Comments on UK government’s consultation on document standards

The UK is currently inviting comments on the standards it should use for “sharing or collaborating with government documents”. Among other things, the government proposes to make ODF the sole standard for office-type documents.

FSFE has submitted its comments on this proposal, which we believe is very positive. Just now, in the final hours of the process, Microsoft has submitted a lengthy comment, urging the government to include OOXML in its list of standards.

We have filed a short response to Microsoft’s submission. While it should appear on the consultation page shortly, I’m publishing it here right now.

If you, too, believe that the UK government should in future rely on Open Standards alone, please hurry up and file comments of your own.

The lengthy discussion Microsoft offers here essentially boils down to a single demand: That the UK government should in future rely on OOXML simply because it’s what Microsoft’s products support.

This claim is diametrically opposed to the significant efforts that the UK government has recently made to break free from vendor lock-in and stop the IT procurement gravy train, and to the progress that it has made in this direction. Microsoft’s claim also ignores the great extent of preparation which has gone into this proposal, and the thorough analysis of user needs which the government has conducted, and on which the present proposal is based.

Competition takes place on top of standards, not between them. OOXML fails the UK government’s Open Standards definition, in that it is clearly dependent on a single supplier: Microsoft itself.

Whenever a government breaks out of the status quo, and takes bold action to improve matters for the long term, it is easy to manufacture fear, uncertainty, and doubt. We would hope that Microsoft will instead embrace competition, and ensure that all its office products work well with ODF. The company could then rely on the strengths of its product portfolio, rather than on the lock-in strategies that have made it the target of competition regulators around the world.

We are confident that when assessing Microsoft’s response, the UK government will keep the question of “cui bono?” firmly in mind.

UK government sets “red lines” on wasteful IT contracts

While working on FSFE’s response to the UK government’s consultation on using Open Standards by default for government documents, I noticed something that I had apparently overlooked during the busy days ahead of FOSDEM. On Jan 24, the UK government published a few principles for future government IT contracts.
They’re quite clear, quite brief, and quite powerful:

  • no IT contract will be allowed over £100 million in value – unless there is an exceptional reason to do so, smaller contracts mean competition from the widest possible range of suppliers
  • companies with a contract for service provision will not be allowed to provide system integration in the same part of government
  • there will be no automatic contract extensions; the government won’t extend existing contracts unless there is a compelling case
  • new hosting contracts will not last for more than 2 years

Regarding the first one: 100 million GBP may seem quite a lot. OTOH, the UK government apparently has several IT contracts worth over a billion pounds each, so this is a significant improvement.

If other governments – and especially the European Commission – followed this approach, that would mean a lot of progress.

Free speech, crypto, and Free Software

On Document Freedom Day (March 26), FSFE and the Greens/EFA group in the European Parliament are organising an event in the European Parliament to discuss how cryptography can help us break the grip of the surveillance state.

The draft program looks amazing. We’ll have Werner Koch (of GnuPG fame, and one of FSFE’s founders), Karen O’Donoghue (Internet Society), French journalist Amaelle Guitton, and Swedish IT security expert Joachim Strömbergson.

Free speech is a human right, and a cornerstone of any democratic society. To enable communication, it is important that documents can be opened and read by the people who are meant to receive them. In today’s world, it is equally important that we have the ability to ensure that documents are read /only/ by the people meant to receive them, to prevent a scenario where both censorship and self-censorship degrade the ability of citizens to speak freely to each other, develop new ideas, and drive the progress of our society.

If encryption tools are to be considered trustworthy, their workings must be fully transparent. The encryption programs themselves need to be Free Software, so that anyone can independently assess how they work, and verify that they do not contain any defects or back doors.

The encryption methods are perhaps even more crucial. Encryption can only work with Open Standards. Cryptography as a field is developing rapidly, and the topic has long been far too complex for any single person to comprehend it fully. The best way of dealing with this complexity is to standardise cryptographic methods.

Such standards need to be created in a process that is open to public participation and assessment; collaborative; and fully transparent. In other fields of technology, closed, proprietary methods are merely an inefficient approach. In cryptography, such methods mean that the tools relying on them cannot be audited, and are therefore considered untrustworthy. In addition, the lack of independent review of the methods used frequently leads to poor-quality programs and systems.

Open Standards in the field of encryption, on the other hand, mean that cryptographic tools can rely on widely accepted methods which have been extensively reviewed, criticised, and validated by experts in the field. If those encryption tools are distributed as Free Software, the tools themselves can be efficiently audited. This is not only essential to ensuring that the tools do not contain any critical mistakes or back doors. It also opens those tools up to an ongoing process of improvement.

Registration for the March 26 event will open soon.

 

#IloveFS: The humble downloader that could

There are lots of reasons to love Free Software. The stack of little games that comes pre-packaged with most GNU/Linux distributions. The way it makes you feel empowered rather than constrained. How it has taught an entire generation to see sharing knowledge as the normal thing to do, not as the exception.

And all those handy little tools it provides, right there at your fingertips. Like wget. This little program, part of the GNU project that aims to create a free operating system, downloads stuff. Nothing more, nothing less. Fire up a command line, type “wget” plus the URL of the file you want to download, and off you go. In its simplicity, you can compare wget (and its cousin curl) to a screwdriver. Regardless of what it is that you’re working on, you’ll want one around.

Information is power. wget’s specialty is to move information from one place to another with great efficiency and speed. Add the “-r” option to your command line, and wget will happily copy to your computer whatever files it can find on the target server.

Reports say [Warning: the article isn't very good] that it was this humdrum sysadmin tool that Edward Snowden used to collect a stash of internal NSA files documenting the agency’s aggressive, and frequently illegal, surveillance programs. And it was this tool that Chelsea Manning used to collect the documents she handed over to WikiLeaks, documenting illegal killings, torture, and much bumbling by the US government in Iraq and elsewhere.

Only last week, a French journalist was fined for downloading a batch of files that a French government agency had made available on its servers, without realising that they were accessible to the general public. Perhaps information really wants to be free, and wget opens the doors of its cages.

As we fight for our freedom, and against surveillance, censorship and oppression, simple tools like wget may be some of our best weapons.

Three things to do on The Day We Fight Back

Today is “the day we fight back” against mass surveillance, and here at FSFE we’re proud to be part of the struggle.

Mass surveillance is a huge problem. Governments are spying on you, endangering the very fabric of democracy. Corporations are asking you to deal away your privacy for a little convenience, with much the same effect.

Mass surveillance is also a hard problem to solve. Essentially, we are up against a very human fear of dangers hidden somewhere in the dark. We’re being told that surveillance will protect us.

Our task is to make everyone understand that surveillance not only fails at protecting us. It also makes everyone worse off in the long run. Difficult, but we have to start somewhere.

So here are three humble suggestions for small steps you can take to secure a democratic future for our societies:

  1. Make your web browsing more secure by installing the HTTPS Everywhere extension in your browser. This will make it much harder for potential snoopers to intercept your connection with the web sites you look at, and will help to protect any data you send there.
  2. Generate a GPG key, and start using it to encrypt your data – especially your email. (There’s help on the web.)
  3. Write to one or more of your political representatives. Explain that you are deeply concerned about mass surveillance, and ask them to help end the practice. Be polite, brief and clear.

See, that wasn’t so hard. You have not only made yourself a little more secure, you have also helped others to improve their privacy, and have contributed to driving political change. Thank you!

Here’s a fourth thing you can do: Support FSFE by joining the Fellowship. FSFE is dedicated to working for freedom in the digital society. We need your help to carry this struggle forward in the years to come.

European Parliament calls for distributed systems

At the Free Software Foundation Europe, we have long advocated building networked systems that have no central point of control.

In a world where Facebook owns your social network, where Google follows almost everything you do on the web, and governments merrily intercept your private information without regard for legal niceties, this idea provides us with an alternative to the Orwellian dystopia we’re increasingly moving towards.

Many systems we use every day today – think email or the web – owe their success to the lack of a central point of control. They have come to be a foundation of our daily lives precisely because they have no “off” switch that anyone with an agenda can flick at will. Yet most of today’s large network services treat their users as products to be sold, not as customers to be served.

In this context, any sign of progress is encouraging, however small. On December 10, 2013, the European Parliament passed a resolution that, among other things, highlights the need for decentralised services with strong privacy protections:

The European Parliament [...] 49.  Calls on the Commission to promote the development, jointly with stakeholders, of decentralised services based on free and open-source software that would help harmonise practices across cloud providers and enable EU citizens to regain control over their personal data and communication, for example by means of point-to-point encryption; [...]

Sure, this isn’t world-changing in and of itself. (And here at FSFE we would word such a text a bit differently.) But it’s something that campaigners like you and me can point out to the people we talk to when we try and persuade them to join our vision of a distributed future.

Transparency in EU policy making: a modest proposal

Today I participated in a lunch discussion run by EurActiv that was supposed “to explore the opportunities for more transparent and efficient EU decision-making”.

Under discussion was an EU-funded project that would somehow rank people trying to influence policy making in Brussels, and make it easier to see who’s working on what. This would supposedly make the whole policy making process in the EU more open and efficient.

Fair enough. But while we were looking at the slides and nibbling sandwiches, it occurred to me that there’s a much, much simpler way to achieve the same goal. It’s called transparency.

UK to pick ODF as default document format

On Tuesday, the UK government published a proposal to make the Open Document Format the standard format for all government files. As The Register notes,

The Cabinet Office’s Standards Hub explained its thinking on the matter and published the recommendation this week, using the following language:

“When dealing with citizens, information should be digital by default and therefore should be published online. Browser-based editing is the preferred option for collaborating on published government information.  HTML (4.01 or higher e.g. HTML5) is therefore the default format for browser-based editable text. Other document formats specified in this proposal – ODF 1.1 (or higher e.g. ODF 1.2), plain text (TXT) or comma separated values (CSV) – should be provided in addition. ODF includes filename extensions such as .odt for text, .ods for spreadsheets and .odp for presentations.”

The proposal is open for public comment until February 26. FSFE will submit a statement, and so should you.

What I like best about this announcement is that it’s not just a bureaucratic decision made by someone, somewhere, without regard to practical realities. This is actually based on a lot of research that the UK’s Government Digital Services (GDS) has done with the very people who will be affected by this decision.

A blog post by the leader of that research exercise gives some impression of the lengths that GDS has gone to in order to make sure their recommendations are relevant and practical:

As part of our parallel discovery project we have:

- analysed feedback on using government documents that we received through GOV.UK customer support and transformation projects

- interviewed people in government to understand what they use electronic documents for, how they work, and who they share with

- carried out a survey of 650 citizens and businesses, to ask them about their experience when using documents produced by the government

The UK government has a record of going two steps forward, one step back on Free Software and Open Standards. This here is definitely a step or two forward. It’s also the right way to go about such complex decisions. The European Commission and other public administrations around Europe should take note.

European Commission still in denial on vendor lock-in

If you suspect that the European Commission isn’t entirely serious about using and supporting the Open Document Format, you might be on to something. Responding to questions from the European Parliament about whether the EC’s Microsoft addiction might have led it into being locked into the Redmond giant’s products, the Commission basically says “move on, nothing to see here.”

Read on for the gory details.

European Parliament: MEPs, staffers have their emails cracked, should demand change

The French website Mediapart reports that at the European Parliament in Strasbourg, a technically skilled person managed to intercept the emails of 14 Members of the European Parliament and their staffers using trivial tools. (Original article behind paywall, English version, report by Der Spiegel in German.)

[Update: I've changed "hacked" to "cracked" in the title. As you'll be aware, "hack" refers to a clever solution to a problem, while "crack" refers to a malicious attack.]

Based on the information in the article, it appears that the attacker set up a basic man-in-the-middle attack, using a laptop to act as a network connection point for the email client software on the victims’ mobile phones. In this scenario, the victims’ phones probably displayed a certificate warning, which they ignored.

This incident highlights just how shoddy the Parliament’s IT infrastructure is. It’s up to the Parliament’s IT administration to fix this, and it’s up to the MEPs to demand change. Der Spiegel says that MEPs who wanted to use encryption were actually kept from doing so by the Parliament’s IT services. If true, that would be rather discouraging, to put it mildly.

Educating people not to ignore certificate warnings might help. But it’s hardly a solution. To actually improve the situation, MEPs should demand that the Parliament’s IT services give them reliable, secure end-to-end encryption on their devices.

It goes without saying that in order to be secure, such encryption technology needs to be fully auditable, and thus needs to be Free Software. The Parliament’s IT services should take a look at GnuPG and the clients that use it, for a start.