The European Parliament’s emergency system to hold meetings and cast votes during the coronavirus outbreak has flaws and is vulnerable to manipulation, its vice president responsible for information technologies told POLITICO in an interview.
Parliament’s emergency measures, passed in March, helped make some urgent calls on how to help stop the spread of the coronavirus across the Continent.
“It’s obvious that the situation is unprecedented … Parliament had to come up with a temporary solution,” said Marcel Kolaja, a member of the Czech Pirate Party and Greens group, who oversees the institution’s IT, digital and telecom policy.
But, he said, that system needs changing at the latest by the summer in order to boost security and confidentiality of communication.
The system now in place includes having members of the European Parliament vote over email, which Kolaja called “a huge space for manipulation” and which relies on MEPs checking the voting record to make sure their ballot was registered correctly.
The crisis is also pushing some members to use online chat apps and videoconferencing tools that are based outside of the EU.
According to Kolaja, “we need to understand that if you have a provider of such service that is based in a different jurisdiction, laws of the establishment of that company apply. We need to make sure that no information leaks through that platform.”
How do you evaluate the security of how Parliament is now working, during this lockdown period?
Suddenly Parliament was in a situation where MEPs were pretty much all in their home countries. It also became apparent that there is an imminent need to vote on critical measures when it comes to mitigating the impact of the pandemic.
Parliament had to very quickly come up with a temporary solution for how to work. The Bureau [of members overseeing the institution’s internal workings] decided on a temporary system of voting via email.
We should use a remote e-voting system only in situations like this, only for urgent matters.
I personally insisted that the decision of the Bureau needed to have a clear sunset clause. That’s why it ends end-July.
Would you consider the email voting system secure?
The system we currently have can be very much improved.
MEPs have to print their ballot, sign and scan it and send it back over email, where there is a huge space for manipulation. The guarantee that the vote was not manipulated basically lies in procedural measures: MEPs have to verify that their vote has been correctly registered.
We should deploy a system to make it possible to digitally sign the vote by the MEP. Parliament services are working on such a solution.
How are you holding your virtual meetings?
The Parliament is very specific [in its needs]. That’s because of security and confidentiality of information. However, it’s also because of the specificities of how Parliament works [like] when the chair gives the floor to a member and when there’s a specific order of the meeting that we must follow. The Parliament’s official meetings also need to be translated and interpreted into several languages.
In the end, you find out that there are not too many tools on the market that fulfill your needs. Parliament decided to go for a solution provided as a service. The system is called Interactio.
I think it has a lot of room for improvements. One is that [MEPs] are required to use Apple products, iPhones or iPads. We should remove that barrier … to be able to work with open-source software so that we are not locked into one particular technology of one particular company.
Secondly, in the long run I believe the Parliament should be using a system that is fully hosted in-house.
Has Parliament advised its members on the use of videoconferencing application Zoom, which has come under fire for its cybersecurity flaws?
There have been concerns raised and information shared that using Zoom imposes certain security threats.
We need to understand that if you have a provider of such service that is based in a different jurisdiction, laws of the establishment of that company apply. We need to make sure that no information leaks through that platform.
If it’s a platform established in the country where the company has the obligation to provide data to the government or intelligence agencies — and where it can also be given a gag order so that they cannot even tell anyone that this is happening — this is a risk. Everyone who shares anything via that platform needs to understand this.
The system should in the long run be hosted on the premises of the Parliament. And Parliament should get into a situation where it provides solutions that are hosted in-house, so we don’t have to deal with these types of issues.
For messaging applications, too, Parliament should deploy its own platform. It can be one of the open-source platforms available. It would be great if it had end-to-end encryption. It should be encouraged by Parliament for employees to use such a system over those hosted by third parties.
The Commission recently recommended its staff use end-to-end encrypted app Signal for public conversations. Would you support this?
I understand the Commission wanted to improve what’s been happening. Of course there are a lot of services that are a lot worse than Signal. But it still is a centralized system that would be hosted outside of Parliament, and even outside of [EU] jurisdiction. And there’s no control over what the company does with the data.
How will this change how Parliament works, when the crisis is over?
It can fundamentally change how Parliament is prepared for such situations.
I would like that this crisis changes what Parliament provides to MEPs and employees, including chat systems and videoconferencing systems, so they can use these systems in normal times.
The crisis for us is a huge opportunity to understand these issues [of security and confidentiality] more, when we normally don’t pay attention to this.
This interview was edited for length and clarity.