Bug bounties, disclosure rules, product certification, and support for open source software are all in a grab-bag of proposals put to the European Parliament to help fight mass surveillance.
The calls are set out in the second of two studies prepared for the European Parliament, as part of a “strategy for more security and technological independence” within the EU.
Since end-to-end encryption is on most individuals' “too hard” list, the report argues that in a post-Snowden world, people need ways to adopt end-to-end encryption with a focus on open source software, and software development needs to be secure “by design”.
The security report notes that providers are already moving towards mass encryption, which helps overcome the adoption barriers that confront the individual, but adds that to help citizens, “it is advisable to raise awareness, improve knowledge, carry out testing and provide other help with finding the right tools”.
Only in the event of a market failure should regulation be considered, the report states.
Disclosure and security baselines are seen as important for building trust between member states, the report says, while hardware and software certification would help innovation.
The report scorns the idea of somehow firewalling Europe's chunk of the internet, but does suggest that “Regulations on certified hardware and software for major Internet access points in the EU would raise the overall security of the European part of the Internet”.
It notes that strengthening Europe's data protection rules – particularly with respect to what can be sent offshore – would encourage more cloud operations to set up servers within the EU.
“This would give European ICT players the time and legal space necessary to create demand for specific EU solutions”, the report says.
Other suggestions in the report are support for open source security code review processes, more European contributions to help fix broken Internet protocols (something the IETF has started work on), and an “independent institute for certification of encryption standards and key open source software platforms”.
Possibilities put forward include EU bug bounties, and identifying critical open source projects that could be subject to certification.
The report doesn't come down completely on the side of the user, instead paying the usual obeisance to law enforcement. “Since the users of these products might be either criminals or well-meaning citizens, a political discussion is needed to balance the interests involved”, the report notes.