”

The products listed include encryption for PC and smartphone hard drives and data stored in the cloud, as well as encryption products for email, data in transfer, voice, web browsing, web search and chat. Among them include Tor, Microsoft’s BitLocker, encrypted cloud storage service Spider Oak, Cloudfogger, BoxCryptpor.

Finally, the study also recommends that users install a “security and privacy aware” OS, highlighting Qubes, openBSD, and TAILS as options.

This article is brought to you by Enex TestLab, content directors for CSO Australia.