European Parliament and hacking – a long history


The European Parliament is in a continuous struggle to protect MEPs' data (CC Dan Barpus via Flickr)

The hacking of at least 40.000 European Parliament (EP) emails does not appear to be a singular event, but the latest in a series of worrying IT security breaches.

On Thursday, the French website Mediapart reported that an anonymous hacker had accessed confidential emails of MEPs and other staff of the European Parliament (EP).

The attacker described the hacking as “child’s play”, saying he only used “ridiculous” computer equipment.

The Austrian MEP Martin Ehrenhauser received a list with metadata of 40.000 emails from different institutions, including the European Parliament and the German Bundestag. According to Ehrenhauser, a connection between the list and the cyber attack is very likely.

The hacking sparked a discussion about how vulnerable the European Parliament is to cyber attacks.

MEPs criticised the EP for using out-of-date software and for not allowing its staff to encrypt their communication.

Security concerns not taken seriously

It is not the first time the EU’s IT services have faced claims of not doing enough to protect confidential data and communication.

In April 2011, the Austrian MEP Hans-Peter Martin reported to Klaus Welle, the EP General Secretary, that his private emails had been accessed from another office within the European Parliament.

The European Parliament has not reacted to his report to this day, Martin says.

In another case, Heiko Frenzel, author of Sicherheit-Online (security online), wrote in October 2011 that he had contacted the European Commission (EC) to inform them about 40 security loopholes on EU servers.

“The first ten hints, which were sent over a period of time, were simply ignored, some of them deleted unread,” Frenzel said.

According to Frenzel, it took the European institution almost one year, until September 2012, to deal with the breaches.

European Parliament should improve its IT services

EU leaders are pushing forward new legislation to protect citizens’ data amid continuous revelations about the NSA’s spying activities in Europe.

If the EP wants to be taken seriously as a negotiating party on cyber security issues, it should, first of all, aim at improving its own IT services and making it impossible for hackers to access confidential data with elementary computer equipment.

EU leaders push for new data protection legislation amid NSA surveillance revelations

The NSA allegedly hacked Angela Merkel's phone (CC Arne List via Flickr)

European Union officials demanded a speedy decision on new data protection legislation at the European Council last week.

Data protection was originally not among the summit’s topics, but new revelations about the National Security Agency (NSA) put it on the agenda. According to a report by The Guardian, the phones of 35 world leaders, including German chancellor Angela Merkel, were monitored by the US intelligence service.

The new data protection legislation EU leaders are talking about does not address phone hacking, but another of the NSA’s disputed activities: the US intelligence service’s massive spying on EU citizens’ online communication.

The bill passed the LIBE committee (civil liberties, justice and home affairs) of the European Parliament on 21 October 2013. In order for it to become law, the EU Council of Ministers and the EU Commission have to approve the regulation.

The proposed legislation would restrict Internet companies’ rights to use EU citizens’ private data without their consent. The firms would therefore have to ask for the users’ explicit consent.

The legislation would also raise the fines for Internet companies if they break any of the laws. The companies could be forced to pay up to five per cent of their annual worldwide turnover.

However, the regulation passed by the European Parliament last week contains several changes made to the original version. Most importantly, it replaced the so-called “right to be forgotten” with the “right to erasure”.

This right could significantly strengthen EU citizens’ data protection. The original draft would force Internet companies to guarantee that disputed data could not be found anywhere on the Internet.

The new bill restricts citizens to the right to enquire about their saved data and ask for erasure from companies’ servers (see German magazine Spiegel).

Internet giants opposed the “right to be forgotten”. Peter Fleischer, head of Google’s Global Privacy Counsel, wrote in a blog post: “A hosting platform can and should delete copies of material that they store on behalf of a user upon his or her request, but it cannot be expected to maintain control over other copies of the material published elsewhere online, as these are outside of the control of the hosting platform.”

The current EU regulation on data protection was passed 18 years ago and does not reflect changes in the digital landscape. This has led to differences in the data protection legislation of each EU member state.

International Internet companies, such as Google or Facebook, use the different laws to their advantage by placing their European headquarters in Ireland, the country with the weakest data legislation. The new regulation is aimed at creating EU-wide standards.

EU citizens’ use of the Internet illustrates the scope the new legislation would have. According to the European Union, around 380.000 of the 500.000 European citizens use the Internet. Almost three quarters of European households have an Internet connection. Roughly half of European Internet users are members of social networks.

Why the European Union should suspend SWIFT data exchange with the US

NSA headquarters (CC Greg Goebel via Flickr)

The NSA uses the SWIFT data exchange to monitor international payments, the German magazine Spiegel reported about one month ago. According to information from whistleblower Edward Snowden, an NSA division called “Follow The Money” collects information from EU citizens using SWIFT and transfers it to the NSA’s own database.

SWIFT stands for Society for Worldwide Interbank Financial Telecommunication. The Belgian company provides banks with a standardised method for international transactions.

The EU and US agreed in 2010 that the NSA could use SWIFT’s transaction database under strict conditions in order to track terrorists. The documents provided by Snowden, however, suggest that the intelligence service made use of this on a far larger scale than agreed.

Today, the European Parliament (EP) passed a resolution that calls for a suspension of the EU’s SWIFT data exchange with the US. The EP vote was rather close, with 280 to 254 votes and 30 abstentions.

The resolution passed is non-binding, but “the Commission will have to act if Parliament withdraws its support for a particular agreement”, says the EP in the text.

However, the European Commission does not see any reason to act so far. It argues that the allegations have not been proven.

Why the European Commission should act

Following the NSA scandal, the European Commission’s position in this debate seems rather naive: NSA revelations have shown that the US intelligence service has used several ways to obtain private data from EU citizens. The SWIFT data exchange seems to be part of this strategy – a fact the NSA does not even vehemently deny.

Suspending the SWIFT data exchange as part of the Terrorist Finance Tracking Program would not necessarily weaken efforts to combat international terrorism, as some conservative politicians say. Instead, it would send a clear signal that the fight against terrorism cannot be used as an excuse to spy on EU citizens.