EC's Reding: Europe needs a 'Mr. Cyber Security'

After an apparent victory in her efforts to prevent the UK from establishing a central database for private citizen communications, European Commissioner for Information Society and Media Viviane Reding said she wants her government to create a post for a point-man for the continent's cybersecurity.

"Although the EU has created an agency for network and information security, called ENISA, this instrument remains mainly limited to being a platform to exchange information and is not, in the short term, going to become the European headquarters of defense against cyber attacks. I am not happy with that," stated Comm. Reding (PDF available here). "I believe Europe must do more for the security of its communication networks. Europe needs a 'Mister Cyber Security' as we have a 'Mister Foreign Affairs,' a security tsar with authority to act immediately if a cyber attack is underway, a Cyber Cop in charge of the coordination of our forces and of developing tactical plans to improve our level of resilience. I will keep fighting for this function to be established as soon as possible."

The news comes as Reding meets with other government leaders in Estonia this week, to debate not only a pan-European policy for Internet security, but also the broader topic -- one that's near and dear to her heart -- of the establishment of some form of Internet governance, a topic she'll have more to speak about next week.

In the meantime, the UK Home Office decided this morning to back down from its plans to establish a central database for logging communications between private citizens -- a database which would have been contributed to by the country's Internet service providers. This after the EC issued a formal warning to the British government last week that it could go so far as to take it to court in Brussels, to protect against the possibility of any individual misusing such a database for unauthorized purposes.

In a communiqué issued this morning by the British Home Office (PDF available here), Home Secretary Jacqui Smith essentially echoed some of the language of Comm. Reding's earlier statement: "For the police, the security and intelligence agencies, and other public authorities like the emergency services, being able to use the details about a communication -- not its content, but when, how and to whom it was made -- can make all the difference in their work to protect the public," states Sec. Smith. "It is no exaggeration to say that information gathered in this way can mean the difference between life and death. However, rapid technological changes in the communications industry could have a profound effect on the use of communications data for these and other purposes. The capability and protection we have come to expect could be undermined."

UK Security and Counter-terrorism Minister Vernon Coaker (L - Gedling) had suggested that the creation of a database was necessary in order to comply with an EU directive mandating that personally identifiable information be kept on hand for 12 months. Some saw that as a way of sneaking in new government oversight, while passing the blame onto a higher authority. Although this morning's communiqué cited the European Convention on Human Rights, Article 8(1) ("Everyone has the right to respect for his private and family life, his home and his correspondence"), it then went on to say that the government ensures that the content of private communication may only be accessed by authorities under certain emergency circumstances.

Amid those circumstances, it listed maintaining the economic well-being of the UK in such instances where national security may be jeopardized, and assessing whether taxes are owed by an individual. Still, it maintains that safeguards are in place to determine whether such cases mandate privacy invasion; and when they do, only a certain specially trained team of elite investigators are allowed to dive into private communications -- a team that sounds like something out of a Jerry Bruckheimer series, and that uses an acronym that must have been unavoidably tempting.

"The single point of contact system (SPoC), extended beyond police to all relevant public authorities following the enactment of RIPA, created trained and accredited experts in each public authority who understand how to interpret the information that is held by communications service providers," reads the communiqué. "This group, trained partially by industry to know what data is available to support investigations, helps to ensure effective working relationships between investigators and companies."

Already, the UK government has a kind of "tsar" in place to serve as the single point of contact, if you will, in cases where the government's authority may be under dispute, says the communiqué. This is the Interception of Communications Commissioner, who by law must have served as a judge. However, if a citizen feels her or his private data has been abused by authorities, he may seek redress before the Investigatory Powers Tribunal.

The Tribunal's own Web site describes itself this way: "The Tribunal can investigate complaints about any alleged conduct by or on behalf of the Intelligence Services -- Security Service (sometimes called MI5), the Secret Intelligence Service (sometimes called MI6) and GCHQ (Government Communications Headquarters). Because the Tribunal is the only appropriate place you can complain about the Intelligence Services, the scope of conduct it can investigate concerning them, is much broader than it is with regard to the other organizations under its jurisdiction."