“CLEAN IT”: the secret EU surveillance plan that wasn’t

By EDRi · October 10, 2012

This article is also available in:
Deutsch: [“CLEAN IT”: Der geheime Überwachungsplan, der keiner war | https://www.unwatched.org/EDRigram_10.19_CLEAN_IT_Der_geheime_Ueberwachungsplan_der_keiner_war?pk_campaign=edri&pk_kwd=20121010]

There was a lot of interest among EU policy wonks and digital rights
people last week about an initiative called CLEAN IT, following the leak
of its “confidential” draft recommendations. “Police to ‘patrol’
Facebook and Twitter for terrorists under EU plan” announced the UK’s
Daily Telegraph. Cory Doctorow blogged about how an “EU working group”
had produced the “stupidest set of proposed Internet rules in the
history of the human race”. The blogosphere was soon awash with reports
of the new ACTA. There was only one problem: CLEAN IT is not an EU
working group, and its proposals are not an EU plan.

So what was all the fuss about? CLEAN IT is a transnational project
funded under the €600 million euro “Prevention of and Fight against
Crime” (ISEC) programme established in 2007. Whereas the ISEC programme
can be used to support projects “initiated and managed by the Commission
with a European dimension”, CLEAN IT is a national project led by the
office of the Dutch Counter-terrorism coordinator with their
counterparts from Belgium, Germany, Spain and the UK brought in as
partners. The project received €325,000 to fund four workshops, two
conferences and the now hapless looking project team in The Hague. The
stated objective of the project is to develop a “non-legislative
´framework´ that consists of general principles and best practices”.

What we’re really talking about then is a few meetings around Europe
where representatives of law enforcement agencies, industry and
government come together to discuss “terrorist use of the internet”. To
most of the participants, it was probably a bit of a ‘jolly’; to the
project leaders it was probably the cutting edge of cyber-terror policy.
For what it’s worth, “terrorist use of the internet” is being discussed
all over the place, including at the United Nations and Council of
Europe, though these initiatives have apparently attracted much less
critical attention.

Had they not produced such an incredibly stupid set of proposals, few
people would have paid the CLEAN IT project much attention either, if
any. It’s a sad truth that the European Commission is now throwing so
much of money at “security” projects that if it converted all of their
‘recommendations’, ‘principles’ and ‘best practices’ into biofuel,
Brussels would probably be carbon-neutral. But producing hot air is not
the same as developing EU policy or even national policy – far from it.

Of course, it’s easy to see where the confusion comes from: that huge EU
flag in the corner of the CLEAN IT website, and the fact that much EU
policy does indeed get honed on international law enforcement ‘jollies’.
Moreover, as the European Digital Rights Organisation rightly explains,
the Commission is only too fond of sponsoring these kinds of devious
deliberations whilst promoting ‘voluntary’ private sector enforcement
across its ‘cybercrime’ portfolio.

But who cares if it wasn’t technically an EU plan? Surely by
naming-and-shaming the initiative so ruthlessly – the EU Home Affairs
Commissioner was forced to publicly disown CLEAN IT in a tweet – a
little exaggeration has done the world a favour and killed the
initiative? The short answer is: “yes, good riddance”. The longer answer
is “yes, but…”, but it’s quite an important “but”.

An example speaks volumes. A few years ago news surfaced of an EU-funded
initiative called INDECT. It was reported in much the same way as CLEAN
IT. INDECT had received €12 million from the €1.4 billion EU security
research programme and claimed it would help develop the surveillance
equivalents of GM foods, stem cell research and ‘fracking’.
INDECT promised to develop face recognition, internet surveillance,
smart CCTV and drones as part of suite of “threat detection tools”.

People began to question’s the project’s credibility when it produced
this terrible PR video, but by this time the cat was out of the bag and
activists were telling the world that INDECT was building drones for
FRONTEX (the EU border police), databases for EUROPOL (the EU police
office) and targeting protest groups – none of which was actually true
(ironically, an array of other little noticed EU-funded projects have
effectively been doing just that). The widespread exaggeration and
misrepresentation culminated in this hopelessly inaccurate video from
Anonymous, which claimed that INDECT was about to be piloted at the
London 2012 Olympics.

This is not good. We need activists armed with facts to target the real
bad guys, for they are legion. And we need NGOs and journalists to focus
on scandalising more tangible threats to internet freedom. The danger is
that, just as happened with INDECT, CLEAN IT may become a focus for
misguided activism while much more sophisticated but ultimately much
more dangerous initiatives slip under the radar, comfortable in the
knowledge that the amateurs at CLEAN IT have preoccupied many of their
would-be critics.

We can be sure, of course, that there are elements in Europe who would
dearly like to see the CLEAN IT wish list put into practice (including
many from the law enforcement community and the industries that serve
it, and some from the European Commission itself), but we should be
careful to distinguish between transnational talking shops, EU working
groups and draft EU policy. We should also understand that it will take
scores of CLEAN ITs to take us down this particular road to tyranny.

With this in mind we’d surely do better to focus at least some of our
attention on how these dreadful initiatives get funded in the first
place, not least because the EU is preparing to agree its multiannual
financial framework (MFF) for the period 2014-2020. As far as ‘security’
is concerned, there’s no sign whatsoever of the austerity that is
devastating welfare and other areas of public policy. The proposed MFF
includes the €11 billion internal security fund (a 40% increase on the
previous MFF) which will allocate plenty to “raising the levels of
security for citizens and business in cyberspace” and “preventing
terrorism and addressing radicalisation and recruitment”.

A further €3.8 billion is earmarked for the new security research
programme in “Horizon 2020”. Yet almost no-one from the human rights or
civil liberties community in Europe is questioning, never mind
challenging these particular ‘cash cows’. This is not good either, for
the anti-democratic culture that underpins the myriad CLEAN ITs of this
world is growing precisely because of the way ‘security’ is now framed
and funded.

Article published initially on Netzpolitik.org (only in German, 9.10.2012)

Clean IT: Der geheime Plan der EU, der keiner war

EDRi-gram: ENDitorial: Clean IT is just a symptom of the pinata politics
of privatised online enforcement (26.09.2012)

EDRi: Clean IT – Leak shows plans for large-scale, undemocratic
surveillance of all communications (21.09.2012)


Anonymous on INDECT project

MFF – 11 billion Euros internal security fund

(Contribution by Ben Hayes – project director at EDRi-member Statewatch,
UK and a fellow of the Transnational Institute)