European Parliament urges open source protection against Echelon

A major investigation into the communications spy network says European businesses and individuals should encrypt all emails - and open source software could hold the key.
Written by Matt Loney, Contributor

The European Parliament is suggesting that individuals and businesses routinely encrypt all emails to help protect them from eavesdropping by Echelon, the communications spy network. In its draft report into Echelon, the European Parliament calls on member states "above all to support projects aimed at developing user-friendly open-source encryption software."

In the draft report, which follows a lengthy investigation into the existence of the network, the European Parliament's rapporteur Gerhard Schmid concludes that, despite a lack of cooperation from intelligence services, there is sufficient evidence to suggest that Echelon does in fact exist and is used for industrial espionage as well as for other purposes.

Echelon is a US-led venture that has support from the UK, Canada, Australia and New Zealand. In a veiled reference to the UK, the European Parliament suggests that any EU member states involved in the activities allegedly carried out by Echelon could be in breach of European law. If the spy network was abused in such a way that it was used to spy on competitors, says Schmid, it would violate the member state's duty of loyalty and the concept of a common market with free competition.

Furthermore, an intelligence system which intercepted all communications without any guarantee of proportionality would not be compatible with the European Convention on Human Rights (ECHR), Schmid says in his report, which calls for all member states to review their legislation in this area. England is singled out as a country that must make permission for further intelligence operations by the US conditional on US compliance with the ECHR.

According to the report, Echelon has been capable of intercepting telecommunications messages to and from a particular person via satellite since 1978. The list of targets is lengthy, with former NSA employee Wayne Madsen believing that Echelon may have been used to spy on NGOs such as Amnesty International and Greenpeace, and even Princess Diana, on whom the NSA held more than 1,000 pages of information because her campaign against land mines ran counter to US policy.

The report cites a string of stories from other former secret service employees. There is Mike Frost, a former Canadian secret service officer, who worked at a listening post in Ottawa, and who said that all over the world, every day, telephone conversations, emails and faxes are monitored by Echelon.

In an interview for an Australian TV channel, Frost said by way of example that the Canadian secret service added a woman to its list of possible terrorists because she had used an ambiguous phrase in a harmless telephone conversation with a friend. When searching through intercepted communications, the computer had found the keyword and alerted an operator.

Another Canadian former secret service employee said he was expelled from the service because he had criticised the new emphasis on economic intelligence and civil targets.

However, the report notes, the system does have its limitations. While noting that the surveillance system depends upon worldwide interception of satellite communications, the report makes it clear that only a small proportion of communications actually use satellites; most use cables. Echelon states, notes the report, have access "to only a very limited proportion of cable and radio communications."

Worryingly, the report also says there could be more Echelon-like systems operated by non-English-speaking countries. France is identified as the only EU member state that could set up a similar global interception system on its own, due to its overseas territories, while the study found evidence that Russia could also operate such a system. While the report concedes that there is insufficient evidence to prove that either France or Russia actually has its own global communications interception network, it says Russian ground stations in Latvia, Vietnam and Cuba point to the possibility of one such system.

The report identifies three cases where sensitive corporate information may be exposed to interception by Echelon. Companies that operate across time zones and have to send data from Europe to America and then on to Asia may be at risk, as may those companies that use videoconferencing. Finally, contracts that have to be negotiated locally and require a company's representatives to consult their head office may also be at risk. Industrial espionage, according to various sources, costs billions of pounds every year.

As a self-protection method, the report suggests similar solutions for business and for private individuals; both entail the use of encryption. Businesses must, it says, secure their whole working environment and protect all communications channels that are used to send sensitive information. Private individuals should encrypt all emails.

To combat industrial espionage, the report calls on the European Commission and member states to take a series of specific actions:

  • To devise appropriate measures to promote, develop and manufacture European encryption technology and software and above all to support projects aimed at developing user-friendly open-source encryption software
  • To develop programmes to foster awareness of security problems and at the same time provide practical assistance in designing and implementing comprehensive protection strategies
  • To consider to what extent industrial espionage can be corroborated by means of international law, particularly whether WTO rules could be adopted which would render contracts null and void if obtained by means of industrial espionage
  • To undertake by means of a clear joint declaration not to engage in industrial espionage against one another, thereby signifying their compliance with the letter and spirit of the EC Treaty

Furthermore, says the report, European institutions and public bodies should systematically encrypt emails so that ultimately encryption becomes the norm.

And businesses need to cooperate more closely with counter-espionage services, and particularly to inform them of attacks from outside for purposes of industrial espionage, in order to improve the services' efficiency.

The report cites RAF Menwith Hill as the most likely site for the UK Echelon base. Menwith Hill is owned by the UK Ministry of Defence, but is made available to the US Department of Defense as a communications facility. The station chief is provided by the National Security Agency (NSA). Last summer there were 415 US military staff at RAF Menwith Hill, compared with just five UK military staff.
